KR102609368B1 - System for controlling network access and method of the same - Google Patents

Abstract

A router according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a target application and a connection control application, The memory, when executed by the processor, causes the router to detect a data packet transmission event of a node or the target application through the access control application, and the data packet transmission event includes MAC address information of the node, identification of the node, A data flow that includes at least one of information and identification information of the target application, corresponds to at least one of MAC address information of the node, identification information of the node, and identification information of the target application, and is received from an external server. Check the existence of and determine whether to perform the protocol check of the data packet on its own or through the external server based on the protocol information included in the data flow, and check the protocol on its own or through the external server. Commands configured to check the protocol and transmit the data packet when the protocol check of the data packet is completed may be stored.

Description

System for controlling network access and method related thereto {SYSTEM FOR CONTROLLING NETWORK ACCESS AND METHOD OF THE SAME}

Embodiments disclosed in this document relate to a system and method for controlling network access.

Multiple devices can communicate data over a network. For example, a terminal can transmit or receive data to and from a server via the Internet. Networks may include public networks such as the Internet as well as private networks such as intranets.

Terminals and nodes other than those commonly used by users, such as industrial terminals and IoT (Internet of Things), are connected to a router for connection and communication with wired and wireless networks.

The router can be connected to a telecommunication company's wireless network using wireless communication technology such as LTE/5G, or access the service through an ISP (Internet Service Provider) through a wired network. The terminal that actually performs communication is wired or WIFI, It can be connected to the router through various connection methods such as LoRa (Long Range) and Serial.

Technology that performs network access control in response to network access events of applications that are the actual communication targets of nodes based on tunneling or channels and channels containing them can prevent unauthorized or unsafe targets from accessing the network in advance. You can.

Because industrial terminals and IoT terminals are low-power or low-spec terminals or use their own operating systems, problems may occur in which network access control applications cannot be installed.

To solve these problems, telecommunication companies and ISPs perform network access control between the Internet or services through gateways connected to routers, and traditional firewalls, IPS (Intrusion Prevention System), and DPI (Deep Packet Inspection) technologies are used. A method is used to manually register the service IP policy that can be accessed based on the assigned IP based on unique information to identify the router (e.g. USIM-based Subscriber ID), but in reality, the terminal that is the subject of communication There may be limitations to directly controlling network access.

In addition, when a permitted application connects to a destination service and transmits and receives actual data packets, it can be determined whether the data packet communicates using the permitted protocol based on the application and destination IP and port information, which is information identified by the network access control application. Uncontrollable problems may arise.

The protocol is an application layer rather than a protocol that operates on the transport layer (Layer 4, Transport Layer) such as IP (Internet Protocol)-based TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) at the 7th layer of OSI (Open Systems Interconnection). In addition to protocols defined by IETF (Internet Engineering Task Force) standards such as HTTP (HyperText Transfer Protocol) at (Layer 7, Application Layer), it can refer to a series of specifications for the application that is the actual communication target to transmit and receive data packets.

IPS (Intrusion Prevention System), one of the traditional network perimeter technologies that does not control application identification and network access at the node, transmits and receives only data packets of known protocols based on predefined DPI (Deep Packet Inspection) rules or pattern information. However, this network border technology has low performance because it processes all data packets sent by the node after receiving them, and it cannot identify which target is actually communicating, so it provides various identification information ( There is a problem where effective protocol transmission and reception control is impossible in combination with (e.g. users, nodes, applications).

Various embodiments disclosed in this document are intended to provide a system and method for solving the above-described problems in a network environment.

A router according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a target application and a connection control application, The memory, when executed by the processor, causes the router to detect a data packet transmission event of a node or the target application through the access control application, and the data packet transmission event includes MAC address information of the node, identification of the node, A data flow that includes at least one of information and identification information of the target application, corresponds to at least one of MAC address information of the node, identification information of the node, and identification information of the target application, and is received from an external server. Check the existence of and determine whether to perform the protocol check of the data packet on its own or through the external server based on the protocol information included in the data flow, and check the protocol on its own or through the external server. Commands configured to check the protocol and transmit the data packet when the protocol check of the data packet is completed may be stored.

A server according to an embodiment disclosed in this document includes a communication circuit, a memory for storing a database, and a processor operatively connected to the communication circuit and the memory, wherein the processor stores data from a connection control application of a router. Receiving a packet protocol inspection request, wherein the data packet protocol inspection request includes data packets collected up to an inspection range required for protocol inspection and identification information of a data flow corresponding to the data packet, corresponding to the identification information of the data flow. Based on the protocol information included in the data flow, the protocol of the collected data packets is inspected up to the inspection range required for the protocol inspection, and when the inspection is completed, the protocol inspection status of the data flow is updated to the completed status, and the updated data It may be configured to transmit a flow to the router.

A method of operating an access control application installed on a router according to an embodiment disclosed in this document includes detecting a data packet transmission event of a node or target application, wherein the data packet transmission event includes MAC address information of the node, Data that includes at least one of identification information and identification information of the target application, corresponds to at least one of MAC address information of the node, identification information of the node, and identification information of the target application, and is received from an external server. The operation of checking whether a flow exists, based on the protocol information included in the data flow, whether to perform the protocol check of the data packet itself or through the external server to check the protocol itself or the external server It may include an operation of checking a protocol through a server and an operation of transmitting the data packet when the protocol check of the data packet is completed.

According to the embodiments disclosed in this document, it includes a minimum authentication step to identify a node connected to the router, and performs network access control based on data flow information provided through a controller in the router relaying actual communication. Methods for performing it can be provided.

In addition, according to the embodiments disclosed in this document, when a node is connected to a router through a physical interface, the router can identify the MAC (Media Access Control) address in Layer 2 included in the terminal's network connection request data packet. You can.

In addition, according to embodiments disclosed in this document, when a network connection event occurs with an identified MAC address, the router checks whether the controller can be accessed and creates a channel based on the result or a network connection event based on the created channel. Access may be permitted.

In addition, according to the embodiments disclosed in this document, the network access of nodes connected to the router can be unified and controlled through an access control application installed on the router, so that the node's network access can be controlled more efficiently and safely.

In addition, according to embodiments disclosed in this document, when relaying a node's communication through a proprietary protocol that does not know the MAC address, a connection relay application for retransmitting the native protocol to the IP protocol is included in the router to relay the connection. A structure can be provided that allows the application to handle network connection requests and various communications on behalf of the node.

In addition, according to the embodiments disclosed in this document, when a node authenticates itself through a native protocol through a connection relay application and receives a network connection request through a connection relay application, the access control application communicates the basic communication subject. Since it is possible to limit to target applications, network access control can be performed by relaying communications on a per-application basis.

Additionally, according to embodiments disclosed in this document, communication of an application that communicates using an unauthorized protocol can be identified or blocked.

Additionally, according to the embodiments disclosed in this document, problems inherent in TCP/IP-based network security technology can be resolved and a secure network connection can be provided.

In addition, according to embodiments disclosed in this document, the access control application can monitor whether communication is performed using a protocol permitted by the controller according to data packet transmission and reception events after the network connection of the actual communication target application is permitted, and whether allowed is not permitted. If an unsuitable protocol is used, network access can be blocked, or if a dangerous protocol is used, the control flow can be disarmed and isolated, making it impossible to maintain network access, or technology can be provided to isolate it from the network.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

Figure 1 shows an environment including multiple networks.
Figure 2 shows an architecture within a network environment according to various embodiments.
3 is a functional block diagram showing a database stored in a controller according to various embodiments.
Figure 4 shows a functional block diagram of a router according to various embodiments.
Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.
Figure 6 shows a signal flow diagram for controller connection according to various embodiments.
7 shows a signal flow diagram for user authentication according to various embodiments.
Figure 8 shows a signal flow diagram for changing channel state information according to various embodiments.
Figure 9 shows a signal flow diagram for network access according to various embodiments.
10A and 10B illustrate signal flow diagrams for processing transmission of data packets according to various embodiments.
11A and 11B illustrate signal flow diagrams for processing reception of data packets according to various embodiments.
Figure 12 shows a signal flow diagram for control flow update according to various embodiments.
13 shows a signal flow diagram for disconnection according to various embodiments.
Figure 14 shows a flowchart showing a method of operating a connection control application according to various embodiments.
Figure 15 shows a flowchart showing a method of operating a server according to various embodiments.
Figure 16 is a diagram showing the structure of a data packet according to various embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments of the present invention are described below with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, but should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document, “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, or omitted. Alternatively, one or more other operations may be added.

The term “module” used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrated part or a minimum unit of the parts or a part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

Figure 1 shows an environment including multiple networks.

Referring to FIG. 1, the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101. In FIG. 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances and is not limited to the above-mentioned devices. For example, the source node 101 may include a server or gateway that can transmit data packets through an application. The source node 101 may also be referred to as an ‘electronic device’ or a ‘terminal’. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101. As another example, the destination node 102 may be substantially the same as the destination network.

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20. The source node 101 may transmit data to the destination node 102 through a router or gateway 103.

If the connection of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, and therefore the source node 101 is malicious. ) may be exposed to program attacks. For example, the source node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browsers 110a and business applications 110b. ) It is possible to receive data from untrusted or unsecured applications, such as the business application 110d.

The source node 101 infected by a malicious program may attempt to connect to the second network 20 and/or transmit data. If the second network 20 is formed based on IP, such as a VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and application at the OSI layer may be difficult. Security at the layer or transport layer may be vulnerable. Additionally, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be transmitted to another electronic device (e.g., the destination node 102) within the second network 20. You can.

Figure 2 shows an architecture within a network environment according to various embodiments.

Referring to FIG. 2, nodes 231 and 232 may be various types of devices capable of performing data communication. For another example, the nodes 231 and 232 may be connected to portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and virtual reality (VR) devices. ) may include devices, or home appliances, and is not limited to the above-mentioned devices. For example, nodes 231 and 232 may include servers or gateways capable of transmitting data packets through an application. Nodes 231 and 232 may also be referred to as ‘electronic devices’ or ‘terminals.’ According to the embodiment, the nodes 231 and 232 may include a plurality of nodes (eg, the first node 231 and the second node 232).

Router 201 may be connected to nodes 231 and 232. For example, the router 201 can provide a structure in which communication is possible only when a data flow authorized by the controller 202 exists in order for the connected nodes 231 and 232 to access the services 233 and 234, If a data flow does not exist, a structure in which the nodes 231 and 232 cannot communicate may be provided. Additionally, the router 201 may include an access control application 211 and a network driver to control network access of nodes 231 and 232 connected to the router 201.

According to the embodiment, the router 201 may detect the network connection of the first node 231 through the access relay application 212, and then the data packet or service processing request of the access relay application 212 is controlled by connection control. It can be controlled through the application 211. According to another embodiment, the router 201 may directly detect and control the network connection of the second node 232 through the access control application 211.

According to the embodiment, when a network connection request occurs from the nodes 231 and 232, the router 201 can check whether connection is possible with the controller 202, and only if connection is possible, data generated by the controller 202 Data packets can be transmitted to the gateway 203 located at the border of the network providing services 233 and 234 through flow information.

According to the embodiment, when the nodes 231 and 232 or the access relay application 212 communicate with the services 233 and 234 or the gateway 203 through a channel based on a previously granted certificate, the router (201) can be controlled to check the certificate and create a channel only in the case of an accepted certificate. Therefore, the router 201 does not create a channel with the nodes 231, 232 or the access relay application 212 directly with the service 233, 234 or the gateway 203, but connects the channel by relaying the channel. Control can be performed.

According to the embodiment, when the router 201 performs a service request with the services 233 and 234 of the nodes 231 and 232 or the access relay application 212, the router 201 checks the service request and determines the allowed protocol and unnecessary service requests. Service requests from the nodes 231 and 232 or the connection relay application 212 can be relayed and processed in the form of limiting or filtering.

According to the embodiment, the router 201 may include a connection relay application 212 that relays the network connection of the nodes 231 and 232 connected to the router 201. For example, the connection relay application 212 may be an application for relaying the network connection of the nodes 231 and 232 that communicate using a proprietary protocol such as WIFI, LoRa, or serial communication or a protocol operating in a relay format. In this case, in order for the nodes 231 and 232 to connect to the destination network, a data flow authorized by the controller 202 must exist, and if the data flow does not exist, the connection relay application 212 cannot perform communication. It can provide structure.

According to the embodiment, the router 201 may include a connection control application 211 and a network driver for network connection of the connection relay application 212. When a network connection received from a connection relay application occurs, the router 201 checks whether connection is possible from the controller 202, and exists at the border of the network to be connected through the data flow generated by the controller 202 only if connection is possible. Data packets can be transmitted to the gateway 203.

Additionally, devices providing services 233 and 234 may be various types of devices capable of performing data communication. As another example, devices providing services 233, 234 include portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, It may include a virtual reality (VR) device, or a home appliance device, and is not limited to the aforementioned devices. For example, a device providing services 233, 234 may include a server or gateway that can transmit data packets through an application. Devices that provide services 233 and 234 may also be referred to as 'electronic devices' or 'terminals'.

The nodes 231 and 232 are controlled by the access control application 211 included in the router 201 and can transmit data packets to devices providing services 233 and 234 or, conversely, receive data packets. Some of the applications contained in nodes 231 and 232 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, so in embodiments The network access system according to the present invention can block access to devices providing services 233 and 234 of unauthorized programs (applications) through network access control of the access control application 211 and isolate the programs.

Controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the router 201 and devices providing services 233 and 234. For example, the controller 202 may allow the authorized router 201 (or the access control application 211) to access the network through policy information or blacklist information. The controller 202 may provide authentication information to perform authentication between the router 201 and devices providing services 233 and 234. Accordingly, the access control application 211 of the router 201 can prevent unauthorized nodes 231 and 232 from transmitting data packets for unauthorized purposes.

According to the embodiment, the network connection of the nodes 231 and 232 may be blocked from the access control application 211, the controller 202, or the gateway 203. According to one embodiment, the controller 202 is a connection control application (e.g., registration, authorization, authentication, renewal, termination) to perform various operations (e.g., registration, approval, authentication, renewal, termination) associated with the network connection of the router 201 or the access control application 211. 211) and control data packets can be transmitted and received. The flow through which control data packets are transmitted (e.g., 220) may be referred to as a 'control flow'. According to an embodiment, the controller 202 can maintain a secure network state at all times by immediately reclaiming a channel according to a security event received from a linked system (e.g., router 201, gateway 203). Additionally, the above structure can be applied substantially in the same way to the relationship between the gateway 203 and the controller 202.

According to the embodiment, the controller 202 may communicate with the communication service 206, and when the router 201 operates while connected to a wireless communication provider or an Internet Service Provider (ISP) provider's own network, the router 201 ) can be requested to check whether router access is allowed to the communication service 206 and the result can be received to check whether it is a valid target that can be connected.

According to various embodiments, the router 201 may include a connection relay application 212, a connection control application 211, and a network driver (not shown) for managing the network connection of the nodes 231 and 232. . For example, when a connection event occurs from the nodes 231 and 232 to a device providing services 233 and 234, the connection control application 211 may determine whether the nodes 231 and 232 can be connected. . If the nodes 231 and 232 are connectable, the connection control application 211 can send data packets to the devices providing services 233 and 234, and receive data packets from the devices providing services 233 and 234. You can receive it. The access control application 211 can control the transmission of data packets within the router 201 through a kernel including an operating system and a network driver.

According to the embodiment, the connection relay application 212 may be referred to as a target application. That is, the router 201 may include various applications (eg, target applications) in addition to the connection relay application 212. Accordingly, the connection control application 211 of the router 201 can control the network connection of the target application. That is, the operations shown in FIGS. 6 to 14 of this document can be performed substantially the same even when the access control application 211 controls network access of the target application as well as the access relay application 212.

3 is a functional block diagram showing a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for performing communication with an external electronic device (e.g., the communication circuit 430 in FIG. 4) and a processor for controlling the overall operation of the controller (e.g., FIG. It may further include 4 processors 410).

The administrator can access the controller 202 and set a connection-oriented policy to control access between the access control application 211 and the gateway 203 and devices providing services 233 and 234, so that the session can be established at the service end. You can control network access more precisely and safely than managing .

The access policy database 311 may include information for identification (router unique identification information, USIM identification information connected to the router, MAC address, etc.) and authentication (e.g., certificate) of the router 201. For example, when a network connection request is made by the access control application 211, the controller 202 identifies the network (e.g., the network to which the router 201 belongs) based on the policy of the access policy database 311. , the network to which the device providing the services 233, 234 belongs), the node and/or application (e.g., the application included in the node connected to the router 201) to the destination (e.g., the network providing the services 233, 234). It is possible to determine whether connection to the device or router 201 is possible. According to the embodiment, the controller 202 provides a method for identifying a connection target and identification information (e.g., a MAC address-based identification method of the node, an identification method based on authentication information transmitted by the node when requesting network access, within the router 201). How to identify the application requesting network access and, accordingly, destination IP and port information included in the IP header, protocol information (e.g. TCP, UDP, etc.), MAC address, application identification information, IP assigned to the node, and identification of the received network interface. information, etc.), you can check whether connection is possible and create a data flow.

If the router 201 needs a channel to connect to the gateway 203 on the connection path according to the connection policy, the channel policy database 312 provides channel type (tunneling or channel, etc.) and encryption method and level information. may include. For example, the controller 202 may provide an optimal channel for the router 201 to communicate with the gateway 203 based on a channel policy when a node connected to the router 201 requests network access.

The blacklist policy database 313 is a target (e.g., node ID (identifier), IP address) identified through analysis of security event risk, occurrence cycle, and/or behavior among security events periodically collected from the router 201. , a media access control (MAC) address, or at least one of the router's identification information) may indicate a blacklist registration policy for blocking access.

According to the embodiment, the blacklist policy database 313 determines the risk level of nodes, users, and applications that use the protocol according to the protocol inspection results and includes information to determine whether to temporarily or permanently isolate them depending on the risk level. You can.

The blacklist database 314 may include a list of targets blocked by the blacklist policy database 313. For example, the controller 202 includes the identification information (e.g., router unique identification information, USIM identification information connected to the router, MAC address, etc.) of the router 201 requesting network access in the blacklist database 314. If so, the router 201 can be isolated by rejecting the network access request.

The control flow table 315 is an example of a session table for managing the flow (eg, control flow) of control data packets generated between the router 201 and the controller 202. When successfully connecting to the controller 202, control flow information may be generated by the controller 202. The control flow information may include identification information of the control flow, and information on the router 201 identified when connecting to and authenticating the controller. For example, when access to a device providing services 233 and 234 is requested from the router 201, the controller 202 can retrieve control flow information through the control flow identification information received from the router 201. and whether the router 201 or a node connected to the router 201 can access the device providing the services 233 and 234 by mapping the identification information included in the searched control flow information to the connection policy database 311. , it is possible to determine (determine) whether to create a data flow for data packet transmission.

According to one embodiment, a control flow may have an expiration time. The router 201 must update the expiration time of the control flow, and if the expiration time is not updated within a certain period of time, the control flow (or control flow information) may be removed. Additionally, if it is determined that immediate connection blocking is necessary according to security events collected from the router 201, the controller 202 may remove the control flow according to the connection termination request from the router 201. When the control flow is removed, the previously created data flow is also removed, so the connection to the router 201 may be blocked. That is, if the control flow is removed, the logical connection of the router 201 may be disconnected, making it virtually impossible to transmit and receive data packets.

The data flow table 316 is a table for managing the flow (eg, data flow) in which detailed data packets are transmitted between the node connected to the router 201 and the gateway 203. Data flow can be managed in units of network connections of nodes connected to the router 201.

Since data flow identification information (e.g., ID) for identifying a data flow, identification information of the router 201, and MAC address information of a node connected to the router 201 can create one or more logical connections, the data flow table 316 can be managed based on control flow ID.

According to the embodiment, the data flow table 316 includes a method for identifying the data flow of an authorized target and identification information (e.g., an identification method based on the MAC address of the node, an identification method based on authentication information transmitted by the node when requesting network access). , How to identify the application requesting network access within the router, and accordingly, destination IP and port information included in the IP header, protocol information (e.g. TCP, UDP, etc.), MAC address, application identification information, IP assigned to the node, and received It may include detailed management unit information such as network interface identification information, etc.).

According to an embodiment, the data flow table 316 may include authentication information. For example, authentication information is a series of information to check whether an allowed node has transmitted a data packet, and the authentication information is checked for each protocol (e.g., for TCP, TCP SYN packet inspection, and for UDP, data packet star authentication information check or authentication information test at regular intervals (or cycles), inspection method, etc.), information for decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm (e.g. HMAC OTP When creating, information such as Secret Key, etc.) may be included. According to an embodiment, authentication information may be determined (or generated) based on the authentication policy database 317.

According to an embodiment, the data flow table 316 may include protocol information for checking the protocol corresponding to the data flow. For example, protocol information may be information set based on the protocol policy 318. For another example, the data flow table 316 may include a protocol identification signature and version information, header information, and protocol information for identifying protocol information. As another example, the data flow table 316 checks the data packet to a certain extent (length) as necessary to identify the protocol, provides information on whether to process it as a normal protocol, and provides protocol inspection to the network access control application. information about whether to perform this test or whether to do it by sending data packet information to the controller, whether to check the protocol at the time of a network connection attempt or periodically, and status information about whether the test is complete or whether more tests are needed. It can include at least one of them.

According to an embodiment, the data flow table 316 may include certificate information issued in advance to process a channel creation request from an authorized connection target (node, connection relay application, or proxy).

According to the embodiment, the data flow table 316 may be equally stored in the router 201 or the gateway 203.

The authentication policy database 317 determines whether to authenticate network access based on the identification information of the node when connecting to the network of the node connected to the router 201 according to the access policy 311, and a series of information related to the authentication method when performing authentication. may include information. Additionally, the authentication policy database 317 may include certificate information previously issued by a connection target (e.g., node or connection relay application) to create a channel.

The protocol policy database 318 may include protocol information with which a target application (eg, access relay application 212) can communicate. For example, the protocol policy database 318 may include a protocol identification signature and version information, header information, and protocol information to identify protocol information included when transmitting or receiving a data packet. For another example, the protocol policy database 318 identifies the protocol by examining the data packet to a certain extent (length) as necessary, provides information on whether to process it as a normal protocol, at the time of a network connection attempt, or periodically. Information about whether the protocol will be checked, whether the protocol check will be performed by a network access control application or by sending data packet information to the controller, disconnection of the network or control flow if the protocol is not followed, and information related to isolation. It may contain at least one of the information.

The channel table 319 may include identification information of a channel created between the router 201 and the gateway 203 and the IP of the channel. For example, the controller 202 may determine whether a channel has been created between the router 201 and the gateway 203 based on the channel table 319. In addition, the channel table 319 is a table for managing channels connected between the router 201 and the gateway 203, and includes a channel ID for managing and identifying the channel when a valid channel exists, and control between the gateway and the controller. It can be composed of a control flow ID for and additional information to manage TEP (tunnel end point), TSP (tunnel start point), channel algorithm and type, encryption level, etc.

The security check policy database 320 contains security check information for validating the router 201 (e.g., the execution or installation location of the operating system and major applications, signatures, fingerprints, hashes, registry, etc., unique information of the operating system and applications, operating system and a series of information for binary analysis of major applications, such as executable files, libraries and a series of files or processes referenced by the executable, memory information, and a malware detection tool or pattern DB to check whether the application and operating system are safe. Information, the router's hardware and operating system configuration information and version information, information on physically connectable devices, etc.) and security check cycle, and whether or not the control flow is released when the security check fails.

Figure 4 shows a functional block diagram of a router according to various embodiments.

Referring to FIG. 4 , the router 201 may include a processor 410, a memory 420, and a communication circuit 430. According to one embodiment, the router 201 may further include a display 440 to interface with the user. According to the embodiment, a node connected to the router 201 may include the same or similar configuration as the router 201.

The processor 410 may control the overall operation of the router. In various embodiments, the processor 410 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 410 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 410 may further include a cache memory located internally or externally. Depending on embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of processor 410 is electrically or operatively coupled to other components within the router (e.g., memory 420, communication circuitry 430, or display 440). It can be (coupled with) or connected to. The processor 410 may receive commands from other components of the router, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440. Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.

The processor 410 can process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals to the memory 420 in order to execute or control a program.

The memory 420 may store commands for controlling the router, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

Memory 420 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.

The memory 420 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

According to one embodiment, the memory 420 may store the access control application 211 of FIG. 2. The connection control application 211 may perform control flow creation and update functions with the controller 202. To this end, the access control application 211 may include one or more security modules.

According to one embodiment, the memory 420 may store some of the information included in the controller's memory (eg, memory 330 in FIG. 3). For example, memory 420 may store data flow table 316 described in FIG. 3 .

Communication circuitry 430 establishes a wired or wireless communication connection between the router and an external electronic device (e.g., controller 202 of FIG. 2, a device providing services 233, 234), and performs communication over the established connection. can support. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.

The display 440 can output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410. Depending on embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc. When the display 440 is configured as a touch screen, a plurality of touch sensors may be placed above the display 440 or below the display 440.

A server (eg, controller) according to one embodiment may include a processor 410, memory 420, and communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.

Referring to FIG. 5, the access control application 211 detects a network connection request for a device providing services 233 and 234 from nodes 231 and 232 connected to the router 201, and connects the router 201 or The connection control application 211 may determine whether it is connected to the controller 202. If the router 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block the transmission of data packets in the kernel or network driver that includes the operating system. there is. Through the access control application 211, the router 201 can block access of malicious nodes in advance at the application layer of the OSI layer.

Nodes 231 and 232 connected to the router 201 must connect to the controller 202 to perform authentication, and when connecting devices providing services 233 and 234 after performing authentication, the connection network information is sent to the controller 202. ) to check whether connection is possible, and if connection is possible, data packets can be transmitted to the device providing the service (233, 234).

The router 201 can block channel creation requests using unauthorized certificates, and even if network access is permitted by data flow, in order to access the actual service, the service request information is checked to determine if the unauthorized access target is connected to the service. You can block the request from being performed.

The gateway 203 checks the data packet received from the router 201 through the controller 202, and allows sending a response data packet to the router 201 if it is a data packet transmitted by the authorized router 201. can do. For example, the gateway 203 can check whether a channel is created with the router 201 from which the data packet was received, and forward the data packet to the destination only when the channel is created.

As a result, unauthorized nodes are basically unable to communicate with each other, and even authorized nodes cannot transmit and receive data packets unless a channel determined by the controller 202 is created, according to the embodiment disclosed in this document. The network access control system may provide a state in which nodes connected to the router 201 are isolated from each other before authenticating their connection to the controller 202.

Figure 6 shows a signal flow diagram for controller connection according to various embodiments.

In order for the router 201 to connect to or receive a network, it needs to be authorized by the controller 202, so the access control application 211 of the router 201 requests the controller 202 to create a control flow, thereby enabling the router ( 201), you can try to connect to the controller.

Referring to FIG. 6, the router 201 can detect a controller connection event. For example, when the access control application 211 is installed and executed within the router 201, the router 201 may detect that a connection to the controller 202 is requested.

In operation 605, the router 201 may request controller connection to the controller 202. For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202. Additionally, the access control application 211 may use identification information of the router 201 (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address) and/or random information generated by the network system itself. Additional identification information may be transmitted.

In operation 610, the controller 202 may identify whether the object requesting controller connection (e.g., the access control application 211 or the router 201) can be connected. For example, the controller 202 stores the information requested by the access control application 211 for access (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address) in the access policy database 311. By checking whether the router 201 is in a connectable state and whether the identification information of the router 201 (at least one of the router unique identification information, USIM identification information connected to the router, and MAC address) is included in the blacklist database 314, It can be confirmed whether the router 201 is accessible.

According to the embodiment, when the router 201 operates while connected to the unique network of a wireless communication service provider or an Internet Service Provider (ISP) service provider, the controller 202 checks whether the router 201 is a valid target that can be accessed. In order to do so, the connected communication service can be requested to check whether the router 201 is allowed to access the router 201 and the result can be received.

If a connection is available, at operation 615, the controller 202 may create a control flow between the router 201 (or the connection control application 211) and the controller 202. In this case, the controller 202 generates control flow identification information in the form of a random number and controls the identification information of the router 201 (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address). It can be stored in the flow table 315. The information stored in the control flow table 315 may be used to authenticate the certificate of the router 201, update information of the router 201, check a policy for network access of the router 201, and/or check validity.

In operation 620, the controller 202 collects accessible data based on the access policy database 311 corresponding to the identified information (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address). You can create flows. In addition, the controller 202 provides the connection completion status as a result of the connection and the control flow identification information for identifying the control flow when the router 201 requests additional certificate authentication and continuously updates the router 201 information to the access control application 211. May return (action 625).

According to an embodiment, the controller 202 collects information for validating the router 201 based on the security check policy 320 (e.g., execution or installation location of the operating system and major applications, signature, fingerprint, hash, Unique information of the operating system and applications such as the registry, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable files, memory information, and whether the application and operating system are safe. Security inspection information can be transmitted to the router 201 by checking at least one of malware detection tool or pattern DB information for inspection, hardware and operating system configuration information and version information of the router, and information on physically connectable devices.

In operation 625, the controller 202 may transmit control flow identification information to the router 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller connection is unconnectable or included in the blacklist, the controller 202 may transmit unconnection information in operation 625 without generating a control flow. In one embodiment, the controller 202 may additionally transmit the confirmed security check information to the access control application 211 by performing operation 620.

In operation 630, the access control application 211 may perform a security check. For example, when the router 201 receives security check information from the controller 202, the received security check information (e.g., operation or installation location of the operating system and major applications, signature, fingerprint, hash, registry, etc.) Unique information, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable, memory information, and malware detection to check whether the application and operating system are safe. A security check may be performed based on at least one of tool or pattern DB information, router hardware and operating system configuration information and version information, and physically connectable device information.

In operation 635, the access control application 211 may transmit the security check result to the controller 202. For example, the access control application 211 may transmit the result of performing a security check based on the security check information to the controller 202.

At operation 640, controller 202 may check the security check results. For example, the controller 202 may check whether the operating system and application information included in the router 201 are valid according to the security check policy based on the received security check result information. According to the embodiment, the inspection results of the operating system and application of the router 201 are obtained through a harmful application inspection module (static inspection or AI-based inspection) included in the controller 202 or existing in another system connected to the controller 202. You can judge whether it is normal or not.

According to the embodiment, if the check of the operating system and application of the router 201 is not normal, the controller 202 may evaluate the risk level of the security check result based on the security check policy 320 and according to the risk level. You can block the connection to the router 201 by disabling the control flow, or isolate the connection to the router 201 by adding it to the blacklist. Additionally, in this case, the controller 202 may return a connection unavailable result to the router 201.

In operation 645, the controller 202 may process the channel and data flow if the operating system and application checks of the router 201 are normal. For example, the controller 202 may provide a method and identification information (e.g., MAC address of the node) to identify the permitted access target in order to allow access in advance to the node connected to the router 201 or the access relay application 212. Based identification method, identification method based on authentication information transmitted by the node when requesting network access, identification method of application requesting network access within the router 201, and destination IP and port information included in the IP header accordingly, protocol information, MAC address, A data flow including at least one of application identification information, an IP assigned to a node, and received network interface identification information) and whether a channel is needed between the router 201 and the gateway 203 can be created.

According to the embodiment, the protocol information included in the data flow is information for examining the protocol of data packets transmitted and received by the application, and includes protocol identification signature and version information, and header information to identify protocol information included when transmitting and receiving data packets. , may include protocol information. In addition, according to another embodiment, the protocol information identifies the protocol by examining the data packet to a certain extent (length) as necessary, information on whether to process it as a normal protocol, and a network access control application to perform the protocol inspection. at least one of the following: information about whether to transmit data packet information to the controller, information about when a network connection is attempted or whether to periodically check the protocol, and status information about whether the test is complete or whether more tests are needed. It may further include.

According to an embodiment, the data flow generated by the controller 202 may include certificate information to confirm whether the connection target is permitted when creating a channel.

Additionally, the controller 202 may check the gateway 203 to which the router 201 can access the network in the channel policy database 312 in order to allow the router 201 to access the network. For example, if there is a basic accessible gateway 203, the controller 202 sets the type of channel (e.g. tunnel, channel) that can be connected between the router 201 and the gateway 203 and a series of information for creating the channel. Channel information including (authentication information, encryption algorithm, Tunnel End Point IP, etc.) can be created.

According to the embodiment, a channel is not created between the router 201 and the gateway 203, but between the gateway 203 existing in the wireless network of a telecommunication company or ISP network that exists in the network to which the router 201 belongs. When connecting through a pre-connected channel or when connecting through another channel technology between the router 201 and the gateway 203, the controller 202 may not transmit separate channel creation information to the router.

In operation 650, the controller 202 may transmit the generated channel and data flow information to the router 201. According to the embodiment, the controller 202 may also transmit the generated channel and data flow information to the gateway 203. According to the embodiment, if a data flow is not created, the controller 202 may transmit a connection failure result to the router 201 and not transmit the data flow.

In operation 655, the access control application 211 may process a result value according to the received response. For example, when connection to the controller 202 is completed, a network connection request for a destination network of a node connected to the router 201 may be controlled by the controller 202.

According to another embodiment, controller 202 may determine that router 201 is unreachable. For example, if the router 201 and/or identification information of the network to which the router 201 belongs is included in the blacklist database, the controller 202 may determine that the router 201 is inaccessible. In this case, the controller 202 may not generate a control flow in operation 615 and may transmit a response indicating that controller connection is not possible in operation 625. Additionally, in this case, operations 630 to 650 may not be performed. Depending on the embodiment, if a retry of controller connection is required, the connection control application 211 may perform operation 605 again.

In addition, the access control application 211 can update the data flow of the router 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on the received data flow.

According to the embodiment, when the connection control application 211 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

According to the embodiment, when there is channel information received from the controller 202 and a channel to be created, the access control application 211 requests the gateway 203 to create a channel based on the channel information to create a channel. can be created.

Figure 7 shows a signal flow diagram for certificate authentication according to various embodiments.

The router 201 may perform user authentication through a UI (User Interface), but in the case of the router 201 operating in the form of a server, authentication may be performed based on a previously issued certificate rather than user authentication without a UI. It may be possible. In this case, the router 201 must be able to perform authentication based on a certificate in a situation where there is no UI.

In operation 705, the access control application 211 of the router 201 may perform router certificate authentication to receive detailed network access rights after creating a control flow with the controller 202. For example, the access control application 211 of the router 201 may transmit authentication information generated through a certificate set in the router 201 to the controller 202 and request certificate authentication.

At operation 710, controller 202 may verify certificate authentication. For example, the controller 202 determines whether a certificate is available for access based on information requested for authentication by the access control application 211 (e.g., authentication identification information, electronic signature information, etc.) and router information corresponding to the certificate (e.g., router-specific information). It is possible to check whether at least one of identification information, USIM identification information connected to the router, and MAC address) is accessible according to the policy. Additionally, the controller 202 can check whether the certificate identification information is included in the blacklist 314 and check whether the certificate requesting authentication is blocked. According to the embodiment, when connection is impossible or the certificate is included in the blacklist, the controller 202 may transmit connection inaccessibility information to the router 201 (operation 725).

According to the embodiment, when the router 201 operates while connected to a wireless communication service provider or an Internet Service Provider (ISP) service provider's own network, the controller 202 checks whether the router 201 is a valid connectionable target. To do this, you can request a connection to the router to be checked for connection to the connected communication service and receive the result.

In operation 715, if the certificate is accessible, the controller 202 may search for a control flow corresponding to the transmitted control flow identification information and add the certificate identification information to the searched control flow. According to the embodiment, the controller 202 may return the certificate authentication completion status and the access policy information of the authenticated certificate to the router 201 as a result of certificate authentication (operation 725).

In operation 720, the controller 202 selects an accessible data flow based on the access policy database 311 corresponding to the identified information (certificate identification information, router unique identification information, USIM identification information connected to the router, MAC address, etc.). Information can be generated.

According to an embodiment, the controller 202 collects information for validating the router 201 based on the security check policy 320 (e.g., execution or installation location of the operating system and major applications, signature, fingerprint, hash, Unique information of the operating system and applications such as the registry, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable files, memory information, and whether the application and operating system are safe. Security inspection information can be transmitted to the router 201 by checking at least one of malware detection tool or pattern DB information for inspection, hardware and operating system configuration information and version information of the router, and information on physically connectable devices.

In operation 725, the controller 202 may transmit information indicating that the certificate is authenticated to the router 201 in response to the certificate authentication request. In one embodiment, the controller 202 may transmit the security check information generated by performing operation 720 to the access control application 211.

In operation 730, the access control application 211 may perform a security check. For example, when the router 201 receives security check information from the controller 202, the received security check information (e.g., operation or installation location of the operating system and major applications, signature, fingerprint, hash, registry, etc.) Unique information, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable, memory information, and malware detection to check whether the application and operating system are safe. A security check may be performed based on at least one of tool or pattern DB information, router hardware and operating system configuration information and version information, and physically connectable device information).

In operation 735, the access control application 211 may transmit the security check result to the controller 202. For example, the access control application 211 may transmit the result of performing a security check based on the security check information to the controller 202.

At operation 740, controller 202 may check the security check results. For example, the controller 202 may check whether the operating system and application information included in the router 201 are valid according to the security check policy based on the received security check result information. According to the embodiment, the inspection results of the operating system and application of the router 201 are obtained through a harmful application inspection module (static inspection or AI-based inspection) included in the controller 202 or existing in another system connected to the controller 202. You can judge whether it is normal or not.

According to the embodiment, if the check of the operating system and application of the router 201 is not normal, the controller 202 may evaluate the risk level of the security check result based on the security check policy 320 and according to the risk level. You can block the connection to the router 201 by disabling the control flow, or isolate the connection to the router 201 by adding it to the blacklist. Additionally, in this case, the controller 202 may return a connection unavailable result to the router 201.

In operation 745, the controller 202 may process the channel and data flow if the operating system and application checks of the router 201 are normal. For example, the controller 202 may provide a method and identification information (e.g., MAC address of the node) to identify the permitted access target in order to allow access in advance to the node connected to the router 201 or the access relay application 212. Based identification method, identification method based on authentication information transmitted by the node when requesting network access, identification method of application requesting network access within the router 201, and destination IP and port information included in the IP header accordingly, protocol information, MAC address, A data flow including at least one of application identification information, an IP assigned to a node, and received network interface identification information) and whether a channel is needed between the router 201 and the gateway 203 can be created.

According to the embodiment, the protocol information included in the data flow is information for examining the protocol of data packets transmitted and received by the application, and includes protocol identification signature and version information, and header information to identify protocol information included when transmitting and receiving data packets. , may include protocol information. In addition, according to another embodiment, the protocol information identifies the protocol by examining the data packet to a certain extent (length) as necessary, information on whether to process it as a normal protocol, and a network access control application to perform the protocol inspection. at least one of the following: information about whether to transmit data packet information to the controller, information about when a network connection is attempted or whether to periodically check the protocol, and status information about whether the test is complete or whether more tests are needed. It may further include.

According to an embodiment, the data flow generated by the controller 202 may include certificate information to confirm whether the connection target is permitted when creating a channel.

Additionally, the controller 202 may check the gateway 203 to which the router 201 can access the network in the channel policy database 312 in order to allow the router 201 to access the network. For example, if there is a basic accessible gateway 203, the controller 202 sets the type of channel (e.g. tunnel, channel) that can be connected between the router 201 and the gateway 203 and a series of information for creating the channel. Channel information including (authentication information, encryption algorithm, Tunnel End Point IP, etc.) can be created.

According to the embodiment, a channel is not created between the router 201 and the gateway 203, but between the gateway 203 existing in the wireless network of a telecommunication company or ISP network that exists in the network to which the router 201 belongs. When connecting through a pre-connected channel or when connecting through another channel technology between the router 201 and the gateway 203, the controller 202 may not transmit separate channel creation information to the router.

In operation 750, the controller 202 may transmit the generated channel and data flow information to the router 201. According to the embodiment, the controller 202 may also transmit the generated channel and data flow information to the gateway 203. According to the embodiment, if a data flow is not created, the controller 202 may transmit a connection failure result to the router 201 and not transmit the data flow.

In operation 755, the access control application 211 may process a result value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen to the user indicating that certificate authentication is complete. Once certificate authentication is completed, the network connection request of the router 201 to the destination network can be controlled by the controller 202.

According to another embodiment, the controller 202 may determine that certificate authentication of the router 201 is not possible. For example, if the router 201 and/or the identification information of the network to which the router 201 belongs is included in the blacklist database, the controller 202 may determine that the router 201 is inaccessible and certificate authentication is not possible. . In this case, the controller 202 may not reflect the certificate identification information in operation 715 and may transmit a response indicating that controller connection is impossible in operation 725. Additionally, in this case, operations 730 to 750 may not be performed.

In addition, the access control application 211 can update the data flow of the router 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that

According to the embodiment, when the connection control application 211 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

Figure 8 shows a signal flow diagram for changing channel state information according to various embodiments.

The access control application 211 of the router 201 changes the channel status information to the controller 202 when the channel status changes, such as when channel creation is completed, channel creation fails, or the connection to the created channel is released. You can request.

In operation 805, the access control application 211 may detect a channel state information change event when channel creation is completed, channel creation fails, or the connection to the created channel is released.

In operation 810, the access control application 211 may transmit channel state information to the controller 202. For example, the access control application 211 may transmit channel identification information when channel creation is completed and IP information if a unique IP assigned at the time of channel creation exists. For another example, the access control application 211 may transmit channel identification information to the controller 202 when channel creation fails or the channel is released.

At operation 815, controller 202 may update channel status and data flow. For example, the controller 202 may update the channel state based on channel state information received from the router 201 and IP information assigned to the router 201.

According to the embodiment, when channel creation is completed, the controller 202 provides a method and identification information for identifying permitted access targets in order to allow access in advance to the node connected to the router 201 or the access relay application 212. (Example: MAC address-based identification method of the node, identification method based on authentication information transmitted by the node when requesting network access, identification method of application requesting network access within the router 201, and destination IP and port information included in the IP header accordingly , at least one of protocol information, MAC address, application identification information, IP assigned to the node, and received network interface identification information) and whether a channel is needed between the router 201 and the gateway 203 to generate a data flow. You can.

According to the embodiment, the protocol information included in the data flow is information for examining the protocol of data packets transmitted and received by the application, and includes protocol identification signature and version information, and header information to identify protocol information included when transmitting and receiving data packets. , may include protocol information. In addition, according to another embodiment, the protocol information identifies the protocol by examining the data packet to a certain extent (length) as necessary, information on whether to process it as a normal protocol, and a network access control application to perform the protocol inspection. at least one of the following: information about whether to transmit data packet information to the controller, information about when a network connection is attempted or whether to periodically check the protocol, and status information about whether the test is complete or whether more tests are needed. It may further include.

According to an embodiment, the data flow generated by the controller 202 may include certificate information to confirm whether the connection target is permitted when creating a channel.

According to an embodiment, when a channel is released or channel creation fails, the controller 202 may remove previously created channel information and data flows.

In operations 820 and 825, the controller 202 may transmit the updated data flow to the router 201 and the gateway 203. Additionally, the controller 202 may also transmit updated channel information.

Figure 9 shows a signal flow diagram for network access according to various embodiments.

After the router 201 is authorized by the controller 202, the router 201 transmits trusted data by controlling the network access of nodes connected to the router 201 through the access control application 211 of the router 201. can be guaranteed.

Referring to FIG. 9 , in operation 905, the access control application 211 may detect a network connection event of a node connected to the router 201. For example, the access control application 211 may receive a network connection event received from a network interface built into the router 201 from the network kernel of the operating system.

In operation 910, the connection control application 211 receives data packets (e.g., TCP Session creation, first UDP packet or consecutive UDP packets) for network connection between the service and the connection relay application 212 in the node or router 201. flow, etc.), at least one or more of the node authentication information included in the data packet, the MAC address or the identification information of the connection relay application 212, the destination IP and port information included in the IP header, and the protocol information. Based on this, you can check whether a data flow exists. According to an embodiment, when a data flow exists but is invalid (e.g., data packet transmission is not possible, data packets are not received from a network interface authorized on the data flow, or a channel for data packet transmission does not exist) at least one of), the access control application 211 may drop a data packet. According to another embodiment, when a data flow exists, the access control application 211 may transmit data packets based on the data flow. According to an embodiment, the access control application 211 of the router 201 may perform a network connection request in operation 915 without performing operation 910.

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time has expired and needs to be updated, in operation 915, the access control application 211 may request network access from the controller 202. For example, a network connection request may include control flow identification information, destination network identification information, and port information. Additionally, the network connection request may include at least one or more identification information among node authentication information included in the data packet, MAC address included in the data packet, or identification information of the access relay application 212. According to the embodiment, the network connection request may further include at least one of protocol information (eg, TCP, UDP, etc.), an IP assigned to the node, and received network interface identification information. According to an embodiment, the protocol information included in the network connection request may be different from the protocol information included in the data flow.

In operation 920, the controller 202 collects the connection request identification information (e.g., node authentication information, MAC address, connection relay) from the connection policy corresponding to the identified information (e.g., router, channel information) based on the control flow identification information. It is possible to check whether connection is possible based on the identification information of the application 212, destination IP and service port information, protocol information, and received network interface identification information). Depending on the embodiment, when network connection is not possible, the controller 202 may transmit a connection failure result to the connection control application 211 of the router 201 (operation 940).

If the connection is available, at operation 925 the controller 202 may check the authentication policy 317. For example, if the node must perform authentication based on the authentication policy 317, the controller 202 may use the authentication method included in the authentication policy 317 (e.g., for TCP, TCP SYN packet authentication, UDP). (authentication by data packet or authentication at regular intervals (or cycles), authentication method and timing, etc.), information for decoding authentication information, algorithm information for verifying authentication information, and a series of information included in the algorithm (e.g. HMAC OTP generation) Authentication of node authentication information can be performed according to information such as Secret Key, etc.). According to an embodiment, if authentication fails, the controller 202 may deny network access (operation 940).

According to an embodiment, if authentication must be performed but node authentication information is not present in the network connection request, the controller 202 may deny the network connection (act 940).

According to the embodiment, when authentication must be performed in the router 201, the controller 202 does not perform authentication, but generates authentication information based on the authentication policy 317 and includes it in the data flow to transmit the authentication information to the router 201. (Operation 940).

If access is possible and authentication is complete, in operation 930, the controller 202 may check the channel policy database 312 and the service policy database 318 to allow the router 201 to access the network. For example, the controller 202 can determine whether a gateway 203 exists on the path to the destination service and whether a channel is needed between the gateway 203 and the router 201 based on the channel policy database 312. And, if a channel is needed, you can check whether the channel has been created. According to the embodiment, the controller 202 may check whether a channel has been created based on the channel table 319.

According to the embodiment, when a channel has been created or when channel creation is not necessary, the controller 202 selects an allowed connection target in advance to allow the node connected to the router 201 or the connection relay application 212 to access the connection. Method for identification and identification information (e.g., identification method based on the node's MAC address, identification method based on authentication information transmitted by the node when requesting network access, identification method for the application requesting network access within the router 201, and accordingly in the IP header) At least one of the included destination IP and port information, protocol information, MAC address, application identification information, IP assigned to the node, and received network interface identification information) and whether a channel is needed between the router 201 and the gateway 203. You can create a data flow that includes

According to the embodiment, the protocol information included in the data flow is information for examining the protocol of data packets transmitted and received by the application, and includes protocol identification signature and version information, and header information to identify protocol information included when transmitting and receiving data packets. , may include protocol information. In addition, according to another embodiment, the protocol information identifies the protocol by examining the data packet to a certain extent (length) as necessary, information on whether to process it as a normal protocol, and a network access control application to perform the protocol inspection. at least one of the following: information about whether to transmit data packet information to the controller, information about when a network connection is attempted or whether to periodically check the protocol, and status information about whether the test is complete or whether more tests are needed. It may further include.

According to an embodiment, the data flow generated by the controller 202 may include certificate information to confirm whether the connection target is permitted when creating a channel. In this case, the controller 202 may transmit the generated data flow to the router 201 and the gateway 203. However, if the data flow has already been created, the controller 202 may not create the data flow again.

According to the embodiment, when a channel has not been created and channel creation is necessary, the controller 202 sets the type of channel (tunnel, channel, etc.) that can be connected between the router 201 and the gateway 203 and a series of channels for creating the channel. Channel information including information (e.g., authentication information, encryption algorithm, Tunnel End Point IP, etc.) may be created, and the created channel information may be transmitted to the router 201 and the gateway 203 (operations 935 and 940).

In operation 945, the access control application 211 may process a result value for the response received from the controller 202. For example, when the access control application 211 receives a network connection unavailable result from the controller 202, the node connected to the router 201 may drop the data packet that the node connected to the router 201 wants to transmit. For another example, when a data flow is received from the controller 202 and authentication is completed, the access control application 211 may transmit a data packet based on the received data flow. In this case, the access control application 211 may update the existing data flow with the received data flow.

According to an embodiment, when channel information is received from the controller 202, the access control application 211 may request channel creation to the gateway 203 based on the received channel information. In this case, when channel creation with the gateway 203 is completed, the access control application 211 may transmit information indicating that channel creation is complete to the controller 202 (e.g., operation shown in FIG. 8).

According to the embodiment, when network access is possible but authentication is not completed and authentication information is received from the controller 202, the access control application 211 decrypts the node authentication information based on the authentication information and performs authentication. You can. For example, when authentication is completed, the access control application 211 may transmit a data packet based on the data flow. As another example, if authentication fails, the access control application 211 may drop the data packet.

10A and 10B illustrate signal flow diagrams for processing transmission of data packets according to various embodiments.

Referring to FIG. 10A, in operation 1005, the access control application 211 may detect a data packet transmission event of a node or target application.

In operation 1010, the access control application 211 may check whether a data flow corresponding to the data packet that the node or target application wants to transmit exists. For example, the access control application 211 may check whether a data flow exists corresponding to at least one of node identification information, target application identification information, MAC address, destination IP, and port information. According to an embodiment, if a data flow exists but is not valid (e.g., in a transmission-impossible state, network connection was previously rejected from the controller 202), or if the data flow does not exist, the access control application 211 controls the data flow. Packets can be dropped.

If a valid data flow exists, in operation 1015, the access control application 211 may check whether protocol inspection is necessary based on protocol information included in the data flow. For example, the access control application 211 requires a protocol check according to the protocol check status included in the protocol information (whether the protocol check is needed, whether the protocol check is completed by a previous data packet transmission check, whether the protocol check is needed periodically, etc.) You can check whether it was done or not. According to an embodiment, the access control application 211 may transmit a data packet when protocol checking is not required.

According to the embodiment, when a protocol check is necessary and the access control application 211 directly performs the protocol check, the access control application 211 may perform operation 1020. According to another embodiment, when a protocol check is necessary and the controller 202 performs the protocol check, the access control application 211 may perform operation 1045 of FIG. 10B.

In operation 1020, the access control application 211 may check the protocol of the data packet based on protocol information included in the data flow. For example, the access control application 211 may check whether the data packet includes signature and version information, header information, and protocol information to identify whether the protocol is allowed. According to the embodiment, the access control application 211 may inspect data packets up to the inspection range (length) required for protocol inspection based on protocol information.

According to an embodiment, if the protocol check fails, the access control application 211 may drop the data packet, remove the data flow, and transmit the protocol check result including identification information of the control flow to the controller 202 (operation 1025 ).

According to the embodiment, if the test is successful, the access control application 211 may change the transmission protocol test status to completed and transmit the data packet.

At operation 1030, the controller 202 may determine risk information based on the received protocol check results, protocol policy, and blacklist policy. For example, if the risk degree is in the first range (e.g., if the risk degree is low), the controller 202 removes the data flow and sends the removal information of the data flow to the router 201 and the gateway associated with the router 201. It may be transmitted to (203) (operation 1035). For another example, if the risk level is in the second range (e.g., high risk level), the controller 202 removes the control flow, channel, and data flow so that the router 201 can no longer maintain network connectivity. , the removed control flow, data flow, and channel information may be transmitted to the router 201 and the gateway 203 (operation 1035). As another example, if the risk level is in the third range (e.g., if the risk level is severe), the controller 202 removes control flows, channels, and data flows so that the router 201 can no longer maintain network connectivity. and transmits the removed control flow, data flow, and channel information to the router 201 and the gateway 203 (operation 1035), and blacklists the router 201 and the users of the router 201 so that they can no longer access it (314). ) can be added to .

In operation 1040, the access control application 211 may process the result received from the controller 202. For example, when receiving network connection disconnection information from the controller 202, the access control application 211 may terminate the node or target application or block all network connections of the node or target application.

Referring to FIG. 10B, operations 1005 to 1015 may be substantially the same as the operations shown in FIG. 10A.

In operation 1045, the access control application 211 may perform a protocol check request to the controller 202. For example, the access control application 211 collects data packets up to the inspection range required for protocol inspection based on the protocol information included in the data flow, transmits them to the controller 202, and provides identification information of the data flow corresponding to the data packet. can be transmitted. According to an embodiment, the inspection range required for protocol inspection may include some, all, or a plurality of data packets as needed. According to the embodiment, when the access control application 211 requests a protocol check from the controller 202, the data packet is transmitted and processed, and when the protocol check result is received from the controller 202, the node or target application is based on the protocol check result. You can control network access.

At operation 1045, the controller 202 may check the protocol of the data packet based on protocol information included in the data flow. For example, the controller 202 may check whether the received data packet includes signature and version information, header information, and protocol information to identify whether the protocol is allowed.

According to the embodiment, if the test is successful, the controller 202 may change the transmission protocol test status of the data flow to completed and transmit the data flow to the access control application 211.

If the check fails, in operation 1050, the controller 202 may determine risk information based on the protocol check results, protocol policy, and blacklist policy. For example, if the risk degree is in the first range (e.g., if the risk degree is low), the controller 202 removes the data flow and sends the removal information of the data flow to the router 201 and the gateway associated with the router 201. 203 (operation 1055). For another example, if the risk level is in the second range (e.g., high risk level), the controller 202 removes the control flow, channel, and data flow so that the router 201 can no longer maintain network connectivity. , the removed control flow, data flow, and channel information may be transmitted to the router 201 and the gateway 203 (operation 1055). As another example, if the risk level is in the third range (e.g., if the risk level is severe), the controller 202 removes control flows, channels, and data flows so that the router 201 can no longer maintain network connectivity. and transmits the removed control flow, data flow, and channel information to the router 201 and the gateway 203 (operation 1055), and blacklists the router 201 and the users of the router 201 so that they can no longer access it (314). ) can be added to .

In operation 1060, the access control application 211 may process the result received from the controller 202. For example, when receiving network connection disconnection information from the controller 202, the access control application 211 may terminate the node or target application or block all network connections of the node or target application.

11A and 11B illustrate signal flow diagrams for processing reception of data packets according to various embodiments.

Referring to FIG. 11A, in operation 1105, the access control application 211 may detect a data packet reception event of a node or target application.

In operation 1110, the access control application 211 may check whether a data flow corresponding to the data packet that the node or target application wants to receive exists. For example, the access control application 211 may check whether a data flow exists corresponding to at least one of node identification information, target application identification information, MAC address, source IP, and port information. According to an embodiment, if a data flow exists but is not valid (e.g., in a reception unavailable state, network connection was previously rejected from the controller 202), or if the data flow does not exist, the access control application 211 stores the data. Packets can be dropped.

If a valid data flow exists, in operation 1115, the access control application 211 may check whether protocol inspection is necessary based on protocol information included in the data flow. For example, the access control application 211 requires a protocol check according to the protocol check status included in the protocol information (whether a protocol check is needed, whether the protocol check is completed by a previous data packet reception check, whether a protocol check is needed periodically, etc.). You can check whether it was done or not. According to an embodiment, the access control application 211 may receive data packets when protocol checking is not required.

According to the embodiment, when a protocol check is necessary and the access control application 211 directly performs the protocol check, the access control application 211 may perform operation 1120. According to another embodiment, when a protocol check is necessary and the controller 202 performs the protocol check, the access control application 211 may perform operation 1145 of FIG. 11B.

In operation 1120, the access control application 211 may check the protocol of the data packet based on protocol information included in the data flow. For example, the access control application 211 may check whether the data packet includes signature and version information, header information, and protocol information to identify whether the protocol is allowed. According to the embodiment, the access control application 211 may inspect data packets up to the inspection range (length) required for protocol inspection based on protocol information.

According to an embodiment, if the protocol check fails, the access control application 211 may drop the data packet, remove the data flow, and transmit the protocol check result including identification information of the control flow to the controller 202 (operation 1125 ).

According to the embodiment, if the test is successful, the access control application 211 may change the reception protocol test status to complete and receive the data packet.

At operation 1130, the controller 202 may determine risk information based on the received protocol check results, protocol policy, and blacklist policy. For example, if the risk degree is in the first range (e.g., if the risk degree is low), the controller 202 removes the data flow and sends the removal information of the data flow to the router 201 and the gateway associated with the router 201. 203 (operation 1135). For another example, if the risk level is in the second range (e.g., high risk level), the controller 202 removes the control flow, channel, and data flow so that the router 201 can no longer maintain network connectivity. , the removed control flow, data flow, and channel information may be transmitted to the router 201 and the gateway 203 (operation 1135). As another example, if the risk level is in the third range (e.g., if the risk level is severe), the controller 202 removes control flows, channels, and data flows so that the router 201 can no longer maintain network connectivity. and transmits the removed control flow, data flow, and channel information to the router 201 and the gateway 203 (operation 1135), and blacklists the router 201 and the users of the router 201 so that they can no longer access it (314). ) can be added to .

In operation 1140, the access control application 211 may process the result received from the controller 202. For example, when receiving network connection disconnection information from the controller 202, the access control application 211 may terminate the node or target application or block all network connections of the node or target application.

Referring to FIG. 11B, operations 1105 to 1115 may be substantially the same as the operations shown in FIG. 11A.

In operation 1145, the access control application 211 may perform a protocol check request to the controller 202. For example, the access control application 211 collects data packets up to the inspection range required for protocol inspection based on the protocol information included in the data flow, transmits them to the controller 202, and provides identification information of the data flow corresponding to the data packet. can be transmitted. According to an embodiment, the inspection range required for protocol inspection may include some, all, or a plurality of data packets as needed. According to the embodiment, when the access control application 211 requests a protocol check from the controller 202, the data packet is received and processed, and when the protocol check result is received from the controller 202, the node or target application is based on the protocol check result. You can control network access.

At operation 1145, the controller 202 may check the protocol of the data packet based on protocol information included in the data flow. For example, the controller 202 may check whether the received data packet includes signature and version information, header information, and protocol information to identify whether the protocol is allowed.

According to the embodiment, if the test is successful, the controller 202 may change the reception protocol test status of the data flow to completed and transmit the data flow to the access control application 211.

If the check fails, in operation 1150, the controller 202 may determine risk information based on the protocol check results, protocol policy, and blacklist policy. For example, if the risk degree is in the first range (e.g., if the risk degree is low), the controller 202 removes the data flow and sends the removal information of the data flow to the router 201 and the gateway associated with the router 201. 203 (operation 1155). For another example, if the risk level is in the second range (e.g., high risk level), the controller 202 removes the control flow, channel, and data flow so that the router 201 can no longer maintain network connectivity. , the removed control flow, data flow, and channel information may be transmitted to the router 201 and the gateway 203 (operation 1155). As another example, if the risk level is in the third range (e.g., if the risk level is severe), the controller 202 removes control flows, channels, and data flows so that the router 201 can no longer maintain network connectivity. and transmits the removed control flow, data flow, and channel information to the router 201 and the gateway 203 (operation 1155), and blacklists the router 201 and the users of the router 201 so that they can no longer access it (314). ) can be added to .

In operation 1160, the access control application 211 may process the result received from the controller 202. For example, when receiving network connection disconnection information from the controller 202, the access control application 211 may terminate the node or target application or block all network connections of the node or target application.

Figure 12 shows a signal flow diagram for updating a control flow of a router according to various embodiments.

Referring to FIG. 12, in operation 1205, the access control application 211 may detect a control flow update event.

According to an embodiment, when a control flow update event is detected, the access control application 211 collects the security check information received from the controller 202 (e.g., execution or installation location of the operating system and major applications, signature, fingerprint, hash, Unique information of the operating system and applications such as the registry, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable files, memory information, and whether the application and operating system are safe. A security check is performed based on at least one of malware detection tool or pattern DB information, router hardware and operating system configuration information and version information, and physically connectable device information) and transmits the results to the controller 202. You can.

In operation 1210, the access control application 211 may request a control flow update from the controller 202 based on control flow identification information. According to the embodiment, the access control application 211 may transmit the security check results to the controller 202.

In operation 1215, the controller 202 may check whether a control flow exists in a control flow table (e.g., control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (e.g., when the connection is disconnected by another security system, when the connection is disconnected due to its own risk detection, etc.), the controller 202 determines that the connection of the router 201 is valid. Since this is not done, a connection failure result can be transmitted to the access control application 211 (operation 1225).

According to the embodiment, if a control flow exists, the controller 202 checks whether the operating system and application information included in the router is valid according to the security check policy based on the received security check result information, or checks whether the operating system and application information included in the router is valid. Through the harmful application inspection module (static inspection or AI-based inspection) included in or existing in other systems connected to the controller, it is possible to determine whether the inspection results of the router's operating system and application are normal. In this case, if the test result is abnormal, the controller 202 may remove the control flow, dependent channel information, and data flow and transmit the removed information to the router 201 and gateway 203 (operations 1220 and 1225 ).

According to the embodiment, if the inspection result is normal, the controller 202 may update the update time, check the data flow dependent on the control flow, perform re-authentication of the data flow, or return the data flow to the router 201. There is (action 1225).

In operation 1230, the access control application 211 of the router 201 may process the result of the response received from the controller 202. For example, the access control application 211 may block all network connections of nodes connected to the router 201 when the control flow update result is impossible. For another example, the connection control application 211 may update the data flow if the control flow update result is normal and an updated data flow exists.

Figure 13 shows a signal flow diagram for disconnection of a router according to various embodiments.

Referring to FIG. 13, in operation 1305, the router 201 terminates the router 201, terminates the connection control application 211, no longer uses the network connection, and terminates the connection based on information identified from the interworking system. At least one of the requests can be detected. In this case, in operation 1310, the router 201 or the access control application 211 may request the controller 202 to remove the control flow.

At operation 1315, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1320, the controller 202 may remove all data flows dependent on the removed control flow. Accordingly, the router 201 can no longer connect to the destination network based on the removed data flow. Additionally, the controller 202 performs a request to remove the channel and data flow to the gateway 203, which relays all data flows dependent on the removed control flow, thereby establishing a state in which data packets can no longer be transmitted to the destination network. can be provided.

Figure 14 is a flowchart showing a method of operating an access control application installed on a router according to various embodiments. The operations shown in FIG. 14 can be performed through the access control application 211 installed in the router 201 of FIG. 2.

Referring to FIG. 14, in operation 1405, the access control application 211 may detect a data packet transmission event of a node or target application.

In operation 1410, the access control application 211 may check the existence of a data flow received from an external server that corresponds to at least one of the MAC address information of the node, the identification information of the node, and the identification information of the target application.

In operation 1415, the access control application 211 determines whether to perform the protocol check of the data packet itself or through an external server based on the protocol information included in the data flow, and checks the protocol itself or uses an external server. You can check the protocol through

In operation 1420, the access control application 211 may transmit the data packet when the protocol check of the data packet is completed.

Figure 15 is an operation flowchart showing a server operation method according to various embodiments. The operations shown in FIG. 15 may be performed through the controller 202 of FIG. 2.

Referring to FIG. 15, in operation 1505, the server may receive a data packet protocol inspection request from the router's access control application.

In operation 1510, the server may check the protocol of the collected data packets up to the inspection range required for protocol inspection based on the protocol information included in the data flow corresponding to the identification information of the data flow.

In operation 1515, when the inspection is completed, the server may update the protocol inspection status of the data flow to a completed status and transmit the updated data flow to the router.

Figure 16 shows an example data packet according to various embodiments.

Referring to FIG. 16, a data packet 1605 capable of identifying a MAC address among nodes connected to the router 201 may include a MAC address along with an IP header.

A UDP data packet 1610 including a node header may include an IP header, a node header (Device Header), and a payload. For example, the node header 1615 may include node identification information and node authentication information.

The TCP data packet 1615 including the node header may include an IP header, a TCP header, a node header, and a payload. For example, node header 1620 may include node identification information and node authentication information.

According to the embodiment, the node authentication information may be information for commonly authenticating all network connections transmitted from the node, or for authenticating by network connection unit (destination IP and port).

The node inserts the node identification information and authentication information given in advance by the controller 202 (e.g., for TCP, inserting TCP SYN packets, for UDP, inserting authentication information for each data packet, or at regular intervals (or cycles). Authentication information insertion, insertion method and timing, etc.), information for encryption of authentication information, algorithm information for generating authentication information, and a series of information included in the algorithm (e.g. information such as Secret Key when generating HMAC OTP). ), a node header can be created and transmitted by including it in a data packet. The node header included in the data packet may be authenticated by the router 201 or the controller 202 to check whether it is a normally transmitted data packet.

The above description is merely an illustrative explanation of the technical idea disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be interpreted as being included in the scope of rights of this document.

Claims (14)

In the router,
communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor, storing a target application, a connection control application, and a proxy, wherein the memory, when executed by the processor, causes the router to:
A data packet transmission event of a node or the target application is detected through the access control application, and the data packet transmission event includes at least one of MAC address information of the node, identification information of the node, and identification information of the target application. Contains,
Corresponding to at least one of the MAC address information of the node, the identification information of the node, and the identification information of the target application, and confirming the existence of a data flow received from an external server,
Based on the protocol information included in the data flow, determine whether to perform the protocol check of the data packet itself or through the external server,
Based on the protocol information, collect the data packets up to the inspection range required for protocol inspection, and inspect the protocol on its own or through the external server based on the collected data packets,
A router, storing instructions, configured to transmit the data packet when protocol checking of the data packet is completed. The method of claim 1, wherein the commands allow the router to:
Check whether a protocol check is necessary based on the protocol information included in the data flow through the access control application,
A router configured to transmit a data packet intended to be transmitted by a node or the target application when the protocol check is not necessary. According to claim 1,
The data flow includes certificate information used to check whether a channel can be created,
The commands determine whether the node or the target application is capable of creating a channel based on the certificate information through the proxy when the router receives a channel creation request from the node or the target application through the access control application. Check,
A router configured to process service requests from the node or the target application based on the created channel. The method of claim 1, wherein the commands allow the router to:
When performing a protocol check of the data packet on its own, signature information, version information, and header information to identify whether the protocol is allowed for the data packet based on the protocol information included in the data flow through the access control application. and check whether at least one of the protocol information is included,
A router, configured to drop the data packet if a protocol check of the data packet fails. The method of claim 4, wherein the commands allow the router to:
A router, configured to inspect the data packet to an inspection range required for protocol inspection based on protocol information included in the data flow through the access control application. The method of claim 4, wherein the commands allow the router to:
If the protocol check of the data packet fails, transmit the protocol check result to the external server,
A router, configured to receive removal information of the data flow or connection blocking information with the external server determined in relation to a risk level of the protocol check result from the external server. The method of claim 1, wherein the commands allow the router to:
When checking a protocol through the external server, transmitting the collected data packets to the external server through the access control application and performing a protocol inspection request,
A router configured to receive a protocol check result from the external server and control network access of the node or the target application based on the received protocol check result. The method of claim 7, wherein the commands allow the router to:
When an updated data flow with a protocol check complete status is received from the external server, transmitting a data packet of the node or the target application based on the updated data flow through the connection control application,
When receiving removal information of the data flow determined in relation to the risk level of the protocol check result from the external server or information blocking the connection to the external server, network connection of the node or the target application is established through the access control application. Routers configured to block. The method of claim 1, wherein the commands allow the router to:
Detect a data packet reception event through the access control application,
Check whether a data flow corresponding to the received data packet and received from an external server exists,
Based on the protocol information included in the data flow, determine whether to perform the protocol check of the received data packet on its own or through the external server, and check the protocol itself or check the protocol through the external server. ,
The router, configured to change the received protocol check state for the data flow to a completed state when the protocol check of the received data packet is completed. On the server,
communication circuit; memory to store the database; and a processor operatively connected to the communication circuit and the memory, the processor comprising:
Receiving a data packet protocol inspection request from a connection control application of a router, the data packet protocol inspection request including data packets collected up to an inspection range required for protocol inspection and identification information of a data flow corresponding to the data packet,
Checking the protocol of the collected data packets to the inspection range necessary for the protocol inspection based on the protocol information included in the data flow corresponding to the identification information of the data flow,
The server, configured to update the protocol inspection status of the data flow to a completed state when the inspection is completed, and transmit the updated data flow to the router. 11. The method of claim 10, wherein the processor:
Based on the protocol information included in the data flow, at least one of signature information, version information, header information, and protocol information for identifying whether the protocol is allowed in the data packet collected up to the inspection range required for the protocol inspection is included. A server configured to check whether a server exists. 11. The method of claim 10, wherein the processor:
If the protocol check fails, determine the degree of protocol check risk based on the protocol policy and blacklist policy included in the database,
If the risk level is in a first range, remove the data flow and transmit removal information of the data flow to the router and a gateway associated with the router,
If the risk level is in the second range, remove the data flow, block the node's connection, remove the channel between the router and the gateway, and transmit the result to the router and the gateway,
If the risk level is in the third range, the server is configured to block the connection of the router and add the identification information of the router to a blacklist. 11. The method of claim 10, wherein the processor:
A protocol check result is received from the access control application of the router, and the protocol check result is a result of the access control application performing a protocol check on its own based on the data flow,
Determine the degree of risk of the protocol inspection result based on the protocol inspection result, the protocol policy and the blacklist policy included in the database,
A server configured to determine a degree of blocking network access of the router according to the degree of risk. In the method of operating the access control application installed on the router,
Detecting a data packet transmission event of a node or a target application, the data packet transmission event including at least one of MAC address information of the node, identification information of the node, and identification information of the target application;
An operation of checking the existence of a data flow received from an external server and corresponding to at least one of MAC address information of the node, identification information of the node, and identification information of the target application;
An operation of determining whether to perform a protocol check of the data packet independently or through the external server based on protocol information included in the data flow;
An operation of collecting the data packets up to the inspection range required for protocol inspection based on the protocol information, and inspecting the protocol on its own or through the external server based on the collected data packets; and
Transmitting the data packet when the protocol check of the data packet is completed; Method, including.

Images