KR20170106694A - Method and apprapatus for watching encrypted traffic - Google Patents

Abstract

A method for monitoring an encrypted traffic performed in a traffic monitoring apparatus according to an embodiment of the present invention is disclosed. The method for monitoring an encrypted traffic performed by the traffic monitoring apparatus includes the steps of acquiring communication session information between a user terminal and a server performed in the session information management module, monitoring a communication session between the user terminal and the server, Determining whether to intervene in a communication session between the user terminal and the server, when the communication session control module intervenes in a communication session between the user terminal and the server, A communication session and a second communication session between the user terminal and the traffic monitoring device, the encryption processing module performing encryption handshaking with the server in the first communication session, and in the second communication session, Performing shaking, determining whether the first communication session received through the first communication session Decrypting the first encrypted data received via the first communication session and the second encrypted data received through the second communication session, and performing a security control on the decrypted data by the traffic control module.

Description

[0001] METHOD AND APPARATUS FOR WATCHING ENCRYPTED TRAFFIC [0002]

The present invention relates to communications, and more particularly to monitoring encrypted communications.

A secure sockets layer (SSL) can mean a cryptographic technique to protect TCP / IP communications. SSL encrypted communication was initially used to protect important content and messages transmitted via the web, such as banking, e-commerce, and corporate data. Recently, however, SSL encryption has been widely applied to transmission of various web contents such as social media, entertainment, And is steadily increasing. For example, Twitter, Google Facebook and others are also using SSL encrypted transmissions.

The SSL encryption transmission introduced for content protection prevents the security firewalls used by corporations, educational institutions, public agencies, and telecommunication carriers to prevent the spread of malicious software and malware, and to prevent intrusion and access to harmful sites There is a problem that it is caused. Thus, there may be a need in the art for a solution for monitoring SSL encrypted packets.

Korean Patent Laid-Open Publication No. 10-2015-0053520 (May 2015, May 18, 201) discloses a method of authenticating a server by receiving a certificate from a server.

The present invention has been devised to cope with the above-described background art, and is intended to provide a solution for monitoring encrypted communication.

The present invention is intended to provide a solution for reducing the performance degradation and increasing the stability while monitoring the encrypted communication.

An encryption traffic monitoring method performed in a traffic monitoring apparatus according to an embodiment of the present invention for realizing the above-described problems is disclosed. The method for monitoring an encrypted traffic performed by the traffic monitoring apparatus includes the steps of acquiring communication session information between a user terminal and a server performed in the session information management module, monitoring a communication session between the user terminal and the server, Determining whether to intervene in a communication session between the user terminal and the server, when the communication session control module intervenes in a communication session between the user terminal and the server, A communication session and a second communication session between the user terminal and the traffic monitoring device, the encryption processing module performing encryption handshaking with the server in the first communication session, and in the second communication session, Performing shaking, determining whether the first communication session received through the first communication session Decrypting the first encrypted data received via the first communication session and the second encrypted data received through the second communication session, and performing a security control on the decrypted data by the traffic control module.

Alternatively, the encrypted data may include at least one of secure sockets layer (SSL) encrypted data and transport layer security (TLS) encrypted data.

Alternatively, the step of determining whether or not to intervene in the communication session between the user terminal and the server comprises the steps of: determining whether to intervene in the communication session between the user terminal and the server, The protocol header, and at least a portion of the payload to determine whether to intervene in a communication session between the user terminal and the server.

Alternatively, the step of performing the security control by the traffic control module may include determining whether the user requested URL of the first decrypted data decrypted with the first encrypted data is a preset URL or decrypting the second encrypted data Determining whether a user requested URL of a second decoded data is a preset URL, if at least one of the first communication session and the second communication session is to be terminated if the user requested URL is a preset URL, and And re-encrypting the first decrypted data and delivering it to the user terminal if the user requested URL is not a predetermined URL, or re-encrypting the second decrypted data and delivering the decrypted data to the server.

Alternatively, the step of performing the security control by the traffic control module may include: determining whether the first decrypted data decrypting the first encrypted data or the second decrypted data decrypted the second encrypted data is data related to a predetermined application , Changing the QoS of at least one of the first communication session and the second communication session when the first decoded data or the second decoded data is data related to a predetermined application, Terminating at least one of a first communication session and a second communication session, or transmitting a traffic cutoff message to at least one of a user terminal and a server, and when the first decoded data and the second decoded data are not data related to a predetermined application , Maintaining the first communication session and the second communication session And determining to do so.

Alternatively, the step of determining whether the first decoded data or the second decoded data is data related to a predetermined application may include mapping a name of the application and a signature of a protocol or a payload of the application to a mapping table Analyzing the signature of the protocol or the payload of the first decoded data or the second decoded data and determining whether the signature matches the signature of the protocol or the payload stored in the mapping table; Deciding the decoded data or the second decoded data as data related to a predetermined application.

Alternatively, the step of performing the security control by the traffic control module may include the steps of: performing first security by decrypting the first decrypted data obtained by decrypting the first encrypted data or the second decrypted data decrypted by the second encrypted data, Determining whether the data is related to at least one of group information, preset server information, preset server group information, and preset time information, and determining, based on the determination result, at least one of the first communication session and the second communication session Changing one QoS, terminating at least one of the first communication session and the second communication session, or sending a traffic cutoff message to at least one of the server and the user terminal.

Alternatively, the step of performing security control by the traffic control module may include the steps of: when the traffic control module receives the first decrypted data decrypting the first encrypted data and the second decrypted data decrypting the second decrypted data And forwarding at least one of the first decrypted data and the second decrypted data to the predetermined security apparatus so as to perform a security operation on at least one of the first decrypted data and the second decrypted data.

Alternatively, the method may further include, when receiving the blocking signal from the predetermined security device, blocking at least one of the first communication session and the second communication session.

Alternatively, the method may further include analyzing the decrypted data to perform traffic analysis of the first and second communication sessions.

In addition, a traffic monitoring apparatus for monitoring encrypted traffic according to an embodiment of the present invention is disclosed. The traffic monitoring apparatus monitors the encrypted traffic. The traffic monitoring apparatus monitors a communication session between the user terminal and the server, acquires communication session information between the user terminal and the server, A first communication session between the server and the traffic monitoring device and a second communication session between the user terminal and the traffic monitoring device when intervening in the communication session between the user terminal and the server, A cryptographic processing module that performs cryptographic handshaking with the server in the first communication session and performs cryptographic handshaking with the user terminal in the second communication session; Lt; RTI ID = 0.0 > first < / RTI > encrypted data and the second & About decryption module and the decoded data to decrypt the encrypted data can include traffic control module that performs security control.

Also disclosed is a computer program stored on a computer-readable medium, comprising a plurality of instructions executed by one or more processors in accordance with an embodiment of the present invention. The computer program comprising instructions for: acquiring communication session information between a user terminal and a server in a session information management module; monitoring a communication session between the user terminal and the server in a traffic analysis module; Wherein the communication session control module is operable, when intervening in a communication session between the user terminal and the server, to cause the communication session to perform a first communication session between the server and the traffic monitoring device, Instructions for causing the encryption processing module to perform encryption handshaking with the server in the first communication session and to perform encryption handshaking with the user terminal in the second communication session, Command, a first password received via the first communication session, With respect to the data and the command and a traffic control module and the decoded data to decrypt the second encrypted data received over the second communication session may include myeongryeongreul to to perform a security control.

The present invention can provide a solution for monitoring encrypted communication.

INDUSTRIAL APPLICABILITY The present invention can provide a solution capable of reducing the performance degradation and increasing the stability while monitoring the encrypted communication.

1 is a block diagram of a traffic monitoring apparatus for monitoring encrypted traffic according to an embodiment of the present invention.
2 is a schematic diagram illustrating a traffic surveillance system in accordance with an embodiment of the present invention.
3 is a flowchart of a method for monitoring cryptographic traffic monitoring cryptographic traffic according to an embodiment of the present invention.

Various embodiments are now described with reference to the drawings, wherein like reference numerals are used throughout the drawings to refer to like elements. In this specification, various explanations are given in order to provide an understanding of the present invention. It will be apparent, however, that such embodiments may be practiced without these specific details. In other instances, well-known structures and devices are provided in block diagram form in order to facilitate describing the embodiments.

The terms "component," "module," system, "and the like, as used herein, refer to a computer-related entity, hardware, firmware, software, combination of software and hardware, or execution of software. For example, a component may be, but is not limited to, a process executing on a processor, a processor, an object, an executing thread, a program, and / or a computer. For example, both an application running on a computing device and a computing device may be a component. One or more components may reside within a processor and / or thread of execution, one component may be localized within one computer, or it may be distributed between two or more computers. Further, such components may execute from various computer readable media having various data structures stored therein. The components may be, for example, a signal (e.g., a local system, data from one component interacting with another component in a distributed system, and / or data over a network, such as the Internet, Lt; RTI ID = 0.0 > and / or < / RTI >

The description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features presented herein.

1 is a block diagram of a traffic monitoring apparatus for monitoring encrypted traffic according to an embodiment of the present invention.

The traffic monitoring apparatus 100 for monitoring encrypted traffic according to an embodiment of the present invention includes a first communication interface 110, a second communication interface 120, a session information management module 130, a traffic analysis module 140, A communication session control module 150, an encryption processing module 160, an encryption / decryption module 170, a traffic control module 180, and a memory 190.

The traffic monitoring apparatus 100 for monitoring cryptographic traffic according to an exemplary embodiment of the present invention may include a security device, a firewall, a relay device, and the like located on a communication path between the user terminal 10 and the server 20 . The traffic monitoring apparatus 100 may be installed in a branch office of an internal network of an organization, a company, or the like.

The user terminal 10 may include a personal computer (PC), a note book, a mobile terminal, a smart phone, a tablet PC, And may include any type of terminal capable of being connected to the Internet.

The first communication interface 110 may include a communication interface for communicating with the server 20. The first communication interface 110 performs a function of communicating with the server 20. The first communication interface 110 may include a wired / wireless Internet module for communicating with the server 20. WLAN (Wi-Fi), Wibro (Wireless broadband), Wimax (World Interoperability for Microwave Access), HSDPA (High Speed Downlink Packet Access), LTE (Long Term Evolution) . Wired Internet technologies include XDSL (Digital Subscriber Line), FTTH (Fiber to the home), and PLC (Power Line Communication).

The second communication interface 120 may include a communication interface for the traffic monitoring device 100 to communicate with the user terminal 10. [ The second communication interface 120 performs communication with the user terminal 10. The second communication interface 120 may include a wired / wireless Internet module for communicating with the user terminal 10.

The session information management module 130 may acquire communication session information between the user terminal 10 and the server 20. [ The communication session information may include source IP information, source port information, destination IP information, destination port information, protocol information, and the like. The communication session information includes IP information of a user terminal, port information of a user terminal, IP information of a server, port information of a server, protocol information of a server and a user terminal, subscriber information of a user terminal, identification information of the user terminal, Information, and the like. The user terminal 10 and the server 20 can establish a direct communication session and the traffic monitoring apparatus 100 can intervene in the communication between the user terminal 10 and the server 20 when necessary. The session information management module 130 can acquire information on a communication session between the user terminal 10 and the server 20. [ For this purpose, the session information management module 130 may sense a communication session between the user terminal 10 and the server 20. The session information management module 130 may acquire information of a communication session between the user terminal 10 and the server 20 and store the information in the memory 190. [

The traffic analysis module 140 may monitor a communication session between the user terminal 10 and the server 20 to determine whether to intervene in the communication session between the user terminal and the server. The traffic analysis module 140 intervenes in the communication session between the user terminal 10 and the server 20 when the user terminal 10 and the server 20 perform encrypted communication to transmit and receive the encrypted data Can be determined. The traffic analysis module 140 analyzes at least a part of the IP address information, the port number information, the host information, the protocol header, and the payload included in the server connection request or the server response of the user terminal 10 The server may determine whether to intervene in a communication session between the user terminal and the server. For example, to determine whether to intervene in a session for decryption, the user terminal senses that the user terminal and the server are communicating through a port (for example, 443 port) for encrypted communication, or the user terminal uses a server When detecting handshaking through a server IP address or packet header, the traffic analysis module 140 may decide to intervene in a communication session between the user terminal and the server. The foregoing information is exemplary and the traffic analysis module 140 may decide to intervene in the communication session based on any information that can determine whether the user terminal and the server perform encrypted communications. If the encrypted communication is not detected, the traffic monitoring apparatus 100 does not intervene in a communication session between the user terminal 20 and the server 10, and data received from the user terminal 20 is transmitted to the server 10, Or to allow the data received from the server 10 to be bypassed to the user terminal 20. [

The traffic analysis module 140 analyzes the traffic of the communication session between the user terminal and the server and analyzes the traffic when the secure sockets layer (SSL) or transport layer security (TLS) encrypted data and / You can decide to intervene in the session. The traffic analysis module 140 does not intervene in the communication session between the user terminal and the server when the encrypted traffic and / or protocol is not detected in the communication session between the user terminal and the server, , Or may allow data received from the server to be bypassed to the user terminal.

The traffic analysis module 140 may analyze the traffic of the communication between the user terminal and the server to generate various statistical data. The traffic analysis module 140 may analyze the traffic of the first communication session between the server and the traffic monitoring device and the traffic of the second communication session between the user terminal and the traffic monitoring device to generate statistical data. The traffic analysis module 140 may collect traffic log information based on the L3 layer with respect to the traffic of communication between the user terminal and the server to be bypassed. Also, the traffic analysis module 140 may analyze the decrypted data to collect traffic logging information. The statistical data may include at least one of identification information of a user who uses an application with limited use, identification information of a user who tries to access at a connection time limit, access attempt information of a user whose access is restricted, The ratio of the encryption traffic in the entire communication traffic, and the like. Further, the statistical data may include analysis data according to a combination of URL / application service information or URL / application service information group, user information or user information group, server information or server information group and time information or time information group accessed by the user . The description of the statistical data described above is merely an example, and the statistical data of the present invention may include arbitrary traffic analysis statistical data.

When the traffic analysis module 140 determines to intervene in the communication session between the user terminal and the server, the communication session control module 150 transmits the communication session to the first communication session between the server and the traffic monitoring device, And a second communication session between the traffic monitoring device and the traffic monitoring device. For this purpose, the communication session between the server and the user terminal can be divided into the first communication session and the second communication session by performing handshaking with the server and the user terminal, respectively. According to an embodiment of the present invention, the traffic analysis module 140 intervenes in a communication session between the user terminal and the server when the user terminal and the server use the encrypted communication, And after establishing the second communication session, cause the encryption processing module 160 to perform the encryption handshaking in each communication session.

The encryption processing module 160 performs the encryption handshaking between the server and the traffic monitoring device in the first communication session and the encryption handshaking between the user terminal and the traffic monitoring device in the second communication session. The encryption handshaking may include encryption handshaking to use SSL or TLS encrypted communication. The traffic monitoring apparatus 100 accesses the server 20 as a client by the encryption processing module 160 and performs a client hello operation. In the client hello operation, the encryption processing module 160 generates first random data to be transmitted to the server, and the generated random data and the encryption method usable in the traffic monitoring apparatus 100 are transmitted to the first communication interface 110 To the server 20 via the Internet. In addition, if a session ID exists, the encryption processing module 160 may cause the session ID to be transmitted to the server 20 via the first communication interface 110. The first communication interface 110 receives the second random data generated by the server 20 from the server 20 so that the encryption processing module 160 performs encryption handshaking, the encryption method and the certificate of the client selected by the server . The encryption processing module 160 checks whether the certificate received from the server is issued by a trusted CA and generates a first symmetric key for use in encrypted communication with the server using the public key of the server included in the certificate Exchange secrets with public key cryptography. The encryption processing module 160 may generate the first symmetric key by combining the second random data received from the server 20, the first random data generated by the encryption processing module 160, and secrets. In addition, the server 20 may combine the second random data, the first random data, and the secrets to generate a first symmetric key. Through the above-described operation, the traffic monitoring apparatus 100 can complete the encryption handshaking with the server 20. [

The encryption processing module 160 may perform the encryption handshaking with the user terminal 10 in the second communication session. At this time, the encryption processing module 160 in the second communication session can perform the encryption handshaking with the user terminal 10 by performing the same operation as the operation performed in the server 20 described above. At this time, the encryption processing module 160 can complete the encryption handshaking with the user terminal for generating the second symmetric key by re-signing the certificate of the server 20 with the private CA certificate. According to one embodiment of the present invention, the encryption processing module 160 may perform any encryption handshaking method.

The encryption / decryption module 100 decrypts the first encrypted data received through the first communication session and the second encrypted data received via the second communication session, ) Or the data transmitted to the server (20). The encryption / decryption module 170 decrypts the encrypted data transmitted from the server 20 toward the user terminal 10, and the traffic monitoring device 100 or the predetermined security device 30 performs security control on the data And encrypts the data so that the data is encrypted and transmitted to the user terminal 10 when there is no security problem. The encryption / decryption module 170 decrypts the encrypted data transmitted from the user terminal 10 toward the server 20 so that the traffic monitoring apparatus 100 or the predetermined security apparatus 30 performs security control on the data And encrypts the data so that the data is encrypted and transmitted to the server 20 when there is no security problem. The encryption / decryption module 170 may include an encryption sub-module for encrypting data and a decryption sub-module for decrypting encrypted data. The encryption / decryption module 170 may encrypt data or decrypt encrypted data Can be performed. The encryption / decryption module 170 can encrypt or decrypt data in encrypted communication such as SSL and TSL.

In encrypted communication, a user terminal and a server send and receive encrypted data, and a traffic monitoring device (for example, a security device) located between the server and the user terminal does not perform a security operation on the communication content between the server and the user terminal However, the traffic monitoring apparatus 100 according to the present invention may include an encryption / decryption module 170 capable of decrypting the encrypted data to monitor the contents of the encrypted data.

The encryption / decryption module 170 may decrypt the first encrypted data received from the server using the first symmetric key. The decrypted data can be subjected to security control by the traffic control module 180. Also, the encryption / decryption module 170 may re-encrypt the data decrypted with the second symmetric key before transmitting the data transmitted from the server to the user terminal. Also, the encryption / decryption module 170 may decrypt the second encrypted data received from the user terminal using the second symmetric key. And the security control by the traffic control module 180 can be performed on the data that is being stored. The encryption / decryption module 170 may re-encrypt the decrypted data with the first symmetric key before transmitting the data transmitted from the user terminal 10 to the server 20. The traffic monitoring apparatus 100 decrypts the encrypted data received from the server or the user terminal in the encryption / decryption module 170 and re-encrypts the decrypted data to be transmitted to the user terminal 10 or the server 20, Can maintain the encrypted communication between the server 20 and the user terminal 10 while performing security control on the encrypted communication between the server 20 and the user terminal 10. [

The encryption / decryption module 170 can decrypt the encrypted data transmitted from the server so that the traffic control module 180 or the predetermined security equipment 30 can monitor the contents of the data. Also, the encryption / decryption module 170 may re-encrypt the decrypted data so that the traffic monitoring apparatus 100 can perform encrypted communication with the user terminal 10.

The encryption / decryption module 170 can decrypt the encrypted data transmitted from the user terminal so that the traffic control module 180 or the predetermined security equipment 30 can monitor the contents of the data . In addition, the encryption / decryption module 170 may re-encrypt the decrypted data so that the traffic monitoring apparatus 100 can perform encrypted communication with the server 20.

Accordingly, the traffic monitoring apparatus 100 can decrypt the encrypted data with respect to the encrypted communication between the server 20 and the user terminal 10, monitor the contents of the data to perform security control, And the user terminal 10, the encrypted data can be transmitted.

The traffic control module 180 may perform security control on the decrypted data. The security control may include, but is not limited to, blocking traffic between the server 20 and the user terminal 10, adjusting the QoS, or forwarding the decrypted data to the predetermined security equipment.

The traffic control module 180 may block the communication between the user terminal and the server based on the URL. The traffic control module 180 determines whether the user request URL of the first decrypted data decrypted with the first encrypted data is a preset URL or decides whether the second encrypted data is a user request URL of the decrypted second decryption data It can be determined whether or not the URL is a preset URL. The predetermined URL may be a URL (for example, an obscene site, a gambling site, or the like) where connection of a user terminal can be restricted. The traffic control module 180 determines whether or not the first communication session between the server 20 and the traffic monitoring apparatus 100 and the first communication session between the traffic monitoring apparatus 100 and the user terminal 10, At least one of the second communication session may be terminated. For this, the traffic control module 180 may cause at least one of the server and the user terminal to transmit a message through the first communication interface 110 or the second communication interface 120 to terminate the communication session. If the URL requested by the user is not a predetermined URL, the traffic control module 180 may decide to encrypt the first decrypted data and deliver it to the user terminal, or decrypt the second decrypted data and deliver it to the server have. The traffic control module 180 may block the communication between the user terminal and the server when the URL requested by the user terminal is a blocked URL, and the URL of the data transmitted from the server (the URL requested by the user) If it is a URL, communication between the user terminal and the server can be blocked. The traffic control module 180 can block the URL connection of the user terminal when the user terminal 10 intends to access the URL whose connection is blocked even in the encrypted communication environment. Also, the traffic control module 180 may allow the user terminal to access the URL when the user terminal 10 intends to access the URL that is not blocked.

The traffic control module 180 may block the communication between the user terminal and the server based on the application. The traffic control module 180 may determine whether the first decrypted data obtained by decoding the first encrypted data or the second decrypted data obtained by decoding the second encrypted data is related to the preset application. The predefined applications may include applications that are blocked or restricted from accessing (e.g., P2P applications, WebHard applications, etc., which may be a security threat or may occupy excessive bandwidth). The traffic control module 180 maps the name of the application and the information related to the traffic of the application in advance and stores the information in the memory 190. The traffic control module 180 analyzes the traffic between the user terminal and the server, , It can be determined that the traffic between the user terminal and the server is traffic related to the predetermined application. The traffic control module 180 may map the name of the application and the protocol of the application or the signature of the payload and store the mapping in the mapping table. The traffic control module 180 may analyze the signature of the protocol or the payload of the first decoded data or the second decoded data to determine whether the signature matches the signature of the protocol or the payload stored in the mapping table. The traffic control module 180 can determine that the first decoded data or the second decoded data is data related to the predetermined application. The traffic control module 180 may change the QoS of at least one of the first communication session and the second communication session if the first decoded data or the second decoded data is data associated with a predetermined application (e.g., Communication speed limit, response time delay, etc.), or at least one of the first communication session and the second communication session is terminated, or to transmit a traffic interception message to at least one of the user terminal and the server. The traffic control module 180 determines to maintain the first communication session and the second communication session when the first decoded data and the second decoded data are not related to the predetermined application, 20 can continue to communicate. The traffic control module 180 can block the application connection of the user terminal when the user terminal 10 intends to access the application whose connection is restricted even in the encrypted communication environment. In addition, the traffic control module 180 may allow the user terminal to access the application when the user terminal 10 intends to access the application permitted to access (i.e., an application that is not a predetermined application).

The traffic control module 180 may block or unblock the communication between the user terminal and the server based on user information, server information, and / or time information. In addition, the traffic control module 180 may apply the URL and application-based traffic control described above based on user information, server information, and / or time information. The traffic control module 180 receives the first decrypted data obtained by decrypting the first encrypted data or the second decrypted data decrypted by the second decrypted data by using preset user information, preset server information, It can be determined whether or not the data is related to the set time information. The preset user information and user group information may include user information whose network connection has been blocked (for example, when only the employees of the company are disconnected from outside personnel so as to be able to access an in-house wifi). The user information may be mapped to user terminal identification information such as a MAC address and an IP address of the user terminal and may be pre-stored. The traffic control module 180 refers to the acquired user terminal identification information and a pre- Information can be judged. The preset server information may include server identification information such as the IP address of the server providing the content. The preset time information may include time information about the time when the network connection is blocked (for example, when the in-house wifi is disconnected from 9 o'clock to 6 o'clock, which is a working time). The traffic control module 180 changes the QoS of at least one of the first communication session and the second communication session based on the determination result, or at least one of the first communication session and the second communication session is ended , And may decide to send a traffic interception message to at least one of the server and the user terminal. Also, the traffic control module 180 may perform an operation of controlling the communication session based on the determination result of the user information, the URL, and the determination result of the application. The traffic control module 180 can block the connection of the user terminal when a user whose connection is limited even in an encrypted communication environment tries to connect or attempts to connect at the connection time limit.

The traffic control module 180 can forward the data of the communication between the user terminal and the server to the predetermined security device so that the preset security device 30 can perform the security operation, Security control can be performed on the communication between the user terminal and the server based on the security operation. The predetermined security equipment 30 may include security equipment separate from the traffic monitoring device 100 (for example, security equipment for monitoring non-encrypted communication, etc.). The traffic control module 180 may transmit at least one of the first decoded data and the second decoded data to the predetermined security device 30 in order to allow the predetermined security device 30 to perform the security operation on the data of the communication between the user terminal and the server (30). ≪ / RTI > The forwarding may include delivering the decrypted data to the predefined security equipment 30 via the first communication interface 110, the second communication interface 120, or another communication interface. However, the traffic monitoring apparatus 100 of the present invention decrypts the encrypted communication and forwards the communication contents to the security apparatus, so that the existing security apparatus can perform the security operation even in the encrypted communication environment To be performed. When receiving the blocking signal from the predetermined security device 30, the traffic control module 180 detects a first communication session between the server and the traffic monitoring device, and a second communication session between the traffic monitoring device and the user terminal Or the like.

The memory 190 may store instructions for operation of each module of the present invention. The instructions stored in the memory may be executed by the processor. Each module of the invention may be comprised of a portion of a processor or a set of instructions of a program. The memory 190 stores the criteria (e.g., preset IP address, port information, host information, etc.) that determine whether the traffic monitoring apparatus 100 intervenes in a communication session between the user terminal 10 and the server, , Pre-set URL related information, pre-set application related information (e.g., application name and application data related information mapping information), preset user information (user information mapped with identification information of the user terminal) User group information, preset time information, and the like, and the above description is only an example, and the present invention is not limited thereto.

The memory 190 may be a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (e.g., SD or XD memory), a RAM (Random Access Memory), SRAM (Static Random Access Memory), ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM A disk, and / or an optical disk. The above description is only illustrative, and the present invention is not limited thereto.

The traffic monitoring apparatus 100 according to an exemplary embodiment of the present invention decrypts encrypted data in encrypted communication to perform security surveillance so that security monitoring of traffic can be performed even in an encrypted communication environment. And interfere with the communication session between the server and the server, thereby minimizing the performance degradation due to security monitoring. In addition, since the performance of the traffic monitoring apparatus 100 according to an embodiment of the present invention can be minimized by minimizing performance degradation when necessary, it is possible to increase the monitoring range, thereby preventing attempts to avoid security equipment such as port hopping, Can be monitored. The traffic monitoring apparatus 100 according to an exemplary embodiment of the present invention performs a security operation based on a URL reference, an application reference, a user information reference, or a time information reference, and may correspond to various security policies.

2 is a schematic diagram illustrating a traffic surveillance system in accordance with an embodiment of the present invention.

The traffic monitoring system according to an embodiment of the present invention may include a user terminal 10, a server 20, and a traffic monitoring apparatus 100. Alternatively, it may alternatively comprise a predefined security device 30.

The traffic monitoring apparatus 100 for monitoring cryptographic traffic according to an exemplary embodiment of the present invention may include a security device, a firewall, a relay device, and the like located on a communication path between the user terminal 10 and the server 20 . The traffic monitoring apparatus 100 may be installed in a branch office of an internal network of an organization, a company, or the like. The preset security device 30 may include a security device, a firewall, a relay device, and the like that can monitor communication between the user terminal and the server, and may be configured separately from the traffic monitoring device 100.

The user terminal 10 may include a personal computer (PC), a note book, a mobile terminal, a smart phone, a tablet PC, And may include any type of terminal capable of being connected to the Internet.

The server 20 and the user terminal 10 establish a direct communication session 210 and the traffic monitoring apparatus 100 intervenes in the communication session 210 between the server and the user terminal when necessary, The communication between the server and the user terminal can be monitored by separating the session into a first communication session 230 between the server and the traffic monitoring device and a second communication session 220 between the traffic monitoring device and the user terminal. When the server and the user terminal perform non-encrypted communication, the traffic monitoring apparatus 100 does not intervene in the communication session 210 between the server and the user terminal. However, when the server and the user terminal perform the encrypted communication, (100) may intervene in the communication session (210) of the server and the user terminal.

The session information management module 130 of the traffic monitoring device 100 may obtain communication session information of the communication session 210 between the user terminal and the server in order to intervene in the communication session 210 between the user terminal and the server, . The communication session information includes IP information of the user terminal, port information of the user terminal, IP information of the server, port information of the server, protocol information of the server and the user terminal, host information, subscriber information of the user terminal, And the like.

The traffic analysis module 140 of the traffic monitoring device 100 may monitor the communication session 210 between the user terminal and the server to determine whether to intervene in the communication session 210 between the user terminal and the server as needed. The traffic analysis module 140 may intervene in the communication session between the user terminal 10 and the server 20 when the user terminal 10 and the server 20 perform encrypted communication to transmit and receive the encrypted data You can decide. Encrypted data for security of data has a problem in that existing monitoring devices can not confirm the contents of the data, which disables existing monitoring devices. To do so, a monitoring device capable of monitoring encrypted communication is required. However, when the monitoring apparatus capable of monitoring the encrypted communication participates in the entire communication between the user terminal and the server, the degradation of the communication performance may be a problem. Therefore, according to an embodiment of the present invention, when the communication session 210 between the user terminal and the server performs non-encrypted communication, the traffic monitoring apparatus 100 allows the user terminal and the server to communicate directly, It is possible to intervene in a communication session between the user terminal and the server to provide security surveillance for the traffic while minimizing degradation in communication performance. The traffic analysis module 140 of the traffic monitoring apparatus 100 analyzes the IP address information, the port number information, the host information, the header, and the IP address information included in the server access request or the server response of the user terminal 10 And determine whether to intervene in a communication session between the user terminal and the server based on at least one of at least a portion of the payload. For example, if the user terminal detects that the user terminal and the server are communicating through a port (for example, port 443) for encrypted communication, or if the user terminal attempts to perform handshaking with a server using the SSL encryption scheme, Upon analysis, the traffic analysis module 140 may determine to intervene in a communication session between the user terminal and the server. The foregoing information is exemplary and the traffic analysis module 140 may decide to intervene in the communication session based on any information that can determine whether the user terminal and the server perform encrypted communications.

The communication session control module 150 of the traffic monitoring apparatus 100 may determine that the traffic analysis module 140 has determined to intervene in the communication session 210 between the user terminal and the server, A first communication session 230 of the user terminal and a second communication session 220 between the user terminal and the traffic monitoring device. And then perform handshaking with the server and the user terminal to separate the communication session of the server and the user terminal into the first communication session 230 and the second communication session 220, respectively.

The encryption processing module 160 of the traffic monitoring apparatus 100 performs encryption and hashaking between the server and the traffic monitoring apparatus in the first communication session 230 and performs encryption and hashing between the user terminal and the traffic monitoring apparatus in the second communication session 220. [ Lt; RTI ID = 0.0 > handshaking < / RTI > The encryption handshaking may include encryption handshaking to use SSL or TLS encrypted communication. Concrete encryption handshaking is as described above.

The encryption / decryption module 170 of the traffic monitoring apparatus 100 encrypts the encrypted data so that the traffic control module 180 or the predetermined security equipment 30 can monitor the contents of the data It can be decoded. The encryption and decryption module 170 of the traffic monitoring device 100 decrypts the first encrypted data received via the first communication session 230 and the second encrypted data received via the second communication session 220 The user terminal 10, or the server 20. In this case, In order to monitor the contents of the encrypted data in the encrypted communication for data security, it is necessary to decrypt the encrypted data, and the encryption / decryption module 170 of the traffic monitoring apparatus 100 can decrypt the encrypted data . Also, the encryption / decryption module 170 of the traffic monitoring apparatus 100 encrypts the decrypted data whose contents have been confirmed so that the encrypted communication is continued to secure the data, so that the server 20, The decrypted data may be re-encrypted so that the decrypted data is delivered to the mobile terminal 10.

The traffic control module 180 of the traffic monitoring apparatus can block the communication between the user terminal 10 and the server 20 on the basis of the URL or block or adjust the QoS based on the application. The traffic control module 180 of the traffic monitoring apparatus may block communication between the user terminal 10 and the server 20 based on user information, user group information, server information, server group information, or time information, QoS can be adjusted. In addition, the traffic control module 180 of the traffic monitoring device may perform traffic control based on a combination of a plurality of criteria among the above-described criteria. The traffic control module 180 of the traffic monitoring apparatus may transmit the decrypted data to the predetermined security equipment 30 so that the predetermined security equipment 30 can monitor communication between the user terminal 10 and the server 20. [ And can block the communication between the user terminal and the server or adjust the QoS by receiving the security shutdown signal from the preset security device 30. [

The traffic control module 180 of the traffic monitoring apparatus 100 may check the contents of the decrypted data to determine whether the user terminal desires to access a URL with limited access or whether to use an application with limited use . In addition, the traffic control module 180 checks the contents of the decrypted data to determine whether the user terminal attempting to connect is a user terminal permitted to access, or whether the time when the user terminal attempts to access is permitted can do. In order to determine this, the traffic control module 180 obtains a user request URL (a URL that the user terminal desires to access) from the data received from the user terminal or the data received from the server, It can be determined whether or not the URL matches the set URL. Also, the traffic control module 180 compares the mapping table between the name of the application to be blocked and the information of the application (signature of the protocol or the payload) and the data received from the user terminal or the server, It is possible to judge whether or not the user wants to access the restricted application. The traffic control module 180 obtains the identification information of the user terminal from the data received from the user terminal, judges the user information by referring to the pre-stored mapping table, and determines whether or not the user terminal whose connection is not permitted tries to connect It can be judged.

The traffic control module 180 determines whether the communication between the user terminal 10 and the server 20 should be blocked as a result of the traffic control module 180. In this case, The traffic control module 180 may send a message to the first communication interface 110 or the second communication interface 120 to terminate the communication session to at least one of the server and the user terminal. As shown in FIG.

The traffic monitoring apparatus 100 according to an exemplary embodiment of the present invention decrypts encrypted data in encrypted communication to perform security surveillance so that security monitoring of traffic can be performed even in an encrypted communication environment. And interfere with the communication session between the server and the server, thereby minimizing the performance degradation due to security monitoring. In addition, since the performance of the traffic monitoring apparatus 100 according to an embodiment of the present invention can be minimized by minimizing performance degradation when necessary, it is possible to increase the monitoring range, thereby preventing attempts to avoid security equipment such as port hopping, Can be monitored. The traffic monitoring apparatus 100 according to an exemplary embodiment of the present invention performs a security operation based on a URL reference, an application reference, a user information reference, or a time information reference, and may correspond to various security policies.

3 is a flowchart of a method for monitoring cryptographic traffic monitoring cryptographic traffic according to an embodiment of the present invention.

The method for monitoring encrypted traffic for monitoring encrypted traffic can be performed in the traffic monitoring apparatus 100 according to an embodiment of the present invention.

The traffic monitoring apparatus 100 for monitoring cryptographic traffic according to an exemplary embodiment of the present invention may include a security device, a firewall, a relay device, and the like located on a communication path between the user terminal 10 and the server 20 .

The user terminal 10 may establish a communication session with the server 20 for communication.

The session information management module 130 of the traffic monitoring apparatus 100 may acquire information of a communication session between the user terminal and the server (310). The communication session information includes source IP information, source port information, destination IP information, destination port information, protocol information IP information of a user terminal, port information of a user terminal, IP information of a server, port information of a server, Protocol information, subscriber information of the user terminal, identification information of the user terminal, identification information of the server, and the like.

The traffic analysis module 140 of the traffic monitoring apparatus 100 may monitor a communication session between the user terminal 10 and the server 20 to determine whether to intervene in the communication session between the user terminal and the server 320 ). The traffic analysis module 140 intervenes in the communication session between the user terminal 10 and the server 20 when the user terminal 10 and the server 20 perform encrypted communication to transmit and receive the encrypted data Can be determined. Based on at least one of IP address information, port number information, host information, and protocol information included in a server connection request or a server response of the user terminal 10, It can decide whether or not to intervene in a communication session between the user terminal and the server. For example, if the user terminal detects that the user terminal and the server are communicating through a port (for example, port 443) for encrypted communication, or if the user terminal attempts to perform handshaking with a server using the SSL encryption scheme, Upon analysis, the traffic analysis module 140 may determine to intervene in a communication session between the user terminal and the server. The foregoing information is exemplary and the traffic analysis module 140 may decide to intervene in the communication session based on any information that can determine whether the user terminal and the server perform encrypted communications. The traffic analysis module 140 does not intervene in the communication session between the user terminal and the server but the data received from the user terminal is bypassed to the server when the encrypted traffic is not detected in the communication session between the user terminal and the server Or data received from the server may be bypassed to the user terminal.

When the communication session control module 150 of the traffic monitoring apparatus 100 intervenes in the communication session between the user terminal and the server, the communication session is controlled by the first communication session 230 between the server and the traffic monitoring apparatus, And a second communication session 220 between the traffic monitoring devices (330). For this purpose, the communication session control module 150 may perform handshaking with the server and the user terminal, respectively, to separate the communication session between the server and the user terminal into the first communication session and the second communication session.

The encryption processing module 160 of the traffic monitoring device 100 may perform the encryption handshaking with the server in the first communication session 230 and the encryption handshaking with the user terminal in the second communication session 220 (340). At this time, the encryption processing module 160 can perform encryption handshaking with the server through the certificate of the server, re-sign the server certificate with the private CA certificate, and perform encryption handshaking with the user terminal .

The encryption and decryption module 170 of the traffic monitoring device 100 decrypts the first encrypted data received through the first communication session 230 and the second encrypted data received via the second communication session 220 (350). In order to perform security control on traffic, the contents of the traffic should be viewed. Therefore, the encryption / decryption module 170 may decrypt the encrypted data to allow the traffic control module 180 to perform security control.

The traffic control module 180 may perform security control on the decrypted data (360). The traffic control module 180 can perform security control for communication between the user terminal and the server based on at least one of URL, application, user information, and time information through the decrypted data. The security control may include blocking of communication, QoS adjustment, and the like, but the present invention is not limited thereto. The traffic control module 180 determines whether or not the user request URL is a predetermined URL, whether the application to be accessed by the user terminal is a preset application, whether the user information corresponds to preset user information, Based on whether or not the related information corresponds to the preset time information, it is possible to decide to block the communication between the server and the user terminal or to adjust the QoS.

The traffic control module 180 also determines to forward the decrypted data to the predetermined security device so that the predetermined security device (e.g., external security device, etc.) can perform the security operation on the decrypted data It is possible. The predetermined security device 30 may check the contents of the decrypted data and send a security shutdown signal to the traffic monitoring device 100 to perform security control for communication between the user terminal and the server.

The traffic monitoring apparatus 100 according to an exemplary embodiment of the present invention decrypts encrypted data in encrypted communication to perform security surveillance so that security monitoring of traffic can be performed even in an encrypted communication environment. And interfere with the communication session between the server and the server, thereby minimizing the performance degradation due to security monitoring. In addition, since the performance of the traffic monitoring apparatus 100 according to an embodiment of the present invention can be minimized by minimizing performance degradation when necessary, it is possible to increase the monitoring range, thereby preventing attempts to avoid security equipment such as port hopping, Can be monitored. The traffic monitoring apparatus 100 according to an exemplary embodiment of the present invention performs a security operation based on a URL reference, an application reference, a user information reference, or a time information reference, and may correspond to various security policies.

Those of ordinary skill in the art will understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced in the above description may include voltages, currents, electromagnetic waves, magnetic fields or particles, Particles or particles, or any combination thereof.

Those skilled in the art will appreciate that the various illustrative logical blocks, modules, processors, means, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be embodied directly in electronic hardware, (Which may be referred to herein as "software") or a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the design constraints imposed on the particular application and the overall system. Those skilled in the art may implement the described functionality in various ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

The various embodiments presented herein may be implemented as a method, apparatus, or article of manufacture using standard programming and / or engineering techniques. The term "article of manufacture" includes a computer program, carrier, or media accessible from any computer-readable device. For example, the computer-readable medium can be a magnetic storage device (e.g., a hard disk, a floppy disk, a magnetic strip, etc.), an optical disk (e.g., CD, DVD, etc.), a smart card, But are not limited to, devices (e. G., EEPROM, cards, sticks, key drives, etc.). The various storage media presented herein also include one or more devices and / or other machine-readable media for storing information. The term "machine-readable medium" includes, but is not limited to, a wireless channel and various other media capable of storing, holding, and / or transferring instruction (s) and / or data.

It will be appreciated that the particular order or hierarchy of steps in the presented processes is an example of exemplary approaches. It will be appreciated that, based on design priorities, certain orders or hierarchies of steps in processes may be rearranged within the scope of the present invention. The appended method claims provide elements of the various steps in a sample order, but are not meant to be limited to the specific order or hierarchy presented.

The description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features presented herein.

Claims (12)

A method for monitoring an encrypted traffic performed by a traffic monitoring device,
Acquiring communication session information between a user terminal and a server performed in a session information management module;
Monitoring a communication session between the user terminal and the server performed in the traffic analysis module and determining whether to intervene in a communication session between the user terminal and the server;
Wherein the communication session control module separates the communication session into a first communication session between the server and the traffic monitoring device and a second communication session between the user terminal and the traffic monitoring device when intervening in the communication session between the user terminal and the server step;
Performing an encryption handshaking with the server in the first communication session and an encryption handshaking with the user terminal in the second communication session;
Decrypting the first encrypted data received via the first communication session and the second encrypted data received via the second communication session; And
The traffic control module performing security control on the decrypted data;
/ RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
Wherein the encrypted data comprises at least one of secure sockets layer (SSL) encrypted data and transport layer security (TLS) encrypted data.
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
Wherein determining whether to intervene in a communication session between the user terminal and the server comprises:
Based on at least one of the IP address information, the port number information, the host information, the protocol header, and the payload included in the server connection request or the server response of the user terminal, Lt; RTI ID = 0.0 > a < / RTI > communication session,
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
The step of the traffic control module performing the security control includes:
It is determined whether the user request URL of the first decrypted data decrypted with the first encrypted data is a preset URL or whether the user requested URL of the second decrypted data decrypted with the second encrypted data is a preset URL ;
Causing at least one of the first communication session and the second communication session to end if the user requested URL is a preset URL; And
Encrypting the first decrypted data and transmitting it to the user terminal if the user requested URL is not a predetermined URL, or re-encrypting the second decrypted data and transmitting the decrypted data to the server;
/ RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
The step of the traffic control module performing the security control includes:
Determining whether the first decrypted data decrypting the first encrypted data or the second decrypted data decrypted the second encrypted data is data related to a predetermined application;
Change the QoS of at least one of the first communication session and the second communication session when the first decoded data or the second decoded data is data related to a predetermined application or change the QoS of at least one of the first communication session and the second communication session, Terminating at least one of the user terminal and the server, or transmitting a traffic blocking message to at least one of the user terminal and the server; And
Determining to maintain the first communication session and the second communication session when the first decrypted data and the second decrypted data are not data related to a predetermined application;
/ RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
6. The method of claim 5,
Wherein the step of determining whether the first decoded data or the second decoded data is data related to a predetermined application comprises:
Mapping a name of the application and a protocol of the application or a signature of a payload and storing the mapping in a mapping table;
Analyzing the protocol of the first decoded data or the second decoded data or the signature of the payload and determining whether the signature matches the signature of the protocol or the payload stored in the mapping table; And
Determining that the first decoded data or the second decoded data is data related to a predetermined application;
/ RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
The step of the traffic control module performing the security control includes:
The first decrypted data obtained by decrypting the first encrypted data or the second decrypted data obtained by decrypting the second encrypted data may be pre-set user information, preset user group information, preset server information, preset server group information, Determining whether the data is related to at least one of the time information; And
Change at least one of the first communication session and the second communication session based on the determination result, or terminate at least one of the first communication session and the second communication session, or at least one of the server and the user terminal Transmitting a traffic blocking message to one;
/ RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
The step of the traffic control module performing the security control includes:
The traffic control module may perform a security operation on at least one of the first decrypted data decrypting the first encrypted data and the second decrypted data decrypting the second decrypted data, Forwarding at least one of the data and the second decryption data to the predetermined security equipment;
/ RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
9. The method of claim 8,
Blocking at least one of the first communication session and the second communication session when receiving a security shutdown signal from the predetermined security device;
≪ / RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
The method according to claim 1,
Analyzing the decrypted data to perform traffic analysis of the first and second communication sessions;
≪ / RTI >
A method for monitoring encrypted traffic performed by a traffic monitoring device.
A traffic monitoring apparatus for monitoring encrypted traffic,
A session information management module for acquiring communication session information between the user terminal and the server;
A traffic analysis module for monitoring a communication session between the user terminal and the server and determining whether to intervene in a communication session between the user terminal and the server;
A communication session control module for separating the communication session into a first communication session between the server and the traffic monitoring device and a second communication session between the user terminal and the traffic monitoring device when intervening in the communication session between the user terminal and the server;
An encryption processing module that performs encryption handshaking with the server in the first communication session and performs encryption handshaking with the user terminal in the second communication session;
An encryption decryption module for decrypting the first encrypted data received through the first communication session and the second encrypted data received through the second communication session; And
A traffic control module for performing security control on the decrypted data;
/ RTI >
A traffic monitoring device that monitors encrypted traffic.
21. A computer program stored in a computer-readable medium comprising a plurality of instructions executed by one or more processors,
The computer program comprising:
Instructions for causing the session information management module to obtain communication session information between the user terminal and the server;
Monitoring a communication session between the user terminal and the server in the traffic analysis module to determine whether to intervene in a communication session between the user terminal and the server;
Wherein the communication session control module separates the communication session into a first communication session between the server and the traffic monitoring device and a second communication session between the user terminal and the traffic monitoring device when intervening in a communication session between the user terminal and the server ≪ / RTI >
Instructions for an encryption processing module to perform encryption handshaking with the server in the first communication session and to perform encryption handshaking with the user terminal in the second communication session;
Instructions for decrypting the first encrypted data received over the first communication session and the second encrypted data received over the second communication session; And
Instructions for causing the traffic control module to perform security control on the decrypted data;
/ RTI >
A computer program stored on a computer-readable medium.

Images