KR102239769B1 - Network security method using ship maintenance support network system - Google Patents

Abstract

The present invention relates to a network security method using a ship maintenance support network system to enhance security. According to one embodiment of the present invention, the network security method comprises the following steps: introducing a ship facility into a ship maintenance plant in which a ship maintenance network including a plurality of access points (AP) is provided to allow the ship facility to be repaired by using one or more maintenance devices provided in the ship maintenance plant; receiving, by a control server, facility information on the ship facility through a mobile device to monitor a maintenance process for the ship facility; and allowing a management server to collect and analyze wireless intrusion detection results into the ship maintenance network by using a plurality of AP detection sensors provided in the ship maintenance plant. The step of collecting and analyzing the wireless intrusion detection result includes a step of performing an authentication process by at least one of the plurality of APs when an arbitrary AP invades the ship maintenance network and the ship maintenance network can be formed by completing mutual authentication between the plurality of APs.

Description

Network security method using ship maintenance support network system {NETWORK SECURITY METHOD USING SHIP MAINTENANCE SUPPORT NETWORK SYSTEM}

The present invention relates to a ship maintenance network security system. More specifically, a wireless network is formed based on a plurality of APs for which mutual authentication has been completed in the ship maintenance factory, and an authentication procedure is required according to the intrusion of an unauthorized AP. A ship maintenance support network system including a control server that receives facility information on ship equipment through the device and a management server that collects and analyzes wireless intrusion detection results from AP detection sensors installed in the ship maintenance plant. It relates to the network security method used.

Industrial control systems for ship maintenance have been presented with various methods for incorporating IT (Information Technology) technology into operation and facility maintenance for automation. Inside facilities such as ships or ship repair shops, facility operation and maintenance are monitored using a closed communication network. However, the security solution for the conventional industrial control system is built as an IT security solution using a firewall, etc., so it is impossible to completely defend against external intrusion. There is a risk of hacking in connecting external networks. In addition, in the case of domestic and overseas industrial control systems, it has a firm competitive advantage in the area of construction and manufacturing, but the basic design of industrial control systems, high value-added equipment, package facilities, management and operation systems, remote monitoring systems, which are the basis of industrial control systems Common core technology areas such as maintenance and repair are weak. Furthermore, since the life cycle of the data of the remote monitoring system of the industrial control system is only several years, the life cycle of the industrial control system is several decades, so it is important to efficiently store and manage data for a long period of time. However, the remote monitoring system of the conventional industrial control system is not easy to be compatible with the equipment of the industrial control system due to limited data collection, and thus integrated remote monitoring is difficult. Accordingly, in order to prevent data increase and security accidents in industrial control systems, and to overcome the security problem of network connection required for real-time data transmission, the need for a remote monitoring method of a highly reliable industrial control system has increased.

In other words, a ship repair shop with IoT technology collects sensor-based data and creates information and knowledge through data communication and acquired data using wired or wireless terminals. It is very important to strengthen the security of the terminal through construction and mobile apps. In addition, as the units for facilities and parts have increased, it is essential to build a network infrastructure to build a big data system for high-quality information. Data goes through the steps of'data -> information -> knowledge -> wisdom' until it provides usefulness for judgment to the commander or operator. Quality data management is the most basic and very important process. Therefore, since the above-described big data system is essential to grasp the movement path of various facilities and to efficiently grasp the maintenance status of ship facilities, security measures for this are also continuously required.

Republic of Korea Patent Publication No. 10-2014-0045829 (Publication date: 2014.04.17)

The present invention is to solve the above-described problem, and in a network built using a wireless AP in a ship repair shop, an authentication procedure between wireless APs is required to improve security. Its purpose is to provide a network security method using a ship maintenance support network system.

In addition, the purpose of this purpose is to reinforce security by allowing data to be transmitted through a physical one-way transmission module for information that requires security, such as ship equipment abnormality information or unauthorized AP intrusion information transmitted in real time.

In addition, in the case of a mobile device used in a ship repair shop, the purpose is to improve security by enabling encryption/decryption through a security keyboard so that information requiring security is input through a security keyboard.

As an embodiment of the present invention, a network security method using a ship maintenance support network system including a ship maintenance factory, a control server, and a management server may be provided.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, ship equipment is stored in a ship maintenance factory equipped with a ship maintenance network equipped with a plurality of APs, and one or more maintenance devices provided in the ship maintenance factory are installed. A step of being maintained by using, a step of monitoring the maintenance process of a ship facility by receiving facility information on a ship facility through a mobile device in the control server, and using a plurality of AP detection sensors provided in the ship maintenance factory in the management server. The method includes the step of collecting and analyzing the wireless intrusion detection result into the ship maintenance network, and the collecting and analyzing the wireless intrusion detection result includes at least one of a plurality of APs when a random AP intrudes into the ship maintenance network. It further includes performing the authentication process by, and the ship maintenance network may be formed by completing mutual authentication between the plurality of APs in advance.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the first security data is transmitted from a ship maintenance factory to a control server using a first one-way transmission module included in the ship maintenance support network system. The step of further comprising: the first security data may be defect information of the ship equipment detected by the maintenance device provided in the ship maintenance factory.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the step of detecting operation data and maintenance data of ship equipment using a detection sensor provided in a maintenance device, and ship equipment using a detection model A step of determining the defect information of, and the detection model may be generated according to a result of learning based on a deep learning algorithm for operation data and maintenance data.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the step of performing the authentication process includes: transmitting an AP authentication request message to the AP invaded by the first AP, and The step of determining whether the AP identification information extracted from the response message to the request message from the AP is included in the pre-stored authorized AP list, and transmitting the AP authentication result to the remaining APs in the plurality of APs by the first AP Including the step of, the first AP may be interlocked in advance with an AP detection sensor that has detected a wireless intrusion of the AP intruding into the ship maintenance network among the plurality of APs.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the second security data is transmitted from the ship maintenance factory to the management server using a second one-way transmission module included in the ship maintenance support network system. The second security data may be discrimination information on an unauthorized AP according to an authentication process in the ship maintenance network.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, as a security card is inserted and mounted in a mobile device, input with a virtual keyboard capable of operating in a security mode and a virtual keyboard operating in a security mode An encoding unit for generating encrypted data according to a predetermined encryption algorithm in which encryption is performed based on the key information received from the management server for the input data is included, and the key information is included in the tag information of the security card and the mobile device in the management server. It may be generated based on the identification information.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the facility information includes regular inspection results for ship facilities, a moving route of ship facilities, maintenance history for ship facilities, and status information of ship facilities. Is included, and in the management server, a random key corresponding to the security information to be encrypted is generated from the equipment information by the mobile device, and encrypted data is generated by encoding the security information to be encrypted using the random key, The mobile device can transmit the encrypted data and the encrypted random key to the control server based on the encryption random key according to encryption for the random key using the public key that corresponds to the control server's private key and received in advance from the control server.

According to the network security method using the ship maintenance support network system of the present invention, the authentication procedure between the wireless APs is essentially required in the network built using the wireless AP in the ship maintenance factory, thereby improving security. There is an effect that can be.

In addition, for information requiring security such as equipment abnormality information or unauthorized AP intrusion information transmitted in real time, there is an effect of enhancing security by allowing data to be transmitted through a physical one-way transmission module.

In addition, in the case of a mobile device used in a ship repair shop, encryption/decryption is possible through a security keyboard, so that information requiring security is input through a security keyboard, thereby improving security.

1 is an exemplary view showing a ship maintenance support network system according to an embodiment of the present invention.
2 is a flowchart illustrating a network security method using a ship maintenance support network system according to an embodiment of the present invention.
3 is a flowchart illustrating a process of transmitting first security data using a first one-way transmission module in a network security method using a ship maintenance support network system according to an embodiment of the present invention.
4 is a flowchart illustrating an authentication process in a network security method using a ship maintenance support network system according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art can easily implement the present invention. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar reference numerals are attached to similar parts throughout the specification.

The terms used in the present specification will be briefly described, and the present invention will be described in detail.

Terms used in the present invention have selected general terms that are currently widely used as possible while taking functions of the present invention into consideration, but this may vary according to the intention or precedent of a technician working in the field, the emergence of new technologies, and the like. In addition, in certain cases, there are terms arbitrarily selected by the applicant, and in this case, the meaning of the terms will be described in detail in the description of the corresponding invention. Therefore, the terms used in the present invention should be defined based on the meaning of the term and the overall contents of the present invention, not a simple name of the term.

When a part of the specification is said to "include" a certain component, it means that other components may be further included rather than excluding other components unless specifically stated to the contrary. In addition, terms such as "... unit" and "module" described in the specification mean a unit that processes at least one function or operation, which may be implemented as hardware or software or a combination of hardware and software. . In addition, when a part is said to be "connected" with another part throughout the specification, this includes not only the case of being "directly connected", but also the case of being connected "with another element in the middle."

1 is an exemplary view showing a ship maintenance support network system according to an embodiment of the present invention, Figure 2 is a flow chart showing a network security method using the ship maintenance support network system according to an embodiment of the present invention, Figure 3 Is a flow chart showing a process of transmitting first security data using a first one-way transmission module in a network security method using a ship maintenance support network system according to an embodiment of the present invention, and FIG. 4 is an embodiment of the present invention. In the network security method using the ship maintenance support network system according to the embodiment, a flow chart showing the authentication process. Hereinafter, the present invention will be described in detail with reference to the drawings described above.

As an embodiment of the present invention, a network security method using a ship maintenance support network system including a ship maintenance factory, a control server, and a management server may be provided.

1 and 2, the network security method using the ship maintenance support network system according to an embodiment of the present invention is a ship equipment is received in a ship maintenance factory equipped with a ship maintenance network equipped with a plurality of APs. Step (S100) of performing maintenance using one or more maintenance devices provided in the maintenance factory, step (S200) and management of receiving facility information about ship facilities through a mobile device in the control server and monitoring the maintenance process of ship facilities (S200) In the server, the step of collecting and analyzing the wireless intrusion detection result to the ship maintenance network using a plurality of AP detection sensors provided in the ship maintenance factory (S300), and the step of collecting and analyzing the wireless intrusion detection result, Further comprising the step of performing an authentication process by at least one of the plurality of APs when a random AP intrudes into the ship maintenance network, and the ship maintenance network may be formed by completing mutual authentication between the plurality of APs in advance. .

Hereinafter, a network security method using a ship maintenance support system according to an embodiment of the present invention will be described in more detail for each step (S100-S300).

First, in S100, a ship equipment is received in a ship maintenance factory equipped with a ship maintenance network equipped with a plurality of APs, and a maintenance process may be performed using one or more maintenance devices provided in the ship maintenance factory.

According to one disclosure, the ship maintenance factory 100 is provided with a plurality of maintenance devices, and the maintenance is performed by the maintenance device as ship equipment is received, and the ship maintenance factory 100 is a target of maintenance of various facilities within the ship. As a result, it is possible to perform maintenance regularly or irregularly using a plurality of maintenance devices. In the present specification, there is no limitation on ship equipment, and various ship equipment may be included in the ship equipment.

According to one disclosure, a ship maintenance factory 100 includes a plurality of APs (access points) to form a ship maintenance network, and the AP can connect wireless devices to wired devices according to a related standard using Wi-Fi. As a connection module to enable it, it may be referred to as a wireless access point (WAP). The plurality of APs may be linked to maintenance devices and ship facilities, as well as other facilities and equipment (Ex. AP detection sensor, detection sensor, etc.) in the ship maintenance factory 100.

In addition, authentication between the plurality of APs may be completed in advance. That is, the APs constituting the ship maintenance network provided in the ship maintenance plant 100 may be already authenticated with each other. Various methods can be used for mutual authentication between a plurality of APs constituting a ship maintenance network.

Contrary to this, in the ship maintenance network construction step, all authentication based on an authentication constant may be performed for each of the management server 300 and a plurality of APs. That is, the ship maintenance network may be established between the management server 300 and the individual APs as all authentication procedures based on the authentication constant are completed. In other words, the management server 300 can transmit an authentication request message to each AP, and authentication constants (α0, α1) are generated according to Equation 1 below for the relationship between the management server 300 and the AP. I can. The management server 300 may preset private information and public information in an authentication request message sent to the AP.

:제너레이터(generator), s:비공개정보, t:공개정보, z0,z1 :난수,

,

,

,

: 인증상수인 것을 특징으로 한다.Where, p: a prime number that satisfies the discrete log problem, q: a prime that can divide p-1,

: Generator, s: private information, t: public information, z0,z1: random number,

,

,

,

: It is characterized by being an authentication constant.

)를 전달받을 수 있으며, 인증요구 메시지의 신뢰도가 검증된 경우, 관리서버(300)와 검증이 완료된 AP 간의 인증이 완료되어 선박정비네트워크가 구축될 수 있다. 인증요구 메시지는 관리서버(300)에서 소정의 난수 생성 알고리즘에 따라 생성된 난수에 기초하여 생성될 수 있다. The AP is an authentication request message generated from the management server 300 (

) Can be received, and if the reliability of the authentication request message is verified, authentication between the management server 300 and the verified AP is completed, and a ship maintenance network may be established. The authentication request message may be generated based on a random number generated according to a predetermined random number generation algorithm in the management server 300.

In addition, in order to verify the reliability of the authentication request message, a verification process may be performed by substituting the shared constant and the authentication request message into Equation 2 below.

In this way, if the left and right sides of Equation 2 match, the authentication request from the management server 300 is permitted, and an authentication response message indicating that the authentication has been successfully performed may be generated and transmitted to the AP side. As described above, since the ship maintenance network is established, all APs in the ship maintenance network can be authenticated between the management server 300, and the management server 300 and the authenticated AP are authenticated to other APs in the ship maintenance network. By sending a message, authentication can also be performed between APs.

3, in the network security method using the ship maintenance support network system according to an embodiment of the present invention, by using a first one-way transmission module included in the ship maintenance support network system from the ship maintenance factory to the control server The step of transmitting the first security data may be further included, and the first security data may be information on defects of ship equipment detected by a maintenance device provided in a ship maintenance factory.

In addition, in the network security method using the ship maintenance support network system according to an embodiment of the present invention as shown in Figure 3, by using the detection sensor provided in the maintenance device to detect the operation data and maintenance data of the ship equipment The step of determining the defect information of the ship facility using the step and the detection model may be further included, and the detection model may be generated according to a result of learning based on a deep learning algorithm for operation data and maintenance data.

As shown in Fig. 3, before the maintenance process according to the ship equipment being received to the maintenance factory is performed, ship equipment having a problem such as a failure is selected according to the process S50-S70, and information on the selected ship equipment Can be transmitted to the control server. In other words, the ship equipment stocked to the ship maintenance factory may be determined according to the process S50-S70.

According to one disclosure, a detection model (not shown) is generated according to a result previously learned according to a deep learning algorithm, and the deep learning algorithm may include a convolutional neural network (CNN). In addition, the recognition model may be generated according to a learned result by combining with a recurrent neural network (RNN) in addition to the CNN. Hereinafter, a description will be made based on a detection model formed according to a CNN-based learning result. First, briefly explaining CNN, CNN can be a type of artificial neural network used to analyze input data (mainly, visual images), and features are extracted from the input data in the feature extraction layer, and extracted from the classification layer. Based on the characteristics, the input data may be classified into which class. The feature extraction layer may include at least one convolutional layer and a pooling layer, and the classification layer is a fully connected layer including one hidden layer. ) Can be. The convolution layer may correspond to a filter that generates a feature map representing features of an object through a convolution operation. In the pooling layer, a pooling operation may be performed to reduce the size of the output data of the convolution layer or to emphasize specific data. The pooling layer may include a max pooling layer and an average pooling layer. The fully connected layer may correspond to a classifier for classifying input data based on the extracted feature information.

That is, a deep learning-based detection model can be used to determine the normal operation or failure of ship equipment from operation data and maintenance data of ship equipment, and defect information is more accurately determined according to the detection result of the detection model. Can be.

In addition, according to one disclosure, the detection model is preferably a first neural network for extracting a first feature from the input data, a second neural network for extracting a second feature from the input data, and the extracted first feature and the second feature. A classification layer for determining defects based on features and a fusion layer formed such that outputs of the first neural network and the second neural network are fused and input to the classification layer may be further included.

The first neural network may correspond to a neural network formed based on a convolutional neural network (CNN) including a single convolutional layer. That is, the first neural network is formed in a shallow structure by having only the first convolution layer and the first pooling layer, so that the first feature may be extracted from the input image.

Alternatively, the second neural network may correspond to a neural network formed based on a convolutional neural network including a plurality of convolutional layers. That is, the second neural network is formed in a deep structure with second to fourth convolution layers and a second pooling layer, so that the second feature may be extracted from the input image data.

A neural network including only one convolutional layer may correspond to a shallow neural network as described above, and a neural network including a plurality of convolutional layers may correspond to a deep neural network. Accordingly, the first feature extracted from the first neural network having a shallow structure may be a shallow feature, and the second feature extracted from the second neural network having a deep structure may be a deep feature.

The fusion layer may be a layer connecting the outputs of the first neural network and the second neural network to become an input of the classification layer. The fusion layer may be composed of a pooling layer.

The classification layer is a fully connected layer as described above, and the classification layer additionally includes at least one hidden layer and an output layer, as well as a flatten layer for dimensional change. Can be included. The softmax activation function is used in the output layer, so that the degree of defect occurrence due to welding can be determined.

In more detail, in the first neural network, a single first convolutional layer and a first pooling layer are formed together to form a shallow convolutional neural network. Unlike this, in the second neural network, three convolutional layers corresponding to the second convolution layer, the third convolution layer, and the fourth convolution layer, and the second pooling layer are connected to form a deep convolutional neural network. have. The number of filters and the filter size of the first to fourth convolution layers may be the same or may be set differently.

When the structure of the detection model is to classify the input data based on the features extracted from the shallow and deep neural networks as described above, more accurate results can be obtained compared to the discrimination results according to the convolutional neural network of the general structure. have. That is, the feature extraction from the input data was separately performed through two convolutional neural networks, and then more accurate defects were determined according to the result of fusion in the fusion layer.

According to one disclosure, prior to step S50, the step of receiving the ship's operation information from the ship's control device (S10), the step of one-way transmission to the first security module to transmit the ship's operation information to the management server (S11). ), the first security module generates first information based on the identification information of the ship, includes the first information in the IN area of the transaction, and the operation information of the ship is out of the transaction. ) Firstly encrypting the ship's operation information through a block chain by creating a primary block by including it in the domain (S20), using a first random number for the first encrypted ship's operation information 2nd encryption is performed by generating second information, including the second information in the in area of the transaction, and generating a secondary block by including the first information in the out area of the transaction, and then performing the second encryption. Transmitting the encrypted operation information of the vessel to the management server (S22), receiving, from the management server, remote condition diagnosis information for diagnosing the condition of a plurality of vessels (S24) (The remote condition diagnosis information, Generate third information using a second random number value for the second information, and generate a third block including the third information in the in area of the transaction and the remote condition diagnosis information in the out area of the transaction. It is encrypted), obtaining a third block corresponding to the second information by searching the block chain based on the identification information of the ship included in the second information (S26), the first in the second security module The step of obtaining the remote condition diagnosis information from the third block by decoding the third block using a random number value and a second random number value (S28), and the obtained remote condition diagnosis information only through a second security module. The step of transmitting to the control device of the ship (S30) by means of one-way communication and the step of controlling the ship (S33) based on the remote condition diagnosis information in the control device of the ship may be performed first.

Steps S10-S33 described above by one start may be performed by a security device (not shown), and the security device may be included in the ship maintenance support network system.

The security device according to one disclosure may perform an encryption/decryption function using a block chain to improve security. In other words, it can be operated based on a block chain in order to understand the operation status of the ship and transmit it to the management server. In addition, the security device can enhance the security of data by encrypting/decrypting received data or transmitted data using a block chain, and prevents the risk of forgery and tampering of the system by performing data transmission through the block chain. can do.

In step S10 due to the start of the day, the security device includes the operation status diagnosis information and maintenance status diagnosis information diagnosed in real time during the operation of the ship from the control device of the ship, and the preventive inspection information and parts life cycle information diagnosed periodically. You can receive driving information. By the start of the day, the operation information of the ship includes operation operation information including speed, temperature, pressure, and motor rotation speed acquired in real time while the ship is running, standard operation information of each equipment included in the ship, and process information. It may include periodic diagnosis information determined periodically, equipment operation information determining a physical failure of the equipment, parts life information determining the life cycle of parts included in each equipment, and surrounding environment information acquired based on the location of the ship. In addition, the ship's operation information is characterized in that it is transmitted only to the first security module using a one-way network.

In step S11 according to the one initiation, the security device may provide a step of one-way transmission to the first security module in order to transmit the ship's operation information to the management server outside the ship.

By the beginning, the security module is a module responsible for receiving and transmitting data, and the first security module can communicate with the ship's database, and the first security module can only receive data received from the ship, and the ship Data cannot be transferred. That is, by receiving data in only one direction, it is possible to prevent a third party (Ex. hacker) from accessing the ship's data through the first security module.

By initiation, the security device may generate log information of the ship's operation information by recording the time when the ship's operation information was received by the first security module and the time transmitted from the first security module.

In step S20 according to the start of the day, the security device generates first information based on the identification information of the ship in the first security module, includes the first information in the IN area of the transaction, and stores the operation information of the ship. By creating a primary block by including it in the OUT area of the transaction, it is possible to provide a step of first encrypting the ship's operation information through a block chain. Blockchain, widely known through bitcoin, etc., stores information by connecting it in blocks. A brief look at each block includes a header and a transaction, and a transaction includes a transaction identifier, an IN area, and an out area. Since the data structure of the blockchain is a known configuration, detailed descriptions thereof will be omitted. The security device stores and manages at least one of personal information consent, authentication code, and access token in the blockchain in order to perform authentication of at least one terminal, device, and server according to standard protocols such as Oauth. The security device stores the pair of information (e.g., ship ID) and data in the IN area and OUT area of the block of the blockchain. The security device generates information in various forms so that information such as a user authentication code and an access code required for access to the management server can be easily stored, managed, and retrieved.

First, the security device generates first information based on the identification information of the ship. The security device may generate a hash value calculated by using the identification information of the ship as an input of the hash function as the first information. The security device stores the first information in the IN area of the block, and stores operation information such as temperature, speed, and internal pressure of the ship in the OUT area of the same block.

The security device generates second information based on the first random number value. The security device may generate the first random number value as second information as it is, or may generate a hash value for the first random number value as second information. The second information is used as an authentication code issued to an authentication application in the process of authentication through the blockchain. The security device stores the second information in the IN area of the block and the first information in the OUT area of the same block. Therefore, the security device can easily check which ship the authentication code is for and at which time it was issued by searching the blockchain using the authentication code as the kit value.

The security device generates third information based on the second random number value. The security device may generate the second random number value as third information as it is, or may generate a hash value for the second random number value as third information. The third information is used as an access token in the process of authentication. The security device stores third information in the IN area of the block, and stores drug prescription information and user identification information in the OUT area of the same block. Therefore, like the authentication code, the security device can easily check whether the access token for the customer of a specific company has been effectively issued by searching the blockchain for the access token as a kit value.

In addition to this, the security device can generate the fourth information based on the identification information of other ships and other external servers using the block chain and store it in the block of the block chain together with the affiliate identification information.

The authentication code or access token may have an expiration date. The security device can determine whether the authentication code or the access token has passed a preset validity period based on the generation time of the block in which the authentication code or access token is stored. When receiving an authentication code or an access token whose validity period has elapsed from a user terminal or the like, the security device may inform that the authentication code or the access token is not valid to inform the user to perform the login authentication process again.

By initiation, the security device generates first information based on the identification information of the ship for automatic authentication of at least one ship, includes the first information in the IN area of the transaction, and includes the ship's operation information. Blocks containing in the transaction's OUT area can be stored in the blockchain.

In step S22 by the start of the day, the security device generates second information using a first random number for the first encrypted ship's operation information, includes the second information in the phosphor area of the transaction, and includes the first information. The second encryption is performed by generating a second block by including in the out area of the transaction, and then transmitting the operation information of the ship processed by the second encryption to the management server through a public network.

That is, the security device can prevent the ship's state data from leaking to the outside by encrypting the ship's state data twice. In addition, by performing encryption using a random number value, even if data is leaked, it is possible to prevent decryption of encrypted information easily.

According to one start, the random number value may be a random value RA using a predetermined time. Here, the random time refers to the XOR value of the current time (Tc) at which the random value is generated and the input time (Tp) when the private key is entered into the ship's communication terminal, and the random value is a random time value. It means a random number value obtained by a general random number generator, as shown in [Equation 3] below.

[Equation 3]

Tc))RE = F(Random(Tp

Tc))

In step S24 according to the start of the day, the security device uses the artificial intelligence learning model generated by learning big data related to the state of a plurality of ships from the management server to the public network. It is possible to provide a step of receiving through.

According to one disclosure, the management server may provide a step of acquiring a decryption key from the database for decrypting the operation information of the ship subjected to the secondary encryption using the identification information of the ship. In addition, according to one disclosure, the management server may provide a step of decrypting the operation information of the ship subjected to the secondary encryption process by using the encryption key.

By the start of the day, the encryption key is a random value generated by reflecting the second encryption time, and the management server can generate the encryption key by obtaining the time at which the second encryption process has been performed in the security device, and use this to generate the second encryption. The processed ship's operation information can be decoded and data can be obtained.

By the start of the day, the management server transmits the time information when the operation information of the ship was generated, the time information processed by the first encryption and the operation information of the ship to the first security module from the operation information of the ship processed by the second encryption process. A step of acquiring transmission log information including information may be provided.

In addition, the management server may provide a step of determining that the transmission log information is hacking information when the transmission log information is different from the reference information determined by the first security module.

In addition, when it is determined that the management server is hacking information, it is possible to increase security by discarding the operation information of the ship that has been subjected to the secondary encryption process without decrypting.

Here, the remote condition diagnosis information is 3 that generates third information using a second random number value for the second information, and includes the third information in the in area of the transaction and the remote status diagnosis information in the out area of the transaction. It may be encrypted by creating a tea block.

In step S26 according to an initiation, the security device may provide a step of acquiring a third block corresponding to the second information by searching the block chain based on the identification information of the ship included in the second information.

That is, the security device goes through a process of obtaining a third block corresponding to the second information in order to receive a result value for the transmitted data. At this time, the security device may determine the reliability of data in order to prevent intrusion from hackers.

In step S28 according to the start of the day, the security device may provide a step of obtaining remote condition diagnosis information from the third block by decrypting the third block using the first random number value and the second random number value in the second security module. have.

At the start of the day, the first random number value may be a random value generated using the current time Tc at the time when the random value is started to be generated and the time Tp at the time when the ship's operation information is received by the first security module. , The second random number value may be a random value generated using the current time Tc at the time when the random value starts to be generated and the time Tp at which the management server receives remote condition diagnosis information from the ship.

According to the start of the day, the security device stores the time information and the second encryption-processed ship operation information from the remote condition diagnosis information obtained from the ship's second security module, and the second encryption-processed ship's operation information in the management server. It is possible to provide a step of acquiring reception log information including information about a time taken for decoding.

When the reception log information is different from the reference log information determined by the first security module, the security device may provide a step of determining the remote condition diagnosis information as hacking information.

By initiation, the security device may block remote condition diagnosis information determined as hacking information. In other words, it is possible to block unclear data from outside.

In step S30 according to one initiation, the security device may provide a step of transmitting the obtained remote condition diagnosis information to the control device of the ship by unidirectional communication only through the second security module.

According to one initiation, the second security module may prevent leakage of control information included in the remote condition diagnosis information by performing one-way communication that transmits data only to the ship.

In step S33 according to an initiation, the security device may provide a step of controlling the ship based on the remote condition diagnosis information in the control device of the ship. That is, the remote condition diagnosis information includes information capable of controlling the ship, so that the external server can control the internal devices of the ship while maintaining security.

By one disclosure, the ship of the present invention may be remotely controlled and managed through a security device, and to perform this, a control signal may be received from the management server. The management server may provide a step of acquiring data on the state of a plurality of ships and analyzing the acquired data using a communication protocol for each ICS. The management server may provide a step of classifying and grouping data into analog information, discrete information, and time-series information. The management server may provide a step of extracting and storing data according to a data extraction period and a data transmission period. The management server may provide a step of determining the index field, storage field, data exchange method, transmission error data application, etc. of the stored data, and converting the data structure into big data. The management server may provide a step of generating an artificial intelligence learning model that diagnoses and analyzes the condition from the condition data of the vessel using big data. The management server diagnoses ship operation information using an artificial intelligence learning model, equipment life information according to the condition of the ship, equipment replacement information, equipment operating environment information, equipment failure prediction information, equipment inventory management information, and equipment remote control information. It is possible to increase the security of data communication of a ship using a public network, including the step of generating remote condition diagnosis information including a. The management server can determine the ship's operation information and generate control information using an artificial intelligence (AI) system that simulates functions such as recognition and judgment of the human brain using machine learning algorithms such as deep learning. Machine learning is an algorithm technology that classifies/learns the features of input data by itself, and element technology is a technology that simulates functions such as cognition and judgment of the human brain using machine learning algorithms such as deep learning. It consists of technical fields such as understanding, reasoning/prediction, knowledge expression, and motion control. The management server can perform multidimensional analysis, integrated indexing, and integrated search through the big data system, and can operate the integrated data storage through the tasks of monitoring learned data and creating and managing big data. In addition, by operating an engine that predicts the failure of the ship using big data, it is possible to generate a control signal that predicts the failure of the ship and prevents the failure in advance. As a result, the management server can monitor the ship in an integrated manner by managing the user/operator management page, failure prediction results, failure prevention system, remote monitoring, overall plant status and individual plant status.

Referring to FIG. 4, in the network security method using the ship maintenance support network system according to an embodiment of the present invention, the step of performing the authentication process includes an AP authentication request message for an AP intruded by a first AP. Transmitting, determining whether the AP identification information extracted from the response message to the request message from the intruding AP is included in the pre-stored authorized AP list, and the remaining APs in the plurality of APs by the first AP And transmitting an AP authentication result, and the first AP may be previously interlocked with an AP detection sensor that has detected a wireless intrusion of an AP that has invaded into the ship maintenance network among the plurality of APs.

Unlike the mutual authentication between APs for establishing the ship maintenance network described above, the authentication process described below may be performed for any AP that has invaded the ship maintenance network.

In more detail, the first AP is an AP that is previously linked with an AP detection sensor that detected an AP intruding into the ship maintenance network among a plurality of APs in the ship maintenance network (already when the ship maintenance network was established), and the first AP From, the detection result of the AP detection sensor may be transmitted to the remaining APs constituting the ship maintenance network. For example, among a plurality of AP detection sensors (Ex. a first sensor, a second sensor, a third sensor, etc.), a second sensor and a plurality of APs (Ex. a first AP, a second AP, a third AP, etc.) ), if the second AP has already been linked during the ship maintenance network establishment and the second sensor detects wireless intrusion, the second AP linked with the second sensor may be the first AP.

In other words, through the above process, the authentication relationship between the plurality of APs of the ship maintenance network is maintained firmly by transmitting the AP authentication result for the AP invading from the outside to the remaining APs in the ship maintenance network from the first AP. Therefore, security can be strengthened.

The AP identification information may include an identification code, device code, address information, etc. that are uniquely assigned to each AP.

In addition, the remaining APs among the plurality of APs in the ship maintenance network received about the result of the authentication process with the intruding AP by the first AP according to the above process transmits an unauthorized message to the intruding AP, and the unauthorized When a response from the intrusive AP occurs to a message, the identification data of the intrusive AP may be extracted from the response and the identification data may be added to the unauthorized AP list. In other words, not only the authentication procedure by the first AP, but also a list of unauthorized APs by the remaining APs among the plurality of APs in the ship maintenance network is created, so that a ship maintenance network with enhanced security can be established.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the second security data is transmitted from the ship maintenance factory to the management server using a second one-way transmission module included in the ship maintenance support network system. The second security data may be discrimination information on an unauthorized AP according to an authentication process in the ship maintenance network.

That is, when the AP authentication result by the first AP as described above is determined to be an unauthorized AP (when the AP identification information for the intruding AP from the authorized AP list could not be matched), even among a plurality of APs in the ship maintenance network Although the AP authentication result may be transmitted, the management server 300 cannot receive the result, and the wireless intrusion result may be information that must be protected for security. It may be transmitted from the ship maintenance factory 100 to the management server 300.

That is, the unauthorized AP according to the authentication result for the AP intruding into the ship maintenance network using the second one-way transmission module capable of physically transmitting data in one direction from the ship maintenance factory 100 to the management server 300 as described above. By transmitting the identification information to the management server 300, security can be enhanced.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, as a security card is inserted and mounted in a mobile device, input with a virtual keyboard capable of operating in a security mode and a virtual keyboard operating in a security mode An encoding unit for generating encrypted data according to a predetermined encryption algorithm in which encryption is performed based on the key information received from the management server for the input data is included, and the key information is included in the tag information of the security card and the mobile device in the management server. It may be generated based on the identification information.

The mobile device 400 may be a mobile terminal such as a mobile phone, a smart phone, a laptop computer, a personal digital assistant (PDA), a portable multimedia player (PMP), a tablet PC, etc. have.

According to one disclosure, the virtual keyboard may be operated in a security mode by a control unit as described later, but when not operated in the security mode, it may be used through the mobile device 400 as a general virtual keyboard. When the virtual keyboard is operated in the secure mode, encryption in the encoding unit as well as decryption in the decoding unit may be performed. In other words, when the virtual keyboard is not operated in the secure mode, encryption/decryption cannot be performed in the encoding unit and the decoding unit, respectively. That is, the mobile device 400 may further include a control unit for controlling the virtual keyboard to operate in a security mode according to a result of matching the tag information of the security card with pre-stored reference information.

According to one disclosure, the controller may control the overall operation of the mobile device 400. In particular, the control unit controls the operation of the virtual keyboard in the security mode. When the security card is inserted into the mobile device 400, the tag information of the security card is stored in the data storage unit (not shown) of the mobile device 400. The virtual keyboard may be operated in a security mode according to a result of matching with reference information stored in advance. The data storage unit may be a database management system (DBMS) for interworking with a database and accessing data in the database.

According to one disclosure, the security card may be inserted and mounted in the mobile device 400 as described above. That is, the security card may be inserted into the mobile device 400 and mounted, and only when the security card is inserted into the mobile device 400 and mounting is completed, an environment for operating in the security mode may be provided. In addition, unique tag information may be generated in advance in the security card and input or stored in the security card. That is, the tag information of the security card is unique information individually assigned to each security card, and may be information for distinguishing it from other security cards.

According to one disclosure, reference information on a security card that can be attached and connected to the mobile device 400 may be previously stored in the data storage unit. That is, the control unit determines whether the reference information stored in the data storage unit and the tag information of the security card obtained as the security card is mounted on the mobile device 400 are matched, and whether the virtual keyboard can be operated in the security mode according to the determination result. Whether or not can be determined. That is, when the reference information and the tag information are matched, the virtual keyboard can be operated in a security mode, and when the match is not made, the virtual keyboard is operated in the security mode even if the security card is mounted on the mobile device 400. Can't. The reference information stored in the data storage unit may be information on security cards that can be individually connected to each mobile device 400. That is, just as the tag information of the security card is unique information individually given to each security card, the reference information is mounted on the mobile device 400 for each mobile device 400 so that the virtual keyboard is operated in a security mode. The security card that can be connected to the device 400 may be determined differently.

According to one disclosure, when the controller controls the virtual keyboard to operate in the security mode according to the above process, input data input by the user to the virtual keyboard operated in the security mode may be encrypted. That is, the encoding unit may generate encrypted data as a result of encrypting input data inputted by a user through a virtual keyboard operated in a secure mode according to a predetermined encryption algorithm. Various encryption algorithms may be used for the encryption algorithm, and are not limited to a specific encryption algorithm. Any encryption algorithm can be applied as long as it uses the key information used in encryption of the encryption algorithm. However, in the case of encryption using the symmetric encryption method AES algorithm (Advanced Encryption Standard Algorithm), security can be secured the most. In particular, key information used in the encryption algorithm may be generated from the management server 300 and transmitted to the mobile device 400. The key information refers to an encryption key having a predetermined number of bits used in an encryption algorithm. When the above-described AES algorithm is used, the key information may be an encryption key having a length (size) of 128 bits.

In addition, according to one disclosure, the key information may be generated by the management server 300 based on the tag information of the security card and the identification information of the mobile device 400. That is, the management server 300 can generate key information, which is an encryption key having a predetermined length, using the tag information of the security card and the identification information of the mobile device 400, and is generated by the management server 300 as described above. The key information may be transmitted to the mobile device 400 and used for encryption and decryption in the encoding unit and the decoding unit, respectively. The identification information of the mobile device 400 may be provided individually for each mobile device 400 and may be unique information for distinguishing it from other mobile devices 400. That is, the management server 300 generates key information used for encryption/decryption in the mobile device 400 based on both tag information, which is the unique information of the security card, and the identification information, which is the unique information of the mobile device 400. Can be. In other words, the key information may be generated as information unique to the security card and the mobile device 400 matching the security card.

According to one disclosure, in the mobile device 400, a decoding unit for decrypting the input data using an encryption algorithm based on the key information may be further included for the encrypted data input by the user to the virtual keyboard operated in the secure mode. have. That is, the encrypted data encrypted by the encoding unit may be decrypted through the decoding unit and the input data may be extracted. Preferably, the decoding unit may perform decryption using an encryption algorithm as described above in a state that a predetermined decryption condition is satisfied. That is, unlike encryption, in the case of decryption, the decoding unit can proceed with decryption only when additional decryption conditions are satisfied. In the predetermined decryption condition, when a user inputs encrypted data using a virtual keyboard operated in a secure mode (Condition 1), the user copies and pastes the encrypted data through the mobile device 400. ) May correspond to the case (Condition 2) and the case where the user inputs an image capturing the screen on which the encrypted data is displayed using the mobile device 400 (Condition 3). In addition, the user may set the decryption condition to a specific condition (Ex. condition 2) among the conditions 1 to 3 above. For example, since the decoding unit can proceed only when the above condition 2 is satisfied as a decoding condition preset by the user, even if the user inputs the encrypted data to be decrypted using a virtual keyboard (Condition 1), the decoding unit Decryption cannot be performed at. The same is true even if an image on which encrypted data is displayed is input to satisfy condition 3. Contrary to this, if the decoding unit sets that decoding can proceed only when the user satisfies condition 3 as the decoding condition, the decoding unit does not proceed even if the user copies and pastes the encrypted data. Does not.

As described above, by enabling encryption and decryption on the virtual keyboard applied to the mobile device 400, security may be enhanced in the operation of the ship maintenance support network system of the present invention.

In addition, the mobile device 400 may perform obfuscation on predetermined data to be transmitted to the management server 300 or the control server 200. Various types of obfuscation algorithms may be applied to the obfuscation. In addition, the mobile device 400 may include a forgery module to prevent forgery or alteration of the application and to prevent illegal use of the application by using hacking or the like.

In the network security method using the ship maintenance support network system according to an embodiment of the present invention, the facility information includes regular inspection results for ship facilities, a moving route of ship facilities, maintenance history for ship facilities, and status information of ship facilities. Is included, and in the management server, a random key corresponding to the security information to be encrypted is generated from the equipment information by the mobile device, and encrypted data is generated by encoding the security information to be encrypted using the random key, The mobile device can transmit the encrypted data and the encrypted random key to the control server based on the encryption random key according to encryption for the random key using the public key that corresponds to the control server's private key and received in advance from the control server.

That is, it is possible to strengthen security through the encryption of the equipment information as described above.

In more detail, the equipment information includes the results of regular inspections on ship equipment, the movement path of the ship equipment, maintenance history for the ship equipment, and status information of the ship equipment. The security information to be encrypted by the mobile device 400 is It can be selected from the equipment information. A random key corresponding to each security information may be generated only for the security information selected by the mobile device 400. That is, by generating an individual random key for each of the selected security information can be individually encrypted.

In addition, according to one disclosure, the mobile device 400 may select the security information and set the number of times of decryption for encrypted data. The number of times of decryption indicates the number of times that encryption data can be decrypted using a random key. In the present invention, security is enhanced by limiting the number of times that security information can be decrypted.

According to one disclosure, the number of decoding times may be derived from an analysis model previously generated in the management server 300. The number of decoding can be derived from the analysis model generated in advance according to the result learned based on the deep learning algorithm, and in the analysis model, from the output of the first CNN and the first CNN to determine the security level from the specific contents of the security information. A second CNN for deriving the number of decoding times from the identification information of the mobile device 400 based on the security level determined by the first CNN after being connected may be included. That is, the analysis model may be configured in a form in which the first CNN and the second CNN are combined. In the second CNN, the number of decryption may be derived based on identification information of the mobile device 400 (eg, identification code for identification, user experience, security level preset for the user, etc.). In other words, by determining the security level from the contents of the security information in the first CNN and determining the security level of the user in the second CNN, the number of decryption times indicating the number of times that can be decrypted may be determined.

The above description of the present invention is for illustrative purposes only, and those of ordinary skill in the art to which the present invention pertains will be able to understand that other specific forms can be easily modified without changing the technical spirit or essential features of the present invention. will be. Therefore, it should be understood that the embodiments described above are illustrative in all respects and are not limiting. For example, each component described as a single type may be implemented in a distributed manner, and similarly, components described as being distributed may also be implemented in a combined form.

Although the preferred embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements by those skilled in the art using the basic concept of the present invention defined in the following claims are also present. It belongs to the scope of rights of That is, the scope of the present invention is indicated by the claims to be described later rather than the detailed description, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be interpreted as being included in the scope of the present invention. do.

10: Security system for smart factory monitoring and management system
100: ship maintenance factory
200: control server
300: management server
400: mobile device

Claims (7)

In the network security method using a ship maintenance support network system including a ship maintenance plant, a control server and a management server,
A step in which ship equipment is stocked in a ship maintenance factory equipped with a ship maintenance network equipped with a plurality of APs and maintained using one or more maintenance devices provided in the ship maintenance factory;
Receiving facility information on the ship facility through a mobile device at the control server and monitoring a maintenance process for the ship facility; And
In the management server, comprising the step of collecting and analyzing the wireless intrusion detection result to the ship maintenance network using a plurality of AP detection sensors provided in the ship maintenance factory,
The step of collecting and analyzing the wireless intrusion detection result further includes performing an authentication process by at least one of the plurality of APs when a random AP intrudes into the ship maintenance network,
The ship maintenance network is formed by completing mutual authentication between the plurality of APs in advance,
The step of performing the authentication process,
Transmitting an AP authentication request message to the invading AP by a first AP;
Determining whether or not the AP identification information extracted from the response message to the request message from the invading AP is included in a pre-stored authorized AP list; And
And transmitting the AP authentication result to the remaining APs in the plurality of APs by the first AP,
The first AP is previously interlocked with an AP detection sensor that has detected a wireless intrusion of the invading AP into the ship maintenance network among the plurality of APs,
Further comprising the step of transmitting second security data from the ship maintenance factory to the management server using a second one-way transmission module included in the ship maintenance support network system,
The second security data is discrimination information on an unauthorized AP according to the authentication process in the ship maintenance network,
Characterized in that all authentication procedures based on an authentication constant are completed between the management server and the plurality of APs,
The authentication constant is generated by Equation 1 below,

---Equation 1
Where p is a prime number that satisfies the discrete log problem, q is a prime that can divide p-1,

Is a generator, s is private information, t is public information, z0,z1 are random numbers

,

,

,

Is the authentication constant,
The plurality of APs is an authentication request message generated from the management server (

) Can be received, and when the reliability of the authentication request message is verified, authentication between the management server and the plurality of APs that have been verified is completed,
In order to verify the reliability of the authentication request message, the authentication constant and the authentication request message are substituted into Equation 2 below, and a process of verifying the reliability of the authentication request message is performed,

---Equation 2
Network security method using ship maintenance support network system. The method of claim 1,
Transmitting first security data from the ship maintenance factory to the control server using a first one-way transmission module included in the ship maintenance support network system,
The first security data is information on defects of ship equipment detected by a maintenance device provided in the ship maintenance factory,
Network security method using ship maintenance support network system. The method of claim 2,
Detecting operation data and maintenance data of the ship equipment using a detection sensor provided in the maintenance device; And
Further comprising the step of determining the defect information of the ship equipment by using the detection model,
The detection model is generated according to a result of learning based on a deep learning algorithm for the motion data and maintenance data,
Network security method using ship maintenance support network system. delete delete The method of claim 1,
A virtual keyboard capable of operating in a security mode when a security card is inserted and mounted in the mobile device; And an encoding unit for generating encrypted data according to a predetermined encryption algorithm in which encryption is performed based on key information received from the management server with respect to the input data input by the virtual keyboard operated in the security mode,
The key information is generated based on the tag information of the security card and the identification information of the mobile device in the management server,
Network security method using ship maintenance support network system. The method of claim 1,
The facility information includes a result of a regular inspection on the ship facility, a moving path of the ship facility, a maintenance history for the ship facility, and status information of the ship facility,
In the management server, a random key corresponding to the security information to be encrypted is generated from the facility information by the mobile device, and encrypted data is generated by encoding the security information to be encrypted using the random key. ,
The encrypted data and the encryption random key from the mobile device to the control server based on an encryption random key corresponding to encryption for the random key using a public key previously received from the control server and corresponding to the private key of the control server. To transmit,
Network security method using ship maintenance support network system.

Images