KR102449118B1 - System for controlling transmission and reception of file of application based on proxy and method thereof - Google Patents

Abstract

According to an embodiment of the present disclosure, a gateway comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor. The memory may store instructions to allow a gateway, upon execution by the processor, to execute a proxy server to: receive a service processing request from a node, confirm whether data flow information corresponding to information included in the service processing request exists, wherein the information included in the service processing request includes departure or destination information, and process the service processing request on the basis of the data flow information when the data flow information exists. Therefore, file reception and transmission for each application and network can be controlled.

Description

SYSTEM FOR CONTROLLING TRANSMISSION AND RECEPTION OF FILE OF APPLICATION BASED ON PROXY AND METHOD THEREOF

Embodiments disclosed in this document relate to a system for controlling file transmission and reception of an application based on a proxy, and a method therefor.

Communication is performed using TCP (Transmission Control Protocol) based on IP (Internet Protocol) between the terminal and the server, and the source IP, destination IP, and port information are identified using 5-tuple information included in the data packet. Firewall technology to perform access control is commonly used.

Firewall technology identifies the IP assigned to a terminal or network terminal (eg, gateway, router, etc.) plays a blocking role.

A technology such as an IP-based firewall has a problem in that it is difficult to control by IP unit when creating a private IP band by configuring a subnetwork by a terminal or a router and a gateway in an Internet band where IP allocation and control is difficult. In addition, there is a problem in that the IP can be forged or modulated in the IP communication structure. Accordingly, the firewall is used as a minimum safety device.

In order to solve this problem, a tunneling technology (e.g., IPSec (Internet Protocol) Security), Generic Routing Encapsulation (GRE), GPRS Tunneling Protocol (GTP), or Secure Sessions (Secure Sockets Layer (SSL), Transport Layer Security (TLS)). It solves the underlying problems.

However, when using a VPN (Virtual Private Network) based on tunneling technology that is created at the level of the terminal (IP unit assigned to the terminal), unallowed or insecure applications are connected to the unpermitted destination network through tunneling that is always connected after initial authentication. Since access vulnerabilities are inherent, security incidents due to infiltration of various malware and ransomware are increasing.

In order to solve this problem, application connectivity control technology that allows only permitted applications to access the permitted network is applied to identify the application that is the fundamental communication subject, and to block the access of unauthorized applications in advance to prevent various types of malware and ransomware. It prevents access to an unauthorized destination network and effectively solves various network security problems currently occurring.

With the recent industrial development, the increase in the global work environment and home work environment that transcends boundaries, and the shift to the cloud increases, the terminal can access the work system anytime, anywhere, and the application access control technology in this environment Provides optimal security factors for protection.

However, there is a problem that an application cannot control an action of receiving or transmitting a file through the network while the allowed application is able to access the allowed network.

For example, in a telecommuting environment using a PC connected to the Internet, access the cloud with an application allowed to receive important files and leak them, or transfer files containing malicious code from the Internet to the cloud to other terminals. It cannot prevent the spread of danger.

That is, in the case of an application that contains macros or programmable information and loads an executable file through the runtime included in the application itself (eg, a text editing tool, a graphic editing tool, etc.), it contains malicious code that the user cannot infer. These malicious codes may access the cloud and receive important files (eg, personal information, confidential information) and leak them, or files containing malicious codes may be transmitted to the cloud and propagated to all terminals connected to the cloud. It has potential problems.

DLP (Data Loss Prevention) technology exists as a similar technology to solve this problem, and DLP technology prevents unauthorized media (eg, USB (Universal Serial Bus), removable storage devices, etc.) from being connected, or Prevents file transfer in a way that prevents sharing of a specific folder on the network, or blocks a file from being selected when a file is selected for a specific application to transfer a file, or file IO (input output) of a specific application When a file system IO (or file system IO) occurs, the file IO is traced to prevent data leakage by removing the handle of the file IO if the user does not have file IO permission.

The problem with this DLP technology is that, since a collective security policy is always enforced on the terminal where the application is installed, there is a limit to the area where physical security control is impossible and the application of the security policy is limited in a telecommuting environment using a terminal owned by an individual. Actions that prevent unauthorized media from being connected cannot be enforced.

Furthermore, when using the DLP technology that tracks a specific action, if the specific action is not performed, for example, For example, it is impossible to prevent non-user malicious code from directly loading and transferring files without a file selection window.

To solve this problem, a DLP technology that tracks the file system IO of a specific application is used, but the technology tracks the IO of a file for a specific application and blocks it in batches, so the specific network accessed by the application is There is a problem that it is difficult to allow file transfer in , and some DLP technologies provide a method to unlock the file IO limit by identifying the access address bar of the Internet browser to solve this problem, but In this case, there is a limit in controlling file reception and transmission because network connection information cannot be tracked.

Various embodiments disclosed in this document are intended to provide a system for solving the above-described problems in a network environment and a method therefor.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor, wherein the memory, when executed by the processor The gateway executes the proxy server to: receive a service processing request from a node, and check whether data flow information corresponding to the information included in the service processing request exists, wherein the information included in the service processing request is Including source information or destination information, and when the data flow information exists, instructions for processing the service processing request based on the data flow information may be stored.

The method of operating a gateway according to an embodiment disclosed in this document includes receiving a service processing request from a node, checking whether data flow information corresponding to information included in the service processing request exists, and the service processing request The information included in may include source information or destination information, and when the data flow information exists, processing the service processing request based on the data flow information.

Various embodiments disclosed in this document may control file IO based on information identifying an application and a network accessed by the application by utilizing the application connectivity control technology.

Various embodiments disclosed in this document identify whether or not to allow file transmission and reception of the identified target by identifying the application and network information connected to or to be connected to the network through the proxy server, and only the allowed connection target. By allowing transmission and reception, it is possible to control file reception and transmission by application and network.

In addition, various effects directly or indirectly identified through this document may be provided.

1 illustrates an architecture in a network environment according to various embodiments.
2 is a functional block diagram illustrating a database stored in a controller according to various embodiments of the present disclosure;
3 illustrates control flow information and data flow information according to various embodiments of the present disclosure.
4 is a functional block diagram of a node according to various embodiments.
5 illustrates an operation for controlling transmission of a data packet according to various embodiments of the present disclosure.
6 is a signal flow diagram illustrating a controller connection according to various embodiments of the present disclosure.
7 is a flowchart illustrating a signal for user authentication according to various embodiments of the present disclosure.
8 illustrates a signal flow diagram for network access according to various embodiments of the present disclosure.
9 is a flowchart illustrating a service request processing of a gateway according to various embodiments of the present disclosure;
10 is a flowchart for receiving a service request processing result of a gateway according to various embodiments of the present disclosure;
11 illustrates a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments of the present disclosure.
12 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;
13 is a flowchart illustrating a signal flow for removing a control flow according to various embodiments of the present disclosure;
14 illustrates a signal flow diagram for data flow removal according to various embodiments of the present disclosure.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that various modifications, equivalents, and/or alternatives of the embodiments of the present invention are included.

In this document, the singular form of a noun corresponding to an item may include one or more items, unless the context clearly dictates otherwise. As used herein, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A; Each of the phrases "at least one of B, or C" may include any one of, or all possible combinations of, items listed together in the corresponding one of the phrases. Terms such as "first", "second", or "first" or "second" may simply be used to distinguish an element from other elements in question, and may refer elements to other aspects (e.g., importance or order) is not limited. It is said that one (eg, first) component is “coupled” or “connected” to another (eg, second) component, with or without the terms “functionally” or “communicatively”. When referenced, it means that one component can be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, a module or a program) of components described in this document may include a singular or a plurality of entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or a program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

As used herein, the term “module” may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit. A module may be an integrally formed part or a minimum unit or a part of the part that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or an application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one of the one or more instructions stored from the storage medium and execute it. This makes it possible for the device to be operated to perform at least one function according to the called at least one command. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain a signal (eg, electromagnetic wave), and this term is used in cases where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided by being included in a computer program product. Computer program products may be traded between sellers and buyers as commodities. The computer program product is distributed in the form of a machine-readable storage medium (eg compact disc read only memory (CD-ROM)), or via an application store or between two user devices (eg smartphones). It can be distributed directly or online (eg, downloaded or uploaded). In the case of online distribution, at least a part of the computer program product may be temporarily stored or temporarily created in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a relay server.

1 illustrates an architecture in a network environment according to various embodiments.

The nodes 201-1 and 201-2 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the nodes 201-1 and 201-2 may include portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and VR devices. It may include a virtual reality device or a home appliance device, but is not limited to the aforementioned devices. For example, nodes 201-1 and 201-2 may include servers or gateways that may transmit data packets through applications. The nodes 201-1 and 201-2 may also be referred to as 'electronic devices' or 'terminals'.

The node 201-1 accesses the service servers 205-1 and 205-2 through the Internet, and the node 201-2 accesses the service servers 205-1 and 205-2 through the intranet. This can be assumed.

The nodes 201-1 and 201-2 may store access applications 211-1 and 211-2 and access control applications 212-1 and 212-2.

Each of the connection applications 211-1 and 211-2 transmits data packets to the service servers 205-1 and 205-2 through the gateway 203 under the control of the connection control applications 212-1 and 212-2. or vice versa, data packets may be received.

Some of the access applications (211-1, 211-2) are permitted and/or secured applications such as web browsers or business applications, while others are disallowed programs (e.g. malware, ransomware, other unallowed applications). applications) or insecure malicious programs (applications infected with malware, forged or tampered with). According to embodiments, the access control applications 212-1 and 212-2 identify a program (or access application) requesting transmission of a data packet, and a data packet of an unauthorized program is transmitted to the nodes 201-1 and 201 -2) can be prevented from being transmitted to the outside. In addition, according to embodiments, the access control applications 212-1 and 212-2 are not authorized through the secure session 220-1 between the access control applications 212-1 and 212-2 and the gateway 203. It is possible to block a program's access to the service servers 205-1 and 205-2 and isolate the program.

For example, before the connection applications 211-1 and 211-2 according to the embodiments communicate with the service servers 205-1 and 205-2, the access control applications 212-1 and 212-2 are the controllers. It is checked whether access is possible from the 202 , and if the connection is possible, authentication can be performed with the gateway 203 through the data packet authenticated by the controller 202 . When authentication is completed, the access control applications 212 - 1 and 212 - 2 may create a secure session 220 - 1 with the gateway 203 .

The access control applications 212-1 and 212-2 may create a channel with the gateway 203 to connect to the service servers 205-1 and 205-2. Through the channel created between the nodes 201-1 and 201-2 and the gateway 203, the access control applications 212-1 and 212-2 are disallowed access applications 211-1 and 211-2. It is possible to prevent transmission of data packets to this unauthorized destination, and allow only permitted data packets to be transmitted to the service servers 205-1 and 205-2.

The controller 202 may be, for example, a server (or a cloud server, or an intranet). The controller 202 manages data transmission between the nodes 201-1 and 201-2, the gateway 203, and the service servers 205-1 and 205-2 to ensure reliable data transmission within the network environment. can For example, the controller 202 allows network access of authorized nodes 201-1 and 201-2 (or access control applications 212-1 and 212-2) through policy information or blacklist information. can do.

In addition, the controller 202 mediates the creation of a secure session 220-1 between the access control application 212-1 and the gateway 203, or a security event collected from the node 201-1 or the gateway 203. Accordingly, the secure session 220 - 1 may be removed. The access control application 212-1 can communicate with the service servers 205-1 and 205-2 only through the secure session 220-1 authorized by the controller 202, and the authorized secure session 220- If 1) does not exist, network access of the node 201-1 and the access control application 212-1 may be blocked.

In one embodiment, the connection application 211-1 may communicate with the service servers 205-1 and 205-2 through the secure session 220-1 authorized by the controller 202, and the authorized security If the session 220-1 does not exist, the network connection of the access application 211-2 is blocked from the access control application 212-2, the controller 202, or the gateway 203, or a state that does not guarantee safety network access is allowed, and the controller 202 may provide a function suitable for the corresponding security level to the node 201 - 2 . According to an embodiment, the controller 202 performs various operations (eg, registration, authorization, authentication, renewal, termination) associated with network access of the node 201-1 or the access control applications 212-1 and 212-2. In order to perform , the access control application 212-1 may transmit and receive a control data packet. A flow (eg, 230 ) through which a control data packet is transmitted may be referred to as a 'control flow'.

The controller 230 performs network access and channel control of the access control applications 212-1 and 212-2, and when the access control applications 212-1 and 212-2 are terminated or the interlocked security system 206 ), by immediately recovering the channel between the nodes 201-1 and 201-2 and the gateway 203 according to a security event received from the ), it is possible to maintain a secure network state at all times.

The gateway 203 may be located at a boundary of a network to which the nodes 201-1 and 201-2 belong or a boundary of a network to which the service servers 205-1 and 205-2 belong. According to an embodiment, the gateway 203 may be connected to the controller 202 based on a cloud. The gateway 203 may forward only the authorized data packets among the data packets received from the access control applications 212-1 and 212-2 to the service servers 205-1 and 205-2. A flow (eg, 240-1, 240-2) through which data packets are transmitted between the access control applications 212-1 and 212-2 and the gateway 203 may be referred to as a 'data flow'. .

A data flow can be created not only on a node or IP basis, but also on a more granular basis (eg, an application unit). The gateway 203 performs authentication of the access control applications 212-1 and 212-2 before creating a secure session 220-1 between the access control applications 212-1 and 212-2 and the gateway 203, and , indiscriminate network access by forwarding only the data packets transmitted through the secure session 220-1 among the data packets transmitted from the access control applications 212-1 and 212-2 to the service servers 205-1 and 205-2 can be blocked in advance.

The gateway 203 creates a channel with the nodes 201-1 and 201-2 using the tunneling module 204-1, and transmits the data packet received through the authorized channel to the proxy server included in the gateway 203. The service servers 205-1 and 205-2 receive from the authenticated nodes 201-1 and 201-2 by relaying service processing with the service servers 205-1 and 205-2 via 204-2. service request can be processed.

FIG. 2 is a functional block diagram illustrating a database stored in the controller 202 according to various embodiments of the present disclosure, and FIG. 3 shows control flow information 340 and data flow information 350 among information included in the database.

Referring to FIG. 2 , the controller 202 may store databases 311 to 319 for controlling network access and data transmission in the memory 330 . Although FIG. 2 shows only the memory 330, the controller 202 uses an external electronic device (eg, the nodes 201-1 and 201-2 of FIG. 1), the gateway 203, or the service servers 205-1 and 205- 2)) and a communication circuit for performing communication (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller 202 ) can do. The administrator accesses the controller 202 and creates a connection-oriented policy for controlling the connection between the access control applications 212-1 and 212-2, the gateway 203, and the service servers 205-1 and 205-2. Because it can be set, network access can be controlled more precisely and safely than session management at the service end.

The access policy database 311 may include information on networks and/or services to which the identified network, node, or application can connect. For example, when the controller 202 requests a network access from the access control applications 212-1 and 212-2, the controller 202 determines the identified network based on the policy of the access policy database 311 (eg, the node 201-1, network to which 201-2) belongs), nodes, users (eg, users of nodes 201-1, 201-2), and/or applications (eg, connections included in nodes 201-1 and 201-2) The applications 211-1 and 211-2) may determine whether access to the service servers 205-1 and 205-2 is possible. In an embodiment, the controller 202 may create a whitelist of the access applications 211-1 and 211-2 that can be accessed by a specific service (eg, IP and port) based on the access policy database 311 . .

The channel policy database 312 contains a series of information (authentication information, encryption algorithm, tunnel) necessary for channel creation with the gateway 203 existing between service servers (destination IP and port) on the connection path according to the channel policy. If there is a channel connected in advance through another gateway between the endpoint IP (tunnel end point IP, etc.) and the access path, a set of information (IPs assigned to nodes 201-1 and 201-2) to use it information collection and alternative processing, etc.).

The service policy database 313 contains information required for the nodes 201-1 and 201-2 to pass through the gateway 203 or a separately separated proxy server 204-2 when the nodes 201-1 and 201-2 attempt to access the domain address. may include. For example, the service policy database 313 may include information such as domain address resolution information and a certificate required for domain access. In addition, the service policy database 313 may include a series of information such as information on whether to return the service processing request result as failure information or redirect to another URL when the data flow check fails. According to the service policy of the service policy database 313 as described above, the proxy server 204-2 processes the service between the nodes 201-1 and 201-2 and the service servers 205-1 and 205-2 on the access path. Requests can be relayed.

The file policy database 314 is associated with an access policy, and may include information for establishing a file policy for the access applications 211-1 and 211-2. For example, the file policy database 314 may include information on whether to allow or not allow the file reception and transmission of the connection applications 211-1 and 211-2.

The blacklist policy database 315 is a target ( Example: A blacklist registration policy for blocking access to at least one of a node identifier (identifier), IP address, media access control (MAC) address, or user ID) may be included.

The blacklist database 319 may include a list of objects blocked by the blacklist policy database 315 . For example, when the identification information of the nodes 201-1 and 201-2 requesting network access is included in the blacklist database 319, the controller 202 rejects the network access request to the nodes 201-1 and 201 -2) can be isolated.

The control flow table 316 is an example of a session table for managing the flow (ie, control flow) of control data packets generated between the access control applications 212-1 and 212-2 and the controller 202 .

For example, referring to FIG. 3 , when the access control applications 212-1 and 212-2 successfully access the controller 202 , the control flow information 340 and the control flow ID 342 (or 'control flow') identification information') may be generated by the controller 202 . The control flow information 340 may include identification information 344 indicating at least one of an IP, a node, an application, or a target additionally identified through association with a service server, which is identified during controller access and authentication. For example, when a network access request of the access control application 212 is received, the controller 202 sets the control flow ID and identification information included in the access request to the control flow ID 342 included in the control flow information 340 and By mapping with identification information 344 , access control applications 212-1 and 212-2 can connect to service servers 205-1 and 205-2 and secure session 220-1 with gateway 203 You can decide whether to create a data flow for creation. The state information 346 may indicate various states such as creation, authentication, update, termination, and the like of a control flow.

According to an embodiment, since the control flow has an expiration time, the nodes 201-1 and 201-2 must update the expiration time of the control flow based on the time information 348, and the expiration time If not updated, the control flow (or the control flow information 340 ) may be removed. In addition, immediate access is blocked according to the security event collected from the nodes 201-1 and 201-2, the access control applications 212-1 and 212-2, other security applications (not shown), or the gateway 203. The controller 202 may remove the control flow if it is determined that it is necessary, or a connection termination request is received from them. When the control flow is removed, the associated data flow is also removed, and the gateway 203 connects the access control applications 212-1 and 212-2 or the service servers 205-1 and 205 of the access applications 211-1 and 211-2. -2) can be blocked.

The data flow table 317 is a table for managing a flow (eg, a data flow) through which detailed data packets are transmitted between the nodes 201-1 and 201-2 and the gateway 203 .

The data flow table 317 includes data flow information ( 350) may be included.

The data flow information 350 may be generated in a secure session, an application, or a more granular unit. The data flow table 317 may include an application ID for identifying whether a data packet transmitted from a source is an authorized data packet, a destination IP address, and/or a service port.

Referring to FIG. 3 , the data flow information 350 may include a data flow ID 351 and a control flow ID 352 when the data flow is dependent on the control flow. In addition, the data flow information 350 determines whether a channel is created between the application and the gateway 203 and a corresponding data packet when accessing the service servers 205-1 and 205-2 through the proxy server 204-2. Determination of forwarding of data packets based on URL information and domain information to control service requests according to source IP and destination IP, service port information, protocol information, certificate information (including identification information), and service request path (URL) of It may include inspection target information 353 for performing the test, and/or state information 356 indicating whether the data flow is in a usable and valid state.

In addition, the data flow information 350 may further include file IO information 354 . The file IO information 354 may include control information such as whether an application can receive a file, whether a file can be transmitted, and a file IO processing exception, and target information such as a domain and URL to which control according to the control information is applied.

Also, the data flow information 350 may further include file check information 355 . The file inspection information 355 is the target of the proxy server 204-1 or the application connected to the proxy server 204-1 depending on whether file inspection is to be performed upon transmission (upload) or reception (download) of a file. Whether to scan files and allow file downloads and uploads, and information on patterns and rules to be applied when scanning files, external applications (such as vaccines, malware detection tools, Data Loss Prevention technologies, etc.) and external devices It may include a series of information for detecting a file that cannot be downloaded or uploaded, such as information for linked inspection.

The channel table 318 may include a channel dedicated IP assigned to the node 201-1 or 201-2 and channel generation information.

4 is a functional block diagram of a node 201 according to various embodiments. At least some of the configurations illustrated in FIG. 4 may be applied to the controller 202 , the gateways 203 - 1 and 203 - 2 , or the service servers 205 - 1 and 205 - 2 .

Referring to FIG. 4 , the node 201 may include a processor 410 , a memory 420 , and a communication circuit 430 . According to an embodiment, the node 201 may further include a display 440 to provide a user interface.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include one processor core or a plurality of processor cores. For example, the processor 410 may include a multi-core such as a dual-core, a quad-core, or a hexa-core. According to embodiments, the processor 410 may further include a cache memory located inside or outside. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, and a graphical processing unit (GPU).

All or part of processor 410 may be electrically or operatively (eg, memory 420 , communication circuitry 430 , or display 440 ) with other components within node 201 (eg, memory 420 , communication circuitry 430 , or display 440 ). operatively) coupled with or connected to. The processor 410 may receive commands from other components, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process a message, data, command, or signal received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, instruction, or signal based on the received message, data, instruction, or signal. The processor 410 may provide the processed or generated messages, data, instructions, or signals to the memory 420 , the communication circuitry 430 , or the display 440 .

The processor 410 may process data or signals generated or generated in a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may write (or store) or update instructions, data, or signals to the memory 420 to execute or control a program.

The memory 420 may store a command for controlling a node, a control command code, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). may include The nonvolatile memory may include a read only memory (ROM), a programmable ROM (PROM), an electrically programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), a flash memory, and the like. The memory 420 includes a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), and a universal flash storage (UFS). may include more.

According to an embodiment, the memory 420 may store the access applications 211-1 and 211-2 and the access control applications 212-1 and 212-2 of FIG. 1 . The access control applications 212-1 and 212-2 may perform a network connection and secure session 220-1 creation with the gateway 203, and a control flow creation and update function with the controller 202. To this end, the access control application 212 may include one or more security modules. In an embodiment, the memory 420 may store the control flow information 340 and the data flow information 350 of FIG. 3 .

In an embodiment, the access applications 211-1 and 211-2 may include one or more security modules to create a secure session 220-1 with the gateway 203.

The communication circuit 430 may support establishment of a wired or wireless communication connection between the node 201 and an external electronic device (eg, the controller 202 or the gateway 203 ) and performing communication through the established connection. According to an embodiment, the communication circuit 430 is a wireless communication circuit (eg, a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct or IrDA (infrared data association) or a cellular network, Internet, or long-distance communication such as a computer network It can communicate with an external electronic device through a network. The above-described various types of communication circuits 430 may be implemented as a single chip or as separate chips.

The display 440 may output content, data, or a signal. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input or the like. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

5 illustrates an operation for controlling transmission of a data packet according to various embodiments of the present disclosure.

Referring to FIG. 5 , the access control application 212 detects a network access request to the service server 205 from the access application 211 included in the node 201 , and the node 201 or the access control application 212 . ) may determine whether the controller 202 and the connected state. When the node 201 or the access control application 212 is not connected to the controller 202 , the access control application 212 may block transmission of a data packet from a kernel or a network driver including the operating system. Through the access control application 212 , the node 201 may in advance block access of a malicious application in an application layer among seven open system interconnection (OSI) layers.

In one embodiment, the access control application 212 is not connected to the controller 202 , the access control application 212 is not authenticated by the gateway 203 , or the access control application 212 and If a secure session between the gateways 203 is not created, the data packet transmitted from the access control application 212 is blocked by the gateway 203 and the access control application 212 may request a connection to the controller 202 . only According to an embodiment, even if the access control application 212 is not authenticated by the gateway 203 , the data packet transmitted from the access control application 212 may not be blocked by the gateway 203 .

According to another embodiment, when the access control application 212 is not installed in the node 201 or a malicious application bypasses the control of the access control application 212 , an unauthorized data packet may be transmitted from the node 201 . have. In this case, the gateway 203 existing at the boundary of the network blocks data packets received with unauthorized secure sessions and data packets with no data flow, so data packets transmitted from the node 201 (eg, TCP session) are blocked. data packets for generation) may not reach the service server 205 . In other words, node 201 may be isolated from service server 205 .

6 is a signal flow diagram illustrating a controller connection according to various embodiments of the present disclosure.

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow to the node 201 You can try to connect to the controller of

Referring to FIG. 6 , in operation 605 , the node 201 may detect a controller access event. For example, when the access control application 212 is installed and/or executed within the node 201 , the node 201 may detect that a connection to the controller 202 is requested.

In operation 610 , the node 201 may request a controller connection from the controller 202 . For example, the access control application 212 may transmit identification information of the access control application 212 to the controller 202 . Additionally, the access control application 212 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of a network to which the node 201 belongs, and/or network Any identification information generated by the system itself may be further transmitted.

In operation 615 , the controller 202 may identify whether a target (eg, the access control application 212 and the node 201 ) requesting controller access can access the controller. According to an embodiment, the controller 202 controls whether the information received from the node 201 is included in the access policy database 311 or whether the node 201, the network to which the node 201 belongs, and/or access control. Based on at least one of whether the identification information of the application 212 is included in the blacklist database 314, it is possible to check whether the controller access of the target requesting the controller access is possible.

If the controller connection of the target requesting the controller connection is possible, the controller 202 generates a control flow (or control flow information 340 ) between the node 201 (or the access control application 212 ) and the controller 202 . can do. In this case, the controller 202 generates control flow identification information 342 in the form of a random number, and controls identification information of at least one of the node 201 , the network to which the node 201 belongs, or the access control application 212 . It may be stored in the flow table 316 . Information stored in the control flow table 316 (eg, control flow information 340 ) may include user authentication of the node 201 , updating information of the node 201 , checking a policy for network access of the node 201 , and / Or it can be used for validation.

In operation 620, the controller 202 may check the access policy and the channel policy. The controller 202 may check the access policy corresponding to information identified in the access policy database 311 (eg, node 201 and source network information to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the checked access policy. The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 may check whether there is destination network information to which the access request node 201 can be basically connected. If the controller connection of the target requesting the controller connection is possible, the controller 202 provides information necessary for the node 201 to access the destination network (eg, the type of node 201 included in the control flow, location information, environment and Information on the source network including the node 201) and the types of channels to which the node 201 can be connected and information on the gateway 203 can be listed. The controller 202 may identify one channel and one gateway optimized for the node 201 from among the listed gateways by checking the status (eg, throughput, failure or not) of the listed gateways 203 . Here, the type of channel to which the node 201 can be connected and the information of the gateway 203 are the IP of the node 201 identified through the controller 202 and the IP of the node 201 identified by the node 201 . can be identified based on

In another embodiment, the controller 202 may not perform operation 620 . For example, if it is not possible to access the controller of the target that has requested access, the controller 202 may not perform operation 620 .

In operation 625 , the controller 202 may transmit a response to the controller connection request to the node 201 .

In an embodiment, the controller 202 may transmit the control flow information 340 including the control flow identification information 342 to the node 201 in response to the controller access request. In an embodiment, the controller 202 may transmit the white list generated through the execution of operation 820 to the access control application 212 . According to an embodiment, when a target requesting controller access is unavailable or is included in the blacklist, the controller 202 may notify the controller access unavailable in response to the controller access request without generating a control flow.

When a channel and a gateway to which the node 201 can connect exist, the controller 202 sends information for the node 201 to create a channel (eg, a series of information such as gateway and channel authentication) to the node 201 . can be transmitted According to an embodiment, when the node 201 connects through a channel previously connected between the gateway existing in the source network to which the node 201 belongs and the gateway existing at the boundary of the destination network (that is, the node 201 and the gateway) 203), or when connecting through another channel technology between the terminal and the destination network boundary, the controller 202 may not transmit separate channel creation information to the node 201 have.

In an embodiment, the node 201 may process the result value according to the received response. For example, the access control application 212 may store the received control flow identification information and display a user interface screen indicating that the controller connection is complete to the user. When the controller connection is completed, the network connection request of the node 201 to the service server 205 may be controlled by the controller 202 .

According to an embodiment, the controller 202 may determine that the node 201 is not accessible. For example, when the controller connection impossible information is received, the node 201 may output a user interface screen indicating that the controller connection is impossible to the user. For example, the user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding the release of isolation through an administrator (eg, the controller 202 ).

In an embodiment, the access control application 212 of the node 201 , the controller 202 , and the gateway 203 may further perform operations 630 to 650 . According to an embodiment, the access control application 212 , the controller 202 , and the gateway 203 of the node 201 may perform all or part of operations 630 to 670 .

In operation 630 , the access control application 212 may determine whether channel creation is necessary. For example, when the controller 202 transmits information for creating a channel (eg, a series of information such as gateway and channel authentication), the access control application 212 may determine that channel creation is necessary. As another example, when the controller 202 does not transmit separate channel creation information to the node 201 , the access control application 212 may determine that channel creation is not required.

In operation 635 , the access control application 212 may request the gateway 203 to create a channel. When it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create a channel. For example, the access control application 212 may transmit a channel creation request including a series of information for channel creation (eg, gateway and channel authentication, etc.) received from the controller 202 to the gateway 203 .

In operation 640 , the gateway 203 may create a channel based on a set of information for channel creation (eg, gateway and channel authentication, etc.). In operation 645 , the gateway 203 may transmit a response including the channel creation result to the access control application 212 . The channel creation result may include a channel dedicated IP allocated to the node 201 and corresponding channel creation information.

In operation 650 , the access control application 212 may perform an inspection of the application. When it is determined that channel creation is not necessary, or when a response including a channel creation result is received from the gateway 203 , the access control application 212 may perform an application check. For example, when the white list is received from the controller 202 , the access control application 212 may check whether an application included in the white list is installed in the node 201 . In the case of applications included in the white list among applications installed in the node 201, the access control application 212 determines whether the integrity and stability of the application (application forgery and tampering, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

In operation 655 , the access control application 212 may transmit a test result of the application to the controller 202 .

The controller 202 may check whether the application is valid based on the test result. If the application is valid, the controller 202 checks the gateway 203 where the node 201 is located in the access policy and service policy for the node 201 to allow the network access of the node 201, and then operates 640 can be performed.

In operation 660, when the channel creation is completed according to the channel creation processing result, the controller 202 registers the channel dedicated IP assigned to the node 201 and the corresponding channel creation information in the channel table 318, and the node 201 The transmitted series of information may be updated in the identified control flow information 240 .

Data flow (or data flow information (or data flow information () 350)) can be created.

The controller 202 may check a file IO policy in the file policy table 314 when creating a data flow, and generate file IO information 354 based on the file IO policy. The file IO information 354 determines whether to allow downloading or uploading a file when accessing the service server 205 to which the data flow is applied. It may include a series of policy information related to file IO control information on whether to disallow IO and file IO control information for each file type on which file types are allowed or disallowed.

In addition, the controller 202 may generate the file inspection information 255 including whether to inspect the file when the data flow is generated, and pattern and rule information to be inspected when the file is inspected.

In operation 665 , the controller 202 may transmit a response to the connection application check result transmission of the access control application 212 . For example, the controller 202 can send the data flow information 350 to the access control application 212 . Also, in operation 670 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

According to the operations of FIG. 6 , when the node 211 is normally connected to the controller 202 , it is checked whether all network access requests generated by the node 211 are authorized through the controller 202 . After normally accessing the controller 202 , since user authentication is not performed before user authentication, an access policy corresponding to an unidentified user (guest) may be applied to the node 211 .

7 is a flowchart illustrating a signal for user authentication according to various embodiments of the present disclosure. The operations shown in FIG. 7 may be implemented, for example, after the signal flow diagram of FIG. 6 .

In order for the node 201 to be granted detailed access to the destination network, the access control application 212 of the node 201 may be authenticated by the controller 202 for the user of the node 201 .

Referring to FIG. 7 , in operation 705 , the node 201 may receive an input for user authentication. The input for user authentication may be, for example, a user input inputting a user ID and password. As another example, the input for user authentication may be a user input (eg, biometric information) for more enhanced authentication.

For example, when the access control application 212 is executed, the node 201 may display a user interface screen for receiving information required for access to the controller. The user interface screen may include an input window for inputting controller access information (eg, IP or domain), an input window for inputting a user ID, and/or an input window for inputting a password. After information is input in the input windows, the node 201 may detect a controller access event by receiving an input for a button for user authentication. For example, when controller access information, user ID, and password are input, the node 201 may receive an input for a button for accessing the controller as a user. As another example, when only controller access information is input and a user ID and password are not input, the node 201 may receive an input for a button for accessing the controller as a guest.

In operation 710 , the node 201 may request user authentication from the controller 202 . For example, the access control application 212 may transmit input information for user authentication to the controller 202 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication together with the control flow identification information.

In operation 715 , the controller 202 may authenticate the user based on the information received from the node 201 . For example, the controller 202 may include a user ID, password, and/or enhanced authentication information included in the received information, and a database included in the memory of the controller 202 (eg, the access policy database 311 of FIG. 2 ). ) or the blacklist database 319), it is possible to determine whether the user is accessible according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 316 based on the control flow identification information transmitted by the node 201, and enters the checked control flow information 340. You can add user identification information (eg user ID). The added user identification information may be used for an authenticated user's controller access or network access.

In operation 720, the controller 202 performs access policies corresponding to information identified in the access policy database 311 and the channel policy database 312 (eg, node 201, source network information to which the node 201 belongs), and You can check the channel policy.

The controller 202 may generate white list information of accessible applications based on the access policy checked in the access policy database 311 . As a result of the connection, the controller 202 may return a control flow ID for identifying a control flow and a generated application whitelist upon a connection completion state and subsequent user authentication requests and continuous node information update of the node 201 .

The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 may check whether destination network information to which the access request node 201 can be basically connected based on the checked channel policy exists. If the controller connection of the target requesting the controller connection is possible, the controller 202 provides information necessary for the node 201 to access the destination network (eg, the type of node 201 included in the control flow, location information, environment and Information on the source network including the node 201) and the types of channels to which the node 201 can be connected and information on the gateway 203 can be listed. The controller 202 may identify one channel and one gateway optimized for the node 201 from among the listed gateways by checking the status (eg, throughput, failure or not) of the listed gateways 203 . Here, the type of channel to which the node 201 can be connected and the information of the gateway 203 are the IP of the node 201 identified through the controller 202 and the IP of the node 201 identified by the node 201 . can be identified based on In another embodiment, the controller 202 may not perform operation 720 . For example, if it is not possible to access the controller of the target that has requested access, the controller 202 may not perform operation 720 .

In operation 725 , the controller 202 may transmit a response to the user authentication request to the node 201 . In an embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In an embodiment, the controller 202 may transmit the white list generated by performing operation 720 to the access control application 212 . According to an embodiment, when a target requesting controller access is unavailable or included in a blacklist, the controller 202 may notify the controller access unavailable in response to the user authentication request.

When a channel and a gateway to which the node 201 can connect exist, the controller 202 sends information for the node 201 to create a channel (eg, a series of information such as gateway and channel authentication) to the node 201 . can be transmitted According to an embodiment, when the node 201 connects through a channel previously connected between the gateway existing in the source network to which the node 201 belongs and the gateway existing at the boundary of the destination network (that is, the node 201 and the gateway) 203), or when connecting through another channel technology between the terminal and the destination network boundary, the controller 202 may not transmit separate channel creation information to the node 201 have.

In an embodiment, the node 201 may process a result value for user authentication. For example, the node 201 may output a user interface screen indicating that user authentication is completed to the user through the display.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, if the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is impossible to the node 201, and the node 201 may output a user interface screen indicating that user authentication has failed through the display. can For example, node 201 may display a user interface screen via access control application 212 . The user interface screen indicates that access to the node 201 is blocked, and may include a user interface that guides release of isolation through an administrator (eg, the controller 202 ).

In an embodiment, the access control application 212 of the node 201 , the controller 202 , and the gateway 203 may further perform operations 730 to 750 . According to an embodiment, the access control application 212 , the controller 202 , and the gateway 203 of the node 201 may perform all or part of operations 730 to 770 .

In operation 730 , the access control application 212 may determine whether channel creation is necessary. For example, when the controller 202 transmits information for creating a channel (eg, a series of information such as gateway and channel authentication), the access control application 212 may determine that channel creation is necessary. As another example, when the controller 202 does not transmit separate channel creation information to the node 201 , the access control application 212 may determine that channel creation is not required.

In operation 735 , the access control application 212 may request the gateway 203 to create a channel. When it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create a channel. For example, the access control application 212 may transmit a channel creation request including a series of information for channel creation (eg, gateway and channel authentication, etc.) received from the controller 202 to the gateway 203 .

In operation 740 , the gateway 203 may create a channel based on a set of information for channel creation (eg, gateway and channel authentication, etc.). In operation 745 , the gateway 203 may transmit a response including the channel creation result to the access control application 212 . The channel creation result may include a channel dedicated IP allocated to the node 201 and corresponding channel creation information.

In operation 750 , the access control application 212 may perform an inspection of the application. When it is determined that channel creation is not necessary, or when a response including a channel creation result is received from the gateway 203 , the access control application 212 may perform an application check. For example, when the white list is received from the controller 202 , the access control application 212 may check whether an application included in the white list is installed in the node 201 . In the case of applications included in the white list among applications installed in the node 201, the access control application 212 determines whether the integrity and stability of the application (application forgery and tampering, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

In operation 755 , the access control application 212 may transmit a test result of the application to the controller 202 .

The controller 202 may validate whether the application is valid based on the test result. If the application is valid, the controller 202 determines the gateways 203-1 and 203-2 where the node 201 is located in the access policy and service policy for the node 201 to allow the node 201 to access the network. After checking, operation 740 may be performed.

In operation 760, when the channel creation is completed according to the channel creation processing result, the controller 202 registers the channel dedicated IP allocated to the node 201 and the corresponding channel creation information in the channel table 318, and the node 201 The transmitted series of information may be updated in the identified control flow information 240 . The node 201 may generate a data flow based on source IP, destination IP, service port information, protocol information, certificate information, domain and URL information so that the node 201 can control a service processing request without a network access request procedure.

The controller 202 may check a file IO policy when generating a data flow, and may generate file IO information 354 based on the file IO policy. The file IO information 354 determines whether to allow downloading or uploading a file when accessing the service server 205 to which the data flow is applied. It may include a series of policy information related to file IO control information on whether to disallow IO and file IO control information for each file type on which file types are allowed or disallowed.

In addition, the controller 202 may generate the file inspection information 355 including whether to inspect the file when the data flow is generated, and pattern and rule information to be inspected when the file is inspected.

In operation 765 , the controller 202 may transmit a response to the transmission of the application check result of the access control application 212 . For example, the controller 202 can send the data flow information 350 to the access control application 212 . Also, in operation 770 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

According to the operations of FIG. 7 , when the user of the node 211 is normally authenticated, an access policy corresponding to the authenticated user is applied to the node 211 , and the controller 202 checks whether network access is authorized. .

FIG. 8 is a signal flow diagram illustrating a network connection according to various embodiments of the present disclosure, and the operations illustrated in FIG. 8 may be implemented after, for example, the signal flow diagram of FIG. 6 or 7 .

Referring to FIG. 8 , in operation 805 , the node 201 may detect a network connection event of the connection application 211 . For example, the node 201 may detect through the connection control application 212 that the connection application is attempting to connect to the destination network.

In an embodiment, the access control application 212 may inspect the data flow when a network access event is detected. For example, the access control application 212 may check whether a data flow corresponding to identification information, destination IP and/or port information of the access application exists. Also, the access control application 212 may check whether the data flow is valid even if the data flow exists. For example, the access control application 212 performs an integrity and safety check (eg, whether the application is forged or tampered with, a code signing check, and a fingerprint check) of the access control application 212 and the access application according to the validation policy. And, according to the access policy received from the controller 202 , it is possible to check whether access to the destination IP and port of the access application installed in the node 201 is possible.

If a valid data flow exists, the connection control application 212 may omit the following operations and transmit the data packet of the connection application to the gateway 203 through the secure session.

If the data flow exists but is not valid, the connection control application 212 may output a user interface screen indicating that the network connection fails without sending the data packet.

When the data flow does not exist, the authentication time of the data flow has expired and an update is required, or when the data flow needs to be updated for other reasons, the access control application 212 may request the controller 202 to access the network. have. According to an embodiment, the access control application 212 performs integrity and safety checks of the access control application 212 and the access application according to the validation policy before requesting network access, and when the integrity and stability of the application is confirmed, the controller 202 may request a network connection.

In operation 810 , the access control application 212 may request a network connection from the controller 202 . In this case, the access control application 212 may transmit the access application identification information and the identification information (eg, IP and service port) of the service server 205 to the controller 202 together with the identification information of the control flow.

In operation 815 , the controller 202 may check the access policy and the channel policy related to the access application in response to the request received from the access control application 212 .

The controller 202 may check whether the connection application satisfies the connection policy of the connection policy database 311 . For example, the controller 202 determines whether identification information of a target (eg, a connection application) and a requested target (eg, the service server 205) that has requested a network connection is included in the access policy database 311 and whether the network connection You can check whether the gateway connection of the requesting target is possible.

If the access application cannot access the network, the controller 202 may transmit information indicating that the connection is impossible to the node 201 in operation 820 . In this case, the access control application 212 may output a user interface screen indicating that access is not possible through the display.

If the access application can access the network, the controller 202 may check whether a channel has been created in the channel table to access the corresponding network. When a channel is not created or when a channel must be created in order to access a corresponding service in the channel policy, the controller 202 may transmit information indicating that access is impossible to the node 201 in operation 820 . .

When a channel is created, or when there is no need to create a channel in order to access the service in the channel policy, the controller 202 transmits information requested by the node 201 to access the data flow table (eg, destination IP and service). It can be checked whether a valid data flow exists based on the port information, etc.).

If there is no valid data flow, the controller 202 creates a data flow that allows the target (eg, a connection application) to connect to the network between the node 201 and the service servers 205-1 and 205-2. can The controller 202 may generate data flow information 350 including source IP, destination IP, service port information, protocol information, certificate information, domain and URL information, and the like.

In operation 820 , the controller 202 may transmit a response to the network access request of the access control application 212 to the node 201 . For example, the controller 202 may transmit the data flow information 350 generated by performing operation 815 to the access control application 212 . According to an embodiment, when the target requesting access is unavailable, the controller 202 may notify the network access unavailable in response to the network access request. Here, the data flow information 350 transmitted in operation 820 may include source IP, destination IP, service port information, protocol information, certificate information, domain and URL information, and the like.

The node 201 may process the result according to the received response. For example, the access control application 212 may store the received data flow information 350 and perform a file IO table check if a network connection is possible. For another example, when receiving a response indicating that the network connection is unavailable, the node 201 may drop a data packet of the connection application.

Also, in operation 825 , the controller 202 may transmit the data flow information 350 to the gateway 203 . Here, the data flow information 350 transmitted in operation 825 may include source IP, destination IP, service port information, protocol information, certificate information, domain and URL information, and the like.

9 is a flowchart illustrating a service request processing of a gateway according to various embodiments of the present disclosure, and the operations illustrated in FIG. 9 may be implemented after, for example, the signal flow diagram of FIGS. 6, 7 or 8 .

Referring to FIG. 9 , in operation 910 , the gateway 203 (or the proxy server 204 - 2 ) receives a service request including source IP or certificate identification information, destination IP or domain information and port information, and protocol information. can receive The service request may be transmitted from the node 201 .

In operation 920 , the gateway 203 may check whether the data flow information 350 exists based on information included in the service request. For example, the gateway 203 may check whether the data flow information 350 exists based on source IP or certificate identification information, destination IP or domain information and port information, and protocol information.

If the data flow information 350 exists, the gateway 203 may perform operation 930 .

In operation 930 , the gateway 203 may check whether file information is included in the service processing request. When file information is included in the service processing request, the gateway 203 may perform operation 940 . If file information is not included in the service processing request, the gateway 203 may perform operation 970 .

In operation 940 , the gateway 203 may determine whether file transfer is permitted based on the file IO information 354 included in the data flow information 350 . If file transfer is allowed, the gateway 203 may perform operation 950 . If the file transfer is not allowed, the gateway 203 may perform operation 980 . In another example, when file transfer for file information included in the service processing request is not permitted, the gateway 203 forwards the service processing request to a path specified according to the service processing policy, or redirects to the node 201 information can be returned.

In another embodiment, if the file transfer is allowed, the gateway 203 may check whether the extension allows the file transfer based on the file IO information 354 included in the data flow information 350 . If the file transmission is allowed and the extension is the file transmission allowed, the gateway 203 may perform operation 950 . If the file transmission is not allowed or the file transmission is not allowed, the gateway 203 may perform operation 980 . In another example, if the file transfer is not allowed, or if the file transfer is not allowed, the gateway 203 forwards the service processing request to the path specified according to the service processing policy, or redirects to the node 201 information can be returned.

In operation 950 , the gateway 203 may determine whether to check the file based on the file check information 355 included in the data flow information 350 . When examining the file, the gateway 203 may perform operation 960 . If the file is not checked, the gateway 203 may perform operation 970 .

In operation 960 , the gateway 203 may determine whether the file information check succeeded. For example, the gateway 203 inspects the file information included in the service processing request information according to the file inspection method indicated by the file inspection information 355 included in the data flow information 350 , and whether the inspection result is successful can be checked. Here, the file information inspection performs its own inspection based on the pattern and rule information included in the data flow, or uses external applications (eg, vaccines, malware detection tools, data loss prevention technology, etc.) and external devices. inspection can be performed through In addition, the file information check may check whether malware, malicious code, personal information, or the like exists in the scanned file, or may substitute information that is not permitted or unsafe information with other information.

If the file check is successful, the gateway 203 may perform operation 970 . If the file check fails, the gateway 203 may perform operation 980 .

In operation 970 , the gateway 203 may forward the service processing request to the destination based on the source IP or certificate identification information, destination IP or domain information and port information, and protocol information. For example, the gateway 203 may forward the service processing request to the destination when the file information check is successful, when the file information is not included, or when the file information check is not required.

In operation 980 , the gateway 203 may return service request failure information to the node 201 . In another example, instead of operation 980 , the gateway 203 may return information for forwarding the service processing request to the path specified according to the service processing policy, or redirecting the service processing request to the node 201 .

10 is a flowchart for receiving a service request processing result of a gateway according to various embodiments of the present disclosure, and the operations illustrated in FIG. 10 may be implemented after, for example, the signal flow diagram of FIG. 9 .

Referring to FIG. 10 , in operation 1010 , the gateway 203 (or the proxy server 204 - 2 ) may receive a service processing request result. Here, the result according to the service processing request may be data according to the operations of FIG. 9 . The service request processing result may be transmitted from the destination of the service request (eg, the service servers 205-1ㅓ and 205-2).

In operation 1020 , the gateway 203 may check whether file information is included in the service processing request result. When file information is included in the service processing request result, the gateway 203 may perform operation 1030 . When the file information is not included in the service processing request result, the gateway 203 may perform operation 1060 .

In operation 1030 , the gateway 203 may determine whether file reception is permitted based on the file IO information 354 included in the data flow information 350 . If file reception is allowed, the gateway 203 may perform operation 1040 . If the file reception is not allowed, the gateway 203 may perform operation 1070 .

In another embodiment, if the file reception is allowed, the gateway 203 may check whether the file reception is allowed based on the file IO information 354 included in the data flow information 350 . When the file reception is allowed and the file reception is allowed extension, the gateway 203 may perform operation 1040 . If the file reception is not allowed or the file reception is not allowed, the gateway 203 may perform operation 1070 .

In operation 1040 , the gateway 203 may determine whether to check the file based on the file check information 355 included in the data flow information 350 . When examining the file, the gateway 203 may perform operation 1050 . If the file is not checked, the gateway 203 may perform operation 1060 .

In operation 1050 , the gateway 203 may determine whether the file information check is successful. For example, the gateway 203 examines the file information included in the service processing request result information according to the file inspection method indicated by the file inspection information 355 included in the data flow information 350, and the success of the inspection result can check whether Here, the file information inspection performs its own inspection based on the pattern and rule information included in the data flow, or uses external applications (eg, vaccines, malware detection tools, data loss prevention technology, etc.) and external devices. inspection can be performed through In addition, the file information check may check whether malware, malicious code, personal information, or the like exists in the scanned file, or may substitute information that is not permitted or unsafe information with other information.

If the file check is successful, the gateway 203 may perform operation 1060 . If the file check fails, the gateway 203 may perform operation 1070 .

In operation 1060 , the gateway 203 may forward the service processing request to the node 201 based on the source IP or certificate identification information, destination IP or domain information and port information, and protocol information. For example, the gateway 203 may forward the service processing request result to the node 201 when the file information check is successful, when the file information is not included, or when the file information check is not required.

In operation 1060 , the gateway 203 may return service request failure information.

11 illustrates a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments of the present disclosure;

In operation 1105 , the gateway 203 may transmit a service request processing log and a rejection log to the controller 202 . The gateway 203 may transmit a service request processing log and a rejection log to the controller 202 in a designated time unit. For example, the service request may include a service processing request to the service server 205 of the node 201 .

In operation 1110 , the controller 202 may analyze the log received from the gateway 203 . The controller 202 may update statistical information on service request and rejection based on the received log information. The controller 202 may analyze the received log to check whether a service requesting target (eg, the node 201 or the access application 211 of the node 201) is performing an abnormal behavior. For example, when the service requesting target is performing an abnormal behavior, the controller 202 may register in the blacklist database 319 according to the blacklist policy of the blacklist policy database 315 . Also, the controller may block the service access of the target by removing the data flow and the control flow of the target performing the non-ideal behavior. The controller 202 may return the updated data flow information to the gateway 203 .

In operation 1115 , the controller 202 may transmit the update result of the data flow to the gateway 203 . When a data flow needs to be removed according to the received data flow information 350, the gateway 203 removes the data flow of the target performing the non-ideal behavior from the data flow table 317 so that the target is no longer connected to the service. You can make the request impossible to fulfill.

12 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;

Referring to FIG. 12 , in operation 1205 , the access control application 212 may request a control flow update.

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In an embodiment, the access control application 212 may request control flow update by including identification information of the control flow every specified period.

In operation 1210 , the controller 202 may update (check) the control flow. For example, the controller 202 determines whether the control flow information 340 indicated by the received identification information exists in the control flow table 316, and if the control flow information 340 exists, the data flow information 350 dependent on it. It can be checked whether . A control flow may not exist if the connection is released by another security system, the update time elapses, or if the connection is released due to risk detection. If the control flow does not exist, the controller 202 may return the connection unavailable information to the node 201 . When the control flow exists, the controller 202 may update the update time or expiration time of the control flow, and search for a data flow dependent on the control flow. For example, when re-authentication needs to be performed in the discovered data flow or there is a data flow that can no longer be accessed, the controller 202 may return the corresponding data flow information to the node 201 .

For example, if the update (check) fails, the controller 202 may transmit connection unavailable information to the node 201 . In this case, the node 201 may terminate the access control application 212 or block the network connection of the access control application 212 . For another example, if the update (check) is successful, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. The controller 202 may transmit the updated control flow information and data flow information to the node 201 . In this case, the node 201 may update the control flow information 340 and the data flow information 350 .

In operation 1215 , the controller 202 may transmit update (inspection) result information to the access control application 212 . For example, if the update (check) fails, the controller 202 may transmit connection unavailable information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 dependent thereon to the access control application 212 . In this case, the node 201 may update the control flow information 340 and the data flow information 350 .

The access control application 212 may process the update (check) result information. When the control flow update result indicates that the connection is unavailable, the connection control application 212 may terminate the connection application 211 or block all network connections of the connection application 211 . When the control flow update result indicates normal and there is updated data flow information 350 , the access control application 212 may update the data flow table 317 in the access control application 212 .

13 is a flowchart illustrating a signal flow for removing a control flow according to various embodiments of the present disclosure;

Referring to FIG. 13 , in operation 1305 , the node 201 may request the controller 202 to terminate the control flow. For example, the node 201 may terminate the access control application 212 , request the end of the control flow when the network connection is not used for a specified time, or a connection termination request is received from another system.

In operation 1310 , the controller 202 may remove a control flow corresponding to the identification information received from the node 201 . The controller 202 may also remove data flows that are dependent on the removed control flow.

In operation 1315 , the controller 202 may request the gateway 203 to remove the data flow.

In operation 1320 , the gateway 203 may block the access control application 212 from connecting to the network by removing the data flow.

Through the operations of FIG. 13 , the gateway 203 periodically performs a data flow update procedure with the controller 202 and returns invalid data flow information 350 according to the termination of the connection application of the node 201 or the disconnection of the network connection. Received and matched with the session information stored in the gateway 203, it is possible to remove the invalid session. Accordingly, the embodiments according to the present disclosure may make it impossible to use a service in an authenticated state for a target whose authentication is not valid according to a characteristic that the situation of the node 201 cannot be known, such as HTTP.

14 illustrates a signal flow diagram for data flow removal according to various embodiments of the present disclosure.

Referring to FIG. 14 , in operation 1405 , the access control application 212 may detect termination of the access application 211 . The access control application 212 may monitor in real time whether the access application 211 running in the node 201 is terminated.

In operation 1410 , the access control application 212 may request the controller 202 to terminate the data flow. For example, the access control application 212 may request the end of the data flow by transmitting data flow identification information assigned to the terminated connection application 211 or identification information of the connection application 211 to the controller 202 . .

In operation 1415 , the controller 202 may remove the data flow based on the data flow identification information received from the node 201 or the identification information of the access application 211 . The controller 202 may identify and search for a control flow based on the received data flow identification information or identification information of the access application 211 , and remove a data flow dependent on the identified and searched control flow.

In operation 1420 , the controller 202 requests the gateway 203 to remove the data flow, and in operation 1425 , the gateway 203 removes the data flow, thereby providing a service corresponding to the removed data flow of the access control application 212 . Access to the server 205 may be blocked. After that, the connection application 211 is no longer able to transmit the data packet to the destination network.

The above description is merely illustrative of the technical idea disclosed in this document, and those of ordinary skill in the art to which the embodiments disclosed in this document belong are not departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are for explanation rather than limiting the technical ideas disclosed in this document, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The protection scope of the technical ideas disclosed in this document should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present document.

Claims (16)

In the gateway,
communication circuit;
a processor operatively coupled to the communication circuitry; and
a memory operatively coupled to the processor, the memory storing a proxy server, wherein the memory, when executed by the processor, causes the gateway to execute the proxy server:
Receive a service processing request from a node,
Check whether data flow information corresponding to the information included in the service processing request exists, wherein the information included in the service processing request includes departure information or destination information,
When the data flow information exists, on the basis of the data flow information, storing instructions for processing the service processing request,
When processing the service processing request, the instructions include:
Check whether file information is included in the service processing request,
If file information is not included in the service processing request, forwarding the service processing request to a destination according to the service processing request,
When file information is included in the service processing request, the gateway is configured to process the service processing request according to whether transmission of a file indicated by the file information is permitted.
delete The method according to claim 1, wherein the instructions are executed by the gateway,
Based on the file IO (input output) information included in the data flow information, it is checked whether the transmission of the file indicated by the file information included in the service processing request is allowed,
If the transmission of the file is not allowed, returning the service processing request to the node,
When transmission of the file is permitted, the gateway is configured to process the service processing request according to whether the file indicated by the file information has been successfully checked. The method according to claim 3, wherein the instructions are the gateway,
Based on the file IO information, it is confirmed whether the extension of the file is an extension that allows file transfer,
If it is not an extension that allows the file transfer, the service processing request is returned to the node,
If the extension allows the file transmission, the gateway is configured to process the service processing request according to whether the file indicated by the file information has been successfully checked. The method according to claim 1, wherein the instructions are executed by the gateway,
Based on the file inspection information included in the data flow information, it is confirmed whether the file information inspection of the file indicated by the file information included in the service processing request is necessary,
If the file information check is not required, forwarding the service processing request to a destination according to the service processing request,
When the file information check is necessary, the gateway processes the service processing request according to whether or not the file check of the file indicated by the file information is successful. The method according to claim 1, wherein the instructions are executed by the gateway,
inspecting the file information included in the service processing request based on the file inspection method indicated by the file inspection information included in the data flow information;
If the file information check is successful, forwarding the service processing request to a destination according to the service processing request,
When the file information check fails, the gateway returns the service processing request to the node. The method according to claim 1, wherein the instructions are executed by the gateway,
After forwarding the service processing request, receiving the service processing result from the destination server,
A gateway to process the service processing result based on the data flow information. The method according to claim 7, wherein the instructions are executed by the gateway,
When file information is included in the service processing result, based on the file IO (input output) information included in the data flow information, it is checked whether reception of the file indicated by the file information included in the service processing result is allowed do,
If the reception of the file is allowed, based on the file check information included in the data flow information, it is checked whether the file information check of the file indicated by the file information included in the service processing result is necessary,
when the file information check is necessary, check the file information included in the service processing result based on the file check method indicated by the file check information included in the data flow information;
When the file information check succeeds, the service processing result is forwarded to the node according to the service processing result. In the method of operation performed by running the proxy server of the gateway,
receiving a service processing request from a node;
Checking whether data flow information corresponding to the information included in the service processing request exists, the information included in the service processing request includes source information or destination information,
when the data flow information exists, processing the service processing request based on the data flow information;
The operation of processing the service processing request is,
checking whether file information is included in the service processing request;
forwarding the service processing request to a destination according to the service processing request when the file information is not included in the service processing request; and
and if the service processing request includes file information, processing the service processing request according to whether transmission of a file indicated by the file information is permitted. delete The method according to claim 9, wherein the processing of the service processing request comprises:
Based on the file IO (input output) information included in the data flow information, the operation of checking whether the transmission of the file indicated by the file information included in the service processing request is allowed,
returning the service processing request to the node when transmission of the file is not permitted; and
and processing the service processing request according to whether the file indicated by the file information has been successfully checked when the transmission of the file is permitted. The method of claim 11, wherein the processing of the service processing request comprises:
Based on the file IO information, the operation of checking whether the extension of the file is an extension that allows file transfer,
If it is not an extension that allows the file transfer, returning the service processing request to the node, and
and processing the service processing request according to whether or not the inspection of the file indicated by the file information succeeds in the case of the extension allowing the file transmission. The method according to claim 9, wherein the processing of the service processing request comprises:
an operation of determining whether a file information check of a file indicated by the file information included in the service processing request is necessary based on the file check information included in the data flow information;
forwarding the service processing request to a destination according to the service processing request when the file information check is not required; and
and processing the service processing request according to whether or not the file check of the file indicated by the file information is successful when the file information check is required. The method according to claim 9, wherein the processing of the service processing request comprises:
checking the file information included in the service processing request based on the file checking method indicated by the file checking information included in the data flow information;
If the file information check is successful, forwarding the service processing request to a destination according to the service processing request; and
and returning the service processing request to the node when the file information check fails. 10. The method of claim 9,
receiving a service processing result from a destination server after forwarding the service processing request; and
and processing the service processing result based on the data flow information. The method according to claim 15, The operation of processing the service processing result,
When file information is included in the service processing result, based on the file IO (input output) information included in the data flow information, it is checked whether reception of the file indicated by the file information included in the service processing result is allowed action,
When the reception of the file is permitted, based on the file check information included in the data flow information, checking whether the file information check of the file indicated by the file information included in the service processing result is necessary;
when the file information check is required, checking the file information included in the service processing result based on the file checking method indicated by the file check information included in the data flow information; and
and forwarding the service processing result to the node according to the service processing result when the file information check is successful.

Images