KR101951208B1 - A firewall system for monitoring network traffic by using firewall agent - Google Patents

Abstract

The present invention relates to a firewall system for monitoring a signature and traffic using a firewall agent configured for each computer terminal and, more specifically, to a firewall system for monitoring a signature and traffic using a firewall agent configured for each computer terminal, for performing a security process on a packet data according to sub security policy information by installing and configuring the firewall agent in each computer terminal and for performing security processing, when the security policy information established in the main firewall apparatus is acquired by the firewall agent, by referring to the comprehensive security policy information established for the packet data received from the computer terminal having the firewall agent.

Description

FIELD OF THE INVENTION The present invention relates to a firewall system for monitoring network traffic using a firewall agent,

The present invention relates to a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal. More particularly, the firewall agent is installed in each computer terminal to perform security processing on packet data according to sub- Or when the firewall agent acquires the comprehensive security policy information established in the main firewall device, the firewall agent refers to the comprehensive security policy information established with respect to the packet data received from the computer terminal having the firewall agent, And a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal.

Along with the increase in information system assets, various operating systems (OS), application programs for mobile terminals (APPLICATION), and security solutions have been developed and used.

Security events recorded in such various environments are also stored in various forms, and their capacity is also rapidly increasing.

Events related to security breaches occurring in various types of local terminals are recorded in the event log by a local terminal or a monitoring device on the network.

The administrator analyzes the generated event log to check the damage of the security breach, and takes measures to prevent further infringement.

1 is a block diagram illustrating a network risk composite analysis system according to the prior art.

The plurality of detection sensors 10 included in the analysis system of FIG. 1 collect security events occurring in the respective networks in real time and store them in the DB in the form of a log file including the destination IP of the corresponding security event.

The plurality of detection sensors 10 calculates the risk level and reliability of the collected security events using the risk level and reliability calculation formula set by the administrator based on the network security operation policy itself and calculates the calculated risk level and reliability Adds the log file to the log file, and stores the log file in the DB.

The log file normalization unit 11 collects log files of the security events from the DBs of the respective detection sensors 10 and stores log files of the security events in the log files of the respective security events as normalization information set by the administrator on the basis of the network security operation policy Into a normalized log file format.

The individual risk calculating section 13 calculates the risk value and the reliability, which are identified from the asset value of the IT asset of the network and the corresponding normalization log file calculated in correspondence with the normalization log file of the security event in the asset value calculating section 12, Based on the operation policy, it assigns to the risk calculation formula set by the administrator and calculates the individual risk of the security events. If the calculated risk exceeds the predetermined risk, the alarm occurrence signal is outputted.

However, in the related art, the generated network-based security event log is analyzed to measure the risk. In some cases, it is effective to group and analyze various security events related to each other.

In addition, in the conventional technology for analyzing the network-based security event log, there is a problem in that it is difficult to efficiently cope with such a need because the related analysis method can not be provided.

That is, in the early days, the security control service operates a network security system, and the basic service level limited to monitoring various events occurring in the equipment is mainstream.

Recently, hacking techniques such as alteration of homepage or leakage of important information have become more intelligent, specialized, advanced and time-consuming, and various personal information protection accidents have been experienced, and personal information protection is also recognized as an important point of security. However, And is not operated.

In order to solve the above problems, a company or a national institution performs risk management so as to be able to respond to various events (hereinafter referred to as security events) related to security breaches occurring in the network (hereinafter referred to as security events) To ensure the availability, integrity and confidentiality of multiple security solutions, we have developed an integrated security management system (ESM), a risk management system (RMS), a threat management system (TMS) A network security management system such as a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS) is constructed.

The risk management system (RMS) collects and analyzes security events for all information technology (IT) assets of the network, such as various security devices or network devices (e.g., servers, routers, Prevention of security incidents by responding to the detection and management of security level is always stable.

The threat management system (TMS) collects and analyzes security events occurring in the network to be managed, and particularly detects and identifies cyber threats of network traffic, and analyzes and comprehensively analyzes network traffic to provide early warning.

The firewall installs a router or an application gateway so that all information flows only through them, thereby selectively accepting, rejecting, or modifying information transmitted between a network in the enterprise or an organization and the Internet.

The intrusion detection system (IDS) collects and analyzes security events occurring in the network to be managed, and when the malicious network traffic is detected, the IDS performs a function of alarming the administrator.

The intrusion prevention system (IPS) collects and analyzes security events occurring in the network to be managed, and alerts the administrator to malicious network traffic and immediately blocks the security events.

The normal network security management system operating as described above determines the threat level corresponding to the security event according to the security policy of the network.

However, such a network security management system does not consider integrated, relevant analysis and unstructured data.

In addition, the rapid growth of the Internet provides various advantages, but at the same time, the Internet contains many problems.

The biggest problem area is the security area.

Many systems are now subject to attack, and these intrusion behaviors are classified according to the type of intrusion model, with misuse intrusions and abnormal intrusions.

Many intrusion detection techniques are introduced and intrusion detection systems (IDS: Intrusion Detection Systems) equipped with them are being commercialized, but most of them are detecting patterns, and the false rate is very high.

As described above, there is a problem in practically applying the intrusion detection information due to a high false rate to perform the actual control using only the intrusion detection information.

That is, the control system using the intrusion detection log information up to now has a disadvantage that it is difficult to confirm the actual intrusion information due to a large number of false positives.

On the other hand, methods using traffic statistics are proposed as attempts to detect external intrusions using statistical techniques.

In the case of the method using the traffic statistics, abnormality detection is performed through the time series analysis of the traffic statistical information, for example, in the case where the amount of traffic increases rapidly or the amount of traffic of a specific port increases more than usual.

However, this method can also be regarded as an attack against a normal use that causes a lot of traffic, and there is a problem that can not be detected for intrusion attempts that cause small traffic.

That is, the control system using the traffic statistic information provides a method of detecting the abnormal traffic by not utilizing the specific pattern unlike the intrusion detection system.

Generally, the method using traffic statistic information compares the amount of traffic of the steady state with the statistic value of the traffic and the amount of the traffic statistic information collected at present to determine whether it is a steady state or an abnormal state.

This method also uses only the statistical information of the traffic, so there is a difficulty in detecting the attack in the case of an attack with a high false alarm rate and a low traffic volume.

In addition, existing network firewalls operate at the network layer level in the OSI7 layer.

Since the existing firewall device controls the traffic according to the policy registered in the firewall, it is inconvenient for the administrator to directly manage the firewall policy, and communication between the devices connected to the internal network is difficult to control, The firewall program installed in the operating system has a serious problem that the operating system or the firewall program can not function normally when the virus is infected with the virus.

Accordingly, the present invention proposes a system that can control traffic between devices connected to the internal network, automatically manage a firewall policy, and automatically detect and analyze new attacks.

(Prior art) Korean Patent Registration No. 10-1323852

SUMMARY OF THE INVENTION Accordingly, it is a primary object of the present invention to provide a firewall agent for each of a plurality of devices connected to an internal network, Data, collects sub-security policy information provided by each firewall agent in the main firewall device, establishes comprehensive security policy information, and provides the established security policy information to the firewall agent, the firewall agent To perform security processing by referring to the comprehensive security policy information established for the packet data received from the configured device.

A second object of the present invention is to provide a main firewall device that collects sub-security policy information provided by a plurality of firewall agents and establishes comprehensive security policy information through machine learning to identify and manage threat elements in advance, Continuous attacks, and various security threats.

According to an aspect of the present invention, there is provided a firewall system for monitoring network traffic using a firewall agent,

And acquires sub-security policy information from each firewall agent installed in each computer terminal 400, establishes comprehensive security policy information using the obtained sub-security policy information, A main firewall device 100 for performing security processing on packet data transmitted from the internal network to the external network or from the external network to the internal network or from the internal network to the internal network by referring to the comprehensive security policy information,

A hub 200 for network connection between each computer terminal and each facility configured in the internal network and relaying packet data transmission / reception between each computer terminal and each facility in the internal network,

In the case where the integrated security policy information is not acquired from the main firewall device, the sub security policy information is provided to each of the computer terminals 400, and the sub security policy information is provided to the main firewall device. The firewall agent 300 for performing security processing on the received packet data according to the comprehensive security policy information obtained when the security policy information is obtained from the main firewall device .

According to another aspect of the present invention, there is provided a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal,

A firewall agent is installed and configured for each of a plurality of devices connected to the internal network to perform security processing on the received packet data according to the sub security policy information or to collect sub security policy information provided from each firewall agent in the main firewall device In the case of providing the comprehensive security policy information to the firewall agent, the firewall agent refers to the comprehensive security policy information established on the packet data received from the device configured by the firewall agent and performs security processing .

In particular, the firewall agent that includes the sub-security policy information established for each firewall agent configured in the internal network and obtains the comprehensive security policy information refers to the security policy other than the established sub-security policy information, It is possible to cope with security threats from various threat elements according to security processes not established in a specific firewall agent and to provide an effect of automatically managing a firewall policy.

In addition, in the main firewall device, the sub security policy information provided by a plurality of firewall agents is collected to establish comprehensive security policy information through machine learning (machine learning) to identify and manage threat elements in advance, They actively prepare for threats and respond quickly.

In other words, by collecting, analyzing, learning and reasoning security events occurring in firewall agents in real time, it continuously generates a prediction model for malicious code and network risk situation and performs integrated management to ensure availability, integrity and confidentiality can do.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram of a network risk overall analysis system according to the prior art; FIG.
BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.
3 is a block diagram of a firewall agent 300 of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.
4 is a block diagram of a sub-security policy information generating unit 330 of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.
5 is a block diagram of a main firewall device 100 of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.
6 is a block diagram of a total security policy information generation unit 140 according to another embodiment of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.
FIG. 7 is an exemplary diagram illustrating an operation of a firewall agent of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention; FIG.
FIG. 8 is an exemplary diagram illustrating a depth neural network algorithm of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention; FIG.

The following merely illustrates the principles of the invention. Therefore, those skilled in the art will be able to devise various apparatuses which, although not explicitly described or illustrated herein, embody the principles of the invention and are included in the concept and scope of the invention.

Furthermore, all of the conditional terms and embodiments listed herein are, in principle, only intended for the purpose of enabling understanding of the concepts of the present invention, and are not to be construed as limited to such specifically recited embodiments and conditions do.

In describing the present invention, the terms first, second, etc. may be used to describe various elements, but the elements may not be limited by terms.

Terms are for the sole purpose of distinguishing one component from another.

For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

It is to be understood that when an element is referred to as being connected or connected to another element, it may be directly connected or connected to the other element, but it may be understood that other elements may be present in between .

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.

The singular expressions may include plural expressions unless the context clearly dictates otherwise.

It is to be understood that the term " comprising, " or " comprising " as used herein is intended to specify the presence of stated features, integers, But do not preclude the presence or addition of steps, operations, elements, components, or combinations thereof.

In addition, the shapes and sizes of the elements in the drawings and the like can be exaggerated for clarity.

Hereinafter, an embodiment of a firewall system for monitoring network traffic using a firewall agent according to the present invention will be described in detail.

2 is an overall configuration diagram of a firewall system for monitoring network traffic using a firewall agent according to the first embodiment of the present invention.

As shown in FIG. 2, a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal of the present invention includes a main firewall device 100, a hub 200, a plurality of firewall agents 300, A computer terminal 400, and a plurality of facilities 450.

More specifically, the main firewall 100 is connected to the hub 200, acquires sub-security policy information from each firewall agent installed in each computer terminal 400, And performs security processing on packet data transmitted from the internal network to the external network or from the external network to the internal network or from the internal network to the internal network by referring to the established comprehensive security policy information .

The main firewall device 100 is configured between network sections having different trust levels. For example, the main firewall device 100 may be configured between an external network and an internal network, To prevent high-level networks, that is, from entering the internal network.

Often, a section with high reliability in the view of a network administrator is called an internal network section (internal network), and a section with low reliability is called an Internet section or an external network section (external network).

In addition, there are DMZ sections for servers that provide services to the outside world, and it helps prevent intrusion from the Internet to the internal network and freely communicate with the Internet in the internal network.

Most firewall devices are firewalls based on security policy and control traffic between networks with various level of security policy.

The security policy means a policy for blocking and allowing an IP address and a port, and defense against a DOS attack.

For example, it detects / blocks abnormal traffic virus malicious code coming from external network, detects / blocks malicious sites and randomly registered sites, detects / blocks services such as instant messenger, P2P, and games, Security policy information such as detection / blocking of transmission.

The hub 200 connects each computer terminal and each facility of the internal network, and relays packet data transmission / reception between the respective computer terminals and the respective facilities in the internal network.

Referring to FIG. 2, when one of the computer terminals 400 transmits the packet data to one of the facilities 450, the hub passes through the hub, and the hub receives the packet data, .

In addition, the firewall agent 300 is installed in each computer terminal 400, establishes sub security policy information and provides it to the main firewall device, and when it does not acquire comprehensive security policy information from the main firewall device, Performs security processing on the received packet data according to the established sub security policy information, and performs security processing on the received packet data according to the integrated security policy information obtained when the comprehensive security policy information is obtained from the main firewall device .

For example, when the first firewall agent 301 detects the site address' www.123.co.kr ', it establishes the first sub-security policy information to be blocked, and when the second firewall agent 302' the first firewall agent 301 and the second firewall agent 302 respectively set the second sub-security policy information to block when detecting the site address 'www.456.co.kr' Information and second sub-security policy information to the main firewall device, respectively.

Thereafter, when the firewall agent 300 does not acquire the comprehensive security policy information from the main firewall apparatus 100, the firewall agent 300 performs security processing on the received packet data according to the sub security policy information established by the firewall agent 300, When the comprehensive security policy information is acquired from the firewall device, the security processing is performed on the received packet data with reference to the acquired comprehensive security policy information.

For example, if the integrated security policy information including the first sub-security policy information and the second sub-security policy information is not acquired, the first firewall agent 301 determines that the received packet The security processing is performed on the data.

However, in this case, when the first firewall agent 301 detects the site address 'www.456.co.kr', it can not block the problem. This is because the security policy of 'www.456.co.kr' is not included in the first sub-security policy established by the first firewall agent 301 as a security policy established by the second firewall agent 302 .

On the other hand, if the first firewall agent 301 acquires the comprehensive security policy information including the first sub-security policy information and the second sub-security policy information, when detecting the site address 'www.456.co.kr' The first firewall agent 301 can block access to the site address ('www.456.co.kr').

That is, even if the security policies established in the firewall agents other than the first firewall agent 301 are not registered in the first firewall agent 301 by the administrator, the security policy information provided by the main firewall device 100 It is possible to perform the security processing according to the security policy established by the other firewall agents.

The total security policy information according to the present invention includes sub security policy information established for each firewall agent 300 configured in the internal network. In this case, any one of the firewall agents that have acquired the comprehensive security policy information transmits the sub security policy information And can perform security processing on the received packet data with reference to the sub security policy information established by the other firewall agents.

For example, the first sub-security policy information to block when detecting the site address 'www.123.co.kr' established by the first firewall agent 301, the first sub-security policy information to be blocked by the second firewall agent 302 If the main firewall device receives the comprehensive security policy information including the second sub security policy information to block when detecting the site address 'www.456.co.kr', all the firewall agents use the comprehensive security policy information Processing is performed.

In this case, a specific one of the firewall agents can use the sub security policy information established by the other firewall agent as well as the sub security policy information of the specific one, so that the security processing of the packet data collectively received is performed.

On the other hand, the packet data described in the present invention is a formatted block of data transmitted by the computer network of the packet data system in the information technology.

Packet data consists of control information and user data, which is also referred to as a payload. A computer communication connection that does not support packet data simply transmits data in succession of bytes, strings, and bits.

When the data is formatted into packet data, the network can send a long message more effectively and reliably, and therefore, the present invention will be described in terms of packet data instead of data.

Hereinafter, the reason why the firewall agent 300 is installed for each computer terminal 400 will be described in more detail.

As shown in FIG. 2, the main firewall apparatus 100 of the present invention includes comprehensive security policy information on packet data transmitted from the internal network to the external network, from the external network to the internal network, and from the internal network to the internal network And performs security processing based on the established comprehensive security policy information.

At this time, when the packet data is transmitted between the internal network elements, that is, between the plurality of computer terminals 400 and the facilities 450, the IP bands of the transmitting subject that receives the packet data and the receiving subject that receives the packet data are not the same When the packet data flow is examined, the packet data is transferred from the transmission subject (computer terminal), the hub, the main firewall device, the hub, and the receiving subject (facility). Therefore, it is possible to perform security processing according to the comprehensive security policy information of the main firewall device at the time of packet data transmission because it passes through the main firewall device.

However, when packet data is transmitted between the internal network elements, that is, between the plurality of computer terminals 400 and the facilities 450, the transmission band for transmitting the packet data and the band band for receiving the packet data are the same In the case of the packet data flow, the packet is transmitted from the transmitting entity (computer terminal) to the hub to the receiving entity (facility). Therefore, when the packet data is transmitted, it is impossible to perform security processing according to the comprehensive security policy information of the main firewall device because it does not go through the main firewall device.

In fact, although the packet data transmitted from the transmitting entity passes through the main firewall device, regardless of the security processing of the main firewall device, the packet data is automatically transmitted to the receiving entity through the hub (that is, (In the case where the IP bands are not the same) via the main firewall device in a case where the main firewall device is provided as a main firewall device, .

In order to solve this problem, in the present invention, a firewall agent (auxiliary firewall device) is installed in each computer terminal.

In this case, each of the firewall agents configured for each computer terminal identifies the characteristics of packet data transmitted to the computer terminal that is installed and installed to the computer terminal, and establishes the sub security policy information, Processing is performed.

Then, the firewall agent (auxiliary firewall device) provides the sub security policy information established by itself to the main firewall device, and the main firewall device synthesizes the collected sub security policy information to establish the comprehensive security policy information, Agent.

Accordingly, the firewall agents that receive the comprehensive security policy information perform the security processing using the comprehensive security policy information (including the sub security policy information established by itself).

If the main firewall device does not provide the comprehensive security policy information to all the firewall agents, the firewall agents perform only security processing according to the sub security policy information established by the main firewall device.

At this time, the comprehensive security policy information established by the main firewall device contains the contents of the security situation occurring in all the computer terminals in the internal network connected to the internal network, (E.g., a first computer terminal) according to the provided comprehensive security policy information without establishing a security policy for a security situation that does not occur in a specific computer terminal (e.g., the first computer terminal) It is possible to take immediate action in the event of a security situation that does not occur in itself.

For reference, all computer terminals have their own IP addresses. For example, '192.168.100.1', '192.168.100.2', '192.168.100.254', '192.168.101.1', '192.168.101.2', '192.168.101.254', '192.168.102.1', '192.168.102.2 ',' 192.168.102.254 ', and so on.

In this case, the IP addresses assigned to the computer terminals used in the internal network are maximum 254 in one IP band, and up to 254 in a computer terminal capable of managing in one IP band.

If the computer terminals having the same IP address are connected to the internal network, the main firewall device transmits a gateway address (unique IP address of the main firewall device) of three IP bands (100 bands, 101 bands, 102 bands) .

Accordingly, in the above case, there are 254 * 3 = 762 computer terminals capable of security management by the main firewall device.

In the case where packet data is transmitted from a computer terminal having an IP address of 192.168.100.1 to a PC having an IP address of 192.168.100.10 (in the case of packet data transmission between the same IP band), as described above, The security processing becomes impossible.

This is because the packet data transmission path does not go through the main firewall device because it is a transmission subject (computer terminal), a hub, and a receiver (facility), and security processing can not be performed according to the comprehensive security policy information.

Conversely, when data is transmitted from a computer terminal having an IP address of 192.168.100.1 to a computer terminal having an IP address of 192.168.101.10 (in the case of packet data transmission between different IP bands), as described above, Processing becomes possible.

This is because the packet data transmission path goes through the main firewall device since it is a transmission subject (computer terminal), a hub, a main firewall device, a hub, and a receiver (facility).

3 is a block diagram of a firewall agent 300 of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.

3, the firewall agent 300 includes a traffic log file generation unit 310, a traffic log file DB 320, a sub security policy information generation unit 330, a sub security policy information DB 340, A sub-security policy information transmitting unit 350, and a sub-security processing performing unit 360.

Specifically, the traffic log file generation unit 310 generates a traffic log file including a time of received packet data, a source IP (source IP), a destination IP (DIP), a packet data type, and a D PORT And stores it in the traffic log file DB.

division Time of occurrence SIP DIP TYPE D Port ... One TCP 12: 10: 00.00 192.168.100.123 211.123.123.10 SYN 80 2 TCP 12: 10: 00.02 211.123.123.10 192.168.100.123 SYN / ACK 1001 3 TCP 12: 10: 00.03 192.168.100.123 211.123.123.10 ACK 80 4 UDP 12: 10: 00.06 192.168.100.123 222.111.222.10 99

As shown in Table 1, the traffic log file generation unit 310 includes meaningful information such as a time of packet data, a source IP, a destination IP, a packet data type, and a destination port (D PORT) , And stores the traffic log file in the traffic log file DB.

Accordingly, the traffic log file DB 320 stores the traffic log file as shown in Table 1.

In addition, the sub-security policy information generator 330 extracts a traffic log file stored in the traffic log file DB to generate an association rule, and calculates a predictive value using the generated association rule, , Accumulates the number of duplicated counts, and then establishes the sub-security policy information and stores the sub-security policy information in the sub-security policy information DB.

This is for performing machine learning (machine learning) based on the collected traffic log file.

4, in order to perform the above function, the sub-security policy information generating unit 330 generates a sub-

A support score calculation module (331) for calculating a support score by calculating the weight of items generated in the plurality of traffic log files;

A reliability calculation module (332) for calculating a reliability value by calculating a specific weight of a traffic log file including a set item among traffic log files including any item among the set items;

An improvement degree calculating module (333) for calculating an improvement value by a value obtained by dividing the weight of the set items generated at the same time by the weight of the traffic log files in which items are not included at the same time;

An association rule generation module 334 for generating association rules by obtaining the support value, the reliability value, and the improvement value calculated by the support degree calculation module, the reliability calculation module, and the improvement degree calculation module;

A prediction degree calculation module (335) for calculating a prediction value based on a value obtained by dividing the cumulative number of times of occurrence of the traffic log file whose improvement value calculated by the improvement degree calculation module is equal to or greater than a reference value by an average of occurrence time;

A sub security policy information establishing module for establishing sub security policy information after the traffic log files are sorted in descending order of the predictive value calculated by the predictive value calculating module, 336);

And a sub security policy information storage module 337 for storing the sub security policy information generated by the sub security policy information creation module in the sub security policy information DB 340. [

More specifically, the support degree calculation module 331 calculates a support value by calculating a specific weight in which items are generated in a plurality of traffic log files.

Table 1 shows that the items to be used for calculating the support score are set as two items of SIP and D port and the weight of each item generated in the four traffic log files is calculated using Equation 1 below do.

SUPPORT = P (A∩B) (Equation 1)

For example, in Table 1, six items (classification, occurrence time, SIP, DIP, TYPE, D port) are stored in the packet data. ), SIP and D port are listed for each row, and the support for each value can be obtained as follows (Table 2 -> Table 3 -> Table 4).

SIP D Port One 192.168.100.123 80 2 211.123.123.10 1001 3 192.168.100.123 80 4 192.168.100.123 99

List item's value 192.168.100.123 80 211.123.123.10 1001 99

List item's value Support 192.168.100.123 3/4 = 75% 80 2/4 = 50% 211.123.123.10 1/4 = 25% 1001 1/4 = 25% 99 1/4 = 25%

The reliability calculation module 332 calculates the reliability value by calculating the specific gravity of the traffic log file including the set items among the traffic log files including any one of the set items.

Table 1 will be described. The reliability value is calculated by calculating the weight of the traffic log file including the SIP and the D port set at the same time among the traffic log files including the SIP items. For example, When calculating the reliability value of the traffic log file including the SIP (192.168.100.123) and the D port (80) among the traffic log files including the SIP (192.168.100.123), the following equation .

CONFIDENCE = P (A? B) / P (A) (Equation 2)

In the above case, the reliability value is obtained by dividing two times of the log including the SIP (192.168.100.123) and the D port (80) among the 4 logs including the SIP (192.168.100.123). (Table 5)

SIP D Port Concurrent inclusion



⇒ SIP D Port CONFIDENCE One 192.168.100.123 80 include 192.168.100.123 80 2/3 = 66% 2 211.123.123.10 1001 Without 211.123.123.10 1001 1/3 = 33% 3 192.168.100.123 80 include 192.168.100.123 99 1/3 = 33% 4 192.168.100.123 99 Without

The improvement degree calculation module 333 calculates the improvement value by dividing the weight of the set items generated at the same time by the specific weight at which the traffic log files in which items are not included are generated at the same time.

As shown in Table 1, the enhancement value is calculated by dividing the weight of the simultaneous occurrence of the item SIP and the D port by the weight of the traffic log file in which the item SIP and the D port are not included at the same time. The proportion of the simultaneous generation of the SIP (192.168.100.123) and the D port (80) in the first traffic log file is divided by the proportion of the traffic log files in which the SIP (192.168.100.123) and the D port (80) The following equation (3) is used in the case where the degree of improvement is calculated by the value.

P (A) P (B) = P (A | B) / P (B)

Among the four logs in Table 1, the ratio of traffic log files that do not contain SIP and D port simultaneously is 2/4 = 0.5. The improvement value can be obtained by dividing this value by the reliability value as follows. (Table 6)

SIP  D Port Reliability Enhancement 192.168.100.123 80 2/3 = 66% 66 / 0.5 = 132% 211.123.123.10 1001 1/3 = 33% 33 / 0.5 = 66% 192.168.100.123 99 1/3 = 33% 33 / 0.5 = 66%

At this time, the association rule generation module 334 acquires the support value, the reliability value, and the enhancement value calculated by the support degree calculation module, the reliability calculation module, and the improvement degree calculation module to generate the association rule.

Generally, when analyzing the traffic log file, the association analysis is performed using various association analysis algorithms such as frequency analysis, crossover analysis, correlation analysis, and the association rule is generated.

That is, as the support value, the reliability value, and the enhancement value are larger in generating the association rule, the associativity is high for each item.

For example, if an association rule is created based on a value that is 50% or more of the support value, the reliability value, and the enhancement value, the following values are generated in each module for the association rule creation (see Tables 7 to 9).

Support value calculation module 331 Result value The value of the item Support 192.168.100.123 3/4 = 75% 80 2/4 = 50%

The reliability calculation module 332 SIP D Port CONFIDENCE 192.168.100.123 80 66%

The improvement degree calculation module 333 SIP D Port Reliability Enhancement 192.168.100.123 80 2/3 = 66% 66 / 0.5 = 132% 211.123.123.10 1001 1/3 = 33% 33 / 0.5 = 66% 192.168.100.123 99 1/3 = 33% 33 / 0.5 = 66%

As mentioned above, when the association rule generation target is selected, the items that are included in the supportability, reliability and improvement degree are 192.168.100.123, 80, and these items are duplicated with SIP (192.168.100.123) and D port (80) It is likely to occur and is temporarily stored in the association rule table as shown in Table 10 below.

SIP D Port 192.168.100.123 80

Then, the prediction-degree calculating module 335 calculates a predictive value based on a value obtained by dividing the cumulative number of times of occurrence of the traffic log file whose improvement value calculated by the improvement degree calculating module is equal to or greater than the reference value by the average of the occurrence times do.

For example, when the predictive value is calculated by a value obtained by dividing the cumulative occurrence count (C) by the traffic logging time (T) with respect to the traffic log file having the improvement value calculated by the improvement degree calculation module as a reference value of 1 or more The following equation (4) is used.

P (B)? 1) (C / T) else null (Equation 4) Predicted PREDICTION =

For example, in the improvement degree of the above-described improvement degree calculating module, the prediction degree is set to 0 for the degree of improvement of 1 or less, and in the case of 192.168.100.123, 80 in which the degree of improvement is 1 or more, (192.168.100.123), D port (80) and traffic logging time are collected, and the number of occurrences is 2 times and the time is 0.06, which is calculated as 2 / 0.06,

SIP D Port Enhancement Forecast 192.168.100.123 80 132% = 1.32 2 / 0.06 = 33 211.123.123.10 1001 66% = 0.66 0 192.168.100.123 99 66% = 0.66 0

After that, the sub-security policy information establishing module 336 sorts the traffic log files in the descending order of the degree of prediction calculated by the degree of likelihood calculating module, accumulates the number of counts generated by duplication, Information will be established.

At this time, the sub-security policy information storage module 337 stores the sub-security policy information generated by the sub-security policy information creation module in the sub-security policy information DB 340.

Forecast division SIP DIP TYPE D Port Re time Count 33 TCP 192.168.100.123 211.123.123.10 - 80 0.15 2 0 TCP 211.123.123.10 192.168.100.123 - 1001 0 One 0 UDP 192.168.100.123 222.111.222.10 - 99 0 One

Therefore, the sub-security policy information DB 340 stores the traffic log file as shown in Table 12.

The stored traffic log file of Table 12 is information obtained by performing machine learning by the sub-security policy information generating unit 330, and can be integrated with information generated through previous machine learning and can be updated In Table 12, the information includes meaningful traffic log files that may be generated in the future. If the traffic log files are generated as shown in Table 12, the traffic log files shown in Table 1 are deleted.

The sub-security policy information transmitting unit 350 matches the sub-security policy information stored in the sub-security policy information DB 340 with the unique ID information of the corresponding firewall agent and transmits the matching information to the main firewall apparatus 100 .

For example, when the unique ID information of the first firewall agent is '# 1', the unique ID information is matched with the sub security policy information established by the first firewall agent and transmitted to the main firewall device.

At this time, when the sub security processing unit 360 does not acquire the comprehensive security policy information from the main firewall apparatus, the sub security processing unit 360 performs security processing on the received packet data with reference to the established sub security policy information.

That is, the security processing for the packet data received based on the sub security policy information stored in the sub security policy information DB 340 is performed. For example, when the traffic log And perform security processing (e.g., white list, black list, etc.) of the file.

Meanwhile, when the main security processing unit 360 obtains the comprehensive security policy information from the main firewall apparatus, the sub security processing unit 360 performs security processing by referring to the comprehensive security policy information on the received packet data.

That is, when the comprehensive security policy information is provided from the main firewall device, security processing is performed by referring to the comprehensive security policy information. Since the dictionary provides security policy information that is not set in the specific firewall agent by the administrator A new type of packet data connection can be blocked by a specific firewall agent.

The operation of the firewall agent will be described with reference to FIG.

The labeling data required for the sub-security policy information generation unit 330 of the firewall agent (ID is 001) to analyze the traffic log file by machine learning (machine learning) is generated using information according to standards such as packet data type and protocol Information is used as labeling data.

Labeling data is divided into normal packet data W (white) and abnormal packet data B (black).

For example, as shown in FIG. 7, it is assumed that three TCP connections are made from the internal user 1 to the server.

The information on the 3-way handshake process is shown below.

division SMAC DMAC SIP DIP TYPE D Port TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 4001 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Table 13 above shows the primary connection.

division SMAC DMAC SIP DIP TYPE D Port TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 5001 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Table 14 above shows the secondary connection.

division SMAC DMAC SIP DIP TYPE D Port TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 6001 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Table 15 shows the time of the third connection.

At this time, the traffic log file generation unit 310 generates a traffic log file including time, SIP, DIP, packet data type, and D PORT of the received packet data, and stores the generated traffic log file in the traffic log file DB.

time division SMAC DMAC SIP DIP TYPE D Port 0.01 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 0.02 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 4001 0.03 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 10.01 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 10.02 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 5001 10.03 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 20.01 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 20.02 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 6001 20.03 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

That is, the traffic log file shown in Table 16 is generated and stored in the traffic log file DB.

Then, the sub-security policy information generating unit 330 extracts the traffic log file stored in the traffic log file DB to generate an association rule, calculates a predictive value using the generated association rule, After accumulating the number of counts generated redundantly, the sub-security policy information is established and stored in the sub-security policy information DB.

type SMAC DMAC SIP DIP TYPE D Port Re time Count division Forecast TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 0.1 3 W 3 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 0.1 3 W 3 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 4001 0.1 One W One TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 5001 0.1 One W One TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 6001 0.1 One W One

That is, the sub security policy information as shown in Table 17 is generated and stored in the sub security policy information DB. (The predictive value in Table 17 is an example for the sake of understanding.)

In the sub-security policy information of Table 17, there is a predictive value for the packet data to be connected. The higher the value of the predictive value, the closer to the normal packet data.

In the above procedure, it is assumed that the connection of one of the three connections due to the modulation of the packet data occurs as follows.

division SMAC DMAC SIP DIP TYPE D Port TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 4001 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Table 18 shows the primary connection.

division SMAC DMAC SIP DIP TYPE D Port TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 5001 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Table 19 above shows the secondary connection.

division SMAC DMAC SIP DIP TYPE D Port TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 6001 TCP 50: B7: c3: AD: B9: 71 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Table 20 shows the third connection.

At this time, the packet data of SMAC 50: B7: c3: AD: B9: 71 is modulated.

At this time, the traffic log file generation unit 310 of the firewall agent generates a traffic log file as shown in the following Table 21 and stores it in the traffic log file DB.

Packet data with SMAC 50: B7: c3: AD: B9: 71 in Table 21 is modulated.

time division SMAC DMAC SIP DIP TYPE D Port 0.01 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 0.02 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 4001 0.03 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 10.01 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 10.02 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 5001 10.03 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 20.01 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 20.02 TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 6001 20.03 TCP 50: B7: c3: AD: B9: 71 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80

Then, the sub-security policy information generator 330 of the firewall agent generates sub-security policy information as shown in Table 22 below and stores the sub-security policy information in the sub-security policy information DB.

type SMAC DMAC SIP DIP TYPE D Port Re time Count division Forecast TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 211.123.123.10 SYN 80 0.1 3 W 3 TCP 17: 0c: 29: Fa: 01: b0 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 0.1 2 W 3 TCP 50: B7: c3: AD: B9: 71 38: 1b: 1c: ca: 99: a0 192.168.100.123 222.111.222.10 ACK 80 0.1 One B One TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 4001 0.1 One W One TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 5001 0.1 One W One TCP 38: 1b: 1c: ca: 99: a0 17: 0c: 29: Fa: 01: b0 211.123.123.10 192.168.100.123 SYN / ACK 6001 0.1 One W One

That is, as shown in Table 22, the packet data of SMAC 50: B7: c3: AD: B9: 71 is modulated packet data and is represented as 'B', which is abnormal packet data, to generate sub-security policy information.

'W' in the column of Table 22 is an abbreviation of the white list, which means normal packet data, and 'B', abbreviation of black list means abnormal packet data.

5 is a block diagram of a main firewall device 100 of a firewall system for monitoring network traffic using a firewall agent configured for each computer terminal according to the first embodiment of the present invention.

As shown in FIG. 5, the main firewall device 100 includes:

A traffic log file including the time of packet data transmitted from the internal network to the external network or from the external network to the internal network, the SIP, the DIP, the packet data type, and the D PORT is generated and stored in the main traffic log DB A traffic log file generation unit 110;

A main traffic log file DB 120 storing a traffic log file generated by the main traffic log file generation unit;

A traffic log file analysis unit 130 for analyzing the predicted degree, SIP, DIP, packet data type, D PORT, and count number of the traffic log file stored in the main traffic log file DB using the received sub security policy information;

A total security policy information for storing the total number of counts generated after the traffic log files are sorted in order of the degree of predictability of the traffic log file, A generating unit 140;

A security policy information DB 150 storing the comprehensive security policy information generated by the comprehensive security policy information generation unit;

A comprehensive security policy information transmission unit 160 for transmitting the comprehensive security policy information stored in the security policy information DB to each firewall agent;

A main security processing unit 170 for performing security processing with reference to the comprehensive security policy information stored in the security policy information DB 150 for packet data transmitted from the internal network to the external network or from the external network to the internal network, ; ≪ / RTI >

Specifically, the main traffic log file generation unit 110 generates a main traffic log file including a time of packet data transmitted from the internal network to the external network or from the external network to the internal network, a traffic log including a SIP, a DIP, a packet data type, File and stores it in the main traffic log file DB.

For example, since the WAN, LAN, DMZ interface and main firewall are connected as shown in Table 13, meaningful information including time, SIP, DIP, packet data type, and D PORT of packet data transmitted / And generates and stores the traffic log file in the main traffic log file DB.

division Time of occurrence Zone SIP DIP TYPE D Port ... TCP 0.01 Wan-> Lan 192.168.100.123 211.123.123.10 SYN 80 TCP 0.02 Lan-> Wan 211.123.123.10 192.168.100.123 SYN / ACK 1001 UDP 0.03 Wan-> Dmz 192.168.100.123 222.111.222.10 ICMP 00 TCP 0.05 Dmz-> Wan 222.111.222.10 192.168.100.123 TCP 0.05 Lan-> Dmz 192.168.100.123 192.168.100.123 SYN 80

Therefore, the main traffic log file DB 120 stores the traffic log file as shown in Table 23.

At this time, the traffic log file analyzing unit 130 uses the received sub security policy information to calculate the predicted degree of the traffic log file stored in the main traffic log file DB, the SIP, the DIP, the packet data type, the D PORT, Analysis.

That is, since the sub security policy information provided from the respective firewall agents is acquired, the traffic log file stored in the main traffic log file DB is analyzed using the information. For example, as shown in Table 24, The DIP, the packet data type, the D PORT, and the count number.

Forecast division SIP DIP TYPE D Port Re time Count One TCP 192.168.100.123 211.123.123.10 SYN 80 1.3 11 2 TCP 211.123.123.10 192.168.100.123 SYN / ACK 1001 2.5 22 3 UDP 192.168.100.123 222.111.222.10 99 0.1 11

At this time, the comprehensive security policy information generating unit 140 arranges the traffic log files in order of the degree of prediction of the traffic log files, accumulates the counts of the duplicated counts, and then establishes the comprehensive security policy information, And stored in the information DB 150.

Therefore, the comprehensive security policy information as shown in Table 24 is stored in the security policy information DB 150.

6, the comprehensive security policy information generating unit 140 according to another embodiment of the present invention,

An item attachment map generation module 141 for obtaining the sub security policy information provided from the respective firewall agents and calculating the item association rule support value;

A group processing module (142) for setting firewall agents having a support value having the highest association rule support value as a group;

Layer perceptron learning module 143 for calculating an output value using a Deep Neural Network algorithm and a Reinforcement Learning algorithm.

Specifically, the item-related-land map calculation module 141 calculates sub-security policy information provided from the respective firewall agents, and then calculates an association rule support value for each item. The support-attribution calculation module 331 ). ≪ / RTI >

That is, the support value is calculated by calculating the weight of the items generated in the plurality of traffic log files.

For example, it is assumed that the sub-security policy information collected from the firewall agents is as follows.

That is, the sub-security policy information of the firewall agents # 1, # 2, and # 3 is shown in Table 25 below.

agent
ID Forecast division SIP DIP D Port Re time Count #One 33 TCP 192.168.100.123 211.123.123.10 80 0.15 2 #One 0 TCP 211.123.123.10 192.168.100.123 1001 0 One #One 0 UDP 192.168.100.123 222.111.222.10 99 0 One #2 33 TCP 192.168.100.123 211.123.123.11 80 0.15 2 #2 0 TCP 211.123.123.11 192.168.100.123 2001 0 One #2 0 UDP 192.168.100.123 222.111.222.11 99 0 One # 3 0 TCP 1.1.1.1 2.2.2.2 80 0 2 # 3 0 TCP 2.2.2.2 1.1.1.1 3001 0 One

If the number of items used in the support calculation is two (SIP, D port), the values for SIP and D port are listed for each row, and the support for each value can be obtained as follows (Table 26 -> Table 27 -> Table 28)

SIP D Port One 192.168.100.123 80 2 211.123.123.10 1001 3 192.168.100.123 99 4 192.168.100.123 80 5 211.123.123.11 2001 6 192.168.100.123 99 7 1.1.1.1 80 8 2.2.2.2 3001

->

List item's value 192.168.100.123 80 211.123.123.10 1001 99 211.123.123.11 2001 1.1.1.1 2.2.2.2 3001

->

List item's value Support 192.168.100.123 4/8 = 50% 80 3/8 = 37% 211.123.123.10 1/8 = 12% 1001 1/8 = 12% 99 2/8 = 25% 211.123.123.11 1/8 = 12% 2001 1/8 = 12% 1.1.1.1 1/8 = 12% 2.2.2.2 1/8 = 12% 3001 1/8 = 12%

Thereafter, the group processing module 142 sets the firewall agents having the highest support value of the association rule support value as a group.

For example, if information including 192.168.100.123 (50%) indicated by the item with the highest degree of support is selected from the example of the above-described item-addition map generation module 141,

Agent ID Forecast division SIP DIP D Port Re time Count #One 33 TCP 192.168.100.123 211.123.123.10 80 0.15 2 #One 0 TCP 211.123.123.10 192.168.100.123 1001 0 One #One 0 UDP 192.168.100.123 222.111.222.10 99 0 One #2 33 TCP 192.168.100.123 211.123.123.11 80 0.15 2 #2 0 TCP 211.123.123.11 192.168.100.123 2001 0 One #2 0 UDP 192.168.100.123 222.111.222.11 99 0 One # 3 0 TCP 1.1.1.1 2.2.2.2 80 0 2 # 3 0 TCP 2.2.2.2 1.1.1.1 3001 0 One

Then, the group processing module 142 groups values such as SIP, D port, and agent ID as shown in Table 30 on the basis of the degree of support.

group Agent ID division value Support A group (support degree 30% -100%) # 1, # 2 SIP 192.168.100.123 50% #One Dport 80 37%
B group (support 0% -30%) # 1, # 2 Dport 99 25% #One SIP 211.123.123.10 12% #One Dport 1001 12% #2 SIP 211.123.123.11 12% #2 Dport 2001 12% # 3 SIP 1.1.1.1 12% # 3 SIP 2.2.2.2 12% # 3 Dport 3001 12%

Thereafter, the multi-layer perceptron learning module 143 calculates an output value using a Deep Neural Network algorithm and a Reinforcement Learning algorithm.

That is, the output value is calculated by using the Deep Neural Network algorithm and the Reinforcement learning algorithm, which is an error back propagation algorithm (multi-layer perceptron learning algorithm), and comprehensive security policy information is established with the corresponding output value, And stored in the policy information DB 150.

More specifically, the information grouped in the group processing module 142 is information including an agent ID, an item classification, a value, etc., and the items are not limited to the above values, and all meaningful information in the traffic is an item .

The depth neural network algorithm and the reinforcement learning algorithm structure the output type by the administrator. Similar to the sub-security policy information of the firewall agent, the output value is formed as shown in Table 31 below.

Allow / Deny Agent ID Type SIP DIP Port Count ...

In this case, the input values to be input to the neural network algorithm are generated as shown in Table 32 below, and grouped information is used as an input value to the neural network algorithm.

Agent ID Forecast Type SIP DIP D Port Re time Count ... #One 33 TCP 192.168.100.123 211.123.123.10 80 - 2 ... #2 33 TCP 192.168.100.123 211.123.123.11 80 - - ...

The in-depth neural network algorithm that receives the above values as input values can calculate the output values as shown in the following Table 33 on the above-mentioned values by calculating them together with the accumulated values for each item.

Allow / Deny Agent ID Type SIP DIP D Port ... null #One TCP 192.168.100.X null 80 ... null #2 TCP 192.168.100.X null 80 ...

For example, assuming that SIP (192.168.100.123) is input to the in-depth neural network algorithm, the value of 192.168.100.123 is passed through a number of hidden layers with a high weight for the supported items based on the support, When some values exceeding the allowable value of SIP such as 192.168.100.999 are outputted, it is judged that an error has occurred and the weight is corrected and the output value is obtained again. do.

This process can be diagrammed as shown in FIG. 8, and it is possible to extract an item for which a security policy is to be created by repeating the process of FIG.

The above output value establishes a policy for allow / deny through the reinforcement learning algorithm. The reinforcement learning algorithm uses information such as communication protocol, existing security policy, and sub security policy information as environment, And recognizes the security policy for the value received from the neural network algorithm.

For example, assuming that the outputs of the neural network algorithms in Table 34 are all output values for the information generated in the 3-way handshake process, the values of the sub-security policy information in the environment of the reinforcement learning algorithm are used to compare whether they occur normally in the 3-way handshake process Able to know.

Allow / Deny Agent ID Type SIP DIP D Port ... null #One TCP 192.168.100.X null 80 ... null #2 TCP 192.168.100.X null 80 ...

In addition, if TCP connection is established in a normal communication protocol, TCP termination should be performed. If the TCP termination is not performed, the reinforcement learning algorithm can be known by using environment information.

For example, if the information transmitted from agent # 1 includes normal TCP termination information and agent # 2 does not contain the termination information of normal TCP, the reinforcement learning algorithm judges it, And a security policy is generated.

Allow / Deny Agent ID Type SIP DIP D Port ... Allow #One TCP 192.168.100.X null 80 ... Deny #2 TCP 192.168.100.X null 80 ...

The above example is a fragmentary example, but if you use various items in each module, more accurate and faster security policies can be created.

In addition, the Deep Neural Network described in the present invention can be applied to a high level of abstractions (a task of summarizing core contents or functions in a large amount of data or complex data) through a combination of various nonlinear transformation techniques, This is an area of machine learning that teaches computers to people's minds in a large framework.

When there is any data, it is represented in a form that can be understood by the computer (for example, in the case of an image, pixel information is expressed as a column vector), and many studies As a result of these efforts, various deep learning techniques such as deep neural networks, convolutional deep neural networks, and deep belief networks have been developed for computer vision, voice Recognition, natural language processing, voice / signal processing, and so on.

The Deep Learning Project with Stanford University's Andrew Yeung and Google in 2012 saw 16,000 computer processors, more than a billion neural networks, and deep neural networks (DNNs), making it possible to recognize more than 10 million videos uploaded to YouTube Respectively.

This software framework is referred to as DistBelief in the paper, and Microsoft, Facebook, etc., are also making impressive achievements by acquiring research teams or running their own development team.

Reinforcement learning is also an area of machine learning.

A method inspired by behavioral psychology, in which an agent defined in an environment recognizes the current state and selects an action or sequence of actions that maximizes compensation among the selectable behaviors.

These problems are so comprehensive that they are also studied in areas such as game theory, control theory, operational science, information theory, simulation-based optimization, multiagent systems, flock intelligence, statistics, and genetic algorithms.

The field in which reinforcement learning is studied in operational science and control theory is called "approximate dynamic programming".

The optimization control theory also studies similar problems, but it differs from the reinforcement learning approach in terms of learning and approximation in that most studies focus on the existence and characteristics of the optimal solution.

In economics and game theory, reinforcement learning is also used to explain how equilibrium can occur under limited rationality.

The 'environment' covered in reinforcement learning is mainly given by the Markov decision process.

The difference between the existing method of solving the Markov decision process problem and the reinforcement learning is that the reinforcement learning does not require knowledge of the Markov decision process and that reinforcement learning can not be applied to a deterministic method The problem of the Markov decision process.

Reinforcement learning also differs from general instruction in that there is no training set of input and output pairs and no explicit correction is made for wrong behavior.

Instead, the focus of reinforcement learning is on-line performance, which is enhanced by balancing exploration and exploitation. The balance problem of search and use is the most studied problem in reinforcement learning, and it has been studied in multi-armed bandit problem and finite Markov decision process.

As a result, the multi-layer perceptron learning module 143 of the present invention calculates an output value using a Deep Neural Network algorithm and a Reinforcement learning algorithm, which are types of machine learning, will be.

Then, the integrated security policy information transmission unit 160 transmits the comprehensive security policy information stored in the security policy information DB to each firewall agent.

That is, each of the firewall agents performs security processing on the packet data received based on the comprehensive security policy information established in the main firewall device.

Also, the main security processing unit 170 refers to the comprehensive security policy information stored in the security policy information DB 150 with respect to packet data transmitted from the internal network to the external network or from the external network to the internal network, .

For example, the packet data is securely handled as a normal (white list) when the degree of prediction is higher than a reference value (for example, 2) and an abnormal (black list) when the degree of prediction is lower than the reference value.

An example of establishing the comprehensive security policy information in the main firewall will be described in more detail as follows.

The main traffic log file generation unit 110 of the main firewall device includes time, SIP, DIP, packet data type, and D PORT of packet data transmitted from the internal network to the external network or from the external network to the internal network as shown in Table 13 And stores the generated traffic log file in the main traffic log file DB.

At this time, the traffic log file analyzing unit 130 of the main firewall device obtains the sub security policy information as shown in Table 12 provided from the firewall agent, and predicts the traffic log file stored in the main traffic log file DB, the SIP, the DIP, Packet data type, D PORT, and count number.

Then, the total security policy information generating unit 140 arranges the traffic log files in the descending order of the degree of prediction of the traffic log files, accumulates the counts of the duplicated counts, and then establishes the total security policy information, And stored in the information DB.

In other words, referring to Table 12, if the log files are sorted in a descending order of the degree of prediction and the number of counts that are duplicated is accumulated, for example, the first packet data '17: 0c: 01: b0 ', the cumulative count number 3 is generated.

In the end, the comprehensive security policy information includes type information (TCP, UDP, etc.), SMAC information, DMAC information, SIP information, DIP information, type information (SYN, ACK, SYN / ACK, 5001, 6001, etc.), RE TIME information, count information, division information (White, Black), and prediction value.

According to the present invention, a firewall agent is installed and configured for each of a plurality of devices connected to the internal network to perform security processing on received packet data according to sub-security policy information, In the case of providing comprehensive security policy information to the firewall agent by collecting security policy information and establishing comprehensive security policy information, the firewall agent refers to the comprehensive security policy information established with respect to the packet data received from the device configured by the firewall agent, The effect of performing the processing is exhibited.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It should be understood that various modifications may be made by those skilled in the art without departing from the spirit and scope of the present invention.

100: main firewall device
200: Hub
300: Firewall Agent
400: computer terminal

Claims (6)

1. A firewall system for monitoring network traffic using a firewall agent,
And acquires sub-security policy information from each firewall agent installed in each computer terminal 400, establishes comprehensive security policy information using the obtained sub-security policy information, A main firewall device 100 for performing security processing on packet data transmitted from the internal network to the external network or from the external network to the internal network or from the internal network to the internal network by referring to the comprehensive security policy information,
A hub 200 for network connection between each computer terminal and each facility configured in the internal network and relaying packet data transmission / reception between each computer terminal 400 and each facility 450 configured in the internal network, Wow,
In the case where the integrated security policy information is not acquired from the main firewall device, the sub security policy information is provided to each of the computer terminals 400, and the sub security policy information is provided to the main firewall device. The firewall agent 300 for performing security processing on the received packet data according to the comprehensive security policy information obtained when the security policy information is obtained from the main firewall device And is characterized in that,

The firewall agent (300)
A traffic log file generation unit 310 for generating a traffic log file including the time of received packet data, the SIP, the DIP, the packet data type, and the D PORT and storing the generated traffic log file in the traffic log file DB;
A traffic log file DB 320 storing a traffic log file generated by the traffic log file generation unit 310;
Extracts a traffic log file stored in the traffic log file DB 320 to generate an association rule, calculates a predictive value using the generated association rule, aligns the traffic log files in order of the predictive value, A sub security policy information generating unit 330 for generating a sub security policy and generating and storing the sub security policy information DB in the sub security policy information DB after accumulating the counts that are generated redundantly;
A sub security policy information DB 340 for storing sub security policy information generated by the sub security policy information generating unit 330;
A sub-security policy information transmitter 350 for matching the sub-security policy information stored in the sub-security policy information DB 340 with the unique ID information of the corresponding firewall agent and transmitting the matching result to the main firewall 100;
When the integrated security policy information is not acquired from the main firewall apparatus, security processing is performed on the received packet data with reference to the established sub security policy information or when acquiring comprehensive security policy information from the main firewall apparatus And a sub security processing unit 360 for performing security processing on the received packet data with reference to the integrated security policy information,

The sub-security policy information generating unit 330,
A support score calculation module (331) for calculating a support score by calculating the weight of items generated in the plurality of traffic log files;
A reliability calculation module (332) for calculating a reliability value by calculating a specific weight of a traffic log file including a set item among traffic log files including any item among the set items;
An improvement degree calculating module (333) for calculating an improvement value by a value obtained by dividing the weight of the set items generated at the same time by the weight of the traffic log files in which items are not included at the same time;
An association rule generation module 334 for generating association rules by obtaining the support value, the reliability value, and the improvement value calculated by the support degree calculation module, the reliability calculation module, and the improvement degree calculation module;
A prediction degree calculation module (335) for calculating a prediction value based on a value obtained by dividing the cumulative number of times of occurrence of the traffic log file whose improvement value calculated by the improvement degree calculation module is equal to or greater than a reference value by an average of occurrence time;
A sub security policy information establishing module for establishing sub security policy information after the traffic log files are sorted in descending order of the predictive value calculated by the predictive value calculating module, 336);
And a sub security policy information storage module (337) for storing the sub security policy information generated by the sub security policy information creation module in the sub security policy information DB (340) A firewall system that uses agent to monitor network traffic.
The method according to claim 1,
The integrated security policy information established by the main firewall device 100 includes sub security policy information established for each firewall agent 300 configured in the internal network,
In this case, one of the firewall agents that have acquired the comprehensive security policy information from the main firewall apparatus 100 refers to the sub security policy information established by the other firewall agents and the sub security policy information established by the firewall agent, Wherein the firewall agent monitors the network traffic using the firewall agent.
delete The method according to claim 1,
The main firewall device (100)
A traffic log file including the time of packet data transmitted from the internal network to the external network or from the external network to the internal network or from the internal network to the internal network, SIP, DIP, packet data type, and D PORT is generated, A main traffic log file generation unit 110 for storing the main traffic log file;
A main traffic log file DB 120 storing traffic log files generated by the main traffic log file generation unit;
A traffic log file analysis unit 130 for analyzing the predicted degree, SIP, DIP, packet data type, D PORT, and count number of the traffic log file stored in the main traffic log file DB using the received sub security policy information;
A total security policy information for storing the total number of counts generated after the traffic log files are sorted in order of the degree of predictability of the traffic log file, A generating unit 140;
A security policy information DB 150 storing the comprehensive security policy information generated by the comprehensive security policy information generation unit;
A comprehensive security policy information transmission unit 160 for transmitting the comprehensive security policy information stored in the security policy information DB to each firewall agent;
A main security for performing security processing with reference to the comprehensive security policy information stored in the security policy information DB 150 for packet data transmitted from the internal network to the external network or from the external network to the internal network or from the internal network to the internal network And a process execution unit (170) for monitoring the network traffic using the firewall agent.
The method according to claim 1,
The sub-security policy information generating unit 330,
And machine learning (machine learning) is performed based on the collected traffic log file to establish sub-security policy information.
5. The method of claim 4,
The integrated security policy information generation unit 140,
A firewall system for monitoring network traffic using a firewall agent, characterized by establishing comprehensive security policy information using a Deep Neural Network algorithm and a Reinforcement learning algorithm.

Images