KR102495372B1 - System for controlling data flow based on application test and method thereof - Google Patents

Abstract

A node according to one embodiment disclosed in the present document comprises: a communication circuit; a processor operatively connected to the communication circuitry; and a memory operatively connected to the processor and storing an access target application and an access control application, wherein when the memory is executed by the processor, the node performs an inspection on a network connection environment of the access target application through the access control application based on data flow information or an application whitelist received from an external server and stores instructions for transmitting inspection results for the connection environment of the connection target application to the external server and the data flow information and the application whitelist can include connection environment inspection information generated by the external server. The present invention provides a system for detecting risks and controlling network access when a safe (or permitted) application connects to a network through an operating system in which a security feature has been disabled or a key system file has been forged or altered or when an attack occurs in the operating system and an operating method thereof.

Description

System for controlling data flow based on application inspection and method therefor {SYSTEM FOR CONTROLLING DATA FLOW BASED ON APPLICATION TEST AND METHOD THEREOF}

Embodiments disclosed in this document relate to a system and method for controlling data flow based on application inspection.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

The terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology. Firewall technology may be used. In the case of such IP communication, since there is a problem that IP can be forged or tampered with, in order to solve this problem, virtual private network (VPN) technology and tunneling technology for encrypting data packets between a terminal and a server are used.

Vaccine and malware detection tools may be used to detect and treat risks such as various malware and viruses introduced through a removable storage medium (eg, floppy disk, USB disk) or a network such as the Internet. The characteristics of these tools are that each file or memory area is substituted based on a pre-stored pattern to detect malware and viruses, and when the pattern matches, the file execution is stopped or the file is removed, so that the malware is embedded in the terminal. Prevent the risk from spreading any further or prevent damage caused by the malware. However, due to the development of malware technology, malware detection tools are becoming incapacitated by creating new patterns that bypass the above pattern detection techniques or by making patterns undetectable through self-encryption. For example, as hacking becomes money with the development of virtual currency, various security incidents caused by ransomware that leaks important information or takes hostage of important information through malware are increasing.

To solve this problem, technologies such as EDR (endpoint detection response) exist. EDR detects various malware through execution and behavior tracking of various files and applications (or processes) on the terminal, and isolates the terminal or It is possible to prevent malware from propagating (or spreading) to other terminals connected to the network, and at the same time, it is possible to perform a comprehensive risk response on how malware is introduced into the terminal.

However, since hundreds of applications are running on the device and a large amount of file IO (input output) is occurring in real time, the EDR technology that tracks and inspects a wide area is limited by the physical computing power of the device and from the user's point of view. Since there is a limitation that must operate within a range that does not impede the user experience of the user, the sensitivity for detecting malware is inevitably lowered, and the evolution of malware that bypasses these problems and the blind spot that EDR cannot solve can only happen

Looking at the way malware operates to solve this problem, malware continuously attempts network access to services (or servers) or other terminals connected to the network in order to generate and propagate a large amount of practical risk, and network access is If it is, it spreads the malware or steals and hostages the important information of the connected target.

The data flow-based network access control technology allows permitted applications to access only permitted networks, thereby preventing unauthorized applications such as malware or ransomware from accessing unallowed networks. Therefore, as described above, it is possible to provide a method for solving the problem by utilizing the characteristic that malware accompanies network access.

Elements for executing an application and accessing a network operate on an operating system, and even if an application is safe, a risk factor may occur due to an operating system in which a security function is incapacitated depending on an environment and state of the operating system. For example, when a safe (or allowed) application accesses the network through an operating system whose security features have been disabled or key system files have been forged or tampered with, or when an operating system has been attacked, it detects the risk and enforces network access control. may not be able to

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a connection target application and an access control application. and the memory, when executed by the processor, the node, through the access control application, checks the network access environment of the application to be connected based on data flow information or application whitelist received from an external server and storing instructions for transmitting a check result of the connection environment of the connection target application to the external server, and the data flow information and the application whitelist include connection environment check information generated in the external server. can

A server according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, the memory comprising: When executed by the processor, the server receives a network access request for a service server from an access control application of a node, wherein the network access request includes identification information of a connection target application of the node trying to access a network of the service server and Network information of the service server is included, and based on the database, whether or not the connection target application can access the service server is checked, and if access is possible, identification information of the connection target application and the network of the service server Check whether a valid data flow corresponding to the information and including connection environment inspection information for examining the network connection environment of the connection target application exists, and respond to the network access request based on whether a valid data flow exists may be transmitted to the node, and when connection is not possible, commands may be stored to transmit result information indicating that connection is not possible to the node.

A method of operating a node according to an embodiment disclosed in this document is based on data flow information or an application whitelist received from an external server for an access environment of an application to be connected to the node through an access control application of the node. and transmitting a test result of the connection environment of the connection target application to the external server, wherein the data flow information and the application whitelist check the connection environment generated in the external server information may be included.

A method of operating a server according to an embodiment disclosed in this document includes receiving a network access request for a service server from an access control application of a node, and the network access request is the connection of the node trying to access the network of the service server. An operation of including identification information of a target application and network information of the service server, an operation of checking whether or not the connection target application can access the service server based on the database of the server, and if connection is possible, the connection target Check whether there is a valid data flow corresponding to the identification information of the application and the network information of the service server and including connection environment inspection information for examining the network connection environment of the connection target application, and whether there is a valid data flow An operation of transmitting a response to the network access request to the node based on , and an operation of transmitting result information indicating that connection is impossible to the node when connection is impossible.

According to the embodiments disclosed in this document, when a safe (or permitted) application accesses the network through an operating system in which security functions are disabled, key system files are forged or tampered with, or an attack occurs in the operating system, a risk It is possible to provide a system for detecting and controlling network access and an operation method related thereto.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 illustrates an architecture within a network environment in accordance with various embodiments.
2 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
3 illustrates control flow information and data flow information included in a database according to various embodiments.
4 is a functional block diagram of a node in accordance with various embodiments.
5 describes an operation of controlling transmission of a data packet according to various embodiments.
6 shows a signal flow diagram for controller connection according to various embodiments.
7 shows a signal flow diagram for user authentication according to various embodiments.
8 illustrates a user interface screen for accessing a controller according to various embodiments.
9 shows a signal flow diagram for network access according to various embodiments.
10 shows a signal flow diagram for checking a connection environment according to various embodiments.
11 illustrates a user interface screen for network access control according to various embodiments.
12 shows a signal flow diagram for control flow update according to various embodiments.
13 shows a signal flow diagram for control flow cancellation according to various embodiments.
14 shows a signal flow diagram for data flow cancellation according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by modules, programs, or other components are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 illustrates an architecture within a network environment according to various embodiments.

A node 201-1 or 201-2 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the node 201-1 or 201-2 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a VR (virtual reality) devices, or home appliances, but is not limited to the aforementioned devices. For example, node 201-1 or 201-2 may include a server or gateway capable of transmitting data packets via an application. The node 201-1 or 201-2 may also be referred to as an 'electronic device' or a 'terminal'.

A situation in which the node 201-1 accesses the service server 205-1 or 205-2 through the Internet and the node 201-2 accesses the service servers 205-1 and 205-2 through the intranet this can be assumed.

A node 201-1 or 201-2 may store a connection application 211-1 or 211-2 and a connection control application 212-1 or 212-2. The connection application 211-1 or 211-2 may be referred to as a 'target application' or 'target application'. Since the connection application 211-1 or 211-2 requests access to the network of the service server 205-1 or 205-2, it may also be referred to as a 'connection target application'.

Each of the access applications 211-1 or 211-2 transmits data packets to the service server 205-1 or 205-2 through the gateway 203 under the control of the access control application 212-1 or 212-2. Or conversely, data packets can be received.

Some of the accessing applications (211-1 or 211-2) are allowed and/or secured applications, such as web browsers or business applications, while others are disallowed programs (e.g. malware, ransomware, and other unacceptable applications). unsecured applications) or insecure malicious programs (applications that have been infected with malware, forged or tampered with). According to embodiments, the access control application 212-1 or 212-2 identifies a program (or access application, process of the access application) requesting transmission of data packets, and the data packet of the disallowed program is sent to the node 201. -1 or 201-2) can be prevented from being transmitted to the outside. In addition, according to embodiments, the access control application (212-1 or 212-2) is the access control application (212-1 or 212-2) and the gateway 203 via a channel between the unauthorized program service server 205 -1 or 205-2) can be blocked and the program quarantined. A channel may be referred to as a 'secure session'.

For example, before the access application 211-1 communicates with the service server 205-1 or 205-2, the access control application 212-1 checks whether access is available from the controller 202, and access If possible, authentication with the gateway 203 may be performed through a data packet authenticated by the controller 202 . Upon completion of authentication, the access control application 212-1 may create a channel 220-1 with the gateway 203. Access control application 212-1 prevents disallowed connection applications 211-1 from sending data packets to disallowed destinations, and channels created between node 201-1 and gateway 203. Only allowed data packets can be transmitted through (220-1).

The controller 202 can be, for example, a server (or cloud server, intranet). The controller 202 manages data transmission between the node 201-1 or 201-2, the gateway 203, and the service server 205-1 or 205-2 to ensure reliable data transmission within the network environment. can For example, the controller 202 allows the network access of the authorized node 201-1 or 201-2 (or the access control application 212-1 or 212-2) through policy information or blacklist information. can do.

In addition, the controller 202 mediates the creation of the channel 220-1 between the access control application 212-1 and the gateway 203, or the node 201-1, the gateway 203, or other interlocked security The channel 220-1 may be removed (or retrieved) according to security events collected from a system (not shown). The access control application 212-1 can communicate with the service server 205-1 or 205-2 only through the channel 220-1 authorized by the controller 202, and the authorized channel 220-1 If it does not exist, network access of the node 201-1 and the access control application 212-1 may be blocked.

The controller 202 is a result of the node 201-1 or 201-2 or the access control application 212-1 or 212-2 inspecting the access environment of the access application 211-1 or 211-2. By analyzing the information, it is possible to determine whether it is a harmful access environment. For example, the controller 202 may determine whether it is a harmful access environment by itself or in conjunction with an external system. The controller 202 may determine whether it is a harmful access environment in the form of a simple inspection or artificial intelligence (AI)-based inspection.

In one embodiment, the connection application 211-1 may communicate with the service server 205-1 or 205-2 only through the channel 220-1 authorized by the controller 202, and the authorized channel ( If 220-1) does not exist, network access of the connection application 211-1 may be blocked from the access control application 212-1, the controller 202 or the gateway 203. According to one embodiment, the controller 202 performs various operations (eg, registration, approval, authentication, renewal, or termination) associated with network access of node 201-1 or access control application 212-1. For this purpose, control data packets may be transmitted and received with the connection control application 212-1. A flow through which the control data packet is transmitted (eg, 230) may be referred to as a 'control flow'.

The gateway 203 may be located at a boundary of a network to which the node 201-1 or 201-2 belongs or a boundary of a network to which the service server 205-1 or 205-2 belongs. For example, the gateway 203 may be located at the boundary of an intranet or cloud. According to one embodiment, the gateway 203 may be connected to the controller 202 on a cloud basis. The gateway 203 may forward only authorized data packets among data packets received from the access control application 212-1 or 212-2 to the service server 205-1 or 205-2. A flow in which data packets are transmitted between the access control application 212-1 or 212-2 and the gateway 203 (eg, 240-1 or 240-2) may be referred to as a 'data flow'. .

Data flows can be created not only on a node or IP basis, but also on a more granular basis (e.g., on an application basis). The gateway 203 performs authentication of the access control application 212-1 or 212-2 before channel creation between the access control application 212-1 or 212-2 and the gateway 203, and the access control application 212 Indiscriminate network access can be blocked in advance by forwarding only data packets transmitted through the channel among data packets transmitted from -1 or 212-2 to the service server 205-1 or 205-2.

2 is a functional block diagram illustrating a database stored in the controller 202 according to various embodiments, and FIG. 3 illustrates control flow information 340 and data flow information 350 included in the database.

Referring to FIG. 2 , the controller 202 may store databases 311 to 319 for controlling network access and data transmission in a memory 330 . 2 shows only the memory 330, the controller 202 may be an external electronic device (e.g., the node 201-1 or 201-2 of FIG. 1, the gateway 203, or the service server 205-1 or 205- 2)) further includes a communication circuit (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller 202 for performing communication with the can do. Since the administrator can connect to the controller 202 and set a connection-oriented policy for controlling access between the access control application 212-1 or 212-2 and the service server 205-1 or 205-2, the service unit You can control network access in a more detailed and secure way than managing sessions in .

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202 receives a network access request from the access control application 212-1 or 212-2, the network identified based on the policy of the access policy database 311 (eg, the node 201-1 or 212-2). network to which 201-2 belongs), node 201-1 or 201-2, user (eg, user of node 201-1 or 201-2), and/or application (eg, node 201-1 Alternatively, the access application 211-1 or 211-2 included in 201-2) may determine whether access to the service server 205-1 or 205-2 is possible. In one embodiment, the controller 202 may create a whitelist of applications accessible to specific services (eg, IP and port) based on the access policy database 311 .

The channel policy database 312 connects the node 201-1 or 201-2 and the service server 205-1 or 201-2 (or destination IP and port) on the access path according to the policy of the access policy database 311. It may include information (eg, authentication information, encryption algorithm, and/or Tunnel End Point IP) necessary for channel creation with the gateway 203 existing between The channel policy database 312 may include information for use (eg, whether IP information allocated to nodes is collected and whether alternative processing is performed) when a channel connected in advance through another gateway exists between access paths. there is.

The channel table 318 may include a dedicated channel IP assigned to node 201-1 or 201-2 and channel creation information.

The access environment inspection policy database 313 includes information for inspecting whether an access environment (eg, operating system) is safe when an application permitted to access the network accesses the network according to the policy of the access policy database 311, a node ( Security policies (e.g., firewalls) that must be followed in the access environment (e.g., operating system) accessed by the application (e.g., access application (211-1 or 211-2)) requesting network access from 201-1 or 201-2. activation, anti-virus activation, and/or activation of automatic operating system updates) and security policies (e.g., USB whether a disk is connected and/or whether a camera is used). The connection environment inspection policy database 313 is inspection information for determining that the operating system is safe, and may include unique information such as a signature, fingerprint, hash, or registry for the operating system. The access environment inspection policy database 313 is information for inspecting system files and related processes existing on a path from execution of a connection application to connection to a network, including signatures, fingerprints, hashes, Alternatively, unique information such as a registry and information for analyzing the corresponding binary may be included. The connection environment inspection policy database 313 requests the node 201-1 or 201-2 for inspection conditions including malware detection tool or pattern DB (database) information for inspecting whether the corresponding element is safe, and Information for performing an inspection based on the inspection result information of (201-1 or 201-2) and policy information such as inspection period and timing information may be included.

The access environment database 319 is information that can be expected that the access environment is normal, and unique information such as signature, fingerprint, hash, or registry for the operating system type and version of the operating system to determine the normal access environment, and access application Information for examining system files and related processes that exist on the path from execution of (211-1 or 211-2) to connection to the network, such as signature, fingerprint, hash or registry for each file and process Unique information and information for binary analysis may be included. In addition, the access environment database 319 may include unique information of harmful access environments in which patterns are determined. The access environment database 319 provides information for identifying whether the access environment is normal or abnormal, or whether it is a harmful access environment, based on information obtained as a result of examining the access environment in the node 201-1 or 202-2. can provide

The blacklist policy database 314 is a target identified through analysis of risk, occurrence cycle, and/or behavior of security events among security events periodically collected by the node 201-1 or 201-2 or the gateway 203 ( Example: A blacklist registration policy for blocking access of at least one of a node identifier (ID), an IP address, a media access control (MAC) address, or a user ID) may be indicated. In addition, the blacklist policy is used as information to determine the risk level of an application (e.g., access application (211-1 or 211-2)) according to the access environment inspection result, and to determine whether to isolate the application according to the risk level. can

The blacklist database 315 may include a list of objects blocked by the blacklist policy database 314 . For example, if the identification information of the node 201-1 or 201-2 requesting network access is included in the blacklist database 315, the controller 202 rejects the network access request, thereby blocking the node 201-1 or 201 -2) can be isolated.

The control flow table 316 is an example of a session table for managing a flow of control data packets generated between the connection control application 212-1 or 212-2 and the controller 202 (ie, control flow).

For example, referring to FIG. 3 , when the access control application 212-1 or 212-2 successfully accesses the controller 202, control flow information 340 and control flow ID 342 (or 'control flow Also referred to as 'identification information') may be generated by the controller 202 . The control flow information 340 may include identification information 344 indicating at least one of an IP identified during controller access and authentication, a node, an application, or an object additionally identified through association with a service server. For example, when a network access request from the access control application 212-1 or 212-2 is received, the controller 202 converts the control flow ID and identification information included in the access request to the control flow information 340. By mapping with the flow ID 342 and the identification information 344, whether the access control application 212-1 or 212-2 can access the service server 205-1 or 205-2 and security with the gateway 203 Whether to create a data flow for session creation may be determined.

In addition, the control flow information 340 is commonly applied to all applications attempting network access, and may include connection environment inspection information 345 for inspecting the network connection environment of each application. Access environment inspection information 345 is information for examining whether the access environment (eg, operating system) is safe, and an application requesting network access from the node 201-1 or 201-2 (eg, access application 211-211-2). 1 or 211-2)) and access applications (211-1 or 211- 2) Security policies to be followed when accessing the service server 205-1 or 205-2 (eg, whether a USB disk is connected or not and/or whether a camera is used) may be included. Access environment inspection information 345 is inspection information for determining that the operating system is safe, and includes unique information such as a signature for the operating system, fingerprint, hash, or registry, and a path from the execution of the access application to access the network. As information for examining system files and related processes existing in , it may include unique information such as a signature, fingerprint, hash, or registry for each file and process and information for binary analysis. The access environment inspection information 345 requests the node 201-1 or 201-2 for inspection conditions including malware detection tool or pattern DB (database) information for checking whether the corresponding element is safe, and the node ( Information for performing the inspection based on the inspection result information of 201-1 or 201-2) and policy information such as inspection period and timing information may be included.

In addition, the control flow information 340 may include state information 346 indicating various states such as creation, authentication, renewal, or termination of the control flow.

According to one embodiment, since the control flow has an expiration time, the node 201 needs to update the expiration time of the control flow based on the time information 348, and if the expiration time is not updated for a certain period of time, the control flow ( Alternatively, the control flow information 340 may be removed. In addition, immediate access is blocked according to a security event collected from the node 201-1 or 201-2, the access control application 212-1 or 212-2, another security application (not shown), or the gateway 203. The controller 202 may remove the control flow if it is determined that it is necessary or if a connection termination request is received from them. When the control flow is removed, the associated data flow is also removed, and the gateway 203 connects the access control application 212-1 or 212-2 or the service server 205-1 or 205 of the access application 211-1 or 211-2. Access to -2) can be blocked.

The data flow table 317 is a flow (e.g., data flow ) is a table for managing Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 317 is the access control application 212-1 or 212-2 of the node 201-1 or 201-2, the gateway 203, and the channels of the service server 205-1 or 205-2. and data flow information 350 for managing a session.

Referring to FIG. 3 , data flow information 350 may include a data flow ID 351 for identifying a data flow and a control flow ID 352 when the data flow is dependent on the control flow. In addition, the data flow information 350 is an application (eg, the access control application 212-1 or 212-2) and a gateway (existing between the smallest identification unit of the application and the service server 205-1 or 205-2) 203) may include authorization subject information 353 for determining whether network access is possible based on source IP, destination IP, and service port information of the corresponding data packet. In addition, the data flow information 350 may include state information 355 indicating whether the data flow is in a usable and valid state, and time information 356 indicating an authentication expiration time required when periodically authenticating the data flow. there is. In addition, the data flow information 350 may further include connection environment check information 354 . The access environment check information 354 may be information for examining the network access environment of the access application 211-1 or 211-2. The access environment inspection information 354 includes security policies (eg, firewall activation, antivirus activation, and/or operating system automatic update activation) and access applications (211-1 or 211-2) that must be followed in the access environment (eg, operating system). When accessing the service server 205-1 or 205-2, security policies to be followed (eg, whether a USB disk is connected or not and/or whether a camera is used) may be included. Access environment inspection information 354 is inspection information for determining that the operating system is safe, and includes unique information such as a signature for the operating system, fingerprint, hash, or registry, and a path from the execution of the access application to access the network. As information for examining system files and related processes existing in , it may include unique information such as a signature, fingerprint, hash, or registry for each file and process and information for binary analysis. The connection environment inspection information 354 requests the node 201-1 or 201-2 for inspection conditions including malware detection tool or pattern DB (database) information for checking whether the corresponding element is safe, and the node ( Information for performing the inspection based on the inspection result information of 201-1 or 201-2) and policy information such as inspection period and timing information may be included.

The structure of the data flow table 317 stored in the controller 202 can be applied to the node 201-1 or 201-2 and the gateway 203, respectively.

4 shows a functional block diagram of a node 201-1 or 201-2 according to various embodiments. At least some of the configurations shown in FIG. 4 may be applied to the controller 202, the gateway 203, or the service server 205-1 or 205-2.

Referring to FIG. 4 , a node 201-1 or 201-2 may include a processor 410, a memory 420, and a communication circuit 430. According to one embodiment, the node 201-1 or 201-2 may further include a display 440 to provide a user interface.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically connected to other components (eg, memory 420, communication circuit 430, or display 440) in node 201-1 or 201-2. ) or operatively coupled with or connected to. The processor 410 may receive commands from other components, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like. The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the connection application 211-1 or 211-2 and the access control application 212-1 or 212-2 of FIG. 1 . The access control application 212-1 or 212-2 may perform a network connection with the gateway 203 and creation of a channel 220-1, and a control flow creation and update function with the controller 202. To this end, the access control application 212-1 or 212-2 may include one or more security modules. In one embodiment, the memory 420 may store the control flow information 340 and data flow information 350 of FIG. 3 .

In one embodiment, the connection application 211-1 or 211-2 may include one or more security modules to create a channel 220-1 with the gateway 203.

The communication circuit 430 establishes a wired or wireless communication connection between the node 201-1 or 201-2 and an external electronic device (eg, the controller 202 or the gateway 203), and performs communication through the established connection. can support According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integral touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

5 describes an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5, the access control application 212 detects a network access request to the service server 205 from the target application 211 included in the node 201, and the node 201 or the access control application 212 ) can determine whether or not the controller 202 is in a connected state. When the node 201 or the access control application 212 is not connected to the controller 202, the access control application 212 may block transmission of data packets in a kernel or network driver included in an operating system. The access control application 212 can only transmit data packets for requesting access to the controller 202, and no data packets are transmitted to the service server 205 when not connected to the controller 202. The access control application 212 accesses the controller 202 to perform identification and authentication on the target application 211, and after the authentication is performed, the service server of the target application 211 queries the controller 202 for access network information. It is possible to check whether access to 205 is possible, and only authorized applications can access the service server 205 . Through the access control application 212, the node 201 can block access of malicious applications (eg, ransomware or malware) in advance in the application layer among the 7 layers of open system interconnection (OSI). there is.

In one embodiment, transmission from the access control application 212 if the access control application 212 has not been authenticated by the gateway 203 or if a channel between the access control application 212 and the gateway 203 has not been created. Data packets to be transmitted may be blocked by the gateway 203. Depending on the embodiment, even if the access control application 212 is not authenticated by the gateway 203, a data packet transmitted from the access control application 212 may not be blocked by the gateway 203.

According to another embodiment, if the access control application 212 is not installed on the node 201 or if a malicious application bypasses control of the access control application 212, unauthorized data packets may be transmitted from the node 201. there is. In this case, since the gateway 203 present at the boundary of the network blocks data packets that are received as an unauthorized secure session and data packets that do not have a data flow, the data packets transmitted from the node 201 (e.g., TCP session data packets for generation) may not reach the service server 205 . In other words, node 201 can be isolated from service server 205 .

6 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow so that the node 201 You can try to connect to the controller of

Referring to FIG. 6 , in operation 605 , node 201 may detect a controller connection event. For example, when connection control application 212 is installed and/or executed within node 201, node 201 may detect that a connection to controller 202 is being requested.

At operation 610 , node 201 may request controller connection from controller 202 . For example, the connection control application 212 can transmit identification information of the connection control application 212 to the controller 202 . Additionally, the access control application 212 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 615 , the controller 202 may identify whether or not the controller access of the target (eg, the access control application 212 and the node 201 ) requesting the controller connection is possible. According to one embodiment, the controller 202 controls whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or access control. Based on at least one of whether the identification information of the application 212 is included in the blacklist database 315 , it is possible to determine whether the controller access of the object requesting the controller access is possible.

If the controller 202 can create a control flow between the node 201 (or the connection control application 212 ) and the controller 202 , the controller 202 can create a control flow. In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 212 into a control flow table ( 316) can be stored. Information (e.g., control flow information 340) stored in the control flow table 316 is used for user authentication of the node 201, information update of the node 201, policy check for network access of the node 201, and/or Or it can be used for validation.

At operation 620, the controller 202 may check the access policy and channel policy. The controller 202 may check an access policy corresponding to information identified in the access policy database 311 (eg, node 201 and source network information to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications and access environment check information for common use based on the checked access policy. The controller 202 may generate an application whitelist including access environment check information. The access environment inspection information may be information for inspecting the network connection environment of an application according to the access environment inspection policy of the access environment inspection policy database 313 . Access environment inspection information includes security policies that must be followed in the access environment (eg, operating system) (eg, firewall activation, vaccine activation, and/or operating system automatic update activation) and security policies that must be followed when an application accesses the service server (eg, firewall activation, vaccine activation, and/or operating system automatic update activation). eg whether or not a USB disk is connected and/or whether a camera is being used). In addition, the access environment inspection information is inspection information for determining that the operating system is safe, and information for inspecting unique information such as a signature, fingerprint, hash, or registry for the operating system, and related processes, for each file and process. Unique information such as a signature, fingerprint, hash, or registry and information for analyzing the corresponding binary may be included. In addition, the connection environment inspection information requests the node 201 for inspection conditions such as malware detection tool or pattern DB information to inspect whether the corresponding element is safe, and the node 201 performs inspection based on the inspection result information. It may include information to perform, and inspection period and timing information. The above-described information may also be included in connection environment inspection information for common use. The controller 202 displays a connection completion status as a connection result, a control flow ID for identifying a control flow when requesting user authentication from the node 201 and continuously updating node information, a generated application whitelist, and connection for common use. Environment check information may be returned to node 201 .

The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 lists the channel types and gateways to which the node 201 can connect based on the identified channel policy, and checks the status (eg, throughput and/or failure) of the listed gateways to catalog them. Among the selected gateways, one channel and one gateway optimized for the node 201 can be identified.

In other embodiments, the controller 202 may not perform operation 620. For example, if it is not possible to access the controller of the object requesting access, the controller 202 may not perform operation 620 .

At operation 625 , the controller 202 may transmit a response to the controller connection request to the node 201 . In one embodiment, the controller 202 may transmit control flow information 340 including control flow identification information to the node 201 in response to the controller connection request. In one embodiment, the controller 202 may transmit the whitelist generated through the execution of operation 620 to the connection control application 212 . In one embodiment, the controller 202 may transmit information for creating a channel including the identified gateway and channel authentication information to the node 201 through the execution of operation 620 . Depending on the embodiment, when access is made through a pre-connected channel between the node 201 and the gateway 203, or when access is made between the node 201 and the gateway 203 through another channel technology, the controller 202 ) may not transmit separate channel creation information to the node 201. Depending on the embodiment, if the target for which access to the controller is requested is unavailable or included in the blacklist, the controller 202 may notify controller access failure in response to the controller access request without generating a control flow.

In one embodiment, node 201 may process the resulting value according to the received response. For example, the connection control application 212 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the network access request of the node 201 to the service server 205 may be controlled by the controller 202 .

Depending on the embodiment, the controller 202 may determine that the node 201 is inaccessible. For example, when the controller connection unavailability information is received, the node 201 may stop or terminate the execution of the connection control application 212 or output a user interface screen indicating that the controller connection is unavailable to the user. For example, the user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

In one embodiment, connection control application 212 of node 201, controller 202, and gateway 203 may further perform operations 630-650. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 630 to 670.

At operation 630, the access control application 212 may determine whether channel creation is necessary. For example, the controller 202 may transmit information for creating a channel (eg, gateway and channel authentication information) to the node 201 . Upon receiving information for channel creation from the controller 202, the access control application 212 may determine that channel creation is necessary. As another example, the controller 202 may not transmit separate channel creation information to the node 201 . Connection control application 212 may determine that channel creation is not required if channel creation information is not received from controller 202 .

At operation 635 , access control application 212 may request gateway 203 to create a channel. For example, when it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create the channel. The access control application 212 may transmit a channel creation request including channel creation information (eg, gateway and channel authentication information) received from the controller 202 to the gateway 203 .

In operation 640, the gateway 203 may create a channel based on information for channel creation. At operation 645 , gateway 203 may transmit a response including a channel creation result to access control application 212 . The channel creation result may include information indicating completion of channel creation, a dedicated channel IP allocated to the node 201, and corresponding channel creation information.

At operation 650, the access control application 212 may perform a check of the application. When it is determined that channel creation is unnecessary, or when a response including a channel creation result is received from the gateway 203, the access control application 212 may perform an application inspection. For example, when a whitelist is received from the controller 202 , the access control application 212 may check whether an application included in the whitelist is installed in the node 201 . In the case of an access application installed in the node 201, the access control application 212 may perform an inspection of the access environment of the corresponding application based on access environment inspection information included in the whitelist. As another example, when the access control application 212 receives commonly applied access environment inspection information from the controller 202, the connection environment of the corresponding application may be inspected based on the received access environment inspection information. .

At operation 655 , the access control application 212 may send the application's test results to the controller 202 . The access control application 212 may transmit a test result of the connection environment of the connection application to the controller 202 .

In operation 660, the controller 202 registers the dedicated channel IP allocated to the node 201 and corresponding channel creation information in the channel table 318 when the channel creation is completed according to the result of the channel creation process, and the node 201 The transmitted information may be updated to the identified control flow information 340 .

The controller 202 checks whether the corresponding connection environment information is valid in the access environment database 319 according to the connection environment inspection policy based on the connection environment inspection result information received from the node 201, or the controller 202 ) or a harmful access environment inspection module present in another system connected to the controller 202, it is possible to determine whether the connection environment inspection result is normal.

For example, if the connection environment check result is normal, the controller 202 provides source IP, destination IP, and service port information so that the node 201 can control the service processing request through the gateway 203 without a network access request procedure. , and a data flow (or data flow information 350) including connection environment inspection information 354 for continuously inspecting the corresponding connection environment.

As another example, if the access environment inspection result is not normal, the controller 202 evaluates the risk level of the access environment inspection result according to the access environment inspection policy, releases the control flow according to the risk level, and Node 201 can be isolated by blocking or adding node 201 to a blacklist.

At operation 665 , the controller 202 may transmit a response to the connection control application 212 transmission of the connection application check result. For example, controller 202 can send data flow information 350 to connection control application 212 . Also, at operation 670 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

The access control application 212 may update the data flow information 350 stored in the node 201 when receiving the updated data flow information 350 from the controller 202 . The access control application 212 may terminate the connection application 211 or block all network access of the connection application 211 when receiving network connection release information from the controller 202 .

According to the operations of FIG. 6 , when the node 201 is normally connected to the controller 202 , all network access requests generated by the node 201 are checked through the controller 202 to determine whether or not they are authorized. After the node 201 normally accesses the controller 202 and before user authentication, an access policy corresponding to an unidentified user (guest) may be applied to the node 201 .

7 illustrates a signal flow diagram for user authentication according to various embodiments, and FIG. 8 illustrates a user interface screen for controller access according to various embodiments. Operations shown in FIG. 7 may be implemented after the signal flow diagram of FIG. 6 , for example.

In order for the node 201 to receive detailed access rights to the destination network, the access control application 212 of the node 201 may authenticate the user of the node 201 from the controller 202 .

Referring to FIG. 7 , in operation 705 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication.

For example, referring to FIG. 8 , when the access control application 212 is executed, the node 201 may display a user interface screen 810 for receiving information required for controller access. The user interface screen 810 includes an input window 811 for inputting controller access information (eg, IP or domain), an input window 812 for inputting a user ID, and/or an input window for inputting a password ( 813) may be included. After information is input to the input windows 811 , 812 , and 813 , the node 201 may detect a controller connection event by receiving an input to the button 814 or 815 for user authentication. For example, if controller connection information, user ID, and password are entered, node 201 may receive an input to button 814 for accessing the controller as a user. As another example, when only the controller access information is input and the user ID and password are not input, the node 201 may receive an input for a button 815 for accessing the controller as a guest.

At operation 710 , node 201 may request user authentication from controller 202 . For example, the access control application 212 provides input information for user authentication (eg, controller access information, user ID, and/or password entered into the input windows 811, 812, and 813 of FIG. 8) to the controller. (202). If the control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication together with control flow identification information.

At operation 715 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (eg, the access policy database 311 of FIG. 2 ). ) or the blacklist database 315), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 316 based on the control flow identification information transmitted by the node 201, and in the checked control flow information 340 User identification information (e.g. user ID) can be added. The added user identification information can be used for the authenticated user's controller access or network access.

As another example, if the controller 202 does not receive the user ID, password, and/or enhanced authentication information from the node 201 and receives only the controller access information, the controller 202 cannot authenticate the user, An unidentified user (or, An access policy corresponding to the guest) may be applied.

In operation 720, the controller 202 determines information (eg, node 201, user, or origin network information to which node 201 belongs) identified in access policy database 311 and channel policy database 312 and corresponds to You can check the access policy.

The controller 202 may generate whitelist information of an accessible application and access environment check information for common use based on the access policy checked in the access policy database 311 . The controller 202 may generate an application whitelist including access environment check information. The access environment inspection information may be information for inspecting the network connection environment of an application according to the access environment inspection policy of the access environment inspection policy database 313 . Access environment inspection information includes security policies that must be followed in the access environment (eg, operating system) (eg, firewall activation, vaccine activation, and/or operating system automatic update activation) and security policies that must be followed when an application accesses the service server (eg, firewall activation, vaccine activation, and/or operating system automatic update activation). eg whether or not a USB disk is connected and/or whether a camera is being used). In addition, the access environment inspection information is inspection information for determining that the operating system is safe, and information for inspecting unique information such as a signature, fingerprint, hash, or registry for the operating system, and related processes, for each file and process. Unique information such as a signature, fingerprint, hash, or registry and information for analyzing the corresponding binary may be included. In addition, the connection environment inspection information requests the node 201 for inspection conditions such as malware detection tool or pattern DB information to inspect whether the corresponding element is safe, and the node 201 performs inspection based on the inspection result information. It may include information to perform, and inspection period and timing information. The above-described information may also be included in connection environment inspection information for common use. For example, connection environment inspection information for common use may be commonly used to inspect the network connection environment of an application attempting (or requesting) network access. For example, connection environment inspection information included in the application whitelist may be used to inspect the network connection environment of applications included in the whitelist. The controller 202 displays a connection completion status as a connection result, a control flow ID for identifying a control flow when requesting user authentication from the node 201 and continuously updating node information, a generated application whitelist, and connection for common use. Environment check information may be returned to node 201 .

The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 lists the channel types and gateways to which the node 201 can connect based on the identified channel policy, and checks the status (eg, throughput and/or failure) of the listed gateways to catalog them. Among the selected gateways, one channel and one gateway optimized for the node 201 can be identified.

In other embodiments, the controller 202 may not perform operation 620. For example, if access to the controller of the target requesting access is not possible, the controller 202 may not perform operation 720 .

At operation 725 , controller 202 may transmit a response to the user authentication request to node 201 . In one embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the whitelist generated through the execution of operation 720 to the access control application 212 . In one embodiment, the controller 202 may transmit information for creating a channel including the identified gateway and channel authentication information to the node 201 through operation 720 . Depending on the embodiment, when access is made through a pre-connected channel between the node 201 and the gateway 203, or when access is made between the node 201 and the gateway 203 through another channel technology, the controller 202 ) may not transmit separate channel creation information to the node 201. Depending on the embodiment, if the object for which access to the controller is requested is unavailable or is included in the blacklist, the controller 202 may notify the controller 202 of inability to access the controller in response to the user authentication request.

In one embodiment, node 201 may process the resulting value for user authentication according to the received response. For example, the node 201 may output a user interface screen indicating completion of user authentication to the user through the display 440 .

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, if the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is not possible to the node 201, and the node 201 may stop or terminate execution of the access control application 212, or user authentication. A user interface screen indicating this failure may be output through a display. For example, referring to FIG. 8 , node 201 may display user interface screen 820 via access control application 212 . The user interface screen 820 may include a user interface 825 indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

In one embodiment, connection control application 212 of node 201, controller 202, and gateway 203 may further perform operations 730-750. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 730 to 770.

At operation 730, the access control application 212 may determine whether channel creation is necessary. For example, the controller 202 may transmit information for creating a channel (eg, gateway and channel authentication information) to the node 201 . Upon receiving information for channel creation from the controller 202, the access control application 212 may determine that channel creation is necessary. As another example, the controller 202 may not transmit separate channel creation information to the node 201 . Connection control application 212 may determine that channel creation is not required if channel creation information is not received from controller 202 .

At operation 735 , access control application 212 may request gateway 203 to create a channel. For example, when it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create the channel. The access control application 212 may transmit a channel creation request including channel creation information (eg, gateway and channel authentication information) received from the controller 202 to the gateway 203 .

In operation 740, the gateway 203 may create a channel based on information for channel creation. At operation 745 , the gateway 203 may send a response including the channel creation result to the access control application 212 . The channel creation result may include information indicating completion of channel creation, a dedicated channel IP allocated to the node 201, and corresponding channel creation information.

At operation 750, the access control application 212 may perform a check of the application. When it is determined that channel creation is unnecessary, or when a response including a channel creation result is received from the gateway 203, the access control application 212 may perform an application inspection. For example, when a whitelist is received from the controller 202 , the access control application 212 may check whether an application included in the whitelist is installed in the node 201 . In the case of an access application installed in the node 201, the access control application 212 may perform an inspection of the access environment of the corresponding application based on access environment inspection information included in the whitelist. As another example, when the access control application 212 receives commonly applied access environment inspection information from the controller 202, the connection environment of the corresponding application may be inspected based on the received access environment inspection information. .

At operation 755 , the access control application 212 may send the application's test result to the controller 202 . The access control application 212 may transmit a test result of the connection environment of the connection application to the controller 202 .

In operation 760, the controller 202 registers the dedicated channel IP assigned to the node 201 and corresponding channel creation information in the channel table 318 when the channel creation is completed according to the result of the channel creation process, and the node 201 The transmitted information may be updated to the identified control flow information 340 .

The controller 202 checks whether the corresponding connection environment information is valid in the access environment database 319 according to the connection environment inspection policy based on the connection environment inspection result information received from the node 201, or the controller 202 ) or a harmful access environment inspection module present in another system connected to the controller 202, it is possible to determine whether the connection environment inspection result is normal.

For example, if the connection environment check result is normal, the controller 202 provides source IP, destination IP, and service port information so that the node 201 can control the service processing request through the gateway 203 without a network access request procedure. , and a data flow (or data flow information 350) including connection environment inspection information 354 for continuously inspecting the connection environment of the corresponding application.

As another example, if the access environment inspection result is not normal, the controller 202 evaluates the risk level of the access environment inspection result according to the access environment inspection policy, releases the control flow according to the risk level, and Node 201 can be isolated by blocking or adding node 201 to a blacklist.

At operation 765 , the controller 202 may transmit a response to the connection control application 212 transmission of the connection application check result. For example, controller 202 can send data flow information 350 to connection control application 212 . Also, at operation 770 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

The access control application 212 may update the data flow information 350 stored in the node 201 when receiving the updated data flow information 350 from the controller 202 . The access control application 212 may terminate the connection application 211 or block all network access of the connection application 211 when receiving network connection release information from the controller 202 .

9 shows a signal flow diagram for network access according to various embodiments, and operations shown in FIG. 9 may be implemented after the signal flow diagram of FIG. 6 or FIG. 7 , for example.

Referring to FIG. 9 , in operation 905 , node 201 may detect a network connection event. For example, node 201 can detect through access control application 212 that a target application is attempting to connect to service server 205 . Connection control application 212 may perform operation 910 when a network connection event is detected. At operation 910, the access control application 212 may check the data flow. The access control application 212 may perform all or part of operations 915 to 935 in accordance with operation 910 .

In operation 915, the access control application 212 may check whether a data flow corresponding to the identification information, destination IP and/or port information of the connection application exists. Also, at operation 920, the connection control application 212 can check whether the data flow is valid. For example, when it is confirmed that the data flow exists by performing operation 915, the access control application 212 may check whether the corresponding data flow is valid. For example, if there is a valid data flow, connection control application 212 can perform operation 925 . At operation 925, connection control application 212 may send a data packet. As another example, if the data flow exists but is not valid (e.g., if the data packet cannot be transmitted or if the network connection has previously been rejected by the controller 202), the connection control application 212 performs operation 930. can do. At operation 930, the connection control application 212 may drop the data packet.

When performing operation 925 or operation 930, the access control application 212 determines whether or not to check the connection environment whenever a corresponding event (data packet transmission or drop) occurs according to the connection environment check information 354 included in the data flow information 350. It is checked whether or not, and if it is confirmed that the connection environment inspection is performed, operation 935 (connection environment inspection) may be performed.

At operation 940 , the connection control application 212 may request a network connection to the controller 202 . If the data flow does not exist, or if renewal is required because the authentication time of the data flow has expired, or if renewal of the data flow is required for other reasons, the access control application 212 may request the controller 202 to connect to the network. there is.

If there is no data flow, the access control application 212 determines whether the application whitelist received from the controller 202 in the controller access and user authentication process exists, and whether the connection application requesting network access is included in the application whitelist. can be checked. For example, if the application whitelist does not exist, if the connection application requesting network access is not included in the application whitelist, or if there is no access environment check information that can be used in common, the access control application 212 Control flow ID for identifying the control flow generated with the controller 202 before detecting the network connection event without performing the connection environment inspection, identification information of the connection application, destination IP and port of the server to which the connection application wants to access A network access request including information may be transmitted to the controller 202 . As another example, if an application whitelist exists and a connection application requesting network access is included in the application whitelist, or if there is access environment check information that can be used in common, the access control application 212 may set the application whitelist The access environment of the connected application may be inspected based on access environment inspection information included in or commonly available access environment inspection information. The access control application 212 controls the connection environment based on control flow ID, application identification information, destination IP and port information, and access environment inspection information included in the application whitelist or commonly available access environment inspection information. A network access request including a test result may be transmitted to the controller 202 .

If the data flow exists, the access control application 212 returns the result of performing the access environment inspection based on the access environment inspection information included in the data flow along with the control flow ID, application identification information, destination IP and port information. A network access request including the may be transmitted to the controller 202 .

At operation 945 , the controller 202 may check the access policy and channel policy in response to the network access request received from the access control application 212 . The controller 202 controls access policies and channels corresponding to information identified in the access policy database 311 and the channel policy database 312 (eg, node 201, user, or origin network information to which the node 201 belongs). You can check the policy.

Based on the checked access policy, the controller 202 can check whether identification information (eg, destination IP and service port information) requested by the access application is included and whether access to the service server corresponding to the identification information is possible. there is.

If the access of the connection application is not possible, the controller 202 may transmit information indicating that the connection is not possible to the node 201 in operation 955 . In this case, the access control application 212 may output a user interface screen indicating that access is impossible through the display 440 .

When the access application is accessible, the controller 202 may check whether a channel for accessing a target (eg, the service server 205) for which network access is requested is created in the channel table 318. For example, when the channel is not created, the controller 202 can check whether channel creation is necessary to access the service server 205 in the channel policy of the channel policy database 312 . If channel creation is required, the controller 202 may transmit a result indicating network connection failure to the node 201 . As another example, if a channel has been created or it is determined that channel creation is unnecessary in the channel policy, the controller 202 provides information requested by the node 201 for network access in the data flow table 317 (eg, destination IP and service It is possible to check whether there is a valid data flow corresponding to the port information).

If a valid data flow exists, the controller 202 can perform operation 950. If there is no valid data flow, the controller 202 generates a data flow (or data flow information 350) including source IP, destination IP, service port information, and connection environment inspection information for continuously inspecting the corresponding connection environment. )), and operation 950 may be performed.

At operation 950, the controller 202 may perform a connection environment check. The controller 202 may check whether the received network access request includes inspection result information on the connection environment.

If the connection environment inspection result information is not included in the network connection request, the controller 202 transmits status information indicating that connection environment inspection is necessary and data flow information 350 including connection environment inspection information to the node 201. can transmit Thereafter, the node 201 may request the controller 202 to inspect the access environment based on the received information, and may control network access based on a response to the connection environment inspection request received from the controller 202. .

When the access environment inspection result information is included in the network access request, the controller 202 stores the access environment in the access environment database 319 according to the access environment inspection policy based on the access environment inspection result information included in the network access request. It is possible to check whether the information is valid or to determine whether a test result for the corresponding access environment is normal through a harmful access environment inspection module included in the controller 202 or another system connected to the controller 202 .

For example, if the test result for the corresponding connection environment is normal, the controller 202 may transmit the data flow information 350 to the node 201 and the gateway 203 in operations 955 and 960 .

As another example, if the test result for the connection environment is not normal, the controller 202 may return information indicating that network access is impossible to the node 201 . The controller 202 evaluates the risk level of the access environment inspection result according to the access environment inspection policy, and releases the control flow according to the risk level to block the network access of the node 201 or add the node 201 to the blacklist. Thus, the node 201 can be isolated.

In operation 955 , the controller 202 may transmit a response to the network connection request of the connection control application 212 to the node 201 . For example, controller 202 can send data flow information 350 to connection control application 212 . Also, at operation 960 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

When the data flow information 350 is received from the controller 202 , the access control application 212 may update the data flow information 350 stored in the node 201 . The connection control application 212 may drop a data packet when receiving connection failure information (or connection failure information) from the controller 202 . When the connection control application 212 receives connection success information (or connection availability information) from the controller 202, it may transmit a data packet. When the access control application 212 receives status information from the controller 202 indicating that the access environment needs to be checked, the connection environment check information 354 included in the received data flow information 350 determines the access application based on the access environment check information 354. A connection environment inspection may be performed, and a access environment inspection request including the inspection result may be transmitted to the controller 202 . The connection control application 212 may release the connection with the controller 202 when receiving network connection release information (information indicating that the network connection is released) from the controller 202 .

A process in which the access control application 212 requests the controller 202 to check the access environment will be described below with reference to FIG. 10 .

10 shows a signal flow diagram for checking a connection environment according to various embodiments. Operations shown in FIG. 10 may be implemented after the signal flow diagram of FIG. 9 , for example.

At operation 1005, the connection control application 212 may detect a connection environment check event. If an event that requires application inspection (e.g., access environment inspection) occurs during the network access process, the connection environment should be inspected at specified intervals according to the access environment inspection period included in the access environment inspection information of the control flow or data flow. If so, the access control application 212 may detect a connection environment check event.

In operation 1010, the connection control application 212 may request a connection environment inspection to the controller 202 upon detecting a connection environment inspection event. The access control application 212 may transmit to the controller 202 a connection environment inspection request including a result of performing a connection environment inspection based on access environment inspection information included in a control flow or data flow.

In operation 1015, the controller 202 searches the access environment database 319 according to the access environment inspection policy of the access environment inspection policy database 313 based on the access environment inspection result information included in the received access environment inspection request. It can check whether the access environment information is valid or determine whether the inspection result of the corresponding access environment is normal through a harmful access environment inspection module included in the controller 202 or another system connected to the controller 202. there is.

If the test result of the connection environment is not normal, the controller 202 may return test failure information to the node 201 . In addition, the controller 202 evaluates the risk level of the access environment inspection result according to the access environment inspection policy, and releases the control flow according to the risk level to block the node 201 from accessing the network or blacklist the node 201. In addition, the node 201 can be isolated and the gateway 203 can be requested to release the data flow.

If the test result of the connection environment is normal, the controller 202 may return test completion information (or test success information) to the node 201 . In addition, the controller 202 may transmit data flow information 350 to the node 201 and the gateway 203 .

At operation 1020 , the controller 202 may transmit a response to the connection environment check request to the node 201 . When receiving data flow information from the controller 202 , the access control application 212 may update data flow information stored in the node 201 . The access control application 212 may transmit a data packet upon receiving test success information from the controller 202 . The access control application 212 may drop a data packet when receiving test failure information from the controller 202 . When the connection control application 212 receives connection release information from the controller 202 , the connection application 211 may be terminated or all network accesses of the connection application 211 may be blocked.

At operation 1025 , controller 202 may transmit data flow information to gateway 203 . For example, if the test result for the connection environment is normal, the controller 202 may transmit data flow information to the gateway 203 . As another example, when the test result of the connection environment is not normal, the controller 202 may transmit a data flow release request to the gateway 203 .

11 illustrates a user interface screen for network access control according to various embodiments.

Referring to FIG. 11 , the node 201 may display a user interface screen 1110 or 1120 based on the result information on the connection environment inspection request received from the controller 202 through the access control application 212. . For example, the access control application 212 may request a connection environment inspection to the controller 202 as the process of FIG. 9 or 10 is performed, and receive a result of the connection environment inspection request from the controller 202. there is. The connection control application 212 may display a user interface screen 1110 through the display 440 when the network connection is blocked according to the result information received from the controller 202 . The user interface screen 1110 may include a user interface 1115 indicating that network access is blocked and notifying the reason for blocking (eg, vaccine inactivation). The connection control application 212 may display the user interface screen 1120 through the display 440 when the network connection is released according to the result information received from the controller 202 . The user interface screen 1120 may include a user interface 1125 indicating that the network connection is disconnected and the user account is logged out, and notifying the reason for blocking (eg, operating system forgery or tampering).

12 illustrates a signal flow diagram for updating a control flow according to various embodiments.

Referring to FIG. 12 , at operation 1205 , connection control application 212 may request control flow update to controller 202 .

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In one embodiment, the access control application 212 may request a control flow update including control flow identification information (control flow ID) for each specified period.

When the access control application 212 checks the previously stored data flow information 350 and performs the connection environment check when updating the control flow according to the access environment check information 354 included in the data flow information 350, Based on the access environment inspection information 354, a control flow update may be requested including a result of performing the access environment inspection.

At operation 1210, the controller 202 may update (check) the control flow. For example, the controller 202 may check whether the control flow information 340 indicated by the received identification information exists in the control flow table 316 . When the connection is released by another security system, the update time elapses, or the connection is released due to risk detection, the control flow may not exist. If the control flow does not exist, the controller 202 may return connection unavailable information to the node 201 . When the control flow exists, the controller 202 may check whether data flow information 350 subordinate to the control flow exists. Based on the data flow information 350 , the controller 202 can check whether or not the connection environment is checked when the control flow is updated.

When the access environment check is performed, but the access environment check result information for each data flow or each application is not included in the control flow update request, or the number of applications to be checked in the node 201 is the number of applications to be checked in the controller 202. If the connection environment check cannot be performed, such as when the number of applications to be performed is different, the controller 202 determines that the connection of the corresponding node 201 is invalid and returns connection failure information to the node 201. can

When the access environment check is performed and the access environment check result information is included in the control flow update request, the controller 202 determines the access environment check policy of the access environment check policy database 313 based on the access environment check result information. Accordingly, whether the access environment information is valid in the access environment database 319 is checked, or the inspection result of the access environment is determined through a harmful access environment inspection module included in the controller 202 or another system connected to the controller 202. You can judge whether it is normal or not.

If the test result of the connection environment is not normal, the controller 202 may return test failure information to the node 201 . In addition, the controller 202 evaluates the risk level of the access environment inspection result according to the access environment inspection policy, and releases the control flow according to the risk level to block access of the node 201 or blacklist the node 201. In addition, the node 201 can be isolated and the gateway 203 can be requested to release the data flow.

If the connection environment inspection result is not necessary or if the connection environment inspection result is normal, the controller 202 may update the update time or expiration time of the control flow and search for a data flow subordinate to the control flow. For example, if re-authentication needs to be performed in the searched data flow or there is a data flow to which access is no longer possible, the controller 202 may return corresponding data flow information to the node 201 .

For example, if the update (check) fails, the controller 202 may send connection unavailable information to the node 201 . In this case, the node 201 may terminate the access control application 212 or block the access control application 212 from accessing the network. For another example, if the update (check) succeeds, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. The controller 202 may transmit updated control flow information and data flow information to the node 201 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

In operation 1215 , the controller 202 may transmit update (check) result information to the connection control application 212 . For example, if the update (check) fails, the controller 202 may transmit unreachable information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 subordinate thereto to the access control application 212 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

The access control application 212 may process update (check) result information. If the control flow update result indicates that access is impossible, the access control application 212 may terminate the access application 211 or block all network access of the access application 211 . If the control flow update result indicates normal and there is updated data flow information 350 , the connection control application 212 may update the data flow table 317 in the connection control application 212 .

At operation 1220 , controller 202 may transmit data flow information 350 to gateway 203 . For example, if updating (checking) succeeds, the controller 202 may transmit data flow information 350 subordinate to the updated control flow information to the gateway 203 . As another example, if updating (checking) fails, the controller 202 may transmit a data flow release request to the gateway 203 .

13 illustrates a signal flow diagram for control flow cancellation according to various embodiments.

Referring to FIG. 13 , in operation 1305, the node 201 may request the controller 202 to terminate the control flow. For example, the node 201 may request control flow termination when the connection control application 212 is terminated, when the network connection is not used for a specified amount of time, or when a connection termination request is received from another system.

In operation 1310 , the controller 202 may remove the control flow corresponding to the control flow identification information (control flow ID) received from the node 201 . The controller 202 may also remove the data flow dependent on the removed control flow.

In operation 1315, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1320, the gateway 203 may block the connection control application 212 from accessing the network by removing the data flow. After that, the connection application 211 can no longer transmit data packets to the destination network.

14 illustrates a signal flow diagram for data flow cancellation according to various embodiments.

Referring to FIG. 14 , in operation 1405 the access control application 212 may detect termination of the access application 211 . The access control application 212 may monitor in real time whether the connection application running on the node 201 is terminated.

In operation 1410, the access control application 212 may request the controller 202 to terminate the data flow. For example, the access control application 212 may request data flow termination by transmitting data flow identification information or application information allocated to the terminated connection application 211 to the controller 202 .

At operation 1415 , controller 202 may remove the data flow based on the data flow identification information or application identification information received from node 201 . The controller 202 may identify and search a control flow based on the received data flow identification information or application identification information, and may remove a data flow dependent on the identified and searched control flow.

In operation 1420, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1425, the gateway 203 removes the data flow, thereby providing a service corresponding to the removed data flow of the connection control application 212. Access to the server 205 may be blocked. After that, the connection application 211 can no longer transmit data packets to the destination network.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (19)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
and a memory operatively connected to the processor and storing a connection target application and an access control application, wherein the memory, when executed by the processor, causes the node to:
Through the access control application, the network connection environment of the connection target application is inspected based on data flow information or application whitelist received from an external server;
Transmitting inspection result information on the connection environment of the connection target application to the external server;
Receiving a response from the external server whether or not a connection environment examination result, determined based on the examination result information, is normal;
Storing commands for controlling network access of the connection target application based on the response;
The data flow information and the application whitelist include connection environment check information generated by the external server. The method according to claim 1, wherein the instructions are the node,
Detecting network access of the connection target application through the access control application;
Transmits the IP and port information of the service server requested by the connection target application to the external server;
The node configured to receive the data flow information including the access environment inspection information according to the access environment inspection policy of the external server. The method according to claim 1, wherein the instructions are the node,
Through the access control application, access to the external server or authentication is performed to obtain the application whitelist including the access environment check information from the external server and access environment check information commonly applied to applications attempting network access. Node to receive. The method according to claim 1, wherein the instructions are the node,
A node configured to perform update with the external server through the access control application to receive updated data flow information or application whitelist from the external server. The method according to claim 1, wherein the instructions are the node,
Detecting network access of the connection target application through the access control application;
A node configured to perform an examination of the connection environment of the connection target application when a connection environment examination is required based on the data flow information or the application whitelist. The method according to claim 1, wherein the instructions are the node,
Through the access control application, if the connection environment of the connection target application needs to be checked periodically based on the data flow information or the application whitelist, the connection environment of the connection target application is checked according to the inspection period Node. The method according to claim 1, wherein the instructions are the node,
Receiving the application whitelist and connection environment check information commonly applied to applications attempting network access from the external server through the access control application;
The node configured to perform a check on the connection environment of the connection target application when the connection target application is included in the application whitelist or when the commonly applied connection environment check information exists. The method according to claim 1, wherein the instructions are the node,
Receiving data flow information in response to a network access request from the external server through the access control application;
A node configured to transmit a data packet when the network access request is successful and to drop the data packet when the network access request fails. The method according to claim 1, wherein the instructions are the node,
Through the access control application, if a data flow corresponding to the service server to which the connection target application wants to access exists and is valid, a data packet is transmitted, and if the data flow exists but is not valid, the data packet is dropped (drop),
A node configured to perform a connection environment inspection when the connection environment of the connection target application needs to be inspected when the data packet is dropped. The method according to claim 1, wherein the instructions are the node,
The node that terminates the connection target application or blocks network access of the connection target application when information indicating that the connection is to be released is received in response to the connection environment inspection request from the external server. in the server,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled to the processor and storing a database, wherein the memory, when executed by the processor, causes the server to:
Receive a network access request for a service server from an access control application of a node, wherein the network access request includes identification information of a connection target application of the node to access a network of the service server and network information of the service server,
Based on the database, it is confirmed whether the connection target application can access the service server;
If access is possible, check whether there is a valid data flow that corresponds to the identification information of the connection target application and the network information of the service server and includes connection environment inspection information for examining the network connection environment of the connection target application. and transmits a response to the network access request to the node based on whether a valid data flow exists or not;
If access is impossible, transmit result information indicating that access is not possible to the node;
When receiving test result information on the connected environment from the node, storing instructions for determining whether a test result on the connected environment is normal based on the test result information;
The response includes a response for controlling access of the connection target application according to whether the inspection result is normal. The method according to claim 11, wherein the commands are the server,
If access is possible,
When the valid data flow does not exist, generating data flow information including identification information of the connection target application, network information of the service server, and connection environment inspection information;
When the valid data flow exists or when the data flow information is generated, the server determines whether inspection result information on the network access environment of the connection target application exists in the network access request. The method according to claim 12, wherein the instructions are the server,
When the inspection result information does not exist in the network access request, transmits status information indicating that a connection environment inspection is necessary and the data flow information including the connection environment inspection information to the node;
When the test result information exists in the network access request, the server determines whether the test result for the network access environment of the connection target application is normal based on the test result information included in the network access request. . The method according to claim 13, wherein the instructions are the server,
and transmits the data flow information including the identification information of the connection target application, the network information of the service server, and the connection environment inspection information to the node and the gateway when the test result is normal. The method according to claim 13, wherein the instructions are the server,
If the above test results are not normal,
Transmitting result information indicating inability to connect to the node;
Evaluate the risk level of the access environment inspection result based on the database,
According to the risk level, the server blocks network access of the node by releasing the control flow with the access control application or adding the node to a blacklist. The method according to claim 11, wherein the commands are the server,
Receiving a connection environment inspection request from the node;
and determining whether a test result of the network connection environment of the connection target application is normal based on the examination result information of the network connection environment of the connection target application included in the connection environment examination request. The method according to claim 11, wherein the commands are the server,
To generate access environment test information for common use in examining the network access environment of applications attempting network access and accessible application white list information, and transmit the information to the access control application;
The whitelist information includes connection environment examination information for examining network access environments of applications included in the whitelist. In the operating method of the node,
An operation of performing a check based on data flow information or an application whitelist received from an external server for an access environment of a connection target application of the node through an access control application of the node;
Transmitting test result information on the connection environment of the connection target application to the external server;
Receiving, from the external server, a response according to whether a connection environment examination result, determined based on the examination result information, is normal; and
Controlling network access of the connection target application based on the response;
The data flow information and the application whitelist include connection environment check information generated by the external server. In the method of operating the server,
An operation of receiving a network access request for a service server from an access control application of a node, wherein the network access request includes identification information of a connection target application of the node to access a network of the service server and network information of the service server. ,
An operation of checking whether or not access to the service server of the connection target application is possible based on the database of the server;
If access is possible, check whether there is a valid data flow that corresponds to the identification information of the connection target application and the network information of the service server and includes connection environment inspection information for examining the network connection environment of the connection target application. and transmitting a response to the network access request to the node based on whether a valid data flow exists;
If connection is not possible, transmitting result information indicating that connection is impossible to the node; and
When receiving test result information on the connected environment from the node, determining whether a test result on the connected environment is normal based on the test result information;
The operation method of claim 1 , wherein the response includes a response for controlling access of the connection target application according to whether the inspection result is normal.

Images