KR101988205B1 - Virtual private network service system - Google Patents

Abstract

The present invention relates to a virtual private network service system capable of realizing a virtual private network by downloading a virtual private network system to a remote user terminal on a web through a public network and installing the system without having separate VPN equipment. The system comprises: a remote user terminal; a VPN main unit for transmitting virtual private network (VPN) installation information to the remote user terminal when the connection is established through the user terminal, and providing a VPN tunneling unit and an authentication module to the remote user terminal when a user′s installation request signal is received; and an internal terminal connected to a private network in the enterprise which the remote user terminal is to access and connecting to the remote user terminal.

Description

{VIRTUAL PRIVATE NETWORK SERVICE SYSTEM}

The present invention relates to a virtual private network service system, and more particularly, to a virtual private network service system capable of downloading and installing a virtual private network system from a web site to a remote user terminal via a public network, Service system.

Typically, in a distributed enterprise environment, a typical method of connecting head office and branch office is to construct a network using a leased line or a frame relay.

However, such a leased line or a frame relay has a problem in that the line cost is relatively high.

Therefore, virtual private network (VPN) technology has emerged as a new network service using Internet (public network) which is inexpensive and widely used compared to leased line or frame relay.

Virtual Private Network VPN (Virtual Private Network) technology is a technology to construct a virtual private network so that it can communicate securely with the outside by connecting the remote terminal (branch office) with the head office using the existing public network.

However, in the conventional VPN system, as shown in FIG. 1, in order to construct a virtual communication line called 'tunnel' at the start point and end point of a virtual private network (VPN) on a public network, VPN units 200, 300, and 400 were also required on the LAN 301 side of the branch office / branch office and on the internal terminal PC side LAN 201 connected to the private network in the corporation.

Therefore, the user at the remote location can only transmit and receive information and data in the place where the VPN units 200, 300, and 400 are installed, and the user has to directly carry the VPN units 200, 300,

In addition, the VPN units 200, 300, and 400 are not easy to install by ordinary users, and have problems in compatibility with different networks and systems.

Korean Patent Publication No. 10-2015-0079236 Korean Patent No. 10-1473607

Accordingly, it is an object of the present invention to provide a virtual private network (VPN) service system capable of downloading and installing a virtual private network system on the web anytime and anywhere without a separate VPN device.

According to an aspect of the present invention, there is provided a virtual private network service system comprising: a remote user terminal at a remote location; A VPN main unit for providing virtual private network (VPN) installation information to the remote user terminal when the connection is established through the user terminal, and providing a VPN tunneling unit and an authentication module to the remote user terminal, ; And an internal terminal connected to the private network in the enterprise to which the remote user terminal is to access and connected to the remote user terminal.

In one embodiment, a virtual private network service system according to an embodiment of the present invention, in accordance with an embodiment of the present invention, includes a destination IP of all packets passing through a TDI layer of the remote user terminal, And a redirector for hooking the filtered packet and converting the destination IP of the hooked packet into an agent IP, Module and a redirector module, converts the agent IP into a VPN main unit IP, adds a destination IP to the remote user terminal for the first connection to the contents of the packet, A VPN tunneling unit having an agent module for transmitting to the main unit; An authentication module for authenticating a connection to a VPN main unit of the remote user terminal; And, when an encrypted packet is received from the agent module, converts the IP address of the VPN main unit of the packet into the destination IP address of the remote user terminal for the first connection and decrypts the IP address to an internal terminal connected to the private network And a VPN main unit for encrypting the response packet and transmitting the encrypted response packet to the remote user terminal in the reverse order.

In one embodiment, the VPN main unit is implemented on a development environment management system that restricts a developer's authority on use of a software component and performs security authentication on a development system used by a developer, , And when receiving a software component creation or modification permission request message from the development system, processing the software component creation or modification permission request message by checking the rights information of the development system, the software component including source code and debugging information A binary binary not including debugging information, a document for a detailed description of the code, and a process equation model for understanding the code, the permission information including at least one of read Authority, software Wherein the development environment management system includes at least one of a storage right for creating and modifying a storage unit and a permission right for adjusting rights information, When a software component is created or modified by any one development system that satisfies the rights information so that it can be used in the development system, it is stored and controlled so that it can be shared by other development systems. A database storing the creation or revision history of the software component is constructed so that it can be tracked step by step and the influence of the specific variable on the change of the value of any other variable can be grasped, Component Generates history information including whether to create / modify the software component, the creation / modification date of the software component, the creation / modification frequency of the software component, and the rights information of the development system that created / modified the software component, The history information database of the software component corresponding to the type having the highest importance can be constructed by updating the database for the storage space management Or a history information database for each creation / modification date of a software component, or builds a history information database for each piece of authority information, and sets an index of the history information database in advance When the index is reached, the history information database is updated. To update the history information database, the entire index of the history information database is divided into three sections in ascending order, and the history information corresponding to the section including the lowest index among the three sections It is assumed that the generation / modification date is considered to have elapsed for a long time, and it is deleted without any condition, and only the history information corresponding to the type of the software component having the highest importance among the history information corresponding to the middle section of the three sections is maintained, Updating the history information database in such a manner that all history information whose creation / modification frequency is higher than a preset reference frequency is deleted and remaining history information is maintained, or the authority whose rights information is regarded as the highest authority information Adjust information The history information corresponding to the section having the highest index among the three sections is updated by updating / updating the history information database in such a manner that the history information as the authority adjusting authority is retained and all remaining history information is deleted. It can be regarded as relatively recent and can be maintained as it is.

In one embodiment, the VPN main unit generates information to be protected from an external attack such as hacking or Ransomware as a backup file, and then transmits the generated backup file to a primary backup file including the same data and a secondary Further comprising a backup file distribution module for generating a backup in order to store the primary backup file and the secondary backup file at different storage locations, wherein the backup file distribution module predicts the existence of the folder or the location of the folder, And to prevent the data that should not be deleted from being accidentally deleted or modified, the storage location of the primary backup file and the secondary backup file, which are stored at predetermined intervals, is stored in a predetermined place, a newly created place, Or stored in a location designated by a folder or subfolder generated according to a random variable, and detects an intrusion from outside In this case, even if some backup files are lost or deleted due to an attack, duplication from the original backup file and the secondary backup file that have been created so that the necessary data can be restored using sporadically existing backup files in the system To generate a plurality of sub-backup files of each backup file, and to individually store the generated plurality of sub-backup files in different places generated according to the random variable, If the backup file is permanently deleted from the system and the backup file is stored in the synchronization folder linked with the cloud service, the backup file is stored in the corresponding synchronization folder and the backup backup file is uploaded to the cloud , Disables synchronization for that synchronization folder, If the order of changing the storage location of the uploaded backup file is reached, the folder in which the selective synchronization is canceled is synchronized again to download the backup file uploaded to the cloud service, and the downloaded backup file is newly created according to the random variable Location.

Therefore, according to the virtual private network service system according to the embodiment of the present invention, the virtual private network system can be downloaded from the web through the public network at any time, anywhere without using a separate VPN device, And can be installed and used.

In addition, a virtual private network system is implemented in an application layer, so that there is no problem in the system and the transmission speed is improved.

In addition, since the packet is hooked in the TDI layer, there is no change or burden on the system, and the possibility of impulsiveness with other applications is reduced.

1 is a block diagram of a conventional virtual private network (vpn) service system,
2 is a block diagram of a virtual private network service system according to an embodiment of the present invention;
3 is a block diagram of a VPN tunneling unit of a virtual private network service system according to an embodiment of the present invention.
4 is a block diagram illustrating IP addresses of respective components of a virtual private network service system according to an exemplary embodiment of the present invention.
5 is a block diagram illustrating a process of converting a packet of a virtual private network service system according to an embodiment of the present invention.
6 is a flowchart of a virtual private network service system according to an embodiment of the present invention;
7 is a diagram illustrating an example of a virtual private network installation information provided to a user in an embodiment of the present invention,
8 is an example of a screen showing an authentication module provided to a user in an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 2 is a block diagram of a VPN (Virtual Private Network) virtual private network according to an embodiment of the present invention. FIG. 3 is a block diagram of a virtual private network according to an embodiment of the present invention. Lt; RTI ID = 0.0 > 53 < / RTI >

2 and 3, a virtual private network (VPN) service system 1 according to an embodiment of the present invention includes a remote user terminal 20, a public network 10, an enterprise private network 40, A VPN main unit 50, a VPN tunneling unit 53, and an internal terminal 30.

Here, the VPN tunneling unit 53 may further include a filter 531, a redirector module 533, and an agent module 535.

The remote user terminal 20 connects to the VPN main unit 50 connecting the public network 10 and the private network 40 in the enterprise via the public network 10.

2, the remote user terminal 20 may be provided as a computer connectable to the Internet or the public network 10.

Here, the Internet or the public network 10 can use various methods using wireless or wireline.

The internal terminal 30 is connected to a private network 40 in the enterprise connected to the VPN main unit 50, as shown in FIG.

The VPN main unit 50 communicates with the agent module 535 through SSL (Secure Sockets Layer) WEB standard encryption communication.

SSL (Secure Sockets Layer) Web standard encryption communication is a communication technology that can protect the contents of information even if the information is leaked through hacking by encrypting the information in the communication between the browser and the server by web server authentication.

Accordingly, the VPN main unit 50 can provide a physical device protection function, an internal security information protection function, and a virtual private network (VPN) function while minimizing degradation of the existing network.

In addition, the VPN main unit 50 can support various algorithms such as RSA 4096, RC5, 3DES, SHA-1 and protocols such as SSL v2, v3, TLS v1, and WTLS for communication security.

In addition, since the VPN main unit 50 is capable of High Availability (H / A), it is possible to provide a configuration for stable service through a failover when a failure occurs.

In addition, the VPN main unit 50 can load balance (L / B) between systems so that load balancing operation is possible.

The VPN tunneling unit 53 may include a filter 531, a redirector module 533 and an agent module 535, as shown in FIG.

The filter 531 checks all the packets 60 passing through the TDI layer 31 of the remote user terminal 20 as shown in Figure 3, And filters packets 60 destined for a given internal terminal 30. [

Here, the TDI layer 31 is located as a standard between the user mode 33 of the window and the kernel mode 35, as shown in FIG.

All the transmission packets 60 of the PC are judged as accessible or not accessible through the user mode 33 of the window and the kernel mode 35. If it is determined that the packets are physically impossible, The TDI layer 31 may be provided with a filter 531 to filter packets 60 that are destined for an area (private network in the enterprise) that is not possible.

Therefore, by hooking up the packet 60 in the TDI layer 31, the system need not be changed, the system is not burdened, and the possibility of impulsiveness with other applications is reduced.

Hereinafter, filtering conditions and methods will be described later.

The redirector module 533 hooks the packet 60a filtered by the filter 531 and transmits it to the agent module 535 as shown in FIG.

The agent module 535 establishes an SSL communication connection with the VPN main unit 50 when receiving the packet 60b from the redirector module 533. [

Since the agent module 535 establishes SSL communication with the VPN main unit 50 in the application layer of the user mode 33, there is no problem in the system and the transmission speed is increased.

The virtual private network service system 1 will be described in detail with reference to FIGS. 3 to 8. FIG.

The virtual private network service system 1 according to an embodiment of the present invention includes a remote user terminal 20, an agent module 535, an agent module 535, a VPN main unit 50, a VPN main unit 50, And is connected to the server of the internal terminal 30 connected to the private network 40 three times.

4, the remote user terminal 20, the agent module 535, the VPN main unit 50, and the internal terminal 30 are connected to a network Each IP address (70, 80, 90, 100) can have.

Accordingly, the packet 60 generated in the remote user terminal 20 can be transmitted / received to the destination via the respective IP addresses 70, 80, 90, and 100.

The user connects to the VPN main unit 50 through the public network 10 using the remote user terminal 20. (S10)

The user can execute the web browser using the remote user terminal 20 to access the VPN main unit 50 and input the IP address set by the administrator of the VPN main unit 50 in the WEB address window.

The remote user terminal 20 may have its assigned public IP address 80 associated with the public network 10, as shown in FIG.

For example, the remote user terminal 20 may have a user terminal IP 80 (192.168.1.1), as shown in FIG.

When the remote user terminal 20 accesses the VPN main unit 50, the VPN main unit 50 transmits the virtual private network installation information 51 to the remote user terminal 20. (S11)

When the remote user terminal 20 is connected to the VPN main unit 50, the VPN main unit 50 transmits the virtual private network installation information 51 to the remote user terminal 20 as shown in FIG.

As shown in FIG. 7, the virtual private network installation information 51 may be transmitted to an application window asking whether a virtual private network is installed.

The user may install virtual private network (VPN) software by clicking on the installation tool 52, as shown in FIG.

Here, the installation tool 52 can be in various forms, for example, an ActiveX control driver installation can be used

1, the user can easily install and use the virtual private network software by downloading the virtual private network software anytime and anywhere through the public network 10 without having to provide the separate VPN units 300 and 400 on the user terminal side .

The user transmits a response signal to the VPN main unit 50 via the remote user terminal 20, indicating whether the virtual private network is installed (S13)

The user can transmit a response signal to the VPN main unit 50 by clicking the installation tool 52 in the virtual private network installation information 51 as shown in FIG.

Here, if the user does not select the installation tool 52, the VPN main unit 50 can release the connection and ask whether to install the installation tool 52 again.

When the user selects the installation tool 52, the VPN main unit 50 downloads the VPN tunneling unit 53 and the authentication module 55 to the remote user terminal 20 (S15)

The user installs the VPN tunneling unit 53 and the authentication module 55 downloaded to the remote user terminal 20. (S17)

When the VPN tunneling unit 53 and the authentication module 55 are installed in the remote user terminal 20, an authentication module 55 application window for establishing VPN tunneling is installed in the remote user terminal 20 And the user is authenticated for connection with the remote user terminal 20 through the authentication module 55. (S18)

As shown in FIG. 8, for example, an ID / password, a certificate, an ID / password / certificate, or a mobile phone SMS authentication method can be used as the login method through the authentication module 55 .

If the user is permitted to authenticate via the ID / password and the certificate, the remote user terminal 20 is connected to the VPN main unit 50. (S19)

A packet 60 is generated at the remote user terminal 20 and passes through the user mode 33, the TDI layer, and the kernel mode 35. At step S20,

All packets 60 generated in the application of the remote user terminal 20 pass through the TDI layer 31 in the user mode 33 and into the kernel mode 35 as shown in FIG.

Herein, the filter 531 determines whether the destination IP 63 of the packet among all the packets 60 passing through the TDI layer 31 is the IP 70 of the internal terminals PC1 to PCn connected to the private network 40 in the enterprise. (S21). ≪ RTI ID = 0.0 >

The filter 531 may be installed at various positions, for example, as shown in FIG. 3, and may be installed in the TDI layer 31.

Therefore, there is no change or burden on the system, and the possibility of impulsiveness with other applications is reduced.

The filter 531 compares the destination IP 63 of all the packets 60 that pass through the TDI layer 31 with the IP 70 of the predetermined internal terminals PC1 to PCn connected to the private network 40 in the enterprise

The filter 531 may be performed with various filtering conditions so that the destination IP 63 of all the packets 60 passing through the TDI layer 31 may be transmitted to the private network 40 Can be compared with the IP 70 of the internal terminals PC1 to PCn.

In addition, the filter 531 can be implemented by a situation analysis method that intelligently filters through a state table for managing a session that changes according to a network state, instead of filtering by a simple rule when controlling a packet to be transmitted / received.

3, the filter 531 stores the destination IP 63 of the packet 60 among all the packets 60 passing through the TDI layer 31 of the remote user terminal 20, When the destination IP 63 of the packet 60 and the IP 70 of the predetermined internal terminals PC1 to PCn coincide with each other, And the remaining packet 60 flows into the kernel mode 35. [

The filter 531 simply flows the packet 60 to the kernel mode 35 if the destination IP 63 of the packet 60 does not match the IP 70 of the given internal terminals PC1 to PCn. (S22)

The filter 531 filters the packet 60a when the destination IP 63 of the packet 60 and the IP 70 of the internal terminals PC1 to PCn are matched as shown in Fig.

At this time, the redirector module 533 hooks the packet 60a filtered by the filter 531, converts the destination IP 63 of the packet 60a into the agent module IP 90, and transmits it to the agent module 535 (S23)

The redirector module 533 hooks the packet 60a and transmits it to the agent module 535 as shown in FIG.

At this time, when the destination IP 63 of the packet 60 is generated as 10.10.0.1, the source port is assigned an arbitrary port, and the redirector module 533 allocates the arbitrary port (source port) allocated to the memory Store the destination address and destination port of 10.0.0.1 in memory.

5, the redirector module 533 converts the destination IP 63 of the packet 60a into the agent module IP 90 of the agent module 535 and transmits the converted packet 60b to the agent Module 535, as shown in FIG.

That is, in the redirector module 533, the destination IP 63 is changed from 10.10.0.1/80 to 127.0.0.1/31081 and transferred to the agent module 535 as shown in FIG.

The agent module 535 receiving the packet 60b converts the agent module IP 90 of the packet 60b into the VPN main unit IP 100. In step S24,

When receiving the packet 60b, the agent module 535 connects the VPN main unit 50 with the SSL communication and transmits the received packet 60b to the VPN main unit 50.

When the packet 60b is received by the agent module 535, the agent module 535 is installed in the user mode 33 of the remote user terminal 20 and establishes SSL communication with the VPN main unit 50.

The agent module 535 transmits the packet 60c transmitted from the redirector module 533 to the VPN main unit 50. [

At this time, the agent module 535 converts the destination IP 63 of the received packet 60b into the VPN main unit IP 100.

5, the destination IP 63 (127.0.0.1/31081) of the packet 60b received by the agent module 535 is converted into 211.1.1.1/8080 and transmitted to the VPN main unit 50 do.

The agent module 535 adds the destination IP 10.10.0.1/80 to which the packet 65c of the packet 60c is initially connected and transmits the packet.

That is, when the packet 60b is received, the agent module 535 retrieves the source port from the memory, finds the destination IP 10.10.0.1 and the destination port, and adds it to the content 65. [

The agent module 535 encrypts the packet 60c and transmits it to the VPN main unit 50. (S25)

The VPN main unit 50 having received the packet 60c converts the VPN main unit IP 100 of the packet 60c into the destination IP 70 to which the remote user terminal 20 first attempts to connect.

When receiving the packet 60c from the agent module 535, the VPN main unit 50 makes a new connection with the internal terminal 30 connected to the private network 40 to which the VPN main unit 50 is initially connected, To the internal terminal (30).

At this time, the VPN main unit 50 converts the destination IP 63 of the received packet 60c into the IP 70 of the internal terminal 30 to which the remote user terminal initially accesses.

That is, the destination IP 63 of the received packet 60c is converted from 211.1.1.1/8080 to 10.10.0.0/80 as shown in FIG.

The VPN main unit 50 decrypts the packet 60d and transmits it to the internal terminal 30. (S27)

The internal terminal 30 receiving the packet 60d transmits the response packet 66 to the VPN main unit 50 and the VPN main unit 50 transmits the response packet 66 to the remote user terminal 20 (S28)

The VPN main unit 50 encrypts the response packet 66 to the remote user terminal 20 waiting for a response and transmits the packet 60 in the reverse order of the received packet as shown in FIG.

When the response packet 66 is received from the remote user terminal 20, the remote user terminal 20 and the internal terminal 30 are connected to each other (S29)

Accordingly, the user can download the virtual private network system 1 to the remote user terminal 20 via the public network 10 and download the virtual private network system 1 to the virtual private network system 1 anytime and anywhere without having a separate VPN device. Installation and use.

Hereinafter, various embodiments of the VPN main unit 50 will be described.

First, a part of the configuration of the VPN main unit 50 having the above-described configuration may be implemented by artificial intelligence, and may further include a decision reason presentation module (not shown in the drawings for convenience of explanation) .

The decision reasoning module analyzes not only the data given or input by the user, but also the causal relation of the decision, and finds the appropriate grounds. Reason can be explained at user level. The decision-making reason module enables reliable decision-making between the user and the artificial intelligence, so that the feedback by the user can be appropriately reflected when a problem or an error occurs. In addition, by providing a decision reason module, it is possible to solve the disbelief that the user has in the artificial intelligence because the artificial intelligence can not clearly explain the cause of the result of the artificial intelligence, It is possible to avoid the problem of overfitting that the optimal solution in the region can be selected rather than the optimal solution in the whole viewpoint.

In one embodiment, the decision reason presentation module may further comprise a model building module and a reason explaining interface module. The model building module can be implemented as a deep explanation learning module, an analytical model generation module, and a model induction module.

The in-depth explanation learning module is a modified deep learning technique that allows in-depth neural networks to learn explanatory features. For example, if you learn a model that distinguishes the images of the arms and legs, each of the hidden nodes may have a nail or claw shape, a finger or toe shape, a palm or soles Position, and so on, and can determine the basis of judgment through the activated hidden node when the model judges which image is a hand. The basis of such judgment may be expressed verbally through a natural language generation model such as RNN (Recurrent Neural Network). RNN is a model of deep learning. It is a type of artificial neural network. It is used to learn data that changes with time, such as time series data. Input and output data are obtained by using input control vector and forgetting vector and output control vector. . In the input control vector, the input signal accepts a value after passing through the connection layer with the activation function, and the forgetting vector reflects a part of the past input to the current input. And the output control vector takes the value by using the activation function considering the past value and the modified input value. The final result is then returned to the input. Such a circular neural network is mainly used for classifying document emotion or recognizing handwritten characters, and can be used mainly for speech recognition, time series prediction, and waveform generation. This is because the input data can be processed in an appropriate order even if the input data is a fixed shape without any order.

Further, in one embodiment, the in-depth explanation learning module may visually display the portion based on the image. For example, if an artificial intelligence system categorizes a cat image, the existing system derives only whether the input image is a cat, but the in-depth explanation learning module derives the cat's presence and uses the image of the ground (hair, .

An interpretable model generation module can construct structured data as a causal model that can be interpreted. According to one embodiment, a model generation module that can be interpreted by using BPL (Bayesian program learning) can be constructed, and BPL is a method for learning to express a combination of small pieces. For example, When you do, divide the letters into strokes and create them with the most reasonable combination of strokes. BPL can be imitated like a human once without large amounts of data, and it can evolve the Neural Network (neural network model) and change the probability based on the event when a new event is given. That is, the BPL includes not only changing the weight of virtual variables, but also generating other virtual variables in the middle. Given a new environment, it is another way to understand the phenomenon. For example, if a coin is thrown 100 times and the front face comes out 60 times and the back face comes out 40 times, the probability of coming out is 60% It is a way to reduce the probability of the face to 59.4%.

Also, in one embodiment, the interpretable model generation module may be implemented through a probabilistic approach. The probabilistic approach is similar to learning a few samples that can produce learning effects, such as showing a long chair and a short chair and a medium-length chair. That is, it is a technique to learn by filling in the deficient data by oneself. Depending on the embodiment, the probabilistic approach may include the ability to calibrate the probability and the program by itself through mathematical calculations.

Also, in one embodiment, the interpretable model generation module may be implemented using And-Or-Graph. And-Or-Graph is an AND / OR graph, which shows the condition and conclusion relation of the rule and the AND / OR relation in the form of a graph. The intermediate and final data derived by artificial intelligence are structured, There is an advantage that is easy to explain. That is, a graph is represented by AND node and OR node. All AND nodes must be processed, and only one OR node can be finished. By using the AND / OR graph, we can construct a set of scattered rules as one structure, and can easily grasp the logical relationship between each statement.

The model induction module can infer any arbitrary black box model as an explanatory model. In one embodiment, the model inductance module can be implemented with LIME (local interpretable model-agnostic explanations), and LIME can be used to make any black box model locally explicable via sparse linear combination around data that can already be described . For example, if a black box model classifies an image as a heart, it can be described as a description of the heart of another model that can be explained, that is, the pixels expressing the heart against a given image, Can be presented.

Also, in one embodiment, the model inductance module may be implemented as a BES (Bayesian rule lists) that expresses the model as a series of if-then conditional statements. BRL makes it possible to understand complex models by dividing the high-dimensional, multivariable feature space into simple and already interpretable conditional statements.

The detailed explanation learning module, the interpretable model generation module and the model inducement module described above can be operated independently or in combination with each other, and the order of implementation can also be changed according to the embodiment.

Next, the reason explanation interface module can express the artificial intelligence decision making in a way that the user can understand. Reason Description The interface module may include a requirement that the description provided is iterative, contains all the necessary explanations, does not contain unnecessary descriptions, and the amount is appropriate. In other words, it is easy for the user to provide the user with the result of artificial intelligence, such as language, table, image, graph, formula, etc., have.

In addition, the reason explanation interface module can receive a user's correction command. To this end, the reason explanation interface module may include the possibility of correcting that explanation should be flexible, respect user feedback, watch for gradual changes, and so on. For this explanation, we can evaluate and develop the effectiveness of the reason explaining interface module by receiving feedback on the clarity and utility of the explanation to the user.

In another embodiment, the decision reason presentation module may be formed of a causal model. The causal model may be formed by combining the deep running and the Marco Bandom field. First, we model the probability distribution of the deep Marco Bandom field model from the learning data and study the structure of the Marco Bandom field which shows the conditional independence between the random variables. By inferring the latent function of the Marco Bandom field whose structure is learned to the depth neural network, it is possible to alleviate the problem of exponential increase of the number of parameters required for the latent function as the number of input variables increases, The relationship can be learned. According to the embodiment, after learning the class classification problem as an auxiliary task attribute or a super category, it is possible to linearly combine the class classification problem in the output step to enable effective expression. It may also include an interactive learning algorithm that allows the person to identify and correct the causal relationship by learning to correct it.

In yet another embodiment, the decision reason presentation module may be implemented with an analysis module. This is a technique for regression analysis of time series functions into multivariate Gaussian based on various kernels. It can be explained based on the combination of kernels found above by learning the optimal time series data representing the kernel in the Gaussian process. Furthermore, even when there are a plurality of time series data, it is possible to explain a common characteristic among a plurality of time series data by learning a combination of a kernel expressed in common and a kernel representing characteristics of each time series data. By creating a combination of kernels found through the time series data analysis model in natural language, the user can explain the process and reason for the decision derived by artificial intelligence in natural language.

Through the module of decision-making reason, it is possible to visualize and characterize the decision-making process of artificial intelligence from the viewpoint of the user, and to explain the components involved in the decision-making process. At the same time, It can be divided into elements and result elements. Especially, it is created in the form of an automatic report that can be easily understood by the user, thereby providing not only the result of analyzing the data but also the reason, so that the artificial intelligence can interact with the human being more precisely.

Next, the VPN main unit 50 may further include a backup file distribution module (not shown in the drawing for convenience of explanation).

The backup file distribution module generates important information such as user information or system information to be protected from an external attack such as hacking or Ransomware as a backup file and then transmits the generated backup file to a primary backup file And the secondary backup are sequentially generated and stored, but the primary backup file and the secondary backup file are stored in different storage locations.

However, the generation of the backup file is not limited to the primary and secondary, and a plurality of backup files of the tertiary or higher order may be generated in consideration of the performance of the system and the like.

In addition, the backup file distribution module is not limited to the predetermined period, for example, once every three hours or once every five hours, which is basically a period set in the system, It is possible to set the storage location of the stored primary backup file and the secondary backup file to a predetermined place or a newly created place on the system.

At this time, it is preferable that the moving location of the backup file is designated as a folder or a subfolder generated according to an arbitrary random variable, not the default location set in the system or the location designated by the user.

Accordingly, an attacking program such as a hacking or a random software can prevent the existence of a folder in which a file intended to be attacked or the location of the folder to be predicted and easily attacked, as well as prevent customer information It is possible to prevent the same important data from being deleted or modified by the user inadvertently.

In the present invention, the primary backup file and the secondary backup file are files containing data of the same content, and there is no mutual rank, and even in the movement of the file, the secondary backup The file may be moved, or the primary backup file may be moved after the secondary backup file is moved.

In one embodiment, when an intrusion is detected from the outside, the backup file distribution module continuously replicates from the pre-created primary backup file and the secondary backup file to generate a plurality of sub-backup files of each backup file And the generated plurality of sub-backup files may also be separately stored in different places generated according to random variables.

Accordingly, even if some backup files are lost or deleted due to an attack by storing a plurality of backup files sporadically generated in the system by dividing them into arbitrary places, it is possible to use a backup file that exists sporadically in the system to store necessary data Can be easily restored.

Next, the backup file distribution module permanently deletes, from among a plurality of backup files, a file that is determined to be a currently received backup file on the system.

Accordingly, in the present invention, it is possible to change into a zombie program that can not perform a normal function on the system due to a hacking or an attack of the Ransomware or expose other files existing on the system due to the attack By deleting a file on the system beforehand, it is possible to prevent an entire system from being attacked by some files in advance.

In one embodiment, when the backup file is stored in the synchronization folder cooperating with the cloud service, when the backup file is stored in the synchronization folder and the backup file is uploaded to the cloud, You can turn off synchronization for the folder.

For example, when the cloud service for user synchronization is called "Dropbox ", the function of the backup file distribution module as described above is implemented by using the " selective synchronization service"

That is, when the backup file distribution module creates a "backup folder" as a space for storing backup files on the system, the cloud service creates the newly created "backup folder" on the cloud in the same manner.

Next, the backup file distribution module will store the backup file in the corresponding folder, and accordingly, the corresponding backup file is also uploaded in the cloud.

Finally, when uploading of the corresponding backup file on the cloud is completed, the backup file distribution module selectively cancels the synchronization for the "backup folder" used for uploading the backup file, and deletes the "backup folder"

In this case, rather than releasing synchronization to the entire system, the synchronization service to the cloud service is continuously performed by releasing synchronization with only the "backup folder" temporarily created for use in uploading the backup file On the other hand, as backup files are uploaded to the cloud and then deleted on the system, the backup files can be securely stored in the cloud, while preventing continuous exposure to attacks that infiltrate the system.

In one embodiment, when the storage location of the backup file uploaded on the cloud becomes a change order, the backup file distribution module re-synchronizes the folder from which the selective synchronization has been canceled to download the backup file uploaded to the cloud service After that, the downloaded backup file can be moved to the newly created place according to the random variable as described above.

Then, the VPN main unit 50 can be implemented on a development environment management system (not shown in the drawings for the sake of explanation).

In a development environment, a plurality of developers use a plurality of development systems for software development, and each development system can develop and directly manage software components and software under the control of a developer. Each development system uses Trusted Platform Module (TPM) standard technology, so that the software components are only available to licensed development systems. The Trusted Platform Module (TPM) is a type of security device that can generate and manage security keys for data encryption.

The development environment management system restricts the developer's authority on the use of software components and can perform security authentication on the development system used by the developer.

When the development environment management system receives the software component creation or modification permission request message from the development system, it can process the software component creation or modification permission request message by checking the rights information of the development system.

Here, the software component may comprise at least one of a source code, a binary containing debugging information, a pure binary not including debugging information, a document for detailed description of the code, and a process equation model for understanding the code .

The authority information may be configured to include at least one of read permission to read the software component, permission to save and modify the software component, and permission to adjust the authority information.

When a software component is created or modified by one of the development systems satisfying the rights information, the development environment management system can store the software component and control it so that it can be shared by other development systems. This is because a module built by one of the development systems may be used in another development system.

The development environment management system can build a database storing the history of creation or modification of such software components. This is because the history information can be used to track the change in the value of a particular variable step by step and it can be understood how the particular variable has affected the change of the value of any other variable.

Specifically, the development environment management system can be classified into various types of software components such as types of software components, creation / modification of corresponding software components, creation / modification dates of corresponding software components, creation / modification frequency of corresponding software components, The history information including the authority information of the system can be generated.

The development environment management system can store indexes in the history information database every time history information is generated.

At this time, the development environment management system can build a history information database for each type of software component. That is, the development environment management system can build a history information database according to the importance of the software components, and the history information database of the software components corresponding to the type having the highest importance is the database update target for storage space management It can be excluded.

Alternatively, the development environment management system can construct a history information database for each creation / modification date of a software component. For example, the development environment management system can build a history information database of a specific date and exclude the history information database from the database update target.

Alternatively, the development environment management system can build a history information database for each authority information. For example, the development environment management system constructs a history information database of the software components by the development system corresponding to the authority to adjust the authority information regarded as the highest authority information, and excludes the history information database from the database update target .

The development environment management system can update the history information database for efficient storage management as described above.

More specifically, the development environment management system can update the history information database when the index of the history information database reaches a predetermined index.

For example, the development environment management system can divide the entire index of the history information database into three sections in ascending order.

The development environment management system can delete the history information corresponding to the section including the lowest index among the three sections without any condition. The history information corresponding to the relevant section can be regarded as a generation / modification date has passed a long time, and the possibility of referring to the history information is low, so it can be deleted without any condition.

The development environment management system can update the history information corresponding to the middle section of the three sections by determining whether to delete or maintain the history information according to the type of the software component. That is, the development environment management system can classify the importance according to the type of the software component, and only the history information corresponding to the type of the software component having the highest importance among the history information corresponding to the middle section of the three sections is maintained, The history information database can be updated in such a manner that all information is deleted.

Alternatively, the development environment management system can determine whether to delete or maintain the history information corresponding to the middle section of the three sections according to the generation / modification frequency of the software component, and update the history information. That is, it is possible to update the history information database in such a manner that history information having a generation / correction frequency higher than a preset reference frequency among the history information corresponding to the middle section of the three sections is deleted and the remaining history information is maintained.

Alternatively, the development environment management system can update the history information corresponding to the middle section of the three sections by determining whether to delete or maintain the history information according to the authority information of the development system. That is, among the history information corresponding to the middle section of the three sections, the history information, which is the authority to adjust the authority information in which the authority information is regarded as the highest authority information, is maintained and the remaining history information is deleted The history information database can be updated.

The development environment management system can maintain the history information corresponding to the section including the highest index among the three sections. The history information corresponding to the corresponding section can be regarded as a relatively recent date of generation / modification, and the possibility that the history information is referred to again is high, so that it can be maintained.

It will be apparent to those skilled in the art that the above-described embodiments are for illustrative purposes only and that those skilled in the art will readily understand that other embodiments can be readily modified without departing from the spirit or essential characteristics of the embodiments described above You will understand. It is therefore to be understood that the above-described embodiments are to be considered in all respects only as illustrative and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.

It is to be understood that the scope of the present invention is defined by the appended claims rather than the foregoing description and should be construed as including all changes and modifications that come within the meaning and range of equivalency of the claims, .

1: Virtual Private Network (VPN) service system,
10: Public network,
20: remote user terminal,
30: internal terminal,
31: TDI layer,
33: user mode,
35: kernel mode,
40: private network,
50: VPN main unit,
51: Virtual private network installation information,
52: Installation tool,
53: VPN tunneling unit,
55: authentication module,
60 (60a, 60b, 60c, 60d): packet,
61: source IP,
63: Destination IP,
65: Content,
66: response packet,
70: internal terminal IP,
80: remote user terminal IP,
90: Agent IP,
100: VPN main unit IP,
531: filter,
533: Redirector module,
535: Agent module.

Claims (2)

A remote user terminal at a remote location;
A VPN tunneling unit and an authentication module to the remote user terminal when the installation request signal is received from the remote user terminal when the connection is established through the remote user terminal, unit;
A plurality of internal terminals connected to a private network in the enterprise to which the remote user terminal is to access and connected to the remote user terminal;
A filter for filtering a packet matched by comparing a destination IP of all packets passing through the TDI layer of the remote user terminal with an IP of each of the internal terminals and a filter for filtering the filtered packet, A redirector module for converting a destination IP address of the hooked packet into an agent IP address and a destination IP address of the packet to be converted into a VPN main unit IP by receiving the converted packet from the redirector module, A VPN tunneling unit having an Agent module for adding, to the VPN main unit, a destination IP address to which the remote user terminal initially connects, adding the content to the contents of the packet, And
And an authentication module authenticating a connection to a VPN main unit of the remote user terminal,
When the encrypted packet is received from the agent module, the VPN main unit converts the IP address of the VPN main unit of the packet into the destination IP address of the remote user terminal for the first connection and decrypts it, And transmits the encrypted response packet to the remote user terminal in the reverse order,
Wherein the VPN main unit further comprises a backup file distribution module,
Wherein the backup file distribution module comprises:
Hacking, and random software, to the backup file, and then creates the backup file, which is generated, with the primary backup file including the same data and the secondary backup The primary backup file and the secondary backup file are stored in different storage locations, and the primary backup file and the secondary backup file are generated in accordance with an arbitrary random variable at predetermined intervals, Go to the folder where it was saved,
When an external attack is detected, duplication is continuously performed from the pre-created primary backup file and the secondary backup file to generate a plurality of sub-backup files, and the sub-backup files are created in different folders Respectively,
If the backup file is saved in the synchronization folder that is linked with the cloud service, when the backup file is saved in the corresponding synchronization folder and the backup file that is saved is uploaded to the cloud, the synchronization is canceled for the synchronization folder, If the order of changing the storage location of the uploaded backup file is reached, the folder in which the selective synchronization is canceled is synchronized again to download the backup file uploaded to the cloud service, and the downloaded backup file is newly created according to the random variable A virtual private network (VPN) service system that moves to a folder.

delete

Images