KR102307030B1 - Internet of Things Communication System with Packet Safety Verification - Google Patents

Abstract

The present invention relates to an IoT communication system having a packet safety verification function.
According to the present invention, a plurality of IoT devices connected to a sub-network that generate and transmit or receive packets, an identification name, a matching number, and a virtual IP address transmitted from the plurality of IoT devices are registered and registered. An Internet server that connects the communication between the IoT device and other IoT devices by providing the matching number and the virtual IP address to the IoT device to communicate, and installed in each subnetwork and connected to the corresponding subnetwork Allocating matching entry information to a plurality of IoT devices, verifying a packet received from the IoT device, and converting the IP address of the IoT device included in the header of the verified packet from the real IP address to the virtual IP address It includes a gatekeeper that changes to and transmits to the corresponding IoT device.
According to the present invention, all data packets are transmitted through a gatekeeper to which the sending or receiving IoT device is connected, and the gatekeeper changes the real IP address of the sending IoT device included in the packet to a virtual IP address. to prevent the actual IP address from being exposed to the outside.

Description

Internet of Things Communication System with Packet Safety Verification

The present invention relates to an IoT communication system having IP address conversion and pass packet safety verification functions, and more particularly, to an IoT device by giving an actual IP address and a virtual IP address, and to another IoT device located outside In the case of communication, it relates to an IoT communication system that communicates using a virtual IP address.

In the existing IoT operation IP communication, a method of connecting IoT devices to the Internet based on the IPv4 protocol through a NAT (Network Address Translation) device with a 32-bit private IP address is used.

Whenever an IP packet passes through a NAT device, a private IP address-public IP address translation process must be performed, and a port number translation process is also performed at the same time. The NAT device holds entry information indicating the policy of translating addresses and port numbers for incoming and outgoing packets. Therefore, in order to establish a connection to the requested IoT device, it is necessary for the requesting device to find out the policy entry information held by the NAT device belonging to the requested IoT device. NAT management, that is, IP address translation and port number translation This is very complicated. In addition, both SDN technology and DNS technology can be used to know the name of the requested IoT device and try to connect to the device.

The Internet of Things (IoT) operating network environment, which the United States is taking a major trend in recent years, is a method of assigning a 128-bit address to an IoT device and operating the IoT device based on the IPv6 network protocol. The above method does not require the NAT device itself.

Both SDN technology and DNS technology can be used to know the name of the requested IoT device and try to connect to this device, but it is possible only with the support of DNS version 6, which handles 128-bit address system. Of course, if IPv6 and DNS version 6 are ideally applied to all IoT devices, of course, this method is better than the NAT device method.

The problem is that when considering the compatibility operation with IoT devices deployed and operated based on the existing IPv4 protocol and the existing DNS system, both IPv4 and IPv6 methods must exist in parallel, and an interface between two different systems must exist. There was a problem that the system became too complicated.

In addition, if the IPv6 protocol is used as it is, the 128-bit address system must be followed as it is, so all packets have 128-bit addresses. This causes a problem in that the overhead of the packet increases, and the method of using the IPv6-type Internet of Things device is a method of using a 100% public IP address. Therefore, if a hacker applies a scanning method of monitoring to find an IP address in order to attack a corresponding IoT device, the IP address and connected location of the IoT device of the desired attack target can be easily allowed to the hacker. In other words, it is inevitably very vulnerable to hacker attacks.

In particular, Internet of Things devices do not have sufficient computing resources to prepare for such attacks on their own with the computing power of a general computer or smartphone. Therefore, there is a need for a new technology that can fundamentally respond to hacker attacks by changing the method of uniformly assigning public IPv6 addresses to IoT devices.

The technology underlying the present invention is disclosed in Korean Patent Application Laid-Open No. 10-2016-0023368 (published on March 3, 2016).

The technical problem to be achieved by the present invention is to provide an IoT communication system that gives real IP addresses and virtual IP addresses to IoT devices, and communicates using virtual IP addresses when communicating with other IoT devices located outside. It is intended to provide

According to an embodiment of the present invention for achieving this technical problem, in an IoT communication system having a packet safety verification function, a plurality of IoT devices connected to a subnetwork and generating and transmitting or receiving packets; The identification name, matching number, and virtual IP address received from the plurality of IoT devices are registered, and the registered matching number and virtual IP address are provided to the IoT device to communicate between the IoT device and other IoT devices. an Internet server that connects communication of , and a gatekeeper that changes the IP address of the IoT device included in the header of the verified packet from the real IP address to a virtual IP address and transmits it to the corresponding IoT device.

The IoT device may include at least any one of equipment, electronic devices, automatic vehicles, drones, and robots.

The IoT device transmits a dynamic address assignment request signal to a gatekeeper in a state in which an identification name is assigned, and the gatekeeper generates matching entry information including a matching number, a real IP address, and a virtual IP address, It is allocated to the IoT device, and the allocated matching entry information may be stored in the form of an address mapping table.

The Internet server may be based on one technology selected from a technology using software-defined networking (SDN) and a technology using a domain name system (DNS).

When an IoT device that transmits a packet is called a first IoT device and an IoT device that receives a packet is called a second IoT device, the Internet server may The matching number and virtual IP address of the second IoT device are extracted by comparing the identification name of the Internet device with the registered information, and the matching number and virtual IP address of the second IoT device are extracted to the first IoT device. can transmit

The packet includes a header and a data part, and the header includes an IP address of the first IoT device, an IP address of a second IoT device, a matching number of the first IoT device, and a matching number of the second IoT device. may include.

When the first IoT device connected to the first subnetwork transmits a packet to the second IoT device, the first gatekeeper included in the first subnetwork uses the stored address matching table to transmit the packet. The real IP address of the first IoT device included in the header of ' may be changed to a virtual IP address, and the packet including the changed header may be transmitted to the second gatekeeper to which the second IoT device is connected.

The second gatekeeper extracts the virtual IP address of the second IoT device included in the header of the received packet, and uses the stored address matching table to store the extracted virtual IP address of the second IoT device. The IP address may be changed and the packet including the changed header may be transmitted to the second IoT device.

When communication is performed between a plurality of IoT devices connected to the same subnetwork, packets transmitted or received from the IoT device pass through the same gatekeeper, and the gatekeeper receives the packets received from the sending IoT device. can change the real IP address of the sending IoT device included in the header of the have.

In addition, according to an embodiment of the present invention, in the P2P-based IoT communication connection system, a plurality of IoT devices connected to a subnetwork and generating and transmitting or receiving packets, the plurality of IoT devices Internet that connects the communication between the IoT device and other IoT devices by registering the identification name, matching number, and virtual IP address received from It is installed in a server and each sub-network, and it allocates matching entry information to a plurality of IoT devices connected to the respective sub-network, verifies the packet received from the IoT device, and a gatekeeper that changes the IP address of the IoT device included in the header from the real IP address to the virtual IP address and transmits it to the corresponding IoT device, wherein the gatekeeper is configured to include a session establishment request packet generated from the IoT device. Validate the session setup.

The IoT device may include at least any one of equipment, electronic devices, automatic vehicles, drones, and robots.

The IoT device transmits a dynamic address assignment request signal to a gatekeeper in a state in which an identification name is assigned, and the gatekeeper generates matching entry information including a matching number, a real IP address, and a virtual IP address, It is allocated to the IoT device, and the allocated matching entry information may be stored in the form of an address mapping table.

The header included in the packet includes the IP address of the first IoT device corresponding to the transmitting side, the IP address of the second IoT device corresponding to the receiving side, the matching number of the first IoT device, and the second IoT device. It may include the matching number of the device.

The Internet server compares the identification name of the second IoT device received from the first IoT device with pre-registered information to extract a matching number and virtual IP address of the second IoT device, and the extracted second The matching number and virtual IP address of the IoT device may be transmitted to the first IoT device.

When the first IoT device connected to the first subnetwork transmits a session request packet to the second IoT device connected to the second subnetwork, the first gatekeeper included in the first subnetwork is configured to: The real IP address of the first IoT device included in the header of the packet is changed to a virtual IP address using the stored address matching table, and the session request packet including the changed header is transferred to the second subnetwork included in the second subnetwork. can be sent to the gatekeeper.

The second gatekeeper determines whether to accept the session request packet by verifying the identification name and virtual IP address of the first IoT device included in the header of the session request packet, and if accepted, matches the stored address Using the table, the virtual IP address of the second IoT device may be changed to a real IP address, and a packet requesting data including the changed header may be transmitted to the second IoT device.

When verification of the session request packet is completed and session establishment is completed, the first IoT device transmits the generated packet to a second gatekeeper, and the second IoT device transmits the generated packet to the first gate. can be sent to the keeper.

Further, according to an embodiment of the present invention, in the Internet of Things communication connection system based on DNS (Domain Name System), a plurality of IoT devices connected to a subnetwork and generating and transmitting or receiving packets, a plurality of of a server belonging to, and registering an identification name, matching number, and virtual IP address in the form of a domain received from the IoT device in any one affiliate server among a plurality of affiliate servers, and the registered matching number and virtual IP address an Internet server that connects communication between the IoT device and other IoT devices by providing Allocating matching entry information, verifying the packet received from the IoT device, changing the IP address of the IoT device included in the header of the verified packet from the real IP address to the virtual IP address, Includes a gatekeeper that transmits to

The IoT device may include at least any one of equipment, electronic devices, automatic vehicles, drones, and robots.

The IoT device transmits a dynamic address assignment request signal to a gatekeeper in a state in which an identification name is assigned, and the gatekeeper generates matching entry information including a matching number, a real IP address, and a virtual IP address, It is allocated to the IoT device, and the allocated matching entry information may be stored in the form of an address mapping table.

In a state where the first IoT device corresponding to the transmitting side is connected to the first sub-network and the second IoT device corresponding to the receiving side is connected to the second sub-network, the first IoT device is connected to the Internet When a query regarding the IP address of the second IoT device is made to a server, the Internet server transmits a query regarding the IP address of the second IoT device to an upper-level name server among a plurality of affiliated servers, and the upper-level name server If there is no result of the DNS query, the upper-level name server may transmit the IP address of the lower-level name server to the first IoT device to continuously perform queries and responses.

The affiliated server may extract the virtual IP address of the second IoT device using the matching entry information registered in its database, and transmit the extracted virtual IP address to the first IoT device in the form of a DNS reply. .

The header included in the packet includes the IP address of the first IoT device corresponding to the transmitting side, the IP address of the second IoT device corresponding to the receiving side, the matching number of the first IoT device, and the second IoT device. It may include the matching number of the device.

When a packet requesting data is transmitted to the first IoT device, the first gatekeeper included in the first subnetwork uses the stored address matching table to determine the The real IP address of the first IoT device may be changed to a virtual IP address, and a packet including the changed header may be transmitted to a second gatekeeper included in the second subnetwork.

The second gatekeeper verifies the identification name and virtual IP address of the first IoT device included in the header of the packet to determine whether to accept the data request packet, and if accepted, the address matching table can be used to change the virtual IP address of the second IoT device to a real IP address, and transmit a packet including the changed header to the second IoT device. .

The second IoT device may generate a packet requested from the first IoT device, and transmit the generated packet to the first IoT device through a second gatekeeper.

As described above, according to the present invention, all data packets are transmitted through the gatekeeper to which the sending or receiving IoT device is connected, and the gatekeeper converts the real IP address of the sending IoT device included in the packet into a virtual IP address. In addition, when a specific IoT device is attacked from the outside, the traffic analysis attack is performed to determine what purpose the specific IoT device is used for. Although information can be obtained through this, the real IP address and the virtual IP address exposed to the outside are different from each other, making the traffic analysis attack difficult.

In addition, according to the present invention, a Masquerade attack that attempts to access under the guise of a legitimate access, a Denial of Service (DoS) attack that prevents the IoT device from operating normally, and a Man intervening in the middle -It has the effect of blocking In-Middle-Attack (MIMA) attacks and worms and viruses that try to infiltrate IoT devices at the gatekeeper stage.

1 is a configuration diagram for explaining an IoT communication system according to an embodiment of the present invention.
2 is a flowchart illustrating a communication method using an IoT communication system according to an embodiment of the present invention.
3 is a flowchart illustrating a method of performing communication between IoT devices connected to the same network according to another embodiment of the present invention.
4 is a flowchart illustrating a P2P communication method using an SDN-based IoT communication system according to an embodiment of the present invention.
5 is a flowchart illustrating a DNS-based IoT communication method according to an embodiment of the present invention.
FIG. 6 is a view for explaining step S510 shown in FIG. 5 .

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. In this process, the thickness of the lines or the size of the components shown in the drawings may be exaggerated for clarity and convenience of explanation.

In addition, the terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to the intention or custom of the user or operator. Therefore, definitions of these terms should be made based on the content throughout this specification.

Hereinafter, an IoT communication system according to an embodiment of the present invention will be described with reference to FIG. 1 .

1 is a configuration diagram for explaining an IoT communication system according to an embodiment of the present invention.

1, according to an embodiment of the present invention, an IoT communication system includes a plurality of IoT devices 110, 120, 130, 140, gatekeepers 210, 220, 230, 240, and an Internet server ( 300) is included.

First, the IoT devices 110 , 120 , 130 , and 140 represent devices that transmit and receive data between things using the wireless Internet in a state in which a sensor and a module for bus communication are built-in, and analyze and process the data. Here, the IoT devices 110 , 120 , 130 , and 140 include equipment, electronic devices, automatic vehicles, drones, and robots.

The IoT devices 110 , 120 , 130 , and 140 are connected to a network and include an identification name for identifying the device and an actual IP address. IP addresses are not randomly assigned, but are managed by grouping adjacent numbers according to a certain rule. That is, the plurality of IoT devices 110 , 120 , 130 , and 140 are grouped into corresponding sub-networks. In addition, the plurality of IoT devices 110 , 120 , 130 , 140 divides the generated data into packets and transmits them through the network. Here, the packet includes a header and a data part, and the header includes identification names and IP addresses of the IoT devices 110 , 120 , 130 , 140 that transmit and receive packets.

In other words, the identification names and IP addresses of the IoT devices 110, 120, 130, and 140 that transmit packets, and the identification names and IP addresses of the IoT devices 110, 120, 130, and 140 that receive packets are described. include address.

Meanwhile, in the embodiment of the present invention, an IoT device that transmits a packet among the plurality of IoT devices 110, 120, 130, 140 is referred to as a first IoT device 110, and an IoT device that receives the packet is referred to as the first IoT device 110. It is called a second IoT device 120 . In addition, the network to which the first IoT device 110 is connected is a first sub-network, and the network to which the second IoT device 120 is connected is a second sub-network. The network is different.

The gatekeepers 210, 220, 230, and 240 are installed in each of a plurality of sub-networks, and are connected to packets transmitted from a plurality of IoT devices 110, 120, 130, and 140 connected to the internal sub-network and to the external sub-network. A packet received from a plurality of IoT devices 110 , 120 , 130 , and 140 is received, and an IoT IP address included in the received packet is converted and verified.

In other words, when receiving a dynamic address assignment request signal from the IoT devices 110 , 120 , 130 , 140 connected to the corresponding sub-network, the gatekeepers 210 , 220 , 230 , and 240 perform the corresponding IoT devices 110 , 120 , 130, 140) are assigned matching entry information. Here, the matching entry information includes an arbitrarily assigned matching number and a virtual IP address. In addition, the gatekeepers 210, 220, 230, and 240 match basic information including identification names and real IP addresses given to the IoT devices 110, 120, 130, and 140 with the allocated matching entry information, and store it in the form of an address mapping table. do. Accordingly, the gatekeepers 210 , 220 , 230 , and 240 have as many address mapping tables (AMTs) as the total number of all IoT devices 110 , 120 , 130 , and 140 connected to the sub-network.

For example, when the first IoT device 110 to which the identification name of EN777 is assigned transmits a dynamic address assignment request signal to the corresponding first gatekeeper 210, the gatekeeper 210 returns a matching number ( Nonce777), a virtual IP address (vIP_EN777), and a real IP address (rIP_EN777) are generated and allocated to the first IoT device 110 . Then, the first gatekeeper 210 stores the allocated matching entry information in the form of an address mapping table as shown in Table 1 below.

Distinguished name matching number virtual IP address real IP address EN777 Nonce777 vIP_EN777 rIP_EN777

Then, upon receiving the packet from the first IoT device 110 , the first gatekeeper 210 extracts the real IP address of the first IoT device 110 included in the header of the packet. Then, the first gatekeeper 210 changes the extracted real IP address to a virtual IP address using pre-stored entry information, and then transmits the changed packet to the second IoT device 120 .

On the other hand, the packet transmitted from the first gatekeeper 210 is transferred to the second gatekeeper 220 installed in the second subnetwork. Then, the second gatekeeper 220 extracts the virtual IP address of the second IoT device 120 included in the header of the received packet. Next, the second gatekeeper 220 changes the extracted virtual IP address to a real IP address using the previously stored matching entry information, and transmits the changed packet to the second IoT device 120 .

In other words, packets transmitted or received from the plurality of IoT devices 110. 120, 130, 140 pass through the corresponding gatekeepers 210, 220, 230, and 240, and the gatekeepers 210, 220, 230, and 240. broadcasts by changing the real IP address included in the received packet to a virtual IP address. On the other hand, when some other external device operates as the calling device and the IoT devices 110. 120, 130, and 140 operate as the called device, the external device uses the matching entry information of the called device to access the subnetwork. will enter into That is, in order to communicate with the IoT devices 110. 120, 130, and 140 connected to the corresponding subnetwork, the gatekeepers 210, 220, 230, and 240 can be accessed using the virtual IP address. Therefore, the gatekeepers 210, 220, 230, and 240 first verify reliability before delivering the entered packet to the corresponding IoT device 110. 120, 130, and 140, and transmit the packet passing the verification to the corresponding IoT device ( 110. 120, 130, 140).

Finally, the Internet server 300 extracts the IP addresses of the IoT devices 110. 120, 130, 140 by using the identification names of the IoT devices 110. 120, 130, 140, and extracts the extracted things. The Internet of Things devices 110. 120, 130, and 140 are communicated using the IP addresses of the Internet devices 110. 120, 130, and 140.

In other words, the IoT devices 110 , 120 , 130 , and 140 transmit matching entry information allocated from the corresponding gatekeepers 210 , 220 , 230 , and 240 to the Internet server 300 . Then, the Internet server 300 registers the received matching entry information. When the first IoT device 110 that transmits the packet knows only the identification name of the second IoT device 120 that receives the packet in a state in which registration for matching entry information is completed, and transmits the packet, the first The IoT device 110 requests an IP address for the second IoT device 120 from the Internet server 300 . Then, the Internet server 300 extracts an IP address matching the identification name of the second IoT device 120 using the previously registered matching entry information. Then, the Internet server 300 transmits the extracted IP address of the second IoT device 120 to the corresponding first IoT device 110 .

On the other hand, the method of extracting the IP address corresponding to the name of the IoT device in order to perform communication between the IoT devices is classified into a technology using software-defined networking (SDN) and a technology using the domain name system (DNS). do. The first method extracts the IP address of the second IoT device 120 requested by the first IoT device 110 using an identification name, and uses the extracted IP address of the second IoT device 120 . Thus, when attempting to establish a connection between the first IoT device and the second IoT device, the SDN controller acts as a central control device.

On the other hand, the second method is a method of extracting the IP address of the second IoT device 120 using the Query/Reply protocol of the DNS system. In other words, the first IoT device 110 requests the IP address of the second IoT device 120 in a state where it knows the domain name of the second IoT device 120 . Then, the DNS system sends a plurality of An IP address matching the domain name of the second IoT device 120 is extracted through a query/response with affiliated servers.

Meanwhile, when the first IoT device 110 and the second IoT device 120 perform peer-to-peer (P2P) communication, SDN technology is used. In addition, when the first IoT device 110 is a client and the second IoT device 120 operates as a server, the DNS technology is used in Internet communication in a client/server method.

Hereinafter, a communication method using an IoT communication system according to an embodiment of the present invention will be described with reference to FIG. 2 .

2 is a flowchart illustrating a communication method using an IoT communication system according to an embodiment of the present invention.

As shown in FIG. 2 , the first IoT device 110 and the second IoT device 120 according to an embodiment of the present invention include a corresponding first gatekeeper 210 and a second gatekeeper 220 . Sends a dynamic address allocation request signal to Then, the first gatekeeper 210 and the second gatekeeper 220 allocate matching entry information to the corresponding first IoT device 110 and the second IoT device 120 ( S210 ).

In other words, the first IoT device 110 and the second IoT device 120 transmit a dynamic address allocation signal to the first gatekeeper 210 and the second gatekeeper 220 in a state in which identification names are assigned. do. Here, the first gatekeeper 210 is installed in the sub-network to which the first IoT device 110 is connected, and the second gatekeeper 220 is installed in the sub-network to which the second IoT device 120 is connected. it will be installed

Then, the first gatekeeper 210 and the second gatekeeper 220 authenticate the identification names of the first IoT device 110 and the second IoT device 120 , and the authentication is completed for the first IoT device. Address-related information is allocated to the 110 and the second IoT device 120 . Here, the address-related information includes a matching number, a virtual IP address, and a real IP address. Then, the first gatekeeper 210 and the second gatekeeper 220 register new matching entry information (identification name, matching number, virtual IP address, and real IP) in their address mapping tables. In this case, the matching number is used as an index value for the first gatekeeper 210 and the second gatekeeper 220 to find the relationship between the virtual IP address and the real IP address of a specific IoT device.

Next, the first IoT device 110 and the second IoT device 120 transfer the allocated matching entry information to the Internet server 300 and register it ( S220 ).

In other words, the first IoT device 110 and the second IoT device 120 to which the matching entry information is allocated perform a registration procedure of address-related information in the Internet server 300 . Here, the Internet server 300 is based on one technology selected from a technology using software-defined networking (SDN) and a technology using a domain name system (DNS).

이고, 제1게이트키퍼(210)로부터 매칭번호(

), 가상 IP 주소(vIP_

) 및 실재 IP 주소(rIP_

)를 할당 받았다고 가정한다. 그러면 제1 사물인터넷 장치(110)는 식별명칭(

), 매칭번호(Nonce

) 및 가상 IP 주소(vIP_

)를 SDN 인터넷 서버(300)에 송신하여 등록시킨다. First, when registering address-related information in the SDN-based Internet server 300 , the first IoT device 110 and the second IoT device 120 provide an identification name, a matching number, and a virtual IP address to the SDN. It is transmitted to the base Internet server 300 . For example, the identification name of the first IoT device 110 is

and the matching number from the first gatekeeper 210 (

), virtual IP address (vIP_

) and real IP address (rIP_

) is assumed to be assigned. Then, the first IoT device 110 identifies the name (

), matching number (Nonce)

) and virtual IP address (vIP_

) is transmitted to the SDN Internet server 300 and registered.

On the other hand, when registering address-related information in the DNS-based Internet server 300 , the IoT device 100 transmits the wholesaler identification name, matching number, and virtual IP address to the DNS-based Internet server 300 . do.

.utopia.com이고, 게이트키퍼(200)로부터 매칭번호(

), 가상 IP 주소(vIP_

) 및 실재 IP 주소(rIP_

)를 할당 받았다고 가정한다. 그러면 사물인터넷 장치(100)는 식별명칭(

.utopia.com), 매칭번호(

,) 및 가상 IP 주소(vIP_

)를 SDN 인터넷 서버(300)에 송신한다. For example, the identification name of the IoT device 100 is

It is .utopia.com, and the matching number (

), virtual IP address (vIP_

) and real IP address (rIP_

) is assumed to be assigned. Then, the IoT device 100 identifies the name (

.utopia.com), matching number (

,) and virtual IP address (vIP_

) to the SDN Internet server 300 .

The SDN or DMS-based Internet server 300 authenticates and registers the received registration request information, and then transmits a registration completion signal to the corresponding IoT device 100 (S225).

When registration is completed in steps S220 and S225, the first IoT device 110 transmits the IP of the second IoT device 120 to the second IoT device 120 connected to another sub-network. The address information is requested and received from the Internet server 300 (S230).

In other words, in a state where only the identification name of the second IoT device 120 is known, the first IoT device 110 sends the matching number and IP address of the second IoT device 120 to the Internet server 300 . request. Then, the Internet server 300 extracts the registered matching number and virtual IP address using the received identification name of the second IoT device 120 , and then uses the extracted matching number and virtual IP address as the first Internet of Things (IoT) address. to the device 110 .

Next, the first IoT device 110 generates a packet and transmits it to the first gatekeeper 210 (S240).

Meanwhile, the packet includes a header and a data part, and the header includes information on addresses of the first IoT device 110 and the second IoT device 120 . In other words, the first IoT device 110 includes the matching number and the real IP address assigned from the first gatekeeper 210 and the matching number of the second IoT device 120 received from the Internet server 300 . and a virtual IP address are inserted into the header. Upon receiving the packet, the first gatekeeper 210 changes the header value of the packet and broadcasts the changed packet toward the second IoT device 120 (S250).

In other words, the first gatekeeper 210 extracts the matching number and the real IP address of the first IoT device 110 from the received packet. Then, the first gatekeeper 210 obtains the virtual IP address of the first IoT device 110 from a pre-stored address mapping table using the extracted matching number. Next, the first gatekeeper 210 changes the real IP address of the first IoT device 110 included in the header of the packet to the obtained virtual IP address.

The packet transmitted in S250 first arrives at the second gatekeeper 220 installed in the subnetwork to which the second IoT device 120 is connected. Then, the second gatekeeper 220 changes the header value of the received packet, and transmits the changed packet to the second IoT device 120 (S260).

In order to access a specific IoT device 110 , 120 , 130 , 140 , the corresponding IoT device 110 , 120 , 130 , 140 must first pass through the gatekeepers 21 , 220 , 230 , and 240 . That is, the packet broadcast from the first gatekeeper 210 passes through the second gatekeeper 220 before reaching the second IoT device 120 . At this time, the second gatekeeper 220 extracts the matching number and virtual IP address of the second IoT device 120 included in the header of the packet, and uses the extracted matching number to perform the second IoT device 120 . Get the real IP address of Next, the second gatekeeper 220 changes the virtual IP address of the second IoT device 120 included in the packet header to the real IP address obtained, and then converts the changed packet to the second IoT device 120 . ) is transmitted to

The IoT communication system according to an embodiment of the present invention may block access to the IoT device 110 using the real IP address by inducing communication between the IoT devices 100 using the virtual IP address. In addition, the gatekeeper 200 implements the same role as a router, but verifies all packets transmitted or received from the plurality of IoT devices 100 connected to the sub-network, and is transmitted to the IoT device 100 . It protects IoT devices from hacker attacks by identifying whether a packet contains malicious or aggressive content.

Hereinafter, a method of performing communication between IoT devices connected to the same network using FIG. 3 will be described.

3 is a flowchart illustrating a method of performing communication between IoT devices connected to the same network according to another embodiment of the present invention.

In FIG. 3, for convenience of description, the first IoT devices 110-1, 110-2, and 110-3 included in the first subnetwork will be described as an example.

)(110-1), 자율주행차량(

)(110-2) 및 카메라 장치(

)(110-3)을 포함할 수 있다. At this time, the plurality of IoT devices connected to the first sub-network are autonomous vehicles (

) (110-1), autonomous vehicle (

) (110-2) and the camera device (

) (110-3).

)(110-1)이 동일 서브네트워크에 소속된 자율주행차량(

)(110-2) 및 카메라 장치(

)(110-3)에 각각 데이터 패킷을 보내는 경우에 대하여 설명한다. 4, the autonomous vehicle (

) (110-1) is an autonomous vehicle belonging to the same subnetwork (

) (110-2) and the camera device (

), a case in which data packets are transmitted to 110-3 will be described.

)(110-1), 자율주행차량(

)(110-2) 및 카메라 장치(

)(110-3)는 해당 게이트키퍼(200)에 동적 주소 할당 요청신호를 송신하여 게이트키퍼(200)로부터 매칭번호, 가상 IP주소 및 실재 IP 주소를 할당 받는다. 그리고, 제1 자율주행차량(

)(110-1), 제2 자율주행차량(

)(110-2) 및 카메라 장치(

)(110-3)는 SDN 또는 DNS 기반의 인터넷 서버(300)에 각각의 매칭 번호 및 IP주소가 등록된 상태이다. First, autonomous vehicles (

) (110-1), autonomous vehicle (

) (110-2) and the camera device (

) 110-3 transmits a dynamic address assignment request signal to the corresponding gatekeeper 200 to receive a matching number, virtual IP address, and real IP address assigned from the gatekeeper 200 . And, the first autonomous vehicle (

) (110-1), the second autonomous vehicle (

) (110-2) and the camera device (

) 110-3 indicates that each matching number and IP address are registered in the SDN or DNS-based Internet server 300 .

)(110-1)은 제2 자율주행차량(

)(110-2)과의 양방향 통신을 수행하기 위하여 패킷을 전송한다(S310). Then, as shown in FIG. 3, the first autonomous vehicle (

) (110-1) is the second autonomous vehicle (

) transmits a packet to perform bidirectional communication with 110-2 (S310).

)(110-1)의 실재 IP주소 및 매칭번호(

)와 제2 자율주행차량(

)(110-2)의 가상 IP주소 및 매칭번호(

)를 포함한다. 전송된 패킷은 해당 게이트키퍼(200)에 먼저 도달하게 된다. At this time, in the header of the transmitted packet, the first autonomous vehicle (

) (110-1) real IP address and matching number (

) and the second autonomous vehicle (

) (110-2) virtual IP address and matching number (

) is included. The transmitted packet arrives at the corresponding gatekeeper 200 first.

)(110-2)에게 전달한다(S320).Then, the gatekeeper 200 verifies the packet and changes the header of the packet. Then, the gatekeeper 200 transmits the changed packet to the second autonomous vehicle (

) to (110-2) (S320).

)(110-1)의 실재 IP주소 및 매칭번호(

)를 추출하고, 기 저장된 주소 매핑 테이블을 이용하여 제1 자율주행차량(

)(110-1)의 가상 IP 주소를 획득한다. 그리고 게이트키퍼(200)는 패킷의 헤더에 포함된 제1 자율주행차량(

)(110-1)의 실재 IP 주소를 획득한 가상 IP로 변경한다. In other words, the gatekeeper 200 is the first autonomous vehicle (

) (110-1) real IP address and matching number (

) and using a pre-stored address mapping table to extract the first autonomous vehicle (

) obtains a virtual IP address of 110-1. And the gatekeeper 200 is the first autonomous vehicle (

) (110-1) changes the real IP address to the acquired virtual IP.

)(110-2)의 가상 IP주소 및 매칭번호(

)를 추출하고, 기 저장된 주소 매핑 테이블을 이용하여 제2 자율주행차량(

)(110-2)의 실재 IP 주소를 획득한다. 그리고 게이트키퍼(200)는 패킷의 헤더에 포함된 제2 자율주행차량(

)(110-2)의 가상 IP 주소를 획득한 실재 IP로 변경한다.In addition, the gatekeeper 200 includes the second autonomous vehicle (

) (110-2) virtual IP address and matching number (

) and using a pre-stored address mapping table to extract the second autonomous vehicle (

) to obtain the real IP address of 110-2. And the gatekeeper 200 is the second autonomous vehicle (

), the virtual IP address of 110-2 is changed to the obtained real IP.

)(110-2)에 전달한다. Then, the gatekeeper 200 transmits the changed packet to the second autonomous vehicle (

) to (110-2).

)(110-1)과 동일 서브 네트워크에 머무르는 카메라 장치(

)(110-3)와의 통신을 수행할 경우, 제1 자율주행차량(

)(110-1)은 패킷을 생성하여 송신한다(S330). In addition, the first autonomous vehicle (

) (110-1) and a camera device (

) (110-3), the first autonomous vehicle (

) 110-1 generates and transmits a packet (S330).

)(110-3)에서 전송된 패킷의 해더에는 제1 자율주행차량(

)(110-1)의 실재 IP주소 및 매칭번호(

)와 카메라 장치(

)(110-3)의 가상 IP주소 및 매칭번호(

)를 포함한다. 전송된 패킷은 해당 게이트키퍼(200)에 먼저 도달하게 된다. At this time, the first autonomous vehicle (

) in the header of the packet transmitted in 110-3, the first autonomous vehicle (

) (110-1) real IP address and matching number (

) and the camera device (

) (110-3) virtual IP address and matching number (

) is included. The transmitted packet arrives at the corresponding gatekeeper 200 first.

)(110-3)에게 전달한다(S340).Then, the gatekeeper 200 verifies the packet and changes the header of the packet. Then, the gatekeeper 200 transmits the changed packet to the camera device (

) (110-3) (S340).

)(110-1)의 실재 IP주소 및 매칭번호(

)를 추출하고, 기 저장된 주소 매핑 테이블을 이용하여 제1 자율주행차량(

)(110-1)의 가상 IP 주소를 획득한다. 그리고 게이트키퍼(200)는 패킷의 헤더에 포함된 제1 자율주행차량(

)(110-1)의 실재 IP 주소를 획득한 가상 IP로 변경한다. In other words, the gatekeeper 200 is the first autonomous vehicle (

) (110-1) real IP address and matching number (

) and using a pre-stored address mapping table to extract the first autonomous vehicle (

) obtains a virtual IP address of 110-1. And the gatekeeper 200 is the first autonomous vehicle (

) (110-1) changes the real IP address to the acquired virtual IP.

)(110-3)의 가상 IP주소 및 매칭번호(

)를 추출하고, 기 저장된 주소 매핑 테이블을 이용하여 카메라 장치(

)(110-3)의 실재 IP 주소를 획득한다. 그리고 게이트키퍼(200)는 패킷의 헤더에 포함된 카메라 장치(

)(110-3)의 의 가상 IP 주소를 획득한 실재 IP로 변경한다.In addition, the gatekeeper 200 includes a camera device (

) (110-3) virtual IP address and matching number (

), and the camera device (

) to obtain the real IP address of (110-3). And the gatekeeper 200 is a camera device included in the header of the packet (

), the virtual IP address of 110-3 is changed to the obtained real IP.

)(110-3)에 전달한다.Then, the gatekeeper 200 transmits the changed packet to the camera device (

) to (110-3).

As such, the IoT communication method according to an embodiment of the present invention may implement a mobile edge computing technology. In other words, the gatekeeper 200 performs communication between the IoT devices 110-1, 110-2, and 110-3 connected to the same subnetwork by applying the MEC technology. In particular, the IoT communication method can achieve the effect of maximizing communication security and shortening data transmission by applying MEC technology in an autonomous vehicle environment. Hereinafter, a P2P communication method using an SDN-based IoT communication system according to another embodiment of the present invention will be described in more detail with reference to FIG. 4 .

4 is a flowchart illustrating a P2P communication method using an SDN-based IoT communication system according to another embodiment of the present invention.

First, the first IoT device 110 and the second IoT device 120 transmit a dynamic address allocation request signal to the corresponding first gatekeeper 210 and the second gatekeeper 220, and accordingly It is assumed that matching numbers, virtual IP addresses, and real IP addresses are allocated from the first gatekeeper 210 and the second gatekeeper 220 .

Then, as shown in FIG. 4 , the first IoT device 110 queries the Internet server 300 for the IP address of the second IoT device 120 , and receives information therefor. (S410).

이고, 제1 게이트키퍼(210)로부터 [

, vIP_

, rIP_

]의 매칭 엔트리 정보를 할당받은 제1 사물인터넷 장치(110)가 식별명칭이

인 제2사물인터넷 장치(120)에게 패킷을 송신하고자 할 경우, 제1 사물인터넷 장치(110)는 제2사물인터넷 장치의 식별명칭(

)을 인터넷서버(300)에 전달하여 IP주소를 요청한다. In other words, the identification name is

and from the first gatekeeper 210 [

, vIP_

, rIP_

The first IoT device 110 to which the matching entry information of ] is assigned has an identification name

When a packet is to be transmitted to the second IoT device 120, the first IoT device 110 provides an identification name (

) to the Internet server 300 to request an IP address.

)에 매칭되는 매칭번호(

) 및 가상 IP 주소(vIP_

)를 추출한 다음, 추출된 매칭번호(

) 및 가상 IP 주소(vIP_

)를 제1 사물인터넷 장치(110)에 응답형식으로 전달한다.Then, the Internet server 300 uses the registration information stored in the database to identify the name (

) matching number (

) and virtual IP address (vIP_

), and then the extracted matching number (

) and virtual IP address (vIP_

) to the first IoT device 110 in the form of a response.

When step S410 is completed, the first IoT device 110 generates and transmits a session establishment packet including its own address information and address information of the second IoT device 120 (S420).

, D.IP= vIP_

, Op.1=

, Op.2=

]로 구성된다. 생성된 패킷은 목적지인 제2 사물인터넷 장치(120)로 전송된다. 전송된 패킷은 제1 게이트키퍼(210)에 도달하게 된다. 그러면, 제1 게이트키퍼(210)는 패킷의 헤더를 [S.IP= vIP_

, D.IP= vIP_

, Op.1=

, Op.2=

]로 변경한 다음, 제2 사물인터넷 장치(120)가 접속되어 있는 제2 게이트키퍼(220) 방향으로 브로드캐스팅한다. At this time, the related field of the packet header related to the address area is [S.IP= rIP_

, D.IP= vIP_

, Op.1=

, Op.2=

] is composed of The generated packet is transmitted to the second IoT device 120 as a destination. The transmitted packet arrives at the first gatekeeper 210 . Then, the first gatekeeper 210 sets the header of the packet to [S.IP=vIP_

, D.IP= vIP_

, Op.1=

, Op.2=

], and then broadcast in the direction of the second gatekeeper 220 to which the second IoT device 120 is connected.

, D.IP= rIP_

, Op.1=

, Op.2=

]로 변경한다. 그리고, 변경된 패킷을 실질적으로 rIP_

를 사용하는 제2 사물인터넷 장치(120)에 전달한다. The broadcast packet arrives at the second gatekeeper 220 via the Internet in the usual way. Then, the second gatekeeper 220 verifies the security of the arrived packet, and sets the header of the packet to [S.IP=vIP_

, D.IP= rIP_

, Op.1=

, Op.2=

change to ]. And, the changed packet is effectively rIP_

is transmitted to the second IoT device 120 using

When the second IoT device 120 accepts the session request from the first IoT device 110 , the second IoT device 120 generates and transmits a session request acceptance response packet ( S430 ).

, vIP_

)를 추출한다. 그리고, 제2 사물인터넷 장치(120)는 추출된 주소관련 정보를 이용하여 패킷 헤더의 관련 필드가 [S.IP=rIP_

, D.IP= vIP_

, Op.1=

, Op.2=

]로 구성된 패킷을 생성하여 제1 사물인터넷 장치(110)에게 송신한다. In other words, the second IoT device 120 includes address-related information (

, vIP_

) is extracted. Then, the second IoT device 120 uses the extracted address-related information to set the related field of the packet header to [S.IP=rIP_

, D.IP= vIP_

, Op.1=

, Op.2=

] is generated and transmitted to the first IoT device 110 .

, D.IP= vIP_

, Op.1=

, Op.2=

]로 변경하여 제1 사물인터넷 장치(110)와 동일한 서브네트워크에 포함된 제1 게이트키퍼(210)에 브로드캐스팅한다. The transmitted packet arrives at the second gatekeeper 220, and the second gatekeeper 220 sets the packet header to [S.IP=vIP_

, D.IP= vIP_

, Op.1=

, Op.2=

] to broadcast to the first gatekeeper 210 included in the same subnetwork as the first IoT device 110 .

, D.IP= rIP_

, Op.1=

, Op.2=

]로 변경한다. 그리고, 변경된 패킷을 실질적으로 rIP_

를 사용하는 제1 사물인터넷 장치(110)에 전달한다. The broadcast packet arrives at the first gatekeeper 210 via the usual method of the Internet. Then, the first gatekeeper 210 verifies the security of the arrived packet, and sets the header of the packet to [S.IP=vIP_

, D.IP= rIP_

, Op.1=

, Op.2=

change to ]. And, the changed packet is effectively rIP_

is transmitted to the first IoT device 110 using

When the acceptance response to the session request is completed, the first IoT device 110 and the second IoT device 120 perform two-way P2P communication (S440).

That is, when the first IoT device 110 generates and transmits a packet, the transmitted packet does not reach the first gatekeeper 210 to which it belongs, and the second gate to which the second IoT device 120 belongs. The keeper 220 is reached. Then, the second gatekeeper 220 performs verification and address conversion on the received packet, and then transmits the packet in which the header value of the packet is changed to the second IoT device 120 .

Similarly, when the second IoT device 120 generates and transmits a packet, the transmitted packet does not reach the second gatekeeper 220 to which it belongs, and does not reach the first gate to which the first IoT device 110 belongs. The keeper 210 is reached. Then, the first gatekeeper 210 performs verification and address conversion on the received packet, and then transmits the packet in which the header value of the packet is changed to the first IoT device 110 .

Hereinafter, a DNS-based IoT communication method according to another embodiment of the present invention will be described in more detail with reference to FIGS. 5 and 6 .

5 is a flowchart illustrating a DNS-based IoT communication method according to another embodiment of the present invention.

First, the first IoT device 110 and the second IoT device 120 transmit a dynamic address allocation request signal to the corresponding first gatekeeper 210 and the second gatekeeper 220, and accordingly, the first It is assumed that a matching number, a virtual IP address, and a real IP address are allocated from the gatekeeper 210 and the second gatekeeper 220 .

Then, as shown in FIG. 5 , the first IoT device 110 queries the Internet server 300 for the IP address of the second IoT device 120 and receives information about it ( S510).

이고, 제1 게이트키퍼(210)로부터 [

, vIP_

, rIP_

]의 매칭 엔트리 정보를 할당받은 제1 사물인터넷 장치(110)가 식별명칭이

인 제2사물인터넷 장치(120)에게 패킷을 송신하고자 할 경우, 제1 사물인터넷 장치(110)는 제2사물인터넷 장치의 도메인 식별명칭(

.utopia.com)을 인터넷서버(300)에 전달하여 IP주소를 요청한다. In other words, the identification name is

and from the first gatekeeper 210 [

, vIP_

, rIP_

The first IoT device 110 to which the matching entry information of ] is assigned has an identification name

When a packet is to be transmitted to the second IoT device 120, the first IoT device 110 sets the domain identification name (

utopia.com) to the Internet server 300 to request an IP address.

On the other hand, the DNS-based Internet server 300 is composed of a plurality of affiliated servers (AU). The affiliated server includes a root domain server at the highest level and a plurality of sub-domain servers. Meanwhile, since the IP address of the root domain server is not changed, all of the plurality of domain servers recognize the root domain server.

Hereinafter, a process in which the first IoT device 110 acquires address information of the second IoT device 120 through a query with a plurality of affiliated servers will be described with reference to FIG. 6 .

FIG. 6 is a view for explaining step S510 shown in FIG. 5 .

As shown in FIG. 6 , first, the first IoT device 110 inquires for an IP address of the nearest DNS server in order to find out the address of the second IoT device 120 ( S511 ).

If the nearest DNS server (hereinafter referred to as a “first affiliated server”) knows the IP address of the second IoT device 120 , it immediately provides the IP address. On the other hand, when the first affiliate server does not know the IP address of the second IoT device 120, the first affiliate server requests an inquiry from the root domain server (S512).

The root domain server transmits the IP address of the related affiliate server to the first affiliate server using the domain identification name of the second IoT device 120 (S513).

.utopia.com일 경우, 최상위 도메인이 ".com"이 된다. 따라서, 루트 도메인서버는 ".com"이 등록된 소속 서버의 IP주소를 제1 소속서버에 전달한다. For example, the domain identification name of the second IoT device 120 is

If it is .utopia.com, the top-level domain will be ".com". Accordingly, the root domain server transfers the IP address of the affiliated server where ".com" is registered to the first affiliated server.

Then, the first affiliated server inquires of the name server managing ".com" (S614).

Then, the ".com" name server searches for the IP address of the second IoT device 120 using its own database. As a result of the search, if the IP address of the second IoT device 120 is unknown, the ".com" name server provides the IP address of the name server of "utopia", which is a subordinate server, to the first affiliated server (S515).

The first affiliated server inquires the IP address of the second IoT device 120 from the name server of “utopia” using the IP address of the name server of “utopia” received from the name server “.com” (S516) .

Finally, the name server of “utopia” searches for the IP address of the inquired second IoT device 120 using its own database. Then, when the IP address of the second IoT device 120 is found, the name server of “utopia” extracts the matching number and IP address of the second IoT device 120 and provides it to the first affiliated server (S517). ).

) 및 IP주소(vIP_

)를 제1 사물인터넷 장치(110)에게 전달한다(S518). Then, the first affiliated server receives the matching number (

) and IP address (vIP_

) to the first IoT device 110 (S518).

Upon completion of step S610, the first IoT device 110 transmits an HTTP request packet to the second IoT device 120 as a client (S520).

, D.IP= vIP_

, Op.1=

, Op.2=

]로 구성된다. 생성된 HTTP요청 패킷은 제2 사물인터넷 장치(120)를 향하여 전송된다. 전송된 HTTP요청 패킷은 제2 사물인터넷 장치(120)에 전달되기 전에 제1 게이트키퍼(210)에 도달하며, 제1 게이트키퍼(210)는 HTTP요청 패킷의 헤더를 [S.IP= vIP_

, D.IP= vIP_

, Op.1=

, Op.2=

]로 변경한다. 그 다음, 제1 게이트키퍼(210)는 제2 사물인터넷 장치(120)가 속한 제2 게이트키퍼(220)방향으로 HTTP요청 패킷을 브로드캐스팅한다. In other words, the first IoT device 110 generates an HTTP request packet. At this time, the relevant field of the header of the HTTP request packet is [S.IP= rIP_

, D.IP= vIP_

, Op.1=

, Op.2=

] is composed of The generated HTTP request packet is transmitted toward the second IoT device 120 . The transmitted HTTP request packet arrives at the first gatekeeper 210 before being delivered to the second IoT device 120, and the first gatekeeper 210 sets the header of the HTTP request packet to [S.IP=vIP_

, D.IP= vIP_

, Op.1=

, Op.2=

change to ]. Next, the first gatekeeper 210 broadcasts the HTTP request packet in the direction of the second gatekeeper 220 to which the second IoT device 120 belongs.

, D.IP= rIP_

, Op.1=

, Op.2=

]로 변경한 다음, 변경된 HTTP요청 패킷을 실질적으로 rIP_

를 사용하는 제2 사물인터넷 장치(120)에 전달한다. The HTTP request packet arrives at the second gatekeeper 220 via the Internet in a conventional manner. Then, the second gatekeeper 220 verifies the packet, and sets the header of the verified packet as S.IP=vIP_

, D.IP= rIP_

, Op.1=

, Op.2=

], then the changed HTTP request packet is effectively rIP_

is transmitted to the second IoT device 120 using

If the second IoT device 120 can provide file information specified by the HTTP request of the first IoT device 110 , the second IoT device 120 generates and generates an HTTP response packet. The HTTP response packet is transmitted toward the first IoT device 110 (S530).

, vIP_

)를 추출한다. 그리고, 제2 사물인터넷 장치(120)는 추출된 주소관련 정보를 이용하여 패킷 헤더의 관련 필드가 [S.IP=rIP_

, D.IP= vIP_

, Op.1=

, Op.2=

]로 구성된 HTTP 응답 패킷을 생성하여 제1 사물인터넷 장치(110)에게 송신한다. In other words, the second IoT device 120 includes address-related information (

, vIP_

) is extracted. Then, the second IoT device 120 uses the extracted address-related information to set the related field of the packet header to [S.IP=rIP_

, D.IP= vIP_

, Op.1=

, Op.2=

] is generated and transmitted to the first IoT device 110 .

, D.IP= vIP_

, Op.1=

, Op.2=

]로 변경하여 제1 사물인터넷 장치(110)에 소속되어 있는 제1 게이트키퍼(210)에 브로드캐스팅한다. The transmitted HTTP response packet arrives at the second gatekeeper 220, and the second gatekeeper 220 sets the packet header to [S.IP=vIP_

, D.IP= vIP_

, Op.1=

, Op.2=

] to broadcast to the first gatekeeper 210 belonging to the first IoT device 110 .

, D.IP= rIP_

, Op.1=

, Op.2=

]로 변경한다. 그리고, 변경된 패킷을 실질적으로 rIP_

를 사용하는 제1 사물인터넷 장치(110)에 전달한다. 이렇게 하여 제1 사물인터넷 장치(110)는 제2 사물인터넷장치(120)에서 보내주는 HTTP 응답 패킷에 포함된 원하는 파일 정보를 수신할 수 있다. The broadcast HTTP response packet arrives at the first gatekeeper 210 via a conventional method of the Internet. Then, the first gatekeeper 210 verifies the security of the arrived packet, and sets the header of the packet to [S.IP=vIP_

, D.IP= rIP_

, Op.1=

, Op.2=

change to ]. And, the changed packet is effectively rIP_

is transmitted to the first IoT device 110 using In this way, the first IoT device 110 may receive desired file information included in the HTTP response packet sent from the second IoT device 120 .

As described above, according to the present invention, all data packets are transmitted through the gatekeeper to which the sending or receiving IoT device is connected, and the gatekeeper converts the real IP address of the sending IoT device included in the packet into a virtual IP address. In addition, when a specific IoT device is attacked from the outside, the traffic analysis attack is performed to determine what purpose the specific IoT device is used for. Although information can be obtained through this, the real IP address and the virtual IP address exposed to the outside are different from each other, making the traffic analysis attack difficult.

In addition, the IoT communication system according to the present invention provides a masquerade attack that attempts to access under the guise of a legitimate access, a Denial of Service (DoS) attack that prevents the IoT device from operating normally, and a third party intervenes It has the effect of blocking Man-In-Middle-Attack (MIMA) attacks and worms and viruses that try to infiltrate IoT devices at the gatekeeper stage.

Although the present invention has been described with reference to the embodiment shown in the drawings, this is merely exemplary, and it will be understood by those skilled in the art that various modifications and equivalent other embodiments are possible therefrom. will be. Therefore, the true technical protection scope of the present invention should be determined by the technical spirit of the following claims.

110, 120, 130, 140: IoT device
210, 220, 230, 240: Gatekeeper
300: Internet Server

Claims (26)

In the IoT communication system having a packet safety verification function,
A plurality of IoT devices connected to the subnetwork and generating and transmitting or receiving packets;
The identification name, matching number, and virtual IP address received from the plurality of IoT devices are registered, and the registered matching number and virtual IP address are provided to the IoT device to communicate between the IoT device and other IoT devices. an Internet server that connects the communications of
It is installed in each sub-network, and it allocates matching entry information to a plurality of IoT devices connected to the corresponding sub-network, verifies the packet received from the IoT device, and is included in the header of the verified packet. An IoT communication system including a gatekeeper that changes the IP address of an existing IoT device from an actual IP address to a virtual IP address and transmits it to the corresponding IoT device. According to claim 1,
The IoT device is
An IoT communication system including at least one of equipment, electronic devices, automatons, drones, and robots. According to claim 1,
The IoT device is
Sends a dynamic address allocation request signal to the gatekeeper with an identification name assigned,
The gatekeeper is
An IoT communication system for generating matching entry information including a matching number, a real IP address, and a virtual IP address, allocating the matching entry information to the corresponding IoT device, and storing the allocated matching entry information in the form of an address mapping table. 4. The method of claim 3,
The internet server is
An IoT communication system based on one technology selected from the technology using Software-Defined Networking (SDN) and the technology using Domain Name System (DNS). 5. The method of claim 4,
If the IoT device that transmits the packet is called the first IoT device and the IoT device that receives the packet is called the second IoT device,
The internet server is
The matching number and virtual IP address of the second IoT device are extracted by comparing the identification name of the second IoT device received from the first IoT device with previously registered information, and matching of the extracted second IoT device An IoT communication system that delivers a number and a virtual IP address to the first IoT device. 6. The method of claim 5,
The packet includes a header and a data part,
The header is
An IoT communication system including an IP address of the first IoT device, an IP address of a second IoT device, a matching number of the first IoT device, and a matching number of the second IoT device. 7. The method of claim 6,
When the first IoT device connected to the first subnetwork transmits a packet to the second IoT device,
A first gatekeeper included in the first subnetwork,
The real IP address of the first IoT device included in the header of the packet is changed to a virtual IP address using the stored address matching table, and the packet including the changed header is converted into a second IoT device connected to the second IoT device. Internet of Things communication system that transmits to the gatekeeper. 8. The method of claim 7,
the second gatekeeper,
Extracting the virtual IP address of the second IoT device included in the header of the received packet, changing the extracted virtual IP address of the second IoT device to the real IP address using the stored address matching table, An IoT communication system that delivers a packet including a header to a second IoT device. According to claim 1,
When communication is performed between a plurality of IoT devices connected to the same subnetwork, packets transmitted or received from the IoT devices pass through the same gatekeeper,
The gatekeeper is
The real IP address of the sending IoT device included in the header of the packet received from the sending IoT device is changed to a virtual IP address, the virtual IP address of the receiving IoT device is changed to the real IP address, and the changed packet is changed. An IoT communication system that delivers In the IoT communication connection system based on P2P,
A plurality of IoT devices connected to the subnetwork and generating and transmitting or receiving packets;
The identification name, matching number, and virtual IP address received from the plurality of IoT devices are registered, and the registered matching number and virtual IP address are provided to the IoT device to communicate between the IoT device and other IoT devices. an Internet server that connects the communications of
It is installed in each sub-network, and it allocates matching entry information to a plurality of IoT devices connected to the corresponding sub-network, verifies the packet received from the IoT device, and is included in the header of the verified packet. It includes a gatekeeper that changes the IP address of the IoT device from an actual IP address to a virtual IP address and transmits it to the IoT device,
The gatekeeper is
An IoT communication system for performing session establishment by verifying the session establishment request packet generated from the IoT device. 11. The method of claim 10,
The IoT device is
An IoT communication system including at least one of equipment, electronic devices, automatons, drones, and robots. 12. The method of claim 11,
The IoT device is
Sends a dynamic address allocation request signal to the gatekeeper with an identification name assigned,
The gatekeeper is
An IoT communication system for generating matching entry information including a matching number, a real IP address, and a virtual IP address, allocating the matching entry information to the corresponding IoT device, and storing the allocated matching entry information in the form of an address mapping table. 12. The method of claim 11,
The header included in the packet is
IoT including the IP address of the first IoT device corresponding to the transmitting side, the IP address of the second IoT device corresponding to the receiving side, the matching number of the first IoT device, and the matching number of the second IoT device communication system. 14. The method of claim 13,
The internet server is
The matching number and virtual IP address of the second IoT device are extracted by comparing the identification name of the second IoT device received from the first IoT device with previously registered information, and matching of the extracted second IoT device An IoT communication system that delivers a number and a virtual IP address to the first IoT device. 15. The method of claim 14,
When the first IoT device connected to the first subnetwork transmits a session request packet to the second IoT device connected to the second subnetwork,
A first gatekeeper included in the first subnetwork,
The real IP address of the first IoT device included in the header of the packet is changed to a virtual IP address using the address matching table, and the session request packet including the changed header is transferred to the second gate included in the second subnetwork. Internet of Things communication system that transmits to the keeper. 16. The method of claim 15,
the second gatekeeper,
determining whether to accept the session request packet by verifying the identification name and virtual IP address of the first IoT device included in the header of the session request packet;
In case of acceptance, the virtual IP address of the second IoT device is changed to an actual IP address using the stored address matching table, and a packet requesting data including the changed header is transmitted to the second IoT device. communication system. 17. The method of claim 16,
When verification of the session request packet is completed and session establishment is completed,
The first IoT device,
Transmitting the generated packet to the second gatekeeper,
The second IoT device,
An IoT communication system that transmits the generated packet to the first gatekeeper. In the Internet of Things communication connection system based on DNS (Domain Name System),
A plurality of IoT devices connected to the subnetwork and generating and transmitting or receiving packets;
It includes a plurality of affiliated servers, and registers the domain type identification name, matching number, and virtual IP address received from the IoT device in any one affiliated server among the plurality of affiliated servers, and the registered matching number and virtual IP address An Internet server that connects the communication between the IoT device and another IoT device by providing the address to the IoT device with which it wants to communicate; and
It is installed in each sub-network, and it allocates matching entry information to a plurality of IoT devices connected to the corresponding sub-network, verifies the packet received from the IoT device, and is included in the header of the verified packet. An IoT communication system including a gatekeeper that changes the IP address of an existing IoT device from an actual IP address to a virtual IP address and transmits it to the corresponding IoT device. 19. The method of claim 18,
The IoT device is
An IoT communication system including at least one of equipment, electronic devices, automatons, drones, and robots. 19. The method of claim 18,
The IoT device is
Sends a dynamic address allocation request signal to the gatekeeper with an identification name assigned,
The gatekeeper is
An IoT communication system for generating matching entry information including a matching number, a real IP address, and a virtual IP address, allocating the matching entry information to the corresponding IoT device, and storing the allocated matching entry information in the form of an address mapping table. 21. The method of claim 20,
In a state where the first IoT device corresponding to the transmitting side is connected to the first sub-network and the second IoT device corresponding to the receiving side is connected to the second sub-network,
When the first IoT device queries the Internet server about the IP address of the second IoT device,
The internet server is
A query regarding the IP address of the second IoT device is transmitted to the upper-level name server among the plurality of affiliated servers, and if there is no DNS query result in the upper-level name server, the upper-level name server returns the IP address of the lower-level name server to the first thing An Internet of Things (IoT) communication system that continuously performs queries and responses by sending it to Internet devices. 22. The method of claim 21,
The affiliated server is
An IoT communication system that extracts a virtual IP address of a second IoT device using the matching entry information registered in its own database, and delivers the extracted virtual IP address to the first IoT device in a DNS reply format. 22. The method of claim 21,
The header included in the packet is
A thing including the IP address of the first IoT device corresponding to the transmitting side, the IP address of the second IoT device corresponding to the receiving side, the matching number of the first IoT device, and the matching number of the second IoT device Internet communication system. 24. The method of claim 23,
When the first IoT device transmits a data request packet to the second IoT device,
A first gatekeeper included in the first subnetwork,
The real IP address of the first IoT device included in the header of the packet is changed to a virtual IP address using the stored address matching table, and the packet including the changed header is converted to a second gate included in the second subnetwork. Internet of Things communication system that transmits to the keeper. 25. The method of claim 24,
the second gatekeeper,
determining whether to accept the data request packet by verifying the identification name and virtual IP address of the first IoT device included in the header of the packet;
In the case of acceptance, the IoT communication system changes the virtual IP address of the second IoT device to an actual IP address using the address matching table, and transmits a packet including the changed header to the second IoT device. 26. The method of claim 25,
The second IoT device,
An IoT communication system that generates a packet requested from the first IoT device and transmits the generated packet to the first IoT device through a second gatekeeper.

Images