KR102136082B1 - Server apparatus, client apparatus and method for communicating based on network address mutation - Google Patents

Abstract

A server device, a client device, and a network address variation based communication method are disclosed. The network address variation-based communication method according to an embodiment of the present invention, in a network address variation-based communication method of a server device and a client device, sets an external address of a network interface that receives a packet from the client device, and the network interface Setting an internal address of the virtual network interface for forwarding a packet received through the virtual network interface; And shifting the external address based on a preset network address variation rule and forwarding a packet received from the client device to the virtual network interface based on the changed external address to communicate with the client device.

Description

Server device, client device and network address variation-based communication method {SERVER APPARATUS, CLIENT APPARATUS AND METHOD FOR COMMUNICATING BASED ON NETWORK ADDRESS MUTATION}

The present invention relates to a technique for defending an attacker's attack behavior in a network environment, and more particularly, to an active defense technique and a network address variation technique for neutralizing attacker's reconnaissance behavior.

Prior to the actual attack, attackers perform a reconnaissance step to secure the vulnerability of the target system. Attackers conduct reconnaissance using sniffing and probing techniques to obtain target system information (host name, MAC/IP address, operating system type and version, open port, operating service type). To perform.

The goal of the MTD (Moving Target Defense) technology is to increase the workload of an attacker's reconnaissance action by making the protected object various properties less static, less homogeneous, and less deterministic. will be. As a result, it reduces the similarity of a single successful attack and adds dynamics to the system, reducing the attack's life time, thereby limiting the attack damage. The main technologies of MTD are divided into dynamic networks, dynamic platforms, dynamic runtime environments, dynamic software, and dynamic data.

Previous studies related to network address variation use a network address translation (NAT) address variation method and an address generation method using cryptographic algorithms for network address generation and variation. However, in the case of NAT type address variation, since the address variation action is performed on network equipment such as a gateway, it implies the possibility of the actual address of the protected server being exposed to an internal attacker located in the same subnetwork as the protected server.

1 is a diagram showing a network address variation based communication system.

Referring to FIG. 1, the NAT-based network address variation technique implies a vulnerability in which a network address of a protected server is exposed to an internal attacker in a network environment.

When generating a network address using a cryptographic algorithm, an address conflict problem in which the same output value for different inputs is generated may occur. Previous studies proposed an address generation method, but did not propose and resolve an address conflict problem and address synchronization problems.

The present invention proposes a network address variation technique, which is a detailed technique of dynamic networks, and more specifically, proposes a network address variation method with enhanced safety and efficiency that solves the two most important issues in network address variation. .

On the other hand, Korean Patent Publication No. 10-2005-0102892 "Communication System and Communication Method Using Multiple IP Addresses" performs communication with an external network using multiple Internet Protocol (IP) addresses in one communication system. Disclosed is a communication system capable of being performed.

However, Korean Patent Publication No. 10-2005-0102892 has limitations in terms of an attack risk from an attacker when an address change rule is exposed, an address conflict problem due to address change, and an address synchronization problem.

An object of the present invention is to provide an active security technology that increases the cost of an attacker's reconnaissance activity in a network environment.

In addition, the present invention aims to provide a secure communication channel between legitimate entities belonging to the network.

Network address variation-based communication method according to an embodiment of the present invention for achieving the above object is a network address variation-based communication method of the server device and the client device, the external address of the network interface for receiving a packet from the client device Setting, and setting an internal address of the virtual network interface for forwarding a packet received through the network interface to a virtual network interface; And mutating the external address based on a preset network address variation rule, and forwarding a packet received from the client device to the virtual network interface through the mutated external address to communicate with the client device.

At this time, the communication method based on the network address variation may further include changing the gateway address of the virtual network interface to the mutated external address after the step of mutating the external address.

In this case, the communicating step may map the external address and the MAC address (Media Access Control address) of the server device at the time when the connection between the server device and the client device is established, and record it in a table.

In this case, each of a plurality of external addresses may be mapped and recorded in the table.

At this time, the communicating step may maintain a network connection between the server device and the client device by receiving a packet from the client device through any one of a plurality of external addresses recorded in the table.

At this time, the network address variation based communication method further includes generating, before the setting step, anonymous address information used by the server device to set an external address of a network interface that receives a packet from the client device. can do.

At this time, the generating of the anonymous address information may generate anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function.

At this time, the step of mutating the external address uses any one of a plurality of anonymous IP addresses and a plurality of anonymous ports included in the anonymous address information every predetermined period according to the predetermined address variation rule. To change the external address.

At this time, the generating of the anonymous address information may further include generating anonymous address information including a plurality of anonymous IP addresses and anonymous ports from random values using a predetermined function.

At this time, in the network address variation based communication method, before the step of generating the anonymous address information, the server device performs authentication with the client device, and the server device and the client device that have successfully authenticated share the session key. It may further include.

At this time, the predetermined function may generate the random value using the session key.

In addition, the server device according to an embodiment of the present invention for achieving the above object includes at least one processor and an execution memory for storing at least one program executed by the one or more processors, the at least one program Sets an external address of a network interface that receives a packet from a client device, sets an internal address of the virtual network interface to forward packets received through the network interface to a virtual network interface, and sets a predetermined network address variation rule The external address may be changed based on the packet, and a packet received from the client device may be forwarded to the virtual network interface through the mutated external address to communicate with the client device.

At this time, the one or more processors may change the gateway address of the virtual network interface to a mutated external address.

In this case, the at least one program may map the external address and the MAC address (Media Access Control address) of the server device at the time when the connection with the client device is established and record the result in a table.

In this case, each of a plurality of external addresses may be mapped and recorded in the table.

At this time, the at least one program may maintain a network connection with the client device by receiving a packet from the client device through any one of a plurality of external addresses recorded in the table.

At this time, the at least one program may generate anonymous address information used to set an external address of a network interface that receives a packet from the client device.

At this time, the at least one program may generate anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function.

At this time, the at least one program may perform authentication with the client device, and the client device that has successfully authenticated may share the session key.

At this time, the predetermined function may generate the random value using the session key.

In addition, the client device according to an embodiment of the present invention for achieving the above object includes at least one processor and an execution memory for storing at least one program executed by the one or more processors, the at least one program Sets the external address of the network interface of the server device to transmit the packet to the server device, sets the external address to be changed as the destination address according to the preset address variation rule, and transmits the packet through the external address of the server device. Can communicate.

The present invention can provide an active security technology that increases the cost of an attacker's reconnaissance activity in a network environment.

In addition, the present invention can provide a secure communication channel between legitimate entities belonging to the network.

1 is a diagram showing a network address variation based communication system.
2 is a block diagram illustrating a network address variation based communication system according to an embodiment of the present invention.
3 is a sequence diagram showing a network address variation based communication method according to an embodiment of the present invention.
FIG. 4 is a sequence diagram illustrating an example of the authentication and session key sharing steps shown in FIG. 3.
5 is a sequence diagram illustrating an example of a network address variation step illustrated in FIG. 3.
6 is a view showing a network address variation based communication method according to an embodiment of the present invention.
7 is a diagram illustrating packet forwarding through N:1 mapping of an ARP table according to an embodiment of the present invention.
8 is a block diagram illustrating a client device for a network address variation based communication method according to an embodiment of the present invention.
9 is a block diagram showing a server apparatus for a network address variation based communication method according to an embodiment of the present invention.
10 is a view showing a computer system according to an embodiment of the present invention.

If described in detail with reference to the accompanying drawings the present invention. Here, repeated descriptions, well-known functions that may unnecessarily obscure the subject matter of the present invention, and detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art. Therefore, the shape and size of elements in the drawings may be exaggerated for a more clear description.

Throughout the specification, when a part “includes” a certain component, this means that other components may be further included rather than excluding other components unless specifically stated to the contrary.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

2 is a block diagram illustrating a network address variation based communication system according to an embodiment of the present invention.

Referring to FIG. 2, the network address variation based communication system may include an authentication server 100, a client device 200, and a protected server (server device) 300.

The authentication server 100 may authenticate the client device 200 and the protected server 300.

The client device 200 and the protected server 300 may request authentication from the authentication server 100 and perform session key generation and distribution among authenticated entities.

At this time, the client device 200 and the protected server 300 may generate and distribute a session key for use in a sub-network.

At this time, the client device 200 and the protected server 300 may generate anonymous address information using the session key.

In addition, the client device 200 and the protected server 300 may perform network address variation network address tracking.

At this time, the protected server 300 may generate anonymous address information, and change the network address of the protected server 300 using the anonymous address information.

At this time, the client device 200 may generate anonymous address information and track the mutated network address of the protected server 300 using the anonymous address information.

At this time, the server device 300 may generate anonymous address information used to set an external address of a network interface that receives a packet from the client device 200.

At this time, the client device 200 may generate anonymous address information used to track the external address of the network interface through which the server device 300 receives the packet from the client device 200.

At this time, the client device 200 and the server to be protected 300 may perform secure communication that transmits and receives packets while changing the network address based on a preset network address variation rule.

3 is a sequence diagram showing a network address variation based communication method according to an embodiment of the present invention. FIG. 4 is a sequence diagram illustrating an example of the authentication and session key sharing steps shown in FIG. 3. 5 is a sequence diagram illustrating an example of a network address variation step illustrated in FIG. 3.

Referring to FIG. 3, a server device, a client device, and a network address variation-based communication method according to an embodiment of the present invention may perform an anonymous address information generation, network address synchronization, and communication operation method. The present invention can largely include two steps (authentication and session key distribution step and network address variation and secure communication step).

Table 1 is a description of Notation used in the present invention.

Server_p_j J th protected server belonging to subnetwork "p" Client_p_i Client "i", which is served by the protected server "Server_p_j" belonging to the "p" subnetwork SK_p_k Secret key (symmetric key) used by Server_p_j and Client_p_i to generate an anonymous address in the "k" th session IP_j_k_c IP address used when the protected server "j" performs the "c" th address shift in the "k" th session PORT_j_s_k_c The port used when the service "s" provided by the protected server "j" performs the "c"-th address shift in the "k"-th session [a single-protected server can provide multiple services. Services are divided into process units, and each process must use a different port.] T _p Standard time used in subnetwork "p" (hours:minutes:seconds) α _p Number of protected servers belonging to subnetwork "p" α _{p_j} Number of processes running on Server_p_j CTR _h Anonymous value generation function Recursive call count H _X () One-way hash function using "x" as key, used to generate anonymous values
H _X : {0,1} ^* ⅹ key → {0,1} ²⁵⁶ V Output value of one-way hash function to be used for IP generation, anonymous value vX Anonymous value V divided by n-bit V' Duplicate values among vXs V'' A set of anonymous IPs generated by α _p P Output value of one-way hash function to be used for port creation, anonymous value pX Anonymous value P divided by 16-bit P' A set that removes duplicate values among pXs P'' A set of anonymous ports created by α _{p_j} f() Anonymous address (IP, Port) generation function

Steps S110 and S120 are preliminary steps for generating and synchronizing anonymous addresses.

Steps (S110) and step (S120) may use the object authentication technique (certificate based, non-certificate based) and key management (distribution and update) techniques in use in a general IT environment.

Step S110 and step S120 may use various object authentication and key management techniques.

Steps S110 and S120 may generate and share a session key used to generate anonymous address information.

Referring to FIG. 4, in step S110, the authentication server 100 may perform object authentication of the client device 200 and the server device 300.

In step S110, the client device Client_p_i 200 and the server device (protected server, Server_p_j) 300 may be authenticated by the authentication server 100.

At this time, in step S110, only the objects that have passed the authentication process can enter the session key generation and distribution process in step S120.

In step S120, the client device (Client_p_i) 200 and the server device (protected server, Server_p_j) 300 may perform session key generation and distribution.

At this time, in step S120, when the object authentication and the session key distribution process are normally ended, the client device (Client_p_i) 200 and the server device (Server_p_j) 300 may share the same group session key "SK_p_k". . The step S120 may correspond to the 0th session since the system is the first step to start. SK_p_k is a secret key used to generate an anonymous address, and only legitimate entities can be obtained.

At this time, in step S120, the client device (Client_p_i) 200 and the server device (Server_p_j) 300 may generate and distribute a session key to be used in the subnetwork "p" to which they belong.

At this time, step S120 is the authentication server 100 or the client device (Client_p_i) 200 and the server device (Server_p_j) 300 generates a session key itself to generate a group session key to generate anonymous address information." SK_p_k" can be distributed.

Objects that have successfully ended both steps (S110) and (S120) can receive the session key "SK_p_0" to be used in the 0th session and use it to generate anonymous address information.

At this time, the session key "SK_p_k" to be used for the k-th session may be generated by additionally performing a session key update process.

Referring to FIG. 5, step S130 may generate and synchronize anonymous address information to be used for network address variation.

At this time, step S130 may change the network address of the server device (Server_p_j) 300 using the anonymous address information.

Step (S130) is the network address of the client device (Client_p_i) 200 and the server device (Server_p_j) 300 using the anonymous addresses generated in steps S131 and S131 of generating and synchronizing anonymous address information. It may include the step of mutating (S132).

Step S130 may be performed by the interaction of the server device (Server_p_j) 300 and the client device (Client_p_i) 200.

Before starting the detailed description of step 130, assumptions of the server device 300 and the client device 200 according to an embodiment of the present invention will be described.

For example, the subnetwork "p" to which the server device (Server_p_j) 300 belongs may use an IPv4 addressing system.

When using xxx.xxx.xxx.xxx as the subnet mask, the mask is β bit, the available IP address band is 0 to 2 ⁿ -1, and n = 32-β can be calculated. .

For example, when the subnet mask is 255.255.255.0, since β = 24 and n = 8, the available IP address band may be 0 to 255. In this case, the size of the generated anonymous address is 8 bits, but only addresses other than the network address, gateway address, and broadcast address 3 can be assigned to hosts in the subnetwork.

At this time, the number of server devices (Server_p_j) 300 existing in the corresponding subnetwork may be α _p .

The server devices (Server_p_j) 300 may be in a state in which a session key is distributed after normally passing object authentication.

At this time, all the server devices 300 and the client devices 200 may be time-synchronized, and there is no message exchange procedure between each other according to a predetermined rule based on the session key distributed through the above process. You can create your own address.

Referring back to FIG. 5, step S131 may generate anonymous address information (Pseudonym Address Generation).

That is, in step S131, the server device 300 may generate anonymous address information used to set an external address of a network interface that receives a packet from the client device 200.

At this time, step S131 may generate anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function.

At this time, the predetermined function may generate a random value using the session key.

At this time, step S131 may generate a random value (random value) for use as anonymous address information.

At this time, step S131 may use a one-way hash function to generate a random value.

It can be seen that Equation 1 shows an example of an algorithm (one-way hash function) generating a random value.

[Equation 1]

h _{SK_p_k} (T _p ||CTR _h ) = V

The function h _{SK_p_k} () is a one-way hash function that uses SK_k as a secret key, and the size of the output value can be variable depending on the one-way hash function used.

In addition, step S131 may generate an anonymous IP.

At this time, step S131 may generate α _p different n-bit anonymous IPs.

At this time, in step S131, the number of server devices (Server_p_j) 300 (including oneself) in the subnetwork “p” to which the server device (Server_p_j) 300 belongs (α _p ) You can create an anonymous IP. When the subnet mask of the corresponding subnetwork is xxx.xxx.xxx.xxx and the mask is β bit, the server device (Server_p_j) 300 may need an n-bit anonymous IP.

At this time, in step S131, in order to use the random value V as an anonymous IP, V may be divided into n-bit sizes and duplicate values may be removed.

At this time, in step S131, after removing the duplicated value, α _p anonymous n-bit anonymous IPs are generated to generate an anonymous IP to be used for address variation. The algorithm for generating α different anonymous IPs of N-bit size can be expressed as in Equation 2.

[Equation 2]

f(h _{SK_p_k} (T _p || CTR _h )) = {v1, v2, ..., v α }

The function f() may be a function that recursively calls Equation 1 until α _p is generated for different anonymous IPs of N-bit size.

Step S131 may first divide V into n-bit sizes.

V = {v1, v2, ..., vX}

At this time, in step S131, if V is not a multiple of n-bits, the remaining bits can be removed from V.

At this time, step S131 may delete duplicate values among the divided elements of V.

V'= {v1, v2, ..., vY} (Y=<X)

At this time, in step S131, Y is α _p If it is smaller, CTR _h can be increased by 1 and then (Equation 1) can be called recursively.

At this time, step (S131) is Y = α _p The process can be performed recursively until n can generate n _p -bit anonymous IPs of size n.

V'' = {v1, v2, ..., vα _p }

In addition, step S131 may create an anonymous port.

At this time, in step S131, the server device (Server_p_j) 300 may generate an anonymous port (Port) as many as the number of processes (α _{p_j} ) that provide network services among processes in which it is operating. In general, the port (Port) can be determined between 0 to 65535.

At this time, in step S131, the server device (Server_p_j) 300 may generate α _{p_j} 16-bit anonymous ports. The method of creating an anonymous port is as follows.

To use the random value P as an anonymous address, the P can be divided into 16-bit sizes and duplicate values can be removed. After removing duplicate values, if you create α _{p_j} 16-bit anonymous addresses, you can create an anonymous port to use for port mutation. The algorithm for generating α _{p_j} 16 different anonymous ports of 16-bit size can be expressed as in Equation 3.

[Equation 3]

f(h _{SK_p_k} (T _p || CTR _h )) = {p1, p2, ..., pα _{p_j} }

At this time, step S131 may first divide P into a 16-bit size.

P = {p1, p2, ..., pX}

At this time, in step S131, if P is not a multiple of 16-bit, the remaining bits can be removed from P.

At this time, step S131 may delete duplicate values among the divided elements of P.

P'= {p1, p2, ..., pY} (Y=<X)

At this time, in step S131, if Y is less than α _{p_j} , CTR _R may be increased by 1 and then Equation 3 may be recursively called.

At this time, step S131 may recursively perform the above process until Y = α _{p_j} to generate 16-bit α _{p_j} anonymous addresses.

P'' = {p1, p2, ..., pα _{p_j} }

In addition, step S131 may store anonymous address information.

At this time, in step S131, the server device (Server_p_j) 300 generating α anonymous IPs to be used for the C-th address variation in the Kth session is V'' = {v1, v2, ..., vα _p } You can safely store it as anonymous address information in your own repository.

At this time, in step S131, the server device (Server_p_j) 300 may safely manage the address storage.

At this time, in step S131, the server device ( _{Server_p_j} ) 300 generating α _{p_j} anonymous ports to be used for the C-th address variation in the K-th session P'' = {p1, p2, ..., pα _{p_j} } Can be safely stored in your repository as anonymous address information.

At this time, in step S131, the server device Server_p_j 300 may safely manage the address storage.

In addition, step S132 may perform network address variation (Network Address Mutation).

That is, in step S132, the server device 300 first sets an external address of a network interface that receives a packet from the client device 200, and forwards the packet received through the network interface to a virtual network interface. You can set the internal address of the virtual network interface.

At this time, in step S132, in order to configure a hidden tunnel to communicate with the client device 200 even if the external address is changed by the server device 300 before the address change is performed, the network is set as follows. You can do

At this time, step S132 may first generate a virtual network interface (Hidden Interface) having an independent MAC address (MAC address).

At this time, step S132 may set an arbitrary IP network (Hidden Address) to the virtual network interface as an internal address (IP address, netmask).

At this time, step S132 may set the default gateway of the virtual interface as the external address of the IP address of the network interface to which address variation is to be performed.

At this time, step S132 is a destination NAT for forwarding a packet coming through a port generated with anonymous address information from among incoming packets received from the client device 200 to a virtual network interface (Hidden Interface). IP/Port) as the destination address.

At this time, in step S132, among the outgoing packets transmitted to the client device 200, Source NAT (IP/Port) for the packets generated in connection with the virtual network interface (Hidden Interface) as a source address Can be set.

In addition, in step S132, the client device 200 may perform network setting.

At this time, in step S132, among the outgoing packets transmitted to the server device 300, destination NAT (IP/) for packets generated in connection to the virtual network interface of the server device 300 (Hidden Interface). Port) as the destination address.

In addition, step S132 may perform address variation (server-side) and address tracking (client-side).

That is, step S132 may change the external address based on a preset network address variation rule.

At this time, in step S132, the server device 300 may continuously change the external address of the network interface according to a predetermined specific time point and time period based on the procedure of the anonymous address information generation step S131.

At this time, step (S132) is the server device 300 according to the predetermined address variation rule every predetermined period, any one of a plurality of anonymous IP addresses included in the anonymous address information and a plurality of anonymous ports The external address can be changed using one.

In this case, the predetermined function is a session shared by the server device 300 with the client device 200 in step S110, and the successful authentication between the server device 300 and the client device 200. The random value may be generated using a key.

At this time, in step S132, the client device 200 is also set to continuously change by embedding the same address generation mechanism as the server device 300 to track the network address of the server device 300.

At this time, in step S132, the server device 300 and the client device 200 may update the following network settings in order to prevent the connection from being lost whenever the external address is changed. All the processes of step S132 may be simultaneously performed by the server device 300 and the client device 200 in an address variation period (a specific time) according to a predetermined address variation rule.

First, in step S132, the server device 300 may change the external address of the network interface (the IP of eth0) based on a preset network address variation rule.

At this time, step S132, the server device 300 may change the gateway address of the virtual network interface (Hidden Interface) to the external address changed from the above (External Address).

At this time, in step S132, among the incoming packets received by the server device 300 through the external address to the network interface, forwarding the packet in a state that satisfies the address variation rule to the destination NAT Settings table for update.

At this time, in step S132, among the incoming packets transmitted by the server device 300 through an external address to the network interface, a packet in a state that does not satisfy the address variation rule is dropped (DROP). You can update the configuration table to make it work.

At this time, step S132 may set the connection filtering to distinguish the suspicious connection from among the generated connections and to forcibly disconnect the suspicious connection.

At this time, in step S132, suspicious connections may be distinguished by various connection filtering techniques, and connections may be forcibly disconnected at every address variation cycle according to the connection filtering technique.

At this time, step S132 may perform validation every time a new connection is created through a separate connection monitoring process.

In this case, step S132 sets a specific source port of the client device 200, and if a connection that does not match the set source port is performed, it may be determined as a suspicious connection.

Therefore, the source port (source port) is originally specified within the range defined in the OS, but by specifying this, the attacker will have the burden of specifying their own source port (source port) in addition to the server's IP:Port. Can. Eventually, the information that an attacker needs to find in order to access and maintain a hidden tunnel is the destination IP, destination port, and source port, and an attacker against this based on C-class The hidden tunnel prediction complexity of can be expressed by Equation (4).

[Equation 4]

K, l, and m may correspond to constant values taking into account network conditions or those that need to be excluded from the service port.

In addition, in step S132, the client device 200 may track the external address that is changed in the server device 300 based on a preset network address variation rule.

At this time, in step S132, the client device 200 sets the destination address of the packet for creating a connection from the application to the internal address (Hidden Address) of the server device 300, the server device ( 300) You can update the Destination NAT configuration table to change to the External Address.

At this time, step S132 updates the source NAT table in which the client device 200 replaces the source port of the packet that has become the destination NAT with a preset port (which may be created and changed at every predetermined variation cycle). can do.

At this time, step S132, the client device 200 may delete the connection tracking (Connection Tracking) information of the TCP connection (Connection) state is "SYN_SENT".

At this time, in step S132, when the address variation occurs before the client device 200 reaches the TCP [SYN] packet to the server device 300, the destination of the TCP [SYN] packet that is retransmitted after the RTO has passed. ) May be recorded in the SYN_SENT connection tracking table generated when a TCP[SYN] packet is sent during the previous cycle.

Therefore, in step S132, the client device 200 continues to only the external address of the server device 300 before the mutation, not the external address of the server device 300 after the external address is changed, TCP[SYN]. Because it sends a packet, it can be performed for the purpose of recovering a 3-way handshake failure. This can be a criterion for arithmetically defining the minimum period in the address variation technique, and since the time for the TCP[SYN] packet to reach the server is RTT/2, the theoretically (ideally) minimum address variation possible in this technique The period can be expressed as Equation 5.

[Equation 5]

In Equation 5, k is 0 when the server device 300 and the client device 200 are ideally capable of time synchronization without error, and if all address variation processing times are the same, it is 0. It may correspond to a constant value to be added in consideration of the minute error of and the address variation processing time of the server device 300 and the client device 200.

In addition, in step S140, the server device 300 and the client device 200 may perform secure communication through external addresses (Secure Communication).

In this case, step S140 includes the server device 300 in the first source address information of the predefined client device 200 and the packet received from the client device 200 based on the predetermined address variation rule. When the second source address information of the client device 200 matches, the packet may be forwarded to the virtual network interface.

In this case, step S140 includes the server device 300 in the first source address information of the predefined client device 200 and the packet received from the client device 200 based on the predetermined address variation rule. If the second source address information of the client device 200 does not match, access to the client device 200 may be blocked.

At this time, in step S140, the server device 300 includes the source address information of the server device 300 corresponding to the internal address in a packet based on the preset address variation rule to the client device 200. I can send it.

At this time, step S140 may prevent server tracking through packet eavesdropping.

At this time, in step S140, an attacker who has penetrated the network monitors the traffic of the server device 300 and the client device 200 to see the header of the IP packet through packet eavesdropping, and the current server device 300 ) Can respond to an attack model that determines what a reachable address is.

For example, assuming that the address of the server device 300 changes from A1 to A10, in the connection formed in A1, the destination of the packet and the IP of the source (Source) of the server device 300 IP will be recorded as A1. Thereafter, even if the connection is continued while the address of the server device 300 is changed from A2 to A10, the address of the server device 300 recorded in the packet header may be recorded as in A1.

In other words, whatever the address of the current server, network communication may be performed with the external address for the previously established connection. Then, at the point when A1 passes, no matter how much packet eavesdropping occurs, the current address of the server device 300 may not be known.

However, it is valid for an attacker to find out the address of the server device 300 through packet eavesdropping before the end of the A1 cycle, and it is effective for the attack until the corresponding address is removed in the next address variation cycle. It can be considered as having time.

Accordingly, the present invention may use an N:1 mapping of IP and MAC of an Address Resolution Protocol (ARP) table to allow a packet different from the address of the server device 300 to arrive at the corresponding server device 300.

Assuming that the MAC address of the server device 300 is called MAC[S] and the IP address changes from IP_T1[S] to IP_T10[S], when a connection is established from IP_T1[S], the ARP table displays {IP_T1[S ]: MAC[S]} is recorded. After that, if the IP address of the server device 300 continues to change and communication continues, {IP_T1[S]~ IP_T10[S]: MAC[S]} will be recorded in the ARP table. Can. Therefore, even if the IP address is different on the network, the packet can reach the network interface (External Interface) of the server device 300 (because the MAC is fixed).

Thereafter, according to the Local Packet Processing Flow of the OS and the Destination NAT table set in the initial network configuration, as soon as the packet goes up to the OS layer, the Destination IP address can be changed to an internal address, In the next procedure, it may be determined whether the packet is the IP of the server device 300. Since the server device 300 has a virtual network interface (Hidden Interface) of the server device 300 created in the initial network setting process in addition to the network interface (External Interface), it recognizes that it is its own packet and passes through the IP layer to the upper layer. Can go up.

Since the above technique is based on N:1 mapping in the ARP table, if any one of N, which is an IP address displacement range of a specific server device 300, is occupied by another server device, the connection is disconnected, so the address variation sub The address range allocated to the network should not be invaded by each address variation server device 300. Based on the N server devices 300 in the C-class in the technology to which it is applied, the predicted complexity of the attacker's Hidden Tunnel can be expressed as Equation 6.

[Equation 6]

That is, step S140 may map the external address and the MAC address (Media Access Control address) of the server device at the time when the connection between the server device and the client device is established and record it in a table.

In this case, each of a plurality of external addresses may be mapped and recorded in the table, and the table may correspond to the ARP table.

At this time, step S140, the server device 300 receives the packet from the client device through any one of a plurality of external addresses recorded in the table, the server device 300 and the client device 200 It is possible to maintain a network connection therebetween. FIG. 6 is a diagram illustrating a network address variation based communication method according to an embodiment of the present invention.

Referring to FIG. 6, as described above, the server device 300 and the client device 200 have completed initial network configuration, and the client device 200 has a virtual network interface of the server device 300 (Hidden Interface). The flow of packets generated when a hidden tunnel is generated by accessing with can be represented as shown in FIG. 6. As shown in FIG. 6, the connection created by the Hidden Tunnel is not lost even if the IP of the server's IP address (External Address (eth0 IP)) changes, and the network interface (External) Interface) can be directly accessed from the outside.

At this time, when the client device 200 meets a specific condition at a specific time to access the network interface (external interface) of the server device 300, the server device 300 attempts to connect the valid client device 200 It is determined that the packet can be forwarded to the virtual network interface to connect to the Hidden Tunnel (Hidden Tunnel). The specific time/specific condition mentioned herein is hidden information that is not disclosed to the attacker, and may be information regarding a predetermined address variation rule.

7 is a diagram illustrating packet forwarding through N:1 mapping of an ARP table according to an embodiment of the present invention.

Referring to FIG. 7, the server device 300, the client device 200, and the network address variation based communication method according to an embodiment of the present invention can prevent server tracking through packet eavesdropping.

At this time, in the network address variation-based communication method according to an embodiment of the present invention, an attacker who penetrates the network monitors the traffic of the server device 300 and the client device 200, and the IP is transmitted through packet eavesdropping. By looking at the header of the packet, it is possible to cope with an attack model that determines what an accessible address of the current server device 300 is.

For example, assuming that the address of the server device 300 changes from A1 to A10, in the connection formed in A1, the destination of the packet and the IP of the source (Source) of the server device 300 IP will be recorded as A1. Thereafter, even if the connection is continued while the address of the server device 300 is changed from A2 to A10, the address of the server device 300 recorded in the packet header may be recorded as in A1.

In other words, whatever the address of the current server, network communication may be performed with the external address for the previously established connection. Then, at the point when A1 passes, no matter how much packet eavesdropping occurs, the current address of the server device 300 may not be known.

However, it is valid for an attacker to find out the address of the server device 300 through packet eavesdropping before the end of the A1 cycle, and it is effective for the attack until the corresponding address is removed in the next address variation cycle. It can be considered as having time.

Accordingly, the present invention may use an N:1 mapping of IP and MAC of an Address Resolution Protocol (ARP) table to allow a packet different from the address of the server device 300 to arrive at the corresponding server device 300.

Assuming that the MAC address of the server device 300 is called MAC[S] and the IP address changes from IP_T1[S] to IP_T10[S], when a connection is established from IP_T1[S], the ARP table displays {IP_T1[S ]: MAC[S]} is recorded. After that, if the IP address of the server device 300 continues to change and communication continues, {IP_T1[S]~ IP_T10[S]: MAC[S]} will be recorded in the ARP table. Can. Therefore, even if the IP address is different on the network, the packet can reach the network interface (External Interface) of the server device 300 (because the MAC is fixed).

Thereafter, according to the Local Packet Processing Flow of the OS and the Destination NAT table set in the initial network configuration, as soon as the packet goes up to the OS layer, the Destination IP address can be changed to an internal address, In the next procedure, it may be determined whether the packet is the IP of the server device 300. Since the server device 300 has a virtual network interface (Hidden Interface) of the server device 300 created in the initial network setting process in addition to the network interface (External Interface), it recognizes that it is its own packet and passes through the IP layer to the upper layer. Can go up.

Since the above technique is based on N:1 mapping in the ARP table, if any one of N, which is an IP address displacement range of a specific server device 300, is occupied by another server device, the connection is disconnected, so the address variation sub The address range allocated to the network should not be invaded by each address variation server device 300. Based on the N server devices 300 in the C-class in the technology to which it is applied, the predicted complexity of the attacker's hidden tunnel can be expressed as Equation (6).

8 is a block diagram illustrating a client device for a network address variation based communication method according to an embodiment of the present invention.

Referring to FIG. 8, the client device 200 for a network address variation based communication method according to an embodiment of the present invention includes a key storage unit 210, a first random value generation unit 220, and an anonymous IP generation unit ( 230 ), a second random value generator 240, an anonymous port generator 250, an anonymous address storage unit 260, and a NAT setting information update unit 270.

The key storage unit 210 may authenticate the server device 300 through the authentication server 100 and generate a session key to store the distributed session key.

The first random value generator 220 may generate a first random value used for anonymous IP generation for use in network address variation.

The anonymous IP generator 230 may generate an anonymous IP through a one-way hash function using a session key and a first random value according to a preset address variation rule. The detailed generation process is described in step S131.

The second random value generator 240 may generate a second random value used for generating an anonymous port for use in network address variation.

The anonymous port generator 250 may generate an anonymous port through a one-way hash function using a session key and a second random value according to a predetermined address variation rule. The detailed generation process is described in step S131.

The anonymous address storage unit 260 may store the generated plurality of anonymous IP addresses and a plurality of anonymous ports as anonymous address information.

The NAT configuration information update unit 270 may generate a destination address for communicating with an external address of the network interface of the server device 300 in a packet using anonymous address information according to a predetermined address variation rule.

The NAT configuration information update unit 270 may generate the source address of the client device 200 to be forwarded to the internal address of the server device 300 in a packet according to a preset address variation rule.

The NAT setting information update unit 270 is a destination for packets generated in a connection from a server device 300 to a virtual network interface (Hidden Interface) among outgoing packets transmitted to the server device 300. NAT (IP/Port) can be set as the destination address.

At this time, the NAT configuration information update unit 270 is set to be continuously changed by embedding the same address generation mechanism as the server device 300 to track the external address of the network interface of the server device 300.

9 is a block diagram showing a server apparatus for a network address variation based communication method according to an embodiment of the present invention.

Referring to FIG. 9, a server device 300 for a network address variation-based communication method according to an embodiment of the present invention includes a key storage unit 310, a first random value generation unit 320, and an anonymous IP generation unit ( 330), the second random value generation unit 340, an anonymous port generation unit 350, an anonymous address storage unit 360, a virtual interface gateway update unit 370, NAT setting information update unit 380 and network address change It may include a portion 390.

The key storage unit 310 may authenticate the client device 200 through the authentication server 100 and generate a session key to store the distributed session key.

The first random value generator 320 may generate a first random value used for anonymous IP generation for use in network address variation.

The anonymous IP generator 330 may generate an anonymous IP through a one-way hash function using a session key and a first random value according to a predetermined address variation rule. The detailed generation process is described in step S131.

The second random value generator 340 may generate a second random value used for generating an anonymous port for use in network address variation.

The anonymous port generator 350 may generate an anonymous port through a one-way hash function using a session key and a second random value according to a preset address variation rule. The detailed generation process is described in step S131.

The anonymous address storage unit 360 may store the generated plurality of anonymous IP addresses and a plurality of anonymous ports as anonymous address information.

The virtual interface gateway update unit 370 may set a virtual network interface to configure a hidden tunnel to communicate with the client device 200 even if the external address is changed before performing the address variation.

At this time, the virtual interface gateway update unit 370 may first create a virtual network interface (Hidden Interface) having an independent MAC address (MAC address).

At this time, the virtual interface gateway update unit 370 may set an arbitrary IP network (Hidden Address) to the virtual network interface as an internal address (IP address, netmask).

At this time, the virtual interface gateway update unit 370 may change the gateway address of the virtual network interface (Hidden Interface) to the external address changed from the above.

The NAT setting information update unit 380 is a destination NAT (IP/Port) for forwarding a packet coming through a port generated with anonymous address information among incoming packets received from the client device 200 to a virtual network interface (Hidden Interface). ) As the destination address.

At this time, the NAT setting information update unit 380, among the outgoing (outgoing) packets transmitted to the client device 200, the source NAT for the packet generated in the connection (Connection) connected to the virtual network interface (Hidden Interface) ( IP/Port) as the source address.

At this time, the NAT setting information update unit 380 is configured to forward packets in a state that satisfies the address variation rule to the destination NAT among incoming packets received through an external address to the network interface. Tables can be updated.

At this time, the NAT configuration information update unit 380 is used to drop (DROP) packets in an incoming packet transmitted through an external address to a network interface from among addresses that do not satisfy the address variation rule. Settings table can be updated.

The network address changing unit 390 may set the default gateway of the virtual interface as an external address of an IP address of the network interface to which address variation is to be performed.

At this time, the network address changing unit 390 may continuously change the external address of the network interface according to a predetermined specific time point and time period based on the procedure of the anonymous address information generation step (S131).

At this time, the network address change unit 390 may update the network settings to prevent the risk of a connection being lost whenever the external address is changed.

At this time, the network address changing unit 390 may change the external address (IP of eth0) of the network interface based on a preset network address variation rule.

At this time, the network address changing unit 390 uses any one of a plurality of anonymous IP addresses and a plurality of anonymous ports included in the anonymous address information every predetermined period according to a predetermined address variation rule. The external address can be changed.

10 is a view showing a computer system according to an embodiment of the present invention.

Referring to FIG. 10, the authentication server 100, the client device 200, and the server device (the server to be protected) 300 according to an embodiment of the present invention include a computer system 1100, such as a computer-readable recording medium. ). As shown in FIG. 10, the computer system 1100 includes one or more processors 1110, memories 1130, user interface input devices 1140, and user interface output devices 1150 that communicate with each other through the bus 1120. And storage 1160. In addition, the computer system 1100 may further include a network interface 1170 connected to the network 1180. The processor 1110 may be a central processing unit or a semiconductor device that executes processing instructions stored in the memory 1130 or the storage 1160. The memory 1130 and the storage 1160 may be various types of volatile or nonvolatile storage media. For example, the memory may include ROM 1131 or RAM 1132.

At this time, the server device 300 according to an embodiment of the present invention includes at least one processor and an execution memory storing at least one program executed by the at least one processor, wherein the at least one program is a client device Set the external address of the network interface that receives the packet from 200, set the internal address of the virtual network interface for forwarding the packet received through the network interface to the virtual network interface, and set a predetermined network address variation rule The external address may be changed based on the packet, and a packet received from the client device 200 may be forwarded to the virtual network interface through the changed external address to communicate with the client device 200.

At this time, at least one program of the server device 300 may perform authentication through the authentication server 100 with respect to the client device 200, and share a session key with the client device 200 that is successfully authenticated. .

At this time, at least one program of the server device 300 may generate anonymous address information used to set an external address of a network interface that receives a packet from the client device 200.

At this time, at least one program of the server device 300 may generate anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function.

At this time, the predetermined function may generate the random value using the session key.

At this time, at least one program of the server device 300 may change the gateway address of the virtual network interface to a mutated external address.

At this time, the at least one program of the server device 300 maps the external address and the MAC address (Media Access Control address) of the server device at the time the connection is established with the client device 200 and records it in a table. Can.

In this case, each of a plurality of external addresses may be mapped and recorded in the table, and the table may correspond to the ARP table.

At this time, the at least one program of the server device 300 receives a packet from the client device through any one of a plurality of external addresses recorded in the table to maintain a network connection with the client device 200. Can.

At this time, at least one program of the server device 300 is included in the packet received from the client device 200 and the first source address information of the predefined client device 200 based on the predetermined address variation rule. When the second source address information of the client device 200 matches, the packet may be forwarded to the virtual network interface.

At this time, one or more processors of the server device 300 are included in the first source address information defined in the client device 200 and the packet received from the client device 200 based on the predetermined address variation rule. If the second source address information of the client device 200 does not match, access to the client device may be blocked.

At this time, one or more processors of the server device 300 transmits the source address information of the server device 300 corresponding to the internal address to the client device 200 based on the preset address variation rule in a packet. can do.

In addition, the client device 200 according to an embodiment of the present invention includes one or more processors and an execution memory storing at least one program executed by the one or more processors, and the at least one program includes a server device ( In order to send a packet to 300), an external address of the network interface of the server device 300 is set, and an external address that is changed according to a preset address variation rule is set as a destination address to set the external address of the server device 300. You can communicate by sending packets.

At this time, the at least one program of the client device 200 may perform authentication through the authentication server 100 for the server device 300 and share a session key with the server device 300.

At this time, the at least one program of the client device 200 may generate anonymous address information for tracking the external address of the network interface of the server device 300.

At this time, the at least one program of the client device 200 may generate anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function.

At this time, the predetermined function may generate the random value using the session key.

At this time, the at least one program of the client device 200 includes the source address of the client device 200 forwarded to the internal address of the server device 300 in a packet based on a predetermined address variation rule, and the server device It can be transmitted to (300).

At this time, the at least one program of the client device 200 may generate anonymous address information used for tracking the external address of the network interface through which the server device 300 receives a packet from the client device 200. have.

As described above, the server device, the client device, and the network address variation-based communication method according to an embodiment of the present invention are not limited to the configuration and method of the embodiments described above, but the embodiments are All or some of the embodiments may be selectively combined to constitute various modifications.

100: authentication server 200: client device (Client_p_i)
210: key storage unit 220: first random value generation unit
230: anonymous IP generator 240: second random value generator
250: anonymous port generation unit 260: anonymous address storage unit
270: NAT configuration information update unit
300: server device (server to be protected, Server_p_j)
310: key storage unit 320: first random value generation unit
330: anonymous IP generator 340: second random value generator
350: anonymous port generator 360: anonymous address storage
370: virtual interface gateway update unit
380: NAT configuration information update unit
390: network address change unit
1100: computer system 1110: processor
1120: bus 1130: memory
1131: Romans 1132: Ram
1140: user interface input device
1150: user interface output device
1160: storage 1170: network interface
1180: network

Claims (20)

In the communication method based on the network address variation of the server device and the client device,
Setting an external address of a network interface for receiving packets from the client device, and setting an internal address of the virtual network interface for forwarding packets received through the network interface to a virtual network interface;
Mutating the external address based on a preset network address variation rule; And
Forwarding a packet received from the client device through the mutated external address to the virtual network interface to communicate with the client device;
Including,
The step of mutating the external address is
After the server device receives the packet from the client device, sets the IP address and port for the destination of the packet to the internal address,
The server device and the client device change the external address every predetermined period according to the preset address variation rule,
The communication step
If the port of the packet received at the external address changed at each predetermined period matches the port for the destination set at the internal address, the packet received at the external address changed at each predetermined period is internal to the virtual network interface. Network address variation based communication method, characterized by forwarding to an address. The method according to claim 1,
The network address variation based communication method
After the step of mutating the external address,
And changing the gateway address of the virtual network interface to a mutated external address. The method according to claim 1,
The communication step
Network address variation-based communication method characterized in that the mapping of the external address and the MAC address (Media Access Control address) of the server device when the connection between the server device and the client device is established and recorded in a table. The method according to claim 3,
The table above
Network address variation based communication method, characterized in that each of a plurality of external addresses are mapped and recorded with the MAC address. The method according to claim 4,
The communication step
A network address variation-based communication method, characterized by maintaining a network connection between the server device and the client device by receiving a packet from the client device through any one of a plurality of external addresses recorded in the table. The method according to claim 1,
The network address variation based communication method
Before the setting step,
And generating, by the server device, anonymous address information used to set an external address of the network interface receiving the packet from the client device. The method according to claim 6,
The step of generating the anonymous address information
A network address variation-based communication method characterized by generating anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function. The method according to claim 7,
The step of mutating the external address is
The external address is changed by using any one of a plurality of anonymous IP addresses and one of a plurality of anonymous ports included in the anonymous address information every predetermined period according to the predetermined address variation rule. Communication method based on network address variation. The method according to claim 8,
The network address variation based communication method
Before the step of generating the anonymous address information,
And the server device performs authentication with the client device, and the server device and the client device that have successfully authenticated share the session key. The method according to claim 9,
The preset function
Network address variation based communication method characterized in that the random value is generated using the session key. One or more processors; And
An execution memory storing at least one program executed by the one or more processors;
Including,
The at least one program
Set an external address of a network interface that receives packets from a client device, set an internal address of the virtual network interface to forward packets received through the network interface to a virtual network interface, and set a predetermined network address variation rule. Varies the external address based on the packet, and forwards the packet received from the client device to the virtual network interface through the mutated external address to communicate with the client device,
After receiving the packet from the client device, set the IP address and port for the destination of the packet to the internal address,
The external address is changed every predetermined period according to the preset address variation rule,
If the port of the packet received at the external address that changes every predetermined period matches the port for the destination set as the internal address, the packet received at the external address that changes every predetermined period is internal to the virtual network interface. A server device characterized by forwarding to an address. The method according to claim 11,
The at least one program
Server device, characterized in that for changing the gateway address of the virtual network interface to a mutated external address. The method according to claim 12,
The at least one program
And mapping the external address and the MAC address (Media Access Control address) of the server device at the time the connection is established with the client device and recording the result in a table. The method according to claim 13,
The table above
A server device, characterized in that each of a plurality of external addresses is mapped and recorded with the MAC address. The method according to claim 14,
The at least one program
A server device receiving a packet from the client device through any one of a plurality of external addresses recorded in the table to maintain a network connection with the client device. The method according to claim 11,
The at least one program
And generating anonymous address information used to set an external address of a network interface that receives a packet from the client device. The method according to claim 16,
The at least one program
A server device characterized in that it generates anonymous address information including a plurality of anonymous IP addresses and a plurality of anonymous ports from a random value using a predetermined function. The method according to claim 17,
The at least one program
A server device that performs authentication with the client device, and the client device that has successfully authenticated shares the session key. The method according to claim 18,
The preset function
And generating the random value using the session key. delete

Images