KR102517981B1 - System for controlling network access based on application inspection and method of the same - Google Patents

Abstract

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a target application and an access control application; the memory, when executed by the processor, causes the node, through the access control application, to perform a check for the target application based on a data flow received from an external server or an application whitelist received from the external server; Commands for transmitting a test result for the target application to the external server may be stored, and the data flow and the application whitelist may include application check information generated by the external server.

Description

System for controlling network access based on application inspection and method therefor

Embodiments disclosed in this document relate to a system and method for controlling network access based on application inspection.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

Conventionally, vaccines and malware detection tools have been used to detect and treat risks such as various malware and viruses introduced through removable storage media (floppy disks, USB disks, etc.) or networks such as the Internet.

Antivirus and malware detection tools substitute each file or memory area based on a pre-stored pattern to detect malware and viruses, and when the pattern matches, the execution of the corresponding file is stopped or the file is removed to prevent malware from being embedded. It is possible to prevent the risk from multiplying or causing damage to the terminal any more.

Due to the development of malware technology, new patterns that bypass pattern detection techniques are created, or malware detection tools are incapacitated by making patterns undetectable through self-encryption.

Existing malware has been distributed for the purpose of showing off, but with the development of virtual currency (e.g., Bitcoin), the establishment of a hacking economy in which hacking can be monetized leads to leakage of important information or hostage of important information through malware. Various security incidents caused by ransomware are rapidly increasing.

In order to solve the above problems, technologies such as EDR (Endpoint Detection Response) exist. EDR detects various malware through execution and behavior tracking of various files and applications on the terminal, isolates the terminal on which malware is detected, or detects malware. can be prevented from propagating to other terminals connected to the network and at the same time respond to the overall risk of how malware is introduced into the terminal.

However, since hundreds of applications are running on the terminal and a large amount of file I/O (Input/Output) occurs in real time, the EDR technology that tracks and inspects a wide area is limited by the physical computing power of the terminal. Since there is a limit that must operate within a range that does not impede user experience from the perspective of the user and the user, the sensitivity of detecting malware is inevitably lowered, and the evolution of malware that bypasses these problems and EDR cannot solve Blind spots may occur.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a target application and an access control application; the memory, when executed by the processor, causes the node, through the access control application, to perform a check for the target application based on a data flow received from an external server or an application whitelist received from the external server; Commands for transmitting a test result for the target application to the external server may be stored, and the data flow and the application whitelist may include application check information generated by the external server.

A server according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, the memory comprising the processor When executed by the server, the server receives a network access request for a destination network from an access control application of a node, and the network access request includes identification information of a target application of the node trying to access the destination network and identification of the destination network. information, and based on whether the network access request includes the test result for the target application, generate a data flow including application test information or check whether the test result is normal. It can be.

A method of operating an access control application stored in a node according to an embodiment disclosed in this document includes a data flow received from an external server or an application whitelist received from the external server through the access control application for a target application. The method may include performing inspection and transmitting a inspection result of the target application to the external server, and the data flow and the application whitelist may include application inspection information generated by the external server.

According to the embodiments disclosed in this document, it is possible to solve the problem of setting and retrieving policies and to prevent an indirect attack compared to a wide range of IP address-based network security technologies such as NAC.

In addition, according to the embodiments disclosed in this document, since a man in the middle attack (MITM) attack can be blocked in a zero trust network environment, tunnel-based access control can be performed compared to a VPN that only provides section protection.

In addition, according to the embodiments disclosed in this document, problems inherent in TCP/IP-based network security technology can be solved and secure network connection can be provided.

In addition, according to the embodiments disclosed in this document, an attack that generates and propagates a large amount of practical risk with malware attempts to access a network in order to achieve a virtual currency-based hacking economy for reaching an agreement with an object capable of payment. When a network connection is established, malware can be efficiently detected based on the characteristics that accompany the process of spreading malware or stealing and holding hostage important information of the connected target.

In addition, according to the embodiments disclosed in this document, even if it is an allowed application, the application is counterfeited or tampered with, or the act of attempting network access through a detour path, such as attempting network access by executing a file infected with malicious code can block

In addition, according to the embodiments disclosed in this document, it is possible to provide a data flow-based network access control technology that utilizes the characteristic that malware accompanies network access, and it is possible to attempt network access through a detour path. It is possible to solve the problem of tracking a wide range of objects of a terminal inherent in EDR technology.

In addition, according to the embodiments disclosed in this document, in the process of checking whether network access is allowed by identifying applications that are allowed to access the network or by identifying applications that attempt network access, the target applications for network access are identified and The application can be intensively inspected.

In addition, according to the embodiments disclosed in this document, unlike EDR technology that needs to inspect a wide range of terminal targets, malware utilizes the characteristics of network access to propagate a substantial risk, so that only malware attempting network access is identified. Therefore, it is possible to solve the problem of limiting terminal resources and deteriorating user experience caused by inspecting a wide range of objects.

In addition, according to the embodiments disclosed in this document, it is possible to reduce the detection probability and bypass probability of malware by applying more various inspection techniques and patterns instead of intensively inspecting only the network connection target application.

In addition, according to the embodiments disclosed in this document, since malware in the process of attempting network access is a step of attempting to propagate actual danger, the probability for determining whether or not malware is very high, Combined with probability, it can provide a powerful malware detection factor.

In addition, according to the embodiments disclosed in this document, by blocking network access of a terminal where malware is detected, it is possible to prevent malware from accessing the network and spreading danger in advance, and at the same time, even if access is allowed, access is not allowed. Allowed applications can be continuously monitored and if a risk is detected, the application can be disconnected from the network to prevent the risk from spreading.

In addition, according to the embodiments disclosed in this document, a terminal or user is regarded as a state in which malicious behavior can continue through access attempts and blocking, release counts and intervals, and risk scoring (scoring), and the controller By denying access or user authentication, it is possible to provide a network isolation element that fundamentally blocks access to a target service network, and at the same time, it is possible to prevent danger from propagating to terminals in the same network segment.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 shows an environment including a plurality of networks.
2 illustrates an architecture within a network environment according to various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
4 shows a functional block diagram of a node in accordance with various embodiments.
5 describes an operation of controlling transmission of a data packet according to various embodiments.
6 shows a signal flow diagram for controller connection according to various embodiments.
7 illustrates a signal flow diagram for user authentication according to various embodiments.
8 shows a signal flow diagram for network access according to various embodiments.
9 illustrates a signal flow diagram for an application check request according to various embodiments.
10 shows a signal flow diagram for control flow update according to various embodiments.
11 illustrates a signal flow diagram for disconnection according to various embodiments.
12 illustrates a signal flow diagram for termination of application execution according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, but to cover various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101 . In FIG. 1 and embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, source node 101 may include a server or gateway capable of transmitting data packets through an application. The source node 101 may also be referred to as 'electronic device' or 'terminal'. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101 . For another example, the destination node 102 can be substantially the same as the destination network.

The source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 . The source node 101 may transmit data to the destination node 102 via the gateway 103 .

If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.

The starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission. When the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable. In addition, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20. can

2 illustrates an architecture within a network environment according to various embodiments.

Referring to FIG. 2 , a node 201 may be various types of devices capable of performing data communication. For another example, the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, node 201 may include a server or gateway capable of transmitting data packets through an application. The node 201 may also be referred to as an 'electronic device' or a 'terminal'.

Node 201 may store target application 212 and access control application 211 . The target application 212 may transmit a data packet to the service server 205 through the gateway 203 under the control of the access control application 211 or, conversely, may receive the data packet. As some of the target applications 212 may be trusted and/or secured applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, the network access system according to embodiments may be Through the network access control of the access control application 211 , access to the service server 205 of an unauthorized program (application) may be blocked and the corresponding program may be quarantined. For example, before the target application 212 according to the embodiments communicates with the service server 205 , the access control application 211 may check from the controller 202 whether access is possible. If access is possible, the access control application 211 may control data packet transmission of the target application 212 . That is, in order for the target application 212 to access the network, it must go through the access control application 211, and the access control application 211 must be authorized from the controller 202, and the access control application 211 must pass through the target application 212. ) can be transmitted based on the data flow based on the policy of the controller 202.

The controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the node 201, the gateway 203, and the service server 205. For example, the controller 202 may allow the network access of the authorized node 201 (or the access control application 211) through policy information or blacklist information. The controller 202 may provide information enabling the creation of a channel between the node 201 and the gateway 203. Thus, the access control application 211 of the node 201 can prevent disallowed applications from sending data packets for disallowed purposes, and only allowed data packets through the gateway 203 and the created channel. A structure that can be transmitted to this service server 205 can be provided. In addition, the controller 202 may be connected to the harmful application inspection system 206 to provide a structure for checking whether or not there is a harmful application.

According to the embodiment, network access of the target application 212 may be blocked from the access control application 211 , the controller 202 or the gateway 203 . According to one embodiment, the controller 202 is an access control application (eg, registration, authorization, authentication, renewal, termination) associated with network access of the node 201 or access control application 211. 211) and control data packets can be transmitted and received. A flow through which the control data packet is transmitted (eg, 220) may be referred to as a 'control flow'. According to an embodiment, the controller 202 can maintain a secure network state at all times by immediately recovering a channel according to a security event received from an interworking system (eg, node 201, gateway 203, or service server 205). there is.

The gateway 203 may be located at a boundary of a network to which the node 201 belongs or a boundary of a network to which the service server 205 belongs. According to one embodiment, the gateway 203 may be connected to the controller 202 based on a cloud. According to the embodiment, the gateway 203 may relay communication with the service server 205 through the proxy 213 of the data packet received through the authorized channel, and the service server 205 receives the received data from the authorized target. It can provide a structure that allows processing of requested service requests. According to the embodiment, a flow in which data packets are transmitted between the access control application 211 and the gateway 203 may be referred to as a 'data flow'. Data flows can be created in granular units (eg applications) as well as nodes or IP units.

According to the embodiment, the connectivity control technology utilizing a channel creates a channel with the gateway 203 in order for the target application 212 to access the service server 205, and the access control application (existing in the node 201) 211) can prevent disallowed applications from transmitting data packets to disallowed destinations, and provides a structure for transmitting only permitted data packets to the service server 205 through a channel created between gateways 203. can do.

According to various embodiments, node 201 may include a connection control application 211 and a network driver (not shown) for managing the network connection of a target application 212 stored in node 201 . For example, when an access event for the service server 205 of the target application 212 included in the node 201 occurs, the access control application 211 may determine whether the target application 212 can be accessed. . If the target application 212 is accessible, the access control application 211 may send a data packet to the gateway 203 . The access control application 211 may control transmission of data packets through a kernel including an operating system and a network driver within the node 201 .

3 is a functional block diagram illustrating a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.

Since the administrator can connect to the controller 202 and set connection-oriented policies to control access between the access control application 211 and the service server 205, network access is more detailed and secure than session management at the service level. can control.

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202, when requesting network access from the access control application 211, identifies a network based on a policy of the access policy database 311 (eg, a network to which the node 201 belongs), a node, A user (eg, a user of the node 201) and/or an application (eg, a target application 212 included in the node 201) may determine whether access to the service server 205 is possible. According to this, the controller 202 may create a whitelist of target applications 212 accessible to a specific service (eg, IP and port) based on the access policy database 311 .

The channel policy database 312 collects gateway (eg, gateway 203 of FIG. 2) information existing between service servers (eg, service server 205 of FIG. 2) on a connection path according to a policy. can include For example, the channel policy database 312 includes a series of information (authentication information, encryption algorithm, tunnel endpoint, etc.) required for channel creation with the gateway 203 and a channel pre-connected through another gateway between an access path. If so, it can include a series of information for use (such as collection of IP information allocated to nodes and whether or not to process alternatives).

The blacklist policy database 313 is a target (e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID) may indicate a blacklist registration policy for blocking access. In addition, the blacklist policy database 313 may be used as information for determining a risk level of an application according to an application inspection result and whether to temporarily or permanently quarantine the application according to the risk level.

The blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 . For example, the controller 202 may isolate the node 201 by rejecting the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .

The control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between the node 201 and the controller 202 . When accessing the controller 202 is successful, control flow information may be generated by the controller 202 . The control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID. For example, when access to the service server 205 is requested from the node 201, the controller 202 may search for control flow information through control flow identification information received from the node 201, and the searched control flow Whether the node 201 can access the service server 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the access policy database 311, data flow for data packet transmission It can be judged (determined) whether it is created or not.

According to one embodiment, a control flow may have an expiration time. The node 201 needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate disconnection is necessary according to the security event collected from the node 201 , the controller 202 may remove the control flow according to the connection termination request of the node 201 . When the control flow is removed, the connection of the node 201 may be blocked because the previously generated data flow is also removed.

The channel table 316 may include a list of channels created between the node 201 and the gateway 203 .

The data flow table 317 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the node 201 and the gateway 203 and the service server 205 . Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 317 may include data flow information for managing channels and sessions of an application (eg, target application 212) of the node 201, the gateway 203, and the service server 205. The data flow table 317 may include an application ID, a destination IP address, and/or a service port for identifying whether a data packet transmitted from a source is an authorized data packet. The data flow table 317 may be managed based on control flow IDs.

In addition, the data flow table 317 may include state information including whether or not the data flow is valid and authorized destination information for determining whether data packets are forwarded based on source IP and destination IP and port information of the data packet. can According to an embodiment, the data flow table 317 may further include information indicating whether a channel is created between the application and the gateway 203 .

According to the embodiment, the data flow table 317 is an execution or installation location of the application for checking the application, unique information of the application such as signature, fingerprint, hash, registry, etc., and a series of information for binary analysis of the application. , libraries referenced by the executable file, and a series of files or processes, and memory information. In addition, the data flow table 317 requests the node 201 for inspection conditions such as a malware detection tool or pattern database information for inspecting whether the application is safe, and the node 201 performs inspection based on the inspection result information. It may further include a series of information, inspection period, and timing information for checking whether or not is normally performed.

According to an embodiment, the data flow table 317 may be equally stored in the node 201 and the gateway 203 .

The application inspection policy database 318 may include information for checking whether an application allowing network access based on the access policy 311 is safe and not falsified or tampered with. For example, the application inspection policy database 318 inspects applications requesting network access from the node 201 to pose a constant risk of attack from unauthorized applications or dangerous applications (eg, malware, ransomware) of the node 201. Inspection information for determining whether or not the information is exposed may include application-specific information such as execution or installation locations of applications, signatures, fingerprints, hashes, and registries. In addition, the application inspection policy database 318 may include an executable file, a library referenced by the executable file, a series of files or processes, and memory information as a set of information for binary analysis of an application. In addition, the application inspection policy database 318 requests the node 201 for inspection conditions such as malware detection tools or pattern database information for inspecting whether the application is safe, and based on the inspection result information of the node 201, It may include policy information such as a series of information and inspection period and timing information for confirming whether the inspection has been performed normally.

The application table 319 may include application-specific information such as signature, fingerprint, hash, and registry for each application to be determined as a normal application and a series of information that can be expected upon application inspection. For example, the application table 319 includes information unique to a harmful application for which a pattern has been determined, and information for identifying whether the application is normal, abnormal, or harmful according to information as a result of examination by the node 201. can include

The harmful application inspection module 320 is included in a controller operated in the form of a simple inspection or AI (Artificial Intelligence) or operated in conjunction with an external system, and analyzes information as a result of inspection by the node 201 to determine whether or not it is a harmful application. It may be a module for judging.

4 shows a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, the node may further include a display 440 to interface with a user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.

The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the target application 212 and the access control application 211 of FIG. 2 . Also, the memory 420 may store the second target application 216 of FIG. 2 . The access control application 211 may perform control flow creation and update functions with the controller 202 . To this end, the access control application 211 may include one or more security modules.

According to an embodiment, the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the data flow table 317 described in FIG. 3 .

The communication circuit 430 establishes a wired or wireless communication connection between the node and an external electronic device (eg, the controller 202, gateway 203 or service server 205 of FIG. 2) and performs communication through the established connection. can support According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

A server (eg, controller) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A gateway (eg, the gateway 203 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5 describes an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5 , the access control application 211 detects a request for network access to the service server 205 from the target application 212 included in the node 201, and the node 201 or the access control application 211 ) can determine whether or not the controller 202 is in a connected state. When the node 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block transmission of data packets in a kernel or network driver including an operating system. there is. Through the access control application 211, the node 201 may block access of malicious applications in advance in the application layer of the OSI layer.

According to the embodiment, when the access control application 211 is not connected to the controller 202 or when a data packet to be transmitted is a data packet to be transmitted based on a channel but the corresponding channel does not exist, Data packets transmitted from the control application 211 are blocked by the gateway 203 and the access control application 211 can only request access to the controller 202 .

According to an embodiment, if the access control application 211 is not installed on the node 201 or if a malicious application bypasses the control of the access control application 211, unauthorized data packets may be transmitted from the node 201. . In this case, since the gateway 203 present at the boundary of the network blocks data packets for which the corresponding channel does not exist, the data packets transmitted from the node 201 (eg, data packets for TCP session creation) are sent to the service server ( 205) may not be reached. In other words, node 201 can be isolated from service server 205 .

6 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby 201) can try to connect to the controller. According to an embodiment, node 201 may be substantially the same as node 201 of FIG. 2 in which connection control application 211 is installed.

Referring to FIG. 6 , node 201 may detect a controller connection event. For example, when the connection control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.

At operation 605 , node 201 may request controller connection from controller 202 . For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202 . Additionally, the access control application 211 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 610, the controller 202 may identify whether or not the controller connection request (eg, the access control application 211 or the node 201) is accessible. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.

If the connection is possible, at operation 615 , the controller 202 may create a control flow between the node 201 (or the connection control application 211 ) and the controller 202 . In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 into a control flow table ( 315) can be stored. Information stored in the control flow table 315 may be used for user authentication of the node 201 , information update of the node 201 , policy check for network access of the node 201 , and/or validation.

In operation 620, the controller 202 is based on the identified information (e.g., node 201, source network information to which node 201 belongs) and corresponding access policy database 311 and channel policy database 312. By doing so, whitelist information of accessible applications can be created. Depending on the embodiment, the controller 202 determines whether there is destination network information to which the node 201 requesting the current connection can basically connect based on the identified information, the access policy database 311 and the channel policy database 312. You can check. In one embodiment, the controller 202 may send the application white list to the connection control application 211 at operation 625 .

According to an embodiment, when the application whitelist is generated, the controller 202 includes information for inspecting the application based on the application inspection policy database 318 (eg, the execution or installation location of the application, signature, fingerprint, hash) , Registry, etc., as a series of information for binary analysis of applications, executable files, libraries referenced by executable files, and a series of files or processes, memory information, and malware detection tools to check whether applications are safe or not. pattern database information, etc.) to create an application whitelist.

In addition, if access is possible, the controller 202 may list channel types and gateways to which the node 201 may be connected. For example, the controller 202 includes the type of node 201 included in the control flow in order for the node 201 to access the destination network, location information, environment, network information including the node 201, and the controller ( Based on at least one or a combination of two or more of the identification information (eg, IP information) of the node 201 identified through 202 and the identification information of the node 201 identified by the node 201, the node 201 You can list the types of channels and gateways that can be connected.

The controller 202 can check the status of the listed gateways, and can identify a channel optimized for the node 201 and the gateway 203 from among the listed gateways. For example, the controller 202 can identify one channel and one gateway 203 . According to the embodiment, when a channel and a gateway 203 accessible to the node 201 exist, the controller 202 generates a channel such as the gateway 203 and channel authentication information for the node 201 to create a channel. Information may be transmitted to node 201 (act 625).

According to the embodiment, it is not a structure in which a channel is created between the node 201 and the gateway 203, but through a pre-connected channel existing at the boundary between the gateway 203 present in the network to which the node 201 belongs and the destination network. In the case of an access structure or in the case of access through another channel technology between the node 201 and the destination network boundary, the controller 202 may not transmit channel creation information to the node 201 .

In operation 625 , the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller access is unavailable or is included in the blacklist, the controller 202 may transmit access unavailability information in operation 625 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 620 to the connection control application 211 .

In operation 630, the access control application 211, when channel creation is required (eg, when channel creation information is received from the controller 202), information for channel creation received from the controller 202 (eg, the gateway 203 ) and a series of information necessary for channel creation, such as channel authentication information), the gateway 203 may be requested to create a channel. The gateway 203 may create a channel in response to the channel creation request of the node 201 . According to the embodiment, when it is determined that channel creation is unnecessary by the controller 202 (eg, when channel creation information is not received from the controller 202 or when channel creation unnecessary information is received from the controller 202) etc.) The access control application 211 may perform operation 640 without performing operations 630 and 635 .

When a channel is created through operation 630, in operation 635, the access control application 211 may check whether a dedicated IP set according to channel creation completion information and channel creation exists. The access control application 211 may transmit channel creation completion information and dedicated IP information to the controller 202 (operation 645).

At operation 640, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . The access control application 211 may check whether an application exists (or is installed) in the node 201 based on the accessible application information, and performs each inspection based on the application inspection information included in the application whitelist. can be done

At operation 645 , the connection control application 211 may transmit the test results to the controller 202 . For example, the access control application 211 may transmit channel creation completion information and allocated channel identification information (IP information) to the controller 202 . For another example, the access control application 211 may transmit to the controller 202 a result of performing each inspection based on the application inspection information.

At operation 650, the controller 202 may perform inspection result and data flow processing. For example, when the channel creation completion information is received, the controller 202 stores the channel-only IP information allocated to the node 201 and the channel creation completion information in a channel table (eg, the channel table 316 of FIG. 3). It can be registered, and the information transmitted from the node 201 can be updated in the control flow corresponding to the node 201.

The controller 202 checks whether the application information is valid in the application table 319 according to the application inspection policy database 318 based on the received application inspection result, or is included in the controller 202 or the controller 202 Through a harmful application inspection module (eg, harmful application inspection module 320, static inspection, or AI-based inspection) existing in another system (eg, harmful application inspection system 206 of FIG. 2) connected to the application, the inspection result of the application is You can judge whether it is normal or not.

According to the embodiment, if the application test result is normal, the controller 202 may use an access policy (eg, the access policy 311 of FIG. 3 ) and a channel policy (eg, the access policy 311 of FIG. 3 ) to allow access of the node 201 connected to the corresponding network. : In the channel policy 312 of FIG. 3, it is possible to check the gateway 203 where the node 201 is located. In addition, the controller 202 provides source IP, destination IP, service port information, and application inspection information for continuously inspecting applications so that the node 201 can control service processing requests without performing a network access request procedure. You can create data flows that contain In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the connection control application 211 of the node 201 (operations 655 and 660).

According to the embodiment, if the application inspection result is not normal, the controller 202 evaluates the risk level of the application inspection result based on the application inspection policy database 318, releases the control flow according to the risk level, and The connection of the node 201 may be isolated by blocking the connection of the node 201 or by adding it to a blacklist.

In operation 665, the access control application 211 may process the resulting value according to the received response. For example, the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that the controller connection is impossible in operation 625 without generating a control flow in operation 615 . Also, in this case, operations 630 to 660 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 605 again.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed. Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on the received data flow.

According to an embodiment, when receiving network connection release information from the controller 202, the access control application 211 may terminate the application or block all network access of the application.

7 illustrates a signal flow diagram for user authentication according to various embodiments.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 211 of the node 201 may authenticate the user of the node 201 from the controller 202 . According to an embodiment, node 201 may be substantially the same as node 201 of FIG. 2 in which connection control application 211 is installed.

Referring to FIG. 7 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication. In this case, the access control application 211 of the node 201 may request user authentication from the controller 202 in operation 705 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with control flow identification information.

At operation 710 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database of FIG. 3). 311 or the blacklist database 314), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.

If the user is authenticated, in operation 715, the controller 202 may add user identification information (eg, user ID) to identification information of the control flow. The added user identification information can be used for the authenticated user's controller access or network access.

In operation 720, the controller 202 connects from the access policy database 311 and the channel policy database 312 corresponding to the identified information (eg, the node 201 and source network information to which the node 201 belongs). Whitelist information of possible applications can be created. Depending on the embodiment, the controller 202 determines whether there is destination network information to which the node 201 requesting the current connection can basically connect based on the identified information, the access policy database 311 and the channel policy database 312. You can check. In one embodiment, the controller 202 may send the application white list to the connection control application 211 at operation 725 .

According to an embodiment, when the application whitelist is generated, the controller 202 includes information for inspecting the application based on the application inspection policy database 318 (eg, the execution or installation location of the application, signature, fingerprint, hash) , Registry, etc., as a series of information for binary analysis of applications, executable files, libraries referenced by executable files, and a series of files or processes, memory information, and malware detection tools to check whether applications are safe or not. pattern database information, etc.) to create an application whitelist.

In addition, if access is possible, the controller 202 may list channel types and gateways to which the node 201 may be connected. For example, the controller 202 includes the type of node 201 included in the control flow in order for the node 201 to access the destination network, location information, environment, network information including the node 201, and the controller ( A channel to which the node 201 can connect based on at least one of identification information (eg, IP information) of the node 201 identified through 202 and identification information of the node 201 identified by the node 201 Types and gateways can be listed. For another example, the controller 202 provides information on the type of node 201 included in the control flow, location information, environment, network information including the node 201, and controller 201 in order for the node 201 to access the destination network. The node 201 can connect based on a combination of two or more of identification information (eg, IP information) of the node 201 identified through (202) and identification information of the node 201 identified in the node 201 Channel types and gateways can be listed.

The controller 202 can check the status of the listed gateways, and can identify a channel optimized for the node 201 and the gateway 203 from among the listed gateways. For example, the controller 202 can identify one channel and one gateway 203 . According to the embodiment, when a channel and a gateway 203 accessible to the node 201 exist, the controller 202 generates a channel such as the gateway 203 and channel authentication information for the node 201 to create a channel. Information may be transmitted to node 201 (act 725).

According to the embodiment, it is not a structure in which a channel is created between the node 201 and the gateway 203, but through a pre-connected channel existing at the boundary between the gateway 203 present in the network to which the node 201 belongs and the destination network. In the case of an access structure or in the case of access through another channel technology between the node 201 and the destination network boundary, the controller 202 may not transmit channel creation information to the node 201 .

In operation 725, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 720 to the connection control application 211 .

In operation 730, the access control application 211, when channel creation is required (eg, when channel creation information is received from the controller 202), information for channel creation received from the controller 202 (eg, the gateway 203 ) and a series of information necessary for channel creation, such as channel authentication information), the gateway 203 may be requested to create a channel. The gateway 203 may create a channel in response to the channel creation request of the node 201 . According to the embodiment, when it is determined that channel creation is unnecessary by the controller 202 (eg, when channel creation information is not received from the controller 202 or when channel creation unnecessary information is received from the controller 202) etc.) The access control application 211 may perform operation 740 without performing operations 730 and 735 .

When a channel is created through operation 730, in operation 735, the access control application 211 may check whether a dedicated IP set according to channel creation completion information and channel creation exists. The access control application 211 may transmit channel creation completion information and dedicated IP information to the controller 202 (operation 745).

At operation 740, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . The access control application 211 may check whether an application exists (is installed) in the node 201 based on the accessible application information, and performs each inspection based on the application inspection information included in the application whitelist. can be done

At operation 745 , the connection control application 211 may transmit the test result to the controller 202 . For example, the access control application 211 may transmit channel creation completion information and allocated channel identification information (IP information) to the controller 202 . For another example, the access control application 211 may transmit to the controller 202 a result of performing each inspection based on the application inspection information.

At operation 750, the controller 202 may perform data flow processing. For example, when the channel creation completion information is received, the controller 202 stores the channel-only IP information allocated to the node 201 and the channel creation completion information in a channel table (eg, the channel table 316 of FIG. 3). It can be registered, and the information transmitted from the node 201 can be updated in the control flow corresponding to the node 201.

The controller 202 checks whether the application information is valid in the application table 319 according to the application inspection policy database 318 based on the received application inspection result, or is included in the controller 202 or the controller 202 Through a harmful application inspection module (eg, harmful application inspection module 320, static inspection, or AI-based inspection) existing in another system (eg, harmful application inspection system 206 of FIG. 2) connected to the application, the inspection result of the application is You can judge whether it is normal or not.

According to the embodiment, if the application test result is normal, the controller 202 may use an access policy (eg, the access policy 311 of FIG. 3 ) and a channel policy (eg, the access policy 311 of FIG. 3 ) to allow access of the node 201 connected to the corresponding network. : In the channel policy 312 of FIG. 3, it is possible to check the gateway 203 where the node 201 is located. In addition, the controller 202 provides source IP, destination IP, service port information, and application inspection information for continuously inspecting applications so that the node 201 can control service processing requests without performing a network access request procedure. You can create data flows that contain In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the connection control application 211 of the node 201 (operations 755 and 760).

According to the embodiment, if the application inspection result is not normal, the controller 202 evaluates the risk level of the application inspection result based on the application inspection policy database 318, releases the control flow according to the risk level, and The connection of the node 201 may be isolated by blocking the connection of the node 201 or by adding it to a blacklist.

In operation 760, the access control application 211 may process the resulting value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen indicating completion of user authentication to the user. When user authentication is complete, the request for network access of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that user authentication of node 201 is not possible. For example, if identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect user identification information in operation 715 and may transmit a response indicating that access to the controller is impossible in operation 725 . Also, in this case, operations 730 to 760 may not be performed.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

According to an embodiment, when receiving network connection release information from the controller 202, the access control application 211 may terminate the application or block all network access of the application.

8 shows a signal flow diagram for network access according to various embodiments.

After node 201 is authorized by controller 202, node 201 controls the network access of other applications stored in node 201 through node 201's access control application 211 to provide trusted data. delivery can be guaranteed. According to an embodiment, node 201 may be substantially the same as node 201 of FIG. 2 in which connection control application 211 is installed.

Referring to FIG. 8 , in operation 805 , the access control application 211 may detect a network connection event of another application stored in the node 201 (eg, the target application 212 of FIG. 2 ).

In operation 810, the access control application 211 may check the existence of a data flow corresponding to identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, if a data flow exists, the access control application 211 may transmit a data packet based on the data flow. According to the embodiment, the access control application 211 of the node 201 may perform a network access request in operation 815 without performing operation 810 .

According to the embodiment, when a data packet is dropped or transmitted based on whether a data flow exists and is valid, the access control application 211 performs an event of transmitting or dropping a data packet based on application inspection information included in the data flow. , it is possible to check whether application inspection is to be performed when .

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time expires and renewal is required, in operation 815, the access control application 211 may request the controller 202 to access the network. For example, the network access request may include control flow identification information, destination network identification information, and port information.

According to the embodiment, if there is no data flow, the access control application 211 may check whether the application whitelist received in the controller access of FIG. 6 or the user authentication process of FIG. 7 exists, and the target application requesting network access You can check if this application is included in the whitelist. For example, if the application whitelist does not exist or the target application is not included in the application whitelist, the access control application 211 may perform a network access request to the controller 202 without performing an application check. there is. In this case, the network access request may not include the application check result. For another example, if an application whitelist exists and the target application is included in the application whitelist, the access control application 211 displays a result of performing each inspection based on application inspection information included in the application whitelist. A request for network access including the network connection may be performed to the controller 202 .

According to the embodiment, if the data flow exists but needs to be updated, the access control application 211 sends a network access request including the result of performing each inspection based on the application inspection information included in the data flow to the controller 202 can be performed to

In operation 820, the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. According to an embodiment, the controller 202 may check whether the target application can access the gateway 203 or the service server 205 . Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when the network connection is unavailable (operation 840).

If access is possible, in operation 825, the controller 202 may check whether a channel between the node 201 and the gateway 203 is created based on the channel table. For example, if a channel is not created, the controller 202 can check whether a channel must be created in order to access a corresponding service in a channel policy, and if a channel must be created, the node 201 cannot be accessed. The result may be transmitted (act 840). For another example, if a channel is created or if channel creation is unnecessary, the controller 202 determines whether a valid data flow corresponding to information (destination identification information and service port information) requested by the node 201 exists in the data flow table. You can check.

According to an embodiment, if a valid data flow exists, the controller 202 may perform operation 830 without generating a data flow.

According to an embodiment, when a valid data flow does not exist, the controller 202 may generate a data flow including a source IP, a destination IP, service port information, and application inspection information for continuously inspecting applications.

In operation 830, the controller 202 may check whether the application check result is included in the network access request. For example, if the application inspection result is not included in the network access request, the controller 202 transmits to the node 201 a data flow including status information and application inspection information required by the application inspection request, The node 201 may be configured to perform a test based on the application check information and then request an application test (operations 840, 850, and 855).

According to an embodiment, when the application inspection result is included in the network access request, the controller 202 may inspect the application inspection result. For example, the controller 202 may check whether the application inspection result is normal based on the application inspection policy database (eg, 318 in FIG. 3 ), and the target application is valid in the application table (eg, 319 in FIG. 3 ). The harmful application inspection module included in the controller 202 (eg, 320 in FIG. 3) or another system connected to the controller 202 (eg, the harmful application inspection system 206 in FIG. 2) It is possible to determine whether the inspection result of the target application is normal through a harmful application inspection module (Static inspection or AI-based inspection) existing in . Depending on the embodiment, when the test result of the target application is determined to be normal, the controller 202 may transmit the generated data flow to the node 201 and the gateway 203 (operations 835 and 840).

Depending on the embodiment, when it is determined that the test result of the target application is not normal, the controller 202 may return connection failure information to the node 201 (operation 840). In addition, the controller 202 evaluates the risk level of the application inspection result based on the application inspection policy (eg, 318 in FIG. 3 ) and releases the control flow according to the risk level to block access of the node 201 or black You can isolate the connection of node 201 by adding it to the list.

At operation 845 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, when the connection control application 211 receives a network connection failure result from the controller 202, it may drop a data packet to be transmitted by the target application. For another example, when a data flow is received from the controller 202, the access control application 211 may transmit a data packet based on the received data flow. In this case, the access control application 211 may update the existing data flow with the received data flow.

Depending on the embodiment, when application inspection is required (eg, when status information required by the application inspection request is received), the access control application 211 performs each application inspection based on the application inspection information included in the received data flow. The inspection may be performed, and an application inspection request may be performed to the controller 202 including the inspection result (operations 850 and 855). Operations 850 and 855 may not be performed when the application check has been performed prior to operation 815 .

Depending on embodiments, operation 855 may be performed through operations shown in FIG. 9 .

9 illustrates a signal flow diagram for an application check request according to various embodiments.

The access control application 211 may perform inspection of the target application based on application inspection information included in the data flow or application whitelist, transmit the inspection result to the controller 202, and perform an application inspection request, It is possible to determine whether the target application has been normally inspected, and network access of the abnormal target application may be blocked.

At operation 905, the access control application 211 may detect an application check event. For example, if the access control application 211 needs to perform an application inspection in the course of network access, or if it needs to inspect an application running at regular intervals based on application inspection information included in a data flow, application inspection occurs event can be detected. For example, the access control application 211 may detect an application check event through operation 855 of FIG. 8 .

In operation 910, the access control application 211 transmits the result of performing each inspection based on the inspection information to the controller 202 and performs an application inspection request.

At operation 915, the controller 202 may perform an application check. For example, the controller 202 can inspect the application check result. For another example, the controller 202 may check whether the application inspection result is normal based on the application inspection policy database (eg, 318 in FIG. 3 ), and the target application is detected in the application table (eg, 319 in FIG. 3 ). It is possible to check whether it is valid, and the harmful application inspection module included in the controller 202 (eg, 320 in FIG. 3) or another system connected to the controller 202 (eg, the harmful application inspection system 206 in FIG. 2) ), it is possible to determine whether the inspection result of the target application is normal through the harmful application inspection module (Static inspection or AI-based inspection) existing in ).

Depending on the embodiment, if the test result of the target application is determined to be normal, the controller 202 may return test completion information to the node 201 (operation 925).

Depending on the embodiment, when it is determined that the test result of the target application is not normal, the controller 202 may return connection failure information to the node 201 (operation 925). In addition, the controller 202 evaluates the risk level of the application inspection result based on the application inspection policy (eg, 318 in FIG. 3 ) and releases the control flow according to the risk level to block access of the node 201 or black You can isolate the connection of node 201 by adding it to the list. In this case, the controller 202 may request the gateway 203 to remove the previously created data flow (operation 920).

In operation 930 , the connection control application 211 may process the resulting value of the response received from the controller 202 . For example, when receiving network access unavailability information, the access control application 211 may terminate the target application or block all network access of the target application. For another example, when application check completion information is received, the access control application 211 may be in a state capable of transmitting a data packet of a target application.

10 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 10 , in operation 1005, the access control application 211 may detect a control flow update event.

In operation 1010, the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.

The access control application 211 may check the data flow upon request for control flow update, and may check whether the application check is performed when the control flow is renewed according to the application check information included in the data flow. When an application check is performed during control flow update, the access control application 211 may request a control flow update including the result of performing each check based on the application check information.

In operation 1015, the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (eg, when the connection is disconnected by another security system, when the connection is disconnected by its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Since it does not, a connection failure result may be transmitted to the connection control application 211 (operation 1025).

When a control flow exists, the controller 202 can check a data flow corresponding to the control flow, and based on application check information included in the data flow, it can check whether an application check needs to be performed when the control flow is updated. .

According to the embodiment, if application inspection needs to be performed, but application inspection information by data flow or by application does not exist in the control flow update information, or if the number of applications to be inspected by the node 201 is inspected by the controller 202 In the case where the application check cannot be performed, such as when the number of applications to be performed is different, the controller 202 may return connection unavailable information to the node 201 .

According to the embodiment, when application inspection needs to be performed and the application inspection information is included in the control flow update information, the controller 202 determines the application inspection policy (eg, 318 of FIG. 3 ) based on the application inspection result information. Accordingly, it is checked whether the target application is valid in the application table (eg, 319 in FIG. 3 ) or a harmful application inspection module included in the controller 202 (eg, 320 in FIG. 3 ) or another system connected to the controller 202 ( Example: It is possible to determine whether the inspection result of the target application is normal through a harmful application inspection module (static inspection or AI-based inspection) existing in the harmful application inspection system 206 of FIG. 2 . For example, if the test of the target application is normal, the controller 202 may update the control flow and data flow, and return the updated data flow and control flow update information to the node 201 (operation 1025). ).

According to an embodiment, if the inspection of the target application is not normal, the controller 202 may return inspection failure information to the node 201, evaluate the risk level of the application inspection result according to the application inspection policy, and evaluate the risk level. According to the control flow, the connection of the corresponding node 201 is blocked, or the connection of the node 201 is isolated by adding to the blacklist, and the previously created data flow may be requested to the gateway 203 to be removed (operation 1020).

According to an embodiment, when the application check is not required or the application check is completed, the controller 202 may update the update time included in the control flow and search for data flow information corresponding to the control flow.

According to an embodiment, the controller 202 may return corresponding data flow information when re-authentication needs to be performed among data flows or there is a data flow to which access is no longer possible (operation 1025).

At operation 1030 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, the access control application 211 may block all network accesses of applications when the control flow update result is impossible. For another example, the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.

11 illustrates a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 11 , in operation 1105, the node 201 terminates the node 201, terminates the access control application 211, terminates the target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1110, node 201 or access control application 211 may request controller 202 to remove the control flow.

In operation 1115, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1120, the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1125, the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow. The gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.

12 illustrates a signal flow diagram for termination of application execution according to various embodiments.

Referring to FIG. 12 , in operation 1205, the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution termination event.

Depending on the embodiment, the access control application 211 may check whether a data flow corresponding to terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

At operation 1210 , the access control application 211 may perform a data flow removal request to the controller 202 . For example, the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and may perform a data flow removal request.

In operation 1215, the controller 202 may delete the data flow requested to be removed. In addition, the controller 202 may perform a removal request for the removed data flow to the gateway 203 (operation 1220). The gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (17)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled to the processor, wherein the memory stores a target application and a connection control application, wherein the memory, when executed by the processor, causes the node to:
When the target application attempts to access the network, through the access control application,
If there is a data flow or application whitelist received from an external server, the target application is inspected based on the data flow or the application whitelist, and a network access request including the inspection result of the target application is received. to the external server,
If the data flow or application whitelist received from the external server does not exist, perform a network access request to the external server without the test result, receive the data flow or the application whitelist, and inspect the target application and transmits a test result for the target application to the external server;
Control network access of the target application based on whether a test result of the target application received from the external server is normal;
storing instructions for inspecting the target application based on application inspection information when a data packet of the target application is dropped or transmitted;
The data flow and the application whitelist include application inspection information generated by the external server. delete The method of claim 1, wherein the instructions are the node,
Detecting a network access event of the target application through the access control application;
confirming existence of a data flow corresponding to identification information of the target application and identification information of a destination network of the target application and authorized from the external server;
A node that performs a network access request to the external server, transmits a data packet of the target application, or drops the data packet based on whether the data flow exists and whether the application whitelist exists. The method of claim 3, wherein the instructions are the node,
and if the data flow exists but is not valid, inspect the target application based on the application inspection information and drop the data packet. The method of claim 3, wherein the instructions are the node,
If the data flow does not exist, check whether the application whitelist exists,
If the application whitelist exists, check the target application based on the application check information included in the application whitelist;
A node configured to transmit a test result for the target application to the external server and perform a network connection request. The method of claim 5, wherein the instructions are the node,
If the application whitelist does not exist, the network access request is performed without transmitting the test result to the external server;
Receiving a data flow including the application inspection information from the external server;
inspecting the target application based on application inspection information included in the received data flow;
A node configured to transmit a test result of the target application to the external server and perform an application test request. The method of claim 6, wherein the instructions are the node,
Receiving a data flow including whether or not the inspection result is normal as a response to the application inspection request from the external server;
If the test result is normal, the data packet is transmitted;
A node that causes the data packet to be dropped when the test result is not normal. The method of claim 3, wherein the instructions are the node,
and if the data flow exists, inspect the target application based on the application inspection information and transmit the data packet. The method of claim 1, wherein the instructions are the node,
A node that accesses the external server through the access control application or performs user authentication to receive the application whitelist information including the application check information from the external server. The method of claim 1, wherein the instructions are the node,
When an application running in a specific cycle unit needs to be inspected based on the inspection period included in the application inspection information, the target application is inspected based on the application inspection information through the access control application;
A node configured to transmit a test result for the target application to the external server. The method of claim 1, wherein the instructions are the node,
When performing an update with the external server through the access control application, confirm whether or not the application check is performed based on the application check information included in the data flow;
A node configured to inspect the target application, transmit a result of inspection of the target application to the external server, and request the update. in the server,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled to the processor and storing a database, wherein the memory, when executed by the processor, causes the server to:
Receiving a network access request for a destination network from an access control application of a node, the network access request including identification information of a target application of the node that attempted to access the destination network and identification information of the destination network;
Check whether the network access request includes a test result for the target application;
When the network access request includes a test result for the target application, confirms whether the test result is normal and transmits whether the test result is normal to the node;
The server, configured to generate and transmit a data flow including application inspection information to the node when the network access request does not include a inspection result for the target application. The method of claim 12, wherein the processor,
If the network access request includes a test result for the target application, determine whether the target application is valid based on the test result and the database;
Check whether the target application is a harmful application;
A server configured to transmit a confirmation result of the inspection result to the node. delete The method of claim 12, wherein the processor,
When receiving an access request or user authentication request from the access control application, determine whether the access control application is accessible or user authentication is possible based on the database;
generate an application whitelist based on accessible applications, and transmit the generated application whitelist to the node;
Wherein the application whitelist includes the application check information. The method of claim 12, wherein the processor,
When the test result is received from the access control application, check whether the test result is normal;
If the test result is normal, transmits information indicating that the test result is normal to the node;
If the test result is not normal, evaluate the risk level of the test result based on the database, block access of the access control application based on the risk level, or add the node to a blacklist. server. As a method of operating an access control application stored in a node,
When a target application attempts network access, if there is a data flow received from an external server or an application whitelist, the target application is inspected based on the data flow or the application whitelist, Performing a network access request including a test result to the external server;
If the data flow or application whitelist received from the external server does not exist, perform a network access request to the external server without the test result, receive the data flow or the application whitelist, and inspect the target application performing, and transmitting a test result for the target application to the external server;
controlling network access of the target application based on whether a test result of the target application received from the external server is normal; and
inspecting the target application based on application inspection information when the data packet of the target application is dropped or transmitted; including,
The method of claim 1 , wherein the data flow and the application whitelist include application inspection information generated by the external server.

Images