KR20170080958A - System for maintaining and enhancing security of Internet of Things(IoT) network - Google Patents


Info

Publication number
KR20170080958A
Authority
KR
South Korea
Prior art keywords
iot
internet
gateway
information
attacker
Prior art date
Application number
KR1020150191029A
Other languages
Korean (ko)
Inventor
정현철
김동현
Original Assignee
(주)노르마

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information


Abstract

According to an embodiment of the present invention, a method executed on a computer comprises the steps of: (a) collecting, by an Internet of Things (IoT) device, information for selecting an attacker or a gateway vulnerable to attack; and (b) selecting an attacker or a gateway vulnerable to attack based on the collected selection information. The collecting step is executed by at least one IoT device among all the IoT devices connected to the gateway in the local network to which the attacker belongs, or by at least one IoT device among the IoT devices connected to the gateway vulnerable to attack.


Description

[0001] The present invention relates to a system for maintaining and enhancing the security of an Internet of Things (IoT) network.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a system, a method, and a recording medium on which a program is recorded, for maintaining and enhancing the security of an Internet of Things (IoT) network.

Computers that use a network maintain a translation table between IP addresses and MAC addresses, called the Address Resolution Protocol (ARP) table.

ARP spoofing attacks, in which an attacker poisons the ARP tables of other hosts by posing as the gateway, are common, and countermeasures against such attacks have been disclosed (see, for example, 2011-0060271).

However, there is no effective countermeasure against ARP spoofing in an Internet of Things (IoT) network built on a mobile environment in which operations such as roaming take place.

In addition, IoT devices have inherent limitations: their available resources are so small that the programs required for security must not be large.

According to an embodiment of the present invention, there are provided a system, a method, and a recording medium on which a program is recorded, for maintaining and enhancing the security of an IoT network, capable of effectively monitoring the security of the IoT network while using only a small amount of memory.

According to one embodiment of the present invention, there is provided a method executed on a computer, the method comprising the steps of:

collecting, by an Internet of Things (IoT) device, information (hereinafter referred to as 'selection information') for selecting an attacker or a gateway vulnerable to attack; and

selecting an attacker or a gateway vulnerable to attack based on the collected selection information,

wherein the collecting step is performed by at least one IoT device among all the IoT devices connected to the gateway in the local network to which the attacker belongs, or by at least one IoT device among the IoT devices connected to the gateway vulnerable to attack.

According to another embodiment of the present invention, there is provided a system for maintaining and enhancing the security of an Internet of Things (IoT) network, the system comprising a gateway and a plurality of IoT devices,

wherein at least one of the plurality of IoT devices

collects information (hereinafter referred to as 'selection information') for selecting an attacker or a gateway vulnerable to attack, and

performs an operation of selecting an attacker or a gateway vulnerable to attack based on the collected selection information,

and wherein the collecting of the information is performed by at least one IoT device among all the IoT devices connected to the gateway in the local network to which the attacker belongs, or by at least one IoT device among the IoT devices connected to the gateway vulnerable to attack.

According to one or more embodiments of the present invention, the security of the Internet of Things (IoT) network can be maintained using only the devices that make up the IoT network themselves and firmware information about the gateway, so the security of the IoT network can be monitored effectively while using little memory and consuming little power.

In addition, according to one or more embodiments of the present invention, ARP spoofing can be prevented effectively by correctly distinguishing roaming of a mobile device between IoT networks from ARP spoofing.

FIG. 1 is a diagram for explaining a system for maintaining and enhancing the security of an Internet of Things (IoT) network according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a method for maintaining and enhancing the security of an IoT network including a gateway and a plurality of IoT devices according to an embodiment of the present invention.
FIG. 3 is a diagram for explaining a program for executing a method for maintaining and enhancing the security of an IoT network according to an embodiment of the present invention.
FIG. 4 is a diagram for explaining an ARP spoofing prevention system for IoT security in an IoT network according to an embodiment of the present invention.
FIG. 5 is a diagram for explaining an operation of selecting and blocking an attacker according to an embodiment of the present invention.
FIG. 6 is a diagram for explaining a roaming operation according to an embodiment of the present invention.
FIG. 7 is a diagram for explaining an ARP spoofing prevention method for IoT security in an IoT network according to an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features, and advantages of the present invention will become more readily apparent from the following description of preferred embodiments with reference to the accompanying drawings. However, the present invention is not limited to the embodiments described herein and may be embodied in other forms. Rather, the embodiments disclosed herein are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art.

Also, the terms used herein are for the purpose of describing embodiments and are not intended to limit the invention. In the present specification, the singular form includes the plural form unless otherwise specified. The terms "comprises" and/or "comprising" used in the specification do not exclude the presence or addition of one or more other elements.

Hereinafter, the present invention will be described in detail with reference to the drawings. In describing the specific embodiments below, various specific details are set forth in order to explain the invention in greater detail and to assist in understanding it. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details. In some instances, parts that are well known or not significantly related to the invention are not described, so as not to obscure the explanation of the present invention.

FIG. 1 is a diagram illustrating a system for maintaining and enhancing the security of an Internet of Things (IoT) network including a gateway and a plurality of IoT devices according to an embodiment of the present invention.

Referring to FIG. 1, the system includes a plurality of local networks LN1 and LN2 and a security server 100.

Each of the plurality of local networks LN1 and LN2 includes a gateway and a plurality of IoT devices. That is, the local network LN1 includes a gateway 10 and a plurality of IoT devices 20, 30 and 40, and the local network LN2 includes a gateway 60 and a plurality of IoT devices 70 and 80.

The security server 100 receives the selection information from each of the IoT devices belonging to the plurality of local networks LN1 and LN2 and performs an operation of selecting an attacker or a gateway vulnerable to attack. In detail, the security server 100 stores and manages a firmware DB (including the type of firmware, firmware version information, the number of attacks, the degree of security vulnerability, etc.) and a MAC address DB, and selects attackers or vulnerable gateways using these DBs.

The security server 100 compares the information included in the selection information with the firmware DB and the MAC address DB to select an attacker or a gateway vulnerable to attack.

At least one of the IoT devices belonging to the plurality of local networks LN1 and LN2 performs the operation according to the present invention.

Hereinafter, the configuration, operation, and effect of the IoT device 20 will be described, taking the IoT device 20 as an example among the IoT devices belonging to the plurality of local networks LN1 and LN2.

The IoT device 20 performs an operation of collecting information for selecting an attacker or a gateway vulnerable to attack (hereinafter, 'selection information'), and the security server 100 receives the selection information and selects an attacker or a gateway vulnerable to attack.

In this embodiment, the operation of collecting the selection information has been described as being performed by the IoT device 20, but this is an illustrative example; the collection may be performed by at least one IoT device among all the IoT devices connected to the gateway in the local network to which the attacker belongs, or by at least one IoT device among the IoT devices connected to the gateway vulnerable to attack.

Here, the selection information includes information on the firmware of the gateway 10 to which the IoT device 20 collecting the selection information is connected.

For example, the information about the firmware may be the type and version of the firmware.

The IoT device 20 may obtain information about the firmware stored in the gateway 10. The information on the firmware stored in the gateway 10 may be in the form of HTML code, and the IoT device 20 may obtain the HTML code that includes this firmware information.

In addition, the IoT device 20 can include the MAC addresses in the ARP table stored in the IoT device 20 itself in the selection information and transmit them to the security server 100.

In addition, the IoT device 20 may include information on a device that the IoT device 20 has determined to be an attacker in the selection information and transmit it to the security server 100. The process of determining the attacker is described with reference to FIG. 3 and the following figures.

According to one embodiment of the present invention, the selection information further includes the ARP table (including MAC address information) held by the IoT device 20 collecting the selection information, and the MAC addresses of all the IoT devices connected to the gateway 10 to which the IoT device 20 is connected.

The selection information according to an embodiment of the present invention may be collected periodically, when the gateway changes, when the ARP table changes, or when the MAC address of an attacker is acquired.

Upon receiving the selection information from the IoT device 20, the security server 100 compares the data included in the received selection information with the firmware DB or the MAC address DB.

For example, when the selection information includes firmware information for the gateway 10, the security server 100 refers to the firmware DB to determine whether the firmware of the gateway 10 is of a vulnerable type or a vulnerable version. Since the firmware DB includes information on the types and versions of firmware that are frequently attacked, the security server 100 can determine whether the firmware of the gateway 10 is vulnerable to attack by referring to the firmware DB.

In addition, when the MAC addresses of the IoT devices are included in the selection information, the security server 100 refers to the MAC address DB to determine whether any of them is an attacker's MAC address. Since the MAC address DB contains the MAC addresses of attackers, the security server 100 can select the attacker from among the IoT devices included in the local network LN1 by referring to the MAC address DB.

When the attacker's MAC address is included in the selection information, the security server 100 adds, for example, the attacker's MAC address to the MAC address DB that the security server 100 itself manages.

Although the IoT device 20 has been described above as an example, the other IoT devices may have the same configuration, function, and effect.

FIG. 2 is a diagram illustrating a method for maintaining and enhancing the security of an Internet of Things (IoT) network including a gateway and a plurality of IoT devices according to an embodiment of the present invention.

Referring to FIG. 2, the method for maintaining and enhancing the security of an IoT network including a gateway and a plurality of IoT devices according to an embodiment of the present invention can be implemented in the system of FIG. 1.

Hereinafter, the method will be described on the assumption that it is implemented in the system shown in FIG. 1.

Referring to FIG. 2, the method includes a step in which an IoT device collects the selection information (for example, information for selecting an attacker or a gateway vulnerable to attack), a step of transmitting the collected selection information to the security server 100 (S103), and a step in which the security server 100 selects an attacker or a gateway vulnerable to attack based on the selection information (S105). When the security server 100 has selected an attacker or a gateway vulnerable to attack, information about the attacker or the vulnerable gateway is transmitted to the IoT device (S107).

The method according to an embodiment of the present invention further includes a step of informing the user that a particular IoT device is an attacker or that the gateway is vulnerable.

In step S107, when the security server 100 selects an attacker or a gateway vulnerable to attack, the security server 100 notifies any one of the IoT devices belonging to the local network that includes the selected attacker or vulnerable gateway of that fact.

FIG. 3 is a diagram for explaining a program for executing a method for maintaining and enhancing the security of an Internet of Things (IoT) network according to an embodiment of the present invention.

Referring to FIG. 3, an IoT device 20 according to an embodiment of the present invention includes a processor 21, a memory 23, and a LAN card 25 for wireless communication. The memory 23 stores various programs 22 and a program 24 for executing the method for maintaining and enhancing the security of the IoT network according to an embodiment of the present invention. The programs stored in the memory 23 are coupled to the corresponding hardware and operate under the control of the processor 21.

The program 24 for executing the method for maintaining and enhancing the security of the IoT network is coupled with the LAN card 25 for wireless communication to perform the operation according to the present invention.

The program 24 collects the selection information and transmits the collected information to the security server 100.

Specifically, when the ARP table managed and stored by the IoT device 20 is updated, the program 24 collects the selection information (the list of MAC addresses included in the ARP table, firmware information for the gateway, and the MAC address of the attacker) and transmits the collected information to the security server 100.

Although the foregoing has been described by way of example with respect to the IoT device 20, this is exemplary, and the method for maintaining and enhancing the security of the IoT network may also be implemented in the other IoT devices 30 and 40.

Hereinafter, with reference to FIG. 4 to FIG. 7, embodiments for obtaining information (a MAC address) about an attacker will be described, taking the IoT device 20 as an example.

FIG. 4 is a diagram for explaining an ARP spoofing prevention system for IoT security in an Internet of Things (IoT) network according to an embodiment of the present invention.

Referring to FIG. 4, an ARP spoofing prevention system for IoT security in an IoT network (hereinafter referred to as 'ARP spoofing prevention system') according to an embodiment of the present invention includes a gateway (GW) 10 and a plurality of IoT devices 20, 30, and 40.

The gateway (GW) 10 and the plurality of IoT devices 20, 30 and 40 form a local network with each other, and the plurality of IoT devices 20, 30 and 40 are connected to an external Internet network through the gateway (GW) 10.

The gateway (GW) 10 and the plurality of IoT devices 20, 30, and 40 each have a MAC address and an IP address, as shown in FIG. 4. The MAC addresses and IP addresses shown in FIG. 4 are values chosen arbitrarily for the purpose of explaining the present invention.

Hereinafter, for the purpose of explaining the present invention, the configuration, operation, and effect of the IoT device 20 among the plurality of IoT devices 20, 30, and 40 will be described.

The IoT device 20 scans the IP and MAC addresses of all the IoT devices 30, 40, ... connected to the gateway 10 when a predefined event occurs at the IoT device 20 itself or at one or more of the other IoT devices 30, 40, ..., or when the gateway 10 to which the IoT device 20 is connected is changed.

The predefined event may be, for example, a request to transmit important data. Whether data is important is determined by the user in advance. For example, data sent to a specific destination can be defined as important data: all data sent to a bank as the destination can be defined as important. In this case, each time the IoT device 20 transmits data to the bank, it scans the IP and MAC addresses and performs the operation of selecting an attacker.

The IoT device 20 stores and manages an Address Resolution Protocol (ARP) table used to communicate with the other IoT devices 30, 40, ... belonging to the local network or with devices (not shown) belonging to the external Internet network.

The ARP table includes the MAC address and the IP address of each of the IoT devices 30, 40, ... and the gateway 10 belonging to the local network.

When a predefined event occurs at the IoT device 20 itself or at one or more of the other devices 10, 30, 40, ..., the IoT device 20 scans the IP and MAC addresses of all the IoT devices 30, 40, ... connected to the gateway 10 and updates the ARP table.

The IoT device 20 also scans the IP and MAC addresses of all the devices 10, 30, 40, ... in the local network and updates the ARP table when the gateway 10 is changed to another device.

In normal operation, the IoT device 20 monitors whether a predefined event occurs at itself or at the other devices 10, 30, 40, ..., and whether the MAC address of the gateway to which it is connected changes (that is, whether the gateway is changed to another device), and updates the ARP table when an event occurs or the gateway changes.

The IoT device 20 selects, from the result of scanning the IP and MAC addresses, any device whose MAC address is duplicated, and performs an operation of treating that device as an attacker.

In detail, when the ARP table is updated, the IoT device 20 checks whether the updated ARP table contains a device with a duplicated MAC address. If the updated ARP table contains a device with a duplicated MAC address, the device is regarded as an attacker and an operation for subsequent processing is performed. Once an attacker device has been selected, the subsequent action can be handled according to conventional techniques; that is, among the attacker detection techniques for ARP spoofing, the action taken on a device detected as an attacker may follow known techniques.

In this embodiment, the action for the device detected as the attacker may follow known techniques, or alternatively the action according to the embodiment of the present invention described below may be taken.

In the action according to one embodiment of the present invention, when there is an IoT device treated as an attacker, at least one of the IoT devices connected to the gateway 10 that are not the attacker performs an operation to inform the user that there is an IoT device treated as an attacker. For example, in FIG. 4, if IoT device 3 (40) is an attacker device, IoT device 2 (30) can inform the user, by means such as an alarm or a message, that IoT device 3 (40) is an attacker device.

Although the above description has taken the IoT device 20 as an example, the other IoT devices 30 and 40 may have the same function and effect.

Hereinafter, an ARP spoofing prevention program for IoT security in an Internet of Things (IoT) network according to an embodiment of the present invention will be described.

The ARP spoofing prevention program may be provided in the IoT device 20 described with reference to the preceding figures. For example, the ARP spoofing prevention program (not shown) may be stored in the memory 23 shown in FIG. 3 and executed under the control of the processor 21.

The ARP spoofing prevention program for IoT security according to an embodiment of the present invention is combined with the LAN card 25 for wireless communication to perform the operation according to the present invention.

When a predefined event occurs at the IoT device 20 or at one or more of the other IoT devices 30, 40, ..., or when the gateway 10 to which the IoT device 20 is connected is changed, the ARP spoofing prevention program scans the IP and MAC addresses of all the IoT devices 30, 40, ... connected to the gateway 10.

The ARP spoofing prevention program stores and manages the Address Resolution Protocol (ARP) table used when communicating with the other IoT devices 30, 40, ... belonging to the local network or with devices belonging to the external Internet network.

When a predefined event occurs at the IoT device 20 or at one or more of the other devices 10, 30, 40, ..., the ARP spoofing prevention program scans the IP and MAC addresses of all the IoT devices 30, 40, ... connected to the gateway 10 and updates the ARP table. Here, the ARP table may be stored in the memory 23, although this is not shown.

The ARP spoofing prevention program also scans the IP and MAC addresses of all the devices 10, 30, 40, ... belonging to the local network and updates the ARP table when the gateway 10 is changed to another device.

The ARP spoofing prevention program monitors whether a predefined event occurs at the IoT device 20 or at the other devices 10, 30, 40, ..., and whether the MAC address of the gateway to which the IoT device 20 is connected changes (that is, whether the gateway is changed to another device), and updates the ARP table when an event occurs or the gateway changes.

The ARP spoofing prevention program selects, from the result of scanning the IP and MAC addresses, any IoT device whose MAC address is duplicated, and performs the operation for an attacker.

In detail, when the ARP table is updated, the ARP spoofing prevention program checks whether the updated ARP table contains an IoT device with a duplicated MAC address. If the updated ARP table contains an IoT device with a duplicated MAC address, the device is regarded as an attacker and an operation for subsequent processing is performed.

Although the foregoing has been described by way of example for the IoT device 20, the other IoT devices 30 and 40 may have the same configuration, function, and effect as in the example.

FIG. 5 is a diagram for explaining an operation of selecting and blocking an attacker according to an embodiment of the present invention.

Referring to FIG. 4 and FIG. 5, the operation of selecting and blocking an attacker according to an exemplary embodiment of the present invention will now be described. In normal operation, the IoT device 20 monitors whether a predefined event occurs at the other devices 10, 30, 40, ... or at itself, and whether the MAC address of the gateway to which it is connected changes (that is, whether the gateway is changed to another device).

In this situation, it is assumed that an attacker 50 intrudes into the local network and announces to IoT device 1 (20) that it (50) is the gateway. IoT device 1 (20), having received such an announcement, performs the configuration and operation according to an embodiment of the present invention. That is, since this corresponds to the case where the gateway of IoT device 1 (20) has changed, the IP and MAC addresses of all the IoT devices 30, 40, ... connected to the gateway 10 are scanned and the ARP table is updated.

In the updated ARP table, there is a case where a MAC address is duplicated. This is because the attacker 50 has announced to IoT device 1 (20) that it (50) is the gateway.

The following table shows the case where the IP addresses are different and the MAC addresses are the same.

Table 1
IP         MAC address
00:00:01   102.166.0.1
00:00:02   102.166.0.2
00:00:03   102.166.0.3
00:00:04   102.166.0.4
00:00:07   102.166.0.1

Referring to Table 1, there is a case where the IP addresses are different but the MAC address is the same. If the gateway was the device with IP 00:00:01 and MAC address 102.166.0.1, and the gateway later changes to the device with IP 00:00:07 and MAC address 102.166.0.1, then the device with IP 00:00:07 and MAC address 102.166.0.1 can be treated as an attacker.

FIG. 6 is a diagram for explaining a roaming operation according to an embodiment of the present invention.

Referring to FIGS. 4 and 6, a normal IoT device 20 monitors whether a predefined event occurs at itself (20) or at the other IoT devices 10, 30, 40, ..., or whether the MAC address of the gateway to which the device 20 is connected is changed (that is, whether the gateway is changed to another device).

In this situation, it is assumed that IoT device 1 (20) roams to another local network, and that a gateway 60 and other IoT devices 70 and 80 belong to that other local network.

Since IoT device 1 (20) has roamed to another local network, it renews its own ARP table. It then checks whether there is a device whose MAC address is duplicated in the updated ARP table.

In the network situation shown in FIG. 6 (that is, no attacker exists and IoT device 1 (20) has merely roamed), there is no device whose MAC address is duplicated.

Thereafter, IoT device 1 (20) performs the attacker selection operation described above.

That is, IoT device 20 may be configured so that, when a predefined event occurs at itself (20) or at one or more of the other IoT devices 60, 70, 80, ..., or when the gateway 60 to which IoT device 20 is connected is changed to another device, it scans the IP addresses and MAC addresses of all IoT devices 70, 80, ... connected to the gateway 60. IoT device 20 then selects, from the result of scanning the IP addresses and MAC addresses, any IoT device having a duplicated MAC address and processes that device as an attacker.

FIG. 7 is a diagram for explaining an ARP spoofing prevention method for IoT security in an Internet of Things (IoT) network according to an embodiment of the present invention.

Referring to FIG. 7, the ARP spoofing prevention method for IoT security in the IoT network may be implemented by the ARP spoofing prevention system for IoT security in the IoT network described with reference to FIG. 4.

Assuming that the ARP spoofing prevention method for IoT security in the IoT network according to the embodiment of the present invention is implemented in the system shown in FIG. 4, the method includes: monitoring whether a predefined event occurs in the IoT device or whether the MAC address of the gateway to which the IoT device is connected is changed (S101); when a predefined event occurs in the IoT device or the MAC address of the gateway to which the IoT device is connected is changed (S103), scanning the IP addresses and MAC addresses of all IoT devices connected to the gateway and updating the ARP table (S105); checking whether there is an IoT device having a duplicated MAC address in the scanned result (S107); and selecting an IoT device having a duplicated MAC address as an attacker (S109).

The method may further include at least one of the IoT devices connected to the gateway that were not selected as the attacker (the non-attacker IoT devices) informing the user that an IoT device has been processed as an attacker.
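The duplicate-MAC check that FIG. 5 (attacker present), FIG. 6 (roaming, no attacker) and the S101 to S109 flow of FIG. 7 describe, written out as an added example; this is not code from the patent or its applicant. It assumes the ARP table is available as text in the style of Linux `ip neigh show` output, and uses constructed sample entries (the 192.0.2.0/24 addresses and the 02:00:... locally administered MAC addresses are made up for this example, as is the choice of which host plays the attacker). The gateway IP and the gateway MAC previously recorded by the device are supplied by the caller.

```python
import re
from collections import defaultdict

# One neighbour entry per line, in the style of Linux `ip neigh show`
# (assumed input format for this example). Entries without a resolved
# link-layer address (FAILED / INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b"
)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh`-style text (S105: the refreshed ARP table)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def duplicate_macs(table):
    """S107: group IPs by MAC and keep only MACs seen at more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def select_attackers(table, gateway_ip):
    """S109: every non-gateway IP whose MAC is shared with another entry.

    When the gateway IP is among the sharers (the Table 1 case), the other
    IPs are the hosts that answered for the gateway address with their own
    MAC. Duplicates that do not involve the gateway are reported as well,
    since the method selects any device with a duplicated MAC address.
    """
    suspects = set()
    for ips in duplicate_macs(table).values():
        suspects.update(ip for ip in ips if ip != gateway_ip)
    return sorted(suspects)


def check(prev_gw_mac, table, gateway_ip, event=False):
    """S101/S103: scan only on a predefined event or a gateway MAC change.

    Returns (triggered, current_gateway_mac, attackers). Without a trigger the
    table is not examined at all, which is why a spoof already in place when
    prev_gw_mac was first recorded can only be caught through the event path.
    """
    gw_mac = table.get(gateway_ip)
    triggered = event or (gw_mac is not None and gw_mac != prev_gw_mac)
    if not triggered:
        return False, gw_mac, []
    return True, gw_mac, select_attackers(table, gateway_ip)


# Constructed sample data (not from the patent). The device first learned the
# gateway 192.0.2.1 at 02:00:00:00:00:10.
GATEWAY_IP = "192.0.2.1"
ORIGINAL_GW_MAC = "02:00:00:00:00:10"

# FIG. 5: the host at 192.0.2.50 has told the device that it is the gateway,
# so the gateway IP and that host's own IP now share one MAC address.
ATTACK_NEIGH = """\
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:50 REACHABLE
192.0.2.30 dev eth0 lladdr 02:00:00:00:00:30 STALE
192.0.2.40 dev eth0 lladdr 02:00:00:00:00:40 STALE
192.0.2.50 dev eth0 lladdr 02:00:00:00:00:50 REACHABLE
192.0.2.99 dev eth0 FAILED
"""

# FIG. 6: the device roamed to another LAN; the gateway MAC changed, no duplicates.
ROAM_NEIGH = """\
192.0.2.1 dev wlan0 lladdr 02:00:00:00:00:60 REACHABLE
192.0.2.70 dev wlan0 lladdr 02:00:00:00:00:70 STALE
192.0.2.80 dev wlan0 lladdr 02:00:00:00:00:80 STALE
"""

if __name__ == "__main__":
    for name, text in (("FIG. 5 attack", ATTACK_NEIGH), ("FIG. 6 roam", ROAM_NEIGH)):
        triggered, gw_mac, attackers = check(ORIGINAL_GW_MAC, parse_neigh(text), GATEWAY_IP)
        print(f"{name}: triggered={triggered} gateway_mac={gw_mac} attackers={attackers}")
```

Two caveats a practitioner should keep in mind. A host that legitimately answers for several IP addresses on one interface (a router with secondary addresses, or an HA pair sharing a virtual address) also shows a duplicated MAC and will be selected by this check, so a real deployment needs an allow-list or a second signal before blocking. And because the MAC-change trigger compares against the last recorded gateway MAC, a spoof that is already active when the device first records it passes silently; that is the gap the method's separate predefined-event trigger exists to cover.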

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments and that various changes and variations are possible.

The scope of the present invention should not be limited to the above-described embodiments, but should be determined by the scope of the appended claims and equivalents thereof.

10, 60: Gateway
20, 30, 40, 50, 70, 80: Internet of Things (IoT) device
21: Processor
23: Memory
25: LAN card
100: Security server

Claims (9)

1. A method performed on a computer, comprising:
an Internet of Things (IoT) device collecting information (hereinafter referred to as 'selection information') for selecting an attacker or a gateway vulnerable to attack; and
selecting an attacker or a gateway vulnerable to attack based on the collected selection information,
wherein the collecting of the selection information is performed by at least one IoT device among all the IoT devices connected to the gateway in the local network to which the attacker belongs.
2. The method according to claim 1, wherein the selection information includes information on the firmware of the gateway to which the IoT device collecting the selection information is connected.
3. The method according to claim 2, wherein the information on the firmware is the type and version information of the firmware.
4. The method according to claim 2, wherein the selection information further includes an ARP table (including information on MAC addresses) held by the IoT device collecting the selection information.
5. The method according to claim 4, wherein the selection information further includes the MAC addresses of the IoT devices connected to the gateway to which the IoT device collecting the selection information is connected.
6. A system for maintaining and enhancing the security of an Internet of Things (IoT) network comprising a gateway and a plurality of IoT devices,
wherein at least one of the plurality of IoT devices
collects information (hereinafter referred to as 'selection information') for selecting an attacker or a gateway vulnerable to attack, and
performs an operation of selecting an attacker or a gateway vulnerable to attack based on the collected selection information, and
wherein the collecting operation is performed by at least one IoT device among all the IoT devices connected to the gateway in the local network to which the attacker belongs.
7. The system according to claim 6, wherein the selection information includes information on the firmware of the gateway to which the IoT device collecting the selection information is connected.
8. The system according to claim 7, wherein the information on the firmware is the type and version information of the firmware.
9. The system according to claim 8, wherein the selection information further includes an ARP table held by the IoT device collecting the selection information, and the MAC addresses of the IoT devices connected to the gateway to which the IoT device collecting the selection information is connected.
Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150191029A KR20170080958A (en) 2015-12-31 2015-12-31 System for maintaining and enhancing security of Internet of Things(IoT) network

Publications (1)

Publication Number Publication Date
KR20170080958A true KR20170080958A (en) 2017-07-11

Family

ID=59355024

Country Status (1)

Country Link
KR (1) KR20170080958A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019146956A1 (en) * 2018-01-29 2019-08-01 주식회사 안랩 Apparatus and method for acquiring information of device
KR20190091636A (en) * 2018-01-29 2019-08-07 주식회사 안랩 Apparatus and method for obtaining information of device

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application