KR102502367B1 - System for controlling network access based on controller and method of the same - Google Patents

Abstract

According to an embodiment disclosed in this document, a node comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a connection control application and a target application. The memory can store instructions which, when executed by the processor, cause the node to: receive a data packet through the connection control application; request an external server to update a data flow including session identification information, on the basis of whether there is the data flow corresponding to the received data packet and applied from the external server and whether the session identification information is included in the data packet; and transmit the data packet on the basis of the data flow received from the external server and having the session identification information updated. Therefore, the node can block the transmission of data packets to unauthorized targets.

Description

System for controlling controller-based network access and method therefor

Embodiments disclosed in this document relate to a system and method for controlling a controller-based network connection.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

The terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology. Firewall technology may be used. In the case of such IP communication, since data packets are transmitted in plain text, there is a problem in that a third party can easily view important information of the data packet using sniffing technology such as tapping equipment or rouge WiFi. To solve this problem, VPN (Virtual Private Network) technology and tunneling technology for encrypting data packets between the terminal and the server are used.

Tunneling technology may be limited in scope to controlling only network access subordinate to a specific network or service, since tunneling usage and related specifications are all different depending on service servers. In addition, since the tunneling technology needs to set a wide network bandwidth, it may be difficult to control communication of each application running in the terminal and the unit of a service server to which the application wants to access.

In order to compensate for the disadvantages of the tunneling technology, a session technology that can guarantee secure communication more easily and conveniently than tunneling can be considered. For example, protocols such as Transport Layer Security (TLS), Secure Sockets Layer (SSL), Datagram Transport Layer Security (DTLS), Mutual Transport Layer Security (MTLS), or Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS). Session technology may be applied.

In session technology, a terminal and a service server must perform session creation and negotiation procedures in advance. Due to the nature of IP communication based on the 7th layer of OSI (Open Systems Interconnection), the target requesting communication (e.g. terminal or application) ) is a pre-approved safe target, so it is difficult to block unauthorized targets at the network level (i.e., OSI 7 layer). Although the service server can block access from targets that do not satisfy the authentication conditions, this method is only possible after a TCP session or session has been created or a service protocol access procedure (eg HTTP) has been performed. The target's network access cannot be fundamentally blocked or released, and an attacker can launch a DoS (Denial of Service) attack through well-known protocols such as HTTPS and open ports. Furthermore, when a security function included in an application of a terminal is not executed or a risk element exists in the application, there is no method to block the detected threat in a network connection state even if the terminal or the network detects it.

In addition, when a session between the terminal and the service server is created, the encrypted data packets exist at the network boundary of the service server using filtering-based security technologies (e.g., IDS (Intrusion Detection System), IPS (Intrusion Prevention System), NGFW (Next Generation Firewall) )) can cause problems.

In the case of a terminal with mobility, since the source IP continuously changes due to handover, a problem of blocking data packet transmission based on the source IP may occur in the gateway. That is, in the case of a terminal that undergoes frequent handovers, there may be a problem of requiring network access authentication every time an IP is changed.

In addition, when the session is initially created, only the application authorized through the authentication process enables the session, but since it is not known which application was actually matched with and authorized, the session can be terminated immediately when the application is terminated. this doesn't exist

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a connection control application and a target application; When the memory is executed by the processor, the node receives a data packet through the access control application, and the existence of a data flow corresponding to the received data packet and applied from an external server and session identification information in the data packet Perform a data flow update request including the session identification information to the external server based on whether it is included, and transmit the data packet based on the data flow with the session identification information received from the external server updated to store instructions.

A server according to an embodiment disclosed in this document includes communication circuitry, a memory for storing a database, and a processor operatively connected to the communication circuitry and the memory, wherein the processor controls a connection control application of a node. 1 Receives a data flow update request, the first data flow update request includes first session identification information, determines whether to check the first session identification information based on the database, and determines whether to check the first session identification information In case of checking, it is checked whether the first session identification information is identical to the second session identification information received from the gateway or the service server, and if the first session identification information and the second session identification information are identical, data flow update, and if the first session identification information is not checked, update the first session identification information and session creation state in the data flow, and send the updated data flow to the node, the gateway or the service server can be configured to transmit.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a memory for storing a database, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a service processing request, Check existence of a data flow corresponding to the service processing request and authorized from an external server, and if the data flow exists, check whether session identification information is included in the service processing request. When the service processing request includes the session identification information, perform a data flow update request including the session identification information to the external server, and receive a data flow with the session identification information updated from the external server. can

A method of operating an access control application stored in a node according to an embodiment disclosed in this document includes the steps of receiving a data packet, the existence of a data flow corresponding to the received data packet and applied from an external server, and a session in the data packet Performing a data flow update request including the session identification information to the external server based on whether the identification information is included, based on the data flow in which the session identification information received from the external server is updated It may include transmitting the packet.

A method of operating a server according to an embodiment disclosed in this document includes receiving a first data flow update request from an access control application of a node, the first data flow update request including first session identification information, and the Determining whether to check the first session identification information based on a database; When checking the first session identification information, the first session identification information is identical to second session identification information received from a gateway or a service server. checking whether the first session identification information and the second session identification information are the same, updating the data flow, if the first session identification information is not checked, the first session Updating identification information and a session creation state, and transmitting the updated data flow to the node, the gateway, or the service server.

According to the embodiments disclosed in this document, a system for controlling network access provides a method for allowing only authorized objects to access a network based on a session, and can block transmission of data packets by unauthorized objects.

According to the embodiments disclosed in this document, a system for controlling network access provides a method for detecting a threat to an invalid target and disconnecting the connection, and clarifies an ambiguous network connection disconnection point between an application and a service server. Lifecycle management can be facilitated.

According to the embodiments disclosed in this document, a system for controlling network access blocks data packets transmitted by unauthorized objects through a gateway, thereby preventing DoS attacks and brute force attacks through access to service resources. can

According to the embodiments disclosed in this document, a system for controlling network access overcomes the problems inherent in existing IP communication by implementing a secure network connection lifecycle that includes application network access control, threat blocking, and isolation. and provide a secure network connection.

According to the embodiments disclosed in this document, a system for controlling network access can control data transmission in a transport layer more easily and in detail than tunneling technology that protects data packets in a wide network range.

According to the embodiments disclosed in this document, the gateway may forward data packets between a session-based application and a service server and block other data packets, thereby blocking potentially dangerous elements.

According to the embodiments disclosed in this document, it is possible to create a session with a gateway or a service server without requiring individual modification for each application to access the service server.

According to the embodiments disclosed in this document, it is possible to identify which application created a session with the service server, and when the corresponding application is terminated, the corresponding session can be terminated immediately.

According to the embodiments disclosed in this document, when a session is created in a network access authorization state of a node, there is no way to check whether the corresponding session is actually connected to the destination network, so that a Man In The Middle (MITM) attack can occur. When network access occurs through an abnormal proxy server while destination IP information is forged, it is possible to solve the problem of exposing all data packets or manipulating data packets to connect to another server.

According to the embodiments disclosed in this document, when an application connects to a network, it checks whether the corresponding network connection is transmitted only by the session according to a pre-mapped session policy, and when transmitting data packets, only data packets by the session are transmitted. At the same time as providing the technology, it is possible to identify whether the corresponding session was created by the target application by inspecting the data packet during the session creation process and transmitting session identification information to the controller.

In addition, according to the embodiments disclosed in this document, when an application transmits a data packet in a state in which a session is not created or the transmitted session identification information is different from the session identification information collected from the destination network, whether or not the application passes through a rogue session proxy server. , the network connection can be terminated immediately, and when the application is terminated, the session is immediately removed to prevent communication with the destination network using previously authenticated session information.

In addition, according to the embodiments disclosed in this document, a session for which a session creation data packet is not separately configured can be maintained by inspecting a data packet including session identification information or a service processing request to maintain only an authorized session, and the controller can maintain a node And it is possible to provide a structure capable of transmitting a data packet or service processing request based only on an authorized session by confirming whether a session is normally created based on session identification information received from a gateway or a service server.

In addition, according to the embodiments disclosed in this document, each node, gateway or server continuously tracks session identification information, and the tracked identification information is monitored by a controller to block data packets at the node or process service at the gateway or server. You can manage your network to reject requests or redirect them to other destinations.

In addition, according to the embodiments disclosed in this document, the session is not blocked in advance, but session identification information identified in the controller is compared, and when a disallowed session is generated, the data flow including the session is removed so that nodes and gateways are Alternatively, it may be managed so that communication between servers is not performed.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 shows an environment including a plurality of networks.
2 illustrates an architecture within a network environment according to various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
4 shows a functional block diagram of a node in accordance with various embodiments.
5 describes an operation of controlling transmission of a data packet according to various embodiments.
6 shows a signal flow diagram for controller connection according to various embodiments.
7 illustrates a signal flow diagram for user authentication according to various embodiments.
8 shows a signal flow diagram for network access according to various embodiments.
9 illustrates a signal flow diagram for session processing according to data packet reception according to various embodiments.
10 illustrates a signal flow diagram for session processing according to reception of a service processing request in a gateway or server according to various embodiments.
11 shows a signal flow diagram for control flow update according to various embodiments.
12 illustrates a signal flow diagram for disconnection according to various embodiments.
13 illustrates a signal flow diagram for termination of application execution according to various embodiments.
14 is a flowchart illustrating a method of operating an access control application installed in a node according to various embodiments.
15 is a flowchart illustrating a method of operating a server according to various embodiments.
16 is a flowchart of a method of operating a gateway according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, but to cover various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101 . In FIG. 1 and embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, source node 101 may include a server or gateway capable of transmitting data packets through an application. The source node 101 may also be referred to as 'electronic device' or 'terminal'. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101 . For another example, the destination node 102 can be substantially the same as the destination network.

The source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 . Source node 101 may transmit data to destination node 102 via gateway 103 and session 105 .

If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.

The starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission. When the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable. In addition, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20. can

2 illustrates an architecture within a network environment according to various embodiments.

Referring to FIG. 2 , a node 201 may be various types of devices capable of performing data communication. For example, the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device, Or it may include a home appliance, but is not limited to the aforementioned devices. For example, node 201 may include a server or gateway capable of transmitting data packets through an application. The node 201 may also be referred to as an 'electronic device' or a 'terminal'.

Node 201 may store a plurality of target applications 212 , 213 and a connection control application 211 . The first target application 212 may transmit a data packet to the first service server 205 through the gateway 203 under the control of the access control application 211 or, conversely, may receive a data packet. The second target application 213 may transmit a data packet to the second service server 206 or receive a data packet under the control of the access control application 211 . Some of the target applications 212, 213 may be trusted and/or secured applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, thus enabling network access according to embodiments. The system blocks access to the service servers 205 and 206 of unauthorized programs (applications) through a session between the access control application 211 and the gateway 203 or a session between the access control application 211 and the service server, and You can isolate that program. For example, before the target applications 212 and 213 according to the embodiments communicate with the service servers 205 and 206 , the access control application 211 may check whether or not the controller 202 is able to connect. If access is possible, the access control application 211 may create a session with the gateway 203 or the second service server 206 . That is, in order for the target applications 212 and 213 to access the network, they must go through the access control application 211, and the access control application 211 must be authorized from the controller 202, and the access control application 211 and the gateway ( 203) or the second service server 206, after the session is created, the access control application 211 may transmit data packets of the target applications 212 and 213 based on the session.

The controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the node 201, the gateway 203, and the service servers 205 and 206. For example, the controller 202 may allow the network access of the authorized node 201 (or the access control application 211) through policy information or blacklist information. In addition, the controller 202 brokers session creation between the access control application 211 or the target applications 212 and 213 and the gateway 203 or the second service server 206, or the node 201 or the gateway 203 Session can be removed according to security events collected from In one embodiment, the target applications 212 and 213 can communicate with the service servers 205 and 206 only through a session authorized by the controller 202, and if the authorized session does not exist, the target application 212 and 213 ) may be blocked from the access control application 211, the controller 202, the gateway 203 or the second service server 206. According to one embodiment, the controller 202 is an access control application (eg, registration, authorization, authentication, renewal, termination) associated with network access of the node 201 or access control application 211. 211) and control data packets can be transmitted and received. A flow through which the control data packet is transmitted (eg, 220) may be referred to as a 'control flow'.

The gateway 203 may be located at a boundary of a network to which the node 201 belongs or a boundary of a network to which the service servers 205 and 206 belong. According to one embodiment, the gateway 203 may be connected to the controller 202 based on a cloud. The gateway 203 may forward only authorized data packets among data packets received from the access control application 211 to the first service server 205 . A flow in which data packets are transmitted between the access control application 211 and the gateway 203 may be referred to as 'data flow'. Data flows can be created in granular units (eg applications) as well as nodes or IP units. The gateway 203 forwards only the data packets transmitted through the session among the data packets transmitted from the access control application 211 to the first service server 205 to block indiscriminate network access in advance.

According to various embodiments, the node 201 may include a connection control application 211 and a network driver (not shown) for managing network access of the target applications 212 and 213 stored in the node 201 . For example, when an access event occurs for the service servers 205 and 206 of the target applications 212 and 213 included in the node 201, the access control application 211 controls the access of the target applications 212 and 213. You can decide if it is possible or not. If the target applications 212 and 213 are accessible, the access control application 211 may transmit a data packet to the gateway 203 or the second service server 206 through the session. The access control application 211 may control transmission of data packets through a kernel including an operating system and a network driver within the node 201 .

3 is a functional block diagram illustrating a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.

Since the administrator can connect to the controller 202 and set connection-oriented policies to control access between the access control application 211 and the service servers 205 and 206, it is more detailed and secure than managing sessions at the service level. You can control network access.

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202, when requesting network access from the access control application 211, identifies a network based on a policy of the access policy database 311 (eg, a network to which the node 201 belongs), a node, A user (eg, a user of the node 201) and/or an application (eg, a target application 212 or 213 included in the node 201) may determine whether access to the service server 205 or 206 is possible. In one embodiment, the controller 202 may create a whitelist of target applications 212 and 213 accessible to a specific service (eg, IP and port) based on the access policy database 311 .

The session policy database 312 stores gateway 203 information, service server 205, 206 information, and data packets present on the network boundary of the service servers 205 and 206 on a connection path without being authenticated for a specified time. or if the session is not created, expiration time information for releasing the connection of the access control application 211, expiration time information for periodic renewal of data flow, or session type for monitoring the session in the gateway 203 At least one of the information may be included. Depending on the embodiment, a session may be created between the access control application 211 and the gateway 203 or between the target applications 212 and 213 and the gateway 203 . Depending on the embodiment, the session may be created between the access control application 211 and the service servers 205 and 206, or between the target applications 212 and 213 and the service servers 205 and 206. Depending on the embodiment, session identification information may be assigned to a session when a node 201 accesses a destination. Accordingly, the session identification information is obtained by detecting a data packet when a service request is performed or a request result is received. You can check. That is, the session identification information may be checked by inspecting the data packet at every transmission and reception depending on whether to inspect the data packet transmitted or received as the corresponding destination identification information on the data flow.

The blacklist policy database 313 is a target (e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID) may indicate a blacklist registration policy for blocking access.

The blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 . For example, the controller 202 may isolate the node 201 by rejecting the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .

The control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between the node 201 and the controller 202 . When accessing the controller 202 is successful, control flow information may be generated by the controller 202 . The control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID. For example, when access to the service servers 205 and 206 is requested from the node 201, the controller 202 can search for control flow information through control flow identification information received from the node 201, and retrieved Whether or not the node 201 can access the service servers 205 and 206 by mapping at least one of the IP address, node ID, or user ID included in the control flow information to the access policy database 311, and the gateway 203 ) or whether to generate a data flow for session creation with the service servers 205 and 206 may be determined (determined).

According to one embodiment, a control flow may have an expiration time. The node 201 needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate disconnection is necessary according to the security event collected from the node 201 , the controller 202 may remove the control flow according to the connection termination request of the node 201 . When the control flow is removed, the connection of the node 201 may be blocked because the previously generated data flow is also removed.

The session table 316 is a table for managing sessions created between the access control application 211 or the target applications 212 and 213 and the gateway 203 . Also, the session table 316 is a table for managing sessions created between the access control application 211 or the target applications 212 and 213 and the service servers 205 and 206 . According to an embodiment, the session table 316 may be included in the data flow table 317, and information included in the session table 316 may be applied to the description of the data flow table 317 of FIG. 3 .

The data flow table 317 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the node 201 and the gateway 203 and the service servers 205 and 206 . Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 317 may include an application ID, a destination IP address, and/or a service port for identifying whether a data packet transmitted from a source is an authorized data packet. Since the target applications 212 and 213 of the node 201 can create sessions with one or more gateways 203 or service servers 205 and 206, the data flow table 317 is managed based on the control flow ID. It can be. In addition, the data flow table 317 includes whether or not a session has been created between the target applications 212 and 213 or the access control application 211 and the gateway 203 or the service servers 205 and 206, information related to the session (e.g., Session identification information) may be included. In addition, the data flow table 317 may include state information including whether or not the data flow is valid and authorized destination information for determining whether data packets are forwarded based on source IP and destination IP and port information of the data packet. can

According to an embodiment, the data flow table 317 may be equally stored in the node 201 , the gateway 203 , or the service servers 205 and 206 .

4 shows a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, the node may further include a display 440 to interface with a user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.

The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the target applications 212 and 213 and the access control application 211 of FIG. 2 . The access control application 211 may perform network connection and session creation with the gateway 203 or service servers 205 and 206 and control flow creation and update functions with the controller 202 . To this end, the access control application 211 may include one or more security modules. In one embodiment, the target applications 212 and 213 may include one or more security modules for session creation with the gateway 203 or service servers 205 and 206 .

According to an embodiment, the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the data flow table 317 described in FIG. 3 .

The communication circuit 430 establishes a wired or wireless communication connection between the node and an external electronic device (eg, the controller 202, the gateway 203 or the service servers 205 and 206 of FIG. 2), and through the established connection. Communication can be supported. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

Meanwhile, a server (eg, a controller) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

Also, the gateway 203 according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the gateway 203 may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5 describes an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5 , the access control application 211 detects a request for network access to the first service server 205 from the first target application 212 included in the node 201, and the node 201 or the connection It is possible to determine whether the control application 211 is connected to the controller 202 . When the node 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block transmission of data packets in a kernel or network driver including an operating system. there is. Through the access control application 211, the node 201 may block access of malicious applications in advance in the application layer of the OSI layer.

In one embodiment, when the access control application 211 is not connected to the controller 202 or a session between the access control application 211 or the first target application 212 and the gateway 203 has not been created. , Data packets transmitted from the access control application 211 are blocked by the gateway 203 and the access control application 211 can only request access to the controller 202 .

In one embodiment, unauthorized data packets may be sent from node 201 if access control application 211 is not installed on node 201 or if a malicious application bypasses control of access control application 211. . In this case, since the gateway 203 present at the boundary of the network blocks data packets that are received as unauthorized sessions and data packets that do not have a data flow, the data packets transmitted from the node 201 (e.g., TCP session creation) The data packet for) may not reach the first service server 205. In other words, node 201 can be isolated from first service server 205 .

In one embodiment, the access control application 211 detects a network connection request to the second service server 206 from the second target application 213 included in the node 201, and the node 201 or the access control It is possible to determine whether the application 211 is connected to the controller 202 . When the node 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block transmission of data packets in a kernel or network driver including an operating system. there is.

In one embodiment, the connection control application 211 is not connected to the controller 202 or a session between the connection control application 211 or the second target application 213 and the second service server 206 is created. If not, the data packet transmitted from the access control application 211 is blocked by the second service server 206 and the access control application 211 can only request access to the controller 202 .

6 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby 201) can try to connect to the controller.

According to an embodiment, the gateway or server 210 of FIG. 6 may include the gateway 203 and service servers 205 and 206 of FIG. 2 .

Referring to FIG. 6 , node 201 may detect a controller connection event. For example, when the connection control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.

At operation 605 , node 201 may request controller connection from controller 202 . For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202 . Additionally, the access control application 211 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 610, the controller 202 may identify whether or not the controller connection request (eg, the access control application 211 or the node 201) is accessible. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.

If the connection is possible, at operation 615 , the controller 202 may create a control flow between the node 201 (or the connection control application 211 ) and the controller 202 . In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 into a control flow table ( 315) can be stored. Information stored in the control flow table 315 may be used for user authentication of the node 201 , information update of the node 201 , policy check for network access of the node 201 , and/or validation.

In operation 620, the controller 202 connects from the access policy database 311 and the session policy database 312 corresponding to the identified information (eg, node 201 and source network information to which the node 201 belongs). Whitelist information of possible applications can be created. In one embodiment, the controller 202 may send the application white list to the connection control application 211 at operation 625 .

In operation 625 , the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller access is unavailable or is included in the blacklist, the controller 202 may transmit access unavailability information in operation 625 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 620 to the connection control application 211 .

At operation 630, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . The access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.

At operation 635 , the access control application 211 may transmit the application check result to the controller 202 . For example, the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .

In operation 640, the controller 202 may check whether the application is valid based on the received application information. If it is a valid application, the controller 202 is a gateway or service server where the node 201 is located in the access policy database 311 and the session policy database 312 to allow access of the node 201 connected to the network. 210) can be found. In addition, the controller 202 may generate a data flow based on source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure.

The controller 202 may transmit the generated data flow to the gateway or server 210 and the access control application 211 (operations 645 and 650).

In operation 655, the access control application 211 may process the resulting value according to the received response. For example, the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that the controller connection is impossible in operation 625 without generating a control flow in operation 615 . Also, in this case, operations 630 to 650 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 605 again.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

According to an embodiment, when it is determined that the application does not need to be inspected, operations 630 to 650 may not be performed.

7 illustrates a signal flow diagram for user authentication according to various embodiments.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 211 of the node 201 may authenticate the user of the node 201 from the controller 202 .

Referring to FIG. 7 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication. In this case, the access control application 211 of the node 201 may request user authentication from the controller 202 in operation 705 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with control flow identification information.

At operation 710 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database of FIG. 3). 311 or the blacklist database 314), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.

If the user is authenticated, in operation 715, the controller 202 may add user identification information (eg, user ID) to identification information of the control flow. The added user identification information can be used for the authenticated user's controller access or network access.

The controller 202 may generate accessible application information based on the access policy database 311 or the session policy database 312 in operation 720 . For example, the accessible application information may be an application whitelist generated based on an access policy.

In operation 725, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In addition, the controller 202 may transmit accessible application information to the access control application 211 .

At operation 730, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . The access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.

At operation 735 , the access control application 211 may send the application check result to the controller 202 . For example, the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .

In operation 740, the controller 202 may check whether the application is valid based on the received application information. If it is a valid application, the controller 202 is a gateway or service server where the node 201 is located in the access policy database 311 and the session policy database 312 to allow access of the node 201 connected to the network. 210) can be found. In addition, the controller 202 may generate a data flow based on source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure.

The controller 202 may transmit the generated data flow to the gateway or server 210 and the access control application 211 (operations 745 and 750).

In operation 755, the access control application 211 may process the resulting value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen indicating completion of user authentication to the user. When user authentication is complete, the request for network access of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that user authentication of node 201 is not possible. For example, if identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect user identification information in operation 715 and may transmit a response indicating that access to the controller is impossible in operation 725 . Also, in this case, operations 730 to 750 may not be performed.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

According to an embodiment, operations 730 to 750 may not be performed when the application test is not required.

8 shows a signal flow diagram for network access according to various embodiments.

After node 201 is authorized by controller 202, node 201 controls the network access of other applications stored in node 201 through node 201's access control application 211 to provide trusted data. delivery can be guaranteed.

At operation 805 , the access control application 211 may detect a network connection event of another application stored in the node 201 (eg, the target applications 212 and 213 of FIG. 2 ).

In operation 810, the access control application 211 may check the existence of a data flow corresponding to identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, if a data flow exists, the access control application 211 may transmit a data packet based on the data flow. According to the embodiment, the access control application 211 of the node 201 may perform a network access request in operation 815 without performing operation 810 .

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time expires and renewal is required, in operation 815, the access control application 211 may request the controller 202 to access the network. For example, the network access request may include target application identification information, control flow identification information, destination network identification information, and port information.

In operation 820, the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. According to an embodiment, the controller 202 may check whether the target application can access the gateway or service server 210 . Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when the network connection is unavailable (operation 835).

If access is possible, in operation 825, the controller 202 may check whether session creation between the node 201 and the gateway or service server 210 is possible based on the session policy.

When session creation is possible, the controller 202 may check whether a valid data flow corresponding to identification information and port information of the destination network exists in the data flow table. According to the embodiment, if a valid data flow exists in the data flow table, the controller 202 may transmit the corresponding data flow to the gateway or server 210 and the access control application 211 (operations 830 and 835). According to another embodiment, when a valid data flow does not exist, based on source IP, destination IP and port information so that the target application or access control application 211 can create a session with the gateway or service server 210. You can create data flows. In this case, the controller 202 may transmit the generated data flow to the gateway or server 210 and the access control application 211 (operations 830 and 835). According to another embodiment, when network access is impossible or it is impossible to create a session, the controller 202 may transmit a network connection failure result to the connection control application 211 in operation 835 .

At operation 840 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, when the connection control application 211 receives a network connection failure result from the controller 202, it may drop a data packet to be transmitted by the target application. For another example, when a data flow is received from the controller 202, the access control application 211 may transmit a data packet based on the received data flow.

In one embodiment, after performing operation 810, the access control application 211 may perform validation on the access application according to the validation policy. For example, the access control application 211 may further perform an integrity and stability test of the access application (forgery or tampering test, code signing test, fingerprint test, etc.). The access control application 211 may perform operation 815 when the validation result is successful.

9 illustrates a signal flow diagram for session processing according to data packet reception according to various embodiments.

The connection control application 211 of the node 201 examines the data packet received after the initial network connection is allowed from the controller 202 to determine whether a session has been created, and transmits session identification information to the controller 202 normally. You can check whether session creation is complete.

Referring to FIG. 9 , at operation 905 , connection control application 211 of node 201 may detect a data packet reception event. For example, the connection control application 211 may detect that a real data packet is received after the initial network connection is allowed.

In operation 910, the access control application 211 may check existence of a data flow corresponding to the data packet. For example, the access control application 211 may check the existence of a data flow corresponding to the received data packet and the target application. Depending on the embodiment, if the data flow does not exist or if the data flow exists but is not valid, the access control application 211 may drop the data packet.

Depending on the embodiment, if a valid data flow exists, the access control application 21 may check whether a session included in the data flow is checked. For example, if the session test needs to be checked, the access control application 211 may perform operation 915 . For another example, if the session check is unnecessary, the access control application 211 may receive and process the data packet.

At operation 915, the connection control application 211 may examine the data packet. For example, the access control application 211 may check whether session identification information is included in the data packet. Depending on the embodiment, if the session identification information in the data flow being stored in the node 201 does not exist (if it is new session identification information), if it is session identification information different from the previous one, the access control application 211 is the controller ( 202) may perform a data flow update request including session identification information (operation 920). According to embodiments, the data flow update request may include data flow identification information and session identification information. According to another embodiment, the data flow update request may include target application identification information, destination network identification information, and session identification information. Depending on the embodiment, when the session identification information included in the data flow and the session identification information included in the data packet are the same, the access control application 211 may receive and process the data packet.

In operation 925, the controller 202 may determine whether to check the session identification information based on the session policy (eg, the session policy database 312 of FIG. 3). For example, if it is determined not to check the session identification information, the controller 202 updates the session identification information in the data flow, updates the session creation status to creation completion, and updates the updated data flow to the access control application 211 ) and may be transmitted to the gateway or server 210 (operation 930).

For another example, when it is determined to check the session identification information, the controller 202 checks the session identification information received from the gateway or server 210, and the session identification information received from the gateway or server 210 is connected. It is possible to check whether it is the same as the session identification information received from the control application 211 . Depending on the embodiment, if the session identification information is identical to each other, the controller 202 updates the session identification information in the data flow, updates the session creation state to creation completion, and transfers the updated data flow to the access control application 211 and the gateway Alternatively, it may be transmitted to the server 210 (operation 930). Depending on the embodiment, if the session identification information is not the same, the controller 202 deletes the corresponding data flow and returns connection failure information to the access control application 211 so that the node 201 can no longer transmit data packets. It can be controlled so that it does not (operation 930). According to another embodiment, if the session identification information received from the gateway or server 210 does not exist, the controller 202 updates the session identification information in the data flow based on the session identification information received from the node 201. The session creation state may be updated to creation completion, and the updated data flow may be transmitted to the access control application 211 and the gateway or server 210 (operation 930).

In operation 935, the access control application 211 may process a result value of a response received from the controller 202. For example, when an updated data flow is received, the access control application 211 may update a pre-stored data flow with the corresponding data flow. For another example, the access control application 211 may drop the data packet and remove the data flow when access failure information is received.

Then, when transmitting the data packet, the access control application 211 may transmit the data packet through the session based on the updated data flow.

10 illustrates a signal flow diagram for session processing according to reception of a service processing request in a gateway or server according to various embodiments.

Upon receiving the service processing request, the gateway or server 210 checks the service processing request to determine whether a session has been created, and transmits session identification information to the controller 202 to confirm whether the session creation is normally completed.

Referring to FIG. 10 , in operation 1005, the gateway or server 210 may detect a service processing request reception event. For example, the gateway or server 201 may receive a service processing request including one or a plurality of data packets.

In operation 1010, the gateway or server 210 may check existence of a data flow corresponding to the service processing request. For example, the gateway or server 210 includes the source IP included in 5 Tuples information of the IP of the received service processing request. It can be checked whether a data flow corresponding to the destination IP and destination port exists. Depending on the embodiment, if a data flow does not exist or an invalid data flow exists, the gateway or server 210 may drop the service processing request or redirect the service processing request to the destination IP and port specified in the data flow. can

If a valid data flow exists, the gateway or server 210 may check whether a session included in the data flow is checked. For example, if the session check needs to be checked, the gateway or server 210 may perform operation 1015 through a session processing application (eg, a proxy or a service application server). For another example, if the session check is unnecessary, the gateway or the server 210 may receive and process the service processing request.

At operation 1015, the gateway or server 210 may examine the service processing request. For example, the gateway or server 210 determines whether the session identification information is included in the service processing request or the session identification information is included in the service processing request result through the session processing application (eg, proxy or service application server). You can check.

Depending on the embodiment, if the session identification information in the data flow being stored in the gateway or server 210 does not exist (new session identification information), if the session identification information is different from the previous one, the gateway or server 210 A data flow update request including session identification information may be requested to the controller 202 (operation 1020). According to embodiments, the data flow update request may include data flow identification information and session identification information. According to another embodiment, the data flow update request may include target application identification information, destination network identification information, and session identification information. Depending on the embodiment, when the session identification information included in the data flow and the session identification information included in the service processing request are the same, the gateway or server 210 may receive and process the service processing request.

In operation 1025, the controller 202 may determine whether to check the session identification information based on the session policy (eg, the session policy database 312 of FIG. 3). For example, if it is determined not to check the session identification information, the controller 202 updates the session identification information in the data flow, updates the session creation status to creation completion, and updates the updated data flow to the access control application 211 ) and may be transmitted to the gateway or server 210 (operation 1030).

For another example, if it is determined to check the session identification information, the controller 202 checks the session identification information received from the node 201, and the session identification information received from the gateway or server 210 is the node 201 ), it is possible to check whether it is the same as the session identification information received from. Depending on the embodiment, if the session identification information is identical to each other, the controller 202 updates the session identification information in the data flow, updates the session creation state to creation completion, and transfers the updated data flow to the access control application 211 and the gateway Alternatively, it may be transmitted to the server 210 (operation 1030). Depending on the embodiment, if the session identification information is not the same, the controller 202 deletes the corresponding data flow and returns connection failure information to the gateway or server 210 so that the gateway or server 210 can no longer send data packets. It is possible to control not to transmit (operation 1030). According to another embodiment, if the session identification information received from the node 201 does not exist, the controller 202 updates the session identification information in the data flow based on the session identification information received from the gateway or server 210. The session creation state may be updated to creation completion, and the updated data flow may be transmitted to the access control application 211 and the gateway or server 210 (operation 1030).

In operation 1035, the gateway or server 210 may process the result value of the response received from the controller 202. For example, when an updated data flow is received, the gateway or server 210 may update a data flow pre-stored with the corresponding data flow. For another example, the gateway or the server 210 may drop the service processing request and remove the data flow when connection failure information is received.

11 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 11 , in operation 1105, the access control application 211 may detect a control flow update event.

In operation 1110, the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.

In operation 1115, the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (eg, when the connection is disconnected by another security system, when the connection is disconnected by its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1120).

The controller 202 may update the update time when a control flow exists in the control flow table (eg, the control flow table 315 of FIG. 3 ). In this case, the controller 202 may transmit identification information of the updated control flow to the connection control application 211 (operation 1120).

In one embodiment, the controller 202 is required to perform re-authentication among data flows subordinate to the identified control flow, or if there is a data flow to which access is no longer possible, the controller 202 transmits information about the corresponding data flow to an access control application ( 211) (operation 1120).

At operation 1125 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, the access control application 211 may block all network accesses of applications when the control flow update result is impossible. For another example, the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.

12 illustrates a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 12 , in operation 1205, the node 201 terminates the node 201, terminates the access control application 211, terminates the target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1210, node 201 or access control application 211 may request controller 202 to remove the control flow.

In operation 1215, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1220, the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1225, the controller 202 may request the gateway or server 210 to remove all data flows dependent on the removed control flow. In this case, the gateway or server 210 may control the application to transmit no more data packets by removing the data flow and the session.

13 illustrates a signal flow diagram for termination of application execution according to various embodiments.

Referring to FIG. 13 , in operation 1305, the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution end event.

Depending on the embodiment, the access control application 211 may check whether a data flow corresponding to terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

At operation 1310 , the connection control application 211 may issue a data flow removal request to the controller 202 . For example, the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and may perform a data flow removal request.

In operation 1315, the controller 202 may delete the data flow requested to be removed. Also, the controller 202 may perform a removal request for the removed data flow to the gateway or server 210 . Accordingly, data packets corresponding to source network, destination network, and port information included in the removed data flow cannot be transmitted any more. In addition, the gateway or server 210 may provide a state in which the corresponding application cannot transmit data packets to the destination any more by removing the session corresponding to the data flow.

14 is a flowchart of a method of operating an access control application installed in a node according to various embodiments. According to an embodiment, the operations shown in FIG. 14 may be performed through the access control application 211 of the node 201 of FIG. 2 .

Referring to FIG. 14 , at operation 1405 , the connection control application 211 may receive a data packet.

In operation 1410, the access control application 211 may check existence of a data flow corresponding to the received data packet and authorized from an external server.

In operation 1415, the access control application 211 may check whether session identification information is included in the data packet if the data flow exists.

In operation 1420, the access control application 211 may receive a data flow in which session identification information is updated from an external server.

At operation 1425, the access control application 211 may transmit a data packet based on the updated data flow.

15 is a flowchart illustrating a method of operating a server according to various embodiments. Depending on the embodiment, the operations shown in FIG. 15 may be performed through the controller 202 of FIG. 2 .

Referring to FIG. 15 , in operation 1505, the server may receive a first data flow update request. For example, the server may receive a first data flow update request from a node, and the first data flow update request may include first session identification information.

In operation 1510, the server may determine whether to check the first session identification information. For example, the server may determine whether to check the first session identification information based on a session policy included in the database. According to embodiments, when the first session identification information is not checked, the server may update the data flow based on the first session identification information (operation 1515).

When checking the first session identification information, in operation 1520, the server may check whether the first session identification information is the same as the second session identification information received from the gateway or the service server. According to an embodiment, when the first session identification information and the second session identification information are not identical, the server may transmit an update failure result to the node (operation 1525).

When the first session identification information and the second session identification information are the same, in operation 1530, the server may update the data flow. For example, the server may update the first session identification information to the data flow, and update the session creation status of the data flow to complete creation.

At operation 1535, the server may transmit the updated data flow to the node, gateway or service server.

16 is a flowchart of a method of operating a gateway according to various embodiments. Depending on the embodiment, the operations shown in FIG. 16 may be performed through the gateway 203 of FIG. 2 .

Referring to FIG. 16 , in operation 1605, the gateway 203 may receive a service processing request. For example, a service processing request may include one or a plurality of data packets.

In operation 1610, the gateway 203 may confirm existence of a data flow corresponding to the service processing request and authorized from the external server.

In operation 1615, if the data flow exists, the gateway 203 may check whether session identification information is included in the service processing request.

In operation 1620, the gateway 203 may perform a data flow update request including session identification information to the external server.

In operation 1625, the gateway 203 may receive a data flow in which session identification information is updated from an external server.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (18)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operatively connected to the processor and storing a connection control application and a target application, wherein the memory, when executed by the processor, causes the node to:
Receive a data packet through the access control application;
Performing a data flow update request including session identification information to the external server based on existence of a data flow corresponding to the received data packet and authorized from an external server and whether session identification information is included in the data packet do,
and storing instructions for transmitting the data packet based on a data flow in which the session identification information received from the external server is updated. The method of claim 1, wherein the instructions are the node,
If the data flow does not exist, drop the data packet through the access control application;
If the data flow exists, check whether or not the session included in the data flow is checked through the access control application;
If the session check needs to be checked, check whether the session identification information is included in the data packet;
A node configured to receive and process the data packet when the session check is unnecessary. The method of claim 1, wherein the instructions are the node,
The session identification information is included in the data packet,
If the session identification information is not included in the data flow or is session identification information that is different from the previous one, causes the external server to perform the data flow update request. The method of claim 1, wherein the instructions are the node,
Detecting a network access event of the target application through the access control application;
Performing a network access request to the external server, including control flow identification information generated with the external server, identification information of the target application, and identification information of a service server;
Receive a data flow generated from the external server;
The data flow is generated from the external server based on whether it is possible for the target application to access the service server and whether it is possible to create a session between a gateway or the service server and the node. According to claim 1,
The data flow includes the session identification information and a creation state of the session. The method of claim 1, wherein the instructions are the node,
When performing the data flow update request to the external server through the access control application,
The node that transmits the identification information of the data flow and the session identification information to the external server, or transmits the identification information of the network from which the data packet was received and the session identification information. The method of claim 1, wherein the instructions are the node,
Performs a controller access request to the external server through the access control application, the controller access request includes identification information of the node or identification information of the access control application,
Receiving control flow identification information from the external server;
Receive an application whitelist from the external server;
The application whitelist is generated based on the session policy of the external server. The method of claim 1, wherein the instructions are the node,
Detect termination of the target application through the access control application;
Check whether a data flow corresponding to the target application exists;
A node that causes the external server to request identification information of a data flow corresponding to the target application or data flow removal including the identification information of the target application. in the server,
communication circuit;
a memory for storing a database; and
a processor in operative connection with the communication circuitry and the memory, the processor comprising:
Receiving a first data flow update request from an access control application of a node, the first data flow update request including first session identification information;
Determine whether to check the first session identification information based on the database;
When checking the first session identification information, it is checked whether the first session identification information is the same as the second session identification information received from the gateway or the service server, and the first session identification information and the second session identification information are checked. update the data flow if the information is the same;
When the first session identification information is not checked, updating the first session identification information and a session creation state in the data flow;
A server configured to transmit the updated data flow to the node, the gateway or the service server. The method of claim 9, wherein the processor,
Receive a network access request from the access control application, the network access request including identification information of a target application of the node and identification information of a destination network;
determining whether the target application can be accessed based on the database;
If the target application is accessible, check whether session creation between the node and the gateway or the service server is possible based on the database;
Creating a data flow so that the node can create a session with the gateway or the service server;
and transmit the data flow to the access control application. The method of claim 9, wherein the processor,
If the first session identification information is not identical to the second session identification information, delete the data flow;
The server configured to update the data flow based on the first session identification information when the second session identification information does not exist. The method of claim 9, wherein the processor,
receiving a second data flow update request from the gateway or the service server, the data flow update request including the second session identification information;
Determining whether to check the second `session identification information based on the database;
When checking the second session identification information, whether the second session identification information is identical to the first session identification information, and if the second session identification information and the first session identification information are identical, data flow update the
When the second session identification information is not checked, updating the second session identification information and a session creation state in the data flow;
A server configured to transmit the updated data flow to the node, the gateway or the service server. The method of claim 12, wherein the processor,
If the second session identification information is not identical to the first session identification information, delete the data flow;
The server configured to update the data flow based on the second session identification information when the first session identification information does not exist. in the gateway
communication circuit;
a memory for storing a database; and
a processor in operative connection with the communication circuitry and the memory, the processor comprising:
Receive service processing requests;
confirming the existence of a data flow corresponding to the service processing request and authorized from an external server;
If the data flow exists, check whether session identification information is included in the service processing request.
When the session identification information is included in the service processing request, performing a data flow update request including the session identification information to the external server;
A gateway configured to receive a data flow in which the session identification information is updated from the external server. The method of claim 14, wherein the processor,
If the data flow does not exist, drop the service processing request;
configured to check whether the service processing request includes the session identification information;
The service processing request includes one or a plurality of data packets. The method of claim 14, wherein the processor,
The session identification information is included in the service processing request,
and if the session identification information is not included in the data flow or is session identification information different from the previous one, perform a data flow update request to the external server. In the operating method of the access control application stored in the node,
receiving a data packet;
Performing a data flow update request including session identification information to the external server based on existence of a data flow corresponding to the received data packet and authorized from an external server and whether session identification information is included in the data packet doing;
transmitting the data packet based on a data flow in which the session identification information received from the external server is updated; Including, method. In the method of operating the server,
Receiving a first data flow update request from an access control application of a node, the first data flow update request including first session identification information;
determining whether to check the first session identification information based on a database;
When checking the first session identification information, checking whether the first session identification information is identical to second session identification information received from a gateway or a service server;
updating a data flow when the first session identification information and the second session identification information are the same;
updating the first session identification information and a session creation state in the data flow when the first session identification information is not checked; and
transmitting the updated data flow to the node, the gateway or the service server; Including, method.

Images