KR102152313B1 - Method for real-time encryption packet separation and identification in high speed traffic and interworking with yara detection on identified packet, and apparatus thereof - Google Patents

Abstract

The present invention relates to a packet-based threat detection device that provides visibility of encrypted traffic in conjunction with YARA detection technology.
The device of the present invention is implemented based on a hardware module including a Field Programmable Gate Array (FPGA) and memory. In addition, the packet-based threat detection apparatus of the present invention detects a threat by applying an encryption traffic decryption engine 110 that decrypts encrypted network traffic data using a certificate, and a predetermined intrusion detection rule on the decrypted traffic data. With respect to the blocking intrusion detection engine 120 and the traffic data for which no threat is detected by the intrusion detection engine 110, the traffic data is not combined to generate a complete file, but a YARA rule is applied on a packet basis. Includes a packet-based YARA detection engine (130) that redetects threats.

Description

Technology and device for real-time encryption packet separation identification technology in high-speed traffic and YARA detection technology interworking technology for identified packets {METHOD FOR REAL-TIME ENCRYPTION PACKET SEPARATION AND IDENTIFICATION IN HIGH SPEED TRAFFIC AND INTERWORKING WITH YARA DETECTION ON IDENTIFIED PACKET, AND APPARATUS THEREOF}

The present invention relates to the security of computer networks, and more particularly to the security of encrypted packets in high-speed traffic.

Computer networks are used to obtain or share information in the modern information society. A smartphone, desktop, or laptop computer is used to access a network such as an intranet or the Internet to obtain information from a server or upload information to the server to share information.

When so many users access and exchange huge amounts of information, there are always attempts to steal information or attack servers by malicious users.

Security technologies such as SSL (Secure Socket Layer) have been developed and used to prevent abnormal attacks or hacking attempts of such networks. SSL is a technology that can keep all transmitted data private by using an encrypted link between a web server and a user's browser. However, if the SSL technology is used, the security of the data can be maintained, but when data detection for security is required, the problem of decryption occurs again.

Therefore, prior art security devices must provide functions for encryption traffic visibility in order to detect such encrypted data. The encryption traffic visibility providing system of the prior art has three functions. First, the function of decrypting (peaceful culture) encrypted traffic, and second, the function of detecting/blocking threats based on the rules used in the Intrusion Detection/Prevention System for decrypted traffic, Third, if a file is included in the decrypted traffic, it combines all the traffic to create a complete file, and then detects whether the file is a malicious file.

However, in order to detect/block all files in the encrypted traffic, it is necessary to combine and detect all the traffic including the files, so a considerable amount of time and computing power are required in the prior art. In particular, since network traffic must be detected and blocked in real time, the problem of time and performance eventually leads to an increase in cost.

The inventors of the present invention, after deeply considering these problems, have come to complete the present invention regarding an apparatus and method for more effective detection and blocking of files in encrypted packets.

An object of the present invention is to provide an apparatus for detecting and blocking malicious codes (malware files) by separating and identifying encrypted packets in real time within high-speed traffic.

It takes considerable cost and time to detect malicious codes in real time within high-speed traffic. Accordingly, another object of the present invention is to implement a detection device for providing visibility of encrypted traffic, which can save time and cost by reducing the detection time of real-time malicious codes in high-speed traffic.

Meanwhile, other objects not specified of the present invention will be additionally considered within a range that can be easily deduced from the following detailed description and effects thereof.

In order to achieve the above problems, the present invention is a packet-based threat detection device through providing encryption traffic visibility executed on the basis of a hardware module including a field programmable gate array (FPGA) and memory:

An encrypted traffic decryption engine that decrypts the encrypted network traffic data using a certificate;

An intrusion detection engine for detecting and blocking a threat by applying a predetermined intrusion detection rule to the decrypted traffic data; And

A packet-based YARA detection engine for re-detecting a threat by applying a YARA rule based on a packet, rather than generating a complete file by combining all the traffic data with respect to the traffic data for which a threat is not detected by the intrusion detection engine; It characterized in that it includes.

In the packet-based threat detection apparatus through provision of encrypted traffic visibility according to a preferred embodiment of the present invention, the packet-based YARA detection engine comprises:

A string definition unit defining a YARA string based on a packet;

A condition definition unit that defines the condition of the packet-based YARA rule: and

It is recommended to include a YARA rule translator that changes the standard YARA rule to a packet-based YARA rule structure.

In addition, in the packet-based threat detection apparatus through providing encrypted traffic visibility according to a preferred embodiment of the present invention, the encrypted traffic decryption engine, intrusion detection engine, or packet-based YARA detection engine is applied to the hardwired logic of the FPGA. Can be implemented through hardware by

According to the above problem solving means of the present invention, the present invention has the effect of detecting/blocking malicious codes in real time using the abbreviated YARA pattern without combining all the encrypted traffic including files.

In addition, since all encrypted traffic including files is not combined, the time taken to detect malicious codes can be much shorter than that of the prior art, and thus, there is an effect of lowering the price of a blocking system having the same performance.

On the other hand, even if it is an effect not explicitly mentioned herein, it is added that the effect described in the following specification and its provisional effect expected by the technical features of the present invention are treated as described in the specification of the present invention.

1 is a structural diagram of an entire system according to a preferred embodiment of the present invention.
2 is a structural diagram of a packet-based YARA detection engine according to a preferred embodiment of the present invention.
3 is an example of packet-based YARA rule application according to a preferred embodiment of the present invention.
4 is a flowchart of a threat detection method according to another preferred embodiment of the present invention.
5 is a schematic structural diagram of a hardware board according to another embodiment of the present invention.
※ The accompanying drawings are exemplified as reference for understanding the technical idea of the present invention, and the scope of the present invention is not limited thereto.

Hereinafter, a configuration of the present invention guided by various embodiments of the present invention and effects resulting from the configuration will be described with reference to the drawings. In describing the present invention, when it is determined that the subject matter of the present invention may be unnecessarily obscured as matters obvious to those skilled in the art with respect to known functions related to the present invention, a detailed description thereof will be omitted.

1 is a schematic structural diagram of a packet-based threat detection apparatus through provision of encrypted traffic visibility according to a preferred embodiment of the present invention.

The threat detection apparatus according to the present invention can be implemented in various forms. It can be implemented in software using a computer-based device, or it can be implemented by configuring dedicated hardware. The threat detection apparatus of the present invention can be implemented using a Field Programmable Gate Array (FPGA). FPGAs are programmable semiconductors, unlike application specific integrated circuits (ASICs), which cannot be modified once they are manufactured, and have features that enable users to implement hardware designed according to their needs. Since it is implemented as a hardware semiconductor by a logic device, it has the advantage of being much faster than software implementation.

The packet-based threat detection apparatus 10 providing encryption traffic visibility according to a preferred embodiment of the present invention is composed of an encryption traffic decryption engine 110, an intrusion detection engine 120, and a packet-based YARA detection engine 130. .

The encrypted traffic decryption engine 110 decrypts traffic data encrypted by SSL (Secure Socket Layer), HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), or the like. In other words, it converts the inscription into plain text.

SSL is a communication protocol for securely transmitting data over the Internet with a secure socket layer. As an industry standard protocol for securely sending and receiving data between a web browser and a web server, it was developed by Netscape Communications Inc., and can be applied not only to the web but also to other TCP/IP applications such as the File Transfer Protocol (FTP). SSL has an authentication encryption function.

Instead of using plain text in socket communication, HTTPS encrypts and transmits session data through SSL or TLS protocols. Therefore, it is possible to ensure adequate protection of data. The default TCP/IP port for HTTPS is 443.

SSL or HTTPS decryption is performed using the corresponding certificate 112. It creates, deletes, or updates session information of each traffic session, blocks unauthorized traffic data, and records logs.

The unencrypted traffic data is bypassed by the encrypted traffic decryption engine 110 and transmitted to the intrusion detection engine 120.

The intrusion detection engine 120 detects a threat based on the intrusion detection rule 122 on the decrypted traffic data or the traffic data bypassed because it is not encrypted. Traffic data in which a threat is detected is blocked and a record is left in the detection log 20. Traffic data for which no threat is detected is transmitted to the YARA detection engine 130.

The packet-based YARA detection engine 130 detects threats such as malware by applying the YARA rule 132 to traffic data for which no threat is detected by the intrusion detection engine 120.

In this way, the first threat is detected by the intrusion detection rule 122 of the intrusion detection engine 120, and then the second threat is re-detected by the YARA rule 132 of the packet-based YARA detection engine 130. Detect threats by process. The intrusion detection rule 122 is information indicating that it is an intrusion detection rule, a rule name consisting of letters or numbers (minimum/maximum length applied, for example, minimum 3 characters, maximum 200 characters) to be used as a rule name, and a risk applied by dividing into upper, lower, and lower It may be composed of a risk of notifying the message, a response method for how to process the detected packet, a signature composed of a header and a detection syntax. On the other hand, the Yarra rule 132 is information indicating that it is a Yarra room, a letter or number to be used as a rule name (minimum/maximum length applied, for example, a minimum of 3 characters, a maximum of 200 characters), and a risk indicating the degree of risk applied by dividing the upper, middle, and lower, Further, it may be composed of a signature including signature metadata, a signature string, and a signature condition.

2 is a structural diagram of a packet-based YARA detection engine 130.

The packet-based YARA detection engine 130 includes a string definition unit 134, a condition definition unit 136, and a YARA rule translator 138.

The string definition unit 134 defines a packet-based YARA string. Each string is limited to one packet size, and the string is limited to a text string and a hexa string. Perl-based regular expressions (PCRE) are not supported for strings, and only wildcards (*) and question marks (?) are supported for regular expressions. Wide string is also supported.

The condition definition unit 136 defines a condition of a packet-based YARA rule. Possible conditions are 1. All of them, 2. Any of them, 3. AND, etc. For OR, the rule is divided into each string, and the file size condition is not supported because the condition is defined on a packet basis.

The string definition unit 134 or the condition definition unit 136 does not support YARA additional module options (PE, ELF, Cuckoo, Magic, HASH, MATH).

The YARA rule translator 138 changes the packet-based YARA rule definition defined by the string definition unit 134 and the condition definition unit 136 on a packet basis so that the packet-based YARA detection engine 130 can process. Optimize.

For example, in a preferred embodiment of the present invention, the YARA rule translator 138 translates the rule name to correspond to the rule number 310 of FIG. 3 in the standard YARA rule table, and the risk level corresponds to the number 1 string. In addition, the signature metadata is translated into strings 2 and 3, the rest of the signature string, and the signature condition is translated to correspond to the condition 330 of FIG. 3, and the YARA rule is updated.

In particular, in a preferred embodiment of the present invention, when each configuration of the standard YARA table is input to the YARA rule translator, the YARA rule is recognized in the FPGA and separated into detailed rules in a structure that facilitates the detection process.

The abbreviated YARA rule is uploaded to the internal logic of the FPGA, and matches the header values of packets passing through the FPGA and all data in the payload in real time on a byte basis to find the conditions suitable for the YARA rules loaded in the FPGA.

The advantage is that the same detection result can be obtained even if the standard YARA rule is abbreviated or modified by translating and updating the standard YARA rule as above. Therefore, even if the standard YARA rule is modified based on a packet, the same detection as the standard YARA rule is possible.

Using the updated YARA rule, the preferred YARA detection engine of the present invention detects signature metadata, signature string detection, and signature for each of N packets (N is an integer greater than 1) each consisting of a header and a payload. Run condition detection.

3 shows the packet-based YARA rule structure translated in this way.

YR#1 to YR#3 310 denote YARA rule numbers. Each YARA rule includes a string value 320 and a YARA rule match condition (Condition, 330).

As a result of applying the packet-based YARA rule, YR ID#1~2 340, which are YARA rule ID numbers that match the YARA rule, are displayed in packets of packet data (Packet Payload).

The packet-based YARA rule detection engine 130 of the present invention performs a string match inspection in units of packets by using high-speed dedicated hardware. By blocking packets that meet the condition 330 of each YARA rule on a per packet basis, the inflow of threatened files is essentially blocked. Blocked packets are forwarded to the application layer for assembly of the entire file. When detection and blocking are performed in the YARA rule, a record is left in the detection log (20).

4 is a flowchart illustrating a method of detecting a threat by the packet-based threat detection apparatus 10 by providing the above encrypted traffic visibility.

First, traffic data encrypted with SSL, HTTPS, etc. is decrypted using a certificate (S10). Unencrypted traffic data is delivered to the next step without decryption.

The decrypted traffic data or unencrypted traffic data detects a threat by applying an intrusion detection rule (S20). Then, when a threat is detected, the packet is blocked (S60) and a log is recorded.

Next, if the threat is not detected by applying the intrusion detection rule, the YARA rule is applied (S40) to detect the threat again (S50). To apply the YARA rule, a packet-based YARA string is defined in advance, the conditions of the packet-based YARA rule are defined in advance, and the standard YARA rule is modified using a packet-based YARA rule translator. The process of transforming and applying the packet-based YARA rule is as described above. When a threat is detected, the packet is blocked (S60) and a log is recorded.

5 is a structural diagram of the entire module when the packet-based threat detection apparatus 10 through the provision of encrypted traffic visibility according to the present invention is configured in an FPGA board. Threat detection is possible for both HTTPS-encrypted or unencrypted traffic.

The encrypted traffic decoding engine 110 corresponds to the SSL Traffic Handling Module in the illustrated example. In addition, the Network Attack Mediation Module and the Active Session Management Module overlap with the intrusion detection engine 120 and the packet-based YARA detection engine.

According to the present invention as described above, by applying the YARA rule on a per packet basis, it is possible to detect threats by providing visibility of encrypted packets in real time, and to detect threats much faster than processing with software with a dedicated FPGA hardware design. Therefore, it has the effect of reducing the threat detection time.

Meanwhile, although not shown, the packet-based threat detection apparatus of the present invention may include one or more processors and a memory, and several hardware and/or software modules for implementing functions and improving performance may be added. In addition, as described above, the present invention is implemented based on a hardware module including an FPGA, thereby enabling faster and more accurate detection of malicious modules.

For reference, the threat detection method by providing visibility of an encrypted packet according to an embodiment of the present invention may be implemented in the form of a program command that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the present invention, or may be known and usable to those skilled in computer software.

Examples of computer-readable media include hard disks, magnetic media such as floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, magnetic-optical media such as floptical disks, and ROM, RAM, A hardware device specially configured to store and execute program instructions such as flash memory or the like may be included. Examples of program instructions include not only machine language codes created by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The above-described hardware device may be configured to operate as one or more software modules to perform the operation of the present invention, and vice versa.

The scope of protection of the present invention is not limited to the description and expression of the embodiments explicitly described above. In addition, it is added once again that the scope of protection of the present invention may not be limited due to obvious changes or substitutions in the technical field to which the present invention pertains.

Claims (3)

Implemented on the basis of hardware modules including Field Programmable Gate Array (FPGA) and memory:
An encrypted traffic decryption engine that decrypts the encrypted network traffic data using a certificate;
An intrusion detection engine for detecting and blocking a threat by applying a predetermined intrusion detection rule to the decrypted traffic data; And
A packet-based YARA detection engine for re-detecting a threat by applying a YARA rule based on a packet, rather than generating a complete file by combining all the traffic data with respect to the traffic data for which the threat is not detected by the intrusion detection engine; Including,
The packet-based YARA detection engine:
A string definition unit defining a YARA string based on a packet;
A condition defining unit defining a condition of a packet-based YARA rule; And
Including a YARA rule translator that changes the standard YARA rule to a packet-based YARA rule structure,
The YARA rule translator translates the rule name of the standard YARA rule to correspond to the rule number of the packet-based YARA rule, and the risk of the standard YARA rule, signature metadata, and signature are each translated into at least one string of the packet-based YARA rule. , The signature condition of the standard YARA rule is translated into the condition of the packet-based YARA rule,
The packet-based threat detection apparatus through provision of encrypted traffic visibility, characterized in that the string of the packet-based YARA rule is one packet size.
delete The method of claim 1,
The encrypted traffic decryption engine, the intrusion detection engine, or the packet-based YARA detection engine is executed through hardware by hardwired logic of the FPGA.

Images