KR101860645B1 - Apparatus and Method for implementing communication jamming scheme using packet spoofing in wireless network - Google Patents

Abstract

The present invention relates to wireless network technology, and more particularly, to an apparatus and method for implementing communication jamming scheme using packet spoofing in a wireless network. According to the present invention, a network protocol is divided into an open protocol and a non-open protocol based on packet data obtained through a packet sniffer. A manipulated attack packet suitable for the protocol is generated and transmitted. So, it is possible to more effectively jam a target network. The apparatus further includes a packet parser; an open protocol jamming packet generating unit; a non-open protocol jamming packet generating unit; a jamming unit; and a packet output part.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a communication disturbing apparatus and method using packet manipulation in a wireless network,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to wireless network technology, and more particularly, to a communication disturbance apparatus and method using packet manipulation in a wireless network.

In particular, the present invention relates to a communication disturbing apparatus and method for disturbing a target communication system by collecting and analyzing packet data transmitted and received on a wireless network, and generating and transmitting manipulated packets based on the collected packet data.

In general, an attack to disturb the wireless network is referred to as jamming, and frequency jamming is typical. Due to the nature of the communication using radio frequency, only one signal can be transmitted at the same time. Jamming causes the unauthorized equipment to transmit signals at the same frequency as the authorized equipment, and normal communication is impossible due to crosstalk do.

Existing communication disturbing apparatuses use communication characteristics of a physical layer in a communication network to send a communication disturbance signal other than a signal to be disturbed so that a receiving terminal of a communication apparatus within a communication disturbance range can not normally extract a desired signal .

Therefore, the conventional communication disturbing apparatus needs a corresponding process for each signal to be disturbed, and has a problem of generating a disturbance signal continuously.

1. Korean Patent No. 10-1045344 (June 23, 2011) (Title: Apparatus and method for jamming GPS signals) 2. Korean Patent Publication No. 10-2011-0041816 (entitled: Wireless Communication System Limiting Communication Area Using Jamming)

1. "Smart Jamming Technology Trends for GPS Signals" Jung Sung-gyun et al., "Analysis of Electronic Communication Trends," Vol. 27, No. 6, pp. 75-82 2. Jamming et al., "Jamming Technology in Military Communication", The Journal of the Korean Institute of Communication Sciences, Vol.26, No.3, March 2009, pp.32-40

It is an object of the present invention to provide a communication disturbance apparatus and method capable of more effectively disturbing an attack target wireless network.

The present invention provides a communication disturbing apparatus capable of more effectively disturbing a wireless network to be attacked by an aircraft identification device capable of performing identification technology capable of fusing one identifier to realize better performance.

The communication disturbing apparatus includes:

A packet parser that receives packet information of an attack target network using a packet sniffer and divides the network protocol of the packet information into an open protocol, a closed protocol, and an unconfirmed protocol that does not correspond to the open protocol and the closed protocol;

An open protocol disturbance packet generator for generating an open protocol disturbance packet according to the open protocol;

A private protocol disturbance packet generator for generating a private protocol disturbance packet according to the private protocol;

A jamming unit for generating a jamming signal for a jamming attack according to the unidentified protocol; And

And a packet output unit for outputting the private protocol disturbance packet or the open protocol disturbance packet.

In this case, the open protocol disturbance packet generator may include a first protocol analyzer for analyzing a network topology corresponding to an open protocol distinguished by the packet parser; A topology unit for generating the network topology; And a loop generator for generating a loop based on the network topology and generating the open protocol disturbance packet according to the loop.

In addition, the open protocol disturbance packet may be a MAC (Medium Access Control) packet whose routing information is manipulated corresponding to an arbitrarily selected node from which the loop can be generated.

The open protocol disturbance packet generating unit may further include a latency increasing unit for generating an operation packet that is manipulated so as to increase a path corresponding to an arbitrarily selected node from which the loop can be generated.

The private protocol disturbance packet generating unit may include a second protocol analyzer for grouping the packet information corresponding to the private protocol by the same length to generate grouping packet information; A length field extractor for extracting a length information field from the grouping packet information; And a weight calculation unit for calculating a weight using the length information field and generating a closed protocol disturbance packet by modifying packet information according to the weight value.

Also, the weight is divided into a header and a payload using the length information field, and is allocated to a data change amount of the payload. In the private protocol disturbance packet, a packet whose packet information is higher than other weights .

Also, the private protocol disturbance packet generating unit may include: a binary extractor for extracting binary data from the grouping packet information; And a user mode packet generation unit for generating the private protocol disturbance packet by changing the binary data by user input.

In addition, the length information field may be a point where a number obtained by converting an area corresponding to a plurality of preset windows is equal to a length of a previous window and a length of the window.

In addition, the header and the payload are divided into a header and a payload based on the length information field and a payload, respectively. If the length information field is not present, And a payload.

The communication disturbing apparatus may further include a packet log viewer for displaying a public protocol, a private protocol, and the unidentified protocol from the packet parser on the screen.

According to another embodiment of the present invention, there is provided a method for protecting a target network, the method comprising: receiving packet information of an attack target network using a packet sniffer; The packet parser classifying the network protocol of the packet information into an open protocol, a closed protocol, and an unconfirmed protocol that does not correspond to the open protocol and the closed protocol; Generating an open protocol disturbance packet according to the open protocol; Wherein the private protocol disturbance packet generator generates a private protocol disturbance packet according to the private protocol; Generating a jamming signal for a jamming attack according to the unidentified protocol; And outputting the private protocol disturbance packet or the open protocol disturbance packet by the packet output unit.

 According to the present invention, by dividing a network protocol into an open protocol and a non-open protocol based on packet data acquired through a packet sniffer, and generating and transmitting a manipulated attack packet suitable for the protocol, the attack target network can be more effectively disturbed .

1 is a block diagram of a communication disturbing apparatus according to an embodiment of the present invention.
2 is a detailed block diagram of the public protocol disturbance packet generator 124 shown in FIG.
3 is a detailed block diagram of the private protocol disturbance packet generating unit 125 shown in FIG.
4 is a conceptual diagram for explaining the operation of a communication disturbing apparatus according to an embodiment of the present invention.
5 is a flowchart illustrating a communication disturbance procedure according to an exemplary embodiment of the present invention.
6 is a diagram illustrating a packet data structure in an open protocol to which a communication disturbing apparatus according to an embodiment of the present invention is applied.
7 is a diagram illustrating a network topology of an attacked object of a communication disturbance apparatus according to an exemplary embodiment of the present invention.
8 is a diagram for explaining a loop generation attack in a public network protocol of a communication disturbance apparatus according to an embodiment of the present invention.
9 is a diagram for explaining a delay time increasing attack in a public network protocol of a communication disturbance apparatus according to an embodiment of the present invention.
10 is a diagram illustrating a structure including a length field according to a packet structure in a closed network protocol to which a communication disturbing apparatus according to an embodiment of the present invention is applied.
11 is a diagram illustrating length information extraction in a packet in a private network protocol to which a communication disturbing apparatus according to an embodiment of the present invention is applied.
12 is a diagram showing a binary (binary) extraction concept according to an embodiment of the present invention.
13 is a conceptual diagram for explaining a jamming attack of a communication disturbing apparatus according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Like reference numerals are used for similar elements in describing each drawing.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. The term "and / or" includes any combination of a plurality of related listed items or any of a plurality of related listed items.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.

Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Should not.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a communication disturbance apparatus and method using a packet operation in a wireless network according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram of a communication disturbing apparatus according to an embodiment of the present invention. Referring to FIG. 1, the communication disturbance apparatus 120 transmits a network protocol of an attack target communication system based on packet data acquired through a packet sniffer 110 to an open protocol / private protocol / A protocol that does not belong to the private protocol), generates a malicious attack packet suitable for the protocol, and transmits the attack packet to disturb the attack target network.

In general, all digital wireless communication systems have a network protocol defined, which is simply a communication protocol. Therefore, the network protocol used by the Internet is documented by a specific organization, and based on the distributed data, users are used for a specific purpose. The protocol thus opened is called an opened protocol or known protocol.

Here, the open protocol is a document in which a communication protocol established by a specific organization and / or a group is documented and distributed. The public protocol includes WiFi, Zibgee, Bluetooth, TCP / IP, application (Http, ICMP, ARP ) And so on. Thus, you can see how the above protocol works. Typically, there are "Wireshark" as a tool to monitor and analyze wired / wireless network packets, and "daintree" as a wireless sensor network (Zigbee) monitoring and analysis tool.

These analysis tools are designed to simply sniff and monitor packets, display them in accordance with protocol rules, or add more graphical elements to identify the type and structure of intuitively received packets.

In one embodiment of the present invention, the function of the general network analysis tool is extended to manipulate the packet, and in particular, the routing address information located in the packet is manipulated to generate a loop, or a latency .

In contrast, the use of private protocols such as "skype" by a private agency without designing / developing a publicly available protocol is called a closed protocol or an unknown protocol.

On the other hand, the unconfirmed protocol is a protocol not belonging to the open protocol or the non-public protocol, and is a case where the network protocol of the packet analysis result packet is an open protocol or a closed protocol.

The attacking view depends on whether it is an open protocol or a closed protocol. In the case of open protocols, it is mainly focused on routing attacks. In the case of closed protocols, it is mainly focused on data manipulation attacks.

In the case of public protocol routing attacks, the configuration of the network protocol is completely known, and the network configuration is changed by manipulating the network address.

In the case of the private protocol data attack, the configuration of the network protocol is not known at all, and a part of the packet, which is likely to be the data, is changed / manipulated to transmit the undesired data to the receiving side. If you do not know whether the packet analysis result is public or private, it also includes a function to perform general frequency jamming.

The communication disturbance apparatus 120 performs the analysis / manipulation / attack procedure using the network protocol when the network protocol of the received packets matches one of the open protocol, the private protocol and the unidentified protocol.

The packet sniffer 110 on the left / right side of FIG. 1 is the same one equipment, and the packet sniffer 110 is disposed on the left / right side for clarifying the flow of the procedure.

The communication disturbing apparatus 120 includes a packet parser 121, a packet log viewer 122, a file manager 123, an open protocol disturbance packet generating unit 124, A protocol disturbance packet generation unit 125, a packet output unit 126, a jamming unit 127, and the like.

Packet sniffer 110 receives packet information 101 transmitted and received wirelessly from the attack target network and transmits the packet information 101 to communication disturbing apparatus 120 and transmits the packet to the attack target network at the request of communication disturbance apparatus 120 .

The packet parser 121 is a network protocol analyzing unit for analyzing a network protocol. The packet parser 121 receives a packet transmitted from the packet sniffer 110 and determines whether the network protocol of the received packet list is an open protocol, a private protocol, .

The packet log viewer 122 receives the protocol analysis information output from the packet parser 121 and displays the protocol analysis information on a screen in the form of a protocol when the protocol is an open protocol according to the protocol analysis information. It is possible to display them in the order in which they were received.

The file manager 123 serves to provide a user interface and operate with the file system. The file manager 123 receives the data of the packet log viewer 122 through the user interface and transmits the data to the packet log viewer 122. In this case, the data can be imported / exported in the form of an exel file.

The open protocol disturbance packet generation unit 124 generates an open protocol disturbance packet for the open protocol when the network protocol analyzed by the packet parser 121 is an open protocol.

The private protocol disturbance packet generation unit 125 generates a private protocol disturbance packet for the private protocol when the network protocol analyzed by the packet parser 121 is a private protocol.

The packet output unit 126 outputs the open protocol disturbance packet generated by the open protocol disturbance packet generation unit 124 to the packet sniffer 110. The packet output unit 126 outputs the closed protocol disturbance packet generated by the closed protocol disturbance packet generation unit 125 to the packet sniffer 110.

The jamming unit 127 analyzes the network protocol by the packet parser 121 and outputs a jamming signal for jamming attack to the packet sniffer 110 if the network protocol is not an open protocol or a non-public protocol.

The jamming unit 127 may include a jammer 127-1 for generating a jamming signal in the jamming mode, and a jamming signal output unit 127-2 for outputting a jamming signal and activating jamming. Here, the jamming signal output unit generates a jamming signal according to a deception mode, a constant mode, and a reaction mode (Reactive mode). The Deceptive mode congests the network by sending packets periodically instead of a continuous signal. Constant mode makes communication impossible by continuous signal generation. Reactive mode does not work normally, but when someone sends a packet, it recognizes it and sends a packet to generate a collision.

2 is a detailed block diagram of the public protocol disturbance packet generator 124 shown in FIG. 2, the open protocol disturbance packet generator 124 includes a first protocol analyzer 210 for analyzing a network topology corresponding to an open protocol separated by the packet parser 121, a topology analyzer 210 for generating the network topology, (240), a loop generation unit (250) for generating a loop based on the generated network topology, and the like.

In particular, the loop generation unit 250 selects an arbitrary node from which a loop can be generated based on the network topology, and generates a manipulation packet (MAC) corresponding to the selected node and a manipulated packet in which the routing information is manipulated Protocol disturbance packet).

Meanwhile, the latency increasing unit 260 may generate an operation packet (i.e., an open protocol perturbation packet) manipulated to increase the path of the selected node.

In addition, the open protocol disturbance packet generator 124 may further include a filtering unit 220 for filtering a specific protocol among open protocols, an arranging unit 230 for sorting open protocols into specific parameters, a message corruption detecting unit 270, .

Generally, in the case of message damage detection, a CRC (Cyclic Redundancy Check) method can be used to determine whether a message is damaged in a wireless communication system. In this method, when the data to be transmitted is packetized on the transmission side, an arbitrary code is generated by a formula determined according to the frequency of occurrence of 0 and 1 belonging to the data, and a packet is generated and transmitted. That is, as data + CRC code method, CRC code is generally appended to data.

On the receiving side, the transmitting side knows the formula for generating the CRC, generates the CRC code according to the formula determined after the data is separated from the received packet, compares the received CRC code with the received CRC code, It is judged that the data is damaged.

In order to compare the CRC code, the receiving side needs to know the CRC generation formula used by the transmitting side. There is no known method in the private protocol, and the public protocol adopts a different method according to the RF chip.

In the case of the embodiment of the present invention, the message damage detector 270 notifies the RF chip used for verification and demonstration / experiment of packet corruption when receiving a packet, displays it on the screen, Is used to exclude. In other words, the entire packet is excluded from the analysis due to the fact that the data is corrupted at a certain position (field) although it is damaged.

3 is a detailed block diagram of the private protocol disturbance packet generating unit 125 shown in FIG. 3, the private protocol disturbance packet generating unit 125 includes a second protocol analyzer (not shown) for grouping the packet information corresponding to the private protocol determined by the packet parser 121 by the same length and generating grouping packet information 310), a length field extractor (330) for extracting a length information field from the grouping packet information, and a weight calculator (330) for calculating a weight using the length information field and generating an operation packet by modifying packet information according to the weight 350, and the like.

In particular, the weight calculation unit 350 may classify the header and the payload using the extracted length information field, calculate a data change amount in the area of the payload, assign a weight to the calculated data change amount, And generates an operation packet (i.e., a private protocol disturbance packet) by changing the packet information higher than the other weights.

Alternatively, the private protocol disturbance packet generation unit 125 may include a binary extractor 340 for extracting binary data from the grouping packet information, a control unit 330 for generating the private protocol disturbance packet by changing the binary data by user input, A user mode packet generating unit 360, and the like.

4 is a conceptual diagram for explaining the operation of a communication disturbing apparatus according to an embodiment of the present invention. Referring to FIG. 4, the devices in the box 430 shown in dashed lines are the network components 432-1 through 432-8 to be attacked, and the devices outside the dotted lines are the attacking devices 110 and 120. The devices in the dotted line generate packets during the process of configuring the initial network and transmitting the data after the configuration to the destination 431.

Monitoring software (S / W: Software) may be configured in the destination 431. The first to eighth nodes 432-1 to 432-8 are connected wirelessly and the first node 432-1 can be connected to the destination 431 via wire or wireless and becomes a sink node . The packet sniffer 110 collects the generated packets and sends them to the communication disturbing device 120. [

Attack packets are transmitted through the packet sniffer 110, and equipment in the dotted line receiving the packet generates loop generation, latency increase, and an undesired message as indicated by solid arrows. An example of this situation is as follows.

When a loop occurs, a packet to be transmitted through a predetermined route with a neighbor node ID 6-> 5-> 2->> 1 is transmitted to a neighbor node ID 6-> 5-> 2-> 6 as shown in FIG. And is not transmitted to the destination 431 through the first node (sink node) 432-1 which is ID number 1.

In addition, when the latency (= delay) increases, a packet that can be delivered to 2 hop (step) of ID 8 -> 3 -> 1 is 3hop of ID 8 -> 6 -> 2 -> 1 ). This means that in case of 2 hops, a packet to be transmitted within 1 second may be transmitted over 3 h while passing over 1 hop. In some cases, such an increase in the delay time may serve as a factor for reducing the reliability of the system.

For example, in the case of a wireless system that measures and transmits heart rate, an alarm should be sent within one second when a cardiac arrest is measured. If an extremely long delay of 10 minutes occurs, the system may become obsolete.

In addition, the occurrence of an undesired message has an effect of causing a false detection and / or a sense of false sense by transmitting a packet in a state where measurement and / or detection is not performed. For systems that are critical to metrology and / or detection itself, frequent false positives can reduce reliability.

5 is a flowchart illustrating a communication disturbance procedure according to an exemplary embodiment of the present invention. Referring to FIG. 5, it is determined whether the operation mode is open, closed or not (S500). If the operation mode is open (S510), a public network analysis is performed A step S513 of constructing a topology based on the received packet, a step S515 of generating a packet for loop generation, and a step S540 of storing and transmitting a transmission packet can do.

At this time, a step S517 of generating a packet for increasing a delay time, etc., instead of generating a packet for forming a loop, by constructing a topology based on the received packet after displaying the details according to the message specification (S511) .

In operation mode determination step S520, when the operation mode is non-public, step S520 of performing a private network analysis, step S521 of grouping by packet length, extracting length information, A step S527 of allocating a weight for each byte and changing a packet, and a step S540 of storing and transmitting a transmission packet, and the like.

Of course, steps S525 and S525 of analyzing binary data may be performed in place of such a packet length grouping step S521, the length extraction and payload sorting step S523, and the byte-by-byte weight assignment and packet changing step S527. Changing a packet by user input (S529), and the like.

Meanwhile, if the operation mode is neither public nor private, the jamming may be performed in step S530, the jamming mode may be selected in step S531, and the jamming activation may be selected in step S533.

6 is a diagram illustrating a packet data structure in an open protocol to which a communication disturbing apparatus according to an embodiment of the present invention is applied. Referring to FIG. 6, in the packet sniffer 110, a network system that is an attack target can obtain a packet generated in a network configuration process and a process of transmitting a packet after configuration.

As shown in FIG. 6, since it is possible to know how the packet is configured in the case of the open network protocol, it is necessary to know the length of each packet field, the location of the network header 630, You can see information about the constituent elements. That is, the desired information can be obtained through the packet. Each packet field includes a length field 610, a MAC header 620, a network header 630, a message frame field 640, a CRC (cyclic redundancy check) field 650, and the like.

7 is a diagram illustrating a network topology of an attacked object of a communication disturbance apparatus according to an exemplary embodiment of the present invention. 7, an A node 710 is connected to a neighbor node B 720, a sink node S 750 and a neighbor node D 740, and a B node 720 is connected to A and C Information can be used to understand network connectivity. At this time, in order to know that A node 710 has connectivity with B, D, and S, at least one packet generated during communication between A node 710 and B, D, and S must be collected.

It is described that the communication disturbing device 120 performs a loop generation attack in the open network protocol. Since the method of configuring physical, MAC, routing (network), and application layer according to network protocol is different from that of operation method, a generalization method is suggested.

8 is a diagram for explaining a loop generation attack in a public network protocol of the communication disturbance apparatus 120 according to an embodiment of the present invention. Referring to FIG. 8, in order to construct a network, a node configuring a wireless network generally includes: (1) a process of finding a neighbor node within a communication range; (2) a process of selecting an optimal route among neighbor nodes; A process of transmitting a packet, and (4) a process of recovering a path when a failure occurs.

Most of the nodes forming the network search for the neighbor node and generate the routing table internally based on the packet information received in the process of selecting the route. The routing table manages the destination address of the packet, its own address, and the address of the node to be transmitted to transmit the data to be transmitted to the destination.

That is, the network topology is configured 810 based on the packet information, the loop selectable node selection 820 is performed according to the configured network topology, and the loop generation is performed according to the changed routing information. Of course, the routing table 811 of the A node, the packet structure 821 for the loop creation, and the routing table 831 of the A node are also changed.

The lower right table shows an example of the routing table of the A node. In order to go to S (sink), S (sink) C, it manages information that it must pass through B node. The information managed in the routing table may vary depending on the network protocol, but the destination address and the destination address are necessary, and in some cases, additional information is managed.

Selects an arbitrary node from which a loop can be generated based on the network topology, and generates / transmits a packet in which MAC and routing information are manipulated. Here, in addition to the MAC and routing information, there are components constituting a packet, but only the MAC and the routing items are displayed in the sense that only the address information for changing the route is manipulated. Therefore, the location and length information of the MAC and the address values constituting the routing may be different for each protocol.

The node A that received the manipulated packet receives the packet with the normal packet structure and processes it. At this time, the contents of the routing table are changed by intentionally manipulated information. Originally it is sent to S (sink) to go to S (sink) but it is changed to go to C node to go to S (sink).

Then, in order to go from A node to S, A-> C-> B-> A is transmitted and a loop is generated. At this time, in case of a network protocol having a loop detection function, it is judged as a failure and a failure recovery is performed. Here, selecting a node having a node that is separated by 2hop or more is a value set for an example, but it is not a factor affecting the operation method.

9 is a diagram for explaining a latency increasing attack in a public network protocol of a communication disturbance apparatus according to an embodiment of the present invention. Referring to FIG. 9, in a similar manner to the loop generation attack, in an environment that can be directly transmitted to the node D-> S, a generated packet is generated / transmitted and the packet is transmitted to the node D-> C-> B-> A-> S To increase the delay time. Although the packet will be delivered to the destination, an increase in latency can be a fatal flaw, depending on the application to which the network protocol is applied.

Referring to FIG. 9, a network topology is configured 910 based on packet information, a loop selectable node selection 920 is performed according to a configured network topology, and a loop generation 930 is performed according to changed routing information. Of course, at this time, the routing table 911 of the D node, the packet structure 921 for the loop creation, and the modified routing table 931 of the D node are also changed.

In general, a private network protocol does not know the configuration / content at all. If some of the packet data is arbitrarily changed, it may not be processed by the filtering rule on the receiving side. For example, in the case of a private protocol, the fifth byte (byte) in a packet must be '0' unconditionally. Even if a packet manipulated with a value other than '0' is generated / transmitted, Do not. At this time, when the corresponding protocol is disclosed, it can be known that '0' should be inserted in the fifth byte. Therefore, it is possible to generate a packet that can affect it.

Referring back to FIG. 6, gray portions in FIG. 6 are generally referred to as a header, and white portions are generally referred to as payloads. The header contains information related to the rules / criteria necessary to process the packet and uses values within a certain range.

The payload consists mostly of the actual data to be transmitted (for example, text, temperature / humidity values, etc.).

In the private protocol, the header portion needs to change the data-centric payload portion as there is no basis for manipulation. For example, when the payload contains data "coffee", it is changed to "coffe1", or the value of "35.2" is changed to "10.2".

In order to apply this scheme, it is necessary to distinguish the header / payload. Although it is not known what the arbitrary data information in the packet has in the state without any information, there is one known information, that is, "packet (data) length" information.

Generally, since a fixed length is used for a header, total length information is included in a packet transmission, or a packet sniffer 110 can measure a received packet length. It generally uses a variable-length message format and accordingly contains length information somewhere inside the packet.

10 is a diagram illustrating a structure including a length field according to a packet structure in a closed network protocol to which a communication disturbing apparatus according to an embodiment of the present invention is applied. Referring to FIG. 10, there is shown an example of a packet type according to length information availability / location. This is not representative of the entire network, but is a representation of commonly used forms.

Since the Length information is important information for distinguishing the header / payload, the header of the length information is a header, the payload is a length of the length information, (Case 3). If the length information is not extracted, the header is determined based on the size of the shortest packet among the received packets (cases 1, 2 and 4). At this time, instead of analyzing one packet, all received packets are grouped by the same length and analyzed. Here, in the case of the same length, it is considered that there is a high possibility that the packet is of the same type.

In other words, a network protocol means a method of transmitting and receiving data according to a predetermined rule. The predetermined rule may include a destination, a destination, a data type to be transmitted, a data length, and the like. In this case, there are fixed length packets and variable length packets. In the case of a fixed-length packet, the length of a packet to be transmitted and received is generally the same (for example, when a system for measuring and transmitting temperature and humidity data transmits only predetermined data), and a variable- (Such as SMS text messages, which are limited to 80 bytes, but the length of each sent character varies).

In case of variable length, length information is essential since it is generally necessary to be able to recognize the change in length at the receiving end. Since the header portion of the protocol is almost fixed, the size of the variable payload following the header is known.

According to an embodiment of the present invention, there is proposed a method of changing only a payload in consideration of a case where a header can not be processed by a receiving side when a header is changed. In case 1, the length of the entire received packet is known but the header section can not be distinguished. In the case 1, the header section called Fixed-Length can be estimated.

Further, in case 1, there is a length, but this indicates the length of the entire received packet, and corresponds to the case where there is no data before the length. For example, if 50 bytes are received, the first 1 byte will be specified as 49, followed by 49 bytes of data in the variable interval.

11 is a diagram illustrating length information extraction in a packet in a private network protocol to which a communication disturbing apparatus according to an embodiment of the present invention is applied. Referring to FIG. 11, it shows extraction of length information of a packet for header / payload classification. It is assumed that the length information in the private packet is composed of 1, 2, and 4 bytes. 1130, and 1130 of size 1, 2, and 4 are sequentially shifted by about 1 byte from the beginning to the end of the packet, and the total packet length, the position of the first to third windows 1110, 1120, and 1130, When the area corresponding to the first to third windows 1110, 1120, and 1130 is converted, the numerical value, (4) the length before the window, and (5) the length after the window are compared to analyze whether the item (3) is valid as the length information.

A length information field is set as a point having the highest probability after calculation for the entire received same-length packet.

The hatched portion in FIG. 11 is a point at which the data length is equal to the right data length based on the corresponding point when the area data is converted into a number. After analyzing the same length packet as a whole, a length information field is finally selected. If the length information field can not be extracted, the packet of the shortest length among the received packets is determined as the header size.

If the header / payload has been classified, the amount of change in data in the payload area is calculated. For example, when 1000 bytes of 50 byte length packets are received, the header is divided into 1 to 10 bytes. When the payload is divided into 11 to 50 bytes, 11, 12, 13, 48, 49, 50th data is calculated and a weight is assigned to each sequence number. And generates / transmits a packet by changing the corresponding data according to the assigned weight.

The method of changing specific order data is ① random, ② ascending, ③ descending order, but it is possible to add change method as needed. There is a possibility that data can be lost if the data is randomly changed without meaning (for example, the number is displayed as a special character, the sign of the number is changed, etc.).

Accordingly, it is difficult to know what meaning (temperature, humidity, etc.) of data in a certain area in the payload, but provides a function of changing the data to a least meaningful data and transmitting it.

It can be expressed as Binary Extract or Binary Data Analysis. This representation may select one of the received packets and indicate a 1- to 8-byte area from any location in the packet as shown in FIG.

12 is a diagram showing a binary (binary) extraction concept according to an embodiment of the present invention. Referring to FIG. 12, if the data is classified into 11 data types and the data type is changed, it is determined whether the data is meaningful. In this case, the user mode packet generator (360 in FIG. 3) And the constructed packet is constructed and transmitted.

For example, if you specify an arbitrary position in a packet and change it to 11 data types as shown below, unsigned char and signed char will be checked for only 1 byte. Therefore, 0x01 will be hexcode, I can not find it.

However, in the case of float (4 bytes), it can not be known whether temperature, humidity, or voltage level is 32.768, but it can be inferred that something represents a meaningful value, and a function of generating / transmitting a packet after changing 32.768 to 100.768 do.

12 is a conceptual diagram for explaining a jamming attack of a communication disturbance apparatus according to an embodiment of the present invention. Referring to FIG. 12, a general frequency jamming technique is provided in case that packet manipulation is not performed well, or the target network system has not been able to collect packets of a level that can be analyzed due to a too-rapid generation of packets.

Constant mode 1310 for limiting media access disables communication due to continuous signal generation. Deceptive mode 1320 for congestion induces congestion of the network by periodically transmitting packets instead of continuous signals. Reactive mode 1330 for generating a collision does not normally operate, but when someone transmits a packet, it recognizes the packet and transmits a packet to generate a collision.

The communication disturbing apparatus 120 transmits the jamming signal of the constant mode 1310, the deceptive mode 1320 and the reactive mode 1330 to the packet sniffer 110 through the repeater 1340 send.

  The terms " part, "" module," and the like, which are described in the specification, denote a unit for processing at least one function or operation, and may be implemented by hardware or software or a combination of hardware and software.

(DSP), a programmable logic device (PLD), a field programmable gate array (FPGA), a processor, a controller, a microprocessor, and the like, which are designed to perform the above- , Other electronic units, or a combination thereof. In software implementation, it may be implemented as a module that performs the above-described functions. The software may be stored in a memory unit and executed by a processor. The memory unit or processor may employ various means well known to those skilled in the art.

110: Packet sniffer
120: Communication disturbance device
121: Packet Parser 122: Packet Log Viewer
124: Open protocol disturbance packet generation unit
125: Private protocol disturbance packet generation unit
126: Packet output unit
127: Jamming
127-1: jammer 127-2: jamming signal output section

Claims (11)

A packet parser that receives packet information of an attack target network using a packet sniffer and divides the network protocol of the packet information into an open protocol, a closed protocol, and an unconfirmed protocol that does not correspond to the open protocol and the closed protocol;
An open protocol disturbance packet generator for generating an open protocol disturbance packet according to the open protocol;
A private protocol disturbance packet generator for generating a private protocol disturbance packet according to the private protocol;
A jamming unit for generating a jamming signal for a jamming attack according to the unidentified protocol; And
And a packet output unit for outputting the private protocol disturbance packet or the open protocol disturbance packet,
Wherein the open protocol disturbance packet generator comprises:
A first protocol analyzer for analyzing a network topology corresponding to an open protocol distinguished by the packet parser;
A topology unit for generating the network topology; And
And a loop generator for generating a loop based on the network topology and generating the open protocol disturbance packet according to the loop.
delete The method according to claim 1,
Wherein the open protocol disturbance packet is a MAC (Medium Access Control) message corresponding to a randomly selected node from which the loop can be generated and a packet in which routing information is manipulated.
The method according to claim 1,
Wherein the open protocol disturbance packet generation unit further comprises a latency increasing unit for generating an operation packet that is manipulated such that a path corresponding to an arbitrarily selected node to which the loop can be generated is increased. Communication disturbance device used.
The method according to claim 1,
Wherein the private protocol disturbance packet generator comprises:
A second protocol analyzer for grouping packet information corresponding to the private protocol by the same length to generate grouping packet information;
A length field extractor for extracting a length information field from the grouping packet information; And
And generating a private protocol disturbance packet by calculating a weight value using the length information field and modifying packet information according to the weight value to generate a private protocol disturbance packet.
6. The method of claim 5,
The weight is divided into a header and a payload using the length information field, and is allocated to a data change amount of the payload. The private protocol disturbance packet is a packet whose packet information is higher than other weights among allocated weights A communication disturbance apparatus using packet manipulation in a wireless network.
6. The method of claim 5,
Wherein the private protocol disturbance packet generator comprises:
A binary extractor for extracting binary data from the grouping packet information; And
And a user mode packet generation unit for generating the private protocol disturbance packet by changing the binary data by user input.
The method according to claim 6,
Wherein the length information field is a point where a number obtained by converting an area corresponding to a plurality of windows to be set in advance is equal to a length of a previous window and a length of the window.
9. The method of claim 8,
The header and the payload are divided into a header and a payload based on the length information field and a payload, respectively. If there is no length information field, the header and payload are divided into a header and a payload based on the size of the packet, Wherein the packet is divided into a plurality of packets.
The method according to claim 1,
And a packet log viewer for displaying a public protocol, a private protocol, and the unidentified protocol from the packet parser on the screen.
Receiving packet information of an attack target network using a packet sniffer;
The packet parser classifying the network protocol of the packet information into an open protocol, a closed protocol, and an unconfirmed protocol that does not correspond to the open protocol and the closed protocol;
Generating an open protocol disturbance packet according to the open protocol;
Wherein the private protocol disturbance packet generator generates a private protocol disturbance packet according to the private protocol;
Generating a jamming signal for a jamming attack according to the unidentified protocol; And
And a packet output unit outputting the private protocol disturbance packet or the open protocol disturbance packet,
Wherein generating the open protocol disturbance packet comprises:
Analyzing a network topology in which a first protocol analyzer corresponds to an open protocol separated by the packet parser;
The topology portion creating the network topology; And
And generating a loop based on the network topology and generating the open protocol disturbance packet according to the loop, wherein the loop generation unit generates a loop based on the network topology and generates the open protocol disturbance packet according to the loop.

Images