KR102339826B1 - Cyber attack detection/blocking system and method through wireless communication in Linux network system environment - Google Patents

Abstract

The present invention relates to a system and a method for detecting and blocking cyber attacks through wireless communication in a closed network environment. In a closed network environment that is not connected to an external network, an attacker with malicious intent leaks data through wireless communication or inserts malicious code that functions as a backdoor detects and blocks cyberattacks that communicate with the outside world. The system comprises: a signal processor for collecting non-standard RF signals of various frequency bands, identifying a signal source location of each collected RF signal, and generating raw data for each of the collected RF signals; a signal analyzer that extracts actual data of each RF signal using the generated raw data, determines whether an attack occurs using the extracted actual data, and outputs threat information and signal information according to the determination result; and a threat signal situation display for displaying the threat information and signal information so as to correspond to the signal source location of each RF signal identified by the signal processor, and generating a threat response command signal according to a user's selection of an attack command to neutralize a threat signal.

Description

Cyber attack detection/blocking system and method through wireless communication in Linux network system environment and method therefor

The present invention relates to a system and method for detecting and blocking cyber attacks through wireless communication in a closed network environment. In particular, in a closed network environment not connected to an external network, an attacker with malicious intentions To a system and method for detecting and blocking a cyber attack through wireless communication in a closed network environment, which can detect and block a cyber attack that communicates with the outside by leaking or loading malicious code that functions as a backdoor.

1 is a diagram illustrating a network system for detecting a cyber attack according to an embodiment of the prior art, and FIG. 2 is a diagram illustrating a network system for detecting an RF signal according to another embodiment of the prior art.

That is, FIG. 1 is a method of installing and operating a separate cyber attack detection system in a terminal to determine in the case of a data leakage attack or a backdoor charging attack through a wireless network, and FIG. It is simply a method of detecting RF signals that are not normally used.

As shown in FIG. 1 , in the method of installing a separate cyber attack detection agent in a plurality of terminals, when the malicious code is installed, the signature-based malware detection module 10 is used to detect the malicious code based on the signature. Alternatively, a cyber attack may be detected based on the behavior of the malicious code through the abnormal behavior detection module 11 .

In the case of signature-based detection using the signature-based malware detection module 10, when the executable file is installed in the terminal, it is compared with the signature of the previously identified malicious code and if they match each other, the cyber attack is detected and blocked.

And, in the case of behavior-based detection through the abnormal behavior detection module 11, when an executable file is executed in the terminal, the function call flow is identified, and when an action similar to a function call and intention of a general malicious code is performed, it detects and blocks data leakage It is to defend against an attack or backdoor charging attack.

On the other hand, as shown in FIG. 2 , in another conventional embodiment, a method of detecting an RF signal that is not normally used simply by installing an RF threat detector and collecting a wireless RF signal in real time is a wireless RF signal collection module (20) collects and learns information such as the frequency band, number of channels, and hopping method of the normally used wireless RF signal, and when an external abnormal RF signal occurs using the abnormal frequency band detection module 21 If the frequency band or channel of the network is different, it is judged to be a cyber attack and data leakage attack or backdoor charging attack is defended.

However, in the case of the method shown in FIG. 1, if a separate cyber attack detection agent is installed in the terminal, the performance of the terminal is deteriorated or the performance of behavior-based detection is deteriorated, so that the probability of false positives increases. Therefore, there is a problem that such a cyber attack detection system cannot be installed in an environment where the performance of the terminal is important because there is a risk that the terminal cannot perform its proper function and there is a risk of malfunction.

And, in the case of the method shown in FIG. 2, the method of simply detecting an RF signal that is not normally used by collecting a wireless RF signal in real time is performed by an attacker knowing the frequency band, channel, and hopping method normally used by the attacker. If an attack signal is generated and injected by simulation, there is a problem in that a cyber attack cannot be detected.

After all, the prior art is expensive to separately develop, install, and manage a cyber attack detection system for each terminal, and is not free from the problem of performance guarantee. There is a problem in that an attack signal that performs a sophisticated attack cannot be detected because it is a detection method using the characteristic RF signal.

Republic of Korea Patent Registration No. 10-11560050000 (2012/06/07)

Accordingly, the present invention is to solve the problems according to the prior art, and an object of the present invention is to allow an attacker with malicious intent to leak data through wireless communication in a closed network environment that is not connected to an external network. An object of the present invention is to provide a system and method for detecting and blocking a cyber attack through wireless communication in a closed network environment that detects and blocks a cyber attack that communicates with the outside by loading a malicious code that performs the function of a backdoor.

That is, the present invention collects non-standard RF signals that can prevent data leakage and backdoor attack threats using a wireless signal protocol occurring in a closed network environment, analyzes the data, determines whether it is a cyber attack, and then performs a response attack. An object of the present invention is to provide a system and method for detecting and blocking cyber attacks through wireless communication in a network environment.

However, the problems to be solved by the present invention are not limited to the problems described above, and other problems may exist. In addition, the technical field of the present invention can be applied not only to a general communication network, but also to a military communication system, that is, a closed network system that holds secret information in a military combat system system.

A system for detecting and blocking a cyber attack through wireless communication in a closed network environment according to an aspect of the present invention for achieving the above object collects non-standard RF signals of various frequency bands, and the signal source location of each collected RF signal a signal processor for identifying and generating raw data for each of the collected RF signals; a signal analyzer that extracts actual data of each RF signal using the generated raw data, determines whether an attack is made using the extracted actual data, and outputs threat information and signal information according to the determination result; and displaying the threat information and signal information so as to correspond to the signal source location of each RF signal identified by the signal processor, and displaying a threat signal situation in which a threat response command signal is generated according to the user's selection of a neutralization attack command for the threat signal may include a group.

The collected RF signals of various frequency bands may be non-standard RF signals of about 300 MHz to 6 GHz bands.

The signal processor may be installed in a plurality of terminals in the closed network system, and the signal analyzer and the threat signal situation display unit may be installed in a control room outside the closed network.

When a threat response command signal according to a user's selection is received from the threat signal situation display device, the signal processor may transmit an attack neutralization signal to the identified signal source location.

The signal processor includes: a wireless RF signal collection module for collecting non-standard RF signals of various bands; Detects whether the collected RF signal uses the frequency hopping technique, and if it is an RF signal using the frequency hopping technique, identifies a frequency hopping protocol and combines them into one signal, and then generates raw data for the collected RF signal hopping frequency identification module; After identifying each signal source location for the RF signals of various frequency bands collected by the wireless RF signal collection module, the signal source location identification module provides signal source location information of the identified RF signals to the threat signal situation indicator ; and when receiving an attack neutralization command (threat response command) from the threat signal situation display device, an attack signal for neutralizing communication of an attack tool by transmitting a neutralization signal including strong noise to the identified signal source location of the RF signal It may include a disabling module.

The signal source position identification module may measure the signal strength of each of the RF signals of various frequency bands collected by the wireless RF signal collection module and identify the signal source position of the corresponding RF signal using the measured signal strength.

The signal analyzer may include: an encoding/decoding module for identifying an encoding technique of a standard/non-standard protocol by utilizing a commercial encoding technique for the raw data of each wireless RF signal, and performing decoding of the identified technique; an encryption algorithm detection module that determines whether the wireless RF signal decoded through the encoding/decoding module is encrypted and outputs a wireless RF signal according to the determination result; a payload data extraction module for extracting the payload of the wireless RF signal output from the encryption algorithm detection module to extract actual data of each RF signal; and a threat radio signal that analyzes the actual data of the RF signal extracted from the payload data extraction module to determine whether the RF signal is an attack signal, and provides threat information and signal information to the threat signal situation display unit according to the determination result It may include an identification module.

The encryption algorithm detection module, when the RF signal decoded through the encoding/decoding module is encrypted, identifies which algorithm the RF signal is encrypted with, and then decrypts the signal to extract the payload data It is provided as a module, and when encryption is not performed, the corresponding RF signal can be provided to the payload data extraction module without decryption operation.

The threat wireless signal identification module analyzes the actual data extracted through the payload data extraction module and detects whether a data leakage attack is being made through the corresponding RF signal or whether a C&C communication command of the backdoor is being transmitted or received. Information and RF signal information can be provided as a threat signal condition indicator.

The threat signal situation display unit, a control signal for displaying the location information of the RF signals identified by the signal source location identification module of the signal processor on an indoor map, signal information and threats provided from the threat wireless signal identification module of the signal analyzer A control signal for displaying information so as to correspond to the location information of the RF signal source, and threat information provided by the threat wireless signal identification module of the signal analyzer are identified, and when the RF signal is determined to be a threat signal, an operator is alerted. a control unit that generates an alarm generation control signal for generating a , and provides a threat response command signal to an attack signal neutralization module of the signal processor when an attack neutralization command selection signal is input from a user; a display module for displaying the signal source positions of the RF signals generated by the control unit, and displaying threat information and signal information to correspond to the displayed position of the signal source; and a real-time threat notification module that generates an alarm for notifying an operator of a threat situation of an attack signal in real time according to an alarm generation control signal generated by the control unit.

On the other hand, the cyber attack detection and blocking method through wireless communication in a closed network environment according to another embodiment of the present invention collects non-standard RF signals of various frequency bands to determine the signal source location of each collected RF signal, generating, in a signal processor, raw data for each of the collected RF signals; extracting actual data of each RF signal using the generated raw data, determining whether to attack using the extracted actual data, and outputting threat information and signal information according to the determination result from a signal analyzer; and displaying the threat information and signal information so as to correspond to the signal source location of each RF signal identified by the signal processor, and displays a threat response command signal according to the user's selection of a neutralization attack command for the threat signal in the threat signal situation display It may include steps that occur.

The collected RF signals of various frequency bands may be non-standard RF signals of about 300 MHz to 6 GHz bands.

The signal processor may be installed in a plurality of terminals in the closed network system, and the signal analyzer and the threat signal situation display unit may be installed in a control room outside the closed network.

The generating of the raw data in the signal processor may include transmitting an attack neutralization signal to the identified signal source location when a threat response command signal according to a user's selection is received from the threat signal situation display. can

The generating of the raw data in the signal processor may include: collecting non-standard RF signals of various bands; Detects whether the collected RF signal uses the frequency hopping technique, and if it is an RF signal using the frequency hopping technique, identifies a frequency hopping protocol and combines them into one signal, and then generates raw data for the collected RF signal step; After identifying each signal source location for the collected RF signals of various frequency bands, providing signal source location information of the identified RF signals to the threat signal situation indicator; and when receiving an attack neutralization command (threat response command) from the threat signal situation display device, transmitting a neutralization signal including strong noise to the identified signal source location of the RF signal to neutralize the communication of the attack tool. may include

In the providing step, the signal source identification may measure the signal strength of each of the collected RF signals of various frequency bands and identify the signal source location of the corresponding RF signal using the measured signal strength.

In the step of outputting the threat information and signal information from the signal analyzer, the encoding method of the standard/non-standard protocol is identified by using a commercial encoding method for the raw data of each wireless RF signal, and decoding of the identified method is performed. step; determining whether the decoded wireless RF signal is encrypted and outputting a wireless RF signal according to the determination result;

extracting the payload of the outputted wireless RF signal to extract actual data of each RF signal; and analyzing the actual data of the extracted RF signal to determine whether the corresponding RF signal is an attack signal, and then providing threat information and signal information to the threat signal situation display unit according to the determination result.

In the step of outputting the wireless RF signal, when the decoded RF signal is encrypted, it is identified by which algorithm the corresponding RF signal is encrypted, and then output after de-encrypting the corresponding signal, and encryption is performed. If not, it can be output without decryption operation.

In the step of providing the threat information and signal information to the threat signal situation display, the extracted actual data is analyzed to detect whether a data leakage attack is being made through the RF signal and whether a C&C communication command of the backdoor is being transmitted or received. It is possible to provide the detected threat information and RF signal information as a threat signal situation indicator.

In the step of generating the threat response command signal in the threat signal situation display, a control signal for displaying the signal source location information of the identified RF signals on an indoor map, the threat information and the signal information of the RF signal source generating an alarm generating control signal for generating an alarm to an operator when the RF signal is determined to be a threat signal by identifying a control signal for displaying in correspondence with the location information and the threat information; Displaying the signal source location of the generated RF signals, displaying threat information and signal information to correspond to the displayed signal source location, and notifying the operator of the threat situation of the attack signal in real time according to the alarm generation control signal generating an alarm; and when an attack neutralization command selection signal is input from the user, providing a threat response command signal to the signal processor.

According to the present invention, without installing a separate cyber attack detection system for each terminal, it collects RF signals to the outside, analyzes data, and determines whether it is a cyber attack based on the analyzed data, so management costs and performance guarantee problems It is free from the above and can detect attack signals of more sophisticated attackers.

In addition, according to the present invention, if a system for detecting and blocking data leakage and backdoor in a closed network environment through non-standard wireless signal protocol analysis is developed, the cost is dramatically reduced and the cyber security for the wireless terminal that transmits/receives important information It can prevent and respond to the attack threat to be safe.

Effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

The accompanying drawings below are provided to help understanding of the present embodiment, and provide embodiments together with detailed description. However, the technical features of the present embodiment are not limited to specific drawings, and features disclosed in each drawing may be combined with each other to constitute a new embodiment.
1 is a diagram illustrating a closed network network system for detecting a cyber attack according to an embodiment of the related art.
2 is a diagram illustrating a closed network network system for detecting an abnormal RF signal according to another embodiment of the related art.
3 is a diagram illustrating a network connection configuration for a system for detecting and blocking a cyber attack through wireless communication in a closed network environment according to the present invention.
FIG. 4 is a diagram showing a detailed block configuration of the signal processor shown in FIG. 3;
5 is a view showing a detailed block configuration of the signal analyzer shown in FIG.
6 is a diagram illustrating a detailed block configuration of the threat signal situation display shown in FIG. 3 .
7 is a flowchart illustrating a method for detecting and blocking a cyber attack through wireless communication in a closed network environment according to the present invention.

Advantages and features of the present invention, and a method for achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only those of ordinary skill in the art to which the present invention pertains, to complete the disclosure of the present invention. It is provided to fully understand the scope of the present invention, and the present invention is only defined by the scope of the claims.

The terminology used herein is for the purpose of describing the embodiments and is not intended to limit the present invention. In this specification, the singular also includes the plural unless specifically stated otherwise in the phrase. As used herein, “comprises” and/or “comprising” does not exclude the presence or addition of one or more other components in addition to the stated components. Like reference numerals refer to like elements throughout, and "and/or" includes each and every combination of one or more of the recited elements. Although "first", "second", etc. are used to describe various elements, these elements are not limited by these terms, of course. These terms are only used to distinguish one component from another. Accordingly, it goes without saying that the first component mentioned below may be the second component within the spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used herein will have the meaning commonly understood by those of ordinary skill in the art to which this invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless specifically defined explicitly.

Hereinafter, a system for detecting and blocking a cyber attack through wireless communication in a closed network environment and a method therefor according to the present invention will be described in detail with reference to the accompanying drawings.

3 is a diagram illustrating a network connection configuration for a system for detecting and blocking a cyber attack through wireless communication in a closed network environment according to the present invention.

Referring to FIG. 3 , the cyber attack detection and blocking system through wireless communication in a closed network environment according to the present invention includes a signal processor 100 installed in a plurality of terminals in a closed network network system, and a signal analyzer installed in a central control room. 200 and may include a threat signal situation display 300 .

The signal processor 100 is installed in a plurality of terminals in a closed network system, collects a wireless attack signal targeting a closed network network, preprocesses the signal for analysis, and then converts the preprocessed signal into the signal analyzer 200 provided with

That is, the signal processor 100 collects non-standard RF signals of various frequency bands, identifies the signal source location of each collected RF signal, identifies the frequency hopping technique of each collected RF signal, and collects them into one signal. Thereafter, raw data for the RF radio signal may be provided to the signal analyzer 200 .

In addition, the signal processor 100 provides raw data for each RF signal collected to the signal analyzer 200 , and a threat response command according to the user's selection from the threat signal situation display 300 , that is, neutralizes the attack signal. In accordance with the command, a neutralization signal including strong noise is transmitted to the identified signal source location.

The signal analyzer 200 uses the raw data for the RF signals collected by the signal processor 100 to identify an encoding technique of the corresponding RF signals, and performs decoding of the identified technique.

Then, the signal analyzer 200 determines whether the decoded RF signal is encrypted, decrypts the encryption, extracts actual data of each RF signal to determine whether to attack, and displays threat information and signal information in the threat signal situation display (300).

The threat signal situation display 300 displays the signal source location identified by the signal processor 100 and the threat information/signal information provided from the signal analyzer 200, and then generates an alarm in case of a threat signal, When a neutralization attack command is input from the operator according to the occurrence of an alarm, a neutralization attack command signal is provided to the signal processor 100 .

The detailed configuration and detailed operation of the signal processor 100 , the signal analyzer 200 and the threat signal situation display 300 shown in FIG. 3 will be described in detail with reference to FIGS. 4 and 5 .

4 is a diagram showing a detailed block configuration of the signal processor 100 shown in FIG. 3 , FIG. 5 is a diagram showing a detailed block configuration of the signal analyzer 200 shown in FIG. 3 , and FIG. 3 is a diagram illustrating a detailed block configuration of the threat signal situation display 300 .

As shown in FIG. 4, the signal processor 100 shown in FIG. 3 includes a wireless RF signal collection module 110, a hopping frequency identification module 120, a signal source location identification module 130, and an attack signal neutralization module ( 140) may be included.

In addition, the signal analyzer 200 shown in FIG. 4 includes an encoding/decoding module 210, an encryption algorithm detection module 220, a payload data extraction module 230 and a threat radio signal identification module as shown in FIG. (240).

In addition, as shown in FIG. 6 , the threat signal situation display 300 shown in FIG. 4 includes a control unit 310 , an indoor map-based signal source information display module 320 , a signal information display module 330 , and a threat It may include a detailed information display module 340 and a real-time threat notification module 350 .

The wireless RF signal collection module 110 of the signal processing unit 100 shown in FIG. 4 collects non-standard RF signals of various bands, and then converts the collected RF signals of various non-standard frequency bands to the hopping frequency identification module 120 . to provide. The various non-standard frequency bands may be signals of about 300 MHz to 6 GHz bands.

And, the hopping frequency identification module 120 of the signal processor 100 detects whether the collected RF signal provided from the wireless RF signal collection module 110 uses a frequency hopping technique, and is an RF signal using the frequency hopping technique. In this case, after identifying the frequency hopping protocol and combining them into one signal, the raw data of the collected RF signal is transmitted to the encoding/decoding module 210 of the signal analyzer 200 .

On the other hand, the signal source location identification module 130 of the signal processor 100 measures the signal strength of each of the RF signals of various frequency bands collected by the wireless RF signal collection module 110 and uses the measured signal strength to correspond After identifying the signal source of the RF signal, that is, in which zone the signal is generated, the position information of the identified signal source of each RF signal is applied to the attack signal neutralization module 140 and the threat signal situation display 300 shown in FIG. 6 . It is transmitted to the control unit 310 . Here, it should be understood that the signal source location information of each RF signal may be directly transmitted to the threat signal situation display 300 , but may also be transmitted to the threat signal situation display 300 through the signal analyzer 200 .

And, when the attack signal neutralization module 140 of the signal processor 100 receives an attack neutralization command (threat response command) from the threat signal situation display 300, strong noise is transmitted to the identified signal source location of the RF signal. It transmits a neutralization signal including

The encoding/decoding module 210 of the signal analyzer 200 shown in FIG. 5 receives the raw data of each wireless RF signal collected through the wireless RF signal collection module 100 of the signal processor 100, and the received After identifying the encoding method of the standard/non-standard protocol by utilizing the existing commercial encoding method for raw data and decoding the identified method, the decoded RF signal is provided to the encryption algorithm detection module 220 .

The encryption algorithm detection module 220 of the signal analyzer 200 determines whether the standard/non-standard wireless RF signal decoded through the encoding/decoding module 210 is encrypted, and if it is an encrypted RF signal, the signal is After identifying which algorithm is encrypted, the encryption of the corresponding signal is released and provided to the payload data extraction module 230, and when encryption is not performed, the corresponding RF signal is immediately transferred to the payload data extraction module 230 provided with

The payload data extraction module 230 of the signal analyzer 200 extracts the payload of the RF signal provided from the encryption algorithm detection module 220, extracts the actual data of each RF signal, and then extracts the extracted data. It is provided to the threat radio signal identification module 240 .

The threat wireless signal identification module 240 of the signal analyzer 200 analyzes the actual data of the RF signal extracted from the payload data extraction module 230 to determine whether a data leak attack is being made through the RF signal, a backdoor It detects whether a C&C communication command is being transmitted and received, and provides the detected threat information and RF signal information to the control unit 310 of the threat signal situation display 300 shown in FIG. 6 .

The control unit 310 of the threat signal situation display 300 converts the signal source location information of the RF signals identified through the signal source location identification module 130 of the signal processor 100 shown in FIG. 4 to an indoor map-based signal. It is provided to the original information display module 320 .

Accordingly, the indoor map-based signal source information display module 320 analyzes the location information of the corresponding signal sources provided from the control unit 310 and displays the signal source locations of the corresponding RF signals on the map.

Then, the control unit 310 transmits the signal information and threat information provided from the threat wireless signal identification module 340 of the signal analyzer 200 to the signal information display module 330 and the threat signal detailed information display module 340, respectively. to provide.

The signal information display module 330 and the threat signal detailed information display module 340 respectively display RF signal information and threat detailed information of the corresponding signal to correspond to the signal source displayed on the map.

Then, the control unit 310 recognizes the threat information provided by the threat wireless signal identification module 240 of the signal analyzer 200 and generates a notification to the real-time threat notification module 350 when the corresponding RF signal is determined to be a threat signal Provides a control signal.

Accordingly, the real-time threat notification module 350 generates an alarm according to the notification generation control signal provided from the control unit 310 .

In this way, when a threat alarm signal is generated and the operator checks it and inputs a neutralization attack command signal (threat response command signal) to neutralize the attack of the corresponding RF signal, the controller 310 controls the corresponding threat response command signal is provided to the attack signal neutralization module 140 of the signal processor 100 shown in FIG. 3 .

Accordingly, when the attack signal neutralization module 140 of the signal processor 100 receives a threat response command signal from the control unit 310 of the threat signal situation display 300 , the signal source location identification module of the signal processor 100 . By transmitting a neutralization signal including strong noise to the position of the signal source identified through 130, the communication of the attack tool is neutralized.

An attached diagram for a method of detecting and blocking a cyber attack through wireless communication in a closed network environment according to the present invention corresponding to the operation of the system for detecting and blocking a cyber attack through wireless communication in a closed network environment according to the present invention Let's look at it step by step with reference to 7.

7 is a diagram illustrating an operation flowchart of a method for detecting and blocking a cyber attack through wireless communication in a closed network environment according to the present invention.

Referring to FIG. 7 , first, non-standard RF signals of various bands are collected ( S701 ). Here, the various frequency bands may be signals in a band of about 300 MHz to 6 GHz.

Next, the signal source of the collected various RF signals is identified, that is, the signal strength of each of the collected RF signals of various frequency bands is measured and the signal strength of the corresponding RF signal is generated using the measured signal strength It is determined whether the signal is a signal, it is detected whether the collected RF signal uses the frequency hopping technique, and if it is an RF signal using the frequency hopping technique, the frequency hopping protocol is identified and combined into one signal (S702)

Receive the raw data of each wireless RF signal collected, identify the encoding method of the standard/non-standard protocol by using the existing commercial encoding method for the received raw data, and a decoding method corresponding to the identified encoding method and decodes the RF signal (S703).

Next, it is determined whether the standard/non-standard radio RF signal decoded through the step S703 is encrypted (S704).

As a result of the determination, if the decoded standard/non-standard wireless RF signal is in an encrypted state, after identifying which algorithm the corresponding signal is encrypted, the encryption of the corresponding signal is released (S705).

Next, when the encryption is released and the RF signal is determined in step S704, if the corresponding RF signal is an unencrypted signal, the payload of the corresponding RF signal is extracted, and actual data of each RF signal is extracted (S706).

Then, by analyzing the actual data extracted through the step S706, it detects whether a data leakage attack is being made through the corresponding RF signal and whether the C&C communication command of the backdoor is being transmitted or received, and provides detected threat information and RF signal information ( S707).

Next, the signal source location information of the RF signals identified in step S702 is analyzed, the signal source locations of the corresponding RF signals are displayed on an indoor map, and the threat information and RF signal information provided through the step S707 are displayed on the map. It is displayed so as to correspond to the signal source indicated in . And, as a result of analyzing the detailed threat information, if the corresponding RF signal is a threat signal, a threat alarm signal is generated (S708).

As such, after the threat alarm signal is generated and the operator confirms it, it is determined whether a neutralization attack command signal (threat response command signal) for neutralizing the attack of the corresponding RF signal is input from the operator (S709).

As a result of the determination, when a neutralization attack command signal to neutralize the attack of the RF signal is input from the operator, a neutralization signal including strong noise is generated and transmitted to the signal source location of the collected RF signals identified through step S702. The communication of the attack tool is disabled (S710).

As a result, the system and method for detecting and blocking cyber attacks through wireless communication in a closed network environment according to the present invention can detect and respond to cyber attacks such as data leakage and backdoor charging attacks in a closed network environment.

And, in the case of the existing cyber attack detection and blocking system, the present invention installs a separate cyber attack detection system for each terminal or collects RF signals and compares simple characteristics to perform anomaly detection. It can solve the problem of reducing the installation cost and guaranteeing the performance of the attack detection system.

In addition, the present invention can detect and respond to sophisticated cyber attacks because threat signal detection is performed through payload data extraction and analysis rather than simple wireless signal characteristic comparison.

The method for detecting and blocking a cyber attack through wireless communication in a closed network environment according to an embodiment of the present invention described above may be implemented as a program (or application) and stored in a medium in order to be executed in combination with a computer that is hardware. can

The above-mentioned program, in order for the computer to read the program and execute the methods implemented as a program, C, C++, JAVA, Ruby, which the processor (CPU) of the computer can read through the device interface of the computer; It may include code coded in a computer language such as machine language. Such code may include functional code related to a function defining functions necessary for executing the methods, etc., and includes an execution procedure related control code necessary for the processor of the computer to execute the functions according to a predetermined procedure. can do. In addition, the code may further include additional information necessary for the processor of the computer to execute the functions or code related to memory reference for which location (address address) in the internal or external memory of the computer to be referenced. have. In addition, when the processor of the computer needs to communicate with any other computer or server located remotely in order to execute the above functions, the code uses the communication module of the computer to determine how to communicate with any other computer or server remotely. It may further include a communication-related code for whether to communicate and what information or media to transmit and receive during communication.

The storage medium is not a medium that stores data for a short moment, such as a register, a cache, a memory, etc., but a medium that stores data semi-permanently and can be read by a device. Specifically, examples of the storage medium include, but are not limited to, ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage device. That is, the program may be stored in various recording media on various servers accessible by the computer or in various recording media on the computer of the user. In addition, the medium may be distributed in a computer system connected to a network, and a computer-readable code may be stored in a distributed manner.

The description of the present invention described above is for illustration, and those of ordinary skill in the art to which the present invention pertains can understand that it can be easily modified into other specific forms without changing the technical spirit or essential features of the present invention. will be. Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive. For example, each component described as a single type may be implemented in a dispersed form, and likewise components described as distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the following claims rather than the above detailed description, and all changes or modifications derived from the meaning and scope of the claims and their equivalent concepts should be interpreted as being included in the scope of the present invention. do.

100 : signal handler
110: wireless RF signal acquisition module
120: hopping frequency identification module
130: signal source location identification module
140: attack signal neutralization module
200: signal analyzer
210: encoding/decoding module
220: encryption algorithm detection module
230: payload data extraction module
240: threat radio signal identification module
300: threat signal situation display
310: control unit
320: indoor map-based signal source information display module
330: signal information display module
340: threat signal detailed information display module
350: Real-time threat notification module

Claims (20)

A system for detecting and blocking cyber attacks through wireless communication in a closed network environment, the system comprising:
a signal processor for collecting non-standard RF signals of various frequency bands, identifying a signal source location of each collected RF signal, and generating raw data for each of the collected RF signals;
a signal analyzer that extracts actual data of each RF signal using the generated raw data, determines whether an attack is made using the extracted actual data, and outputs threat information and signal information according to the determination result; and
A threat signal situation display that displays the threat information and signal information so as to correspond to the signal source location of each RF signal identified by the signal processor, and generates a threat response command signal according to the user's selection of a neutralization attack command for the threat signal including,
The signal processor is
a wireless RF signal collection module that collects non-standard RF signals of various bands;
Detects whether the collected RF signal uses the frequency hopping technique, and if it is an RF signal using the frequency hopping technique, identifies a frequency hopping protocol and combines them into one signal, and then generates raw data for the collected RF signal hopping frequency identification module;
After identifying each signal source location for the RF signals of various frequency bands collected by the wireless RF signal collection module, the signal source location identification module provides signal source location information of the identified RF signals to the threat signal situation indicator ; and
When receiving an attack neutralization command (threat response command) from the threat signal situation display device, the neutralization signal is transmitted to the identified RF signal source location with a neutralization signal containing strong noise to neutralize the communication of the attack tool. contains a module,
The signal analyzer is
an encoding/decoding module for identifying an encoding method of a standard/non-standard protocol by utilizing a commercial encoding method for raw data of each radio RF signal, and performing decoding of the identified method;
an encryption algorithm detection module that determines whether the wireless RF signal decoded through the encoding/decoding module is encrypted and outputs a wireless RF signal according to the determination result;
a payload data extraction module for extracting a payload of a wireless RF signal output from the encryption algorithm detection module, and extracting actual data of each RF signal; and
After determining whether the corresponding RF signal is an attack signal by analyzing the actual data of the RF signal extracted from the payload data extraction module, threat information and signal information are provided to the threat signal situation indicator according to the determination result. A system for detecting and blocking cyber attacks through wireless communication in a closed network environment that includes a module.
According to claim 1,
The collected RF signals of various frequency bands are non-standard RF signals of 300 MHz to 6 GHz bands. Cyber attack detection and blocking system through wireless communication in a closed network environment.
According to claim 1,
The signal processor is mounted on a plurality of terminals in the closed network system, and the signal analyzer and the threat signal situation display unit are installed in a control room outside the closed network cyber attack detection and blocking system through wireless communication in a closed network environment.
According to claim 1,
The signal processor is
When a threat response command signal according to the user's selection is received from the threat signal situation display device, the attack neutralization signal is transmitted to the identified signal source location. Cyber attack detection and blocking through wireless communication in a closed network environment system.
delete According to claim 1,
The signal source location identification module,
Through wireless communication in a closed network environment, the signal strength of each RF signal of various frequency bands collected by the wireless RF signal collection module is measured and the signal source location of the corresponding RF signal is identified using the measured signal strength Cyber attack detection and blocking system.
delete According to claim 1,
The encryption algorithm detection module,
If the RF signal decoded through the encoding/decoding module is encrypted, after identifying which algorithm the RF signal is encrypted, the encryption for the signal is de-encrypted and provided to the payload data extraction module, and encryption is performed If not, a cyber attack detection and blocking system through wireless communication in a closed network environment that provides the corresponding RF signal to the payload data extraction module without decryption operation.
According to claim 1,
The threat radio signal identification module comprises:
By analyzing the actual data extracted through the payload data extraction module, it detects whether a data leakage attack is being made through the corresponding RF signal and whether the C&C communication command of the backdoor is being transmitted or received, and the detected threat information and RF signal information is used as a threat signal A cyber attack detection and blocking system through wireless communication in a closed network environment that is provided as a situation display.
10. The method of claim 9,
The threat signal situation display device,
A control signal for displaying the location information of the RF signals identified by the signal source location identification module of the signal processor on an indoor map, the signal information and threat information provided from the threat wireless signal identification module of the signal analyzer, the location of the RF signal source An alarm generating control signal for generating an alarm to the operator when the RF signal is determined to be a threat signal by identifying a control signal to be displayed corresponding to the information, and threat information provided by the threat wireless signal identification module of the signal analyzer a control unit for generating each and providing a threat response command signal to the attack signal neutralization module of the signal processor when an attack neutralization command selection signal is input from the user;
a display module for displaying the signal source positions of the RF signals generated by the control unit, and displaying threat information and signal information to correspond to the displayed position of the signal source; and
Cyber attack detection through wireless communication in a closed network environment, which includes a real-time threat notification module that generates an alarm to notify an operator of a threat situation of an attack signal in real time according to an alarm generation control signal generated by the control unit; blocking system.
A method for detecting and blocking cyber attacks through wireless communication in a closed network environment, the method comprising:
collecting non-standard RF signals of various frequency bands, identifying a signal source location of each collected RF signal, and generating raw data for each collected RF signal in a signal processor;
extracting actual data of each RF signal using the generated raw data, determining whether to attack using the extracted actual data, and outputting threat information and signal information according to the determination result from a signal analyzer; and
Each of the threat information and signal information is displayed to correspond to the signal source location of each RF signal identified by the signal processor, and a threat response command signal is generated in the threat signal situation display according to the user's selection of a neutralization attack command for the threat signal comprising the steps of
The generating of the raw data in the signal processor includes:
collecting non-standard RF signals of various bands;
Detects whether the collected RF signal uses the frequency hopping technique, and if it is an RF signal using the frequency hopping technique, identifies a frequency hopping protocol and combines them into one signal, and then generates raw data for the collected RF signal step;
After identifying each signal source location for the collected RF signals of various frequency bands, providing signal source location information of the identified RF signals to the threat signal situation indicator; and
When receiving an attack neutralization command (threat response command) from the threat signal situation display device, transmitting a neutralization signal including strong noise to the identified signal source location of the RF signal to neutralize the communication of the attack tool and
The step of outputting the threat information and signal information from the signal analyzer comprises:
identifying an encoding technique of a standard/non-standard protocol by using a commercial encoding technique for raw data of each radio RF signal, and performing decoding of the identified technique;
determining whether the decoded wireless RF signal is encrypted and outputting a wireless RF signal according to the determination result;
extracting the payload of the outputted wireless RF signal to extract actual data of each RF signal; and
In a closed network environment, comprising the step of analyzing the actual data of the extracted RF signal to determine whether the RF signal is an attack signal, and then providing threat information and signal information to the threat signal situation display unit according to the determination result A method of detecting and blocking cyber attacks through wireless communication.
12. The method of claim 11,
The collected RF signals of various frequency bands are non-standard RF signals of 300 MHz to 6 GHz bands. A method for detecting and blocking cyber attacks through wireless communication in a closed network environment.
12. The method of claim 11,
The method for detecting and blocking a cyber attack through wireless communication in a closed network environment, wherein the signal processor is mounted on a plurality of terminals in the closed network system, and the signal analyzer and the threat signal situation display unit are installed in a situation room outside the closed network.
12. The method of claim 11,
The generating of the raw data in the signal processor includes:
Cyber through wireless communication in a closed network environment, comprising the step of transmitting an attack neutralization signal to the identified signal source location when a threat response command signal according to the user's selection is received from the threat signal situation display device How to detect and block attacks.
delete 12. The method of claim 11,
In the step of providing the signal source identification is,
A method of detecting and blocking a cyber attack through wireless communication in a closed network environment, wherein the signal strength of each of the collected RF signals of various frequency bands is measured and the signal source location of the corresponding RF signal is identified using the measured signal strength .
delete 12. The method of claim 11,
The step of outputting the wireless RF signal,
If the decoded RF signal is encrypted, after identifying which algorithm the corresponding RF signal is encrypted, the encryption for the corresponding signal is released and then output, and if encryption is not performed, it is output without decryption operation A method of detecting and blocking cyber attacks through wireless communication in a closed network environment.
12. The method of claim 11,
The step of providing the threat information and signal information to the threat signal situation display includes:
By analyzing the extracted actual data, it detects whether a data leak attack is being made through the corresponding RF signal and whether the C&C communication command of the backdoor is being transmitted or received, and provides the detected threat information and RF signal information as a threat signal situation display. A method of detecting and blocking cyber attacks through wireless communication in a closed network environment.
20. The method of claim 19,
The step of generating the threat response command signal in the threat signal situation display period includes:
By identifying a control signal for displaying the signal source location information of the identified RF signals on an indoor map, a control signal for displaying the threat information and signal information to correspond to the location information of the RF signal source, and the threat information generating an alarm generation control signal for generating an alarm to an operator when the corresponding RF signal is determined to be a threat signal;
Displaying the signal source location of the generated RF signals, displaying threat information and signal information to correspond to the displayed signal source location, and notifying the operator of the threat situation of the attack signal in real time according to the alarm generation control signal generating an alarm; and
A method of detecting and blocking a cyber attack through wireless communication in a closed network environment, comprising the step of providing a threat response command signal to the signal processor when an attack neutralization command selection signal is input from a user.

Images