KR20170041614A - Apparatus and method for securiting network based on whithlist - Google Patents

Abstract

Disclosed are an apparatus and method for network security based on a white list. The apparatus for network security according to the present invention comprises: a network collection unit which collects network state information, corresponding to a plurality of pieces of traffic generated in a network, based on a network switch; a white list generation unit which generates a white list using resources permitted by a network administrator to use, based on the network state information; an alarm generation unit which transmits an alarm to the network administrator when traffic violating the white list is generated; and a network security unit which blocks the connection of the traffic via the network switch when a blocking request regarding the traffic is received from the network administrator.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a white list-based network security apparatus and method,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a white list-based network security system, and more particularly to a white list-based network security system capable of defining a whitelist based on communication rules allowed by a network administrator, To a network security apparatus and method.

Although a method for detecting an attack and detecting access based on a blacklist is generally used as a method for network security, such a security method is not applicable to a blacklist-based modified attack, a zero-day attack, and an APT There is a problem in that it can not respond to an attack.

In addition, NAC (Network Access Control) technology, which is a technology that allows only secure devices to be accessed by checking the security status of a device connected to the network, installs a management program on a user's PC, server or device. Programmable Logic Controller) is installed.

In addition, when a separate equipment is used to monitor internal network traffic, it is difficult to realistically manage due to high installation cost and complicated line connection. When the switch mirroring function is utilized, the mirroring function loads the network switch, There is a fear that it may be inhibited. In addition, there is a disadvantage that it is impossible to respond to threats to secure the safety of other equipment when detecting cyber threats.

Korean Registered Patent No. 10-1455167, registered on October 21, 2014 (name: white list-based network switch)

It is an object of the present invention to provide a network security method capable of defining a white list accessible to a network and monitoring and blocking network traffic based on the defined white list.

It is also an object of the present invention to provide a network management environment in which a network administrator can focus on important alarms by omitting repetitive traffic alarms.

It is another object of the present invention to enable a network administrator to effectively perform network security by providing a dashboard for checking the status of network security at a glance.

According to an aspect of the present invention, there is provided a network security apparatus comprising: a network collector for collecting network status information corresponding to a plurality of traffic occurring on a network based on a network switch; A whitelist generating unit for generating a whitelist based on the resource authorized by the network manager based on the network status information; An alarm generating unit for generating an alarm to the network manager when a traffic violating the whitelist occurs; And a network security unit for blocking access to the traffic through the network switch when a blocking request for the traffic is received from the network manager.

At this time, if the alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than the preset reference number, the alarm generating unit adds any one of the communication rules to the blind list And an alarm control unit for controlling the alarm by the same traffic to be omitted.

In this case, the alarm generating unit may further include an alarm recording unit for recording an alarm log corresponding to an alarm that is omitted by the blind list when at least one communication rule of the plurality of communication rules is added to the blind list have.

The alarm generating unit may further include a blind list management unit for extracting unused communication rules from the at least one communication rule based on the alarm log, can do.

In this case, the network security device may extract a communication rule that has not been used for a predetermined period of time among the plurality of communication rules included in the white list as a white list deletion candidate, and recommends the communication rule to the network administrator. And an additional list recommendation unit for extracting a white list addition candidate to be added to the whitelist based on the traffic log recorded corresponding to the traffic in which the alarm occurs, and recommending the white list addition candidate to the network administrator.

At this time, the network security apparatus switches at least one of the white list deletion candidate and the white list addition candidate to the correction wait state based on the approval of the network administrator, and deletes at least one of deletion and addition And a white list correction unit for performing a correction corresponding to one of the white-list correction units.

At this time, the whitelist generating unit may generate the first type service, the first type service registered in the network, and the first type service registered in the network, And generate the whitelist using at least one of the second type services.

At this time, the whitelist generation unit searches the first type IP among the plurality of client IPs included in the network status information, and searches for the second type IP among the remaining IPs except for the first type IP part; And a service searching unit searching the first type service among a plurality of services included in the network status information and searching for the second type service among the remaining services except for the first type service.

At this time, the communication rule may be configured based on at least one of a server IP, a server port, a protocol, a client IP, and a traffic communication direction.

According to another aspect of the present invention, there is provided a network security method based on a white list, comprising: collecting network status information corresponding to a plurality of traffic occurring on a network based on a network switch; Generating a whitelist using resources allowed to use by the network manager based on the network status information; Generating an alarm to the network manager when traffic violates the whitelist; And blocking access of the traffic through the network switch when a blocking request for the traffic is received from the network manager.

At this time, the step of generating an alarm may include the step of, when an alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than a preset reference number, And controlling so that an alarm by the same traffic is omitted.

Wherein the step of generating an alarm further includes the step of recording an alarm log corresponding to an alarm that is omitted by the blind list when at least one communication rule of the plurality of communication rules is added to the blind list can do.

At this time, in the step of generating an alarm, a step of extracting a communication rule which is not used during a predetermined alarm generation period of the at least one communication rule based on the alarm log, as a blind list deletion candidate, .

In this case, the network security method may include extracting a communication rule that has not been used for a predetermined period of time among a plurality of communication rules included in the whitelist as a white list deletion candidate, and recommending the communication rule to the network administrator. And a step of extracting a white list addition candidate to be added to the white list based on the traffic log recorded corresponding to the traffic in which the alarm occurs, and recommending the white list addition candidate to the network manager.

At this time, the network security method switches at least one of the white list deletion candidate and the white list addition candidate to the correction waiting state based on the approval of the network administrator, and deletes at least one of deletion and addition And performing a correction corresponding to one of the plurality of correction values.

At this time, the step of generating a whitelist may include the steps of: registering a first type IP registered in the network, a second type IP allowed by the network manager, a first type service registered in the network, And the at least one of the second type services that is not infringed may be used to generate the whitelist.

At this time, the step of generating a whitelist may include searching the first type IP among a plurality of client IPs included in the network status information, searching for the second type IP among remaining IPs excluding the first type IP, ; And searching for the first type service among a plurality of services included in the network status information and searching for the second type service among the remaining services excluding the first type service.

At this time, the communication rule may be configured based on at least one of a server IP, a server port, a protocol, a client IP, and a traffic communication direction.

According to the present invention, a white list accessible to a network can be defined, and a network security method capable of monitoring and blocking network traffic based on the white list can be provided.

In addition, the present invention can provide a network management environment in which a network administrator can concentrate on important alarms by omitting repetitive traffic alarms.

In addition, the present invention can provide a network security status at a glance through a dashboard, thereby enabling a network administrator to effectively perform network security.

1 is a block diagram illustrating a white list-based network security system according to an embodiment of the present invention.
2 is a diagram illustrating an example of the operation of the network security system shown in FIG.
3 is a block diagram showing an example of the network security apparatus shown in FIG.
4 is a block diagram showing an example of the whitelist generating unit shown in FIG.
5 is a block diagram showing an example of the alarm generating unit shown in FIG.
6 is a diagram illustrating an alarm occurrence when a blind list is used according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a white list correction procedure according to an exemplary embodiment of the present invention. Referring to FIG.
FIG. 8 is a diagram illustrating an example in which a white list of a plurality of network switches is integratedly managed through the network security apparatus according to the present invention.
FIG. 9 is a flowchart illustrating a network security method based on a white list according to an exemplary embodiment of the present invention.
FIG. 10 is a flowchart illustrating a method for generating a whitelist among network security methods shown in FIG.
FIG. 11 is a flowchart illustrating an alarm generation process according to a blind list among the network security methods shown in FIG.
12 is a flowchart illustrating a method of managing a blind list according to an embodiment of the present invention.
13 is a flowchart illustrating a method of deleting a whitelist according to an embodiment of the present invention.
14 is a flowchart illustrating a method of adding a whitelist according to an embodiment of the present invention.
15 is a flowchart illustrating a process of correcting a whitelist according to at least one of deletion and addition according to an embodiment of the present invention.

The present invention will now be described in detail with reference to the accompanying drawings. Hereinafter, a repeated description, a known function that may obscure the gist of the present invention, and a detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art. Accordingly, the shapes and sizes of the elements in the drawings and the like can be exaggerated for clarity.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram illustrating a white list-based network security system according to an embodiment of the present invention.

1, a white list-based network security system according to an embodiment of the present invention includes a network security device 110, network switches 120-1 to 120-N, terminals 130-1 and 130-2 And a network manager 140.

The network security device 110 generates a whitelist based on the network status information collected through the network switches 120-1 to 120-N and accesses the terminals 130-1 and 130-2 accessing the network And can perform the function of performing network security by controlling.

The network security device 110 collects network status information corresponding to a plurality of traffic occurring on the network based on the network switches 120-1 to 120-N.

In addition, the network security device 110 generates a whitelist using resources permitted to be used by the network manager 140 based on the network status information.

At this time, the first type IP registered in the network, the second type IP permitted by the network manager 140, the first type service registered in the network, and the second type service not violating the security policy of the network At least one can be used to create a whitelist.

At this time, it is possible to search for the first type IP among the plurality of client IPs included in the network status information, and to search for the second type IP among the remaining IPs except for the first type IP.

At this time, the first type service may be searched among the plurality of services included in the network status information, and the second type service may be searched for among the remaining services except for the first type service.

In addition, the network security device 110 generates an alarm to the network manager 140 when traffic that violates the whitelist occurs.

At this time, when an alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than a preset reference number, any one of communication rules is added to the blind list, Can be omitted.

At this time, when at least one of the plurality of communication rules is added to the blind list, the alarm log corresponding to the alarm that is omitted by the blind list can be recorded.

At this time, unused communication rules for at least one of the at least one communication rule based on the alarm log may be extracted as a blind list deletion candidate and provided to the network administrator 140.

In addition, the network security device 110 blocks access of traffic through the network switches 120-1 to 120-N when a blocking request for traffic is received from the network manager 140. [

In addition, the network security device 110 may extract the communication rules that have not been used for a predetermined period of time among the plurality of communication rules included in the whitelist as candidates for white list deletion and recommend the network rules to the network administrator 140.

At this time, the communication rule may be configured based on at least one of a server IP, a server port, a protocol, a client IP, and a traffic communication direction.

In addition, the network security device 110 may extract a white list addition candidate to be added to the whitelist based on the traffic log recorded in correspondence with the traffic in which the alarm occurs, and recommend the network administrator 140 to the network security device 110.

In addition, the network security device 110 switches at least one of the white list deletion candidate and the white list addition candidate to the correction wait state based on the approval of the network manager 140, and deletes and adds The correction corresponding to at least one of

The network switches 120-1 to 120-N may collect network status information and transmit the network status information to the network security apparatus 110. [ For example, the network switches 120-1 to 120-N may collect network status information based on traffic generated by a client accessing the network for a predetermined period of time.

In addition, the network switches 120-1 to 120-N may monitor the network based on the whitelist generated by the network security apparatus 110, and block the access violating the whitelist.

For example, when the terminal 130-1 accessing the network switch 120-1 is a terminal violating a whitelist, the network switch 120-1 may block access to the terminal 130-1 .

The network manager 140 manages the security of the network through the network security device 110.

At this time, the network manager 140 can be classified as a general person and a security person according to the rights.

At this time, it may mean a person who has the authority to change and apply the whitelist. For example, the general contact person selects information to be performed among the correction information recommended by the network security apparatus 110 and switches to the correction waiting state. The security officer confirms the information in the correction waiting list and applies it to the whitelist Or to approve the application.

By applying this process, some people with the authority of the security officer can quickly respond to information that occurs on the network through a large number of low-privilege general contacts without having to monitor the whitelist at all times. In addition, it is possible to minimize errors in the approval process by double-checking and processing the information generated in the network.

Although not shown in FIG. 1, the network security apparatus 110 according to an embodiment of the present invention can provide information generated in the network to the network administrator 140 through a separate dashboard.

At this time, when the network manager 140 monitors the information generated while performing the security monitoring of the network using the network switches 120-1 to 120-N using the network security apparatus 110, The network manager 140 can organize alarms and information generated through the security device 110 and inform the network manager 140 of the work to be done.

At this time, the dashboard displays alarm list or number of alarms by traffic violating the whitelist through the alarm area, list or number of unregistered terminals (IP, MAC), unregistered services (protocol, server port, List or number of lists or numbers, list or number of unregistered network switches, system errors (problems with the device itself such as CPU usage, temperature, memory usage of network switches or network security devices) Or the like.

At this time, the network manager 140 can perform a security activity with the goal of making the number of all alarms appearing in the alarm area zero. That is, it is possible to check the alarm and to respond to it (reporting to the security officer, system action, etc.) to reduce the number of alarms to be processed. At this time, when the number of alarms becomes 0, the network manager 140 can confirm that there is no need to cope with the highest priority in terms of security, so that it is possible to perform tasks with different priorities. It is also an important role of the dashboard to allow the network administrator 140 to perform other tasks by notifying that the highest priority job is not present as much as notifying that the highest priority job has occurred, The alarm area can be designed.

In addition, the dashboard can indicate how much the white list, the blind list, the IP, the service, etc. are being used according to the time flow through the trend area. At this time, the network manager 140 can check the operation status according to time, such as a change in the amount of traffic corresponding to the communication rules included in the IP list whitelist, which generates the most traffic in the current time zone, through the trend area. The network manager 140 determines whether the traffic that has been allowed through the whitelist but has a trend that does not generally occur in a specific time zone or the amount of traffic corresponding to a certain whitelist has decreased through the trance area Can be noticed.

Also, as the information of the trend area continuously changes, the network manager 140 can confirm that the network switches 120-1 to 120-N and the network security apparatus 110 continue to operate normally. Regions other than the trend area may not change information for a long time. Therefore, the network manager 140 may be unable to detect changes when the network switches 120-1 to 120-N or the network security apparatus 110 are not operating normally while viewing other areas than the trend area. In addition, there may be a doubt as to whether the network switches 120-1 to 120-N or the network security device 110 are operating normally.

Therefore, the network switches 120-1 to 120-N and the network security apparatus 110 are normally operated to the network manager 140 by generating a trend area in which the information changes in a short period of time on the dashboard Can be provided. For example, an effect similar to a shutter sound can be used to tell the digital camera to take a picture.

In addition, the dashboard displays current status of the objects performing security surveillance using the current network switches 120-1 through 120-N and the network security device 110 through the resource area and the information used in connection therewith . The information appearing in the resource area is added to the registered terminal (IP, MAC), the registered service (protocol, server port, traffic transmission direction, etc.), the registered network switch, the whitelist and the blind list, Number of deleted, or deleted number.

The network manager 140 can grasp the status of the current security monitoring target and the change of the recently generated information through the resource area. In addition, when the network manager 140 performs the takeover by means of an announcement or the like from three shifts or one day through the resource area, the status information can be accurately delivered to the handover person.

In addition, the dashboard may indicate a list or information of information that has not yet been confirmed by the network manager 140 through the recommended work area. In other words, among the information recommended by the network security apparatus 110, only the information for which the network administrator 140 has not decided whether or not to approve can be displayed in the recommendation work area.

At this time, in the case of the alarm area, it is possible to indicate the number of tasks that must be urgently responded, and the recommended work area can indicate a task whose priority is lower than that in the alarm area. However, in order to accurately synchronize the on-scene and whitelist information, the network manager 140 may need to quickly process the task information indicated in the recommended task area. That is, if it is confirmed that the number of pieces of information appearing in the recommended work area is 0, the network manager 140 can determine that the current whitelis information matches the situation on the spot, But it has the effect of notifying you that you are done.

2 is a diagram illustrating an example of the operation of the network security system shown in FIG.

Referring to FIG. 2, in order to operate the network security system shown in FIG. 1, a network switch and a network security device may be installed (S210).

At this time, the network switch can perform network security based on the white list or collect network status information.

Also, the network security device can manage and control network security based on the whitelist corresponding to the access control list proposed in the present invention.

Thereafter, the network status information may be collected through the network switch (S220).

At this time, the network status information may include S-tuple-based traffic information, switch status information, and the like.

Thereafter, the network security apparatus may automatically generate the whitelist using the network status information (S230).

In this case, the term white list refers to information about an interval in which mutual communication is permitted with an access control list of a configuration including a server IP, a server port, a protocol, and a client IP.

At this time, the existing existing access control list extraction technique can be used to automatically generate the whitelist.

At this time, in order to actually use the white list automatically generated through the network security device, the network manager needs to check the contents of the whitelist. However, if the auto-generated whitelist contains a lot of content, it may be difficult for the network administrator to check all the contents.

Accordingly, the present invention proposes a method by which a network manager can sequentially confirm contents included in a whitelist based on asset information that can be secured in the field, service information currently in use, and the like, .

To do this, the network security device may automatically generate a whitelist and then search for IP information that is not registered in the network and provide it to the network administrator. That is, since the network manager does not need to confirm the IPs already registered in the network among the IPs already included in the whitelist, only the IPs not yet registered can be provided to the network administrator for confirmation.

At this time, the network administrator can permit registration by selecting IPs to be registered in comparison with the list of assets managed by the network administrator.

Thereafter, the network security apparatus can retrieve service information such as a protocol not registered in the network, a server port, a traffic communication direction, and the like, and provide the retrieved service information to the network manager. Then, the network user can obtain the service list prohibited in the security policy based on the service information provided from the manufacturer of the system and programs used in the network, and can select a service that can be used based on the list.

Thereafter, the network security apparatus can provide the network manager with a whitelist consisting of only the IP and the service which are confirmed by the network manager. At this time, the network manager can confirm the use relationship of the identified IP and services.

In this way, the network security device can directly inform the network manager of the information to be checked against the white list, and clarify the procedure, so that the network manager can check all the white list information without fail.

Thereafter, the network switch can perform security and monitoring of the network based on the white list (S240).

For example, whitelist based surveillance can generate an alarm for traffic that violates the whitelist and block the traffic if the network administrator wants to.

In this case, while performing security and monitoring of the network, synchronization of the information of the whitelist and the actual network status information must be continuously performed to secure more accurate network security.

At this time, unnecessary information can be removed from the white list first to perform synchronization of the white list. For example, if a network security device confirms information for monitoring a network based on a plurality of network switches and a whitelist is generated for an IP or service that is not used for a predetermined period of time, have. The network administrator can confirm that the corresponding IP or service is not actually being used and then delete the information from the whitelist.

For another example, information that has not yet been added to the whitelist can be identified and added. That is, there may be a situation where the user does not directly reflect the newly introduced IP address or service in the whitelist when the user directly creates the whitelist or the network status information used for the automatic white list generation is insufficient. To this end, the network security device analyzes alarms that violate the whitelist, and can suggest to the network administrator information to add to the whitelist among the analyzed information. In this case, when the alarm is analyzed, the access relationship composed only of the previously registered IPs or services, the communication by the IP which is not registered, the communication by the trusted IP, and the communication using the service permitted by the internal network It is possible to suggest the information to the network manager as information to be added to the whitelist.

In addition, when performing security and monitoring of the network and providing alarms, the network administrator can blindly process less important alarms so that the network administrator can focus more on the more important alarms, depending on the authority and role of the network administrator.

At this time, since blind processed alarms are actually generated alarms, they can not be displayed as alarms to the network administrator through the dashboard, and the log of the alarms can be stored and managed.

3 is a block diagram showing an example of the network security apparatus shown in FIG.

1, the network security apparatus 110 includes a communication unit 310, a network collection unit 320, a whitelist generation unit 330, an alarm generation unit 340, a network security unit 350, A deletion list recommendation unit 360, an additional list recommendation unit 370, a whitelist correction unit 380, and a storage unit 390.

The communication unit 310 transmits and receives necessary information to and from the network switch in order to secure the network. In particular, the communication unit 310 according to an embodiment of the present invention can receive network status information, traffic information, and the like from a network switch.

The network collector 320 collects network status information corresponding to a plurality of traffic occurring on the network based on the network switch.

At this time, it is possible to set a predetermined period in advance and collect traffic information and network switch status information on the network using the network switch for a predetermined period of time as network status information.

At this time, the collected network status information can be managed by the network security device, and can be provided to the network manager so that the network administrator can browse the network status information if desired.

The whitelist generating unit 330 generates a whitelist based on the network status information and resources permitted to use by the network administrator.

In this case, the term white list refers to information about an interval in which mutual communication is permitted with an access control list of a configuration including a server IP, a server port, a protocol, and a client IP.

At this time, since the white list is automatically generated by the network security apparatus 110, it is necessary to confirm whether the contents are appropriate from the network administrator. At this time, it is possible to check the services such as the IP address, protocol, server port, and traffic communication direction included in the whitelist.

At this time, at least one of the first type IP registered in the network, the second type IP permitted by the network manager, the first type service registered in the network, and the second type service not violating the security policy of the network Can be used to generate a whitelist.

That is, the first type IP that has already been registered for use in the network, the second type of IP that the network administrator has allowed to use in the future, and the first type that is already registered for use in the network It is possible to construct a whitelist using a second type service which is not in violation of the security policy of the service and the network and can be used in the future.

At this time, the whitelist may be constructed by first searching for a first type of IP, a second type of IP, a first type of service, and a second type of service before generating the whitelist, It is possible to confirm the whitelist by generating the whitelist first and then leaving only the possible lists through the confirmation of the network manager.

For example, in the generated whitelist, only the remaining list is provided to the network manager except for the list configured through the first type IP and the service of the first type already registered in the network. The list can be finally included in the whitelist.

At this time, it is possible to search for the first type IP among the plurality of client IPs included in the network status information, and to search for the second type IP among the remaining IPs except for the first type IP.

At this time, other IPs other than the first type IP may be provided to the network manager, and the IPs selected by the network administrator may be searched by the second type IP. At this time, the network administrator can select the IP to be registered by comparing with the list of assets managed by the network manager.

At this time, the first type service may be searched among the plurality of services included in the network status information, and the second type service may be searched for among the remaining services except for the first type service.

At this time, similarly to the case of searching the second type IP, the service other than the first type service may be provided to the network manager, and the service selected by the network manager may be searched by the second type service. At this time, the network administrator can receive the service information from the maker of the system and the program corresponding to the network, and can select a service that can be used based on the prohibited service list in the security policy.

In this way, all information included in the white list can be checked without fail.

The alarm generator 340 generates an alarm to the network administrator when traffic that violates the whitelist occurs.

At this time, when an alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than a preset reference number, any one of communication rules is added to the blind list, Can be omitted. By omitting the alarm by the same traffic, the network manager can concentrate more on the alarm of importance, thereby effectively performing the network security.

In addition, the network manager may make it easier to recognize new types of alarms that are not the same, thereby speeding up the response to the alarms.

At this time, when at least one of the plurality of communication rules is added to the blind list, the alarm log corresponding to the alarm that is omitted by the blind list can be recorded. That is, even though the alarm provided to the network administrator by the blind list is omitted, since the alarm is actually generated, information on the alarm can be recorded to provide information on whether or not the alarm continues to occur in the current real time.

At this time, unused communication rules among at least one communication rule based on the alarm log may be extracted as a blind list deletion candidate and provided to the network administrator.

At this time, by using the blind list, an administrator who confirms an alarm in real time can quickly transmit alarm occurrence information to a processor that performs a response to an alarm.

If the processors to which the information is to be transmitted are determined by the characteristics of the alarms, the manager or the surveillance agent monitoring the alarms should be able to confirm the alarms that they should report promptly in addition to the alarms that have been reported. At this time, the blind list allows the surveillance officer to add the characteristics of the reported alarm to the blinds and concentrate on the alarms that he or she is currently reporting.

Also, by confirming that the blind list removes all real-time alarms, the surveillance personnel can first be assured that there are no alarms to report now and can perform other necessary tasks. This can help increase the efficiency of the control work using the security control system.

In addition, an attacker who attacks a network for malicious purposes can perform a number of attacks using a method such as DDoS to hide a fatal attack. In other words, alarms caused by multiple attacks often hide alarms for fatal attacks. In this case, blind lists can effectively identify alarms that can cause fatal damage by omitting alarms of relatively less important characteristics, based on the vulnerability of the damage or the importance of the system to be attacked.

If the network security device determines that the network security device is not an alarm for the alarm generated during the editing process, it may be possible to use a log for the subsequent alarms It can cause a big error in analyzing

Also, whitelists are very important information for network security, so low-privileged users do not have permission to edit the whitelist. However, if an unauthorized administrator monitors the network in real time and if an alarm continues due to a previously detected alarm or information to be added to a future whitelist by newly introduced equipment, It is necessary to have a separate function for omitting an alarm that is judged to be unnecessary.

Therefore, this function can be satisfied by generating a separate blind list which is distinguished from the whitelist.

The network security unit 350 blocks access of traffic through the network switch when a blocking request for traffic is received from the network manager.

The deletion list recommendation unit 360 extracts a communication rule that has not been used for a predetermined period of time among the plurality of communication rules included in the whitelist as a white list deletion candidate and recommends the communication rule to the network administrator.

For example, assuming that the preset period of use is n minutes, if network security is initiated based on the white list and there is no record of communication rule A contained in the whitelist for n minutes, communication rule A is deleted It can be extracted as a candidate and recommended to the network administrator.

At this time, the communication rule may be configured based on at least one of a server IP, a server port, a protocol, a client IP, and a traffic communication direction.

The additional list recommendation unit 370 extracts a white list addition candidate to be added to the white list based on the traffic log recorded corresponding to the traffic in which the alarm occurs, and recommends the white list addition candidate to the network manager.

At this time, as a result of analyzing the traffic log, it is found that the access log including only the previously registered IP or services, the communication by the unregistered IP, the communication by the trusted IP, and the service permitted by the internal network Communication can be extracted as a white list addition candidate in at least one case.

The white list correcting unit 380 switches at least one of the white list deletion candidates and the white list addition candidates to the correction waiting state based on the approval of the network administrator and updates at least one of deletion and addition based on the approval of the final security officer And performs corresponding corrections.

At this time, the final security officer may mean a person who has the authority to actually change and apply the whitelist. For example, the network administrator can select the corrective information recommended by the network security device and select the information to be corrected, and the final security officer can check the information in the correction wait state and actually check the white list Or to approve the application.

Through this process, some people with the authority of the final security officer can quickly respond to information that occurs on the network through a number of unauthorized network administrators without having to monitor the whitelist at all times. In addition, since the information generated in the network can be double checked and processed, it is possible to minimize the mistakes that may occur in the processing.

The storage unit 390 stores various information generated in the network security process according to an embodiment of the present invention as described above.

According to an embodiment, the storage unit 390 may be configured independently of the network security device to support functions for network security. At this time, the storage unit 390 may operate as a separate mass storage and may include a control function for performing operations.

On the other hand, the network security apparatus 110 can store information in the apparatus in which the memory is installed. In one implementation, the memory is a computer-readable medium. In one implementation, the memory may be a volatile memory unit, and in other embodiments, the memory may be a non-volatile memory unit. In one implementation, the storage device is a computer-readable medium. In various different implementations, the storage device may comprise, for example, a hard disk device, an optical disk device, or any other mass storage device.

By using such a network security device, it is possible to define a whitelist that can access the network, and monitor and block network traffic based on this.

In addition, by omitting repetitive traffic alarms, network administrators can provide a network management environment that allows network administrators to focus on critical alarms. By providing dashboards that provide an at-a-glance view of network security status, . ≪ / RTI >

4 is a block diagram showing an example of the whitelist generating unit shown in FIG.

Referring to FIG. 4, the whitelist generation unit 330 shown in FIG. 3 includes an IP search unit 410 and a service search unit 420.

The IP searcher 410 searches for a first type IP among a plurality of client IPs included in the network status information and searches for a second type IP among the remaining IPs except for the first type IP.

At this time, other IPs other than the first type IP may be provided to the network manager, and the IPs selected by the network administrator may be searched by the second type IP. At this time, the network administrator can select the IP to be registered by comparing with the list of assets managed by the network manager.

The service searching unit 420 searches for the first type service among the plurality of services included in the network status information and searches for the second type service among the remaining services excluding the first type service.

At this time, similarly to the case of searching the second type IP, the service other than the first type service may be provided to the network manager, and the service selected by the network manager may be searched by the second type service. At this time, the network administrator can receive the service information from the maker of the system and the program corresponding to the network, and can select a service that can be used based on the prohibited service list in the security policy.

In this way, all information included in the white list can be checked without fail.

5 is a block diagram showing an example of the alarm generating unit shown in FIG.

Referring to FIG. 5, the alarm generator 340 shown in FIG. 3 includes an alarm controller 510, an alarm logger 520, and a blind list manager 530.

At this time, the alarm control unit 510 adds one of the communication rules to the blind list when the alarm according to any one of the plurality of communication rules contained in the whitelist is repeatedly generated more than the preset reference number So that alarms based on the same traffic are omitted. By omitting the alarm by the same traffic, the network manager can concentrate more on the alarm of importance, thereby effectively performing the network security.

In addition, the network manager may make it easier to recognize new types of alarms that are not the same, thereby speeding up the response to the alarms.

The alarm log 520 records an alarm log corresponding to an alarm that is omitted by the blind list when at least one of the plurality of communication rules is added to the blind list. That is, even though the alarm provided to the network administrator by the blind list is omitted, since the alarm is actually generated, information on the alarm can be recorded to provide information on whether or not the alarm continues to occur in the current real time.

The blind list management unit 530 extracts unused communication rules from the at least one communication rule based on the alarm log for a predetermined alarm generation period as a blind list deletion candidate and provides the network rule to the network administrator.

At this time, by using the blind list, an administrator who confirms an alarm in real time can quickly transmit alarm occurrence information to a processor that performs a response to an alarm.

If the processors to which the information is to be transmitted are determined by the characteristics of the alarms, the manager or the surveillance agent monitoring the alarms should be able to confirm the alarms that they should report promptly in addition to the alarms that have been reported. At this time, the blind list allows the surveillance officer to add the characteristics of the reported alarm to the blinds and concentrate on the alarms that he or she is currently reporting.

Also, by confirming that the blind list removes all real-time alarms, the surveillance personnel can first be assured that there are no alarms to report now and can perform other necessary tasks. This can help increase the efficiency of the control work using the security control system.

6 is a diagram illustrating an alarm occurrence when a blind list is used according to an embodiment of the present invention.

Referring to FIG. 6, the alarm occurrence status 610 when the blind list is not used and the alarm occurrence status 620 when the blind list is used can be compared with each other.

612, 613, 614, 615, 617, and 618 of "Attempt from A to B" are generated in the alarm occurrence status 610 when the blind list is not used first, It may be difficult to easily recognize the alarm 616 of "attempt to access from B to C" and the alarm 619 of "attempt to access from C to A" mixed with the alarm. As a result, the alarm information is not transmitted to the person in charge and the alarm can not be properly handled.

In this case, if the communication rule corresponding to "A to B access attempt" is included in the blind list, the alarm information can be easily grasped as in the alarm occurrence status 620 when the blind list is used.

At this time, the information about the omitted alarm is recorded in a separate alarm log so that the network administrator can check the real-time occurrence information of the alarm.

FIG. 7 is a flowchart illustrating a white list correction procedure according to an exemplary embodiment of the present invention. Referring to FIG.

Referring to FIG. 7, the procedure for approving the correction of a white list according to an embodiment of the present invention may first recommend a white list deletion candidate, a white list addition candidate, and the like by the network security device 710.

At this time, the network manager having the general contact person authority confirms the recommendation information, and if the recommended information is judged to be appropriate, the recommendation information can be approved and can be switched to the application wait or correction wait state.

After that, the final security officer with security officer's authority can check the recommendation information that is put on hold or in the correction waiting state, and if the recommended information is judged to be appropriate, the whitelist can be corrected through the final approval process .

Thereafter, the network switch 720 can be secured with the corrected white list.

By correcting the white list through such a correction approval procedure, it is possible to prevent the white list from being maliciously modified or corrected, and it is also possible to minimize the damage caused by the mistakes of the managers in the correction process.

FIG. 8 is a diagram illustrating an example in which a white list of a plurality of network switches is integratedly managed through the network security apparatus according to the present invention.

Referring to FIG. 8, the network security apparatus 810 according to an embodiment of the present invention may combine the white list information applied to each of the plurality of network switches and manage the white list 811 as a single white list. When the whitelist 811 is managed as described above, it may have a form similar to a firewall rule.

At this time, the content of the whitelist to be actually used by each of the network switches 820 and 830 can be determined according to what the terminals (IP, MAC) connected to the network switches 820 and 830 are.

8, network switch 820 1 confirms that asset # 1 is connected and sends asset # 1 to network switch 820 1 in a whitelist 811 managed by network security appliance 810 It is possible to acquire and apply white list information on traffic.

Network switch 830 2 may also obtain and apply white list information for traffic that asset # 2 sends to network switch 830 2 in a whitelist 811 managed by network security appliance 810 .

At this time, it can be assumed that the asset # 1 is moved to the network switch 830 for connection. At this time, the network security device 810 knows the information of the whitelist 821 used in the network switch 1 by the asset # 1. Thus, without further work by the network administrator, the information in the whitelist 821 used in the network switch 1 can be automatically transferred to the network switch 830. [

The network security device 810 stores the whitelist 811 and each network switch 820 and 830 transmits the terminal information connected to the network security device 810 to the network security device 810 . Thereafter, the network security device 810 may transmit information of a whitelist corresponding to each of the network switches 820 and 830 based on the terminal information. This scheme has minimal whitelist information for each network switch 820, 830, so it can be relatively secure against individual network switch hacking and physical downtime.

Alternatively, the network security appliance 810 can transmit and synchronize all of the information in the whitelist 811 to all network switches 820 and 830 while keeping the whitelist 811. At this time, each of the network switches 820 and 830 may store the whitelist 811 in a separate storage location and extract whitelist information to be used based on the terminal information connected thereto. This scheme may be suitable for an environment where the communication state between the network security device 810 and the network switch is unstable or where the movement of assets is frequent.

FIG. 9 is a flowchart illustrating a network security method based on a white list according to an exemplary embodiment of the present invention.

Referring to FIG. 9, a white list-based network security method according to an embodiment of the present invention collects network status information corresponding to a plurality of traffic occurring on a network based on a network switch (S910).

At this time, it is possible to set a predetermined period in advance and collect traffic information and network switch status information on the network using the network switch for a predetermined period of time as network status information.

At this time, the collected network status information can be managed by the network security device, and can be provided to the network manager so that the network administrator can browse the network status information if desired.

In addition, the white list-based network security method according to an exemplary embodiment of the present invention generates a white list using resources permitted to use by the network administrator based on the network status information at step S920.

In this case, the term white list refers to information about an interval in which mutual communication is permitted with an access control list of a configuration including a server IP, a server port, a protocol, and a client IP.

At this time, since the white list is automatically generated by the network security apparatus 110, it is necessary to confirm whether the contents are appropriate from the network administrator. At this time, it is possible to check the services such as the IP address, protocol, server port, and traffic communication direction included in the whitelist.

At this time, at least one of the first type IP registered in the network, the second type IP permitted by the network manager, the first type service registered in the network, and the second type service not violating the security policy of the network Can be used to generate a whitelist.

That is, the first type IP that has already been registered for use in the network, the second type of IP that the network administrator has allowed to use in the future, and the first type that is already registered for use in the network It is possible to construct a whitelist using a second type service which is not in violation of the security policy of the service and the network and can be used in the future.

At this time, the whitelist may be constructed by first searching for a first type of IP, a second type of IP, a first type of service, and a second type of service before generating the whitelist, It is possible to confirm the whitelist by generating the whitelist first and then leaving only the possible lists through the confirmation of the network manager.

For example, in the generated whitelist, only the remaining list is provided to the network manager except for the list configured through the first type IP and the service of the first type already registered in the network. The list can be finally included in the whitelist.

At this time, it is possible to search for the first type IP among the plurality of client IPs included in the network status information, and to search for the second type IP among the remaining IPs except for the first type IP.

At this time, other IPs other than the first type IP may be provided to the network manager, and the IPs selected by the network administrator may be searched by the second type IP. At this time, the network administrator can select the IP to be registered by comparing with the list of assets managed by the network manager.

At this time, the first type service may be searched among the plurality of services included in the network status information, and the second type service may be searched for among the remaining services except for the first type service.

At this time, similarly to the case of searching the second type IP, the service other than the first type service may be provided to the network manager, and the service selected by the network manager may be searched by the second type service. At this time, the network administrator can receive the service information from the maker of the system and the program corresponding to the network, and can select a service that can be used based on the prohibited service list in the security policy.

In this way, all information included in the white list can be checked without fail.

In addition, the white list-based network security method according to an embodiment of the present invention generates an alarm to the network administrator when traffic violates the whitelist (S930).

At this time, when an alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than a preset reference number, any one of communication rules is added to the blind list, Can be omitted. By omitting the alarm by the same traffic, the network manager can concentrate more on the alarm of importance, thereby effectively performing the network security.

In addition, the network manager may make it easier to recognize new types of alarms that are not the same, thereby speeding up the response to the alarms.

At this time, when at least one of the plurality of communication rules is added to the blind list, the alarm log corresponding to the alarm that is omitted by the blind list can be recorded. That is, even though the alarm provided to the network administrator by the blind list is omitted, since the alarm is actually generated, information on the alarm can be recorded to provide information on whether or not the alarm continues to occur in the current real time.

At this time, unused communication rules among at least one communication rule based on the alarm log may be extracted as a blind list deletion candidate and provided to the network administrator.

At this time, by using the blind list, an administrator who confirms an alarm in real time can quickly transmit alarm occurrence information to a processor that performs a response to an alarm.

If the processors to which the information is to be transmitted are determined by the characteristics of the alarms, the manager or the surveillance agent monitoring the alarms should be able to confirm the alarms that they should report promptly in addition to the alarms that have been reported. At this time, the blind list allows the surveillance officer to add the characteristics of the reported alarm to the blinds and concentrate on the alarms that he or she is currently reporting.

Also, by confirming that the blind list removes all real-time alarms, the surveillance personnel can first be assured that there are no alarms to report now and can perform other necessary tasks. This can help increase the efficiency of the control work using the security control system.

In addition, an attacker who attacks a network for malicious purposes can perform a number of attacks using a method such as DDoS to hide a fatal attack. In other words, alarms caused by multiple attacks often hide alarms for fatal attacks. In this case, blind lists can effectively identify alarms that can cause fatal damage by omitting alarms of relatively less important characteristics, based on the vulnerability of the damage or the importance of the system to be attacked.

If the network security device determines that the network security device is not an alarm for the alarm generated during the editing process, it may be possible to use a log for the subsequent alarms It can cause a big error in analyzing

Also, whitelists are very important information for network security, so low-privileged users do not have permission to edit the whitelist. However, if an unauthorized administrator monitors the network in real time and if an alarm continues due to a previously detected alarm or information to be added to a future whitelist by newly introduced equipment, It is necessary to have a separate function for omitting an alarm that is judged to be unnecessary.

Therefore, this function can be satisfied by generating a separate blind list which is distinguished from the whitelist.

In addition, the white list-based network security method according to an exemplary embodiment of the present invention blocks traffic access through a network switch when a blocking request for traffic is received from a network administrator (S940).

In addition, although not shown in FIG. 9, the white list-based network security method according to an embodiment of the present invention includes a method of transmitting a communication rule that has not been used for a predetermined period of time among a plurality of communication rules included in a whitelist, It is extracted as a list deletion candidate and recommended to the network administrator.

For example, assuming that the preset period of use is n minutes, if network security is initiated based on the white list and there is no record of communication rule A contained in the whitelist for n minutes, communication rule A is deleted It can be extracted as a candidate and recommended to the network administrator.

At this time, the communication rule may be configured based on at least one of a server IP, a server port, a protocol, a client IP, and a traffic communication direction.

Although not shown in FIG. 9, the white list-based network security method according to an exemplary embodiment of the present invention includes a white list addition candidate to be added to a white list based on a traffic log recorded corresponding to traffic generated by an alarm Extract and recommend to the network administrator.

At this time, as a result of analyzing the traffic log, it is found that the access log including only the previously registered IP or services, the communication by the unregistered IP, the communication by the trusted IP, and the service permitted by the internal network Communication can be extracted as a white list addition candidate in at least one case.

Although not shown in FIG. 9, the white list-based network security method according to an exemplary embodiment of the present invention includes at least one of a white list deletion candidate and a white list addition candidate, And performs a correction corresponding to at least one of deletion and addition based on approval of the final security officer.

At this time, the final security officer may mean a person who has the authority to actually change and apply the whitelist. For example, the network administrator can select the corrective information recommended by the network security device and select the information to be corrected, and the final security officer can check the information in the correction wait state and actually check the white list Or to approve the application.

Through this process, some people with the authority of the final security officer can quickly respond to information that occurs on the network through a number of unauthorized network administrators without having to monitor the whitelist at all times. In addition, since the information generated in the network can be double checked and processed, it is possible to minimize the mistakes that may occur in the processing.

Also, although not shown in FIG. 9, the white list-based network security method according to an embodiment of the present invention can transmit / receive necessary information to / from a network switch for network security. Particularly, it is possible to receive network status information, traffic information, and the like from a network switch.

Also, although not shown in FIG. 9, the white list-based network security method according to an embodiment of the present invention stores various information generated in the network security process according to an embodiment of the present invention as described above.

Such a network security method can define a whitelist that can access the network, and monitor and block the network traffic based on this.

In addition, by omitting repetitive traffic alarms, network administrators can provide a network management environment that allows network administrators to focus on critical alarms. By providing dashboards that provide an at-a-glance view of network security status, . ≪ / RTI >

FIG. 10 is a flowchart illustrating a method for generating a whitelist among network security methods shown in FIG.

Referring to FIG. 10, in the process of generating a whitelist among network security methods shown in FIG. 9, a first type IP of a plurality of client IPs included in network status information is searched (S1010).

At this time, the first type IP may correspond to an IP that has already been registered for use in the network.

Thereafter, the second type IP of the remaining IPs excluding the first type IP is searched (S1020).

At this time, the second type IP may correspond to the IP that the network administrator has permitted to use in the network in the future.

Thereafter, the first type service is searched among a plurality of services included in the network status information (S 1030).

At this time, the first type service may correspond to a service already registered for use in the network.

Thereafter, the second type service is searched among the remaining services except for the first type service (S 1040).

At this time, the second type service may correspond to an authorized service which may be used based on a service list prohibited from the security policy provided from the manufacturer of the system and the program corresponding to the network.

Thereafter, a whitelist is generated using at least one of the first type IP, the second type IP, the first type service, and the second type service (S1050).

FIG. 11 is a flowchart illustrating an alarm generation process according to a blind list among the network security methods shown in FIG.

Referring to FIG. 11, among the network security methods shown in FIG. 9, an alarm generation process according to a blind list first waits for traffic to be generated through a network switch (S1110).

Thereafter, it is determined whether or not traffic that violates the communication rule included in the whitelist is generated (S1115).

As a result of the determination in step S1115, if traffic contrary to the communication rule does not occur, it is possible to wait for the traffic to continue to be generated.

If it is determined in step S1115 that traffic contradicts the communication rule, it is determined whether the communication rule violating the traffic is a communication rule included in the blind list (S1125).

As a result of the determination in step S1125, if the communication rule is included in the blind list, it is possible to omit the alarm for the traffic, record the alarm log for the omitted alarm (S1130), and wait for traffic generation.

If it is determined in step S1125 that the communication rule is not included in the blind list, it is determined in step S1135 whether the corresponding traffic is repeatedly generated for a predetermined number of times based on a communication rule that violates the traffic.

As a result of the determination in step S1135, if no more than the preset reference number of times has elapsed, an alarm for traffic may be generated to the network administrator (S1140), and then traffic may be awaited.

If it is determined in step S1135 that the predetermined number of times has been exceeded, the communication rule for the traffic is added to the blind list in step S1150, the alarm is skipped, and an alarm log is recorded in step S1130.

Thereafter, it is possible to wait for the generation of traffic again.

12 is a flowchart illustrating a method of managing a blind list according to an embodiment of the present invention.

Referring to FIG. 12, a method for managing a blind list according to an exemplary embodiment of the present invention first checks at least one communication rule included in the blind list (S1210).

Thereafter, it is determined whether there is an unused communication rule for at least one of the at least one communication rule during a predetermined alarm generation period (S1215).

As a result of the determination in step S1215, if there is no unused communication rule for a predetermined alarm generation period, the blind list may be checked again after waiting for a predetermined period of time (S1220).

If it is determined in step S1215 that there is an unused communication rule during a predetermined alarm generation period, the communication rule is extracted as a blind list deletion candidate and provided to the network administrator in step S1230.

After that, the network manager confirms the blind list deletion candidate provided, and when the deletion request is made, the communication rule corresponding to the blind list deletion candidate is deleted from the blind list (S1240).

13 is a flowchart illustrating a method of deleting a whitelist according to an embodiment of the present invention.

Referring to FIG. 13, a method for deleting a whitelist according to an embodiment of the present invention first checks a plurality of communication rules included in a whitelist (S1310).

Thereafter, it is determined whether there is a communication rule that has not been used for a predetermined period of time among the plurality of communication rules (S1315).

As a result of the determination in step S1315, if there is no unused communication rule for a predetermined period of time, a white list may be checked again after waiting for a predetermined period of time (S1320).

If it is determined in step S1315 that there is a communication rule that has not been used for a predetermined period of time, the communication rule is extracted as a white list deletion candidate and recommended as a communication rule to be deleted to the network administrator in step S1330.

Thereafter, the network manager checks the provided white list deletion candidate, and deletes the communication rule corresponding to the white list deletion candidate from the whitelist (S1340).

14 is a flowchart illustrating a method of adding a whitelist according to an embodiment of the present invention.

Referring to FIG. 14, a method of adding a whitelist according to an embodiment of the present invention first performs network security and searches recorded traffic logs (S1410).

Thereafter, it is determined whether there is a traffic log satisfying the whitelist recommendation condition among the traffic logs (S1415).

For example, in at least one of an access relationship consisting of only pre-registered IP addresses or services, a communication with an IP address not yet registered, a communication with a secured IP, and a communication using a service permitted to use in the internal network It can be determined that the white list recommendation condition is satisfied.

As a result of the determination in step S1415, if there is no traffic log satisfying the white list recommendation condition, after waiting for a predetermined time period (S1420), the traffic logs can be searched again.

If it is determined in step S1415 that there is a traffic log satisfying the white list recommendation condition, the communication rule corresponding to the traffic log is extracted as a white list addition candidate and recommended to the network manager in step S1430.

Thereafter, the network manager confirms the white list addition candidate, and adds the communication rule to the whitelist in the case of addition request (S1440).

15 is a flowchart illustrating a process of correcting a whitelist according to at least one of deletion and addition according to an embodiment of the present invention.

15, a process of correcting a whitelist according to at least one of deletion and addition according to an embodiment of the present invention may be performed by first providing a network administrator with at least one of a white list deletion candidate and a white list addition candidate (S1510).

Thereafter, the network manager approves the correction for the recommended candidates, and switches at least one of the white list deletion candidate and the white list addition candidate to the correction waiting state (S1520).

Thereafter, the final security officer checks at least one candidate that has been brought into the correction wait state and performs an approval to actually perform the correction (S1530).

Thereafter, the network security device performs a correction corresponding to at least one of deletion of the whitelist deletion candidate from the whitelist and addition of the whitelist addition candidate from the whitelist (S1540)

As described above, the network security apparatus and method based on the white list according to the present invention are not limited to the configuration and method of the embodiments described above, but the embodiments may be modified in various ways, All or some of the embodiments may be selectively combined.

110, 710, 810: Network security device
120-1 to 120-N, 720, 820, 830: network switches
130-1, 130-2: Terminal 140: Network Manager
310: communication unit 320: network collecting unit
330: Whitelist generation unit 340: Alarm generation unit
350: Network security section 360: Delete list recommendation section
370: Additional list recommendation section 380: White list correction section
390: storage unit 410:
420: service search unit 510: alarm control unit
520: an alarm recording unit 530: a blind list management unit
610: Alarm occurrence when blind list is not used
611 to 619, 621 to 623: Alarm
620: Alarm occurrence when using blind list
811: White List
821: Whitelist used in Network Switch 1
831: Whitelist used in Network Switch 2

Claims (18)

A network collector for collecting network status information corresponding to a plurality of traffic occurring on a network based on a network switch;
A whitelist generating unit for generating a whitelist based on the resource authorized by the network manager based on the network status information;
An alarm generating unit for generating an alarm to the network manager when a traffic violating the whitelist occurs; And
A network security manager for blocking access of the traffic through the network switch when a blocking request for the traffic is received from the network manager;
Based network security device. The method according to claim 1,
The alarm generating unit
When an alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than a preset reference number, any one of the communication rules is added to the blind list, And an alarm control unit for controlling the network security device to omit the authentication information. The method of claim 2,
The alarm generating unit
Further comprising an alarm recording unit for recording an alarm log corresponding to an alarm omitted by the blind list when at least one communication rule of the plurality of communication rules is added to the blind list Of network security devices. The method of claim 3,
The alarm generating unit
Further comprising a blind list management unit for extracting unused communication rules from the at least one communication rule based on the alarm log as blind list deletion candidates and providing the extracted communication rules to the network administrator. List-based network security device. The method of claim 2,
The network security device
A deletion list recommendation unit for extracting a communication rule that has not been used for a predetermined period of time among a plurality of communication rules included in the white list as a white list deletion candidate and recommending the extracted communication rule to the network administrator; And
Further comprising a supplement list recommendation unit for extracting a white list addition candidate to be added to the white list based on a traffic log recorded corresponding to the traffic in which the alarm occurs and recommending the white list addition candidate to the network manager. Security device. The method of claim 5,
The network security device
At least one of the white list deletion candidate and the white list addition candidate is switched to the correction waiting state based on the approval of the network administrator and a correction corresponding to at least one of deletion and addition based on the approval of the final security officer is executed And a white list correction unit for detecting the white list based on the white list. The method according to claim 1,
The whitelist generating unit
At least one of a first type IP registered in the network, a second type IP allowed by the network administrator, a first type service registered in the network, and a second type service not violating a security policy of the network And generates the white list by using the white list. The method of claim 7,
The whitelist generating unit
An IP search unit searching for the first type IP among a plurality of client IPs included in the network status information and searching for the second type IP among the remaining IPs except for the first type IP; And
And a service searching unit searching for the first type service among the plurality of services included in the network status information and searching for the second type service among the remaining services excluding the first type service, List-based network security device. The method of claim 5,
The communication rule
A server port, a server port, a protocol, a client IP, and a traffic communication direction. Collecting network status information corresponding to a plurality of traffic occurring on a network based on a network switch;
Generating a whitelist using resources allowed to use by the network manager based on the network status information;
Generating an alarm to the network manager when traffic violates the whitelist; And
Blocking access of the traffic through the network switch when a blocking request for the traffic is received from the network manager
Based network security method. The method of claim 10,
The step of generating the alarm
When an alarm according to any one of the plurality of communication rules included in the whitelist is repeatedly generated more than a preset reference number, any one of the communication rules is added to the blind list, The network security method comprising the steps of: The method of claim 11,
The step of generating the alarm
Further comprising recording an alarm log corresponding to an alarm omitted by the blind list when at least one communication rule of the plurality of communication rules is added to the blind list Network security method. The method of claim 12,
The step of generating the alarm
Further comprising the step of extracting a communication rule not used during a predetermined alarm generation period of the at least one communication rule based on the alarm log as a blind list deletion candidate and providing the communication rule to the network administrator Of network security methods. The method of claim 11,
The network security method
Extracting a communication rule that has not been used for a predetermined period of time among a plurality of communication rules included in the white list as a white list deletion candidate and recommending the communication rule to the network administrator; And
Further comprising the step of extracting a white list addition candidate to be added to the white list based on the traffic log recorded corresponding to the traffic in which the alarm occurs and recommending the extracted white list addition candidate to the network administrator . 15. The method of claim 14,
The network security method
At least one of the white list deletion candidate and the white list addition candidate is switched to the correction waiting state based on the approval of the network administrator and a correction corresponding to at least one of deletion and addition based on the approval of the final security officer is executed The method comprising the steps of: (a) The method of claim 10,
The step of generating the whitelist
At least one of a first type IP registered in the network, a second type IP allowed by the network administrator, a first type service registered in the network, and a second type service not violating a security policy of the network And the white list is generated using the white list. 18. The method of claim 16,
The step of generating the whitelist
Searching for the first type IP among a plurality of client IPs included in the network status information, and searching for the second type IP among remaining IPs except for the first type IP; And
Searching for the first type service among the plurality of services included in the network status information and searching for the second type service among the remaining services excluding the first type service, Based network security method. 15. The method of claim 14,
The communication rule
A server port, a server port, a protocol, a client IP, and a traffic communication direction.

Images