KR102439880B1 - System for controlling transmission and reception of file of application and method thereof - Google Patents

Abstract

The present invention relates to a system for controlling transmission and reception of a file of an application to control file input/output (IO) on the basis of information identifying an application and a network accessed by the application, and a method thereof. According to one embodiment of the present invention, a node comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor to store an access control application and a target application. The method stores instructions to allow the node, when executed by the processor, to identify a file IO information check event by the target application through the access control application; check whether the file IO information check is required through the access control application on the basis of authorized file IO information of a data flow related to the target application; request a file IO information check to an external server through the access control application on the basis of checking that the file IO information check is required; and allow or block file IO of the target application through the access control application on the basis of a result of checking the file IO information received from the external server.

Description

SYSTEM FOR CONTROLLING TRANSMISSION AND RECEPTION OF FILE OF APPLICATION AND METHOD THEREOF

Embodiments disclosed in this document relate to a system for controlling file transmission and reception of an application and a method therefor.

Communication is performed using TCP (Transmission Control Protocol) based on IP (Internet Protocol) between the terminal and the server, and the source IP, destination IP, and port information are identified using 5-tuple information included in the data packet. Firewall technology to perform access control is commonly used.

Firewall technology identifies the IP assigned to a terminal or network terminal (eg, gateway, router, etc.) plays a blocking role.

A technology such as an IP-based firewall has a problem in that it is difficult to control by IP unit when creating a private IP band by configuring a subnetwork by a terminal or a router and a gateway in an Internet band where IP allocation and control is difficult. In addition, there is a problem in that the IP can be forged or modulated in the IP communication structure. Accordingly, the firewall is used as a minimum safety device.

In order to solve this problem, a tunneling technology (e.g., IPSec (Internet Protocol) Security), Generic Routing Encapsulation (GRE), GPRS Tunneling Protocol (GTP), or Secure Sessions (Secure Sockets Layer (SSL), Transport Layer Security (TLS)). It solves the underlying problems.

However, when using a VPN (Virtual Private Network) based on tunneling technology that is created at the level of the terminal (IP unit assigned to the terminal), unallowed or insecure applications are connected to the unpermitted destination network through tunneling that is always connected after initial authentication. Since access vulnerabilities are inherent, security incidents due to infiltration of various malware and ransomware are increasing.

In order to solve this problem, application connectivity control technology that allows only permitted applications to access the permitted network is applied to identify the application that is the fundamental communication subject, and to block the access of unauthorized applications in advance to prevent various types of malware and ransomware. It prevents access to an unauthorized destination network and effectively solves various network security problems currently occurring.

With the recent industrial development, the increase in the global work environment and home work environment that transcends boundaries, and the shift to the cloud increases, the terminal can access the work system anytime, anywhere, and the application access control technology in this environment Provides optimal security factors for protection.

However, there is a problem that an application cannot control an action of receiving or transmitting a file through the network while the allowed application is able to access the allowed network.

For example, in a telecommuting environment using a PC connected to the Internet, access the cloud with an application allowed to receive important files and leak them, or transfer files containing malicious code from the Internet to the cloud to other terminals. It cannot prevent the spread of danger.

That is, in the case of an application that contains macros or programmable information and loads an executable file through the runtime included in the application itself (eg, a text editing tool, a graphic editing tool, etc.), it contains malicious code that the user cannot infer. These malicious codes may access the cloud and receive important files (eg, personal information, confidential information) and leak them, or files containing malicious codes may be transmitted to the cloud and propagated to all terminals connected to the cloud. It has potential problems.

DLP (Data Loss Prevention) technology exists as a similar technology to solve this problem, and DLP technology prevents unauthorized media (eg, USB (Universal Serial Bus), removable storage devices, etc.) from being connected, or Prevents file transfer in a way that prevents sharing of a specific folder on the network, or blocks a file from being selected when a file is selected for a specific application to transfer a file, or file IO (input output) of a specific application When a file system IO (or file system IO) occurs, the file IO is traced to prevent data leakage by removing the handle of the file IO if the user does not have file IO permission.

The problem with this DLP technology is that, since a collective security policy is always enforced on the terminal where the application is installed, there is a limit to the area where physical security control is impossible and the application of the security policy is limited in a telecommuting environment using a terminal owned by an individual. Actions that prevent unauthorized media from being connected cannot be enforced.

Furthermore, when using the DLP technology that tracks a specific action, if the specific action is not performed, for example, For example, it is impossible to prevent non-user malicious code from directly loading and transferring files without a file selection window.

To solve this problem, a DLP technology that tracks the file system IO of a specific application is used, but the technology tracks the IO of a file for a specific application and blocks it in batches, so the specific network accessed by the application is There is a problem that it is difficult to allow file transfer in , and some DLP technologies provide a method to unlock the file IO limit by identifying the access address bar of the Internet browser to solve this problem, but In this case, there is a limit in controlling file reception and transmission because network connection information cannot be tracked.

Various embodiments disclosed in this document are intended to provide a system for solving the above-described problems in a network environment and a method therefor.

A node according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a connection control application and a target application, The memory, when executed by the processor, causes the node to identify, through the connection control application, a file input output (IO) information check event by the target application, and through the connection control application, with the target application. Based on the authorized file IO information of the related data flow, check whether the file IO information check is necessary, and based on the confirmation that the file IO information check is necessary, through the access control application, the file IO information to the external server It is possible to request inspection and store commands for allowing or blocking the file IO of the target application through the access control application based on the result of the inspection of the file IO information received from the external server.

The method of operating a node according to an embodiment disclosed in this document is an operation of identifying a file input output (IO) information check event by a target application of the node through the access control application of the node, the access control application Through, based on the authorized file IO information of the data flow related to the target application, the operation of determining whether the file IO information check is necessary, based on the confirmation that the file IO information check is necessary, through the access control application , an operation of requesting an external server to check the file IO information, and an operation of allowing or blocking the file IO of the target application through the access control application based on the file IO information inspection result received from the external server may include

Various embodiments disclosed in this document may control file IO based on information identifying an application and a network accessed by the application by utilizing the application connectivity control technology.

Various embodiments disclosed in this document constantly monitor the IO of the file system of the terminal, identify the application and network information that are connected or to be connected, and determine whether to allow the identified target file IO through a centralized controller. It is possible to control file reception and transmission by application and network by checking and allowing file IO only for permitted connection targets.

Furthermore, various embodiments disclosed in this document are in a state in which file IO is used before network connection (preparation state for file transmission), and when file IO is used and released before network connection (file transfer) In the case of different network connection and connection target (application and network) identification time and file IO processing time, such as when file IO is being used after network connection (file is being transmitted or received). By controlling the corresponding network and file IO, it is possible to fine-grained control of file reception and transmission, and to bypass the access control application and prevent the file from being transmitted or received.

According to various embodiments disclosed in this document, network access control and file IO control are combined, so that when the access control application is terminated, access to a target network is blocked, thereby blocking an action of receiving a file in advance.

Furthermore, various embodiments disclosed in this document prevent file transmission in a manner that blocks the file from being selected when a specific application selects a file to transmit the file by always tracking the IO of the file system. It is possible to solve the problem of transferring files over the network by directly accessing the file system, which is a problem inherent in the DLP technology of the form.

In addition, various effects directly or indirectly identified through this document may be provided.

1 illustrates an architecture in a network environment according to various embodiments.
2 is a functional block diagram illustrating a database stored in a controller according to various embodiments of the present disclosure;
3 illustrates information included in a control flow and a data flow according to various embodiments of the present disclosure.
4 is a functional block diagram of a node according to various embodiments.
5 illustrates an operation for controlling transmission of a data packet according to various embodiments of the present disclosure.
6 is a signal flow diagram illustrating a controller connection according to various embodiments of the present disclosure.
7 is a flowchart illustrating a signal for user authentication according to various embodiments of the present disclosure.
8 illustrates a user interface screen for accessing a controller according to various embodiments of the present disclosure.
9 illustrates a signal flow diagram for network access according to various embodiments of the present disclosure.
10 is a flowchart illustrating an operation of a node for monitoring file IO access according to various embodiments of the present disclosure.
11 is a flowchart illustrating an operation of a node for checking a file IO table according to various embodiments of the present disclosure.
12 is a signal flow diagram for checking file write information according to various embodiments of the present disclosure.
13 is a flowchart illustrating a signal for checking file read information according to various embodiments of the present disclosure.
14 is a flowchart illustrating an operation of a node for transmitting a data packet according to various embodiments of the present disclosure.
15 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;
16 is a diagram illustrating a signal flow for removing a control flow according to various embodiments of the present disclosure;
17 illustrates a signal flow diagram for data flow removal according to various embodiments of the present disclosure.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that various modifications, equivalents, and/or alternatives of the embodiments of the present invention are included.

In this document, the singular form of a noun corresponding to an item may include one or more items, unless the context clearly dictates otherwise. As used herein, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A; Each of the phrases "at least one of B, or C" may include any one of, or all possible combinations of, items listed together in the corresponding one of the phrases. Terms such as "first", "second", or "first" or "second" may simply be used to distinguish an element from other elements in question, and may refer elements to other aspects (e.g., importance or order) is not limited. It is said that one (eg, first) component is “coupled” or “connected” to another (eg, second) component, with or without the terms “functionally” or “communicatively”. When referenced, it means that one component can be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, a module or a program) of components described in this document may include a singular or a plurality of entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or a program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

As used herein, the term “module” may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit. A module may be an integrally formed part or a minimum unit or a part of the part that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or an application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one of the one or more instructions stored from the storage medium and execute it. This makes it possible for the device to be operated to perform at least one function according to the called at least one command. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain a signal (eg, electromagnetic wave), and this term is used in cases where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided by being included in a computer program product. Computer program products may be traded between sellers and buyers as commodities. The computer program product is distributed in the form of a machine-readable storage medium (eg compact disc read only memory (CD-ROM)), or via an application store or between two user devices (eg smartphones). It can be distributed directly or online (eg, downloaded or uploaded). In the case of online distribution, at least a part of the computer program product may be temporarily stored or temporarily created in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a relay server.

1 illustrates an architecture in a network environment according to various embodiments.

The node 201 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device, or a home appliance, and is not limited to the above-described devices. For example, node 201 may include a server or gateway capable of sending data packets through an application. The node 201 may also be referred to as an 'electronic device' or a 'terminal'.

The node 201 may store a plurality of target applications 211-1, 211-2, and 211-3 and an access control application 212 .

Each of the target applications 211-1, 211-2, and 211-3 is controlled by the access control application 212 to the service servers 205-1 and 205-2 through the gateways 203-1 and 203-2. It can transmit data packets and vice versa.

Some of the target applications (211-1, 211-2, 211-3) are allowed and/or secured applications, such as web browsers or business applications, while others are disallowed programs (e.g. malware, ransomware). , other unauthorized applications) or unsecured malicious programs (applications infected with malware, forged or tampered with). According to embodiments, the access control application 212 identifies a program (or a target application, a process of the target application) requesting transmission of a data packet, and transmits a data packet of an unauthorized program to the outside of the node 201 . can be prevented from becoming In addition, according to embodiments, the access control application 212 is an unauthorized program through the secure sessions 220-1 and 220-2 between the access control application 212 and the gateways 203-1 and 203-2. It is possible to block access to the service servers 205-1 and 205-2 and isolate the corresponding program.

For example, before the target applications 211-1, 211-2, and 211-3 according to the embodiments communicate with the service servers 205-1 and 205-2, the access control application 212 is the controller 202 ), and if the connection is possible, authentication can be performed with the gateways 203-1 and 203-2 through the data packet authenticated by the controller 202. When authentication is completed, the access control application 212 may create the gateways 203 - 1 and 203 - 2 and secure sessions 220 - 1 and 220 - 2 .

According to various embodiments, the node 201 includes an access control application 212 and a network driver (not shown) for managing network connections of target applications 211-1, 211-2, and 211-3 stored in the node 201. city) may be included. For example, when a connection event to the service servers 205-1 and 205-2 of the target applications 211-1, 211-2, and 211-3 stored in the node 201 occurs, the access control application 212 ) may determine whether the target applications 211-1, 211-2, and 211-3 are accessible. If the target applications 211-1, 211-2, and 211-3 are accessible, the access control application 212 is connected to the gateways 203-1 and 203-2 through the secure sessions 220-1 and 220-2. data packets can be transmitted. The access control application 212 may control transmission of a data packet through a network driver and a kernel including an operating system in the node 201 .

In addition, the access control application 212 may monitor and control the file system input output (IO) in the kernel. File system IO refers to input and/or output generated in the file system of the kernel by any application (or any process). The file system IO includes an operation of writing specific information to the file system, reading specific information of the file system, or updating the file system. For file system IO, any application (or any process) must obtain a handle (eg a file handle) to use the file system.

The access control application 212 includes a file system driver (not shown) or a file system IO control module (not shown) capable of monitoring file system IO through hooking for a file system IO event in order to monitor the file system IO. may include File system IO can also be referred to as file IO.

The file IO control module may monitor the file IO and identify which application among the target applications 211-1, 211-2, and 211-3 accesses the file system (or accesses the file IO).

The file IO control module may check whether the file IO access of the corresponding application is possible in connection with the network to which the corresponding application is connected through identification information and process identifier (PID) of the application related to the data flow. The file IO control module allows the node 201 to control file transmission and file reception in detail by processing so that the application can no longer access the file IO when the file IO access of the application is impossible. The file IO control module can remove the file IO handle so that the application can no longer access the file IO if the application cannot access the file IO. The removal of a file IO handle may also be referred to as a file IO removal.

The controller 202 may be, for example, a server (or a cloud server). The controller 202 manages data transmission between the node 201, the gateways 203-1 and 203-2, and the service servers 205-1 and 205-2, thereby ensuring reliable data transmission within the network environment. can For example, the controller 202 may allow network access of the authorized node 201 (or the access control application 212 ) through policy information or blacklist information.

In addition, the controller 202 mediates the creation of secure sessions 220-1 and 220-2 between the access control application 212 and the gateways 203-1 and 203-2, or the node 201 or the gateway 203 The security sessions 220-1 and 220-2 may be removed according to the security event collected from -1 and 203-2). The access control application 212 can communicate with the service servers 205-1 and 205-2 only through the secure sessions 220-1 and 220-2 authorized by the controller 202, and the authorized secure session ( If 220 - 1 and 220 - 2 do not exist, network access of the node 201 and the access control application 212 may be blocked. In an embodiment, the target applications 211-1, 211-2, and 211-3 only access the service servers 205-1 and 205 through the secure sessions 220-1 and 220-2 authorized by the controller 202. -2), and if an authorized secure session 220-1, 220-2 does not exist, the network connection of the target application 211-1, 211-2, 211-3 is the access control application 212 ), the controller 202 or the gateway 203 . According to an embodiment, the controller 202 is a connection control application ( 212) and control data packets can be transmitted and received. A flow (eg, 230 ) through which a control data packet is transmitted may be referred to as a 'control flow'.

The gateways 203 - 1 and 203 - 2 may be located at the boundary of the network to which the node 201 belongs or the boundary of the network to which the service servers 205 - 1 and 205 - 2 belong. According to an embodiment, the gateways 203 - 1 and 203 - 2 may be connected to the controller 202 based on a cloud. The gateways 203 - 1 and 203 - 2 may forward only the authorized data packets among the data packets received from the access control application 212 to the service servers 205 - 1 and 205 - 2 . A flow (eg, 240-1, 240-2) through which data packets are transmitted between the access control application 212 and the gateways 203-1 and 203-2 may be referred to as a 'data flow'. .

A data flow can be created not only on a node or IP basis, but also on a more granular basis (eg, an application unit). Gateways 203-1 and 203-2 are the access control applications 212 and the gateways 203-1 and 203-2 before the creation of secure sessions 220-1 and 220-2 of the access control application 212. By performing authentication and forwarding only the data packets transmitted through the secure sessions 220-1 and 220-2 among the data packets transmitted from the access control application 212 to the service servers 205-1 and 205-2, You can block network access in advance.

2 is a functional block diagram illustrating a database stored in the controller 202 according to various embodiments, and FIG. 3 is control flow information 340, data flow information 350, and file IO table information ( 360) is shown.

Referring to FIG. 2 , the controller 202 may store databases 311 to 317 for controlling network access and data transmission in the memory 330 . 2 shows only the memory 330 , the controller 202 is an external electronic device (eg, the node 201 in FIG. 1 , the gateways 203 - 1 and 203 - 2 ) or the service servers 205 - 1 and 205 - 2)) and a communication circuit for performing communication (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller 202 ) can do. Since the administrator can access the controller 202 and set a connection-oriented policy for controlling the connection between the access control application 212 and the service servers 205-1 and 205-2, managing sessions at the service end You can control network access more precisely and safely.

The access policy database 311 may include information on networks and/or services to which the identified network, node, or application can connect. For example, when the access control application 212 requests a network access, the controller 202 identifies a network (eg, a network to which the node 201 belongs) based on the policy of the access policy database 311 , a node, and a user. (eg, users of node 201), and/or applications (eg, target applications 211-1, 211-2, 211-3) included in node 201) are service servers 205-1, 205 It is possible to determine whether access to -2) is possible. In an embodiment, the controller 202 whitelists the target applications 211-1, 211-2, and 211-3 that can be accessed by a specific service (eg, IP and port) based on the access policy database 311 . can create

The file IO policy database 312 is associated with the access policy, and may include information for establishing the file IO policy for the target applications 211-1, 211-2, and 211-3. For example, the file IO policy database 312 may include information on whether to allow or not allow the file reception and transmission of the target applications 211-1, 211-2, and 211-3. Also, for example, the file IO policy database 312 may include access right information on whether to allow the node 201 to write a file or allow the node 201 to read a file for an arbitrary file. The access right information may be associated with user identification information and node identification information, application identification information, and/or network identification information.

The blacklist policy database 313 is a target ( Example: A blacklist registration policy for blocking access to at least one of a node identifier (identifier), IP address, media access control (MAC) address, or user ID) may be indicated.

The blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 . For example, the controller 202 may isolate the node 201 by rejecting the network connection request when the identification information of the node 201 requesting the network connection is included in the blacklist database 314 .

The control flow table 315 is an example of a session table for managing the flow (ie, control flow) of control data packets generated between the access control application 212 and the controller 202 .

For example, referring to FIG. 3 , when the access control application 212 successfully accesses the controller 202 , the control flow information 340 and the control flow ID 342 (also referred to as 'control flow identification information') may be generated by the controller 202 . The control flow information 340 may include identification information 344 indicating at least one of an IP, a node, an application, or a target additionally identified through association with a service server, which is identified during controller access and authentication. For example, when a network access request of the access control application 212 is received, the controller 202 sets the control flow ID and identification information included in the access request to the control flow ID 342 included in the control flow information 340 and By mapping with the identification information 344 , it is possible to determine whether the access control application 212 can connect to the service servers 205 - 1 and 205 - 2 and create secure sessions 220 - 1 and 220 - 2 with the gateway 203 . It can be determined whether data flow can be created for The state information 346 may indicate various states such as creation, authentication, update, termination, and the like of a control flow.

According to an embodiment, since the control flow has an expiration time, the node 201 needs to update the expiration time of the control flow based on the time information 348, and if the expiration time is not updated for a certain period of time, the control flow ( Alternatively, the control flow information 340 may be removed. In addition, it is determined that immediate access blocking is required according to the security event collected from the node 201, the access control application 212, another security application (not shown), or the gateway 203-1, 203-2, When a connection termination request is received from them, the controller 202 may remove the control flow. When the control flow is removed, the associated data flow is also removed, and the gateways 203-1 and 203-2 are connected to the access control application 212 or the service server 205 of the target applications 211-1, 211-2, 211-3. -1, 205-2) can be blocked.

The data flow table 316 shows a flow (eg, a data flow) through which detailed data packets are transmitted between the node 201 and the gateways 203-1 and 203-2, and the service servers 205-1 and 205-2. ) is a table for managing Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 316 may include an application ID, a destination IP address, and/or a service port for identifying whether a data packet transmitted from a source is an authorized data packet.

Referring to FIG. 3 , the data flow information 350 may include a data flow ID 351 and a control flow ID 352 when the data flow is dependent on the control flow. In addition, the data flow information 350 includes authorized target information 353 for determining forwarding of the data packet based on the source IP and destination IP and port of the data packet, and a state indicating whether the data flow is in a usable and valid state. information 355 , and/or time information 356 indicating authentication expiration time information of the data flow. In addition, the data flow information 350 may further include authorized file IO information 354 . The authorized file IO information 354 may include information on whether to allow an application's file IO access (eg, access such as read or write). For example, the authorized file IO information 354 may include writable path information and whether or not a file is writable during file IO for receiving a file of an application. For example, the authorized file IO information 354 may include readable path information and whether a file IO for file transfer of an application is readable. Also, for example, the authorized file IO information 354 includes information on whether or not to allow file IO of an application applying a data flow (eg, file IO processing exception, etc.). Also, for example, the authorized file IO information 354 includes information on whether or not the file write information check is required when writing the file of the application that applies the data flow, and/or information such as whether the file read information check is required when reading the file. may include File write information check and/or file read information check may be performed by node 201 and/or controller 202 .

The file IO table 317 is a database for recording and managing file IOs generated in the node 201 , and may include file IO table information 360 .

Referring to FIG. 3 , the file IO table information 360 includes the PID 361 of the process in which the file system IO is generated and application identification information 362 for identifying the application (eg, application name and execution path, unique information, etc.) ) may be included. The file IO table information 360 may include a data flow ID 363 for association with network access control information when a file system IO is generated in a state in which a data flow is identified. The file IO table information 360 includes the file IO information 364 on which form (eg, read and/or write) the file system IO occurred, the path where the file system IO occurred, the file name, and/or the file management file information 365, including unique information (eg hash and signature, header information, etc.) for It may include state information 366 including information on whether or not a write request is required, and/or file IO time information 367 indicating a time when the file IO occurred.

4 is a functional block diagram of a node 201 according to various embodiments. At least some of the configurations illustrated in FIG. 4 may be applied to the controller 202 , the gateways 203 - 1 and 203 - 2 , or the service servers 205 - 1 and 205 - 2 .

Referring to FIG. 4 , the node 201 may include a processor 410 , a memory 420 , and a communication circuit 430 . According to an embodiment, the node 201 may further include a display 440 to provide a user interface.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include one processor core or a plurality of processor cores. For example, the processor 410 may include a multi-core such as a dual-core, a quad-core, or a hexa-core. According to embodiments, the processor 410 may further include a cache memory located inside or outside. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, and a graphical processing unit (GPU).

All or part of processor 410 may be electrically or operatively (eg, memory 420 , communication circuitry 430 , or display 440 ) with other components within node 201 (eg, memory 420 , communication circuitry 430 , or display 440 ). operatively) coupled with or connected to. The processor 410 may receive commands from other components, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process a message, data, command, or signal received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, instruction, or signal based on the received message, data, instruction, or signal. The processor 410 may provide the processed or generated messages, data, instructions, or signals to the memory 420 , the communication circuitry 430 , or the display 440 .

The processor 410 may process data or signals generated or generated in a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may write (or store) or update instructions, data, or signals to the memory 420 to execute or control a program.

The memory 420 may store a command for controlling a node, a control command code, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). may include The nonvolatile memory may include a read only memory (ROM), a programmable ROM (PROM), an electrically programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), a flash memory, and the like. The memory 420 includes a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), and a universal flash storage (UFS). may include more.

According to an embodiment, the memory 420 may store the target applications 211-1, 211-2, and 211-3 and the access control application 212 of FIG. 1 . The access control application 212 may perform network connection and secure sessions 220-1 and 220-2 creation with the gateways 203-1 and 203-2, and control flow creation and update functions with the controller 202. have. To this end, the access control application 212 may include one or more security modules. In an embodiment, the memory 420 may store the control flow information 340 of FIG. 3 , the data flow information 350 , and the file IO table information 360 .

In one embodiment, the target application 211-1, 211-2, 211-3 is one or more security modules to create a secure session (220-1, 220-2) with the gateway (203-1, 203-2) may include

The communication circuit 430 establishes a wired or wireless communication connection between the node 201 and an external electronic device (eg, the controller 202 or the gateways 203-1 and 203-2), and performs communication through the established connection. can support According to an embodiment, the communication circuit 430 is a wireless communication circuit (eg, a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct or IrDA (infrared data association) or a cellular network, Internet, or long-distance communication such as a computer network It can communicate with an external electronic device through a network. The above-described various types of communication circuits 430 may be implemented as a single chip or as separate chips.

The display 440 may output content, data, or a signal. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input or the like. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

5 illustrates an operation for controlling transmission of a data packet according to various embodiments of the present disclosure.

Referring to FIG. 5 , the access control application 212 detects a network access request to the service server 205 from the target application 211 included in the node 201 , and the node 201 or the access control application 212 . ) may determine whether the controller 202 and the connected state. When the node 201 or the access control application 212 is not connected to the controller 202 , the access control application 212 may block transmission of a data packet from a kernel or a network driver including the operating system. Through the access control application 212 , the node 201 may in advance block access of a malicious application in an application layer among seven open system interconnection (OSI) layers.

In one embodiment, the access control application 212 is not connected to the controller 202 , the access control application 212 is not authenticated by the gateway 203 , or the access control application 212 and If a secure session between the gateways 203 is not created, the data packet transmitted from the access control application 212 is blocked by the gateway 203 and the access control application 212 may request a connection to the controller 202 . only According to an embodiment, even if the access control application 212 is not authenticated by the gateway 203 , the data packet transmitted from the access control application 212 may not be blocked by the gateway 203 .

According to another embodiment, when the access control application 212 is not installed in the node 201 or a malicious application bypasses the control of the access control application 212 , an unauthorized data packet may be transmitted from the node 201 . have. In this case, the gateway 203 existing at the boundary of the network blocks data packets received with unauthorized secure sessions and data packets with no data flow, so data packets transmitted from the node 201 (eg, TCP session) are blocked. data packets for generation) may not reach the service server 205 . In other words, node 201 may be isolated from service server 205 .

6 is a signal flow diagram illustrating a controller connection according to various embodiments of the present disclosure.

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow to the node 201 You can try to connect to the controller of

Referring to FIG. 6 , in operation 605 , the node 201 may detect a controller access event. For example, when the access control application 212 is installed and/or executed within the node 201 , the node 201 may detect that a connection to the controller 202 is requested.

In operation 610 , the node 201 may request a controller connection from the controller 202 . For example, the access control application 212 may transmit identification information of the access control application 212 to the controller 202 . Additionally, the access control application 212 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of a network to which the node 201 belongs, and/or network Any identification information generated by the system itself may be further transmitted.

In operation 615 , the controller 202 may identify whether a target (eg, the access control application 212 and the node 201 ) requesting controller access can access the controller. According to an embodiment, the controller 202 controls whether the information received from the node 201 is included in the access policy database 311 or whether the node 201, the network to which the node 201 belongs, and/or access control. Based on at least one of whether the identification information of the application 212 is included in the blacklist database 314, it is possible to check whether the controller access of the target requesting the controller access is possible.

If the controller connection of the target requesting the controller connection is possible, the controller 202 may generate a control flow between the node 201 (or the access control application 212 ) and the controller 202 . In this case, the controller 202 generates control flow identification information in the form of a random number, and stores identification information of at least one of the node 201 , the network to which the node 201 belongs, or the access control application 212 in the control flow table ( 315) can be stored. Information stored in the control flow table 315 (eg, control flow information 340 ) includes user authentication of the node 201 , information update of the node 201 , policy confirmation for network access of the node 201 , and / Or it can be used for validation.

In operation 620 , the controller 202 may check an access policy corresponding to information identified in the access policy database 311 (eg, node 201 and source network information to which node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the checked access policy. In another embodiment, the controller 202 may not perform operation 620 . For example, if it is not possible to access the controller of the target that has requested access, the controller 202 may not perform operation 620 .

In operation 625 , the controller 202 may transmit a response to the controller connection request to the node 201 . In an embodiment, the controller 202 may transmit the control flow information 340 including the control flow identification information to the node 201 in response to the controller access request. In an embodiment, the controller 202 may transmit the white list generated by performing operation 620 to the access control application 212 . According to an embodiment, when a target requesting controller access is unavailable or is included in the blacklist, the controller 202 may notify the controller access unavailable in response to the controller access request without generating a control flow.

In an embodiment, the node 201 may process the result value according to the received response. For example, the access control application 212 may store the received control flow identification information and display a user interface screen (not shown) indicating that the controller connection is complete to the user. When the controller connection is completed, the network connection request of the node 201 to the service server 205 may be controlled by the controller 202 .

According to an embodiment, the controller 202 may determine that the node 201 is not accessible. For example, when the controller connection impossible information is received, the node 201 may output a user interface screen indicating that the controller connection is impossible to the user. For example, the user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding the release of isolation through an administrator (eg, the controller 202 ).

In an embodiment, the access control application 212 of the node 201 , the controller 202 , and the gateway 203 may further perform operations 630 to 650 . According to an embodiment, the access control application 212 , the controller 202 , and the gateway 203 of the node 201 may perform all or part of operations 630 to 650 .

In operation 630 , the access control application 212 may perform an inspection of the application. For example, when the white list is received from the controller 202 , the access control application 212 may check whether an application included in the white list is installed in the node 201 . In the case of applications included in the white list among applications installed in the node 201, the access control application 212 determines whether the integrity and stability of the application (application forgery and tampering, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

In operation 635 , the access control application 212 may transmit a test result of the application to the controller 202 .

The controller 202 may check whether the application is valid based on the test result. If the application is valid, the controller 202 checks the gateways 203-1 and 203-2 where the node 201 is located in the access policy for the node 201 to allow the node 201 to access the network, Thereafter, operation 640 may be performed.

In operation 640, the controller 202 sends the data packet to the service server 205-1 and 205-2 through the gateways 203-1 and 203-2 without the node 201 requesting a network connection. A data flow can be created based on IP, destination IP and port information.

The controller 202 may check a file IO policy when generating a data flow, and may generate authorized file IO information 354 based on the file IO policy. The data flow information 350 of the data flow may include the generated authorized file IO information 354 . The authorized file IO information 354 may include policy information related to file IO access of an application using a data flow. For example, the authorized file IO information 354 may include information on whether to allow an application's file IO access (eg, access such as read or write). In addition, the authorized file IO information 354 may include information about a file path to which an application is allowed to access, and/or information about a file path to which an access is not allowed.

In operation 645 , the controller 202 may transmit a response to the transmission of the application check result of the access control application 212 . For example, the controller 202 may send the data flow information 350 including the authorized file IO information 354 to the access control application 212 . Also, in operation 650 , the controller 202 may transmit the data flow information 350 including the authorized file IO information 354 to the gateway 203 .

7 illustrates a signal flow diagram for user authentication according to various embodiments of the present disclosure, and FIG. 8 illustrates a user interface screen for controller access according to various embodiments of the present disclosure. The operations shown in FIG. 7 may be implemented, for example, after the signal flow diagram of FIG. 6 .

In order for the node 201 to be granted detailed access to the destination network, the access control application 212 of the node 201 may be authenticated by the controller 202 for the user of the node 201 .

Referring to FIG. 7 , in operation 705 , the node 201 may receive an input for user authentication. The input for user authentication may be, for example, a user input inputting a user ID and password. As another example, the input for user authentication may be a user input (eg, biometric information) for more enhanced authentication.

For example, referring to FIG. 8 , when the access control application 212 is executed, the node 201 may display a user interface screen 810 for receiving information required for access to the controller. The user interface screen 810 may include an input window 811 for inputting a user ID, and/or an input window 812 for inputting a password. After information is input into the input windows 811 and 812 , the node 201 may detect a controller connection event by receiving an input for the button 813 for user authentication.

In operation 710 , the node 201 may request user authentication from the controller 202 . For example, the access control application 212 may transmit input information for user authentication to the controller 202 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication together with the control flow identification information.

In operation 715 , the controller 202 may authenticate the user based on the information received from the node 201 . For example, the controller 202 may include a user ID, password, and/or enhanced authentication information included in the received information, and a database included in the memory of the controller 202 (eg, the access policy database 311 of FIG. 2 ). ) or the blacklist database 314), it is possible to determine whether the user is accessible according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 315 based on the control flow identification information transmitted by the node 201, and enters the checked control flow information 340. You can add user identification information (eg user ID). The added user identification information may be used for an authenticated user's controller access or network access.

In operation 720 , the controller 202 may check an access policy corresponding to information identified in the access policy database 311 (eg, node 201 and source network information to which node 201 belongs). The controller 202 may generate white list information of accessible applications based on the checked access policy. In another embodiment, the controller 202 may not perform operation 720 . For example, if it is not possible to access the controller of the target that has requested access, the controller 202 may not perform operation 720 .

In operation 725 , the controller 202 may transmit a response to the user authentication request to the node 201 . In an embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In an embodiment, the controller 202 may transmit the white list generated by performing operation 720 to the access control application 212 . According to an embodiment, when a target requesting controller access is unavailable or included in a blacklist, the controller 202 may notify the controller access unavailable in response to the user authentication request.

In an embodiment, the node 201 may process a result value for user authentication. For example, the node 201 may output a user interface screen indicating that user authentication is completed to the user through the display.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, if the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is impossible to the node 201, and the node 201 may output a user interface screen indicating that user authentication has failed through the display. can For example, referring to FIG. 8 , the node 201 may display the user interface screen 820 through the access control application 212 . The user interface screen 820 may include a user interface 825 that indicates that access to the node 201 is blocked, and guides release of isolation through an administrator (eg, the controller 202 ).

In an embodiment, the access control application 212 of the node 201 , the controller 202 , and the gateway 203 may further perform operations 730 to 750 . According to an embodiment, the access control application 212 , the controller 202 , and the gateway 203 of the node 201 may perform all or part of operations 730 to 750 .

In operation 730 , the access control application 212 may perform an application check. For example, when the white list is received from the controller 202 , the access control application 212 may check whether an application included in the white list is installed in the node 201 . In the case of applications included in the white list among applications installed in the node 201, the access control application 212 determines whether the integrity and stability of the application (application forgery and tampering, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

In operation 735 , the access control application 212 may transmit a test result of the application to the controller 202 .

The controller 202 may validate whether the application is valid based on the test result. If the application is valid, the controller 202 checks the gateways 203-1 and 203-2 where the node 201 is located in the access policy for the node 201 to allow the node 201 to access the network, Thereafter, operation 740 may be performed.

In operation 740, the controller 202 transmits the data packet to the service servers 205-1 and 205-2 through the gateways 203-1 and 203-2 without the node 201 requesting a network connection. A data flow can be created based on IP, destination IP and port information.

The controller 202 may check a file IO policy when generating a data flow, and may generate authorized file IO information 354 based on the file IO policy. The data flow information 350 of the data flow may include the generated authorized file IO information 354 . The authorized file IO information 354 may include policy information related to file IO access of an application using a data flow. For example, the authorized file IO information 354 may include information on whether to allow an application's file IO access (eg, access such as read or write). In addition, the authorized file IO information 354 may include information about a file path to which an application is allowed to access, and/or information about a file path to which an access is not allowed.

In operation 745 , the controller 202 may transmit a response to the transmission of the application check result of the access control application 212 . For example, the controller 202 may send the data flow information 350 including the authorized file IO information 354 to the access control application 212 . Also, in operation 750 , the controller 202 may transmit the data flow information 350 including the authorized file IO information 354 to the gateway 203 .

9 illustrates a signal flow diagram for network connection according to various embodiments of the present disclosure, and the operations illustrated in FIG. 9 may be implemented after, for example, the signal flow diagram of FIG. 6 or 7 .

Referring to FIG. 9 , in operation 905 , the node 201 may detect a network access event. For example, the node 201 may detect, through the access control application 212 , that the target application is attempting to connect to the service server 205 .

In an embodiment, the access control application 212 may inspect the data flow when a network access event is detected. For example, the access control application 212 may check whether a data flow corresponding to identification information, destination IP and/or port information of the target application exists. Also, the access control application 212 may check whether the data flow is valid even if the data flow exists. For example, the access control application 212 performs an integrity and safety check (eg, whether the application is forged or tampered with, code signing check, fingerprint check) of the access control application 212 and the target application according to the validation policy. and whether access to the destination IP and port of the target application installed in the node 201 is possible according to the access policy received from the controller 202 .

If a valid data flow exists, the access control application 212 may omit the following operations and transmit the data packet of the target application to the gateway 203 through the secure session.

If the data flow exists but is not valid, the connection control application 212 may output a user interface screen indicating that the network connection fails without sending the data packet.

When the data flow does not exist, the authentication time of the data flow has expired and an update is required, or when the data flow needs to be updated for other reasons, the access control application 212 may request the controller 202 to access the network. have. According to an embodiment, the access control application 212 performs integrity and safety checks of the access control application 212 and the target application according to the validation policy before requesting network access, and when the integrity and stability of the application is confirmed, the controller 202 may request a network connection.

In operation 910 , the access control application 212 may request a network connection to the service server 205 from the controller 202 . In this case, the access control application 212 may transmit the target application identification information and identification information (eg, IP and service port) of the service server 205 to the controller 202 together with the identification information of the control flow.

In operation 915 , the controller 202 may check the access policy and the file IO policy related to the target application in response to the request received from the access control application 212 .

The controller 202 may check whether the target application satisfies the access policy of the access policy database 311 . For example, the controller 202 determines whether identification information of a target (eg, a target application) and a requested target (eg, the service server 205) that has requested a network connection is included in the access policy database 311 and whether the network connection You can check whether the gateway connection of the requesting target is possible.

If the target application is not accessible, the controller 202 may transmit information indicating that the connection is impossible to the node 201 in operation 920 . In this case, the access control application 212 may output a user interface screen indicating that access is not possible through the display.

If the target application is accessible, the controller 202 checks the authorized file IO information 354 related to the target (eg, the target application) that has requested the connection, and establishes the connection based on the authorized file IO information 354 . You can check whether the file IO access of the requested target (eg target application) is allowed. Checking whether to allow file IO access is checking whether to allow the application's file IO access (eg, access such as read or write), or the file path to which the application is allowed to access, and/or This may include checking for file paths that are not allowed to access.

The controller 202 may check whether a data flow accessible to the corresponding destination IP and port exists in the data flow table 316 in order to allow the node 201 to access the network.

If there is no valid data flow, the controller 202 creates a data flow that allows the target (eg, the target application) to connect to the network between the node 201 and the service servers 205-1 and 205-2. can The controller 202 may generate the data flow information 350 based on information such as source IP, destination IP and port information, and authorized file IO information 354 . Here, the authorized file IO information 354 may be generated according to the file IO policy.

The controller 202 may check a file IO policy when generating a data flow, and may generate authorized file IO information 354 based on the file IO policy. The data flow information 350 of the data flow may include the generated authorized file IO information 354 . The authorized file IO information 354 may include policy information related to file IO access of an application using a data flow. For example, the authorized file IO information 354 may include information on whether to allow an application's file IO access (eg, access such as read or write). In addition, the authorized file IO information 354 may include information about a file path to which an application is allowed to access, and/or information about a file path to which an access is not allowed.

In operation 920 , the controller 202 may transmit a response to the network access request of the access control application 212 to the node 201 . For example, the controller 202 may transmit the data flow information 350 generated by performing operation 915 to the access control application 212 . According to an embodiment, when the target requesting access is unavailable, the controller 202 may notify the network access unavailable in response to the network access request.

The node 201 may process the result according to the received response. For example, the access control application 212 may store the received data flow information 350 and perform a file IO table check if a network connection is possible. As another example, when receiving a response indicating that the network connection is unavailable, the node 201 may drop a data packet of the target application. As another example, when receiving a response indicating that the network connection is unavailable, the node 201 may remove the file system IO of the target application (or remove the file system IO handle).

Also, in operation 925 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

10 is a flowchart illustrating an operation of the node 201 for monitoring file IO access according to various embodiments of the present disclosure. The following operation flowchart may be implemented by the node 201 or the access control application 212 installed in the node 201 .

Referring to FIG. 10 , in operation 1010 , the access control application 212 may detect a file IO access event. The access control application 212 may confirm that the file IO access event has occurred when the target applications 211-1, 211-2, and 211-3 (or processes thereof) access the file IO.

In operation 1020 , the access control application 212 may check the PID of the process accessing the file IO and check whether a data flow allocated to the corresponding PID exists.

If a data flow exists, the access control application 212 may proceed to operation 1030 . If the data flow does not exist, the connection control application 212 may proceed to operation 1035 . Also, if the PID 361 of the process accessing the file IO does not exist, the access control application 212 may proceed to operation 1035 .

In operation 1030 , if there is a data flow, the access control application 212 may check the type of file IO accessed by the corresponding process.

When the type of file IO accessed by the corresponding process is write (or all file access types related to writing), the access control application 212 may proceed to operation 1040 . When the type of file IO accessed by the corresponding process is read (or all file access types related to read), the access control application 212 may proceed to operation 1050 .

The type of file IO accessed by the process may simultaneously request one or more file reads and/or one or more writes, and when multiple file IOs exist, each step may be performed sequentially and/or in parallel. For example, operations 1040 and 1050 may be performed sequentially and/or in parallel.

In operation 1035 , if the data flow does not exist, the access control application 212 may store the file IO information in the file IO table 317 . For example, the access control application 212 stores the identified file IO information (eg, file location, file name, type of file IO (eg, file read or write), file IO time information) of the process in the file IO table ( 317) can be stored. After that, when the corresponding process accesses the network, the access control application 212 searches the file IO table 317 for details so that the data packet can be inspected.

In operation 1040, the access control application 212 may perform a file write information check. The file write information check may be a check on whether the target file of the file IO is finally saved and/or whether the write of the target application in which the file IO has occurred is allowed to be written.

In operation 1050 , the access control application 212 may perform a file read information check.

11 is a flowchart illustrating an operation of the node 201 for checking a file IO table according to various embodiments of the present disclosure. The following operation flowchart may be implemented by the node 201 or the access control application 212 installed in the node 201 .

Referring to FIG. 11 , in operation 1110 , the access control application 212 may detect a file IO table check event. The access control application 212 may detect a file IO table check event when a data flow for which a network connection occurs is detected. The access control application 212 may detect when the data flow information 350 is obtained (or updated) as a file IO table check event.

In operation 1120 , the access control application 212 examines the file IO table 317 , the target application 211-1 , 211-2 , 211-3 (or process thereof) that is using the file IO for the data flow. You can check if this exists. The access control application 212 may search the file IO table information 360 corresponding to the PID 361 as one of the target application identification information from the file IO table 317 .

If there is an application using the file IO, the access control application 212 may proceed to operation 1130 . If the application is not using the file IO, the access control application 212 may proceed to operation 1135 .

In operation 1130 , when the file IO currently being used exists, the access control application 212 may check the type of file IO accessed by the corresponding process.

When the type of file IO accessed by the corresponding process is write (or all file access types related to writing), the access control application 212 may proceed to operation 1140 . When the type of file IO accessed by the corresponding process is read (or all file access types related to read), the access control application 212 may proceed to operation 1150 .

The type of file IO accessed by the process may simultaneously request one or more file reads and/or one or more writes, and when multiple file IOs exist, each step may be performed sequentially and/or in parallel. For example, operations 1140 and 1150 may be performed sequentially and/or in parallel.

In operation 1135 , the access control application 212 may transmit a data packet when the file IO currently in use does not exist.

In operation 1140 , the access control application 212 may perform file write information check.

In operation 1150 , the access control application 212 may perform a file read information check.

12 is a signal flow diagram for checking file write information according to various embodiments of the present disclosure. The operations of FIG. 12 may be performed after the operations of FIG. 10 or 11 . The operations of FIG. 12 may be included in operation 1040 of FIG. 10 or operation 1140 of FIG. 11 .

Referring to FIG. 12 , in operation 1205 , the node 201 may detect a file write information check event. For example, if the type of file IO accessed by the target application (or process) is write (or all file access types related to writing), the access control application 212 detects that a file write information check event has occurred. can

In operation 1210 , the node 201 may check a data flow based on identification information and/or network connection identification information of a target application.

The node 201 may check whether the file is writable and/or whether it is necessary to check the file write information based on the authorized file IO information 354 of the data flow information 350 .

If the authorized file IO information 354 indicates that the file write is not allowed, the node 201 may suspend the file access of the target application. File access abort processing may be performed based on API (application programming interface) and/or hooking provided by the operating system to abort file access, such as file handle removal, file handle conflict, and file write buffer initialization. can In addition, the file access stop processing may be performed based on a forcible termination of the corresponding process or a series of file access control interruption commands. The node 201 may change the state of the corresponding file IO in the file IO table 317 to access interruption processing after stopping the file access of the target application. Also, the node 201 may change the state of the corresponding data flow and block the network connection to block the data packet flowing from the network. The node 201 may drop the data packet being transmitted if there is a data packet being transmitted.

If the authorized file IO information 354 indicates that a file write is possible and that the file write information check is unnecessary, the node 201 may allow the file write of the target application to be processed.

If the authorized file IO information 354 indicates that a file write is possible and indicates that a file write information check is required, the node 201 may proceed to operation 1215 .

In operation 1215 , the node 201 may check file information of the file IO target file. The file information may include unique information and identification information (eg, a file name, a file path, partial contents of a file, header information, hash information, and/or signature information).

The node 201 may extract unique information and identification information of the file IO target file when the target application accesses the file IO is released. Release of file IO access may be made after the target application has completed writing the file.

In operation 1220 , the node 201 may request the controller 202 to check the file write information. The file write information check request may include data flow identification information and file information. In another example, the file write information check request may include target application identification information, network identification information, and file information.

In operation 1225, the controller 202 may check the file IO policy.

The controller 202 may check whether a file IO target file exists in the file IO table 317 based on the information included in the file write information check request. When the file IO target file exists in the file IO table 317 , the controller 202 may check the state information 366 of the file IO table 317 .

If the file IO target file does not exist in the file IO table 317 , the controller 202 controls the file IO matched to the user, the node 201 , the target application, and/or the network in the file IO policy database 312 . Based on the policy, you can check whether to allow the file write of the file IO target file. The controller 202 may store the result of checking whether to allow the file to be written and the file IO information 364 in the file IO table 317 . In another embodiment, whether to allow the file write of the file IO target file may be confirmed according to the result of the controller 202 querying the file IO policy for the file IO target file to the external linkage system.

In operation 1230 , the controller 202 may transmit a response to the node 201 . The response may include information on whether to allow file writes of the file IO target file. For example, if a file write of the file IO target file is allowed, the response may indicate that the file is writable. For another example, if the file IO target file does not allow file write, the response may indicate that the file write is not possible (or the file write fails).

In operation 1235, the node 201 may process the received response. For example, if the response indicates that the file is writable, the node 201 indicates that the file write is enabled to the file IO table information 360 including the file IO information 364 and the status information 366 of the file IO target file. Information that is available may be added and/or updated. For another example, if the response indicates that the file is not writable, the node 201 deletes the file IO target file, and then processes the file to be unusable.

13 is a flowchart illustrating a signal for checking file read information according to various embodiments of the present disclosure. The operations of FIG. 13 may be performed after the operations of FIG. 10 or 11 . The operations of FIG. 13 may be included in operation 1050 of FIG. 10 or operation 1150 of FIG. 11 .

Referring to FIG. 13 , in operation 1305 , the node 201 may detect a file read information check event. For example, when the type of file IO accessed by the target application (or process) is read (or all file access types related to read), the access control application 212 detects that a file read information check event has occurred. can

In operation 1310 , the node 201 may check a data flow based on identification information and/or network connection identification information of a target application.

The node 201 may check whether a file can be read and/or whether a file read information check is required based on the authorized file IO information 354 of the data flow information 350 .

If the authorized file IO information 354 indicates that the file read is not allowed, the node 201 may suspend the file access of the target application. File access abort processing may be performed based on APIs and/or hooks provided by the operating system to abort file access, such as file handle removal, file handle conflict, and file read buffer initialization. In addition, the file access stop processing may be performed based on a forcible termination of the corresponding process or a series of file access control interruption commands. The node 201 may change the state of the corresponding file IO in the file IO table 317 to access interruption processing after stopping the file access of the target application. Also, the node 201 may change the state of the corresponding data flow and block the network connection, thereby blocking the data packet transmitted to the network. The node 201 may drop the data packet being transmitted if there is a data packet being transmitted.

If the authorized file IO information 354 indicates that file reading is possible and that the file read information check is unnecessary, the node 201 may allow the target application to read the file.

If the authorized file IO information 354 indicates that the file is readable and indicates that the file read information check is required, the node 201 may proceed to operation 1315 .

In operation 1315 , the node 201 may check the file IO table information 360 from the file IO table 317 based on the target application identification information and the file IO information.

When the file IO table information 360 in which the file IO is recorded exists and the file read of the target application is set to be possible in the data flow, the node 201 may allow the file read process.

If the file IO table information 360 in which the file IO is recorded exists, but it is set to be impossible to read the file of the target application, the node 201 may suspend the file access of the target application. The node 201 may change the state of the corresponding file IO in the file IO table 317 to access interruption processing after stopping the file access of the target application. Also, the node 201 may change the state of the corresponding data flow and block the network connection, thereby blocking the data packet transmitted to the network. The node 201 may drop the data packet being transmitted if there is a data packet being transmitted.

If the file IO table information 360 in which the file IO is recorded does not exist, or if the file IO table information 360 in which the file IO is recorded exists but the file read information check is required, the node 201 performs operation 1320 can proceed with

In operation 1320 , the node 201 may request the controller 202 to check the file read information. The file read information check request may include data flow identification information and file information. In another example, the file read information check request may include target application identification information, network identification information, and file information. The file information may include unique information and identification information (eg, a file name, a file path, partial contents of a file, header information, hash information, and/or signature information).

In operation 1325, the controller 202 may check the file IO policy.

The controller 202 may check whether a file IO target file exists in the file IO table 317 based on the information included in the file read information check request. When the file IO target file exists in the file IO table 317 , the controller 202 may check the state information 366 of the file IO table 317 .

If the file IO target file does not exist in the file IO table 317 , the controller 202 controls the file IO matched to the user, the node 201 , the target application, and/or the network in the file IO policy database 312 . Based on the policy, you can check whether to allow the file read of the file IO target file. The controller 202 may store the result of checking whether the file is allowed to read and the file IO information 364 in the file IO table 317 . In another embodiment, whether to allow the file read of the file IO target file may be confirmed according to the result of the controller 202 querying the file IO policy for the file IO target file to the external linkage system.

In operation 1330 , the controller 202 may transmit a response to the node 201 . The response may include information on whether to allow file reading of the file IO target file. For example, if a file read of the file IO target file is allowed, the response may indicate that the file is read. For another example, if the file IO target file is not allowed to read, the response may indicate that the file is not readable (or the file read fails).

In operation 1335 , the node 201 may process the received response. For example, if the response indicates that the file read is possible, the node 201, the file IO table information 360 including the file IO information 364 and the state information 366 of the file IO target file, the file read is Information that is available may be added and/or updated. For another example, if the response indicates that the file is not readable, the node 201 deletes the file IO target file, and then processes the file to be unusable.

14 is a flowchart illustrating an operation of the node 201 for transmitting a data packet according to various embodiments of the present disclosure. The following operation flowchart may be implemented by the node 201 or the access control application 212 installed in the node 201 .

Referring to FIG. 14 , in operation 1410 , the access control application 212 may detect a data packet transmission event. The access control application 212 may detect a data packet transmission request requested by the target applications 211-1, 211-2, 211-3 (or a process thereof) as a data packet transmission event.

In operation 1420, when a data packet transmission event is detected after network access is permitted, the access control application 212 identifies the transmitted data packet and the target application 211-1, 211-2, and 211-3 for a data flow You can check whether . Identifies the target application 211-1, 211-2, 211-3 (or a process thereof) requesting transmission of the data packet, and the identified target application 211-1, 211-2, 211-3 ( Alternatively, the PID of the process) may be checked and whether a data flow assigned to the corresponding PID exists.

If a data flow exists, the access control application 212 may proceed to operation 1430 . If the data flow does not exist, the connection control application 212 may proceed to operation 1435 . At operation 1435 , the connection control application 212 may drop the data packet if no data flow exists.

In operation 1430 , the access control application 212 may check the file IO table if there is a data flow.

In operation 1440 , the access control application 212 may check whether the file IO or read of the target application (or its process) is permitted in the authorized file IO information 354 of the data flow information 350 . If file IO, or read, is permitted, the access control application 212 may proceed to operation 1455 . If the file IO and read are not allowed, the access control application 212 may proceed to operation 1445 . At operation 1455 , the connection control application 212 may send the data packet to the network.

In operation 1445 , the access control application 212 may check whether the file IO does not exist in the file IO table 317 . The access control application 212 uses the PID, which is one of the application identification information, to determine whether a read-type file IO exists, or whether it is being accessed as a read-type file IO, and whether there is a file IO that has been used after access. can be checked The access control application 212 determines whether there is a file IO of a read type performed by the target application (or a process thereof), or whether it is being accessed as a file IO of a read type, whether there is a file IO that has been accessed and then used is terminated can check whether

If the file IO does not exist, the connection control application 212 may proceed to operation 1455 . If the file IO exists, the connection control application 212 can proceed to operation 1450 . At operation 1455 , the connection control application 212 may send the data packet to the network.

At operation 1450 , the connection control application 212 may examine the data packet if the file IO exists. The access control application 212 checks the target file of the file IO, and whether a part of the target file or unique information for managing the target file (eg, hash, header information, signature information, etc.) is included in the data packet. can be inspected. The access control application 212 may check whether the transmitted data packet includes partial content of the file or unique information for managing the file (eg, hash, header information, signature information, etc.).

At operation 1460 , the access control application 212 may verify whether the inspection of the data packet was successful. The access control application 212 determines that the data packet inspection has failed when the data packet includes partial contents of the file or unique information (eg, hash, header information, signature information, etc.) for managing the file. can If the inspection of the data packet is successful, the access control application 212 may proceed to operation 1455 . If the inspection of the data packet fails (that is, when the data packet does not contain some contents of the file or unique information for managing the file (eg, hash, header information, signature information, etc.), the access control application ( 212 may proceed to operation 1450 . At operation 1470 , the access control application 212 may send the data packet to the network.

At operation 1470 , the access control application 212 may drop the data packet and block the network connection.

15 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;

Referring to FIG. 15 , in operation 1505 , the access control application 212 may request a control flow update.

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In an embodiment, the access control application 212 may request to update the control flow in order to transmit the file IO access blocked history when a file is stored or read through a network connection in the file IO table 317 . In addition, the access control application 212 may request a control flow update including identification information of the control flow every specified period.

In operation 1510 , the controller 202 may update (check) the control flow. For example, the controller 202 determines whether the control flow information 340 indicated by the received identification information exists in the control flow table 315, and if the control flow information 340 exists, the data flow information 350 dependent on it. It can be checked whether . A control flow may not exist if the connection is released by another security system, the update time elapses, or if the connection is released due to risk detection.

For example, if the update (check) fails, the controller 202 may cause the node 201 to terminate the access control application 212 or block the access control application 212 from connecting to the network. For another example, if the update (check) is successful, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. In this case, the node 201 may update the control flow information 340 and the data flow information 350 .

When there is the file IO table information 360 received from the node 201, the controller 202 updates the file IO table 317 existing in the controller 202, and stores the updated file IO table 317 to Based on the data, it is used as an inquiry and audit data for actions from the user and the node 201, and when an abnormal action occurs, the control flow can be terminated.

In operation 1515 , the controller 202 may transmit update (inspection) result information to the access control application 212 . For example, if the update (check) fails, the controller 202 may transmit connection unavailable information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 dependent thereon to the access control application 212 . In this case, the node 201 may update the control flow information 340 and the data flow information 350 .

The access control application 212 may process the update (check) result information.

If the control flow update result indicates that the connection is unavailable, the access control application 212 may terminate the target application or block all network connections of the target application. When the control flow update result indicates normal and there is updated data flow information 350 , the access control application 212 may update the data flow table 316 in the access control application 212 .

16 is a diagram illustrating a signal flow for removing a control flow according to various embodiments of the present disclosure.

Referring to FIG. 16 , in operation 1605 , the node 201 may request the controller 202 to terminate the control flow. For example, the node 201 may terminate the access control application 212 , request the end of the control flow when the network connection is not used for a specified time, or a connection termination request is received from another system.

In operation 1610 , the controller 202 may remove a control flow corresponding to the identification information received from the node 201 . The controller 202 may also remove data flows that are dependent on the removed control flow.

In operation 1615 , the controller 202 requests the gateway 203 to remove the data flow, and in operation 1620 , the gateway 203 may block the network access of the access control application 212 by removing the data flow.

17 illustrates a signal flow diagram for data flow removal according to various embodiments of the present disclosure.

Referring to FIG. 17 , in operation 1705 , the access control application 212 may detect termination of the target application. The access control application 212 may monitor whether the target application running in the node 201 is terminated in real time.

In operation 1710 , the access control application 212 may examine the data flow table 316 . The access control application 212 may check whether a data flow corresponding to identification information and PID (or PID of a child) of the terminated target application exists in the data flow table 316 . When the data flow of the target application is confirmed, the access control application 212 may delete the corresponding data flow from the data flow table 316 .

In order to track the termination of multiple executable target applications, when the terminated target application does not exist in the running process list, the access control application 212 records a data flow corresponding to identification information of the terminated application in the data flow table ( 316) can be deleted.

In operation 1715 , the access control application 212 may request the controller 202 to end the data flow. For example, the access control application 212 may transmit the data flow list deleted in operation 1710 to the controller 202 to request the end of the data flow.

In operation 1720 , the controller 202 may remove a data flow corresponding to the data flow list from the node 201 . In operation 1725 , the controller 202 requests the gateway 203 to remove the data flow, and in operation 1730 , the gateway 203 removes the data flow, thereby providing a service corresponding to the removed data flow of the access control application 212 . Access to the server 205 may be blocked.

The above description is merely illustrative of the technical idea disclosed in this document, and those of ordinary skill in the art to which the embodiments disclosed in this document belong are not departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are for explanation rather than limiting the technical ideas disclosed in this document, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The protection scope of the technical ideas disclosed in this document should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present document.

Claims (16)

In the node,
communication circuit;
a processor operatively coupled to the communication circuitry; and
a memory operatively coupled to the processor for storing a connection control application and a target application, wherein the memory, when executed by the processor, causes the node to:
Through the access control application, identify the file IO (input output) information check event by the target application,
Through the access control application, based on the authorized file IO information of the data flow related to the target application, check whether the file IO information check is necessary,
On the basis of determining that the file IO information inspection is necessary, through the access control application, requesting the file IO information inspection from the external server,
Based on the file IO information check result received from the external server, through the access control application, storing the commands to allow or block the file IO of the target application,
node.
The method according to claim 1, wherein the instructions are executed by the node,
Through the access control application, if the authorized file IO information indicates that the file IO is impossible, to block the file IO of the target application
node.
The method according to claim 1, wherein the instructions are executed by the node,
If, through the access control application, the authorized file IO information indicates that the file IO is possible, and it is confirmed that the file IO information check is not necessary, the file IO of the target application is allowed;
Through the access control application, if the authorized file IO information indicates that the file IO is possible, and it is confirmed that the file IO information inspection is necessary, to request the file IO information inspection from the external server
node.
The method according to claim 1, wherein the instructions are executed by the node,
When access to the file IO of the target application is confirmed through the access control application, check whether a data flow assigned to the target application exists,
If there is a data flow assigned to the target application, check the type of the file IO of the target application through the access control application,
When the type of the file IO is related to writing, requesting the external server to check the file write information through the access control application,
When the type of the file IO is related to read, through the access control application, the external server to request a file read information check
node.
5. The method of claim 4, wherein the instructions are executed by the node,
When there is no data flow allocated to the target application, through the access control application, to store the file information related to the file IO of the target application in the file IO table
node.
The method according to claim 1, wherein the instructions are executed by the node,
When the file IO table check event by the target application is identified, through the access control application, it is checked whether the file IO being used by the target application exists,
When the file IO in use does not exist, the data packet of the target application is transmitted through the access control application,
to request the file IO information check from the external server through the access control application when the file IO in use exists
node.
In the operation method of the node,
Through the access control application of the node, the operation of identifying a file input output (IO) information check event by the target application of the node,
Through the access control application, based on the authorized file IO information of the data flow related to the target application, the operation of determining whether the file IO information check is necessary;
On the basis of determining that the file IO information check is necessary, through the access control application, an operation of requesting an external server to check the file IO information, and
Based on a result of checking the file IO information received from the external server, through the access control application, the operation method comprising the operation of allowing or blocking the file IO of the target application.
8. The method of claim 7,
Through the access control application, if the authorized file IO information indicates that the file IO is impossible, further comprising the operation of blocking the file IO of the target application
how it works.
8. The method of claim 7,
If, through the access control application, the authorized file IO information indicates that the file IO is possible, and it is confirmed that the file IO information check is not necessary, an operation of allowing the file IO of the target application; and
If, through the access control application, the authorized file IO information indicates that the file IO is possible, and it is confirmed that the file IO information inspection is necessary, the method further comprising the operation of requesting the file IO information inspection from the external server
how it works.
8. The method of claim 7,
When access to the file IO of the target application is confirmed through the access control application, checking whether a data flow allocated to the target application exists;
If there is a data flow allocated to the target application, checking the file IO type of the target application through the access control application;
If the type of the file IO is related to writing, requesting the external server to check the file write information through the access control application, and
When the type of the file IO is read-related, requesting the external server to check the file read information through the access control application
how it works.
11. The method of claim 10,
When the data flow allocated to the target application does not exist, through the access control application, further comprising the operation of storing file information related to the file IO of the target application in a file IO table
how it works.
8. The method of claim 7,
When the file IO table check event by the target application is identified, the operation of checking whether the file IO being used by the target application exists through the access control application;
If the file IO in use does not exist, transmitting the data packet of the target application through the access control application, and
When the file IO in use exists, requesting the external server to check the file IO information through the access control application
how it works.
in the server,
communication circuit;
a processor operatively coupled to the communication circuitry; and
a memory operatively coupled to the processor and configured to store a database, wherein the memory, when executed by the processor, causes the server to:
Receive a file IO information check request from the access control application of the node, the file IO information check request includes file identification information of the file IO target file,
Checking whether file IO table information for the target file exists in the database using the file identification information,
If the file IO table information exists, check whether file IO is allowed for the target file in the file IO table information,
A server that stores commands for transmitting a response indicating whether the file IO is allowed to the node.
The method according to claim 13, wherein the instructions are executed by the server,
If the file IO table information does not exist, check whether file IO is allowed for the target file based on the file IO policy
server.
In the method of operating a server,
Receiving a file IO information check request from the access control application of the node, the file IO information check request includes file identification information of the file IO target file,
Checking whether or not file IO table information for the target file exists in the database of the server using the file identification information;
If the file IO table information exists, checking whether file IO is allowed for the target file in the file IO table information, and
and transmitting a response indicating whether the file IO is allowed to the node.
16. The method of claim 15,
When the file IO table information does not exist, based on the file IO policy, comprising the operation of determining whether to allow file IO to the target file
how it works.

Images