KR102472554B1 - System for controlling network access based on controller and method of the same - Google Patents

Abstract

An objective of the present invention is to effectively resolve various network security problems. According to one embodiment of the present invention, a node comprises a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing an access control application and a target application. The memory can store instructions which, when executed by the processor, cause the node to sense a network access event through the access control application, check the existence of a data flow applied from an external server, corresponding to a data packet to be transmitted by the target application, and including an authentication state, transmit the data packet if the authentication state is authenticated and the data flow which can be accessed or is allowed to be transmitted regardless of the authentication state exists, perform a network access test associated with whether the data packet can be transmitted if the authentication state is authenticated and a data flow which cannot be accessed exists, and drop the data packet if the authentication state of the data flow is not valid.

Description

System for controlling controller-based network access and method therefor

Embodiments disclosed in this document relate to a system and method for controlling a controller-based network connection.

Multiple devices may communicate data over a network. For example, a smartphone may transmit or receive data with a server via the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

In general, communication between nodes and servers uses IP (Internet Protocol)-based TCP (Transmission Control Protocol), and access control is performed by identifying source IP, destination IP, and port information with 5 Tuples information included in data packets. Commonly used firewall technology that performs

Firewall technology identifies IPs assigned to nodes or network nodes and controls access of inbound or outbound data packets between network boundaries, thereby blocking unauthorized IPs from accessing unauthorized destination networks.

Technologies such as IP-based firewalls can cause problems that are difficult to control by IP unit in the case of nodes in the Internet band where IP allocation and control are difficult, or in the case of creating a private IP band by configuring a sub-network with routers and gateways. In practice, firewalls are used as a minimum safeguard.

In order to solve the above problems, connectivity control such as tunneling technology or secure session that encrypts data packets transmitted between nodes and servers or gateways, prevents forgery and tampering, and allows unique access only to authorized targets. technology is being used.

However, VPN (Virtual Private Network) based on tunneling technology created at the terminal level has a vulnerability in that unapproved or unsafe applications access unallowed destination networks through always-connected tunneling after initial authentication. In other words, in the above vulnerability, VPN technology is increasing security incidents due to infiltration of various malware and ransomware.

In addition, communication between servers on an always-connected network has increased along with recent business complexity, and the target application operating in the server is a Micro Service Architecture in which all service logic is not operated in one application, but is separated and operated in modules or functional units. As it develops into a form, actual communication is changed to communication of a module or functional unit that is lower than the application level, and the identification unit is changed, requiring a network access control technology at a level lower than the application level.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a connection control application and a target application; When the memory is executed by the processor, the node detects a network connection event through the access control application, corresponds to a data packet to be transmitted by the target application, and confirms the existence of a data flow authorized from an external server , The data flow includes an authentication state, and if the authentication state is authentication complete and accessible or the data flow is allowed to be transmitted regardless of the authentication state, the data packet is transmitted, and the authentication state is authenticated complete, and if there is an inaccessible data flow, perform a network connection check related to whether the data packet can be transmitted, and store instructions to drop the data packet if the authentication state of the data flow is invalid can

A method of operating an access control application installed in a node according to an embodiment disclosed in this document includes detecting a network access event through the access control application, corresponding to a data packet to be transmitted by the target application, and applying an application from an external server. confirming the existence of a data flow that has been authenticated, the data flow includes an authentication state, and if the authentication state is authentication complete or the data flow allowed to be transmitted exists regardless of the authentication state, the data packet is transmitted; If the authentication status is authentication complete and there is an inaccessible data flow, performing a network connection check related to whether or not the data packet transmission is possible, or dropping the data packet if the authentication status of the data flow is invalid can include

According to the embodiments disclosed in this document, an application accessibility control technology that allows only permitted safe applications to access a permitted network is applied to identify applications that are fundamental communication subjects and block access of disallowed applications in advance. By doing so, it is possible to prevent various types of malware and ransomware from accessing an unauthorized destination network and effectively solve various network security problems currently occurring.

According to the embodiments disclosed in this document, due to the increase in datadam, my data, and AI services, communication of modules or functional units can be controlled in a more granular unit than applications, and data or data possessed by data providers In order to deliver the data entrusted by the owner to the data consumer, the allowed module may control network access so that only data permitted by the data owner or previously permitted by policy is transmitted.

According to the embodiments disclosed in this document, the calculation result of Data Centric Networking-centered AI overlaid on the conventional IP-based network and countless processed valuable data stored in the server are transmitted to the consumer and real value It can be used as a base technology for granting.

In addition, according to the embodiments disclosed in this document, in order to control network access of module unit and data unit that cannot be controlled by conventional application connectivity control technology, the operating system (Kernel Level) has a lower level than an application that cannot be identified. For unit identification, a method for controlling module or data level network access may be provided by inserting an identification layer added when network access is performed in the target application (user level).

In addition, according to the embodiments disclosed in this document, when a module or function in a target application (user level) that cannot be identified in an operating system (kernel level) accesses a network and transmits data, transmission is performed when the target application accesses the network. It is possible to provide a structure that allows or disallows network access depending on whether or not to allow network access including the identification information by checking each identification information included in one authentication data packet with the controller.

In addition, according to the embodiments disclosed in this document, whitelist-based network access is allowed for each identification unit according to the authentication policy of the controller set in advance, or a third party (eg, data owner) allows a network access of the corresponding identification unit. By additionally checking whether or not to allow access, it is possible to provide a structure that allows network access only with the approval of a third party, and since network access by each identification unit is recorded, it is possible to inquire what data was transmitted by which module at what time and where. can provide a way to do it.

In addition, according to the embodiments disclosed in this document, when data centric networking is configured to transmit credit information of a data owner entrusted to a credit institution to another institution, the credit information data of the data owner is transferred to In order to control the transmission to other institutions, only the data permitted by the user, the permitted data supplying institution may create network access at the time of data provision, and release the network connection at the end of data provision, in accordance with the permitted third party. It is possible to provide a method that can reach the practical purpose of My Data.

In addition, according to the embodiments disclosed in this document, various authentication information (eg, public key-based encryption/decryption key and certificate), data information signed based on authentication information (eg, propagation of approved data on a blockchain network) ) Transmission and personal information stored in the cloud, which is always connected to the network, but connects to the Internet only when remote storage including information that needs to be isolated from the Internet is required, thereby blocking external risks from the Internet. , By transmitting only allowed data, it is possible to block the transmission of non-permitted data by non-permitted subjects (e.g., when personal information is arbitrarily leaked by a thief).

In addition, according to the embodiments disclosed in this document, if the target application fails to transmit the data packet after transmitting the authentication data packet, it must wait for a set timeout period or retry the connection, thereby providing a delay time and intuitive It can solve the problem of not being able to check the authentication result.

In addition, according to the embodiments disclosed in this document, an application included in an access control application performs data packet authentication of a target application in advance through an interface (API or Remote Procedure Call, RPC server), and after confirming the authentication result, Authentication results can be intuitively checked by attempting network access, and transmission of unauthorized data packets can be blocked by performing network access control at the time of network access.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 shows an environment including a plurality of networks.
2 illustrates an architecture within a network environment according to various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
4 shows a functional block diagram of a node in accordance with various embodiments.
5 is a diagram showing the structure of an authentication data packet according to various embodiments.
6 is a diagram illustrating an operation of controlling transmission of a data packet according to various embodiments.
7 shows a signal flow diagram for controller connection of a node according to various embodiments.
8 shows a signal flow diagram for network connection authentication of a node according to various embodiments.
9A shows a signal flow diagram for controlling network access of a node according to various embodiments.
9B is a signal flow diagram for network connection test of a node according to various embodiments.
10 shows a signal flow diagram for transmitting a data packet of a node according to various embodiments.
11 shows a signal flow diagram for controlling reception of a data packet by a gateway according to various embodiments.
12 shows a signal flow diagram for updating a control flow of a node according to various embodiments.
13 shows a signal flow diagram for disconnection of a node according to various embodiments.
14 illustrates a signal flow diagram for termination of application execution of a node according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by modules, programs, or other components are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN. According to embodiments, the first network 10 may include the data provider network 210 of FIG. 2 , and the second network 20 may include the data consumer network 220 of FIG. 2 .

The first network 10 may include a source node 101 . In FIG. 1 and embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, source node 101 may include a server or gateway capable of transmitting data packets through an application. The source node 101 may also be referred to as 'electronic device' or 'terminal'. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101 . For another example, the destination node 102 can be substantially the same as the destination network.

The source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 . Source node 101 may transmit data to destination node 102 via gateway 103 and tunnel 105 . However, it is not limited thereto, and the source node 101 may transmit data to the destination node 102 through various paths such as a tunnel, a secure session, and a channel.

If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.

The starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission. When the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable. In addition, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20. can

2 illustrates an architecture within a network environment according to various embodiments.

Referring to FIG. 2, the number of nodes 201, gateways 203, destination networks 204, data provider networks 210, and data consumer networks 220 is not limited to the number shown in FIG. For example, a plurality of nodes may have network access controlled by the controller 202, and the controller 202 may communicate with a plurality of gateways and control transmission of data to a plurality of destination networks.

Node 201 may include a connection control application 211 and a target application 221 . For example, the access control application 211 checks whether a connection is possible from the controller 202 when a network connection occurs, and only if the connection is possible, the destination through the gateway 203 based on the data flow generated by the controller 202. Data packets may be transmitted over the network 204 . For example, the gateway 203 may include a first gateway 213 present at the node 201 side network boundary and a second gateway 223 present at the destination network 204 side network boundary.

The data flow-based connectivity control technology provides a structure in which communication is possible only when there is a data flow authorized by the controller 202 in order for the node 201 to access the destination network 204, and the data flow does not exist. If not, a structure in which the node 201 cannot perform communication may be provided. For example, the access control application 211 may restrict transmission of data packets of the target application 212 if no data flow exists.

According to an embodiment, the access control application 211 may include a network driver, a data flow processor, a control flow processor, and an application interface (API). For example, the access control application 211 may include a network driver for controlling network access in an operating system (kernel level) and a data flow processing unit for checking whether data packets are transmitted and processing them based on the data flow. . In addition, the access control application 211 may include a control flow processor that performs communication between the controllers 202 and processes commands and messages (network access request, network access authentication request). In addition, the access control application 211 authenticates a data packet to be transmitted by the target application, or an interface (Application Application It may include application interfaces that provide Procedure Interfaces, APIs, Remote Procedure Calls (RPCs).

Controller 202 may be a server (or cloud server). Controller 202 may perform network access control of node 201 to destination network 204 .

According to one embodiment, the controller 202 may send and receive control data packets to and from the node 201 to perform various operations (eg, registration, approval, authentication, renewal, and termination) associated with the network connection of the node 201. can A flow through which the control data packet is transmitted may be referred to as a control flow.

Through the above operations, the controller 202 may provide an environment capable of blocking access to the destination network 204 of disallowed nodes.

The gateway 203 may include a first gateway 213 and a second gateway 223 . For example, the gateway 203 may provide a technology capable of safely transmitting data packets in a network section through a secure channel. In addition, the gateway 203 checks whether the data packet received from the access control application 211 is actually transmitted by the allowed node 201, and the data packet that is transmitted by bypassing the access control application 211 It can play a blocking role. That is, the gateway 203 may always enable a secure network configuration throughout the data provider network 210 and the data consumer network 220 .

Data owner 206 can communicate with controller 202 . The controller 202 may allow whitelist-based network access for each identification unit according to the authentication policy, and further confirms whether or not the data owner 206 allows the network access of the corresponding identification unit, so that the data owner ( 206) can provide a structure that allows network access only by approval. In addition, since network access can be recorded for each identification unit, the data owner 206 can inquire what data was transmitted by which module and when and where.

3 is a functional block diagram illustrating a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.

Since the administrator can connect to the controller 202 and set a connection-oriented policy to control access between applications and servers, security such as existing Network Access Control (NAC) and firewalls that simply perform access control based on IP It is possible to control network access that is more granular than technology and more secure from the point of view of network access.

The access policy database 311 may include information on networks and/or services to which an identified network, node (eg, node 201 of FIG. 2 ), user, unidentified user, or application may access. For example, when access to a destination network is requested from a node, the controller identifies the network (eg, the network to which the node belongs), the node, the user (eg, the user of the node), based on the access policy database 311, and/or determine whether an application (an application included in a node) is allowed to connect to the destination network.

The authentication policy database 312 identifies an access target at a more granular level than an application, which is the smallest unit of access control in an access policy (eg, information included in the access policy database 311), and allows the identified target to access. It may contain service information. For example, the authentication policy database 312 determines whether or not access to a service accessible by policy is always allowed when there is a request for network access with corresponding identification information, or whether other systems or third parties connected to the controller (eg : whether or not to allow access only when approved by the data owner). For another example, the authentication policy database 312 determines whether or not network access is continuously allowed after network access is allowed or under certain conditions (eg, TCP SYM Packet, TCP FIN Packet, the amount of transmitted data packets depends on the data flow). It may include whether or not to release the network connection and re-perform data packet authentication when the amount of data packets included in the data flow is exceeded, the update process character of the data packets included in the data flow, etc.) is satisfied. have. In addition, the authentication policy database 312 may include whether to perform data packet authentication only when first connecting to a network or whether to check data packet authentication every data packet transmission time. Depending on the embodiment, the authentication policy database 312 may include a method for extracting identification information included in an authentication data packet and a method for checking (eg, one time password, authentication information generation and checking algorithms such as HMAC). Depending on the embodiment, the authentication policy database 312 includes information about whether it is possible to transmit data packets without additional authentication and information about changing the authentication state of the data flow when the renewal condition of the data flow is satisfied. It may contain information for generating information. That is, the controller 202 may generate authentication information based on the authentication policy database 312 .

The blacklist policy database 313 may include a policy for permanently or temporarily blocking access of nodes. The blacklist policy database 313 includes information (e.g., node, IP address, MAC (media access) identified through analysis of risk, occurrence cycle, and/or behavior of security events among security events periodically collected from nodes or gateways. control) address, or at least one of user ID).

The blacklist database 314 may include a list of at least one of nodes, IP addresses, MAC addresses, or users blocked by the blacklist policy database 313 . For example, if a node requesting access to the destination network is included in the blacklist database 314, the controller may isolate the node from the destination network by rejecting the connection request of the node.

The control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between a node and a controller. When accessing the controller successfully, control flow information may be generated by the controller. The control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID. For example, when access to a destination network is requested from a node, the controller may search for control flow information through control flow identification information received from the node, and the IP address, node ID, or user information included in the searched control flow information By mapping at least one of the IDs to the access policy database 311, it is possible to determine (determine) whether a node can be connected and whether a data flow for creating a TCP session with a destination network can be created.

According to one embodiment, a control flow may have an expiration time. The node needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate disconnection is necessary according to the security event collected from the node, the controller may remove the control flow according to the request of the node to terminate the connection. If the control flow is removed, the previously created data flow is also removed, so node access may be blocked.

The data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between nodes, gateways, and destination networks. A data flow can be created by a TCP session created by node or IP unit, by application of a node, or by a more granular unit. The data flow table 316 includes data flow identification information, control flow identification information when the data flow is subordinate to the control flow, application ID for identifying whether the data packet transmitted from the node is an authorized data packet, and source network identification information , destination network identification information and/or service port. The data flow table 316 determines whether or not network access is continuously allowed after network access is allowed or specific conditions (eg, TCP SYM Packet, TCP FIN Packet, amount of transmitted data packets, amount of data packets included in the data flow) may include authentication information including whether to release the network connection and re-perform data packet authentication when a rule such as including an update processing character of a data packet included in a data flow is satisfied. . Depending on the embodiment, the authentication information may include whether to perform data packet authentication only when first connecting to a network or whether to check data packet authentication every data packet transmission time. In addition, the data flow table 316 includes data flow state information including whether the data flow has been authenticated and can be transmitted, whether authentication is required, or whether network access is possible without authentication because authentication is unnecessary ( or authentication status information of a data flow).

Depending on the embodiment, the data flow table 316 may be equally included in a node (eg, node 201 of FIG. 2 ) and a gateway (eg, gateway 203 of FIG. 2 ).

4 shows a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, the node may further include a display 440 to interface with a user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.

The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to an embodiment, the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the data flow table 316 described in FIG. 3 .

The communication circuit 430 may support establishing a wired or wireless communication connection between a node and an external electronic device (eg, the controller 202 of FIG. 2 ) and performing communication through the established connection. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

A server (eg, the controller 202 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A gateway (eg, the gateway 203 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5 is a diagram showing the structure of an authentication data packet according to various embodiments.

Existing data packets can be composed of a data packet structure including an IP header and payload including 5 tuples (source, destination information, etc.) information, which is a unit that can be identified in OSI (Open System Interconnection) during IP communication. .

In order to implement Micro Service Architecture and Data Centric Networking, 5 tuples and applications that are actual communication subjects that can be identified in the operating system (Kernel Level) of nodes are targeted applications (e.g. : It may be necessary to know whether the minimum identification unit (unit defined in the user level) in the target application 212 of FIG. 2 is connected to the network.

The target application (e.g. target application 212 in FIG. 2) is an authentication data packet (e.g. a single authentication data packet) containing information that can identify the included module or function, and data that can be used to access the network. 510 and a data packet 520 using the authentication data packet as a header may be transmitted. In this case, a network access control application (e.g., the access control application 211 of FIG. 2) controlling network access at the operating system (kernel level) of the node can check the received authentication data packets 510 and 520, Authentication information is extracted from the authentication data packets 510 and 520 and transmitted to a controller (e.g., the controller 202 of FIG. 2) to determine whether to allow network access based on the authentication information, and A structure allowing network access based on whether or not network access is allowed may be provided.

Authentication information in the authentication data packets 510 and 520 can identify a level that cannot be identified by the operating system (Kernel), and is the minimum identification unit for requesting network access permission when a target application accesses a network in order to control network access. can include For example, the identification unit may include information such as a module, function, or data, and the identification unit may be assigned according to the intention of a target developing and operating a target application. For another example, the authentication information may include an authentication information generation algorithm designated by the controller to double check the network access of the target application.

A single authentication data packet 510 may include an IP header and payload. For example, the payload of a single authentication data packet 510 may include an authentication data packet. Depending on the embodiment, the single authentication data packet 510 may be a structure for initial network access authentication.

The data packet 520 using the authentication data packet as a header may include an IP header, a payload including the authentication data packet, and a payload including the actual transmission data packet. Depending on the embodiment, the data packet 520 using the authentication data packet as a header may be a data packet for inspecting successive data packets.

In one embodiment, authentication data packets 510 and 520 may include one or more pieces of authentication information.

6 is a diagram illustrating an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 6 , node 201 blocks data packets transmitted to destination network 204 after controller 202 is connected to network drivers and operating system kernel levels in the case of unacceptable data packets having no data flow. can Thus, node 201 may not transmit any data packets to destination network 204 that do not go through connection control application 211 .

The access control application 211 must access the controller 202 to identify and authenticate a node or one or more identification information and applications, modules, functions, and data included in the application. After authentication is performed, the access control application 211 queries the controller 202 for access network information when the target application 212 accesses the destination network 204 to determine whether access is possible, modules and functions of the authorized application, Only objects such as data can be controlled to be accessible to the network.

Unauthorized nodes or applications, modules, functions, data, etc. included in the application are basically in a state in which they cannot access the destination network 204, and the target application 212 and the modules included in the target application 212 from the controller 202. and when data flow information including access information such as function and data is not transmitted to the first gateway 213 or the second gateway 223, the first gateway 213 or the second gateway 223 sends a data packet Since forwarding of is blocked, the node 201 cannot reach the destination network 204, that is, it is in an isolated state.

7 shows a signal flow diagram for controller connection of a node according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 in order to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, so that the node ( 201) can try to connect to the controller.

Referring to FIG. 7 , the connection control application 211 of the node 201 may, in operation 705 , request a controller connection to the controller 202 . For example, the access control application 211 may perform a controller connection request to create a control flow with the controller 202 . For example, the controller connection request may include information about node 201 or connection control application 211 .

In operation 710, the controller 202 may check whether or not the access control application 211 is in an accessible state according to an access policy based on information requested for access. For example, the information requested for access by the access control application 211 may include the type of node 201, location information, environment, network including the node 201, and information about the access control application 211. have.

In one embodiment, the controller 202 may use an access control application (eg, blacklist database 314 in FIG. 211) may transmit connection failure information (operation 725).

If the node 201 is accessible, in operation 715, the controller 202 may create a connection control application 211 or a control flow between the node 201 and the controller 202. In this case, the controller 202 may generate control flow identification information in the form of random numbers, and the identification information of the node 201 and/or the network to which the node 201 belongs is stored in a control flow table (eg, the control flow of FIG. 3 ). table 315). Information stored in the control flow table (e.g., control flow identification information and/or control flow information) is used for user authentication of the node 201, information update of the node 201, policy check for node 201 network access, and/or Or it can be used for validation. In one embodiment, the controller 120 may generate accessable application whitelist information in an access policy matching node 201 .

In operation 720, the controller 202 may generate a whitelist of accessible applications based on identification information of nodes, users, and source networks and matching access policies. When the whitelist is created, the controller 202 provides control flow identification information (e.g., ID) for identifying a control flow when a connection completion status as a result of the connection, a request for user authentication from a subsequent node, and a continuous update of node information are required. The application whitelist may be sent to the access control application 211 of the node 201 (act 725).

In addition, the controller 202 may determine whether to allow a data packet for which authentication has not been performed based on an authentication policy (eg, the authentication policy database 312 of FIG. 3 ). In this case, the controller 202 may check information on whether or not unauthenticated network access is available to determine whether the node 201 will allow network access without data packet authentication based on the authentication policy, and unauthenticated network access is possible. Whether information may be transmitted to the node 201 (operation 725).

When the control flow is generated, in operation 725 , the controller 202 may transmit a response to the controller connection request to the connection control application 211 of the node 201 . In this case, the controller 202 may transmit the generated control flow identification information to the connection control application 211 . In one embodiment, the controller 202 may send accessible application whitelist information to the access control application 211 .

At operation 730, the access control application 211 may perform a check on the application. For example, the access control application 211 may perform a check on the application based on a whitelist of accessible applications received from the controller 202 . The access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.

At operation 735 , the access control application 211 may send the application check result to the controller 202 . For example, the access control application 211 may transmit information about applications existing in the node 201 and results of validation to the controller 202 .

In operation 740, the controller 202 may check whether the application is valid based on the received application information. If the application included in the received application information is a valid application, the controller 202 selects the gateway 203 where the node 201 is located in the access policy in order to allow access of the node 201 connected to the network including the application. It can be checked, and a data flow can be created in the authentication policy so that the application can allow data packet transmission in advance without data packet authentication. For example, a data flow may be generated based on source IP, destination IP, and port information.

In operation 745 , the controller 202 may transmit the generated data flow to the gateway 203 . For another example, if the generated data flow does not exist, the controller 202 may not transmit the data flow to the gateway 203 .

In operation 750 , the controller 202 may transmit the generated data flow to the node 201 . For another example, if the generated data flow does not exist, the controller 202 may not transmit the data flow to the gateway 203 .

In operation 755 , the connection control application 211 of the node 201 may process the result value of the response received from the controller 202 . For example, the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that access to the controller is impossible in operation 725 without generating a control flow in operation 715 . Also, in this case, operations 730 to 750 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 705 again.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

Depending on the embodiment, operations 730 to 750 may not be performed when the access control application 211 determines that the inspection of the application is not necessary.

8 shows a signal flow diagram for network connection authentication of a node according to various embodiments.

When the node 201 needs to communicate with a destination network, it needs to check whether authentication is completed in order to communicate with the destination network.

Referring to FIG. 8 , in operation 805, the access control application 211 of the node 201 detects a network access authentication request event of a target application (eg, the target application 212 of FIG. 2) installed on the node 201. can do. For example, the target application may request network access authentication through an application interface (API, RPC, etc.) provided by the access control application 211 . According to the embodiment, when the target application requests network access authentication, identification information of the target application, identification information (IP and port information) of the destination network, authentication information (module or function as identification information at a level more detailed than that of the application, identification information such as data) may be transmitted to the access control application 211 .

In operation 810, the access control application 211 may check whether a data flow corresponding to the identification information of the target application, the identification information of the destination network, and the authentication information exists. Depending on the embodiment, when an authenticated data flow exists or a data flow requiring no authentication exists, the access control application 211 may return a network access authentication success result to the target application. Depending on the embodiment, if the data flow exists but is not valid, the access control application 211 may return a network access authentication failure result to the target application.

In operation 815 when the data flow does not exist or authentication of the data flow is required, the access control application 211 may perform a network access authentication request. For example, the access control application 211 provides the controller 202 with network information based on control flow identification information generated with the controller 202 before the network access event, target application identification information, destination network identification information, and authentication information. You can perform access authentication requests.

In operation 820, the controller 202 may check an access policy matched with information about the identified node 201, user, and source network based on the control flow identification information. For example, the controller 202 determines whether access-requested identification information (eg, target application identification information, destination network identification information) is included in the access policy and whether access to the destination network corresponding to the identification information is possible. You can check. Depending on the embodiment, when network access is impossible, the controller 202 may transmit a result of network connection failure to the connection control application 211 in operation 835 .

If access is possible, in operation 825, the controller 202 may check whether the authentication information transmitted by the node 201 is valid based on the authentication policy (eg, the authentication policy database 312 of FIG. 3). have. For example, the controller 202 checks whether the transmittable identification information included in the authentication policy is the same as the identification information transmitted by the node 201 in order to validate the authentication information, and confirms that the network connection is established with the identification information. It is possible to determine whether or not the authentication information is valid or not through the authentication information generated through the authentication information generation algorithm for network access authentication and the authentication information check algorithm included in the authentication policy.

Depending on the embodiment, when the controller 202 can allow network access by approval of a matched third party (eg, the data owner 206 of FIG. 2) based on the identification information of the node 201, Authentication data packet validation can be performed through authentication confirmation by a third party. Through the above confirmation, the third party can safely manage the data they own and check the record of using the data.

When the verification of the access and authentication policies is complete, in operation 830, the controller 202 determines based on the data flow table (e.g., data flow table 316 of FIG. 3) to allow the node 201 to access the network. With the identification information of the destination network, it is possible to check whether there is a data flow that can be accessed.

If there is no valid data flow in the data flow table, the controller 202 generates a data flow including authentication information generated according to the source IP, destination network identification information, and authentication policy so that the target application can access the network to the destination network. can create

Depending on the embodiment, the authentication information may be information including whether it is possible to always transmit data packets without further authentication renewal and authentication renewal timing. For example, the authentication information is whether to allow network access continuously after allowing network access, or specific conditions (eg TCP SYM Packet, TCP FIN Packet, amount of transmitted data packets, amount of data packets included in data flow) may include whether to release the network connection and re-perform data packet authentication when a rule such as including an update processing character of a data packet included in a data flow) is satisfied. Also, the authentication information may include information for setting the authentication state of the data flow to the authentication required state when the data flow renewal condition is satisfied.

In operation 835, the controller 202 may transmit a response to the network access authentication request of the connection control application 211 (operation 815). For example, if the generated data flow exists, the controller 202 may transmit the generated data flow to the access control application 211 . For another example, if there is a data flow accessible from the data flow table, the corresponding data flow may be transmitted to the node 201 . For another example, when the network access of the target application of the node 201 is impossible or authentication fails, the controller 202 may transmit a connection failure result.

In operation 840 , the connection control application 211 may process the result value of the response received from the controller 202 . For example, when the access control application 211 receives a data flow from the controller 202, it updates the data flow of the node 201 with the received data flow, and returns a successful network access authentication result to the target application. can For another example, the access control application 211 may return a network access authentication failure result to the target application when receiving an authentication failure result or a connection failure result from the controller 202 .

According to an embodiment, the target application may process the data packet according to the network connection authentication result returned from the access control application 211 . For example, upon receiving a successful network access authentication result, the target application may transmit a data packet. For another example, upon receiving a network access authentication failure result, the target application may stop transmitting data packets.

According to the embodiment, when an authentication data packet needs to be inserted as a header in every data packet transmitted according to the authentication policy of the controller 202, the target application can add authentication information to the actually transmitted data packet and transmit it.

9A shows a signal flow diagram for controlling network access of a node according to various embodiments. The operations shown in FIG. 9A may be performed through the connection control application 211 of node 201 of FIG. 2 .

When the node 201 detects a network access event of the target application through the access control application 211, it can control the network access by checking the authentication status and confirming whether the authentication is completed.

Referring to FIG. 9A , in operation 905, the access control application 211 may detect a network access event of the target application. For example, the access control application 211 may detect a network access event of the target application by detecting a data packet to be transmitted by the target application.

In operation 910, the access control application 211 may check whether a data flow corresponding to the data packet exists. For example, the access control application 211 may check whether a data flow corresponding to identification information of the target application and identification information of the destination network exists. For example, a data flow may include an authentication state.

Depending on the embodiment, when an accessible data flow exists and authentication is completed, the access control application 211 may transmit a data packet (operation 915).

Depending on the embodiment, if authentication is completed but there is an unreachable data flow, the access control application 211 may perform a network connection check related to whether data packets can be transmitted (operation 920). For example, the network connection check may be performed through operations shown in FIG. 9B.

Depending on the embodiment, if the data flow exists but is not valid, the access control application 211 may drop the data packet (operation 925).

9B is a signal flow diagram for network connection test of a node according to various embodiments.

If the data flow is authenticated but access is impossible, the access control application 211 may perform a network connection check to transmit a data packet based on the data flow.

Referring to FIG. 9B , in operation 930, the connection control application 211 may detect a network connection check event. For example, the access control application 211 may detect a network connection check event through operation 920 of FIG. 9A.

In operation 935 , the access control application 211 may perform a network connection request to the controller 202 . For example, the access control application 211 may perform a network access request including the controller 202 and generated control flow identification information, target application identification information, and destination network identification information.

In operation 940, the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when network access is impossible (operation 955). Depending on embodiments, the controller 202 may perform operation 925 when a network connection is possible.

If the verification of the access policy is complete, in operation 945, the controller 202 selects the destination network based on the data flow table (e.g., data flow table 316 of FIG. 3) to allow the node 201 to access the network. It is possible to check whether there is a data flow that can be accessed with the identification information of .

If there is no valid data flow in the data flow table, the controller 202 provides a data flow including source IP, destination network identification information, and authentication information generated according to the authentication policy so that the target application can access the destination network. can create

Depending on the embodiment, the authentication information may be information including whether it is possible to always transmit data packets without further authentication renewal and authentication renewal timing. For example, the authentication information is whether to allow network access continuously after allowing network access, or specific conditions (eg TCP SYM Packet, TCP FIN Packet, amount of transmitted data packets, amount of data packets included in data flow) may include whether to release the network connection and re-perform data packet authentication when a rule such as including an update processing character of a data packet included in a data flow) is satisfied. Also, the authentication information may include information for setting the authentication state of the data flow to the authentication required state when the data flow renewal condition is satisfied.

At operation 950 , the controller 202 may transmit the generated data flow to the gateway 203 . For another example, if the generated data flow does not exist, the controller 202 may not transmit the data flow to the gateway 203 .

In operation 955, the controller 202 may transmit a response to the network access request (operation 935) of the connection control application 211. For example, if the generated data flow exists, the controller 202 may transmit the generated data flow to the access control application 211 . For another example, if there is a data flow accessible from the data flow table, the corresponding data flow may be transmitted to the node 201 . For another example, when the network connection of the target application of the node 201 is impossible, the controller 202 may transmit a connection failure result.

In operation 960, the connection control application 211 may process the result value of the response transmitted from the controller 202. For example, when receiving a data flow from the controller 202, the access control application 202 updates the data flow of the node 201 with the received data flow, and transmits and processes the data packet based on the data flow. can For another example, the access control application 211 may drop a data packet when receiving a connection failure result from the controller 202 .

In one embodiment, after performing operation 930, the access control application 211 may perform validation on the access application according to the validation policy. For example, the access control application 211 may further perform an integrity and stability test of the access application (forgery or tampering test, code signing test, fingerprint test, etc.). The access control application 211 may perform operation 935 when the validation result is successful.

10 shows a signal flow diagram for transmitting a data packet of a node according to various embodiments.

The access control application 211 of the node 201 checks whether the corresponding data packet is authenticated and whether renewal is required before transmitting the data packet, and controls not to transmit the data packet if authentication is not performed or renewal is required. have.

At operation 1005, the connection control application 211 may detect a data packet transmission event. For example, the access control application 211 may detect an operation of transmitting a data packet by another application included in the node 201 (eg, the target application 212 of FIG. 2 ).

At operation 1010, access control application 211 may perform a data packet authentication check. For example, the access control application 211 may check authentication information included in the data flow corresponding to the destination network identification information of the data packet requested to be transmitted. The access control application 211 can check whether or not to check whether the authentication data packet is included in each data packet based on the authentication information, and can perform the data packet check if it needs to check whether or not the authentication data packet is included. In this case, the access control application 211 may drop the data packet when there is no authentication data packet included in the data packet or when authentication information included in the data packet is different from authentication information included in the data flow. For another example, if it is not necessary to check whether the authentication data packet is included, the access control application 211 may perform operation 1015.

At operation 1015, connection control application 211 may perform a data packet update check. For example, the access control application 211 may determine whether data packet inspection for authentication renewal is required based on authentication information included in the data flow. For example, when it is necessary to inspect data packets for authentication renewal, the access control application 211 may inspect the data packet requested to be transmitted according to the authentication renewal method included in the authentication information. Depending on the embodiment, the access control application 211, if the data packet requested to be transmitted is a TCP SYN Packet or a TCP FIN Packet, if the amount of transmitted data packets exceeds the amount of data packets included in the data flow, the data When a data flow update condition is satisfied according to a set of rules included in the authentication information, such as including an update processing character (suffix) of a data packet included in the flow, a data flow update procedure may be performed. For example, the access control application 211 may change the update status of the data flow to need update, send information about the data flow to the controller 202 and request an update of the data flow (act 1020).

In operation 1025, the controller 202 may update the data flow based on information about the data flow received from the access control application 211.

At operation 1030 , the controller 202 may transmit the updated data flow to the gateway 203 .

Depending on embodiments, operations 1020 to 1030 may not be performed when data flow update is not required.

If data packet inspection for authentication renewal is not required, in operation 1035, the access control application 211 may transfer the data packet. In addition, when authentication renewal is completed, the access control application 211 may transmit a data packet. In addition, the access control application 211 may transmit the data packet when the inspection of the data packet is completed through operation 1010 or operation 1015 . Depending on the embodiment, the access control application 211 may drop the data packet when the data packet inspection fails in operation 1010 or operation 1015 .

11 shows a signal flow diagram for controlling reception of a data packet by a gateway according to various embodiments.

When a data packet is received, the gateway 203 checks whether the corresponding data packet is authenticated and whether renewal is required before forwarding the data packet, and controls not to forward the data packet if authentication is not performed or renewal is required. have.

At operation 1105, gateway 203 may detect a data packet reception event. For example, gateway 203 may detect data packets transmitted from connection control application 211 of node 201 .

In operation 1110, the gateway 203 may check the source IP of the received data packet and identification information of the destination network, and may check whether a data flow corresponding to the source IP and destination network identification information exists. Depending on the embodiment, the gateway 203 may drop the data packet when a data flow corresponding to the source IP and identification information of the destination network does not exist.

If the data flow exists, at operation 1115, gateway 203 may perform a data packet authentication check. For example, the gateway 203 may check authentication information included in the data flow corresponding to the destination network identification information of the received data packet. The gateway 203 can check whether to check whether the authentication data packet is included in each data packet based on the authentication information, and can perform the data packet check if it needs to check whether or not the authentication data packet is included. In this case, the gateway 203 may drop the data packet when the authentication data packet included in the data packet does not exist or when authentication information included in the data packet is different from authentication information included in the data flow. For another example, when it is not necessary to check whether the authentication data packet is included, the gateway 203 may perform operation 1120.

At operation 1120, gateway 203 may perform a data packet update check. For example, the gateway 203 may determine whether data packet inspection for authentication renewal is required based on authentication information included in the data flow. For example, when it is necessary to inspect a data packet for authentication renewal, the gateway 203 may inspect the received data packet according to an authentication renewal method included in authentication information. Depending on the embodiment, if the received data packet is a TCP SYN Packet or a TCP FIN Packet, the gateway 203 includes the received data packet in the data flow if the amount exceeds the amount of data packet included in the data flow. When the data flow update conditions are satisfied according to a series of rules included in the authentication information, such as including the update processing character (suffix) of the updated data packet, the data flow update procedure may be performed. For example, the gateway 230 may change the update status of the data flow to update required, transmit information about the data flow to the controller 202, and request update of the data flow (operation 1125).

In operation 1130, the controller 202 may update the data flow based on the data flow information received from the gateway 203.

Depending on embodiments, operations 1125 and 1130 may not be performed when data flow update is not required.

If data packet inspection for authentication renewal is not required, at operation 1135, gateway 203 may forward the data packet. Also, when authentication renewal is completed, the gateway 203 may forward the data packet. In addition, the gateway 203 may forward the data packet when the inspection of the data packet is completed through operation 1115 or operation 1120 . Depending on embodiments, the gateway 203 may drop the data packet when the data packet inspection fails in operation 1115 or operation 1120.

12 shows a signal flow diagram for updating a control flow of a node according to various embodiments.

The access control application 211 maintains information about the control flow and data flow of the node 201 and periodically checks the control flow to receive an updated data flow from the controller 202 or to check whether the control flow is valid. can request an update.

Referring to FIG. 12 , in operation 1205, the access control application 211 may detect a control flow update event.

In operation 1210, the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.

In operation 1215, the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (eg, when the connection is disconnected by another security system, when the connection is disconnected by its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1220).

The controller 202 may update the update time when a control flow exists in the control flow table (eg, the control flow table 315 of FIG. 3 ). In this case, the controller 202 may transmit identification information of the updated control flow to the connection control application 211 (operation 1220).

In one embodiment, the controller 202 is required to perform re-authentication among data flows subordinate to the identified control flow, or if there is a data flow to which access is no longer possible, the controller 202 transmits information about the corresponding data flow to an access control application ( 211) (operation 1220).

At operation 1225 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, the access control application 211 may block all network accesses of applications when the control flow update result is impossible. For another example, the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.

13 shows a signal flow diagram for disconnection of a node according to various embodiments.

Referring to FIG. 13 , in operation 1305, the node 201 terminates the node 201, terminates the access control application 211, terminates the target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1310, node 201 or access control application 211 may request controller 202 to remove the control flow.

In operation 1315, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1320, the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1325, the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow.

14 illustrates a signal flow diagram for termination of application execution of a node according to various embodiments.

Referring to FIG. 14 , in operation 1405, the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution end event.

In operation 1410, the access control application 211 may check whether a data flow corresponding to the terminated application identification information and PID (Process ID and Child Process ID Tree) information exists. If a data flow exists, the access control application can delete that data flow. Depending on the embodiment, the access control application 211 may check whether the terminated application exists in the running process list in order to track the termination of the multi-executable application, and if not, the identification information of the terminated application. All data flows corresponding to can be deleted.

In operation 1415, the access control application 211 may request the controller 202 to delete the deleted data flow.

In operation 1420, the controller 202 may delete the data flow requested to be deleted. Also, the controller 202 may perform a removal request for the deleted data flow to the gateway 203 . Accordingly, data packets corresponding to source network, destination network, and port information included in the deleted data flow cannot be transmitted any more.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (12)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operatively connected to the processor and storing a connection control application and a target application, wherein the memory, when executed by the processor, causes the node to:
detecting a network access event through the access control application;
Checking the existence of a data flow corresponding to a data packet to be transmitted by the target application and authorized from an external server, the data flow including authentication status and authentication information;
If the data flow allowed to be transmitted exists, transmit the data packet;
If the data flow that is not allowed to be transmitted exists, perform a network connection check related to whether or not transmission of the data packet is possible based on the authentication state, or whether or not authentication is required included in the authentication information and a data packet for authentication renewal Perform inspection on the data packet based on whether to perform inspection;
When updated to a transmittable data flow, transmit the data packet;
and drop the data packet if the authentication status of the data flow is not valid. The method of claim 1, wherein the instructions are the node,
When performing the network access check, a network access request is made to the external server through the access control application, and the network access request includes identification information of a destination network of the target application and identification information of the target application. do,
Receiving data flow or connection unavailability information from the external server through the access control application;
A node configured to transmit the data packet based on the received data flow or to drop the data packet based on the access unavailability information. The method of claim 1, wherein the instructions are the node,
Through the access control application, a first network access authentication request of the target application is received, and the first network access authentication request includes identification information of the target application, identification information of a destination network of the target application, and authentication information. do,
Through the access control application, check whether an authenticated data flow corresponding to the identification information of the target application, the identification information of the destination network, and the authentication information exists;
If the authenticated data flow exists, returning a network access authentication success result to the target application;
and returning a network access authentication failure result to the target application if the authenticated data flow exists but is not valid. The method of claim 3, wherein the instructions are the node,
If the authenticated data flow does not exist, performing a second network access authentication request to the external server through the access control application;
A node configured to receive a data flow including authentication information from the external server and return a network connection authentication success result to the target application. According to claim 4,
The authentication information is generated based on an authentication policy included in the external server,
The authentication information includes information on whether it is possible to transmit a data packet without additional authentication and information for changing the authentication state of the data flow when an update condition of the data flow is satisfied based on the authentication policy Node, . The method of claim 4, wherein the instructions are the node,
determining whether or not to transmit data packets of the target application without authentication based on the unauthenticated network access availability information received from the external server through the access control application;
When the data packet is transmitted without authentication, a network connection request is made to the external server;
Receiving a data flow including the authentication information from the external server;
A node to transmit the data packet based on the received data flow. The method of claim 3, wherein the instructions are the node,
and perform the first network connection authentication request of the target application through an application interface of the access control application. The method of claim 1, wherein the instructions are the node,
Through the access control application, check whether to check whether an authentication data packet is included in each data packet transmitted based on the authentication information,
If it is necessary to check whether or not an authentication data packet is included in each of the transmitted data packets, the data packet is checked,
and drop the data packet when no authentication data packet exists in the data packet or authentication information included in the data packet is different from authentication information included in the data flow. The method of claim 1, wherein the instructions are the node,
Through the access control application, if data packet inspection for the authentication renewal is required, the data packet is inspected based on the authentication renewal method included in the authentication information;
A node configured to set an update state of the data flow to require update when a data flow update condition included in the authentication information is satisfied. 10. The method of claim 9, wherein the instructions are the node,
When the update status of the data flow is update required, a data flow update request is performed to the external server;
wherein the data flow update request includes the data flow information. delete In the operating method of the access control application installed in the node,
detecting a network connection event through the access control application;
confirming existence of a data flow corresponding to a data packet to be transmitted by the target application and authorized from an external server, the data flow including authentication status and authentication information;
If the data flow allowed to be transmitted exists, the data packet is transmitted; , The data packet is inspected based on whether authentication is required and whether or not to perform a data packet inspection for authentication renewal included in the authentication information, and transmits the data packet when updated to a transmittable data flow, or dropping the data packet if the authentication status of the data flow is invalid; Including, method.

Images