KR102297290B1 - Method and Apparatus for Analyzing the Quantization of Network Traffic - Google Patents

Abstract

The present disclosure relates to a device and method for analyzing network traffic. According to an embodiment of the present disclosure, a network traffic analysis device includes: a transceiver for transmitting and receiving a signal; and a processor which controls the transceiver. The processor classifies and segments collected network traffic based on each network packet header information, extracts a continuous common part for arbitrary n bytes of the segmented network traffic, and based on the continuous common part, quantization may be performed, but the quantized network traffic may be structured. The present invention evaluates the similarity of network traffic and provides a visualized traffic analysis result.

Description

Apparatus and method for quantization analysis of network traffic {Method and Apparatus for Analyzing the Quantization of Network Traffic}

The present disclosure relates to an apparatus and method for quantization analysis of network traffic, and to an apparatus and method for classifying, segmenting, and quantizing network traffic for network traffic identification and similarity evaluation.

With the dazzling development of mobile technology and the emergence of a newly transformed platform service, the ICT (Information & Communications Technology) environment is rapidly developing. ICT technology is used in health care, medical care, welfare, energy, manufacturing, finance, education, national defense, agriculture, forestry, livestock, fisheries, automobile, transportation, aviation, space, shipbuilding, tourism, sports, retail, logistics, construction, It is applied to industrial areas including facility management, safety management, and environmental management, as well as daily areas including smart home and connected car. is raising

In particular, health care, major national infrastructure (power, gas, transportation, etc.) and manufacturing industries are also rapidly transitioning to a smart environment in which information and communication technology (ICT) and operational technology (OT, Operational Technology) converge. Information and communication technologies include the Internet of Things (IoT), Supervisory Control And Data Acquisition (SCADA), Programmable Logic Controller (PLC), and Distributed Control System (DCS). System) and other operating technologies are being fused to develop an environment that enables remote control and monitoring with digitalized equipment in various fields.

Meanwhile, the operating equipment may be in charge of analyzing network traffic in order to manage the asset and the operating state of the operating target through operational update and maintenance management.

The conventional network traffic analysis technology is characterized by in-depth analysis of header information and payload data of a packet based on prior information on standard protocols used in each field, but traffic analysis applied to one field The technology has a problem that it cannot be applied to other fields, and there is a limit to visualizing the analysis results.

In addition, as the operating equipment is mixed with two-way and/or unidirectional communication devices, and various standard and/or non-standard dedicated protocols are used, it may be difficult to analyze network traffic of the operating equipment. When network traffic analysis becomes difficult, it can be vulnerable to update or patch failure of operational equipment, which is critical for availability, malware infection, and hacking attacks, which can lead to security incidents directly related to people's lives or national security.

Accordingly, it can be applied to various fields such as medical hospitals, national important infrastructures, and manufacturing facilities, and can identify devices connected to the network and secure visibility in the convergence environment of information and communication technology (ICT) and operation technology (OT). There is a need for an approach-type network traffic analysis method.

In order to solve the problems of the prior art, an object of the present disclosure is to provide a network traffic quantization analysis apparatus and method that can provide a visualized analysis result.

In addition, an object of the present disclosure is to provide an apparatus and method for analyzing network traffic quantization applicable to various convergence fields such as the Internet of Things and industrial control networks.

Another object of the present disclosure is to provide an apparatus and method for analyzing network traffic quantization capable of identifying network traffic even without prior information on standard and/or non-standard protocols of network communication.

Other objects and advantages of the present disclosure may be understood by the following description, and will become more clearly understood by the examples of the present disclosure. Moreover, it will be readily apparent that the objects and advantages of the present disclosure may be realized by the means and combinations thereof indicated in the claims.

According to an embodiment of the present disclosure, an apparatus for analyzing network traffic includes a transceiver for transmitting and receiving a signal and a processor for controlling the transceiver, wherein the processor classifies the collected network traffic based on each network packet header information. Segmentation, extracting a continuous common part for the segmented network traffic payload, and performing quantization based on the continuous common part, the quantized network traffic may be structured.

Meanwhile, the quantization may include mapping the periodic table to atomic symbols using the quantization table.

Meanwhile, the structured network traffic may have a molecular structure structured based on quantized atoms.

Meanwhile, the network packet header information may include source IP, destination IP, source port, destination port, and protocol information of the network packet.

Meanwhile, when the protocol information of the network packet header information is a UDP protocol, the network packet header information may further include a communication direction of a network packet and packet transmission interval information.

Meanwhile, when the protocol information of the network packet header information is a TCP protocol, the network packet header information may further include PSH flag information and ACK flag information.

Meanwhile, the continuous common portion may be a portion having the same location and the same size in the segmented network traffic.

Meanwhile, the processor may generate attribute information of the structured network traffic, wherein the attribute information of the network traffic may include property information of atoms and molecules of a quantized structural formula for a segmentation unit of the network traffic.

Meanwhile, the characteristic information may include chemical formulas, isotopes, and orbital information of the atoms and molecules.

Meanwhile, the processor may perform a similarity comparison between the structured network traffic pre-stored in the database and the particle structure of the structured network traffic.

Meanwhile, if it is determined that the particle structures are similar, the processor may compare the orbital similarity of each particle included in the structured network traffic.

On the other hand, the continuous common part is extracted by an n-byte filter based on the payload of the network traffic converted into hexadecimal number, the n-byte filter is repeatedly applied, n is preferentially 8, 6, 4 is selected in order, and optionally 7, 5, 3 may be selected in order.

Meanwhile, the structured network traffic may be marked based on the SMILES notation rule.

According to an embodiment of the present disclosure, a network traffic analysis method performed by a network traffic analysis apparatus includes the steps of classifying and segmenting collected network traffic based on each network packet header information; It may include extracting a contiguous common part for arbitrary n bytes, performing quantization based on the contiguous common part, and structuring the quantized network traffic.

According to an embodiment of the present disclosure, a network traffic analysis system includes a network traffic collection device that collects network traffic, classifies the collected network traffic based on each network packet header information to segment it, and the segmented network Network traffic analysis that extracts a continuous common part for any n bytes of traffic, performs quantization based on the continuous common part, and structuralizes the quantized network traffic to derive an analysis result of the collected network traffic and an apparatus and a network traffic evaluation device for comparing a similarity between a structural formula of the network traffic and a structural formula pre-stored in a database based on an analysis result of the device and the network traffic.

According to the present disclosure, a network traffic analysis apparatus and method for evaluating similarity of network traffic and providing a visualized traffic analysis result can be expected.

Also, according to the present disclosure, network traffic can be identified even if there is no prior information on standard and/or non-standard protocols of network communication.

In addition, according to the present disclosure, network traffic in various convergence fields such as the Internet of Things and industrial control networks can be analyzed.

In addition, according to the present disclosure, visibility can be secured by analyzing network traffic to identify a device connected to the network.

In addition, according to the present disclosure, it is possible to analyze network traffic, quantize it into atoms and molecules to form a structural formula, and share it by converting it into various particle structure notation methods.

Effects that can be obtained in the embodiments of the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned are the technical fields to which the technical configuration of the present disclosure is applied from the description of the embodiments of the present disclosure below. It can be clearly derived and understood by those of ordinary skill in the art. That is, unintended effects of implementing the configuration described in the present disclosure may also be derived by those of ordinary skill in the art from the embodiments of the present disclosure.

1 is a diagram for explaining a network analysis apparatus according to an embodiment of the present disclosure.
2 is a diagram for explaining a network analysis method according to an embodiment of the present disclosure.
3A and 3B are diagrams for explaining a segmentation process of network traffic according to an embodiment of the present disclosure.
4A and 4B are diagrams for explaining a continuous common part extraction process of network traffic according to an embodiment of the present disclosure.
5 is a diagram for explaining a quantization table for network traffic analysis according to an embodiment of the present disclosure.
6 is a diagram for explaining a particle structure of segmentation traffic and a process of generating attribute information according to an embodiment of the present disclosure.
7 is a diagram for explaining a process of formulating a segmentation traffic unit according to an embodiment of the present disclosure.
8 is a diagram for explaining an evaluation process of a network traffic analysis result according to an embodiment of the present disclosure.
9A and 9B are diagrams for explaining a result of a simulation display of segmentation traffic particle information according to an embodiment of the present disclosure;
10 is a diagram for explaining a network analysis apparatus according to another embodiment of the present disclosure.
11 is a diagram for explaining a network analysis method according to another embodiment of the present disclosure.
12 is a diagram for explaining a network traffic analysis system according to an embodiment of the present disclosure.

Hereinafter, embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art to which the present disclosure pertains can easily implement them. However, the present disclosure may be implemented in several different forms and is not limited to the embodiments described herein.

In describing an embodiment of the present disclosure, if it is determined that a detailed description of a well-known configuration or function may obscure the gist of the present disclosure, a detailed description thereof will be omitted. And, in the drawings, parts not related to the description of the present disclosure are omitted, and similar reference numerals are attached to similar parts.

In the present disclosure, components that are distinguished from each other are for clearly explaining each characteristic, and do not necessarily mean that the components are separated. That is, a plurality of components may be integrated to form one hardware or software unit, or one component may be distributed to form a plurality of hardware or software units. Accordingly, even if not specifically mentioned, such integrated or distributed embodiments are also included in the scope of the present disclosure.

In the present disclosure, components described in various embodiments do not necessarily mean essential components, and some may be optional components. Accordingly, an embodiment composed of a subset of components described in an embodiment is also included in the scope of the present disclosure. In addition, embodiments including other components in addition to components described in various embodiments are also included in the scope of the present disclosure.

Meanwhile, in describing the present disclosure, segmented traffic may be mixed with segmented network traffic.

Meanwhile, in describing the present disclosure, a continuous common part pattern may be used interchangeably with a continuous common part, a repeating part, a repeating pattern, and a continuous common pattern.

Meanwhile, in describing the present disclosure, descriptions with reference to one drawing may be applied to other drawings and descriptions of other drawings as long as they are not arranged with the descriptions of other drawings and other drawings.

Meanwhile, in describing the present disclosure, quantized particle structure information may be included in, or mixed with, quantized particle information, attribute information, and characteristic information.

Meanwhile, in describing the present disclosure, the network traffic analysis apparatus and the network traffic quantization analysis apparatus may be mixed, the network traffic analysis system may be mixed with the network traffic quantization analysis system, and the network traffic analysis method may be mixed with the network traffic quantization analysis method. can

The present disclosure relates to a technology for analyzing network traffic, and more specifically, segmenting network traffic collected in various convergence environment fields, such as medical IoT and industrial control networks, into segmentation traffic, and generating quantized particle structure and attribute information It is about technologies that can identify and visualize unrelated network traffic or similarities.

Hereinafter, the present disclosure will be described in detail with reference to the drawings.

1 is a diagram for explaining an apparatus for analyzing network traffic according to an embodiment of the present disclosure. As an embodiment, the network traffic analysis apparatus 100 includes a network traffic feature engineering unit 110 , a segmentation traffic quantization particle generation unit 120 , a network traffic particle information display unit 130 , a network traffic evaluation unit 140 , and a network It may include a traffic particle information storage unit 150 .

As an embodiment, the network traffic feature engineering unit 110 may classify and sessionize all traffic collected on the network based on network packet header information. For example, the session may be performed by classifying it based on a tuple of network packet header information. A tuple of network packet header information may be source and destination ports, source and destination IP addresses, and protocol information used, and may be referred to as a 5-tuple, but limited thereto. it's not going to be Meanwhile, each classified traffic bundle may be classified as segmentation traffic on the basis of segmentation. An embodiment of the segmentation process of network traffic will be described in more detail with reference to FIGS. 3A and 3B . In this case, when the network traffic is segmented, other information of the network packet header information may be further used according to the protocol information of the packet, which will be described in more detail with reference to other drawings below.

In this case, a continuous common subpattern (CCS) may be extracted from the classified segmentation traffic. Here, the continuous common partial pattern may be extracted while skipping a specific value (eg, 00). As an embodiment, the continuous common partial pattern may be extracted based on a feature generated by applying an arbitrary fixed number of n-Bytes Filters to segmentation traffic. The continuous common partial pattern extraction process will be described in more detail below with reference to FIGS. 4A and 4B .

Meanwhile, the network traffic feature engineering unit 110 may directly collect network traffic or receive the collected network traffic from the outside, but is not limited thereto.

As an embodiment, the generated segmentation traffic may be used by the segmentation traffic quantization particle generator 120 . The segmentation traffic quantization particle generator 120 may calculate a quantization particle with respect to the continuous common partial patterns of the segmentation unit and map it to a quantization table. As an embodiment, a periodic table may be utilized as a quantization table, and consecutive common subpatterns may be mapped to quantized atomic symbols that each define a different atom. An example of a quantization table for network traffic analysis will be described in more detail with reference to FIG. 5 . On the other hand, it is possible to generate a molecular structure by converting each segmentation traffic into structural formulas in the constituent arrangement of atoms, and to generate property information of quantized particles by extracting property information of atoms and molecules. This will be described in more detail with reference to FIGS. 6 to 8 .

On the other hand, as an embodiment, the network traffic evaluation unit 130 compares the particle structure information of the segmentation traffic having a molecular structure structured in the configuration arrangement of atoms generated above with the previously stored quantized particle structure information to configure the traffic particles. It is possible to evaluate the similarity while identifying As an embodiment, the pre-stored quantized particle structure information may be stored in the traffic particle information storage unit 140 , and the traffic particle information storage unit 140 stores the traffic particle information in a structured form. can The traffic particle information storage unit may process input/output operations including inquiry, conversion, addition, modification, and deletion of traffic particle information for network traffic evaluation. In addition, it may be responsible for overall management of information stored in the database. Meanwhile, the network traffic evaluation unit 130 may add particle structure information of segmentation traffic, which is a similarity comparison target, as new quantized particle information according to the similarity evaluation result, or may update pre-stored quantized particle structure information according to an update criterion. This will be described in more detail with reference to FIGS. 6 to 9 .

Meanwhile, a connection relationship between components included in the apparatus for analyzing network traffic of FIG. 1 is illustrated as an exemplary embodiment. Therefore, for example, it is also possible to connect the unconnected network traffic feature engineering unit 110 and the network traffic particle information display unit 130 to perform communication, and is not limited to the connection relationship shown in FIG. 1 .

Meanwhile, the network traffic analysis apparatus of FIG. 1 may perform the network traffic analysis method of FIGS. 2 and 11 , and may be included in the network traffic analysis system of FIG. 12 . This will be described in more detail below with reference to other drawings.

Meanwhile, the network traffic analysis apparatus of FIG. 1 may perform the same function as the network analysis apparatus of FIG. 10 . For example, the network traffic feature engineering unit 110 , the segmentation traffic quantization particle generation unit 120 , the network traffic particle information display unit 130 , the network traffic evaluation unit 140 , and the network traffic particle information storage unit 150 . All or some functions may be performed by the processor of FIG. 10 . This will be described in more detail with reference to FIG. 10 below.

2 is a diagram for explaining a network analysis method according to an embodiment of the present disclosure. More specifically, it is a diagram for explaining an example of a network analysis method that can be performed by the network analysis apparatus.

Before describing an example of a network analysis method, it is assumed that previously collected network traffic is used, and may be collected based on various network environments and standard and/or non-standard protocols. Meanwhile, the present disclosure is not limited thereto.

Also, as an embodiment, the network analysis apparatus may be the network analysis apparatus of FIG. 1 or 10 , but is not limited thereto.

As an embodiment, the network analysis apparatus may perform network traffic segmentation ( S210 ) based on the collected network traffic. For example, the collected network traffic may be classified and sessioned based on network packet header information. As an embodiment, the network packet header information may include source and/or destination IP addresses, source and/or destination ports, protocol information used, and packet payload information. As an embodiment, the network packet payload information may include only information about bytes of a limited size from the first byte of the payload. For example, the limited size may be a value set within 32 bytes, and may be configured by limitingly increasing the size to be used according to user settings. Processing performance can be increased by analyzing only a limited range of packets based on network packet payload information. Meanwhile, the limited size may be a value other than 32 bytes, and the present disclosure is not limited thereto.

Based on the segmented network traffic, segmentation classified traffic may be segmented ( S220 ). As an embodiment, each traffic bundle subdivided in the previous process ( S210 ) may be classified according to the segmentation criterion. As an embodiment, the segmentation criterion may use used protocol information that may be included in network packet header information. For example, if the protocol used is the UDP protocol, network traffic segmentation may be performed based on source and destination IP and source and destination port information included in network packet header information, but additionally, packet communication direction, UDP protocol Segmentation may be performed by further using at least one of information such as a predetermined time interval of packet transmission during periodic transmission of packets that may occur due to characteristics. As another example, when the protocol used is the TCP protocol, network traffic segmentation may be performed based on source and destination IP and source and destination port information included in the network packet header information, but additionally using TCP flag information Network traffic segmentation can be performed. For example, at least one of PSH flag information, ACK flag information, and the same ACK number information may be further used.

When the network traffic is segmented, a continuous common partial pattern (CCS) of the segmented traffic may be extracted ( S230 ). As an embodiment, the continuous common portion may mean a common portion of an arbitrary n-byte size that is consecutively the same between several segmented traffic, and an n-bytes filter may be applied to this common portion. In addition, a portion matching the same location and size in several segmented traffic may be referred to as a continuous common portion. For example, if a common part in segmentation traffic is repeated and matched by a specific n-byte filter a predetermined number of times, it may be selected as one continuous common part pattern. In this case, the number of repetitions of n-bytes for setting the continuous common partial pattern may be changed and may be set according to a user setting. As an embodiment, the n value of the n-byte filter may be an integer value of 3 or more and 8 or less. For example, the size n to be applied first may be applied step-by-step (Basic n-BF) in a descending order in the order of 8, 6, or 4 bytes. As another example, the n value may be selectively applied in units of 7, 5, or 3 bytes (Optional n-BF), but is not limited thereto. As an embodiment, after extracting a common part by applying an 8 (or 7) byte filter to the segmentation traffic, it is named as a first continuous common part pattern, and then on the remaining part of the segmentation traffic that is not set as a continuous common part pattern A continuous common pattern may be extracted by applying a 6 (or 5) byte filter, and this may be referred to as a second continuous common partial pattern. Thereafter, in the same way, a 4 (or 3) byte filter is applied to the remaining portion of the segmentation traffic to extract a continuous common partial pattern again, and this may be referred to as a third continuous common partial pattern. However, since this corresponds to an embodiment, the present disclosure is not limited thereto.

Thereafter, it is also possible to use the extracted continuous common partial pattern as it is as a final continuous common partial pattern and map it to the quantization table. have. The continuous common subpatterns may be expressed as one continuous common subpattern by integrating the results selected by various n-byte filters.

Meanwhile, depending on the protocol used of the network packet, other information may be further included in the network packet header information and used for classification, which will be described in more detail with reference to other drawings below.

Meanwhile, since FIG. 2 corresponds to an embodiment of the present disclosure, some processes may be added or excluded, the order may be changed, or each process may be specified, and is not limited to FIG. 2 .

Also, the above description may be applied to a network traffic analysis method according to another embodiment of the present disclosure shown in FIG. 10 . A network traffic analysis method according to another embodiment will be described in more detail below with reference to FIG. 11 .

3A and 3B are diagrams for explaining a segmentation process of network traffic according to an embodiment of the present disclosure. More specifically, it is a diagram for explaining a process of segmenting network traffic according to a protocol using network packets.

As an embodiment, FIGS. 3A and 3B may be included in the segmentation (S220) process of the segmented classification traffic included in FIG. 2 . As another embodiment, FIGS. 3A and 3B may also be included in the process of classifying and segmenting the collected network traffic of FIG. 11 ( S1110 ).

As an embodiment, FIG. 3A is a diagram for explaining a process of segmenting network traffic for a UDP protocol and a result thereof according to an embodiment of the present disclosure. For example, in the segmentation process of network traffic, the payload information for each packet is a 32-byte hexadecimal value (for example, 1000 0030 1000 0000 00e6 0010 0010 0030 0000 192e 1101 03c1 29a0 80a0 8030 8002). It may include the process of converting to . Thereafter, it may include a process of sequentially listing the converted packets. For example, a number such as 01 02 03 ... 0n expressed on the leftmost side of the result 300 of FIG. 3A may mean a number of a packet, and may include a payload value converted into a hexadecimal value. have.

As another embodiment, FIG. 3B is a diagram for explaining a process of segmenting network traffic for a TCP protocol and a result thereof according to an embodiment of the present disclosure. For example, the segmentation process of network traffic converts the payload information for each packet into a 32-byte hexadecimal value (for example, 0b4d 5348 7c5e 267c 7c7c 7c7c 7c7c 4e4d 447c 4850 3135 3934 3730 3634 3630). It may include a conversion process. Thereafter, it may include a process of sequentially listing the converted packets. For example, a number such as 01 02 03 ... 0n on the left-most side expressed in the result 310 of FIG. 3B may mean a number of a packet, and may include a payload value converted into a hexadecimal value. can

Meanwhile, as an embodiment, the segmentation traffic according to the segmentation process of the network traffic of FIGS. 3A and 3B may be used for continuous common part extraction of the network traffic of FIG. 4 .

4A and 4B are diagrams for explaining a continuous common part extraction process of network traffic according to an embodiment of the present disclosure.

As an embodiment, FIGS. 4A and 4B may be included in the process of extracting a continuous common portion of the segmentation traffic included in FIG. 2 ( S230 ). As another embodiment, FIGS. 4A and 4B may also be included in the process of classifying and segmenting the collected network traffic of FIG. 11 ( S1110 ).

For clarity of explanation, it is assumed below that the processes of FIGS. 4A and 4B are based on FIGS. 3A and 3B, but the present disclosure is not limited thereto.

Meanwhile, in the following, it is assumed that n of the n-byte filter sequentially corresponds to 8, 6, and 4 for clarity of explanation, but the present disclosure is not limited thereto.

As an embodiment, FIG. 4A shows the results of sequentially applying an n-byte filter (eg, Basic n-BF, n = 8, 6, 4) to a 32-byte array of segmentation traffic based on the UDP protocol, respectively. It is a drawing for explanation. For example, the first packet (eg, pkt#10) may be with the second packet (eg, pkt#23), assuming that an 8-byte filter is applied. According to the 8-byte filter 401, the common part can be selected into two parts. For example, the 50 00 32 00 55 00 41 00 part and the 36 00 32 00 31 00 33 00 part included in both the first packet and the second packet are selected as the first continuous common part by the 8-byte filter ( 401) can be Thereafter, a 6-byte filter may be applied to the remainder of the first packet and the second packet, and patterns selected based on the 8-byte filter may be temporarily converted to a value of 00. As an example, if 2 bytes starting with 00 are located in the first, that is, the prefix or the last, that is, the suffix of each packet, skip to the next byte without applying a byte filter. Accordingly, it is possible to increase the efficiency by applying the byte filter again to the pattern already selected as the continuous common part, or by preventing the continuous common part patterns by different byte filters from overlapping each other. In addition, a meaningless pattern including a value of '00' may be removed, and the significance of the extraction pattern may be maximally secured. Accordingly, in the remaining parts, the common part may be selected into two parts. For example, the 00 01 00 01 09 00 part and the 32 00 42 00 58 00 part included in both the first packet and the second packet may be selected 402 as the second continuous common part. Thereafter, a 4-byte filter may be applied to the remaining portions of the first packet and the second packet. However, if the remaining portion is within 4-bytes in consideration of the packet length information of the first packet and the packet length information of the second packet, the 4-byte filter The byte filter may not be applied. In addition, as described above, it is also possible to extract a continuous common part for two packets, but the present disclosure is not limited thereto. Also, it is possible to apply a byte filter to the first packet and the n-th packet. That is, it is not necessary to follow the packet order when determining the continuous common part of packets.

Meanwhile, the above process may be repeated for other packets segmented by being included in the collected network traffic. If all packets are sequentially rearranged, results shown in set 1 to set 23 may be obtained. Here, each set may be used to mean including a packet (eg, two packets) used for continuous common part selection. For example, set 10 may include a continuous common part selection result 403 of packet #10. In the above embodiment, set 10 and set 23 may have the same continuous common part selection result.

Meanwhile, FIG. 4B shows that an n-byte filter (eg, Basic n-BF, n = 8, 6, 4) is sequentially applied to the segmented network traffic for the TCP protocol according to an embodiment of the present disclosure. It is a figure for explaining the result. For example, for the first packet (pkt#1) and the second packet (pkt#2), three consecutive common partial patterns may be selected by an 8-byte filter. For example, the continuous common partial pattern is 0b 4d 53 48 7c 5e 7e 5c, 26 7c 7c 7c 7c 7c 7c 7c, and 4e 4d 44 7c 48 50 31 35, and may be selected as the first continuous common partial pattern. . Thereafter, in the same manner as described above, a 6-byte filter may be applied to the remaining portions of the first packet and the second packet, and the continuous common partial pattern is 39 34 37 30 36 34, which is a second continuous common partial pattern. can Then, the same process can be repeated for other packets. As mentioned above, since it is not always possible to extract a continuous common partial pattern only from two packets, a continuous common partial pattern is also obtained for the third packet (pkt#3) to the eighth packet (pkt#8). can be selected. Thereafter, the results of selecting a continuous common partial pattern with other packets for all packets are sequentially rearranged, and sets 1 to 20 can be derived. As an embodiment, the filter application method may be the same as described with reference to FIG. 4A .

5 is a diagram for explaining a quantization table for network traffic analysis according to an embodiment of the present disclosure. More specifically, as an embodiment, a diagram for explaining a case in which a quantization table is based on the periodic table.

As an embodiment, the quantization table of FIG. 5 may be used in a quantization mapping process of continuous common partial patterns of segmentation traffic. Meanwhile, the quantization mapping process may be included in FIGS. 6 and 11 below, and may be used by the network traffic analysis apparatus of FIGS. 2 and 10 .

The periodic table in the field of chemistry is a table in which elements are arranged according to their properties for easy identification, and 118 elements are divided into 7 periodic groups and 18 groups. As an embodiment, based on the periodic table of FIG. 5 , a quantization table according to a first operation value of a packet including a continuous common partial pattern (CCS) may be redefined. For example, if the value of n of the n-byte filter is 8, it can cover atoms in the range of atomic number 3 to 36 (n-BQ, n = 8), and the number of elements in that range (Psize) becomes 34. Also, other values of n can specify a specific range in the same way. For example, if the value of n is 7, an atom corresponding to an atomic number of 57 to 71 may belong to it, and the number of elements in the range may be 15. In this case, for example, in the case of a 5-byte filter, an atom corresponding to an atomic number in the range of 89 to 103 may belong, and in the case of a 4-byte filter, an atom corresponding to an atomic number in the range of 55 to 108 may belong. However, in the case of a 4-byte filter, atoms included in the 5-byte filter may be excluded. That is, the number of elements of the 4-byte filter may be 24.

On the other hand, the expression of the element symbol (A) shown in the periodic table may include atomic number, isotope, number of atoms, and charge amount information. Since the element allocation of each byte filter described above corresponds to an embodiment, when elements allocated to different byte filters are the same, that is, when the same atomic number is designated, this may be defined as an isotope. In addition, as an embodiment, the amount of charge may be given when the continuous common partial pattern does not start from the first byte, and may be expressed as + (positive charge) or - (negative charge) according to the notation method of elements in the periodic table.

Meanwhile, since the present disclosure is not limited to FIG. 5 , it will be possible to use other tables including a binary number table, a figure table, etc. in addition to the periodic table.

6 is a diagram for explaining a particle structure of segmentation traffic and a process of generating attribute information according to an embodiment of the present disclosure.

More specifically, as an embodiment, after completing the extraction of continuous common partial patterns of segmentation traffic, it is structured into particles into atomic and molecular structures based on a quantization table based on the periodic table as shown in FIG. It is a diagram for explaining a process of generating information about

As an embodiment, the process of FIG. 6 may be performed by the network traffic analysis apparatus of FIGS. 1 and 10 , and may be included in the network traffic analysis method of FIGS. 2 and 11 . In the following for clarity of explanation, it is assumed that the process of FIG. 2 has been performed before the process of FIG. 6 and that the process of FIG. 6 is based on FIGS. 3A, 3B, 4A and 4B, but the present disclosure is limited thereto no.

As an embodiment, a quantization particle operation ( S610 ) on segmentation traffic may be performed. In the quantization particle operation process, for a packet payload of segmentation traffic including a continuous common partial pattern (CCS), a hexadecimal (Hex) value of the first 1 byte may be converted into a decimal (Dec) value. Thereafter, modular arithmetic may be performed on this. In addition, as described with reference to FIGS. 4A and 4B , each n-byte interval section to which the n-byte filter is applied may be defined differently. As an embodiment, when using the quantization table described with reference to FIG. 5 and using an 8-byte filter first, an orbital group (orbital group) representing each 8-byte interval as {s, p, d, f} group) can be defined. For example, the orbital notation form is the starting position [n] (n = 1 to 32) of the continuous common subpattern (CCS), the type of orbital [O] (O = s, p, d, f), the continuous common subpattern It can be defined as <nOb> by combining the byte length [b] (b = 8 ~ 3) of (CCS). For example, based on the result shown in FIG. 4A , the orbital of set 10 may be expressed as <1s3, 5p4, 9d4, 13f3>.

As an embodiment, the process of transforming ( S620 ) the particles calculated by the quantization mapping based on the quantization table may include the process of applying a result value calculated on the quantized particles ( S610 ) to the quantization table. For example, by using a quantization table based on the periodic table of FIG. 5 , an atomic number for a quantized particle operation result expressed in an orbital may be determined. In this case, within the element range (n-BQ) corresponding to the n-byte value of the largest continuous common subpattern, that is, within the element range determined according to the n value, which is the largest of the n-byte filters applied to the packet, As a result, the element corresponding to the value can be designated and quantized in the continuous common subpattern. For example, according to the result shown in FIG. 4A , in set 12, since the hexadecimal (Hex) value of the first 1 byte is 10, if it is converted to a decimal (Dec) value, it can be 16. . As an example, set 12 of FIG. 4A has an 8-byte filter applied as a byte filter with the largest n, so the continuous common subpattern of set 12 can be quantized to elements with atomic numbers 3 to 36. . That is, it can be quantized to atoms for 34 elements. Based on the number of elements, if you perform a modular operation (mod 34, Psize) on the converted decimal value, 16 can be obtained as a result value. Thereafter, the atomic number corresponding to the operation result value in the element range (3 to 36) of the 8-byte filter is the 19th (=16) considering that the element range of the 8-byte filter starts from the atomic number 3 +3) can be specified as an element. Accordingly, the atomic symbol can be determined as K (potassium). In this way, quantization can be performed based on a continuous common partial pattern extracted with respect to segmentation traffic, a quantization particle operation result, and a quantization table.

When the quantization process is performed, a structural formula of a segmentation traffic unit may be generated based on the transformed particles ( S630 ). As an embodiment, as mentioned above, if the periodic table shown in FIG. 5 is used as a quantization table, the structural formula of the segmentation traffic unit may take the form of a chemical structural formula. That is, it can be expressed as a structure including atoms and molecules. With respect to the atomic symbols determined by the previous process ( S620 ), a structural formula, ie, a molecular structure, may be generated in a segmentation unit. As an embodiment, the structural formula of the segmentation traffic unit may be represented by a rule defined based on a representative Simplified Molecular Input Line Entry System (SMILES) notation rule among notation schemes representing the structure of a compound as a character string. As an embodiment, the defined rule may include extending the prefix while connecting atoms starting from the first position of the continuous common sub-pattern as a center. At this time, if the starting atom is determined to be H (hydrogen), H (hydrogen) may be connected to a branch without connecting to the central atom. Also, the defined rule may include, if consecutive patterns with the same prefix are repeated between sets, this is marked as multiple bonds between atoms. As an embodiment, when patterns having the same prefix are repeated between two sets, it is denoted by a double bond (=), and when there are three or more, it is defined as a triple bond (#). In addition, the defined rule may include, if several sets having the same prefix are alternately repeated once, it is denoted as an interatomic ring (Cyclic). If these rules are further defined, the shape of the molecular structure can be described and explained in more detail. Meanwhile, since the above description corresponds to an embodiment of the present disclosure, in another embodiment, the defined rule may not be defined based on the SMILES notation rule, and may be defined differently from the above.

When the structural formula for the segmentation traffic unit is generated, attribute information on the components included in the structured traffic may be generated ( S640 ). For example, if a quantization table based on the periodic table of FIG. 5 is used, the structural formula for the segmentation traffic unit may include atoms and molecules. Accordingly, the generated attribute information may include attribute information on atoms and molecules. The attribute information on atoms and molecules may include information on properties of quantized atoms and molecules, that is, information on quantized particle structures. In more detail, it may include information on properties of protonated particles, such as chemical formulas of atoms and molecules, isotopes, orbitals. In addition, statistical information on segment traffic, such as a communication direction of segmentation traffic, a communication period, an average/standard deviation of a packet length, and entropy, may be generated and may be included in the generated attribute information.

Meanwhile, attribute information of the generated structured traffic and a structural formula for a segmentation traffic unit may be used when evaluating network traffic. As an embodiment, when the network traffic analysis apparatus of FIGS. 1 and 10 performs network traffic evaluation, the network traffic analysis apparatus may use the structured traffic attribute information and the structural formula for the segmentation traffic unit, as shown in FIG. It is also possible to be used by a network traffic evaluation device.

7 is a diagram for explaining a process of formulating a segmentation traffic unit according to an embodiment of the present disclosure.

As an embodiment, the process of FIG. 7 may be performed by the network traffic analysis apparatus of FIGS. 1 and 10 , and may be included in the network traffic analysis method of FIGS. 2 and 11 . Also, it may be included in generating a structural formula for the segmentation traffic unit of FIG. 6 ( FIGS. 6 and s630 ).

Hereinafter, for clarity of explanation, it is assumed that the process of formulating the segmentation traffic unit of FIG. 7 is based on FIGS. 3A, 3B, 4A, 4B, 5 and 6, but the present disclosure is not limited thereto.

Atoms transformed by quantization mapping by the atomic transformation ( FIGS. 6 and s620 ) of FIG. 6 with respect to the result column (sets 1 to 23) of FIG. 4A may be organized as shown in FIG. 7 . As an embodiment, when the UDP protocol is used, sets 1 to 23 may be listed based on a continuous common part pattern for a segmented traffic unit. At this time, since sets 14 to 16 have a prefix starting with 10 00, the central valence can be determined as K (potassium) as mentioned in FIG. 6 . Thus, three sets with the same prefix (eg, sets 14 to 16) can be expressed as a triple bond of K#K, i.e. K (potassium). Then, among the central atoms by the other set, it can be extended by connecting with the adjacent central atoms at the K#K position of the triple bond (sets 14 to 16). As an embodiment, at the K#K bonding positions of sets 14 to 16, linking the central atoms of each set one by one in a decreasing set number (set 13 to set 1), 'K#K (sets 14 to 16) )-K(set 13)-K(set 12)-K(set 6)-Ca(set 2)'. The remaining atoms (I+, H) may be connected by branches of adjacent previous central atoms. By connecting as described above in the opposite downward direction from the K#K binding site, that is, in the direction in which the set number increases (set 17 to set 23), the entire molecular structure of the segmentation traffic, that is, the overall structural formula can be completed.

Also, even when the TCP protocol is used, the same process as described above can be performed. For example, for sets 1 to 20, silicon triple bonds in sets 3 to 5 (Si#Si), silicon triple bonds in sets 6 to 8 (Si#Si), silicon triple bonds in sets 10 to 12 ( Si#Si), connecting the silicon triple bonds of sets 13 to 15 (Si#Si) and the silicon triple bonds of sets 17 to 19 (Si#Si), and the silicon of sets 1, 2, 9, 16 and 20 can connect

On the other hand, sets 1 to 2 may not be expressed as double bonds because they are different from the configuration of the end of the set collection in which a silicon triple bond is generated. More specifically, when sets 1 to 2 are expressed as silicon double bonds, atomic configurations of silicon double bonds and silicon triple bonds are different, so that sets 1 to 2 may not be expressed as bonds. However, since this corresponds to an embodiment, the present disclosure is not limited thereto.

8 is a diagram for explaining an evaluation process of a network traffic analysis result according to an embodiment of the present disclosure.

As an embodiment, the process of FIG. 8 may be performed by the network traffic analysis apparatus of FIGS. 1 and 10 , and may be included in the network traffic analysis method of FIGS. 2 and 11 .

In addition, as an embodiment, when the network traffic analysis apparatus of FIGS. 1 and 10 performs network traffic evaluation up to the network traffic analysis apparatus, the process of FIG. 8 may be performed in the network traffic analysis apparatus, and by the network traffic evaluation apparatus of FIG. may be performed.

In addition, as an embodiment, it is assumed that the network traffic evaluation process of FIG. 8 is based on the previous FIGS. 3A to 7 for clarity of explanation, but the present disclosure is not limited thereto.

As an embodiment, in order to evaluate the network traffic analysis result, particles of structured segmentation traffic may be identified ( S810 ). In this case, the structured segmentation traffic may include particles transformed by mapping a continuous common partial pattern to a specific value based on a quantization table, and it is possible to identify which particles are included. As an embodiment, a particle may be identified based on attribute information on structured segmentation traffic, and the attribute information on segmentation traffic may include quantized particle structure information. In this case, the attribute information on the segmented traffic may be compared with the quantized particle structure of other traffic previously stored in the database. In addition, the attribute information and the particle structure information may be expressed by a notation rule based on the above-mentioned SMILES format. Here, the quantization particle structure information for the target segmentation traffic may be stored in the database as a form of the structured segmentation traffic. Meanwhile, the database may be managed by a network traffic analysis device or a network traffic evaluation device, and input/output (eg, inquiry, conversion, addition, modification, and deletion) requests to the database may be processed.

Based on the identified particles, the similarity between the particles may be compared (S820). As an embodiment, if the quantized particle structure information of structured segmentation traffic is expressed based on the SMILES format, first compare the similarity of the SMILES format particle structure with the particle structure information obtained by inquiring the above-mentioned database. can In this case, the similarity comparison result may be derived in such a way that a matching ratio is calculated by comparing each configuration of the entire quantized particle structure, and the similarity level may be expressed according to a similarity threshold preset by the user. As an embodiment, if it is determined that the particle structure information is the same, that is, the particle structure stored in the database and the particle structure for the current segmentation traffic may be the same. If the particle structure is the same, the degree of similarity in orbital configuration for each particle defined in the above-mentioned quantized particle calculation can be compared. Here, when the particle structure information is expressed based on the SMILES format, the similarity of the orbital configuration may be compared through SMARTS (SMILES Arbitrary Target Specification) pattern matching.

According to the similarity comparison result, new quantized particle information may be added and/or updated ( S830 ). That is, when it is determined that the similarity comparison result is equal to or greater than the reference value, the particle information previously stored in the database may be updated. On the other hand, if it is determined that the similarity comparison result is low or it is determined that the particle information is significantly different from the existing particle information, it can be added to the database as a new quantized particle. Meanwhile, when there is no previously stored particle information in the similarity comparison ( S820 ), that is, when the initial similarity comparison is executed, the quantized particle information may be added to the database and registered. In this case, additional information such as an identifier name for the quantization particle information to be added or updated, a traffic generating device type to be added or updated, and a management code number may be further registered in the database.

9A and 9B are diagrams for explaining a result of a simulation display of segmentation traffic particle information according to an embodiment of the present disclosure.

As an embodiment, the result of FIG. 9 may be derived by the network traffic analysis apparatus of FIGS. 1 and 10 , and may be derived by the network traffic analysis method of FIGS. 2 and 11 and the process of FIGS. 6 and 8 . have.

Also, as an embodiment, when the network traffic analysis apparatus of FIGS. 1 and 10 performs network traffic evaluation up to the network traffic analysis apparatus, the result of FIG. 9 may be derived from the network traffic analysis apparatus, and by the network traffic evaluation apparatus of FIG. may be derived.

In addition, as an embodiment, it is assumed that the simulation result of the visualization display of the segmentation traffic information of FIG. 9 is generated based on the preceding FIGS. 3A to 8 for clarity of explanation, but the present disclosure is not limited thereto .

As an embodiment, FIG. 9A is a diagram illustrating a structural formula of UDP segmentation traffic particle information according to the present disclosure expressed as a 2D structural formula in a SMILES format or modeling the result as a 3D model in a ball and stick format. Here, the 2D structural formula of the SMILES format can be converted into other notation methods such as International Chemical Identifier (InChl) and SYBYL Line Notation (SLN) through input/output processing of the database. In addition, the 3D model can be converted to other modeling such as van der Waals Spheres, Wireframe, Line, etc.

FIG. 9B shows an example in which the structural formula of TCP segmentation traffic particle information is expressed as a 2D structural formula in the SMILES format or a 3D model in the ball and bar format is modeled as shown in FIG. 9A.

10 is a diagram for explaining an apparatus for analyzing network traffic according to another embodiment of the present disclosure. More specifically, it is a diagram for explaining a network traffic analysis apparatus 1000 including a transceiver 1001 for transmitting and receiving a signal and a processor 1002 for controlling the transceiver.

As an embodiment, the network traffic analysis apparatus 1000 of FIG. 10 may perform the process of FIGS. 2, 6, 8 and/or 11 , and may provide a function provided by the network analysis apparatus of FIG. 2 . can

As an embodiment, the transceiver 1001 may receive the collected network traffic and transmit a result of analyzing the network traffic. In addition, when the processor 1002 can also perform network traffic evaluation, it can also transmit and receive network traffic evaluation results.

As an embodiment, the processor 1002 may classify and segment the collected network traffic, extract a continuous common portion of the segmented network traffic, and perform quantization based on the continuous common portion. The quantization may include mapping the periodic table to atomic symbols using the quantization table, and the structured network traffic may have a molecular structure structured based on quantized atoms. Also, the network packet header information may include source IP, destination IP, source port, destination port, and protocol information of the network packet. In addition, when the protocol information of the network packet header information is a UDP protocol, the network packet header information may further include a communication direction of a network packet and packet transmission interval information, and the protocol information of the network packet header information is TCP In the case of a protocol, the network packet header information may further include PSH flag information and ACK flag information. As an embodiment, the continuous common portion may be a portion having the same location and the same size in the segmented network traffic, and may be determined based on the above-mentioned n-byte filter. In addition, the processor may generate attribute information of the structured network traffic, wherein the attribute information of the network traffic may include property information of atoms and molecules of a quantized structural formula for a segmentation unit of the network traffic, The characteristic information may include chemical formulas, isotopes, and orbital information of the atoms and molecules. The derived characteristic information and attribute information may be included in the network traffic analysis result, and the processor may perform a similarity comparison between the structured network traffic pre-stored in the database and the particle structure of the structured network traffic. In this case, the database may be located outside or may be included in the network traffic analysis apparatus 1000 although not shown in FIG. 10 . In addition, if it is determined that the particle structures are similar, the processor may evaluate the network traffic by comparing the orbital similarity of each particle included in the structured network traffic. The segmentation of the network traffic may include converting any n bytes of a payload of the network traffic into hexadecimal numbers. In addition, the quantized network traffic may be structured into an array, and the structured network traffic may be marked based on a SMILES notation rule, which may be the same as described above.

Meanwhile, in FIG. 10 , it has been described that network traffic is previously collected from the outside and delivered to the network traffic analysis apparatus of FIG. 10 , but since this corresponds to an embodiment, it will be possible for the processor to directly collect network traffic. In addition, the processor can directly evaluate the network traffic analysis result.

11 is a diagram for explaining a network traffic analysis method according to another embodiment of the present disclosure.

As an embodiment, the network traffic analysis method of FIG. 11 may be performed by the network traffic analysis apparatus of FIGS. 2 and 10 , and may include the processes of FIGS. 2, 6 and 8 .

As an embodiment, the apparatus for analyzing network traffic may classify and segment the collected network traffic ( S1110 ). This includes processes corresponding to S210 and S220 of FIG. 2 , and the description with reference to FIGS. 3A and 3B may be applied. For example, the collected network traffic may be classified and sessioned based on network packet header information. As an embodiment, the network packet header information may include source and/or destination IP addresses, source and/or destination ports, and protocol information used, and may further include other information according to the protocol used. This may be the same as described with reference to FIG. 2 . Meanwhile, although it is illustrated that network traffic is previously collected, this corresponds to an embodiment, so it is also possible to directly collect network traffic.

Thereafter, a continuous common portion of the segmented network traffic may be extracted ( S1120 ). This may include the process S230 of FIG. 2 , and the description with reference to FIGS. 4A and 4B may be applied. The continuous common part may mean a part matching the same location and size in several segmented traffic, and may be selected by an n-byte filter. This may be the same as described above with reference to FIG. 2 .

As an embodiment, when a continuous common part is extracted, it may be quantized based on it ( S1130 ). Quantization may be performed based on the quantization table including FIG. 5 , and may include steps S610 and S620 of FIG. 6 . Using the quantization table of Figure 5, it is possible to determine the atom to be mapped to the atomic symbol using the prefix of the continuous common part, to determine the central atom to connect to another atom, and to branch to the atom, which is mentioned above. It's like a bar.

Thereafter, the quantized network traffic may be structured (S1140). The structural formulating process may include steps S630 and S640 of FIG. 6 . The structured network traffic may be expressed as an array and may be included in the network traffic analysis result. When the periodic table shown in FIG. 5 is used as a quantization table, the structural formula of the segmentation traffic unit can take the form of a chemical structural formula. Such a chemical structural formula may be expressed by a rule defined based on the SMILES (Simplified Molecular Input Line Entry System) notation rule. Also, the attribute information generated based on the structured network traffic may include attribute information on atoms and molecules. The attribute information may include property information of quantized particles, such as chemical formulas of atoms and molecules, isotopes, orbitals. This is as mentioned above.

On the other hand, although not shown in FIG. 11, the network traffic analysis method identifies particles of structured segmentation traffic using the network traffic analysis result including the structured network traffic, compares the similarity between the particles, The process of adding, registering, or updating the quantized particle structure information to the database may also be included. This may be the same as described with reference to FIG. 8 .

Meanwhile, since FIG. 11 corresponds to an embodiment of the present disclosure, some steps may be excluded, added, changed, or the order may be changed.

12 is a diagram for explaining a network traffic analysis system according to an embodiment of the present disclosure. As an embodiment, the network traffic analysis system may include a network traffic collection device 1201 , a network traffic analysis device 1202 , and a network traffic estimation device 1203 .

As an embodiment, the network traffic collection device 1201 may be a device that collects network traffic from various network environments based on standard and/or non-standard protocols. For example, network traffic may be collected to identify devices connected from a network environment in which information and communication technologies and operation technologies of various fields such as medical hospitals, national important infrastructures, manufacturing facilities, and the like are fused. The collected network traffic may be transmitted to the network traffic analysis device 1202 or the network traffic evaluation device 1203 , or may be delivered to another external system.

As an embodiment, the network traffic analysis apparatus 1202 may analyze the collected network traffic in order to identify a device connected to the network and secure visibility. For example, the apparatus for analyzing network traffic may be shown in FIGS. 1 and/or 10 , and may perform the network traffic analysis method of FIGS. 2, 6 and/or 11 . As an embodiment, the network traffic analysis apparatus 1202 classifies and sessionizes the collected network traffic based on network packet header information, classifies it into segmentation traffic, and extracts a continuous common partial pattern of network packet payload information. can do. In addition, after mapping it using a quantization table, it is possible to create and manage information on a structured high, quantized, and structured arrangement. In addition, the network traffic analysis result may be transmitted to the network traffic collection device 1201 , the network traffic evaluation device 1203 , and/or another external system.

Meanwhile, as an embodiment, the network traffic evaluation apparatus 1203 may perform network traffic evaluation, such as comparing the similarity between the network traffic and the previously analyzed network traffic, and comparing the orbital similarity based on the network traffic analysis result. . For example, the apparatus for evaluating network traffic may perform the process of FIG. 8 . Thereafter, the network traffic evaluation result may be transmitted to the network traffic collection device 1201 and/or the network traffic analysis device 1202 or another external system.

Meanwhile, the network traffic analysis system of FIG. 12 may be connected to other network traffic analysis systems. For example, one network traffic analysis system may transmit/receive collected network traffic, network traffic analysis results, network traffic evaluation results, etc. to another network traffic analysis system, and according to circumstances, share a database in which network traffic is stored. can do.

In addition, since the network traffic analysis system of FIG. 12 corresponds to an embodiment, the network traffic collecting device or the network traffic evaluating device may not be included, and other devices may be further included. In addition, the network traffic collection device and/or the network evaluation device may be implemented in a form included in one network analysis device.

Various embodiments of the present disclosure do not list all possible combinations, but are intended to describe representative aspects of the present disclosure, and the details described in various embodiments may be applied independently or in combination of two or more.

In addition, various embodiments of the present disclosure may be implemented by hardware, firmware, software, or a combination thereof. In addition, it may be implemented by a combination of one or more software rather than one software, and one subject may not perform all processes.

For implementation by hardware, one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), general purpose It may be implemented by a processor (general processor), a controller, a microcontroller, a microprocessor, and the like. For example, it may take various forms including the general-purpose processor. It is apparent that hardware may be disclosed in combination of one or more.

The scope of the present disclosure includes software or machine-executable instructions (eg, operating system, application, firmware, program, etc.) that cause an operation according to the method of various embodiments to be executed on a device or computer, and such software or and non-transitory computer-readable media in which instructions and the like are stored and executed on a device or computer.

The network traffic analysis computer program according to an embodiment of the present disclosure is stored in a non-transitory computer-readable medium, and includes the steps of classifying and segmenting the collected network traffic based on each network packet header information, the segmentation Extracting a contiguous common part for any n bytes of the quantized network traffic, performing quantization based on the contiguous common part, and structuring the quantized network traffic may be performed.

The present disclosure described above, for those of ordinary skill in the art to which the present disclosure pertains, various substitutions, modifications, and changes are possible within the scope without departing from the technical spirit of the present disclosure, so the scope of the present disclosure is It is not limited by one embodiment and the accompanying drawings.

100: network traffic analysis device
110: Network Traffic Feature Engineering Department
120: segmentation traffic quantization particle generator
130: network traffic evaluation unit
140: traffic particle information storage unit
150: traffic particle information display unit

Claims (15)

A network traffic analysis device comprising:
a transceiver for transmitting and receiving a signal; and
A processor for controlling the transceiver; including,
The processor is
The collected network traffic is classified and segmented based on the network packet header information.
extracting a continuous common part of network packet payload information for the packet of the segmented network traffic;
performing quantization of mapping the continuous common parts to atoms of the periodic table based on the periodic table as a quantization table;
Structuring the atom to which the continuous common moiety is mapped into a molecular structure,
Comparing the particle structure similarity between the structured molecular structure pre-stored in the database and the structured molecular structure,
If it is determined that the particle structure is similar,
A network traffic analysis device for comparing the orbital similarity between the structured molecular structure and each particle included in the previously stored structured molecular structure.
delete delete According to claim 1,
The network packet header information is
Including source IP, destination IP, source port, destination port and protocol information of the packet of the network traffic, network traffic analysis apparatus.
5. The method of claim 4,
When the packet of the network traffic is based on the UDP protocol,
The network packet header information is
Communication direction of the packet of the network traffic, further comprising packet transmission interval information, network traffic analysis apparatus.
5. The method of claim 4,
If the packet of the network traffic is based on the TCP protocol,
The network packet header information is
Network traffic analysis apparatus further comprising PSH flag information and ACK flag information.
According to claim 1,
The continuous common part is
The apparatus for analyzing network traffic, having the same location and the same size between the network packet payload information of the packet of the network traffic.
According to claim 1,
The processor is
Generates attribute information of the structurally formulated molecular structure,
The attribute information is
A network traffic analysis device including information on properties of atoms and molecules of the molecular structure.
9. The method of claim 8,
The characteristic information is
A network traffic analysis device comprising chemical formulas, isotopes, and orbital information of the atoms and molecules.
delete delete According to claim 1,
The continuous common part is
Extracted by an n-byte filter based on the network packet payload information converted to hexadecimal,
The n-byte filter is repeatedly applied, n is preferentially selected in order of 8, 6, 4, and selectively selected in order of 7, 5, 3, network traffic analysis apparatus.
According to claim 1,
The structuralized molecular structure is marked based on the SMILES notation rule, a network traffic analysis device.
In the network traffic analysis method performed by the network traffic analysis apparatus,
classifying and segmenting the collected network traffic based on network packet header information;
extracting a continuous common part of network packet payload information for the segmented network traffic packet;
performing quantization of mapping the continuous common part to the atoms of the periodic table based on the periodic table as a quantization table; and
Structuring the atom to which the continuous common portion is mapped into a molecular structure, and performing a particle structure similarity comparison between the structured molecular structure pre-stored in a database and the structured molecular structure;
The step of performing the particle structure similarity comparison is,
If it is determined that the particle structure is similar,
Comprising comparing orbital similarity for each particle included in the structured molecular structure and the previously stored structured molecular structure, network traffic analysis method.
a network traffic collection device for collecting network traffic;
The collected network traffic is classified and segmented based on network packet header information, a continuous common part of network packet payload information for the packet of the segmented network traffic is extracted, and the continuous common part is extracted a network traffic analysis device that maps and quantizes atoms of the periodic table based on a quantization table that is a periodic table, and structuralizes the atoms to which the continuous common parts are mapped into a molecular structure to derive an analysis result of the collected network traffic; and
Based on the analysis result of the network traffic, the similarity of the particle structure between the structured molecular structure and the structured molecular structure previously stored in a database is compared, and when it is determined that the particle structure is similar, the structured molecular structure and a network traffic evaluation device for comparing orbital similarity for each particle included in the pre-stored structured molecular structure.

Images