KR101786783B1 - Data storing method of cyber blackbox device - Google Patents


Info

Publication number
KR101786783B1
Authority
KR
South Korea
Prior art keywords
file
hash value
storing
meta information
packet capture
Prior art date
Application number
KR1020150185908A
Other languages
Korean (ko)
Other versions
KR20170076862A (en)
Inventor
백승태
김태완
Original Assignee
(주)소만사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주)소만사
Priority to KR1020150185908A
Publication of KR20170076862A
Application granted
Publication of KR101786783B1

Classifications

All five classifications sit under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/30 for supporting lawful interception, monitoring or retaining of communications or communication related information > H04L63/308 retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 for authentication of entities > H04L63/083 using passwords > H04L63/0846 using time-dependent-passwords, e.g. periodically changing passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 (as above) > H04L9/3236 using cryptographic hash functions

Abstract

A method of storing data in a cyber black box device according to the present invention includes the steps of: requesting a certification authority for a one-day use password at a cycle of one day, and receiving and storing the one-day use password from the certification authority; generating and storing a one-day use encryption key using the received one-day use password; collecting network traffic, and generating a packet capture file in units of a predetermined size from the collected network traffic; extracting meta information from the packet capture file, and generating a hash value for the meta information and a hash value for the packet capture file; and encrypting the packet capture file using the one-day use encryption key, and storing the encrypted packet capture file, the hash value for the meta information, and the hash value for the packet capture file in a file repository.

Description

[0001] The present invention relates to a data storing method of a cyber black box.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method of storing data in a cyber black box that stores large volumes of network traffic data from before and after a cyber attack.

Recently, as Advanced Persistent Threat (APT) attacks aimed at specific companies, institutions, and major facilities have intensified and become visible as social and national threats such as the paralysis of broadcasting and communications, it has become important to ensure the long-term preservation and integrity of both volatile and non-volatile network traffic information, so that the cause of an incident can be identified and responded to quickly in the event of a cyber attack.

Accordingly, technology for cyber black box devices capable of reproducing attack scenarios has been developed: such a device proves and preserves network traffic from before and after a cyber attack and analyzes the cause of the attack using that traffic.

Specifically, such a device performs continuous network traffic collection, preservation of evidence for the collected data, processing for efficient use of the preserved data, management for uninterrupted operation of the cyber black box, and cause analysis and logical reproduction of intrusion incidents.

In particular, cyber black box devices are used not only for storing the media but also for ensuring the authenticity, integrity, reliability, and originality of the data in the process of collecting and proving network traffic data, and they focus on performing various analysis functions that enable an administrator to analyze the cause of an active attack.

SUMMARY OF THE INVENTION

The present invention has been made in view of the above problems, and it is an object of the present invention to secure the authenticity, integrity, reliability, and originality of data in collecting and proving network traffic data, and to provide a method of storing data in a cyber black box device such that the stored network traffic data can be efficiently retrieved and reconstructed.

According to another aspect of the present invention, there is provided a method of storing data in a cyber black box device, the method comprising: requesting a certification authority for a one-day use password at a cycle of one day, and receiving and storing the one-day use password from the certification authority; generating and storing a one-day use encryption key using the received one-day use password; collecting network traffic, and generating a packet capture file in units of a predetermined size from the collected network traffic; extracting meta information from the packet capture file, and generating a hash value for the meta information and a hash value for the packet capture file; and encrypting the packet capture file using the one-day use encryption key, and storing the encrypted packet capture file, the hash value for the meta information, and the hash value for the packet capture file in a file repository.

The step of receiving and storing the one-day use password may receive and store the one-day use password and discard the previously stored one-day use password.

The step of generating and storing the one-day use encryption key may generate and store the one-day use encryption key and discard the previously stored one-day use encryption key.

The meta information may include a source IP address, a source port number, a destination IP address, a destination port number, a protocol type, a first time value, and a last time value of the corresponding network traffic.

The hash value for the meta information may include a hash value for each item of the meta information and a hash value for the entire meta information.

The file repository may comprise n virtual volumes, each virtual volume comprising a file source repository, a file hash value repository, and a file index repository. Storing in the file repository may then comprise: storing the encrypted packet capture file in the file source repository of the nth virtual volume under the hash value for the entire meta information as its file name; mapping the hash value of the packet capture file to the hash value for the entire meta information and storing the mapping in the file hash value repository of the nth virtual volume; and mapping the hash value of each item of the meta information to the hash value for the entire meta information and storing the mapping in the file index repository of the nth virtual volume.

According to the present invention, the authenticity, integrity, reliability, and originality of data can be secured in the course of collecting and proving network traffic data, and the network traffic data can be stored so that desired data can be efficiently retrieved and reconstructed from the large amount of network traffic data stored in the cyber black box device.

FIG. 1 shows a configuration of a cyber black box apparatus according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a method of storing data in a cyber black box device according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings. In the following description and the accompanying drawings, substantially the same components are denoted by the same reference numerals, and redundant description will be omitted. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

FIG. 1 shows a configuration of a cyber black box apparatus according to an embodiment of the present invention.

The cyber black box device 100 is connected to the Internet through a network device such as a network switch 200 and collects network traffic data transmitted and received through the network switch 200 and performs a function of storing the network traffic data.

The cyber black box device 100 has a black box ID which is a unique identification value. The black box ID may be a unique identification value of, for example, 24 bytes.

The cyber black box device 100 is connected via the Internet to the certification authority 300, which authenticates the integrity of the cyber black box device, and the black box ID of the cyber black box device 100 is registered in advance with the certification authority 300. The certification authority 300 may be an accredited certification authority such as the Korea Internet Promotion Agency.

The cyber black box apparatus 100 includes an integrity management unit 110, an encryption key management unit 120, a packet capture unit 130, a hash value generation unit 140, a storage unit 150, a file storage 160, a virtual volume management unit 170, a virtual volume access control unit 180, and the like.

The integrity management unit 110 requests a one-day password (ODP) from the certification authority 300 once every day. A one-day password is a password to be used for one day (24 hours) from the start of its use. When requesting the one-day use password from the certification authority 300, the integrity management unit 110 transmits the black box ID of the cyber black box device 100 together with the request.

Upon receiving a request for a one-day use password from the cyber black box device 100, the certification authority 300 generates a one-day use password for the corresponding black box ID and transmits it to the cyber black box device 100. At this time, the certification authority 300 may transmit the one-day password digitally signed using the certificate of the certification authority 300.

The certification authority 300 encrypts the one-day use password it generates each day and stores it matched with the corresponding black box ID. The stored daily one-day use passwords can later be provided when a black box analysis apparatus (or analysis staff) requests them from the certification authority 300 in order to inquire into or analyze the data of the cyber black box apparatus 100.

The integrity management unit 110 receives the one-day use password from the certification authority 300 and stores it. Since the integrity management unit 110 requests a one-day use password from the certification authority 300 every day, it receives and stores a new one-day use password every day. When the digitally signed one-day use password is received together with the public certificate of the certification authority 300, the integrity management unit 110 may verify the validity of the digital signature before storing the one-day use password. The one-day password newly received from the certification authority 300 is shared with the encryption key management unit 120 and the virtual volume management unit 170, which will be described later.

The integrity management unit 110 may discard the previously stored one-day password after (or at the same time as) storing the new one-day password. At this time, the integrity management unit 110 can completely delete the previous one-day password by overwriting it with random numbers, for example three or more times.
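The one-day password exchange between the integrity management unit 110 and the certification authority 300 described above, as an added Ruby example that is not code from the patent or its assignee: the CA issues one signed ODP per registered black box ID and day, and the device verifies the CA signature, checks that the reply is for its own ID and the requested day, and only then replaces the stored ODP. The RSA key pair standing in for the CA certificate, the JSON message layout and the ID/date check are assumptions of this example.

```ruby
require 'openssl'
require 'json'

# Certification authority 300: knows the registered black box IDs, issues one one-day password
# (ODP) per black box and day, signs it, and keeps a copy for later analyst inquiries.
class CertificationAuthority
  attr_reader :public_key

  def initialize(registered_ids)
    @key = OpenSSL::PKey::RSA.new(2048) # stands in for the CA certificate's key pair (constructed)
    @public_key = @key.public_key
    @registered = registered_ids
    @issued = {} # [black_box_id, date] => odp
  end

  # Signed reply for one request; a repeated request for the same box and day gets the same ODP.
  def issue(black_box_id, date)
    raise "black box #{black_box_id} is not registered" unless @registered.include?(black_box_id)
    odp = @issued[[black_box_id, date]] ||= OpenSSL::Random.random_bytes(24).unpack1('H*')
    message = JSON.generate({ id: black_box_id, date: date, odp: odp })
    { message: message, signature: @key.sign(OpenSSL::Digest.new('SHA256'), message) }
  end

  # Later inquiry (e.g. by analysis staff) for the password that was issued on a given day.
  def lookup(black_box_id, date)
    @issued.fetch([black_box_id, date]) { raise "no ODP issued to #{black_box_id} on #{date}" }
  end
end

# Integrity management unit 110: sends its black box ID with the request, verifies the CA's
# signature on the reply, checks the ODP is for this device and this day, then stores it
# in place of the previous day's ODP.
class IntegrityManager
  attr_reader :odp

  def initialize(black_box_id, ca_public_key)
    @id = black_box_id
    @ca_public_key = ca_public_key
    @odp = nil
  end

  def request_odp(ca, date)
    receive(date, ca.issue(@id, date))
  end

  def receive(date, reply)
    unless @ca_public_key.verify(OpenSSL::Digest.new('SHA256'), reply[:signature], reply[:message])
      raise 'ODP rejected: certification authority signature does not verify'
    end
    body = JSON.parse(reply[:message])
    unless body['id'] == @id && body['date'] == date
      raise 'ODP rejected: issued for another black box or another day'
    end
    @odp = body['odp'] # the previously stored ODP is discarded here
  end
end

if __FILE__ == $PROGRAM_NAME
  ca = CertificationAuthority.new(['BLACKBOX-ID-CONSTRUCTED'])
  unit = IntegrityManager.new('BLACKBOX-ID-CONSTRUCTED', ca.public_key)
  odp = unit.request_odp(ca, '2015-12-24')
  puts "stored ODP for 2015-12-24: #{odp[0, 8]}..."
end
```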

The encryption key management unit 120 generates and stores the one-day use encryption key using the newly received one-day use password. Here, the one-day use encryption key is an encryption key to be used for one day (24 hours) from the start of its use. For example, PKCS #5, which is a password-based encryption standard, can be used to generate the encryption key. The one-day use encryption key newly generated by the encryption key management unit 120 is shared with the storage unit 150 to be described later.

The encryption key management unit 120 can discard the previously stored one-day use encryption key after (or at the same time as) generating and storing the new one-day use encryption key. At this time, the encryption key management unit 120 can completely delete the previous one-day use encryption key by, for example, overwriting it with random numbers three or more times.

The packet capture unit 130 continuously collects network traffic transmitted and received through a network device such as the network switch 200. Collecting all network traffic of the network device may be performed, for example, using port mirroring in the network device. The packet capture unit 130 divides the continuously collected network traffic into session units based on the 4-tuple (source IP address, source port number, destination IP address, and destination port number) and generates packet capture files (for example, pcap files) in units of a predetermined size (for example, 10 MBytes). The packet capture file generated by the packet capture unit 130 is transmitted to the hash value generation unit 140 to be described later.

The hash value generation unit 140 extracts meta information from the packet capture file generated by the packet capture unit 130. The extracted meta information is 5-tuple-based session meta information, namely the source IP address, source port number, destination IP address, destination port number, and protocol type, together with the first time value and last time value of the corresponding session.

The hash value generation unit 140 generates a hash value for each of the seven items of meta information (e.g., sha2{source IP address}, sha2{source port number}, sha2{destination IP address}, sha2{destination port number}, sha2{protocol type}, sha2{first time value}, sha2{last time value}), a hash value for all seven items of meta information together (e.g., sha2{source IP address + source port number + destination IP address + destination port number + protocol type + first time value + last time value}), and a hash value for the packet capture file (e.g., sha2{pcap file}). The hash values for each of the seven items of meta information, the hash value for all seven items of meta information, and the hash value for the packet capture file are passed to the storage unit 150 together with the original packet capture file.

The storage unit 150 encrypts the packet capture file transferred from the hash value generation unit 140 with a predetermined encryption algorithm using the one-day use encryption key generated by the encryption key management unit 120. For example, AES-128 in CBC mode, a block encryption algorithm, may be used as the encryption algorithm. As a result, each packet capture file is encrypted with a one-day use encryption key that differs from day to day.

The storage unit 150 stores the encrypted packet capture file in the file storage 160 together with the hash value for the meta information generated by the hash value generation unit 140 and the hash value for the packet capture file.

The file storage 160 includes n virtual volumes 160_1, ..., 160_n, as shown. Each virtual volume includes a file source repository 161, a file hash value repository 162, and a file index repository 163.

The storage unit 150 stores the encrypted packet capture file in the file source repository 161_n of the n-th virtual volume 160_n. At this time, the encrypted packet capture file can be stored under the hash value for all seven items of meta information, generated by the hash value generation unit 140, as its file name.

Since the one-day use password and the one-day use encryption key are discarded whenever a new one-day use password is received and the corresponding one-day use encryption key is generated, as described above, a user who wants to decrypt a packet capture file stored on a particular date must request the one-day use password for that date from the certification authority 300 and receive it.

Also, the storage unit 150 maps the hash value of the packet capture file to the file name of the encrypted packet capture file stored in the file source repository 161_n (i.e., the hash value for all seven items of meta information) and stores the mapping in the file hash value repository 162_n of the n-th virtual volume 160_n. For example, the information stored in the file hash value repository 162_n is [sha2{source IP address + source port number + destination IP address + destination port number + protocol type + first time value + last time value} : sha2{pcap file}].

Also, the storage unit 150 maps the hash values of each of the seven items of meta information to the file name of the encrypted packet capture file stored in the file source repository 161_n (i.e., the hash value for all seven items of meta information) and stores the mapping in the file index repository 163_n of the n-th virtual volume 160_n. For example, the information stored in the file index repository 163_n is [sha2{source IP address + source port number + destination IP address + destination port number + protocol type + first time value + last time value} : sha2{source IP address} : sha2{source port number} : sha2{destination IP address} : sha2{destination port number} : sha2{protocol type} : sha2{first time value} : sha2{last time value}].

As described above, since the file hash value repositories 162_1 to 162_n and the file index repositories 163_1 to 163_n hold, mapped to the file name of each encrypted packet capture file, the hash value of that packet capture file and the hash values of its meta information, the desired network traffic can be efficiently retrieved and reconstructed per session based on the seven items of meta information during pre- and post-analysis of a future cyber intrusion.

The virtual volume management unit 170 generates and manages the virtual volumes 160_1, ..., 160_n of the file storage 160.

For example, the virtual volume management unit 170 generates the n-th virtual volume 160_n when the storage space of the (n-1)-th virtual volume 160_n-1 becomes 30% or less. The volume name may be determined using the time value at the creation of the virtual volume and the one-day password held by the integrity management unit 110. For example, the hash value of the time value YYYY-MM-DD HH:MM combined with the ODP, that is, [sha2{YYYY-MM-DD HH:MM + ODP}], may be used as the volume name.

Also, the virtual volume management unit 170 may delete the oldest virtual volume based on the creation time when the storage space of the entire file storage 160 becomes 10% or less.

The virtual volume access control unit 180 blocks unauthorized access to the file storage 160 by anything other than the storage unit 150 and the virtual volume management unit 170, thereby preventing the data stored in the file storage 160 from being tampered with.

FIG. 2 is a flowchart illustrating a method of storing data in a cyber black box device according to an embodiment of the present invention. The data storing method according to the present embodiment consists of steps performed in the cyber black box apparatus 100 described above. Therefore, what has been described above with respect to the cyber black box device 100 also applies to the data storing method according to the present embodiment, even where it is omitted below.

In step 410, the integrity management unit 110 requests a one-day use password from the certification authority 300.

In operation 420, the integrity management unit 110 receives the one-day password from the certification authority 300 and stores the password.

In operation 430, the integrity management unit 110 discards the previously stored one-day use password.

In operation 440, the encryption key management unit 120 generates and stores the one-day use encryption key using the one-day use password received in operation 430.

In operation 450, the encryption key management unit 120 discards the previously used one-day use encryption key.

In step 460, when one day has passed, steps 410 through 450 are repeated.

In step 510, the packet capture unit 130 collects network traffic transmitted and received through a network device such as the network switch 200.

In step 520, the packet capture unit 130 generates a packet capture file on a predetermined size basis from the collected network traffic.

In operation 530, the hash value generation unit 140 extracts meta information from the packet capture file generated in operation 520.

In step 540, the hash value generator 140 generates a hash value for the meta information and a hash value for the packet capture file.

In step 550, the storage unit 150 encrypts the packet capture file using the one-day use encryption key generated in step 440.

In step 560, the storage unit 150 stores the encrypted packet capture file, the hash value for the meta information, and the hash value for the packet capture file in the file repository 160.

Steps 510 through 560 are continuously and repeatedly performed.
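Steps 530 through 560 above, together with the three-repository layout of a virtual volume described with FIG. 1, as an added Ruby example that is not code from the patent or its assignee: the one-day key is derived from the ODP with PKCS #5 PBKDF2, the capture file is encrypted with AES-128-CBC, and a stored session is found by the hash of one meta item, decrypted with that day's key and checked against its stored file hash before it is handed back. SHA-256 as the "sha2" function, the black box ID as PBKDF2 salt, the iteration count and the sample capture are assumptions of this example.

```ruby
require 'openssl'
require 'digest'

# sha2{x} in the description, taken here as hex-encoded SHA-256.
def sha2(s)
  Digest::SHA256.hexdigest(s)
end

# One-day use encryption key from the one-day password (ODP) via PKCS #5 PBKDF2-HMAC-SHA256.
# Salting with the black box ID and 10_000 iterations are assumptions of this example.
def day_key(odp, black_box_id)
  OpenSSL::PKCS5.pbkdf2_hmac(odp, black_box_id, 10_000, 16, OpenSSL::Digest.new('SHA256')) # 16 bytes = AES-128
end

# AES-128-CBC, the algorithm the description names; the random IV is prepended to the ciphertext.
def encrypt_cbc(key, plain)
  c = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  c.key = key
  iv = c.random_iv
  iv + c.update(plain) + c.final
end

def decrypt_cbc(key, data)
  raise OpenSSL::Cipher::CipherError, 'ciphertext too short' if data.bytesize < 32
  c = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  c.key = key
  c.iv = data[0, 16]
  c.update(data[16..-1]) + c.final # CipherError here means a wrong key or corrupted ciphertext
end

# One virtual volume 160_n with its three repositories, all keyed by the file name, which is
# sha2 over the seven meta items concatenated in the order the description lists them.
class VirtualVolume
  META_ITEMS = %i[src_ip src_port dst_ip dst_port proto first_time last_time].freeze
  attr_reader :name, :source, :hashes, :index

  def initialize(created_at, odp)
    @name = sha2(created_at + odp) # volume name sha2{YYYY-MM-DD HH:MM + ODP}
    @source = {} # file source repository 161: file name => encrypted pcap
    @hashes = {} # file hash value repository 162: file name => sha2{pcap file}
    @index = {}  # file index repository 163: file name => the seven per-item hashes
  end

  # Steps 530 to 560 for one capture file; returns the file name it was stored under.
  def store(day_key, meta, pcap)
    items = META_ITEMS.map { |k| meta.fetch(k).to_s }
    name = sha2(items.join)
    @source[name] = encrypt_cbc(day_key, pcap)
    @hashes[name] = sha2(pcap)
    @index[name] = items.map { |item| sha2(item) }
    name
  end

  # Session lookup by the hash of one meta item (e.g. sha2{source IP address}): every match is
  # decrypted with that day's key and checked against its stored file hash before it is returned.
  def retrieve(day_key, item_hash)
    matches = @index.select { |_, per_item| per_item.include?(item_hash) }.keys
    matches.map do |name|
      begin
        plain = decrypt_cbc(day_key, @source[name])
      rescue OpenSSL::Cipher::CipherError
        raise "cannot decrypt #{name[0, 8]}: wrong day key or corrupted file"
      end
      raise "file hash mismatch for #{name[0, 8]}: capture tampered" unless sha2(plain) == @hashes[name]
      plain
    end
  end
end

# Constructed sample input (not a real capture) so the block runs stand-alone.
SAMPLE_META = { src_ip: '10.0.0.5', src_port: 51234, dst_ip: '192.0.2.10', dst_port: 443,
                proto: 'tcp', first_time: 1450915200, last_time: 1450915260 }.freeze
SAMPLE_PCAP = "\xD4\xC3\xB2\xA1 constructed sample capture, not a real pcap".b.freeze

if __FILE__ == $PROGRAM_NAME
  key = day_key('demo-odp-2015-12-24', 'BLACKBOX-ID-CONSTRUCTED')
  vol = VirtualVolume.new('2015-12-24 00:00', 'demo-odp-2015-12-24')
  name = vol.store(key, SAMPLE_META, SAMPLE_PCAP)
  found = vol.retrieve(key, sha2(SAMPLE_META[:dst_port].to_s))
  puts "volume #{vol.name[0, 8]} file #{name[0, 8]}: #{found.length} session(s), #{found.first.bytesize} bytes"
end
```

Because the previous day's key is discarded on rotation, retrieval on a later day needs the ODP for the capture's date from the certification authority, which is exactly the failure the wrong-key path reports.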

The above-described embodiments of the present invention can be embodied as a program executable by a computer and implemented in a general-purpose digital computer that runs the program using a computer-readable recording medium. The computer-readable recording medium includes a storage medium such as a magnetic storage medium (e.g., ROM, floppy disk, hard disk, etc.), optical reading medium (e.g., CD ROM,

The present invention has been described with reference to the preferred embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

Claims (6)

1. A method of storing data in a cyber black box device, the method comprising:
requesting a certification authority for a one-day use password at a cycle of one day, and receiving and storing the one-day use password from the certification authority;
generating and storing a one-day use encryption key using the received one-day use password;
collecting network traffic, and generating a packet capture file in units of a predetermined size from the collected network traffic;
extracting meta information from the packet capture file, and generating a hash value for the meta information and a hash value for the packet capture file; and
encrypting the packet capture file using the one-day use encryption key, and storing the encrypted packet capture file, the hash value for the meta information, and the hash value for the packet capture file in a file repository.
2. The method according to claim 1, wherein the receiving and storing of the one-day use password comprises receiving and storing the one-day use password and discarding the previously stored one-day use password.
3. The method according to claim 1, wherein the generating and storing of the one-day use encryption key comprises generating and storing the one-day use encryption key and discarding the previously stored one-day use encryption key.
4. The method according to claim 1, wherein the meta information includes a source IP address, a source port number, a destination IP address, a destination port number, a protocol type, a first time value, and a last time value of the corresponding network traffic.
5. The method according to claim 1, wherein the hash value for the meta information includes a hash value for each item of the meta information and a hash value for the entire meta information.
6. The method of claim 5, wherein the file repository comprises n virtual volumes, each virtual volume comprising a file source repository, a file hash value repository, and a file index repository, and wherein storing in the file repository comprises: storing the encrypted packet capture file in the file source repository of the nth virtual volume under the hash value for the entire meta information as its file name; mapping the hash value of the packet capture file to the hash value for the entire meta information and storing the mapping in the file hash value repository of the nth virtual volume; and mapping the hash value of each item of the meta information to the hash value for the entire meta information and storing the mapping in the file index repository of the nth virtual volume.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150185908A KR101786783B1 (en) 2015-12-24 2015-12-24 Data storing method of cyber blackbox device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150185908A KR101786783B1 (en) 2015-12-24 2015-12-24 Data storing method of cyber blackbox device

Publications (2)

Publication Number Publication Date
KR20170076862A (en) 2017-07-05
KR101786783B1 (en) 2017-10-18

Family

ID=59352175

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150185908A KR101786783B1 (en) 2015-12-24 2015-12-24 Data storing method of cyber blackbox device

Country Status (1)

Country Link
KR (1) KR101786783B1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101078546B1 (en) 2011-06-27 2011-11-01 박주혁 Apparatus for coding and decoding of security data file based on data storage unit idedtification, system for electronic signature using the same

Also Published As

Publication number Publication date
KR20170076862A (en) 2017-07-05

Legal Events

Date Code Title Description
A201 Request for examination
E701 Decision to grant or registration of patent right
GRNT Written decision to grant