KR102430988B1 - Method, device and system for controlling policy setting of host firewall based on artificial intelligence - Google Patents

Abstract

According to one embodiment of the present invention, a method for controlling policy setting of a host firewall based on artificial intelligence, performed by a central server, comprises the steps of: receiving operating system information on a first server and network setting information on the first server, from the first server, which is one of a plurality of servers connected to a central server through an internal network; analyzing a network connection state of the first server on the basis of the operating system information on the first server and the network setting information on the first server; selecting a firewall policy suitable for the first server on the basis of an output of a first artificial neural network by applying an analysis result of the network connection state of the first server to the first artificial neural network in the central server; checking whether a first policy is included in the firewall policy of the first server when the first policy is selected as a firewall policy suitable for the first server; additionally registering the first policy to the firewall policy of the first server when it is confirmed that the first policy is not included in the firewall policy of the first server; and transmitting a setting change command for the firewall policy of the first server to the first server when the first policy is additionally registered in the firewall policy of the first server, and controlling the first policy to set as the firewall policy of the first server. Therefore, an integrated host firewall manager service can be provided.

Description

METHOD, DEVICE AND SYSTEM FOR CONTROLLING POLICY SETTING OF HOST FIREWALL BASED ON ARTIFICIAL INTELLIGENCE}

The following embodiments relate to a technology for controlling policy settings of a host firewall based on artificial intelligence.

Firewalls can be divided into network firewalls and host firewalls, and the one most companies usually use is a network firewall. The network firewall may be configured as a network gateway method or a bridge method by configuring the main firewall on top of the main switch. That is, an internal network and an external network may be divided and managed based on the firewall equipment.

In using a network firewall, a plurality of servers can be connected to the internal network through the internal network based on the network firewall, and communication between the plurality of servers connected through the internal network does not go through the firewall, so it is not blocked separately. to be. Accordingly, a configuration of a host firewall is required for a firewall for communication between a plurality of servers connected through an internal network.

In a general host firewall, individual settings must be performed by accessing a local PC or server from each operating system. . Accordingly, there is an increasing demand for management through a single firewall manager as in the case of a network firewall, and an active policy configuration is required.

In addition, if there are hundreds of servers to be operated, it is impossible to manage hundreds of firewall policies one by one. For example, in the case of Linux or Unix, the structure of the command for configuring the server firewall is complicated, so that only an advanced engineer who has acquired specialized knowledge can configure the firewall. Accordingly, it is impossible to manage policies individually for each server, so the firewall of the operating system is removed or the service is stopped and operated.

In addition, in general, small and medium-sized companies that lease a single server or manage a colocation server in an IDC data center are managed defenselessly if they do not acquire professional firewall knowledge. In the IDC data center, it is impossible to manage all customers' firewall policies, and customers do not have personnel who have acquired specialized knowledge. It is a situation that cannot be dealt with. In addition, there is a problem in that a large amount of unnecessary internal traffic is not blocked, so that excessive resources are used in network equipment.

Accordingly, there is an increasing demand to provide an integrated host firewall manager service by solving the above-mentioned problems and actively and conveniently setting the host firewall, and research on related technologies is required.

Korean Patent No. 10-2333028 Korean Patent Registration No. 10-2312019 Korean Patent No. 10-2280774 Korean Patent No. 10-1415850

According to one embodiment, an artificial intelligence-based host firewall policy setting control method, device and system are provided, which selects a firewall policy suitable for the server according to the network connection state of the server, and sets the selected policy as the firewall policy of the server. to do for that purpose.

Objects of the present invention are not limited to the objects mentioned above, and other objects not mentioned will be clearly understood from the description below.

According to an embodiment, in a method for controlling policy settings of a host firewall based on artificial intelligence, performed by a central server, from a first server that is any one of a plurality of servers connected to the central server through an internal network , receiving operating system information of the first server and network setting information of the first server; analyzing a network connection state of the first server based on the operating system information of the first server and network setting information of the first server; applying an analysis result of the network connection state of the first server to a first artificial neural network in the central server, and selecting a firewall policy suitable for the first server based on the output of the first artificial neural network; when a first policy is selected as a firewall policy suitable for the first server, checking whether the first policy is included in the firewall policy of the first server; if it is confirmed that the first policy is not included in the firewall policy of the first server, adding and registering the first policy to the firewall policy of the first server; and when the first policy is additionally registered in the firewall policy of the first server, a setting change command for the firewall policy of the first server is transmitted to the first server, so that the first policy is applied to that of the first server. A method for controlling policy settings of an AI-based host firewall is provided, including the step of controlling to be set as a firewall policy.

In the method for controlling the policy setting of the AI-based host firewall, after controlling the first policy to be set as the firewall policy of the first server, the servers operating in the environment of a first operating system among the plurality of servers are first classifying into groups; classifying the servers classified into the first group, which are connected to a first port and perform communication, into a 1-1 group; checking whether the first policy is included in the firewall policy of the second server when the first server and the second server are classified into the 1-1 group; if it is confirmed that the first policy is not included in the firewall policy of the second server, adding and registering the first policy to the firewall policy of the second server; and when the first policy is additionally registered in the firewall policy of the second server, a setting change command for the firewall policy of the second server is transmitted to the second server, so that the first policy is applied to the second server. It may further include the step of controlling to be set as a firewall policy.

In the method for controlling policy setting of the AI-based host firewall, after controlling the first policy to be set as the firewall policy of the first server, monitoring information on network traffic of the first server from the first server receiving; By applying monitoring information on network traffic of the first server to a second artificial neural network in the central server, based on the output of the second artificial neural network, it is determined whether an approach estimated as an attack is detected to the first server. detecting; calculating the number of first attacks, which is the number of times that the first server has been attacked during the reference period, by checking how many times the access estimated as an attack is detected by the first server during a preset reference period; checking whether the first number of attacks is less than a preset first reference number; determining the state of the first server as a normal state when it is confirmed that the first number of attacks is less than the first reference number; when it is confirmed that the first number of attacks is greater than the first reference number, determining whether the first number of attacks is less than a preset second reference number; determining the state of the first server as a warning state when it is confirmed that the first number of attacks is less than the second reference number; determining the state of the first server as a critical state when it is confirmed that the first number of attacks is greater than the second reference number; transmitting a notification message warning of an attack of the first server to a first administrator terminal registered as an administrator of the first server when the state of the first server is determined to be a warning state; and when it is determined that the state of the first server is in a critical state, a connection blocking command of the first port that is allowed to be connected through the first policy is transmitted to the first server, and the first server in the first port It may further include the step of controlling to block the connection through the.

In the method for controlling the policy setting of the AI-based host firewall, after controlling the first policy to be set as the firewall policy of the first server, the first policy and the second policy are included in the firewall policy of the first server. checking a first list that is a list of IP addresses allowed to connect through the first policy and a second list that is a list of IP addresses that are allowed to connect through the second policy, if registered; As a result of comparing the first list and the second list, if it is confirmed that the first list has a wider allowable range than the second list, the priority of the first policy is set as the first priority, and the second policy setting the priority of the to second priority; As a result of comparing the first list and the second list, if it is confirmed that the first list has a narrower allowable range than the second list, the priority of the first policy is set to the second priority, and the second policy setting the priority of As a result of comparing the first list and the second list, if it is confirmed that the allowable ranges of the first list and the second list are the same, the third list of IP addresses whose connection is blocked through the first policy checking the list and a fourth list that is a list of IP addresses whose connection is blocked through the second policy; As a result of comparing the third list and the fourth list, if it is confirmed that the third list has a narrower blocking range than the fourth list, the priority of the first policy is set as the first priority, and the second policy setting the priority of the to second priority; and when it is confirmed that the third list has a wider blocking range than the fourth list as a result of comparing the third list and the fourth list, the priority of the first policy is set to the second priority, and the second The method may further include setting the priority of the policy to the first priority.

According to another embodiment, in a method for controlling policy settings of a host firewall based on artificial intelligence, performed by a first agent installed in a first server, operating system information of the first server and a network of the first server obtaining setting information; analyzing a network connection state of the first server based on the operating system information of the first server and network setting information of the first server; applying an analysis result of the network connection state of the first server to a first artificial neural network in the first server, and selecting a firewall policy suitable for the first server based on the output of the first artificial neural network; when a first policy is selected as a firewall policy suitable for the first server, checking whether the first policy is included in the firewall policy of the first server; when it is confirmed that the first policy is not included in the firewall policy of the first server, adding and setting the first policy to the firewall policy of the first server; and when the first policy is additionally registered in the firewall policy of the first server, transmitting a setting change notification message for the firewall policy of the first server to a central server. A setting control method is provided.

According to an embodiment, by controlling the policy setting of the host firewall based on artificial intelligence, the host firewall can be actively and conveniently configured to provide an integrated host firewall manager service.

On the other hand, the effects according to the embodiments are not limited to those mentioned above, and other effects not mentioned will be clearly understood by those of ordinary skill in the art from the following description.

1 is a diagram schematically showing the configuration of a system according to an embodiment.
2 is a flowchart illustrating a process of controlling policy settings of a host firewall based on artificial intelligence, performed by a central server according to an embodiment.
3 is a flowchart illustrating a process of controlling policy settings of a host firewall based on artificial intelligence, performed by a first agent installed in a first server according to an embodiment.
4 is a flowchart illustrating a process of setting a firewall policy by interworking with each server according to an embodiment.
5 is a flowchart illustrating a process of detecting an approach estimated as an attack and providing a countermeasure according to the number of attacks, according to an exemplary embodiment.
6 is a flowchart illustrating a process of setting a priority of a firewall policy according to an IP address allowable range according to an exemplary embodiment.
7 is a flowchart illustrating a process of setting a priority of a firewall policy according to an IP address blocking range according to an exemplary embodiment.
8 is a diagram for explaining learning of a first artificial neural network according to an embodiment.
9 is a diagram for explaining learning of a second artificial neural network according to an embodiment.
10 is an exemplary diagram of a configuration of an apparatus according to an embodiment.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. However, since various changes may be made to the embodiments, the scope of the patent application is not limited or limited by these embodiments. It should be understood that all modifications, equivalents and substitutes for the embodiments are included in the scope of the rights.

Specific structural or functional descriptions of the embodiments are disclosed for purposes of illustration only, and may be changed and implemented in various forms. Accordingly, the embodiments are not limited to a specific disclosure form, and the scope of the present specification includes changes, equivalents, or substitutes included in the technical spirit.

Although terms such as first or second may be used to describe various elements, these terms should be interpreted only for the purpose of distinguishing one element from another. For example, a first component may be termed a second component, and similarly, a second component may also be termed a first component.

When a component is referred to as being “connected” to another component, it may be directly connected or connected to the other component, but it should be understood that another component may exist in between.

The terms used in the examples are used for the purpose of description only, and should not be construed as limiting. The singular expression includes the plural expression unless the context clearly dictates otherwise. In the present specification, terms such as “comprise” or “have” are intended to designate that a feature, number, step, operation, component, part, or combination thereof described in the specification exists, but one or more other features It is to be understood that this does not preclude the possibility of the presence or addition of numbers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the embodiment belongs. Terms such as those defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related art, and should not be interpreted in an ideal or excessively formal meaning unless explicitly defined in the present application. does not

In addition, in the description with reference to the accompanying drawings, the same components are assigned the same reference numerals regardless of the reference numerals, and the overlapping description thereof will be omitted. In the description of the embodiment, if it is determined that a detailed description of a related known technology may unnecessarily obscure the gist of the embodiment, the detailed description thereof will be omitted.

The embodiments may be implemented in various types of products, such as personal computers, laptop computers, tablet computers, smart phones, televisions, smart home appliances, intelligent cars, kiosks, wearable devices, and the like.

An artificial intelligence (AI) system is a computer system that implements human-level intelligence, and unlike the existing rule-based smart system, the machine learns and makes decisions on its own. The more the AI system is used, the better the recognition rate and the more accurate understanding of user preferences, and the existing rule-based smart systems are gradually being replaced by deep learning-based AI systems.

Artificial intelligence technology consists of machine learning and element technologies using machine learning. Machine learning is an algorithm technology that categorizes/learns characteristics of input data by itself, and element technology uses machine learning algorithms such as deep learning to simulate functions such as cognition and judgment of the human brain. It consists of technical fields such as understanding, reasoning/prediction, knowledge expression, and motion control.

The various fields where artificial intelligence technology is applied are as follows. Linguistic understanding is a technology for recognizing and applying/processing human language/text, and includes natural language processing, machine translation, dialogue system, question and answer, and speech recognition/synthesis. Visual understanding is a technology for recognizing and processing objects like human vision, and includes object recognition, object tracking, image search, human recognition, scene understanding, spatial understanding, image improvement, and the like. Inferential prediction is a technology for logically reasoning and predicting by judging information, and includes knowledge/probability-based reasoning, optimization prediction, preference-based planning, and recommendation. Knowledge expression is a technology that automatically processes human experience information into knowledge data, and includes knowledge construction (data generation/classification) and knowledge management (data utilization). Motion control is a technology for controlling autonomous driving of a vehicle and movement of a robot, and includes motion control (navigation, collision, driving), manipulation control (action control), and the like.

In general, in order to apply the machine learning algorithm to real life, learning is performed in the Trial and Error method due to the characteristics of the basic methodology of machine learning. In particular, deep learning requires hundreds of thousands of iterations. It is impossible to execute this in the actual physical external environment, so instead, the actual physical external environment is implemented on a computer and learning is performed through simulation.

1 is a diagram schematically showing the configuration of a system according to an embodiment.

Referring to FIG. 1 , a system according to an embodiment may include a plurality of servers 100 and a central server 200 . As shown in FIG. 1 , the policy setting control method of the AI-based host firewall may be performed in a system including a plurality of servers 100 and a central server 200 . Here, the system may be implemented as a distributed environment in which a plurality of single servers or cloud servers are operated.

The plurality of servers 100 may include a first server 110 , a second server 120 , and the like, and each of the plurality of servers 100 is a host connected to the central server 200 through an internal network. can

Each of the plurality of servers 100 may transmit/receive data to and from the central server 200 through a network connected to an internal network.

In each of the plurality of servers 100, an agent including a command in which a policy setting control method of an AI-based host firewall is implemented may be installed.

Each of the plurality of servers 100 may generate system data (CPU, memory, disk, disk input/output, and network traffic) and system log data.

The central server 200 may transmit and receive data to and from the plurality of servers 100 through a network connected through an internal network, thereby controlling the overall operation of each of the plurality of servers 100 .

In the central server 200 , an agent including a command in which a policy setting control method of an AI-based host firewall is implemented may be installed. Accordingly, the system may set the host firewall policy through the agent installed in the central server 200 , or may set the host firewall policy through the agent installed in each of the plurality of servers 100 .

That is, the plurality of servers 100 are hosts connected to each other through an internal network, and the central server 200 is a main server connected to the outside through an external network while being connected to the plurality of servers 100 through an internal network. operation can be controlled. In this case, a host firewall is configured in a host connected through an internal network, and a network firewall is configured in the central server 200 connected through an external network.

According to an embodiment, an integrated host firewall manager service can be provided so that the host firewall function, which is basically configured and managed, can be actively and conveniently used through the AI-based host firewall policy setting control method.

Specifically, the system may provide an integrated host firewall manager, such as a network firewall. In addition, since the firewall policy is applied from the top down, the priority of the policy can be automatically detected and processed to be applied. In addition, if an agent program is installed in each of the plurality of servers 100, a service can be provided so that the host firewall manager function can be used. In addition, by detecting a network port in an allowed state in each of the plurality of servers 100 in which the agent is installed, a basic configuration guide of the host firewall may be provided to the user. In addition, when abnormal traffic exceeding a threshold is detected, network port information of a server that is generating excessive traffic may be notified, and a configuration guide may be provided to change the configuration of the host firewall. In addition, by linking artificial intelligence deep learning, it is possible to automatically detect excessive network traffic and excessive access to a specific network port, and provide a configuration guide to change the host firewall configuration.

That is, the system may provide a guide so that the firewall policy can be configured for each of the plurality of servers 100 according to the type of network (TCP port, etc.). In this case, a template for setting the firewall policy may be automatically provided, and a default value for the firewall policy may be set.

In addition, the system can detect an attack presumed to be an attack based on deep learning of artificial intelligence, and recommend a blocking policy or provide a guide. A detailed description related thereto will be described later with reference to FIG. 5 .

In addition, when a plurality of firewall policies are set in one server, the system can automatically detect and set the priority of the policy. A detailed description related thereto will be described later with reference to FIGS. 6 and 7 .

The central server 200 may store and manage information about the firewall policy set in each of the plurality of servers 100 in a database, and any one of the plurality of servers 100 may be rebooted or information about the firewall policy Information on the firewall policy may be stored separately for each of the plurality of servers 100 so that the information can be retrieved when necessary. In this case, the information on the firewall policy may be encrypted and stored so as not to be confirmed even if a hacker hacks the information on the firewall policy. In addition, the central server 200 may periodically update the firewall policy for each of the plurality of servers 100 to continuously update information on the firewall policy.

According to an embodiment, the firewall policy may be configured by setting a policy name, forwarding type, protocol, external allowed IP address list, external blocked IP address list, virtual port, operation port, and the like, respectively.

Meanwhile, the plurality of servers 100 and the central server 200 may include a plurality of artificial neural networks that have been trained in advance to perform a machine learning algorithm.

In the present invention, artificial intelligence (AI) refers to a technology that imitates human learning ability, reasoning ability, perceptual ability, etc., and implements it with a computer, and the concepts of machine learning, symbolic logic, etc. may include. Machine Learning (ML) is an algorithm technology that classifies or learns characteristics of input data by itself. Artificial intelligence technology is an algorithm of machine learning that can analyze input data, learn the results of the analysis, and make judgments or predictions based on the results of the learning. In addition, technologies that use machine learning algorithms to simulate functions such as cognition and judgment of the human brain can also be understood as a category of artificial intelligence. For example, technical fields such as verbal comprehension, visual comprehension, reasoning/prediction, knowledge expression, and motion control may be included.

Machine learning may refer to the processing of training a neural network model using experience of processing data. With machine learning, computer software could mean improving its own data processing capabilities. The neural network model is constructed by modeling the correlation between data, and the correlation may be expressed by a plurality of parameters. A neural network model extracts and analyzes features from given data to derive correlations between data, and repeating this process to optimize parameters of a neural network model can be called machine learning. For example, a neural network model may learn a mapping (correlation) between an input and an output with respect to data given as an input/output pair. Alternatively, the neural network model may learn the relationship by deriving regularity between the given data even when only input data is given.

The artificial intelligence learning model or neural network model may be designed to implement a human brain structure on a computer, and may include a plurality of network nodes that simulate neurons of a human neural network and have weights. A plurality of network nodes may have a connection relationship with each other by simulating a synaptic activity of a neuron through which a neuron sends and receives a signal through a synapse. In the AI learning model, a plurality of network nodes can exchange data according to a convolutional connection relationship while being located in layers of different depths. The artificial intelligence learning model may be, for example, an artificial neural network model, a convolutional neural network model, or the like. As an embodiment, the AI learning model may be machine-learned according to a method such as supervised learning, unsupervised learning, reinforcement learning, or the like. Machine learning algorithms for performing machine learning include Decision Tree, Bayesian Network, Support Vector Machine, Artificial Neural Network, Ada-boost. , Perceptron, Genetic Programming, Clustering, etc. may be used.

Among them, CNNs are a type of multilayer perceptrons designed to use minimal preprocessing. CNN consists of one or several convolutional layers and general artificial neural network layers on top of it, and additionally utilizes weights and pooling layers. Thanks to this structure, CNN can fully utilize the input data of the two-dimensional structure. Compared with other deep learning structures, CNN shows good performance in both video and audio fields. CNNs can also be trained through standard back-passing. CNNs are easier to train than other feed-forward neural network techniques and have the advantage of using fewer parameters.

Convolutional networks are neural networks comprising sets of nodes with bound parameters. The increased size of available training data and the availability of computational power, combined with advances in algorithms such as piecewise linear units and dropout training, have greatly improved many computer vision tasks. For huge data sets, such as those available for many tasks today, overfitting is not important, and increasing the size of the network improves test accuracy. Optimal use of computing resources becomes a limiting factor. To this end, a distributed, scalable implementation of deep neural networks may be used.

The embodiments described above may be implemented by a hardware component, a software component, and/or a combination of a hardware component and a software component. For example, the apparatus, methods and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate (FPGA). array), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that may include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

2 is a flowchart illustrating a process of controlling policy settings of a host firewall based on artificial intelligence, performed by a central server according to an embodiment.

All processes shown in FIG. 2 may be performed by the central server 200 itself, but the present invention is not limited thereto, and all processes shown in FIG. 2 may be performed through an agent installed in the central server 200 .

Referring to FIG. 2 , first, in step S201 , the central server 200 may receive the operating system information of the first server 110 and the network setting information of the first server 110 from the first server 110 . . Here, the operating system information of the first server 110 may include information for identifying the type and version of the operating system installed and operated in the first server 110 , and the network setting of the first server 110 . The information may include information indicating a network setting state of the first server 110 .

In step S202 , the central server 200 may analyze the network connection state of the first server 110 based on the operating system information of the first server 110 and the network setting information of the first server 110 . In this case, the central server 200 may analyze the network connection state of the first server 110 to generate an analysis result for the network connection state of the first server 110 . Here, the analysis result of the network connection state of the first server 110 is analyzed by which operating system the first server 110 is operated and through which network port the first server 110 is connected. It may contain one result.

In step S203 , the central server 200 may apply the analysis result of the network connection state of the first server 110 to the first artificial neural network previously learned in the central server 200 .

According to an embodiment, the first artificial neural network may be an algorithm that analyzes and outputs a firewall policy suitable for the server after receiving an analysis result of the network connection state of the server.

In step S204 , the central server 200 may select a firewall policy suitable for the first server 110 based on the output of the first artificial neural network.

For example, the central server 200 applies the analysis result of the network connection state of the first server 110 to the first artificial neural network, and as a result of checking the output of the first artificial neural network, the output value is confirmed as “0” , a firewall policy suitable for the first server 110 may be selected as the first policy, and when the output value is confirmed as “1”, a firewall policy suitable for the first server 110 may be selected as the second policy.

The first artificial neural network may be trained to analyze a firewall policy suitable for the server through the analysis result of the network connection state of the server. The first artificial neural network may be learned through a method described later with reference to FIG. 8 . Through this, the first artificial neural network may analyze and output a firewall policy suitable for the server in consideration of the network connection state of the server.

In step S205 , the central server 200 may check whether the policy selected in step S204 is included in the firewall policy of the first server 110 . For example, if the first policy is selected as a firewall policy suitable for the first server 110 , the central server 200 may check whether the first policy is included in the firewall policy of the first server 110 . .

To this end, information on the firewall policy set in each of the plurality of servers 100 may be stored separately for each server in the database of the central server 200 . The number of information about the firewall policy may be different depending on the firewall policy set in the server, and when a plurality of firewall policies are set in one server, a priority for each of the plurality of firewall policies may be set .

If it is confirmed in step S205 that the first policy is included in the firewall policy of the first server 110 , in step S206 , the central server 200 does not require a change to the firewall policy of the first server 110 . can be judged as

That is, since the first policy selected as a firewall policy suitable for the first server 110 is already set in the first server 110 , the central server 200 maintains the firewall policy of the first server 110 . may be deemed necessary.

After step S206 , when a certain period elapses, the process returns to step S201 , and the central server 200 returns the operating system information of the first server 110 and the network setting information of the first server 110 from the first server 110 again. In response, a firewall policy suitable for the first server 110 may be selected again.

On the other hand, if it is confirmed in step S205 that the first policy is not included in the firewall policy of the first server 110 , in step S207 , the central server 200 changes the firewall policy of the first server 110 . may be deemed necessary.

That is, since the first policy selected as the firewall policy suitable for the first server 110 is not set in the first server 110 , the central server 200 does not change the firewall policy of the first server 110 . may be deemed necessary.

In step S208 , the central server 200 may register by adding the selected policy to the firewall policy of the first server 110 . For example, if the first policy is selected as a firewall policy suitable for the first server 110 , the central server 200 may register the first policy by adding the first policy to the firewall policy of the first server 110 . In this case, when the second policy is already registered in the firewall policy of the first server 110 , the first policy may be additionally registered in the firewall policy of the first server 110 . Through this, when a plurality of policies are registered in the firewall policy of the first server 110 , the central server 200 may set a priority for each of the plurality of policies. A detailed description related thereto will be described later with reference to FIGS. 6 and 7 .

The process of adding and registering the first policy to the firewall policy of the first server 110 is performed by adding the first policy to information about the firewall policy of the first server 110 stored in the database of the central server 200 . By updating, setting of the firewall policy may be performed through step S209.

In step S209 , when the first policy is additionally registered in the firewall policy of the first server 110 , the central server 200 sends a setting change command for the firewall policy of the first server 110 to the first server 110 . , the first policy may be controlled to be set as the firewall policy of the first server 110 . Here, the setting change command for the firewall policy of the first server 110 is a command for setting by adding the first policy to the firewall policy of the first server 110 , and the first server 110 is the first server ( The first policy may be added and set as the firewall policy of the first server 110 through the setting change command for the firewall policy of 110 ).

After step S209, when a certain period of time elapses, the process returns to step S201, and the central server 200 returns the operating system information of the first server 110 and the network setting information of the first server 110 from the first server 110 again. In response, a firewall policy suitable for the first server 110 may be selected again.

3 is a flowchart illustrating a process of controlling policy settings of a host firewall based on artificial intelligence, performed by a first agent installed in a first server according to an embodiment.

All the processes shown in FIG. 3 may be performed through the first agent installed in the first server 110, but is not limited thereto, and all the processes shown in FIG. 3 may be performed by the first server 110 itself. have.

Referring to FIG. 3 , first, in step S301 , the first server 110 may obtain operating system information of the first server 110 and network setting information of the first server 110 . To this end, the database of the first server 110 stores the operating system information of the first server 110 reflecting the real-time state of the first server 110 and the network setting information of the first server 110, The first server 110 may obtain operating system information of the first server 110 and network setting information of the first server 110 from the database.

In step S302 , the first server 110 may analyze the network connection state of the first server 110 based on the operating system information of the first server 110 and the network setting information of the first server 110 . . In this case, the first server 110 may analyze the network connection state of the first server 110 to generate an analysis result for the network connection state of the first server 110 .

In step S303 , the first server 110 may apply the analysis result of the network connection state of the first server 110 to the first artificial neural network previously learned in the first server 110 .

In step S304 , the first server 110 may select a firewall policy suitable for the first server 110 based on the output of the first artificial neural network.

In step S305 , the first server 110 may check whether the policy selected in step S304 is included in the firewall policy of the first server 110 . For example, if the first policy is selected as the firewall policy suitable for the first server 110 , the first server 110 may check whether the first policy is included in the firewall policy of the first server 110 . have.

To this end, information on the firewall policy set in the first server 110 is stored in the database of the first server 110 , and the first server 110 inquires the information on the firewall policy stored in the database to , the firewall policy set in the first server 110 can be checked.

If it is confirmed in step S305 that the first policy is included in the firewall policy of the first server 110 , in step S306 , the first server 110 does not need to change the firewall policy of the first server 110 . can be judged not to be.

After step S306, after a certain period of time, the process returns to step S301, and the first server 110 obtains the operating system information of the first server 110 and the network setting information of the first server 110 again, and the first server A firewall policy suitable for (110) can be selected again.

On the other hand, if it is confirmed in step S305 that the first policy is not included in the firewall policy of the first server 110 , in step S307 , the first server 110 changes the firewall policy of the first server 110 . This may be considered necessary.

In step S308 , the first server 110 may set by adding the selected policy to the firewall policy of the first server 110 . For example, if the first policy is selected as a firewall policy suitable for the first server 110 , the first server 110 may set the firewall policy by adding the first policy to the firewall policy of the first server 110 .

In step S309, when the first policy is additionally registered in the firewall policy of the first server 110, the first server 110 sends a setting change notification message for the firewall policy of the first server 110 to the central server 200 ) can be transmitted. Here, the setting change notification message for the firewall policy of the first server 110 is a notification message for notifying that the first policy is added and set to the firewall policy of the first server 110, and the central server 200 The first policy may be added and registered as the firewall policy of the first server 110 through the setting change notification message for the firewall policy of the first server 110 .

After step S309, after a certain period of time, it returns to step S301, the first server 110 obtains the operating system information of the first server 110 and the network setting information of the first server 110 again, and the first server A firewall policy suitable for (110) can be selected again.

4 is a flowchart illustrating a process of setting a firewall policy by interworking with each server according to an embodiment.

Referring to FIG. 4 , first, in step S401 , the central server 200 operates as the environment of the first operating system among the plurality of servers 100 after the first policy is set as the firewall policy of the first server 110 . The servers may be classified into a first group.

For example, the central server 200 classifies servers operating in an environment of a first operating system into a first group among the plurality of servers 100 , and classifies servers operating in an environment of a second operating system into a second group. can do.

In step S402 , the central server 200 may classify servers that are connected to the first port and perform communication among the servers classified into the first group into the 1-1 group.

For example, the central server 200 classifies servers that are connected to the first port to perform communication among the servers classified into the first group into a 1-1 group, and is connected to the first port to perform communication. Servers may be classified into a 1-2 group.

In step S403 , the central server 200 may confirm that the first server 110 and the second server 120 are classified into the 1-1 group.

In step S404, when the first server 110 and the second server 120 are classified into the 1-1 group, the central server 200 includes the first policy in the firewall policy of the second server 120. You can check whether there is

If it is confirmed in step S404 that the first policy is included in the firewall policy of the second server 120 , in step S405 , the central server 200 does not require a change to the firewall policy of the second server 120 . can be judged as

That is, when the first server 110 and the second server 120 have the same operating system and the same operating port, the first policy selected as a firewall policy suitable for the first server 110 is not only the first server 110 but also the second server 110 . If the second server 120 is already set, the central server 200 may determine that maintenance of the firewall policy of the second server 120 is necessary.

If it is confirmed in step S404 that the first policy is not included in the firewall policy of the second server 120, in step S406, the central server 200 determines that a change to the firewall policy of the second server 120 is required. can judge

That is, when the first server 110 and the second server 120 have the same operating system and the same operating port, the first policy selected as a firewall policy suitable for the first server 110 is set only on the first server 110 , If there is and is not set in the second server 120 , the central server 200 may determine that a change to the firewall policy of the second server 120 is necessary.

In step S407 , the central server 200 may register by adding the first policy to the firewall policy of the second server 120 .

In step S408 , when the first policy is additionally registered in the firewall policy of the second server 120 , the central server 200 sends a setting change command for the firewall policy of the second server 120 to the second server 120 . , the first policy may be controlled to be set as the firewall policy of the second server 120 . Here, the setting change command for the firewall policy of the second server 120 is a command for setting by adding the first policy to the firewall policy of the second server 120, and the second server 120 is the second server ( 120), through the setting change command for the firewall policy, the first policy may be added and set as the firewall policy of the second server 120 .

5 is a flowchart illustrating a process of detecting an approach estimated as an attack and providing a countermeasure according to the number of attacks, according to an exemplary embodiment.

Referring to FIG. 5 , first, in step S501 , the central server 200 may receive monitoring information on network traffic of the first server 110 from the first server 110 . Here, the monitoring information on the network traffic of the first server 110 is monitoring information on which port the connection is made to and the traffic is generated from the first server 110 , and per hour for each IP address connected to the first server 110 . Monitoring information on how much traffic is generated may be included.

In step S502 , the central server 200 may apply the monitoring information for the network traffic of the first server 110 to the second artificial neural network previously learned in the central server 200 .

According to an embodiment, the second artificial neural network may be an algorithm that receives monitoring information on network traffic of a server and outputs a detection result of whether an approach estimated as an attack is detected to the server.

In step S503 , the central server 200 may detect whether an approach estimated as an attack is detected to the first server 110 based on the output of the second artificial neural network.

For example, the central server 200 applies the monitoring information for the network traffic of the first server 110 to the second artificial neural network, and as a result of checking the output of the second artificial neural network, if the output value is “0”, , it is detected that the approach estimated as an attack to the first server 110 is not detected, and when the output value is confirmed as “1”, it may be detected that the approach estimated as an attack to the first server 110 is detected. .

The second artificial neural network may be trained to analyze whether an approach estimated as an attack is detected to the server through monitoring information on network traffic of the server. The second artificial neural network may be learned through a method described later with reference to FIG. 9 . Through this, the second artificial neural network may analyze and output whether an approach estimated as an attack is detected to the server in consideration of the change state of the server's network traffic.

In step S504, the central server 200 checks how many times an attack presumed to be an attack on the first server 110 is detected during the reference period, and the first attack is the number of times the first server 110 is attacked during the reference period. number can be calculated. Here, the reference period may be set differently depending on the embodiment, and steps S501 to S503 may be repeatedly performed during the reference period. Through this, the central server 200 may calculate the number of first attacks by checking how many times an approach estimated as an attack is detected to the first server 110 during the reference period.

In step S505, the central server 200 may check whether the first number of attacks is less than the first reference number. Here, the first reference number may be set differently in proportion to the length of the reference period.

If it is determined in step S505 that the number of first attacks is less than the first reference number, in step S507, the central server 200 may determine the state of the first server 110 as a normal state.

After step S507, after a certain period of time, the process returns to step S501, and the central server 200 receives again monitoring information for the network traffic of the first server 110 from the first server 110, the first number of attacks can be calculated again.

If it is determined in step S505 that the number of first attacks is greater than the first reference number, in step S506 , the central server 200 may check whether the first number of attacks is less than the second reference number. Here, the second reference number may be set to a value greater than the first reference number.

If it is determined in step S506 that the number of first attacks is less than the second reference number, in step S508 , the central server 200 may determine the state of the first server 110 as a warning state.

If it is confirmed in step S506 that the number of first attacks is greater than the second reference number, in step S509, the central server 200 may determine the state of the first server 110 as a dangerous state.

In step S510 , when it is determined that the state of the first server 110 is a warning state, the central server 200 may transmit a notification message warning of an attack of the first server 110 to the first manager terminal. Here, the first manager terminal means a terminal used by the first manager registered as the manager of the first server 110, and the database of the central server 200 stores contact information of the first manager terminal, Through this, the central server 200 may transmit a notification message to the first manager terminal.

In step S511, if the state of the first server 110 is determined to be in a dangerous state, the central server 200 sends a connection blocking command of the first port through which the connection is allowed through the first policy to the first server 110 transmission, the connection through the first port in the first server 110 may be controlled to be blocked.

That is, in the first server 110 , the first policy is set as a firewall policy, and the first policy includes a setting to allow a connection through the first port, so that the network connection state of the first server 110 is In a state in which a connection through the first port is allowed, traffic is generated through the first port, and when the number of attacks through the first port is too large, the central server 200 gives a command to block the connection of the first port. can be transmitted to the first server 110 , so that the connection through the first port is blocked in the first server 110 . In this case, the first server 110 may block the connection of the first port through the connection blocking command of the first port, so that traffic does not occur through the first port.

6 is a flowchart illustrating a process of setting a priority of a firewall policy according to an IP address allowable range according to an exemplary embodiment.

Referring to FIG. 6 , first, in step S601 , the central server 200 may confirm that the first policy and the second policy are registered in the firewall policy of the first server 110 . At this time, the central server 200 obtains information on the firewall policy of the first server 110 from the database, and based on the information on the firewall policy of the first server 110 , the firewall of the first server 110 . You can check which policies are registered in the policy.

In step S602, the central server 200 checks the setting information of the first policy among the firewall policies of the first server 110 to check the first list, which is a list of IP addresses that are allowed to connect through the first policy. can To this end, the database of the central server 200 separates and stores setting information for each policy, and the policy setting information may include list information of allowed IP addresses indicating which IP addresses are allowed.

In step S603, the central server 200 checks the setting information of the second policy among the firewall policies of the first server 110 to check the second list, which is a list of IP addresses that are allowed to connect through the second policy. can

In step S604, the central server 200 may compare the first list and the second list.

In step S605 , as a result of comparing the first list and the second list, the central server 200 may check whether the allowable range of the first list and the allowable range of the second list are the same.

If it is confirmed in step S605 that the allowable range of the first list and the allowable range of the second list are the same, step S701 may be performed, and a detailed description thereof will be described later with reference to FIG. 7 .

If it is determined in step S605 that the allowable range of the first list and the allowable range of the second list are not the same, in step S606, the central server 200 compares the first list and the second list, It may be checked whether the allowable range is wider than the allowable range of the second list.

If it is confirmed in step S606 that the allowable range of the first list is wider than that of the second list, in step S607, the central server 200 sets the priority of the first policy to the first priority, and the priority of the second policy You can set the rank to rank 2.

That is, in the state where the central server 200 has the first policy and the second policy registered as the firewall policy of the first server 110 , the allowable range of the connection through the first policy is higher than the allowable range of the connection through the second policy. In a wide case, the priority of the first policy may be set as the first priority, and the priority of the second policy may be set as the second priority.

If it is confirmed in step S606 that the allowable range of the first list is narrower than the allowable range of the second list, in step S608, the central server 200 sets the priority of the first policy to the second priority, and the priority of the second policy You can set the ranking to 1st priority.

That is, in the state that the central server 200 has the first policy and the second policy registered as the firewall policy of the first server 110 , the allowable range of the connection through the second policy is higher than the allowable range of the connection through the first policy. In a wide case, the priority of the second policy may be set as the first priority, and the priority of the first policy may be set as the second priority.

7 is a flowchart illustrating a process of setting a priority of a firewall policy according to an IP address blocking range according to an embodiment.

Referring to FIG. 7 , first, in step S701 , the central server 200 may confirm that the allowable ranges of the first list and the second list are the same. For example, when the number of IP addresses included in the first list is three and the number of IP addresses included in the second list is three, it can be confirmed that the allowable ranges of the first list and the second list are the same. .

In step S702, the central server 200 checks the setting information of the first policy among the firewall policies of the first server 110, and confirms the third list, which is a list of IP addresses from which connection is blocked through the first policy. can To this end, the database of the central server 200 separates and stores setting information for each policy, and the setting information of the policy may include list information of blocked IP addresses indicating which IP addresses are being blocked.

In step S703, the central server 200 checks the setting information of the second policy among the firewall policies of the first server 110, and checks the fourth list, which is a list of IP addresses from which connection is blocked through the second policy. can

In step S704, the central server 200 may compare the third list and the fourth list.

In step S705, as a result of comparing the third list and the fourth list, the central server 200 may check whether the blocking range of the third list and the blocking range of the fourth list are the same.

If it is confirmed in step S705 that the blocking range of the third list and the blocking range of the fourth list are the same, in step S707, the central server 200 sets the priority of the first policy among the first policy and the second policy as the first priority. can be set.

That is, in the state where the central server 200 has the first policy and the second policy registered as the firewall policy of the first server 110 , the connection allowable range through the first policy and the connection allowable range through the second policy are If the same and the connection blocking range through the first policy and the connection blocking range through the second policy are the same, the priority of the policy set as the firewall policy of the first server 110 among the first policy and the second policy is 1 It may be set as the priority, and the priority of the policy set as the firewall policy of the first server 110 later may be set as the second priority.

If it is confirmed in step S705 that the blocking range of the third list and the blocking range of the fourth list are not the same, in step S706, the central server 200 compares the third list and the fourth list. It may be checked whether the blocking range is narrower than the blocking range of the fourth list.

If it is confirmed in step S706 that the blocking range of the third list is narrower than the blocking range of the fourth list, in step S708, the central server 200 sets the priority of the first policy to the first priority, and the priority of the second policy You can set the rank to rank 2.

That is, in the state where the central server 200 has the first policy and the second policy registered as the firewall policy of the first server 110 , the connection allowable range through the first policy and the connection allowable range through the second policy are In the same case, when the connection blocking range through the first policy is narrower than the connection blocking range through the second policy, the priority of the first policy may be set as the first priority, and the priority of the second policy may be set as the second priority .

If it is confirmed in step S706 that the blocking range of the third list is wider than the blocking range of the fourth list, in step S709, the central server 200 sets the priority of the first policy to the second priority, and the priority of the second policy You can set the ranking to 1st priority.

That is, in the state where the central server 200 has the first policy and the second policy registered as the firewall policy of the first server 110 , the connection allowable range through the first policy and the connection allowable range through the second policy are In the same case, when the connection blocking range through the second policy is narrower than the connection blocking range through the first policy, the priority of the second policy may be set as the first priority, and the priority of the first policy may be set as the second priority .

Meanwhile, the system according to an embodiment may further include a cloud storage and a plurality of parallel servers in addition to the plurality of servers 100 and the central server 200 .

An agent performing the function of a log bot is installed in each of the plurality of servers 100 . That is, the first agent is installed in the first server 110 , and the second agent is installed in the second server 120 .

A plurality of agents are bots that manage logs of a database included in each of the plurality of servers 100, and are included in each of the plurality of servers 100 through a database access control solution (database access tool, program, etc.). By accessing the database, you can monitor the process of changing the information stored in the database, and when information is changed, log data can be created and recorded. Here, the log data may include information about a query used to change information, an IP address that requested information change, and the like.

For example, when the first server 110 and the first user terminal are connected, and a database access program is installed in the first user terminal, by the first query transmitted from the first user terminal, the first server ( 110), when the information stored in the database is changed, the first agent may generate and record log data for the database change based on the first query and the IP address of the first user terminal.

According to an embodiment, the central server 200 may be configured to include cloud storage, a plurality of parallel servers, and a database of the central server 200 .

Cloud storage can be implemented as object storage built to store and retrieve any amount of data from anywhere. Cloud storage may provide a Simple Storage Service (S3), which may refer to an object storage service that provides industry-leading scalability, data availability, and security and performance. This means that customers of all sizes and industries can use the service to acquire as much data as they want across a variety of use cases, such as data lakes, websites, mobile applications, backup and restore, archives, enterprise applications, IoT devices, and big data analytics. can be stored and protected. S3 provides easy-to-use management features so you can organize your data and configure fine-grained access controls according to your specific business, organizational and compliance requirements.

The central server 200 may be an own server owned by a person or an organization that provides services using the central server 200, may be a cloud server, or peer-to-peer (p2p) of distributed nodes. It may be a set. The central server 200 may be configured to perform all or part of an arithmetic function, a storage/referencing function, an input/output function, and a control function of a typical computer.

The central server 200 may control the overall operation of the system by controlling the respective operations of the plurality of agents installed in the plurality of servers 100 , the cloud storage, the plurality of parallel servers, and the databases of the central server 200 .

The plurality of parallel servers is a plurality of servers constituting the Auto Scaling Group, and may include a first parallel server, a second parallel server, and the like.

An auto-scaling policy may be set for a plurality of parallel servers through auto-scaling. The automatic scaling policy is connected to the Auto Scaling Group, which is a bundle of servers, so that the number of servers is kept to a minimum when the service is idle, and the number of servers is increased to the maximum when a load occurs to implement stable and flexible services.

The database of the central server 200 is a database for storing log data and may perform a database function of the central server 200 .

According to an embodiment, the plurality of agents installed in the plurality of servers 100 may extract log data for each of the plurality of servers 100 under the control of the central server 200 . Here, the log data may include information on queries and IP addresses.

That is, the central server 200 may process log data to be extracted for each of the plurality of servers 100 through a plurality of agents installed in each of the plurality of servers 100 .

For example, the first agent installed in the first server 110 extracts log data generated in the first server 110 by changing the information stored in the database of the first server 110, and the second server 120 The second agent installed in may extract log data generated by the second server 120 by changing information stored in the database of the second server 120 .

The first agent and the second agent may be operated under the control of the central server 200, and log data may be extracted whenever log data is newly recorded due to a change in information stored in the database, and may be batched every preset period. log data can also be extracted.

Thereafter, the plurality of agents installed in the plurality of servers 100 may copy the extracted log data into packets under the control of the central server 200 .

That is, the central server 200 may process the extracted log data to be copied into packets through a plurality of agents installed in each of the plurality of servers 100 .

For example, the first agent installed in the first server 110 copies log data extracted from the first server 110 into packets, and the second agent installed in the second server 120 is installed in the second server 120 . ) extracted log data can be copied into packets.

The first agent and the second agent may be operated under the control of the central server 200, and whenever log data is extracted, the extracted log data may be copied into a packet, and the extracted log data may be batch-extracted every preset period. Log data can be replicated in packets.

Thereafter, the plurality of agents installed in the plurality of servers 100 may deliver the replicated log data to the central server 200 .

Specifically, the plurality of agents installed in the plurality of servers 100 may deliver the replicated log data to the cloud storage, and when the replicated log data is delivered from the plurality of agents to the cloud storage, the delivered log data is transferred to the cloud storage. can be saved. Thereafter, the central server 200 may acquire log data stored in the cloud storage.

Thereafter, when the replicated log data is delivered, the central server 200 may process decryption of the delivered log data in parallel. In this case, the central server 200 may parallelly process the decryption of the obtained log data through an auto scaling group connected to the central server 200 .

For example, if the Auto Scaling Group consists of 5 servers, and the number of tasks to be processed to decrypt log data is 10,000, the central server 200 performs 2,000 tasks to be processed. By distributing the distributed work to five parallel servers for processing, decryption of log data can be processed in parallel through a plurality of parallel servers.

Thereafter, the central server 200 may control the operations of the databases of the plurality of parallel servers and the central server 200 to store the decrypted log data in the database of the central server 200 connected to the central server 200 . .

For example, when decryption of log data is processed in parallel through the first parallel server and the second parallel server, the central server 200 decrypts the log data decrypted through the first parallel server and the second parallel server. The collected log data may be combined and processed to be stored in the database of the central server 200 .

That is, as described above, when a packet of log data is copied and delivered to the central server 200 , the central server 200 may acquire the delivered log data and extract a query therefrom. In this case, the central server 200 may control the decryption required for extracting the query to be distributed through a plurality of parallel servers, so that the decryption can be distributed and processed in parallel.

According to an embodiment, the central server 200 may obtain a file list of log data to be processed among log data files stored in the cloud storage. That is, it is possible to obtain a list of files to be processed among the files stored in the cloud storage.

For example, when files for the first log data, the second log data, and the third log data are stored in the cloud storage, the central server 200 provides the first log data, the second log data, and the third log data. It is possible to obtain a file list including

The central server 200 may obtain a file list of log data that needs to process all log data files stored in the cloud storage, and a file list of log data that only needs to process log data files stored within a preset period. can also be obtained with

When it is confirmed that the storage capacity of the cloud storage remains less than or equal to the reference capacity, the central server 200 may obtain a file list of log data to be processed from the cloud storage, and the log to be processed from the cloud storage every preset period. You can get a file list of data.

Thereafter, the central server 200 may generate a list of tasks to be processed using the obtained file list. That is, the central server 200 may generate a list of tasks to be processed through a plurality of parallel servers.

For example, if 10,000 log data is included in the file list, since the central server 200 requires decryption of 10,000 log data, it is possible to generate a list of 10,000 days corresponding to 10,000 log data. can

Thereafter, the central server 200 may distribute tasks included in the list of created tasks, and transmit a processing request for the distributed tasks to a plurality of parallel servers constituting the auto-scaling group, respectively. In this case, the instance of the auto scaling group may request a list of tasks to be processed from the central server 200 . A list of files to be processed and a key file required for decrypting the files are stored in the list of tasks, so that the central server 200 distributes the list of files to be processed and the key file and transmits them to a plurality of parallel servers. .

For example, if a list of jobs numbered from 1 to 6,000 is generated, the central server 200 distributes jobs from 1 to 2,000 as the first job, and assigns jobs from 2001 to 4,000. You can divide it into 2 jobs, and you can divide the jobs 4,001 through 6,000 into 3 jobs. Then, the central server 200 transmits a processing request for the first job to the first parallel server, transmits a processing request for the second job to the second parallel server, and sends the processing request for the third job to the third can be sent to the server.

Thereafter, the central server 200 processes the log data files and key files necessary for processing the distributed work to be delivered from the cloud storage to a plurality of parallel servers, respectively, and the log data files and keys delivered to the plurality of parallel servers. Based on the file, it is possible to process log data decoding and packet analysis in progress. That is, the instance of the auto scaling group downloads the file specified in the list and the key file required for processing from the cloud storage, and a plurality of parallel servers can perform decryption and packet analysis. In this case, packet analysis can be performed using Tshark, a Terminal version of Wireshark.

For example, tasks 1 through 2,000 are distributed as the first task, tasks 2001 through 4,000 are distributed as the second task, tasks 4001 through 6,000 are distributed as the third task, and so on, When the processing for the first job is requested to the first parallel server, the processing for the second job is requested to the second parallel server, and the processing for the third job is requested to the third server, the first parallel server is In order to process 1 task, log data files from 1 to 2,000 and key files are obtained from cloud storage, decryption and packet analysis are performed on log data from 1 to 2,000, and a second parallel server to process the second job, obtains the log data from 2001 to 4,000 and key files from cloud storage, decrypts the log data from 2001 to 4,000, and analyzes the packet, and the third server to process the third task, may obtain log data and key files from number 4,001 to number 6,000 from the cloud storage, and perform decryption and packet analysis on log data number 4,001 to number 6,000.

Thereafter, when decoding and packet analysis of log data are performed through the plurality of parallel servers, the central server 200 may store the analysis results extracted through the decoding and packet analysis of the log data in the database of the central server 200 . . That is, the analysis result may be stored in the database of the central server 200 .

Thereafter, the central server 200 may check the processed file through the analysis result stored in the database of the central server 200 , and process the processed file to be deleted from the cloud storage. That is, the processed file can be deleted from the cloud storage.

For example, when decryption and packet analysis of log data from Nos. 1 to 6,000 are completed, and the analysis results for log data Nos. 1 to No. 6,000 are stored in the database of the central server 200, cloud storage The log data files numbered 1 to 6,000 stored in .

According to an embodiment, the access program installed in the external terminal connected to the first server 110 may transmit a DB change request to the database of the first server 110 . That is, various access programs such as ERP, Toad program, DB Log Manager may send a request to each of the plurality of servers 100 .

Thereafter, when the access program transmits a DB change request to the first server 110 , the central server 200 filters only the change request transmitted to the first port through the first agent installed in the first server 110 . Thus, log data can be captured as packets and processed to be saved as files. Here, the first port may mean a port to which a connection is allowed through the first policy.

That is, when various access programs such as ERP, Toad program, DB Log Manager, etc. send a request to each of the plurality of servers 100, the DB agent keeps all packets coming to each of the plurality of servers 100 in a sniffing method. By looking at it, you can filter and store only requests coming to the database dedicated communication port (eg, 3306). In this case, the DB agent can capture and store packets by using Gopacket, and store the captured packets in the form of a pcap file by 10,000.

Thereafter, the central server 200 may process the log data captured as packets and stored as files to be transferred from the first agent to the cloud storage. That is, the pcap file saved by the DB agent can be transferred to the cloud storage.

According to an embodiment, the database of the first server 110 must set the protocol according to the method used in the DB Log in advance for the security protocol (TLS) to be used in the communication process with the outside.

Since the DB log requires an external decryption process using the database server's private key, the encryption protocol using the Diffie-Hellman key exchange method cannot be used.

The Diffie-Hellman method is a method that cannot be decrypted from the outside because the key is dynamically generated during the communication process. Therefore, it is necessary to set only Cipher Suites to be used except for the method in which “ECDHE” or “DHE” is entered.

8 is a diagram for explaining learning of a first artificial neural network according to an embodiment.

According to an embodiment, the first artificial neural network may be separately configured by being included in each of the central server 200 and the first server 110 , or may be integrated into one.

The first artificial neural network may be an algorithm to analyze and output a firewall policy suitable for the server after receiving an analysis result of the network connection state of the server. The device in which the first artificial neural network is learned may be the same device as the central server 200 or the first server 110 that analyzes which policy is suitable for the server using the learned first artificial neural network, and may be a separate device. It may be a device of Hereinafter, a process in which the first artificial neural network is trained will be described.

First, in step S801 , the central server 200 or the first server 110 may generate an input based on the analysis result of the server's network connection state.

Specifically, the central server 200 or the first server 110 may perform a process of preprocessing the analysis result of the network connection state of the server. The analysis result of the network connection state on which the preprocessing has been performed may be used as it is as an input of the first artificial neural network, or the input may be generated through a normal process of removing unnecessary information.

In step S802 , the central server 200 or the first server 110 may apply an input to the first artificial neural network. The first artificial neural network may be an artificial neural network trained according to reinforcement learning. The first artificial neural network may be a Q-Network, a Depp Q-Network (DQN), or a relational network (RL) structure suitable for outputting abstract reasoning through reinforcement learning.

The first artificial neural network trained according to reinforcement learning may be updated and optimized by reflecting the evaluation in various rewards. For example, the first reward may increase as a firewall policy suitable for the server is selected in consideration of the server's network connection state, and the second reward does not select a firewall policy that is not suitable for the server in consideration of the server's network connection state. If not, it may be higher.

In step S803 , the central server 200 or the first server 110 may obtain an output from the first artificial neural network. The output of the first artificial neural network may be information on a firewall policy suitable for the server. In this case, the first artificial neural network may select a firewall policy suitable for the server in consideration of the network connection state of the server, and output information on the firewall policy most suitable for the server.

In step S804 , the central server 200 or the first server 110 may evaluate the output of the first artificial neural network and pay a reward. In this case, the evaluation of the output may be divided into a first compensation, a second compensation, and the like.

Specifically, the central server 200 or the first server 110 provides a larger amount of first reward as a firewall policy suitable for the server is selected in consideration of the server's network connection state, and the server's network connection state is taken into consideration. The higher the secondary reward, the less the inappropriate firewall policy is selected.

In step S805, the central server 200 or the first server 110 may update the first artificial neural network based on the evaluation.

Specifically, the central server 200 or the first server 110 maximizes the expected value of the sum of the rewards in an environment in which the first artificial neural network analyzes the firewall policy most suitable for the server. As much as possible, the first artificial neural network may be updated through a process of optimizing a policy for determining actions to be taken in specific states.

For example, if the central server 200 or the first server 110 has a problem in selecting the second policy as a firewall policy suitable for the first server 110, there is a problem in selecting the second policy Generates first learning data including information indicating To prevent this from happening, the first artificial neural network may be updated through the process of learning the first artificial neural network.

Meanwhile, the process of optimizing the policy may be performed through the process of estimating the maximum value of the expected value of the sum of rewards or the maximum value of the Q-function, or estimating the minimum value of the loss function of the Q-function. Estimation of the minimum value of the loss function may be performed through stochastic gradient descent (SGD) or the like. The process of optimizing the policy is not limited thereto, and various optimization algorithms used in reinforcement learning may be used.

The central server 200 or the first server 110 may gradually update the first artificial neural network by repeating the learning process of the first artificial neural network as described above.

Specifically, the central server 200 or the first server 110 selects a firewall policy suitable for the server, including items such as forwarding type, protocol, externally allowed IP address, external blocked IP address, virtual port, and operating port. Considering all of them, after selecting the most suitable firewall policy for the server, it is possible to train the first artificial neural network to output information about the selected firewall policy.

Through this, the central server 200 or the first server 110 may learn the first artificial neural network that analyzes and outputs a firewall policy suitable for the server after receiving the analysis result of the server's network connection state.

That is, when the central server 200 or the first server 110 analyzes the firewall policy suitable for the server through the analysis result of the server's network connection state, reinforcement learning through the first reward, the second reward, etc. Reflecting, by adjusting the analysis criteria, it is possible to train the first artificial neural network.

9 is a diagram for explaining learning of a second artificial neural network according to an embodiment.

According to an embodiment, the second artificial neural network may be an algorithm that receives monitoring information on network traffic of a server and outputs a detection result of whether an approach estimated as an attack is detected to the server. The device for learning the second artificial neural network may be the same device as the central server 200 that analyzes whether the server has been attacked using the learned second artificial neural network, or may be a separate device. Hereinafter, a process for learning the second artificial neural network will be described.

First, in step S901 , the central server 200 may generate an input based on monitoring information for network traffic of the server.

Specifically, the central server 200 may perform a process of pre-processing monitoring information for network traffic of the server. The monitoring information on the network traffic of the server on which the preprocessing has been performed may be used as it is as an input of the second artificial neural network, or the input may be generated through a normal process of removing unnecessary information.

In step S902, the central server 200 may apply an input to the second artificial neural network. The second artificial neural network may be an artificial neural network trained according to reinforcement learning. The second artificial neural network may be a Q-Network, a Depp Q-Network (DQN), or a relational network (RL) structure suitable for outputting abstract reasoning through reinforcement learning.

The second artificial neural network trained according to reinforcement learning may be updated and optimized by reflecting the evaluation in various rewards. For example, the first reward may increase the reward value when it detects that an access estimated as an attack is detected as the server's network traffic is excessively generated. If the server detects that an approach that is presumed to be an attack is detected, the reward value may be increased.

In step S903, the central server 200 may obtain an output from the second artificial neural network. The output of the second artificial neural network is a detection result of whether an approach estimated as an attack is detected by the server.

The second artificial neural network may analyze whether an approach estimated as an attack is detected to the server through monitoring information on network traffic of the server, and may output a detection result of whether an approach estimated as an attack is detected to the server.

In step S904 , the central server 200 may evaluate the output of the second artificial neural network and pay a reward. In this case, the evaluation of the output may be divided into a first compensation, a second compensation, and the like.

Specifically, the central server 200 grants a large amount of the first reward when it detects that the server detects that an attack presumed to be an attack is detected as the server's network traffic is excessively generated. A large second reward may be awarded if an approach presumed to be an attack is detected as being detected.

In step S905, the central server 200 may update the second artificial neural network based on the evaluation.

Specifically, the central server 200 analyzes whether or not the second artificial neural network detects whether an approach estimated as an attack to the server is detected through the monitoring information on the server's network traffic. The second artificial neural network may be updated through a process of optimizing a policy that determines actions to be taken in specific states so that the expectation of consensus is maximized.

Meanwhile, the process of optimizing the policy may be performed through the process of estimating the maximum value of the expected value of the sum of rewards or the maximum value of the Q-function, or estimating the minimum value of the loss function of the Q-function. Estimation of the minimum value of the loss function may be performed through stochastic gradient descent (SGD) or the like. The process of optimizing the policy is not limited thereto, and various optimization algorithms used in reinforcement learning may be used.

The central server 200 may gradually update the second artificial neural network by repeating the learning process of the second artificial neural network as described above. Through this, the central server 200 may learn the second artificial neural network that outputs the detection result of whether an approach estimated as an attack is detected to the server through the monitoring information on the network traffic of the server.

That is, the central server 200 reflects reinforcement learning through the first reward, the second reward, etc. when analyzing whether an access estimated as an attack is detected to the server through the monitoring information on the network traffic of the server. , by adjusting the analysis criteria, it is possible to train the second artificial neural network.

10 is an exemplary diagram of a configuration of an apparatus according to an embodiment.

The apparatus 1000 according to one embodiment includes a processor 1001 and a memory 1002 . The processor 1001 may include at least one of the devices described above with reference to FIGS. 1 to 9 , or perform at least one method described above with reference to FIGS. 1 to 9 . Specifically, the apparatus 1000 may be a server, a user terminal, or an artificial neural network learning apparatus. A person or organization using the apparatus 1000 may provide a service related to some or all of the methods described above with reference to FIGS. 1 to 9 .

The memory 1002 may store information related to the methods described above or a program in which the methods described below are implemented. Memory 1002 may be volatile memory or non-volatile memory.

The processor 1001 may execute a program and control the apparatus 1000 . The code of the program executed by the processor 1001 may be stored in the memory 1002 . The device 1000 may be connected to an external device (eg, a personal computer or a network) through an input/output device (not shown), and may exchange data through wired/wireless communication.

The apparatus 1000 may be used to train an artificial neural network or to use a learned artificial neural network. Memory 1002 may include a learning or learned artificial neural network. The processor 1001 may learn or execute an artificial neural network algorithm stored in the memory 1002 . The apparatus 1000 for training an artificial neural network and the apparatus 1000 for using the learned artificial neural network may be the same or may be separate.

The embodiments described above may be implemented by a hardware component, a software component, and/or a combination of a hardware component and a software component. For example, the apparatus, methods and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate (FPGA). array), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that may include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

The software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. , or may be permanently or temporarily embody in a transmitted signal wave. The software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

As described above, although the embodiments have been described with reference to the limited drawings, those skilled in the art may apply various technical modifications and variations based on the above. For example, the described techniques are performed in a different order than the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (5)

In the method of controlling the policy setting of the host firewall based on artificial intelligence, performed by a central server,
receiving operating system information of the first server and network setting information of the first server from a first server that is any one of a plurality of servers connected to the central server through an internal network;
analyzing a network connection state of the first server based on the operating system information of the first server and the network setting information of the first server;
applying an analysis result of the network connection state of the first server to a first artificial neural network in the central server, and selecting a firewall policy suitable for the first server based on the output of the first artificial neural network;
when a first policy is selected as a firewall policy suitable for the first server, checking whether the first policy is included in the firewall policy of the first server;
if it is confirmed that the first policy is not included in the firewall policy of the first server, adding and registering the first policy to the firewall policy of the first server;
When the first policy is additionally registered in the firewall policy of the first server, a setting change command for the firewall policy of the first server is transmitted to the first server, so that the first policy is applied to the firewall of the first server controlling to be set as a policy;
receiving monitoring information on network traffic of the first server from the first server;
By applying monitoring information on network traffic of the first server to a second artificial neural network in the central server, based on the output of the second artificial neural network, it is determined whether an approach estimated as an attack is detected to the first server. detecting;
calculating the number of first attacks, which is the number of times that the first server has been attacked during the reference period, by checking how many times the access estimated as an attack is detected by the first server during a preset reference period;
checking whether the first number of attacks is less than a preset first reference number;
determining the state of the first server as a normal state when it is confirmed that the first number of attacks is less than the first reference number;
when it is confirmed that the first number of attacks is greater than the first reference number, determining whether the first number of attacks is less than a preset second reference number;
determining the state of the first server as a warning state when it is confirmed that the first number of attacks is less than the second reference number;
determining the state of the first server as a critical state when it is confirmed that the first number of attacks is greater than the second reference number;
transmitting a notification message warning of an attack of the first server to a first administrator terminal registered as an administrator of the first server when the state of the first server is determined to be a warning state; and
If it is determined that the state of the first server is in a critical state, a connection blocking command of the first port that is allowed to be connected through the first policy is transmitted to the first server, and the first server receives the first port Including the step of controlling the connection through the blocking,
How to control policy settings for an AI-based host firewall. The method of claim 1,
After the step of controlling the first policy to be set as the firewall policy of the first server,
classifying servers operating in an environment of a first operating system among the plurality of servers into a first group;
classifying servers that are connected to a first port and perform communication among the servers classified into the first group into a 1-1 group;
when the first server and the second server are classified into the 1-1 group, checking whether the first policy is included in the firewall policy of the second server;
if it is confirmed that the first policy is not included in the firewall policy of the second server, adding and registering the first policy to the firewall policy of the second server; and
When the first policy is additionally registered in the firewall policy of the second server, a setting change command for the firewall policy of the second server is transmitted to the second server, so that the first policy is applied to the firewall of the second server Further comprising the step of controlling to be set as a policy,
How to control policy settings for an AI-based host firewall. delete The method of claim 1,
After the step of controlling the first policy to be set as the firewall policy of the first server,
When the first policy and the second policy are registered in the firewall policy of the first server, the connection is made through the first list and the second policy, which is a list of IP addresses that are allowed to connect through the first policy. checking a second list that is a list of allowed IP addresses;
As a result of comparing the first list and the second list, if it is confirmed that the first list has a wider allowable range than the second list, the priority of the first policy is set as the first priority, and the second policy setting the priority of the to second priority;
As a result of comparing the first list and the second list, if it is confirmed that the first list has a narrower allowable range than the second list, the priority of the first policy is set to the second priority, and the second policy setting the priority of
As a result of comparing the first list and the second list, if it is confirmed that the allowable ranges of the first list and the second list are the same, the third list of IP addresses whose connection is blocked through the first policy checking the list and a fourth list that is a list of IP addresses whose connection is blocked through the second policy;
As a result of comparing the third list and the fourth list, if it is confirmed that the third list has a narrower blocking range than the fourth list, the priority of the first policy is set as the first priority, and the second policy setting the priority of the to second priority; and
As a result of comparing the third list and the fourth list, if it is confirmed that the third list has a wider blocking range than the fourth list, the priority of the first policy is set to the second priority, and the second policy is Further comprising the step of setting the priority of
How to control policy settings for an AI-based host firewall. delete

Images