KR102438865B1 - Method and apparatus for security of data using text filtering - Google Patents

Abstract

The embodiments relate to a data security method using text filtering. According to embodiments, the method comprises: an operation of detecting, by an event detection part of a terminal, an operation signal of an Android application package file (APK); an operation of transmitting, by a transceiver of the terminal, a data packet stored in the terminal to a security server, which is externally transmitted according to a transmission request of the Android application package file, in response to the operation signal; and an operation of analyzing, by a correlation analysis part of the security server, a correlation of the data packet and obtaining the correlation instant information of the data packet. Therefore, the present invention is capable of reducing a load.

Description

Data security method using text filtering

Embodiments of the present invention relate to a technology for securing data, and to a technology for securing data using text filtering.

The present invention relates to tracking and detecting a victim's personal information data leaked through a phishing crime, and more specifically, extracting a keyword of the victim's personal information data and comparing it with keywords distributed online Data can be tracked and detected.

Embodiments provide a data security system that can reduce the load by reducing the number of matching by filtering the processed degree of text data before the matching of web crawled text data and the user's personal information is less than a threshold value.

The technical problems to be achieved in the embodiments are not limited to those mentioned above, and other technical problems not mentioned may be considered by those of ordinary skill in the art from various embodiments to be described below. can

According to embodiments, the operation of detecting an operation signal of an Android application package file (Android application package file, APK) by the event detection unit of the terminal; transmitting, by the transceiver of the terminal in response to the operation signal, a data packet stored in the terminal, which is transmitted to the outside in response to a transmission request of the Android application package file, to a security server; analyzing, by the correlation analysis unit of the security server, the correlation of the data packet, and obtaining correlation instance information of the data packet; retrieving, by the matching unit of the security server, correlation registration information matching the correlation instance information of the data packet in the virtualization database of the security server; transmitting, by the transceiver of the security server, a transmission blocking request signal to the transceiver of the terminal when the correlation registration information matching the correlation instance information is found; When the correlation registration information matching the correlation instance information is not found, determining whether to transmit the data packet to the network based on the communication management information of the data packet, by the control unit of the terminal ; performing a simulation by inputting the mirror packet into the virtual machine of the terminal by the simulation performing unit; determining, by the switch of the terminal, whether to forward the data packet to the transceiver of the terminal based on a result of the simulation; collecting, by the crawling unit of the terminal, text data related to the user's personal information included in the data packet when it is determined to transmit the data packet to the transceiver of the terminal based on the result of the simulation; calculating, by the text matching unit of the terminal, a processing rate of text data related to the personal information; and determining, by the text matching unit of the terminal, that the user's personal information included in the data packet has been exposed when the processing rate of the text data is less than a threshold, wherein the payload analysis unit of the terminal includes: Determining whether to transmit the packet includes determining whether to transmit the mirror packet to a simulation performing unit based on a result of the analysis of the payload by the payload analysis unit of the terminal, The payload analysis model includes a protocol analysis unit, a user behavior analysis unit, a packet analysis unit, a user-defined abnormality analysis unit, and an abnormality characteristic analysis unit, and the operation of outputting the abnormality characteristic vector includes: Payload analysis of the terminal outputting a protocol analysis vector by inputting, by a unit, protocol information of the mirror packet to the protocol analysis unit; outputting a user behavior analysis vector by inputting user behavior information related to the data packet to the user behavior analysis unit by the payload analyzer of the terminal; outputting a packet analysis vector by inputting the payload of the mirror packet to the packet analysis unit by the payload analysis unit of the terminal; outputting a user-defined anomaly analysis vector by inputting the payload of the mirror packet to the user-defined abnormality analysis unit by the payload analysis unit of the terminal; outputting a concatenated vector by performing concatenation on the protocol analysis vector, the user behavior analysis vector, the packet analysis vector, and the user-defined anomaly analysis vector by the payload analysis unit of the terminal; and inputting the combined vector into the abnormality characteristic analysis unit by the payload analysis unit of the terminal to output the abnormality characteristic vector, wherein the central group three-dimensional model is determined to be normal, and a plurality of pluralities above a threshold density are determined to be normal. represents the three-dimensional model of the multi-dimensional space separated by a minimum boundary distance in the normal direction from the central group including the normal feature vector of The method may further include updating, by the payload analyzer, the central group three-dimensional model based on the non-stationary feature vector.

The operation of calculating the processing rate includes, by the text matching unit of the terminal, the number of times the text data is transmitted between the pre-seed value of the personal information and the plurality of C&C servers. It may include an operation of calculating the machining rate.

The method may further include, by the virtualization unit of the security server, virtualizing an internal database of the security server and an external database of one or more external servers to generate a virtualized database.

The operation of generating the virtualized database includes generating correlation hierarchical information for correlation registration information stored in an internal database of the security server and correlation registration information stored in the external database, virtualization database The operation of retrieving may include an operation of searching for correlation registration information matching the correlation instance information based on the correlation hierarchical information.

In the case where the correlation registration information matching the correlation instance information is not found, the determining whether to transmit by the control unit of the terminal includes, by the control unit of the terminal, communication management information of the data packet determining whether to forward the data packet to a switch of the terminal based on and determining, by the switch of the terminal, whether to transmit the data packet to the network based on a result of the pattern analysis.

The operation of determining whether to transmit the mirror packet to the simulation performing unit may include, by the simulation performing unit, inputting the mirror packet into a virtual machine of the terminal to perform a simulation; and determining, by the switch of the terminal, whether to transmit the data packet to the transceiver of the terminal based on a result of the simulation.

The method further includes an operation of classifying one piece of personal information among a plurality of personal information using a personal information relevance model as an input of the text data, wherein the personal information relevance model includes an input layer, one or more hidden layers and an output layer. Including, each training data consisting of training text data and a label of correct personal information is input to the input layer of the personal information relevance model and passes through the one or more hidden layers and output layers to output an output vector, The output vector is input to a loss function layer connected to the output layer, and the loss function layer outputs a loss value using a loss function that compares the output vector with a correct vector for each training data, and the personal information related The parameters of the model are learned in a direction in which the loss value becomes smaller,

[Equation]

The loss function follows the above equation, where n is the number of training data for each class, y and j are identifiers representing classes, C is a constant value, M is the number of classes, and x_y is the number of training data for each class. A probability value belonging to , x_j may mean a probability value that the training data belongs to class j, and L may mean a loss value.

According to embodiments, the data security system may reduce the load by reducing the number of matching by filtering the case where the processing degree of the text data is less than a threshold before matching between the web crawled text data and the user's personal information.

Effects obtainable from the embodiments are not limited to the effects mentioned above, and other effects not mentioned are clearly derived and understood by those of ordinary skill in the art based on the following detailed description. can be

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included as part of the detailed description to aid understanding of the embodiments, provide various embodiments and, together with the detailed description, explain technical features of the various embodiments.
1 is a diagram illustrating a configuration of an electronic device according to an exemplary embodiment.
2 is a diagram illustrating a configuration of a program according to an exemplary embodiment.
3 is a diagram illustrating an overall configuration of a data security system according to an embodiment.
4 is a diagram illustrating a configuration of a security server according to an embodiment.
5 is a diagram illustrating a configuration of a terminal according to an embodiment.
6 is a flowchart illustrating an example of a data security method according to an embodiment.
7 is a diagram illustrating a central group three-dimensional model of a multidimensional space according to an exemplary embodiment.
8 is a flowchart illustrating an operation of a data security method according to an embodiment.

The following embodiments combine elements and features of the embodiments in a predetermined form. Each component or feature may be considered optional unless explicitly stated otherwise. Each component or feature may be implemented in a form that is not combined with other components or features. In addition, various embodiments may be configured by combining some components and/or features. The order of operations described in various embodiments may be changed. Some features or features of one embodiment may be included in another embodiment, or may be replaced with corresponding features or features of another embodiment.

In the description of the drawings, procedures or steps that may obscure the gist of various embodiments are not described, and procedures or steps that can be understood at the level of those of ordinary skill in the art are also not described. did.

Throughout the specification, when a part is said to "comprising or including" a certain component, it does not exclude other components unless otherwise stated, meaning that other components may be further included. do. In addition, terms such as "... unit", "... group", and "module" described in the specification mean a unit that processes at least one function or operation, which is hardware or software or a combination of hardware and software. can be implemented as Also, "a or an", "one", "the" and like related terms are used herein in the context of describing various embodiments (especially in the context of the claims that follow). Unless otherwise indicated or clearly contradicted by context, it may be used in a sense including both the singular and the plural.

Hereinafter, embodiments according to various embodiments will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION The detailed description set forth below in conjunction with the appended drawings is intended to describe exemplary embodiments of various embodiments, and is not intended to represent the only embodiments.

In addition, specific terms used in various embodiments are provided to help the understanding of various embodiments, and the use of these specific terms may be changed to other forms without departing from the technical spirit of various embodiments. .

1 is a diagram illustrating a configuration of an electronic device according to an exemplary embodiment.

1 is a block diagram of an electronic device 101 in a network environment 100, according to various embodiments. Referring to FIG. 1 , in a network environment 100 , an electronic device 101 communicates with an electronic device 102 through a first network 198 (eg, a short-range wireless communication network) or a second network 199 . It may communicate with at least one of the electronic device 104 and the server 108 through (eg, a long-distance wireless communication network). According to an embodiment, the electronic device 101 may communicate with the electronic device 104 through the server 108 . According to an embodiment, the electronic device 101 includes a processor 120 , a memory 130 , an input module 150 , a sound output module 155 , a display module 160 , an audio module 170 , and a sensor module ( 176), interface 177, connection terminal 178, haptic module 179, camera module 180, power management module 188, battery 189, communication module 190, subscriber identification module 196 , or an antenna module 197 . In some embodiments, at least one of these components (eg, the connection terminal 178 ) may be omitted or one or more other components may be added to the electronic device 101 . In some embodiments, some of these components (eg, sensor module 176 , camera module 180 , or antenna module 197 ) are integrated into one component (eg, display module 160 ). can be The electronic device 101 may also be referred to as a client, a terminal, or a peer.

The processor 120, for example, executes software (eg, a program 140) to execute at least one other component (eg, a hardware or software component) of the electronic device 101 connected to the processor 120. It can control and perform various data processing or operations. According to one embodiment, as at least part of data processing or operation, the processor 120 converts commands or data received from other components (eg, the sensor module 176 or the communication module 190 ) to the volatile memory 132 . may be stored in , process commands or data stored in the volatile memory 132 , and store the result data in the non-volatile memory 134 . According to an embodiment, the processor 120 is the main processor 121 (eg, a central processing unit or an application processor) or a secondary processor 123 (eg, a graphic processing unit, a neural network processing unit (eg, a graphic processing unit, a neural network processing unit) a neural processing unit (NPU), an image signal processor, a sensor hub processor, or a communication processor). For example, when the electronic device 101 includes the main processor 121 and the sub-processor 123 , the sub-processor 123 uses less power than the main processor 121 or is set to be specialized for a specified function. can The auxiliary processor 123 may be implemented separately from or as a part of the main processor 121 .

The secondary processor 123 may, for example, act on behalf of the main processor 121 while the main processor 121 is in an inactive (eg, sleep) state, or when the main processor 121 is active (eg, executing an application). ), together with the main processor 121, at least one of the components of the electronic device 101 (eg, the display module 160, the sensor module 176, or the communication module 190) It is possible to control at least some of the related functions or states. According to an embodiment, the coprocessor 123 (eg, an image signal processor or a communication processor) may be implemented as part of another functionally related component (eg, the camera module 180 or the communication module 190 ). have. According to an embodiment, the auxiliary processor 123 (eg, a neural network processing device) may include a hardware structure specialized for processing an artificial intelligence model. Artificial intelligence models can be created through machine learning. Such learning may be performed, for example, in the electronic device 101 itself on which the artificial intelligence model is performed, or may be performed through a separate server (eg, the server 108). The learning algorithm may include, for example, supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning, but in the above example not limited The artificial intelligence model may include a plurality of artificial neural network layers. Artificial neural networks include deep neural networks (DNNs), convolutional neural networks (CNNs), recurrent neural networks (RNNs), restricted boltzmann machines (RBMs), deep belief networks (DBNs), bidirectional recurrent deep neural networks (BRDNNs), It may be one of deep Q-networks or a combination of two or more of the above, but is not limited to the above example. The artificial intelligence model may include, in addition to, or alternatively, a software structure in addition to the hardware structure.

The memory 130 may store various data used by at least one component (eg, the processor 120 or the sensor module 176 ) of the electronic device 101 . The data may include, for example, input data or output data for software (eg, the program 140 ) and instructions related thereto. The memory 130 may include a volatile memory 132 or a non-volatile memory 134 .

The program 140 may be stored as software in the memory 130 , and may include, for example, an operating system 142 , middleware 144 , or an application 146 .

The input module 150 may receive a command or data to be used by a component (eg, the processor 120 ) of the electronic device 101 from the outside (eg, a user) of the electronic device 101 . The input module 150 may include, for example, a microphone, a mouse, a keyboard, a key (eg, a button), or a digital pen (eg, a stylus pen).

The sound output module 155 may output a sound signal to the outside of the electronic device 101 . The sound output module 155 may include, for example, a speaker or a receiver. The speaker can be used for general purposes such as multimedia playback or recording playback. The receiver can be used to receive incoming calls. According to one embodiment, the receiver may be implemented separately from or as part of the speaker.

The display module 160 may visually provide information to the outside (eg, a user) of the electronic device 101 . The display module 160 may include, for example, a control circuit for controlling a display, a hologram device, or a projector and a corresponding device. According to an embodiment, the display module 160 may include a touch sensor configured to sense a touch or a pressure sensor configured to measure the intensity of a force generated by the touch.

The audio module 170 may convert a sound into an electric signal or, conversely, convert an electric signal into a sound. According to an embodiment, the audio module 170 acquires a sound through the input module 150 , or an external electronic device (eg, a sound output module 155 ) connected directly or wirelessly with the electronic device 101 . The electronic device 102) (eg, a speaker or headphones) may output a sound.

The sensor module 176 detects an operating state (eg, power or temperature) of the electronic device 101 or an external environmental state (eg, a user state), and generates an electrical signal or data value corresponding to the sensed state. can do. According to an embodiment, the sensor module 176 may include, for example, a gesture sensor, a gyro sensor, a barometric pressure sensor, a magnetic sensor, an acceleration sensor, a grip sensor, a proximity sensor, a color sensor, an IR (infrared) sensor, a biometric sensor, It may include a temperature sensor, a humidity sensor, or an illuminance sensor.

The interface 177 may support one or more specified protocols that may be used by the electronic device 101 to directly or wirelessly connect with an external electronic device (eg, the electronic device 102 ). According to an embodiment, the interface 177 may include, for example, a high definition multimedia interface (HDMI), a universal serial bus (USB) interface, an SD card interface, or an audio interface.

The connection terminal 178 may include a connector through which the electronic device 101 can be physically connected to an external electronic device (eg, the electronic device 102 ). According to an embodiment, the connection terminal 178 may include, for example, an HDMI connector, a USB connector, an SD card connector, or an audio connector (eg, a headphone connector).

The haptic module 179 may convert an electrical signal into a mechanical stimulus (eg, vibration or movement) or an electrical stimulus that the user can perceive through tactile or kinesthetic sense. According to an embodiment, the haptic module 179 may include, for example, a motor, a piezoelectric element, or an electrical stimulation device.

The camera module 180 may capture still images and moving images. According to an embodiment, the camera module 180 may include one or more lenses, image sensors, image signal processors, or flashes.

The power management module 188 may manage power supplied to the electronic device 101 . According to an embodiment, the power management module 188 may be implemented as, for example, at least a part of a power management integrated circuit (PMIC).

The battery 189 may supply power to at least one component of the electronic device 101 . According to one embodiment, battery 189 may include, for example, a non-rechargeable primary cell, a rechargeable secondary cell, or a fuel cell.

The communication module 190 is a direct (eg, wired) communication channel or a wireless communication channel between the electronic device 101 and an external electronic device (eg, the electronic device 102, the electronic device 104, or the server 108). It can support establishment and communication performance through the established communication channel. The communication module 190 may include one or more communication processors that operate independently of the processor 120 (eg, an application processor) and support direct (eg, wired) communication or wireless communication. According to one embodiment, the communication module 190 is a wireless communication module 192 (eg, a cellular communication module, a short-range communication module, or a global navigation satellite system (GNSS) communication module) or a wired communication module 194 (eg, : It may include a local area network (LAN) communication module, or a power line communication module). A corresponding communication module among these communication modules is a first network 198 (eg, a short-range communication network such as Bluetooth, wireless fidelity (WiFi) direct, or infrared data association (IrDA)) or a second network 199 (eg, legacy It may communicate with the external electronic device 104 through a cellular network, a 5G network, a next-generation communication network, the Internet, or a computer network (eg, a telecommunication network such as a LAN or a WAN). These various types of communication modules may be integrated into one component (eg, a single chip) or may be implemented as a plurality of components (eg, multiple chips) separate from each other. The wireless communication module 192 uses subscriber information (eg, International Mobile Subscriber Identifier (IMSI)) stored in the subscriber identification module 196 within a communication network such as the first network 198 or the second network 199 . The electronic device 101 may be identified or authenticated.

The wireless communication module 192 may support a 5G network after a 4G network and a next-generation communication technology, for example, a new radio access technology (NR). NR access technology includes high-speed transmission of high-capacity data (eMBB (enhanced mobile broadband)), minimization of terminal power and access to multiple terminals (mMTC (massive machine type communications)), or high reliability and low latency (URLLC (ultra-reliable and low-latency) -latency communications)). The wireless communication module 192 may support a high frequency band (eg, mmWave band) to achieve a high data rate, for example. The wireless communication module 192 uses various techniques for securing performance in a high-frequency band, for example, beamforming, massive multiple-input and multiple-output (MIMO), all-dimensional multiplexing. It may support technologies such as full dimensional MIMO (FD-MIMO), an array antenna, analog beam-forming, or a large scale antenna. The wireless communication module 192 may support various requirements defined in the electronic device 101 , an external electronic device (eg, the electronic device 104 ), or a network system (eg, the second network 199 ). According to an embodiment, the wireless communication module 192 may include a peak data rate (eg, 20 Gbps or more) for realizing eMBB, loss coverage (eg, 164 dB or less) for realizing mMTC, or U-plane latency for realizing URLLC ( Example: Downlink (DL) and uplink (UL) each 0.5 ms or less, or round trip 1 ms or less) can be supported.

The antenna module 197 may transmit or receive a signal or power to the outside (eg, an external electronic device). According to an embodiment, the antenna module 197 may include an antenna including a conductor formed on a substrate (eg, a PCB) or a radiator formed of a conductive pattern. According to an embodiment, the antenna module 197 may include a plurality of antennas (eg, an array antenna). In this case, at least one antenna suitable for a communication method used in a communication network such as the first network 198 or the second network 199 is connected from the plurality of antennas by, for example, the communication module 190 . can be selected. A signal or power may be transmitted or received between the communication module 190 and an external electronic device through the selected at least one antenna. According to some embodiments, other components (eg, a radio frequency integrated circuit (RFIC)) other than the radiator may be additionally formed as a part of the antenna module 197 .

According to various embodiments, the antenna module 197 may form a mmWave antenna module. According to one embodiment, the mmWave antenna module comprises a printed circuit board, an RFIC disposed on or adjacent to a first side (eg, bottom side) of the printed circuit board and capable of supporting a designated high frequency band (eg, mmWave band); and a plurality of antennas (eg, an array antenna) disposed on or adjacent to a second side (eg, top or side) of the printed circuit board and capable of transmitting or receiving signals of the designated high frequency band. can do.

At least some of the components are connected to each other through a communication method between peripheral devices (eg, a bus, general purpose input and output (GPIO), serial peripheral interface (SPI), or mobile industry processor interface (MIPI)) and a signal ( e.g. commands or data) can be exchanged with each other.

According to an embodiment, the command or data may be transmitted or received between the electronic device 101 and the external electronic device 104 through the server 108 connected to the second network 199 . Each of the external electronic devices 102 or 104 may be the same as or different from the electronic device 101 . According to an embodiment, all or a part of operations executed in the electronic device 101 may be executed in one or more external electronic devices 102 , 104 , or 108 . For example, when the electronic device 101 needs to perform a function or service automatically or in response to a request from a user or other device, the electronic device 101 may perform the function or service itself instead of executing the function or service itself. Alternatively or additionally, one or more external electronic devices may be requested to perform at least a part of the function or the service. One or more external electronic devices that have received the request may execute at least a part of the requested function or service, or an additional function or service related to the request, and transmit a result of the execution to the electronic device 101 . The electronic device 101 may process the result as it is or additionally and provide it as at least a part of a response to the request. For this purpose, for example, cloud computing, distributed computing, mobile edge computing (MEC), or client-server computing technology may be used. The electronic device 101 may provide an ultra-low latency service using, for example, distributed computing or mobile edge computing. In another embodiment, the external electronic device 104 may include an Internet of things (IoT) device. The server 108 may be an intelligent server using machine learning and/or neural networks. According to an embodiment, the external electronic device 104 or the server 108 may be included in the second network 199 . The electronic device 101 may be applied to an intelligent service (eg, smart home, smart city, smart car, or health care) based on 5G communication technology and IoT-related technology.

The server 108 is connected to the electronic device 101 and may provide a service to the connected electronic device 101 . In addition, the server 108 may store and manage various types of information of users who have joined as members by performing a membership registration procedure, and may provide various purchase and payment functions related to services. Also, the server 108 may share execution data of a service application executed in each of the plurality of electronic devices 101 in real time so that the service can be shared among users. The server 108 may have the same configuration as a typical web server (Web Server) or WAP server (WAP Server) in terms of hardware. However, in terms of software, it may include a program module that is implemented through any language such as C, C++, Java, Visual Basic, or Visual C and performs various functions. In addition, the server 108 is generally connected to an unspecified number of clients and/or other servers through an open computer network such as the Internet, receives a request to perform a task from a client or other server, and derives and provides the work result. It means a computer system and the computer software (server program) installed therefor. In addition, the server 108, in addition to the above-described server program, a series of application programs (Application Program) operating on the server 108 and in some cases, various databases (DB: Database, hereinafter " DB") should be understood as a broad concept including. Accordingly, the server 108 classifies, stores and manages member registration information, various information and data about the game in a DB, and this DB may be implemented inside or outside the server 108 . In addition, the server 108 uses a server program that is provided in various ways according to operating systems such as DOS, Windows, Linux, UNIX, and Macintosh in general server hardware. As a representative example, a website used in a Windows environment, Internet Information Server (IIS), and CERN, NCSA, APPACH, etc. used in a Unix environment may be used. In addition, the server 108 may cooperate with an authentication system and a payment system for user authentication of a service or a purchase payment related to a service.

The first network 198 and the second network 199 are a connection structure capable of exchanging information between respective nodes such as terminals and servers, or a network connecting the server 108 and the electronic devices 101 and 104 . (Network). The first network 198 and the second network 199 are Internet (Internet), LAN (Local Area Network), Wireless LAN (Wireless Local Area Network), WAN (Wide Area Network), PAN (Personal Area Network), 3G , 4G, LTE, 5G, Wi-Fi, and the like. The first network 198 and the second network 199 may be the closed first network 198 and the second network 199 such as a LAN or a WAN, but preferably an open type such as the Internet. The Internet is a TCP/IP protocol and several services existing in its upper layers, namely HTTP (HyperText Transfer Protocol), Telnet, FTP (File Transfer Protocol), DNS (Domain Name System), SMTP (Simple Mail Transfer Protocol), SNMP ( Simple Network Management Protocol), NFS (Network File Service), and NIS (Network Information Service) means a worldwide open computer first network 198 and second network 199 structure.

The database may have a general data structure implemented in a storage space (hard disk or memory) of a computer system using a database management program (DBMS). The database may have a data storage form in which data can be freely searched (extracted), deleted, edited, added, and the like. Database is a relational database management system (RDBMS) such as Oracle, Infomix, Sybase, DB2, or object-oriented database management such as Gemston, Orion, O2, etc. It can be implemented for the purpose of an embodiment of the present disclosure by using a system (OODBMS) and an XML-only database (XML Native Database) such as Excelon, Tamino, and Sekaiju, and its function It may have an appropriate field or elements to achieve .

2 is a diagram illustrating a configuration of a program according to an exemplary embodiment.

2 is a block diagram 200 illustrating a program 140 in accordance with various embodiments. According to an embodiment, the program 140 executes an operating system 142 , middleware 144 , or an application 146 executable in the operating system 142 for controlling one or more resources of the electronic device 101 . may include Operating system 142 may include, for example, Android™, iOS™, Windows™, Symbian™, Tizen™, or Bada™. At least some of the programs 140 are, for example, preloaded into the electronic device 101 at the time of manufacture, or an external electronic device (eg, the electronic device 102 or 104 ), or a server (eg, the electronic device 102 or 104 ) when used by a user ( 108)), or may be updated. All or part of the program 140 may include a neural network.

The operating system 142 may control management (eg, allocation or retrieval) of one or more system resources (eg, a process, memory, or power) of the electronic device 101 . The operating system 142 may additionally or alternatively include other hardware devices of the electronic device 101 , for example, the input module 150 , the sound output module 155 , the display module 160 , and the audio module 170 . , sensor module 176 , interface 177 , haptic module 179 , camera module 180 , power management module 188 , battery 189 , communication module 190 , subscriber identification module 196 , or It may include one or more driver programs for driving the antenna module 197 .

The middleware 144 may provide various functions to the application 146 so that functions or information provided from one or more resources of the electronic device 101 may be used by the application 146 . The middleware 144 includes, for example, an application manager 201 , a window manager 203 , a multimedia manager 205 , a resource manager 207 , a power manager 209 , a database manager 211 , and a package manager 213 . ), a connectivity manager 215 , a notification manager 217 , a location manager 219 , a graphics manager 221 , a security manager 223 , a call manager 225 , or a voice recognition manager 227 . can

The application manager 201 may manage the life cycle of the application 146 , for example. The window manager 203 may manage one or more GUI resources used in the screen, for example. The multimedia manager 205, for example, identifies one or more formats required for playback of media files, and encodes or decodes a corresponding media file among the media files using a codec suitable for the selected format. can be done The resource manager 207 may manage the space of the source code of the application 146 or the memory of the memory 130 , for example. The power manager 209 may, for example, manage the capacity, temperature, or power of the battery 189 , and determine or provide related information required for the operation of the electronic device 101 by using the corresponding information. . According to an embodiment, the power manager 209 may interwork with a basic input/output system (BIOS) (not shown) of the electronic device 101 .

The database manager 211 may create, retrieve, or change a database to be used by the application 146 , for example. The package manager 213 may manage installation or update of an application distributed in the form of a package file, for example. The connectivity manager 215 may manage, for example, a wireless connection or a direct connection between the electronic device 101 and an external electronic device. The notification manager 217 may provide, for example, a function for notifying the user of the occurrence of a specified event (eg, an incoming call, a message, or an alarm). The location manager 219 may manage location information of the electronic device 101 , for example. The graphic manager 221 may manage, for example, one or more graphic effects to be provided to a user or a user interface related thereto.

Security manager 223 may provide, for example, system security or user authentication. The telephony manager 225 may manage, for example, a voice call function or a video call function provided by the electronic device 101 . The voice recognition manager 227, for example, transmits the user's voice data to the server 108, and based at least in part on the voice data, a command corresponding to a function to be performed in the electronic device 101; Alternatively, the converted text data may be received from the server 108 based at least in part on the voice data. According to an embodiment, the middleware 244 may dynamically delete some existing components or add new components. According to an embodiment, at least a portion of the middleware 144 may be included as a part of the operating system 142 or implemented as software separate from the operating system 142 .

Application 146 includes, for example, home 251 , dialer 253 , SMS/MMS 255 , instant message (IM) 257 , browser 259 , camera 261 , alarm 263 . , contacts 265, voice recognition 267, email 269, calendar 271, media player 273, album 275, watch 277, health 279 (such as exercise or blood sugar) measuring biometric information), or environmental information 281 (eg, measuring atmospheric pressure, humidity, or temperature information). According to an embodiment, the application 146 may further include an information exchange application (not shown) capable of supporting information exchange between the electronic device 101 and an external electronic device. The information exchange application may include, for example, a notification relay application configured to transmit specified information (eg, call, message, or alarm) to an external electronic device, or a device management application configured to manage the external electronic device. have. The notification relay application, for example, transmits notification information corresponding to a specified event (eg, mail reception) generated in another application (eg, the email application 269 ) of the electronic device 101 to the external electronic device. can Additionally or alternatively, the notification relay application may receive notification information from the external electronic device and provide it to the user of the electronic device 101 .

The device management application is, for example, a power source (eg, turn-on or turn-off) of an external electronic device that communicates with the electronic device 101 or some components thereof (eg, a display module or a camera module of the external electronic device). ) or a function (eg brightness, resolution, or focus). The device management application may additionally or alternatively support installation, deletion, or update of an application operating in an external electronic device.

Throughout this specification, a neural network, a neural network network, and a network function may be used interchangeably. A neural network may be composed of a set of interconnected computational units, which may generally be referred to as “nodes”. These “nodes” may also be referred to as “neurons”. A neural network is configured to include at least two or more nodes. Nodes (or neurons) constituting neural networks may be interconnected by one or more “links”.

In a neural network, two or more nodes connected through a link may relatively form a relationship between an input node and an output node. The concepts of an input node and an output node are relative, and any node in an output node relationship with respect to one node may be in an input node relationship in a relationship with another node, and vice versa. As described above, an input node to output node relationship may be created around a link. One or more output nodes may be connected to one input node through a link, and vice versa.

In the relationship between the input node and the output node connected through one link, the value of the output node may be determined based on data input to the input node. Here, a node interconnecting the input node and the output node may have a weight. The weight may be variable, and may be changed by a user or an algorithm in order for the neural network to perform a desired function. For example, when one or more input nodes are interconnected to one output node by respective links, the output node sets values input to input nodes connected to the output node and links corresponding to the respective input nodes. An output node value may be determined based on the weight.

As described above, in a neural network, two or more nodes are interconnected through one or more links to form an input node and an output node relationship within the neural network. The characteristics of the neural network may be determined according to the number of nodes and links in the neural network, the correlation between the nodes and the links, and the value of a weight assigned to each of the links. For example, when the same number of nodes and links exist and there are two neural network networks having different weight values between the links, the two neural network networks may be recognized as different from each other.

3 is a diagram illustrating an overall configuration of a data security system according to an embodiment.

The phishing method may be applied differently depending on the operating system of the terminal 320 . With the increase in the penetration rate of Android-based mobile devices, the pattern of phishing is expanding to Android-based mobile devices. A mobile device provides and collects various information to a user through an application. Phishing perpetrators use this function to induce victims to install applications, and through the applications, various data such as photos and contact information of victims are collected without permission and used for financial crimes.

When the operating system of the terminal 320 is Android, the C&C server 350 may induce the user to execute the Android application package file. When the user executes the Android application package file, the terminal 320 may transmit various data to the C&C server 350 according to an instruction of the Android application package file. Here, the application file distributed by the perpetrator is an Android-based Android application package file, and when the user executes the Android application package file, the victim's data is leaked to the C&C server 350 of the perpetrator by the Android application package file. is being used

An Android application package (APK) file is a file of a format used by the Android operating system or another operating system based on Android, and is an application that can be executed on the Android operating system, such as a mobile application, a mobile game, or middleware. It is a file in the format for distribution or installation of

The C&C server 350 refers to a server that leaks data from the victim's terminal 320 . A C&C server may refer to a server that generally commands an infected zombie PC from a remote location to perform an attack desired by a hacker or controls malicious code. For example, the C&C server 350 may distribute a malicious code to an infected PC, transmit spam, or perform a DDos attack.

According to an embodiment, the data security system may detect the C&C server 350 using various security techniques. The data security system may detect the IP address of the C&C server 350 . The data security system may track the path through which data is leaked by the phishing application. The data security system can identify the perpetrator by tracking the address of the C&C server 350 communicating through the phishing application. The data security system may prevent the data packet from being leaked from the terminal 320 to the C&C server 350 based on the detection result.

To this end, referring to FIG. 3 , the data security system may include a security server 310 , a network 340 , and a terminal 320 . The data security system may further include one or more external servers 331 and 332 .

When the Android application package file is executed, communication may occur between the Android application package file and the C&C server 350 . The terminal 320 may detect an operation signal of an Android application package file (APK). In response to the operation signal, the terminal 320 may transmit a data packet stored in the terminal transmitted to the outside in response to a transmission request of the Android application package file to the security server.

The security server 310 may analyze the data packet requested to be transmitted to the C&C server 350 by the Android application package file. The security server 310 may collect IP addresses of all packets being communicated through analysis. The security server 310 may specify the IP address of the C&C server 350 from the collected IP addresses.

The security server 310 may collect all data packets transmitted within a short time, for example, a threshold time, from the time the execution command for the Android application package file is generated. The security server 310 may find the IP address of the destination by analyzing the data packet based on the time of the moment when the Android application package file is executed. Since data leakage usually occurs in a short time after the execution command for the Android application package file, the security server 310 can reduce the number of inspection targets while maintaining accuracy.

The security server 310 may analyze the correlation of the data packet and obtain correlation instance information of the data packet. Here, the correlation may indicate a relationship between destination addresses of data packets. For example, when a request for a second address is successively requested for a corresponding data packet after a request for a first address of the data packet, correlation instant information between the request addresses may be obtained. The correlation instance information may refer to correlation information of a data packet currently being inspected, and the correlation registration information may refer to pre-registered correlation information.

The security server 310 may block communication with the C&C server 350 based on a known IP address or URI. For example, if the IP address of 1.1.1.2 is known to be the IP address of the C&C server 350 , the security server 310 may block the IP address of 1.1.1.2.

The data security system may secure a database for the IP addresses of the plurality of C&C servers 350 together with the external servers 331 and 332 and analyze the correlation between the plurality of C&C servers 350 to share the analysis results. . Data security systems can build and use Global Threat Intelligence information, either on their own or in partnership with other security vendors.

The security server 310 may create a virtualized database by virtualizing an internal database of the security server 310 and an external database of one or more external servers. The virtualization unit of the security server 310 may generate correlation hierarchical information for correlation registration information stored in an internal database of the security server 310 and correlation registration information stored in an external database. The correlation hierarchical information may indicate a hierarchical relationship for a plurality of correlations. The security server 310 and the external servers 331 and 332 may share a virtualized database.

The security server 310 may search for correlation registration information matching the correlation instance information of the data packet in the virtualization database of the security server 310 . The matching unit of the security server 310 may search for correlation registration information matching the correlation instance information based on the correlation hierarchical information. When correlation registration information matching the correlation instance information is found, the security server 310 may transmit a transmission blocking request signal to the terminal 320 .

The data security system may perform payload analysis of the data packet transmitted to the C&C server 350 for the unknown C&C server 350 . Hereinafter, a process for analyzing the payload of a data packet is described.

When correlation registration information matching the correlation instance information is not found, the terminal 320 may determine whether to transmit the data packet to the network based on communication management information of the data packet. The terminal 320 may determine whether to forward the data packet to the switch of the terminal based on the communication management information of the data packet. The communication management information indicates information about a communication method of data packets.

For example, the communication management information may include information on whether TCP communication or SSL communication is performed. The data security system may check whether the communication with the C&C server 350 is TCP communication or SSL communication. When communication with the C&C server 350 is SSL communication, the data security system may analyze the payload of a data packet transmitted through SSL communication through an SSL inspection technique. The data security system can verify whether the SSL communication is a managed SSL communication. The data security system can block communication in advance for unmanaged SSL communication as a policy.

The data security system may perform filtering step by step on all transmitted data packets. The data security system can perform primary filtering on all data packets through the switch. The data security system may perform payload analysis on the suspicious data packet as a result of filtering. Payload analysis may be omitted for data packets determined to be safe. In this way, the data security system can increase both inspection speed and accuracy by selecting data packets for payload analysis through simple pattern analysis rather than payload analysis.

The switch of the terminal 320 may perform pattern analysis on the data packet. The terminal 320 may detect the C&C server 350 by learning traffic characteristic information of the communication channel of the C&C server 350 . For example, the switch of the terminal 320 may perform pattern analysis on connection information of the C&C server 350 . The terminal 320 may determine the distribution of TCP flag and port values in the communication session through pattern analysis. The data security system may distinguish the C&C server 350 from the general server through the analysis result.

For example, the terminal 320 classifies a server corresponding to a communication session showing a sequential communication pattern such as SYN-NOP-RST-FIN as a general server, and shows a communication characteristic of a continuous short SYN-NOP-FIN. and a server that mainly uses a specific unknown port may be classified as the C&C server 350 .

The switch of the terminal 320 may determine whether to transmit the data packet to the network based on the result of the pattern analysis. The switch of the terminal 320 may determine whether to forward the data packet to the mirroring unit of the terminal based on the result of the pattern analysis.

The mirroring unit of the terminal 320 may create a mirror packet by copying the data packet. The payload analyzer of the terminal 320 may analyze the payload of the mirror packet. The payload analysis unit of the terminal 320 may determine whether to transmit the mirror packet to the network based on the result of the analysis of the payload.

The payload analyzer may be isolated from other components of the terminal 320 by a security policy. By analyzing the mirror packet identical to the data packet by the payload analysis unit, the terminal 320 can control so that a problem that may occur in the analysis process does not affect other configurations of the terminal 320 .

The data security system may analyze the payload of the data packet by using an abnormal behavior-based analysis technique. Hereinafter, an analysis process using the payload analysis model will be described.

The payload analysis unit of the terminal 320 may output an abnormality feature vector from the mirror packet using the payload analysis model. Here, the payload analysis model may include a protocol analysis unit, a user behavior analysis unit, a packet analysis unit, a user-defined abnormality analysis unit, and an abnormality characteristic analysis unit. Each of the protocol analysis unit, user behavior analysis unit, packet analysis unit, user-defined abnormality analysis unit, and abnormality characteristic analysis unit constituting the payload analysis model is composed of a neural network, can

A neural network constituting a payload analysis model may be composed of a set of interconnected computational units, which may be generally referred to as “nodes”. These “nodes” may also be referred to as “neurons”. A neural network is configured to include at least two or more nodes. Nodes (or neurons) constituting neural networks may be interconnected by one or more “links”.

In a neural network, two or more nodes connected through a link may relatively form a relationship between an input node and an output node. The concepts of an input node and an output node are relative, and any node in an output node relationship with respect to one node may be in an input node relationship in a relationship with another node, and vice versa. As described above, an input node to output node relationship may be created around a link. One or more output nodes may be connected to one input node through a link, and vice versa.

In the relationship between the input node and the output node connected through one link, the value of the output node may be determined based on data input to the input node. Here, a node interconnecting the input node and the output node may have a weight. The weight may be variable, and may be changed by a user or an algorithm in order for the neural network to perform a desired function. For example, when one or more input nodes are interconnected to one output node by respective links, the output node sets values input to input nodes connected to the output node and links corresponding to the respective input nodes. An output node value may be determined based on the weight.

As described above, in a neural network, two or more nodes are interconnected through one or more links to form an input node and an output node relationship within the neural network. The characteristics of the neural network may be determined according to the number of nodes and links in the neural network, the correlation between the nodes and the links, and the value of a weight assigned to each of the links. For example, when the same number of nodes and links exist and there are two neural network networks having different weight values between the links, the two neural network networks may be recognized as different from each other.

The protocol analyzer may analyze each packet for network/protocol information according to various network layers. For example, the protocol analysis unit includes network interface controller information, media access control address, domain name server/service information, proxy information, data encoding/decryption status information, whether data is IPv6 or IPv4, dynamic host configuration information, Windows Internet name Service information and the like can be analyzed.

The user behavior analysis unit may add user behavior information to the analysis result. For example, the user behavior analysis module can analyze user roles/groups, location/geography, devices used, applications used, average session length, data traffic patterns, average amount of uploaded/downloaded data, past security issues, etc. can

The packet analyzer may further analyze packet-related analysis information implementing the DPI technology. For example, the packet analyzer may analyze whether the content matches the file format/standard, the number of retransmissions, the number of unnecessary packets, and the like. For example, the packet analyzer may determine a data packet having a high number of retransmissions as an index of data leakage attempt. A large number of unnecessary packets can also be seen as an indicator of data leak attempts, and data can be leaked by hiding personal information between unnecessary packets and recombination of stolen data by hackers. The packet analyzer may determine that even a very dense packet header with no spaces is abnormal. This can be seen as a signal to manipulate data with the intention of hiding the data in the TCP/UDP/IP header.

The user-defined abnormality analyzer may analyze the data packet to determine whether the analysis result corresponds to the abnormality defined by the user. This allows unknown security/performance issues labeled by the user to be detected.

The payload analysis unit of the terminal may output protocol analysis vector by inputting protocol information of the mirror packet to the protocol analysis unit. The payload analysis unit of the terminal may output user behavior analysis vector by inputting user behavior information related to the data packet to the user behavior analysis unit. The payload analysis unit of the terminal may output a packet analysis vector by inputting the payload of the mirror packet to the packet analysis unit. The payload analysis unit of the terminal may output a user-defined abnormality analysis vector by inputting the payload of the mirror packet to the user-defined abnormality analysis unit.

The payload analyzer of the terminal may perform concatenation on the protocol analysis vector, the user behavior analysis vector, the packet analysis vector, and the user-defined abnormality analysis vector to output a combined vector. The payload analysis unit of the terminal may output the abnormality characteristic vector by inputting the combined vector to the abnormality characteristic analysis unit.

According to an embodiment, the payload analyzer of the terminal may determine whether the non-stationary feature vector is included in the central group stereoscopic model of the multidimensional space. A central group stereoscopic model can be obtained through all relevant data that helps to properly classify the analyzed data packets according to performance or security criteria. The centroid group three-dimensional model may represent a three-dimensional model of a multidimensional space separated by a minimum boundary distance in a normal direction from a centroid group including a plurality of normal feature vectors having a critical density or higher determined to be normal.

The payload analyzer of the terminal may arrange the non-stationary feature vector in a multidimensional space including the central group stereoscopic model. The anomaly feature vector may be arranged in a multidimensional space based on protocol analysis, user behavior analysis, packet analysis, and one or more user-defined anomaly analysis axes.

The security level of the data security system may be adjusted by adjusting the minimum boundary distance. For example, the data security system may set a small minimum boundary distance to adopt a high security level, and set a large minimum boundary distance to adopt a low security level.

According to another embodiment, the payload analyzer considers vectors belonging to the central group three-dimensional model as representative samples of normality, and calculates the distance between each of the plurality of normal feature vectors belonging to the central group three-dimensional model and the non-stationary feature vector to be examined. can The payload analyzer may calculate the final distance by synthesizing the respective distances, and may determine whether the final distance is abnormal by comparing the final distance and the critical distance.

When the non-stationary feature vector is included in the central group stereoscopic model of the multidimensional space, the payload analyzer of the terminal may transmit the mirror packet to the network based on the result of the payload analysis.

When the nonstationary feature vector is not included in the central group stereoscopic model of the multidimensional space, the payload analyzer of the terminal may update the central group stereoscopic model based on the nonstationary feature vector. The payload analyzer of the terminal may determine the closest normal feature vector from the non-stationary feature vector. The payload analyzer of the terminal may adjust the boundary of the three-dimensional model of the multidimensional space toward the determined normal feature vector. For example, toward a stationary feature vector determined from the nonstationary feature vector, the distance from the original boundary to the nonstationary feature vector may be adjusted based on the distance from the original boundary to the stationary feature vector.

The payload analyzer of the terminal may determine whether to transmit the mirror packet to the simulation performing unit based on the result of the payload analysis. The simulation performing unit may perform a simulation by inputting the mirror packet into the virtual machine of the terminal.

The data security system can actually run the transmitted data packet in the virtual machine. The data security system may determine whether the information included in the data packet may have a significant effect on the terminal 320 or the user of the terminal 320 based on the execution result. When it is determined that the transmission of the data packet is an APT attack, the data security system may block the transmission of the data packet.

The switch of the terminal may decide whether to forward the data packet to the transceiver of the terminal based on the result of the simulation. When the simulation result indicates abnormality, the simulation performing unit may transmit a command to block transmission of the data packet to the switch. When the simulation result indicates normality, the simulation performing unit may transmit a command allowing transmission of the data packet to the switch.

When the crawler of the terminal decides to transmit the data packet to the transceiver of the terminal based on the result of the simulation, the crawler of the terminal may collect text data related to the user's personal information included in the data packet. The crawler of the terminal may determine the degree of relevance to the user's personal information for a plurality of text data stored in a plurality of C&C servers or exposed on a network.

The crawler of the terminal may determine the degree of relevance to the user's personal information based on the collected text data using the personal information relevance model. The crawler may classify one piece of personal information among a plurality of pieces of personal information by using a personal information relevance model by inputting text data.

The personal information relevance model may include an input layer, one or more hidden layers, and an output layer. Each training data composed of training text data and a label of correct personal information is input to the input layer of the personal information relevance model and passes through the one or more hidden layers and output layers to output an output vector, and the output vector is It is input to a loss function layer connected to the output layer, and the loss function layer outputs a loss value using a loss function that compares the output vector with a correct vector for each training data, and the personal information relevance model of The parameter may be learned in a direction in which the loss value becomes smaller.

[Equation]

The loss function follows the above equation, where n is the number of training data for each class, y and j are identifiers representing classes, C is a constant value, M is the number of classes, and x_y is the number of training data for each class. A probability value belonging to , x_j may mean a probability value that the training data belongs to class j, and L may mean a loss value.

The text matching unit of the terminal may calculate a processing rate of text data related to personal information. The text matching unit may calculate a processing rate of the text data related to the personal information based on the preseed value of the personal information and the number of times the text data is transmitted between the plurality of C&C servers.

The text matching unit may output the processing rate based on the pre-seed value and the reactant value. The preseed value refers to a number indicating whether output text that can be transformed from personal information is within a predictable range.

The text matching unit may calculate a processing rate of the plurality of collected text data. In an embodiment, the processing rate may be inversely proportional to the matching rate between text data and personal information.

The processing rate may be calculated by <Equation 2>.

In <Equation 2>, T may represent a processing rate, v_react may be a reactant value, S may be a preset value, and p may represent a natural number identifying the text data. The reactant value will be described later.

The text matching unit determines whether the generated processing rate exceeds a predetermined threshold. When the processing rate exceeds the first threshold, the text matching unit may determine that the corresponding text data has insufficient relevance to represent personal information and may filter it.

When the processing rate does not exceed the first threshold, the text matching unit may determine that the user's personal information included in the data packet has been exposed through the text data.

The text matching unit may calculate a reactant value based on the preseed value of personal information and the number of times the text data is transmitted between the plurality of C&C servers. The reactant value may be proportional to the number of times the text data is transmitted between the plurality of C&C servers.

The reactant value may be calculated by <Equation 3>. In Equation 3, v_react may indicate a reactant value, and N_sent may indicate the number of times the text data is transmitted between a plurality of C&C servers.

The text matching unit of the terminal may determine that the user's personal information included in the data packet has been exposed when the processing rate of the text data is less than a threshold value. In this way, the data security system can reduce the load by reducing the number of matching by filtering the case where the processed degree of the text data is less than a threshold before matching between the web crawled text data and the user's personal information.

4 is a diagram illustrating a configuration of a security server 310 according to an embodiment.

According to an embodiment, the security server 400 may include a virtualization unit 401 , a correlation analysis unit 402 , a matching unit 403 , and a transceiver 404 .

The correlation analyzer 402 may analyze the correlation of the data packets. The correlation analyzer 402 may acquire correlation instance information of the data packet based on the analysis result.

The matching unit 403 may search the virtual database of the security server 310 for correlation registration information matching the correlation instance information of the data packet.

When correlation registration information matching the correlation instance information is found, the transceiver 404 may transmit a transmission blocking request signal to the transceiver of the terminal.

When the correlation registration information matching the correlation instance information is not found, the transceiver 404 may transmit a transmission permission signal to the transceiver of the terminal.

The virtualization unit 401 may create a virtualized database by virtualizing an internal database of the security server 400 and an external database of one or more external servers.

The virtualization unit 401 may generate correlation hierarchical information for correlation registration information stored in an internal database of the security server 310 and correlation registration information stored in an external database.

The matching unit 403 may search for correlation registration information matching the correlation instance information based on the correlation hierarchical information.

5 is a diagram illustrating the configuration of a terminal according to an embodiment.

According to an embodiment, the terminal 500 includes an event detection unit 501 , a control unit 502 , a switch 503 , a transceiver 504 , a mirroring unit 505 , a payload analysis unit 506 , and a simulation performing unit. 507 , a processor 508 , a crawling unit 509 , and a text matching unit 510 .

The event detection unit 501 may detect an operation signal of an Android application package file (APK).

In response to the operation signal, the transceiver 504 may transmit a data packet stored in the terminal transmitted to the outside in response to a transmission request of the Android application package file to the security server.

When the correlation registration information matching the correlation instance information is not found in the security server 400, the control unit 502 of the terminal 500 determines whether to transmit the data packet to the network based on the communication management information of the data packet. can decide whether

When correlation registration information matching the correlation instance information is not found, the controller 500 may determine whether to transfer the data packet to the switch of the terminal based on communication management information of the data packet.

The switch 503 may perform pattern analysis on the data packet. The switch 503 may determine whether to transmit the data packet to the network based on the result of the pattern analysis. In order to determine whether to transmit the data to the network, the switch 503 may determine whether to transmit the data packet to the mirroring unit of the terminal based on the result of pattern analysis.

When it is determined that the pattern analysis result is normal, the mirroring unit 505 may create a mirror packet by copying the data packet. The payload analyzer 506 may analyze the payload of the mirror packet. The payload analysis unit 506 may determine whether to transmit the mirror packet to the network based on the result of the analysis of the payload.

In order to determine whether to transmit the mirror packet to the network, the payload analysis unit 506 may determine whether to transmit the mirror packet to the simulation performing unit 507 based on the result of the analysis of the payload.

The simulation performing unit 507 may perform a simulation by inputting the mirror packet into the virtual machine of the terminal. The switch 503 may determine whether to forward the data packet to the transceiver of the terminal based on the result of the simulation.

The crawler 509 of the terminal may determine the degree of relevance to the user's personal information based on the collected text data using the personal information relevance model. The crawler 509 may classify one piece of personal information among a plurality of pieces of personal information using a personal information relevance model by inputting text data.

The text matching unit 510 may calculate a processing rate of text data related to personal information. The text matching unit 510 may calculate a processing rate of the text data related to the personal information based on the preseed value of the personal information and the number of times the text data is transmitted between the plurality of C&C servers. The text matching unit 510 determines whether the generated processing rate exceeds a predetermined threshold. When the processing rate exceeds the first threshold, the text matching unit 510 may determine that the corresponding text data has insufficient relevance to represent personal information and may filter it. When the processing rate does not exceed the first threshold, the text matching unit 510 may determine that the user's personal information included in the data packet has been exposed through the text data.

6 is a flowchart illustrating an example of a data security method according to an embodiment.

Referring to FIG. 6 , the terminal 500 includes an event detection unit 501 , a control unit 502 , a switch 503 , a transceiver 504 , a mirroring unit 505 , a payload analysis unit 506 , and a simulation performing unit. 507 and a processor 508 . The security server 400 may include a virtualization unit 401 , a correlation analysis unit 402 , a matching unit 403 , and a transceiver 404 .

In operation 601 , the event detection unit 501 may detect an operation signal of the Android application package file in response to an execution command for the Android application package file of the terminal 500 . The event detection unit 501 may detect a data transmission request signal for a data packet inside the terminal 500 generated from the Android application package file.

In operation 602 , the event detection unit 501 may transmit a data packet transmission request signal to the transceiver 504 in response to detection of the operation signal. The transceiver 504 may transmit the data packet to the security server 400 . The transceiver 404 of the security server 400 may transmit the data packet to the correlation analyzer 402 .

In operation 605 , the correlation analyzer 402 may analyze the correlation of the data packet and obtain correlation instance information of the data packet. Here, the correlation may indicate a relationship between destination addresses of data packets.

In operation 606 , the correlation analysis unit 402 may transmit correlation instance information to the matching unit 403 .

In operation 607, the matching unit 403 may search for correlation registration information that matches the correlation instance information.

In operation 608 , when matching correlation registration information exists, the correlation analyzer 402 may transmit a transmission blocking request signal to the transceiver 404 .

At operation 609 , the transceiver 404 may transmit a transmit block request signal to the transceiver 504 . The transceiver 504 may transmit a transmission blocking request signal to the controller 502 .

In operation 610 , the controller 502 may block transmission of the data packet in response to the transmission blocking request signal.

In operation 638 , if there is no matching correlation registration information, the correlation analyzer 402 may transmit a transmission permission signal to the transceiver 404 .

At operation 639 , the transceiver 404 may transmit a transmit permission signal to the transceiver 504 . The transceiver 504 may transmit a transmission permission signal to the switch 503 .

At operation 611 , the switch 503 may perform pattern analysis on the data packet. When it is determined that the pattern analysis result is abnormal, the switch 503 may transmit a transmission blocking signal to the controller 502 .

In operation 612 , the controller 502 may block transmission of the data packet in response to the transmission blocking signal.

When it is determined that the pattern analysis result is normal, the switch 503 may transmit the data packet to the mirroring unit 505 .

In operation 613 , the mirroring unit 505 may generate a mirror packet corresponding to the data packet.

In operation 614 , the mirroring unit 505 may transmit the payload of the mirror packet to the payload analysis unit 506 .

In operation 615 , the payload analyzer 506 may analyze the payload of the mirror packet. When it is determined that the payload analysis result is abnormal, the payload analysis unit 506 may transmit a transmission blocking request signal to the control unit 502 .

In operation 616 , the controller 502 may block transmission of the data packet in response to the transmission blocking request signal.

When it is determined that the payload analysis result is normal, the payload analysis unit 506 may transmit the mirror packet to the simulation performing unit 507 .

In operation 617 , the simulation performing unit 507 may perform a simulation using the mirror packet. The simulation performing unit 507 may combine a plurality of mirror packets and run them in a virtual machine that mimics the operating system of the terminal 500 , or may determine whether the combined mirror packets contain important personal information. The simulation performing unit 507 may determine whether the simulation execution result is normal or abnormal.

When the simulation result is abnormal, the simulation performing unit 507 may transmit a transmission blocking request signal to the control unit 502 .

In operation 618 , the controller 502 may block transmission of the data packet in response to the transmission blocking request signal.

When the simulation execution result is normal, the simulation performing unit 507 may transmit a transmission permit signal to the control unit 502 .

In operation 619 , the controller 502 may transmit the data packet to the network in response to the transmission permission signal.

In operation 631 , the crawler 509 may crawl data. The crawler 509 of the terminal may determine the degree of relevance to the user's personal information based on the collected text data using the personal information relevance model. The crawler 509 may classify one piece of personal information among a plurality of pieces of personal information using a personal information relevance model by inputting text data.

In operation 632 , the text matching unit 510 may perform data filtering. The text matching unit 510 may calculate a processing rate of text data related to personal information. The text matching unit 510 may calculate a processing rate of the text data related to the personal information based on the preseed value of the personal information and the number of times the text data is transmitted between the plurality of C&C servers. The text matching unit 510 determines whether the generated processing rate exceeds a predetermined threshold. When the processing rate exceeds the first threshold, the text matching unit 510 may determine that the corresponding text data has insufficient relevance to represent personal information and may filter it. When the processing rate does not exceed the first threshold, the text matching unit 510 may determine that the user's personal information included in the data packet has been exposed through the text data.

7 is a diagram illustrating a central group three-dimensional model of a multidimensional space according to an exemplary embodiment.

According to an embodiment, the payload analyzer of the terminal may determine whether the non-stationary feature vector is included in the central group stereoscopic model of the multidimensional space. A central group stereoscopic model can be obtained through all relevant data that helps to properly classify the analyzed data packets according to performance or security criteria. The centroid group three-dimensional model may represent a three-dimensional model of a multidimensional space separated by a minimum boundary distance in a normal direction from a centroid group including a plurality of normal feature vectors having a critical density or higher determined to be normal.

The payload analyzer of the terminal may arrange the non-stationary feature vector in a multidimensional space including the central group stereoscopic model. The anomaly feature vector may be arranged in a multidimensional space based on protocol analysis, user behavior analysis, packet analysis, and one or more user-defined anomaly analysis axes.

The security level of the data security system may be adjusted by adjusting the minimum boundary distance. For example, the data security system may set a small minimum boundary distance to adopt a high security level, and set a large minimum boundary distance to adopt a low security level.

Referring to FIG. 7 , the multidimensional space represents corners and edges labeled according to security issues within the data packet. For example, the multidimensional space may have five dimensions: a first axis 701 , a second axis 702 , a third axis 703 , a fourth axis 704 , and a fifth axis 705 . For example, the first axis 701 , the second axis 702 , the third axis 703 , the fourth axis 704 , and the fifth axis 705 are the result of protocol analysis and the result of user behavior analysis, respectively. , a packet analysis result, a first user-defined abnormality analysis result, and a second user-defined abnormality analysis result may be an axis serving as a reference for an index indicating the analysis result.

The payload analyzer of the terminal may arrange the non-stationary feature vector in a multidimensional space including the central group stereoscopic model. The anomaly feature vector may be arranged in a multidimensional space based on protocol analysis, user behavior analysis, packet analysis, and one or more user-defined anomaly analysis axes.

According to FIG. 7 , a plurality of points are displayed, and each point represents an anomaly feature vector. Each of the non-stationary feature vectors corresponds to one data packet. One or more central group stereoscopic models 720 and 730 may exist in the multidimensional space. The multidimensional space may have separate centroids, for example, two or more centroid group stereoscopic models 720 and 730 having approximately equal densities.

The central group stereoscopic model 720 may include a plurality of normal feature vectors 721 . The nonstationary feature vector 730 may include a plurality of stationary feature vectors 731 . In addition, two or more subgroups 741 and 751 may exist, but these subgroups are not large enough to threaten the central groups 720 and 730 .

The determination of the central group stereoscopic models 720 and 730 including the normal feature vectors representing the normal data packets may be performed using various techniques, and then, the data packets are continuously analyzed on the system. The update of the central group stereoscopic models 720 and 730 may be continuously performed by the feature vector determined to be abnormal and the feature vector determined to be normal. The data packets may be continuously analyzed and clustered, and one or more central groups that are clustered may reach a density that is recognized as serving a centrality function. The three-dimensional model of the central group exceeding a certain critical density can be a new standard for judging normality.

Feature vectors determined to be abnormal are disposed close to the edge or corner of the multidimensional space. If a particular feature vector is far from centroid, but not close to a known anomaly placed close to a corner or edge, or if it does not sufficiently match a data set of any known anomaly, the data security system will trigger a user-defined user event. can create Compared to the central group stereoscopic model conceptualized by the multidimensional space, such anomalies can be referred to as unknown abnormalities/deviations. When a user event occurs, the data security system may request management authority from the security server 310 to separately classify or label problematic data packets.

8 is a flowchart illustrating an operation of a data security method according to an embodiment.

According to an embodiment, in operation 801 , the event detection unit of the terminal may detect an operation signal of an Android application package file (APK).

According to an embodiment, in operation 803 , in response to the operation signal, the transceiver of the terminal may transmit a data packet stored in the terminal transmitted to the outside in response to a transmission request of the Android application package file to the security server.

According to an embodiment, in operation 805 , the correlation analyzer of the security server may analyze the correlation of the data packet and obtain correlation instance information of the data packet.

According to an embodiment, in operation 807 , the matching unit of the security server may search for correlation registration information matching correlation instance information of the data packet in the virtualization database of the security server.

According to an embodiment, in operation 809 , when correlation registration information matching the correlation instance information is found, the transceiver of the security server may transmit a transmission blocking request signal to the transceiver of the terminal.

According to an embodiment, in operation 811, when correlation registration information matching the correlation instance information is not found, the control unit of the terminal determines whether to transmit the data packet to the network based on the communication management information of the data packet. can decide whether

According to an embodiment, in operation 813, a mirror packet may be input to the virtual machine of the terminal to perform simulation.

According to an embodiment, in operation 815, it may be determined whether to forward the data packet to the transceiver of the terminal based on a result of the simulation.

According to an embodiment, in operation 817, when it is determined to transmit the data packet to the transceiver of the terminal based on the result of the simulation, text data related to the user's personal information included in the data packet is collected. can

According to an embodiment, in operation 819 , a processing rate of text data related to personal information may be calculated.

According to an embodiment, in operation 821 , when the processing rate of text data is less than a threshold value, it may be determined that the user's personal information included in the data packet has been exposed.

The embodiments described above may be implemented by a hardware component, a software component, and/or a combination of a hardware component and a software component. For example, the apparatus, methods and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate (FPGA). array), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that may include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

The software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. , or may be permanently or temporarily embody in a transmitted signal wave. The software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

As described above, although the embodiments have been described with reference to the limited drawings, those skilled in the art may apply various technical modifications and variations based on the above. For example, the described techniques are performed in a different order than the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (7)

Detecting an operation signal of an Android application package file (APK) by the event detection unit of the terminal;
transmitting, by the transceiver of the terminal in response to the operation signal, a data packet stored in the terminal, which is transmitted to the outside in response to a transmission request of the Android application package file, to a security server;
analyzing, by the correlation analysis unit of the security server, the correlation of the data packet, and obtaining correlation instance information of the data packet;
retrieving, by the matching unit of the security server, correlation registration information matching the correlation instance information of the data packet in the virtualization database of the security server;
transmitting, by the transceiver of the security server, a transmission blocking request signal to the transceiver of the terminal when the correlation registration information matching the correlation instance information is found;
When the correlation registration information matching the correlation instance information is not found, determining whether to transmit the data packet to the network based on the communication management information of the data packet, by the control unit of the terminal ;
generating a mirror packet by copying the data packet by the mirroring unit of the terminal when it is decided to transmit the data packet to the network;
analyzing the payload of the mirror packet by the payload analyzer of the terminal;
determining, by the payload analyzing unit of the terminal, whether to transmit the mirror packet to the simulation performing unit;
performing a simulation by inputting the mirror packet into the virtual machine of the terminal by the simulation performing unit;
determining, by the switch of the terminal, whether to forward the data packet to the transceiver of the terminal based on a result of the simulation;
collecting, by the crawling unit of the terminal, text data related to the user's personal information included in the data packet when it is determined to transmit the data packet to the transceiver of the terminal based on the result of the simulation;
calculating, by the text matching unit of the terminal, a processing rate of text data related to the personal information; and
determining, by the text matching unit of the terminal, that the user's personal information included in the data packet has been exposed when the processing rate of the text data is less than a threshold value;
The operation of determining whether to transmit by the payload analysis unit of the terminal comprises:
outputting, by the payload analysis unit of the terminal, a result of analysis of the payload including an abnormality feature vector from the mirror packet using a payload analysis model; and
determining, by the payload analyzing unit of the terminal, whether to transmit the mirror packet to the simulation performing unit, based on the result of the analysis of the payload;
The payload analysis model includes a protocol analysis unit, a user behavior analysis unit, a packet analysis unit, a user-defined abnormality analysis unit, and an abnormality characteristic analysis unit,
The operation of outputting the non-stationary feature vector comprises:
outputting a protocol analysis vector by inputting protocol information of the mirror packet to the protocol analysis unit by the payload analysis unit of the terminal;
outputting a user behavior analysis vector by inputting user behavior information related to the data packet to the user behavior analysis unit by the payload analyzer of the terminal;
outputting a packet analysis vector by inputting the payload of the mirror packet to the packet analysis unit by the payload analysis unit of the terminal;
outputting a user-defined anomaly analysis vector by inputting the payload of the mirror packet to the user-defined abnormality analysis unit by the payload analysis unit of the terminal;
outputting a concatenated vector by performing concatenation on the protocol analysis vector, the user behavior analysis vector, the packet analysis vector, and the user-defined anomaly analysis vector by the payload analysis unit of the terminal;
inputting the combined vector into the abnormality characteristic analysis unit by the payload analysis unit of the terminal and outputting the abnormality characteristic vector; and
determining, by the payload analysis unit of the terminal, whether the non-stationary feature vector is included in the central group stereoscopic model of the multidimensional space,
The centroid group three-dimensional model is determined to be normal and represents a three-dimensional model of the multidimensional space separated by a minimum boundary distance in the normal direction from the centroid group including a plurality of normal feature vectors having a critical density or more,
If the nonstationary feature vector is not included in the central group stereoscopic model of the multidimensional space, updating the central group stereoscopic model based on the nonstationary feature vector by the payload analyzer of the terminal. doing,
Data Security Methods.
According to claim 1,
The operation of calculating the processing rate is,
calculating, by the text matching unit of the terminal, a processing rate of text data related to the personal information based on the number of times the text data is transmitted between the pre-seed value of the personal information and a plurality of C&C servers ,
Data Security Methods. According to claim 1,
Further comprising, by the virtualization unit of the security server, the operation of creating a virtualized database by virtualizing the internal database of the security server and the external database of one or more external servers,
Data Security Methods. 4. The method of claim 3,
The operation of creating the virtualized database is,
and generating correlation hierarchical information for correlation registration information stored in the internal database of the security server and correlation registration information stored in the external database,
The operation to search in the virtualized database is,
and searching for correlation registration information matching the correlation instance information based on the correlation hierarchical information.
Data Security Methods. According to claim 1,
The operation of determining whether to transmit by the control unit of the terminal is,
When the correlation registration information matching the correlation instance information is not found, the control unit of the terminal determines whether to forward the data packet to the switch of the terminal based on the communication management information of the data packet. action to decide
including,
performing pattern analysis on the data packet by the switch of the terminal; and
determining, by the switch of the terminal, whether to transmit the data packet to the network based on a result of the pattern analysis
Further comprising, a data security method. According to claim 1,
The operation of determining whether to transmit the mirror packet to the simulation performing unit is,
performing a simulation by inputting the mirror packet into the virtual machine of the terminal by the simulation performing unit; and
determining, by the switch of the terminal, whether to forward the data packet to the transceiver of the terminal based on a result of the simulation
Further comprising, a data security method. According to claim 1,
and classifying one piece of personal information among a plurality of personal information using a personal information relevance model by inputting the text data,
The personal information relevance model includes an input layer, one or more hidden layers and an output layer,
Each training data composed of training text data and a label of correct personal information is input to the input layer of the personal information relevance model and passes through the one or more hidden layers and output layers to output an output vector, and the output vector is It is input to a loss function layer connected to the output layer, and the loss function layer outputs a loss value using a loss function that compares the output vector with a correct vector for each training data, and the personal information relevance model of The parameter is learned in a direction in which the loss value becomes smaller,
[Equation]

The loss function follows the above equation,
In the above formula, n is the number of learning data for each class, y and j are identifiers indicating classes, C is a constant value, M is the number of classes, x_y is the probability value that the learning data belongs to class y, x_j is the class Probability value belonging to j, L means loss value,
Data Security Methods.

Images