KR20220036312A - Method for providing virtual computing environment, and apparatus implementing the same method - Google Patents

Abstract

A method performed by a computing device to analyze program vulnerabilities in a virtual computing environment according to an embodiment of the present invention is when a request for creating a VDI (Virtual Desktop Infrastructure) for performing security vulnerability analysis is received from a user terminal. , generating a VDI that can access the analysis target program selected by the user among a plurality of analysis target programs, and when the analysis of the analysis target program selected by the user accessing the VDI is completed, the analysis It includes providing information related to vulnerabilities of the selected program to be analyzed using data generated by the method.

Description

Method for providing a virtual computing environment, and apparatus for implementing the same {METHOD FOR PROVIDING VIRTUAL COMPUTING ENVIRONMENT, AND APPARATUS IMPLEMENTING THE SAME METHOD}

The present invention relates to a method of providing a virtual computing environment, and a device for implementing the same. More specifically, it relates to a method of providing a virtual computing environment for analyzing programs subject to hacking, and a device for implementing the same.

Bug bounty is a system that pays a reward to hackers who find vulnerabilities by hacking services provided by companies online and/or programs provided by companies. Previously, bug bounties were mainly applied to services or programs in operation. It was done.

As a result, there were many problems in which system overload occurred due to bug bounty performed by the operating service itself or information was leaked due to hacking.

In addition, there are many cases where there are restrictions on the hacking environment, such as websites and unreleased programs in a network environment that do not allow access to an unspecified number of people, making it difficult to conduct bug bounties for a sufficient number of diverse participants.

Therefore, a bug bounty environment is required to prevent overload and information leakage of systems that provide operational services. Additionally, there is a need for a method that allows users to perform bug bounties without restrictions on attacks in various OS environments and easily configure programs that are subject to bug bounties.

U.S. Patent Publication No. 2018-0007077 (published on January 4, 2018)

The technical problem to be solved by the present invention is to provide a method of providing a virtual computing environment capable of providing a mock hacking environment for analyzing security vulnerabilities of programs, and a device for implementing the same.

Another technical problem to be solved by the present invention is to provide a method of providing a virtual computing environment that can automatically and easily configure a large number of programs subject to security vulnerability analysis, and a device for implementing the same.

Another technical problem that the present invention aims to solve is a method of providing a virtual computing environment that can perform bug bounties without restrictions on attacks in various OS environments and prevent overload of running services and information leakage, and It provides a device for implementation.

Another technical problem that the present invention aims to solve is to receive applications for bug bounty participation for the program to be analyzed as desired from a number of specified or unspecified participants, targeting a large number of programs subject to security vulnerability analysis, and to proceed with the bug bounty. The goal is to provide an online platform that allows this.

The technical problems of the present invention are not limited to the technical problems mentioned above, and other technical problems not mentioned can be clearly understood by those skilled in the art from the description below.

In order to solve the above technical problem, a method performed by a computing device to analyze program vulnerabilities in a virtual computing environment according to an embodiment of the present invention is a VDI (Virtual Desktop) for performing security vulnerability analysis from a user's terminal. When a request for creation of Infrastructure) is received, creating a VDI accessible to an analysis target program selected by the user among a plurality of analysis target programs, and providing access to the analysis target program selected by the user connected to the VDI. When the analysis is completed, it includes providing information related to vulnerabilities of the selected program to be analyzed using the data generated by the analysis.

As an embodiment, the step of creating the VDI may include generating information for connecting to the VDI, and encrypting and storing the generated information in a database.

As an embodiment, it may include transmitting information for connecting to the VDI to the user terminal and providing tunneling between the user terminal and the VDI when a connection request is made from the user terminal to the VDI using the information. You can.

As an embodiment, registering information about each program to be analyzed, creating the program to be analyzed using the registered information, and providing endpoint information of the generated program to be analyzed. Additional steps may be included.

As an embodiment, the information about the program to be analyzed includes at least one of storage information in which the image of the program to be analyzed is stored, request specifications of the program to be analyzed, setting information, environment variables, storage volume, and connection information. can do.

As an embodiment, the step of generating the VDI may include generating the VDI including an image corresponding to the selected analysis target program using information about the registered analysis target program.

As an embodiment, when accessing a program to be analyzed that exists on a restricted network through the VDI, information for accessing the VDI and information about the registered program to be analyzed are used to connect the VDI and the program to be analyzed. The step of establishing a connection may further be included.

As an embodiment, when accessing a program to be analyzed created in the virtual computing environment through the VDI, a step of establishing a connection between the VDI and the program to be analyzed using endpoint information of the program to be analyzed is further performed. It can be included.

In one embodiment, the step of providing information related to vulnerabilities of the selected analysis target program using the data generated by the analysis includes collecting traffic data recorded on the VDI, and based on the traffic data It may include extracting a vulnerability detection pattern of the analysis target program.

In one embodiment, the step of providing information related to vulnerabilities of the selected analysis target program using the data generated by the analysis includes collecting user behavior data generated after the user's analysis is initiated, and It may include extracting a vulnerability detection pattern of the analysis target program based on user behavior data.

In one embodiment, the user behavior data may include at least one of information about tools used by the user for the analysis, key logs, file upload information, network connection information, and user authentication information.

As an embodiment, the VDI may be a virtual computing environment for mock hacking of the analysis target program.

In one embodiment, the method may further include displaying information about the plurality of programs to be analyzed, and receiving the user's selection of at least one of the plurality of programs to be analyzed.

In one embodiment, the step of paying a fee for analysis of the selected analysis target program to the user may be further included.

In order to solve the above technical problem, a computer-readable non-transitory recording medium according to an embodiment of the present invention can store a computer program that causes a computer to perform the method.

In order to solve the above technical problem, a device for providing a virtual computing environment according to an embodiment of the present invention is a communication unit that communicates with an external device, a storage unit, and a VDI (Virtual Desktop Infrastructure) for performing security vulnerability analysis from the user's terminal. ), when a creation request is received, a VDI creation module that creates a VDI accessible to the analysis target program selected by the user among a plurality of analysis target programs, and the analysis target program selected by the user connected to the VDI. When the analysis is completed, a processor including a VDI analysis module provides information related to vulnerabilities of the selected analysis target program using data generated by the analysis.

As an embodiment, the VDI creation module may generate information for the VDI connection, and encrypt and store the generated information in a database.

In one embodiment, the VDI creation module transmits information for the VDI connection to the user terminal, and uses the information to perform tunneling between the user terminal and the VDI when a connection request is made from the user terminal to the VDI. can be provided.

As an embodiment, the VDI analysis module may collect traffic data recorded on the VDI and extract a vulnerability detection pattern of the analysis target program based on the traffic data.

As an embodiment, the VDI analysis module may collect user behavior data generated after the user's analysis is started, and extract a vulnerability detection pattern of the analysis target program based on the user behavior data.

1 is a configuration diagram of a system for providing a virtual computing environment according to an embodiment of the present invention.
Figure 2 is a block diagram showing the configuration of an apparatus for providing a virtual computing environment according to an embodiment of the present invention.
3 and 4 are flowcharts for explaining a method of providing a virtual computing environment according to another embodiment of the present invention.
Figure 5 is an example illustrating the entire business process for program vulnerability analysis according to some embodiments of the present invention.
Figure 6 is an example illustrating a process for each operation performed by a device according to some embodiments of the present invention.
Figure 7 is an example illustrating the flow of operations for creating and deleting VDI according to some embodiments of the present invention.
Figure 8 is an example showing the flow of operations for VDI connection according to some embodiments of the present invention.
Figure 9 is an example showing the flow of operations for registering and creating a program according to some embodiments of the present invention.
Figure 10 is an example showing the flow of operations for program access in VDI according to some embodiments of the present invention.
Figure 11 is an example showing the flow of operations for VDI logging analysis according to some embodiments of the present invention.
12 is a hardware configuration diagram of an example computing device capable of implementing methods according to some embodiments of the present invention.

Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the attached drawings. The advantages and features of the present disclosure and methods for achieving them will become clear by referring to the embodiments described in detail below along with the accompanying drawings. However, the technical idea of the present disclosure is not limited to the following embodiments and may be implemented in various different forms. The following embodiments are merely intended to complete the technical idea of the present disclosure and to be used in the technical field to which the present disclosure belongs. It is provided to fully inform those skilled in the art of the scope of the present disclosure, and the technical idea of the present disclosure is only defined by the scope of the claims.

When adding reference numerals to components in each drawing, it should be noted that identical components are given the same reference numerals as much as possible even if they are shown in different drawings. Additionally, in describing the present disclosure, if it is determined that a detailed description of a related known configuration or function may obscure the gist of the present disclosure, the detailed description will be omitted.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings that can be commonly understood by those skilled in the art to which this disclosure pertains. Additionally, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless clearly specifically defined. The terminology used herein is for the purpose of describing embodiments and is not intended to limit the disclosure. As used herein, singular forms also include plural forms, unless specifically stated otherwise in the context.

Additionally, in describing the components of the present disclosure, terms such as first, second, A, B, (a), and (b) may be used. These terms are only used to distinguish the component from other components, and the nature, sequence, or order of the component is not limited by the term. When a component is described as being “connected,” “coupled,” or “connected” to another component, that component may be directly connected or connected to that other component, but there is another component between each component. It will be understood that elements may be “connected,” “combined,” or “connected.”

As used in the specification, “comprises” and/or “comprising” refers to the presence of one or more other components, steps, operations and/or elements. or does not rule out addition.

Hereinafter, several embodiments of the present disclosure will be described in detail with reference to the attached drawings.

1 is a configuration diagram of a system for providing a virtual computing environment according to an embodiment of the present invention. Referring to FIG. 1, the system according to an embodiment of the present invention consists of a virtual computing environment providing device 1 and a database server 30, and the virtual computing environment providing device 1 is a user terminal 10 or an administrator terminal. It can be connected to (20). Here, the user terminal 10 may be, for example, a terminal device of a white hacker or a company that connects to the virtual computing environment providing device 1 and performs security vulnerability analysis during a bug bounty. Additionally, the administrator terminal 20 may be, for example, a terminal device of an administrator who has the authority to configure a program that is the subject of security vulnerability analysis.

The virtual computing environment providing device 1 is a device that provides a virtual computing environment for analysis of program vulnerabilities, and may be implemented as a computing device such as a server device, PC, laptop, etc.

The database server 30 may be implemented as a separate DB server connected to the virtual computing environment providing device 1 through a network, and is not limited to a specific type of DB server. As an embodiment, the database server 30 may be implemented as a repository that stores images corresponding to analysis target programs accessible through VDI in the virtual computing environment providing device 1.

In addition, the database server 30 can be implemented as a threat intelligence (TI) DB that stores information related to vulnerabilities of programs provided through log data analysis through VDI connection in the virtual computing environment providing device 1. there is.

When a request for creating a VDI for performing a security vulnerability analysis is received from the user's terminal 10, the virtual computing environment providing device 1 selects an analysis target program selected by the user of the user terminal 10 from among a plurality of analysis target programs. Create an accessible VDI. At this time, the analysis target program selected by the user may be registered and created by the administrator terminal 20.

As an embodiment, the virtual computing environment providing device 1 may allocate information for VDI connection, such as ID, password, IP, port, and VDI ID, to the created VDI. Accordingly, the user terminal 10 is provided with information for VDI connection, and can access the VDI created in the user terminal 10 through this.

When the analysis of the analysis target program selected by the user of the user terminal 10 connected to the VDI is completed, the virtual computing environment providing device 1 uses the data generated by the analysis to determine the vulnerabilities of the selected analysis target program. Provides information. At this time, information related to vulnerabilities of the analysis target program may be provided upon request from the administrator terminal 20.

As an embodiment, the virtual computing environment providing device 1 may extract a vulnerability detection pattern of a program to be analyzed using at least one of traffic data recorded on the VDI and user behavior data generated after user analysis is initiated. .

As described above, by configuring the system according to the embodiment of the present invention, it is possible to provide a simulated hacking environment for analyzing security vulnerabilities of programs. In addition, bug bounties can be performed without restrictions on attacks in various OS environments, and overload of running services and information leaks can be prevented.

Figure 2 is a block diagram showing the configuration of an apparatus for providing a virtual computing environment according to an embodiment of the present invention. Referring to FIG. 2, the device 1 for providing a virtual computing environment according to an embodiment of the present invention includes a communication unit 14, a storage unit 15, and a processor 11, and provides a user terminal through the communication unit 14. (10), it can be connected to the administrator terminal 20, and the database server 30.

The communication unit 14 communicates with the user terminal 10, the administrator terminal 20, and the database server 30 using a wired or wireless communication method. The communication unit 14 may communicate using a wired communication method such as Ethernet, or a wireless communication method such as Wi-Fi or Bluetooth. The method by which the communication unit 14 communicates is not limited to this, and communication may be performed using other communication methods.

The storage unit 15 stores information for accessing the VDI created by the virtual computing environment providing device 1. For example, the storage unit 15 may store information such as ID, password, IP, port, and VDI ID assigned to each VDI as information for the created VDI connection.

Additionally, the storage unit 15 stores information about programs to be analyzed that are connected through the VDI created by the virtual computing environment providing device 1. At this time, the information about the analysis target program stored may include at least one of storage information in which the image of the analysis target program is stored, request specifications of the analysis target program, setting information, environment variables, storage volume, and connection information.

The processor 11 includes a VDI creation module 12 and a VDI analysis module 13, and may further include additional modules related to registration and creation of programs to be analyzed.

When a VDI creation request for performing security vulnerability analysis is received from the user terminal 10, the VDI creation module 12 accesses the analysis target program selected by the user of the user terminal 10 from among a plurality of analysis target programs. Create as much VDI as possible. At this time, VDI may be a virtual computing environment for mock hacking of the analysis target program.

As an embodiment, the VDI creation module 12 may generate information for VDI connection, encrypt and store the generated information in the storage unit 15. At this time, information for VDI connection may include an ID, password, IP, port, and VDI ID assigned to each VDI.

As an embodiment, the VDI creation module 12 transmits information for VDI connection to the user terminal 10, and uses the information to connect the user terminal 10 to the VDI when requesting a connection from the user terminal 10 to the VDI. Tunneling between VDIs can be provided.

As an embodiment, the processor 11 registers information about each program to be analyzed, creates the program to be analyzed using the registered information, and provides endpoint information of the generated program to be analyzed. can be provided. Here, the endpoint information may include, for example, URL information that can access the analysis target program, or IP and port information.

Additionally, the information about the program to be analyzed may include at least one of storage information in which the image of the program to be analyzed is stored, request specifications of the program to be analyzed, setting information, environment variables, storage volume, and connection information.

As an embodiment, the VDI creation module 12 may generate a VDI including an image corresponding to the selected analysis target program using information about the registered analysis target program.

As an embodiment, when accessing a program to be analyzed that exists on a restricted network through a VDI, the processor 11 uses information for VDI access and information about the registered program to be analyzed to connect the VDI and the program to be analyzed. A connection can be established between

As another embodiment, when the processor 11 accesses a program to be analyzed created in a virtual computing environment through a VDI, the processor 11 may establish a connection between the VDI and the program to be analyzed using endpoint information of the program to be analyzed. .

In one embodiment, the VDI analysis module 13 collects traffic data recorded on the VDI in providing information related to vulnerabilities of the selected analysis target program, and detects a vulnerability detection pattern of the analysis target program based on the collected traffic data. can be extracted.

In addition, in providing information related to vulnerabilities of the selected analysis target program, the VDI analysis module 13 collects user behavior data generated after the user's analysis is initiated, and analyzes the analysis target program based on the collected user behavior data. Vulnerability detection patterns can be extracted. Here, the user behavior data may include at least one of, for example, information about tools used by the user within the VDI environment for analysis, key logs entered within the VDI environment, file upload information, network connection information, and user authentication information. there is.

As described above, by configuring the virtual computing environment providing device 1 according to an embodiment of the present invention, a simulated hacking environment for analyzing security vulnerabilities of a program can be provided. In addition, it is possible to easily configure multiple programs that are subject to security vulnerability analysis, allowing bug bounties to be performed without restrictions on attacks in various OS environments.

3 and 4 are flowcharts for explaining a method of providing a virtual computing environment according to another embodiment of the present invention.

The method for providing a virtual computing environment according to an embodiment of the present invention may be executed by the computing device 100 shown in FIG. 12, for example, by the virtual computing environment providing device 1. The computing device 100 that executes the method according to this embodiment may be a computing device equipped with an application execution environment. Note that description of the subject performing some operations included in the method according to the embodiment of the present invention may be omitted, and in such case, the subject is the computing device 100.

Referring to FIG. 3, first, in operation S31, when a request for creating a VDI (Virtual Desktop Infrastructure) for performing security vulnerability analysis is received from the user's terminal 10, among a plurality of analysis target programs, the user A VDI accessible to the selected analysis target program is created. Here, VDI can be provided as a virtual computing environment for mock hacking of the program to be analyzed.

As an embodiment, operation S31 includes, for example, an operation of displaying information about a plurality of programs to be analyzed on a bug bounty platform provided online in the form of a web service, and displaying information about a plurality of programs to be analyzed on the bug bounty platform. It may further include receiving the user's selection for at least one of the options.

As an embodiment, operation S31 may include generating information for VDI connection and encrypting and storing the generated information in a database.

As an embodiment, the method transmits information for VDI connection to the user terminal 10, and tunnels between the user terminal 10 and the VDI when the user terminal 10 requests a connection to the VDI using the information. (tunneling) may include operations provided.

As an embodiment, the method includes an operation of registering information about each program to be analyzed, an operation of generating the program to be analyzed using the registered information, and an endpoint of the generated program to be analyzed. It may include actions in which information is provided. Here, the information about the program to be analyzed may include at least one of storage information in which the image of the program to be analyzed is stored, request specifications of the program to be analyzed, setting information, environment variables, storage volume, and connection information.

As an embodiment, operation S31 may include an operation of generating a VDI including an image corresponding to the selected analysis target program using information about the registered analysis target program.

As an embodiment, the method, when accessing a program to be analyzed that exists on a restricted network through a VDI, uses information for VDI access and information about the registered program to be analyzed to connect the VDI to the program to be analyzed. May include actions where a connection is established.

In addition, the method may include, when accessing a program to be analyzed created in a virtual computing environment through a VDI, establishing a connection between the VDI and the program to be analyzed using endpoint information of the program to be analyzed. .

Next, in operation S32, when the analysis of the analysis target program selected by the user accessing the VDI is completed, information related to the vulnerability of the selected analysis target program is provided using the data generated by the analysis.

As an example, referring to FIG. 4, operation S32 may further include operations S321 and S322.

In operation S321, user behavior data generated after analysis of an analysis target program within the VDI environment is initiated by the user is collected. Next, in operation S322, a vulnerability detection pattern of the analysis target program is extracted based on the collected user behavior data. Here, the user behavior data includes, for example, at least one of information about tools used by the user within the VDI environment for analysis, key logs entered within the VDI environment, file upload information, network connection information, and user authentication information. can do.

As an embodiment, operation S32 may include an operation of collecting traffic data recorded on the VDI, and an operation of extracting a vulnerability detection pattern of a program to be analyzed based on the traffic data.

As an example, operation S32 may further include paying the user a fee for analysis of the selected analysis target program. Specifically, for each security vulnerability of the analysis target program discovered through the user's analysis, a predetermined reward, etc. may be provided to the user. The predetermined reward may be determined according to predetermined criteria according to various criteria such as importance, risk, and/or novelty of the security vulnerability. In one embodiment, the bounty, etc. may be paid on the bug bounty platform.

As described above, by the method of providing a virtual computing environment according to an embodiment of the present invention, a mock hacking environment for analyzing security vulnerabilities of programs can be provided, and bug bounties can be performed without restrictions on attacks in various OS environments.

Figure 5 is an example illustrating the entire business process for program vulnerability analysis according to some embodiments of the present invention. Referring to FIG. 5, the virtual computing environment providing device 1 provides the program through the web service 52 of the bug bounty platform accessed by the corporate manager 511, white hacker 512, and platform manager 513. A process for performing security vulnerability analysis can be provided.

When the corporate manager 511 accesses the web service 52 and inputs information to create its program as a virtual service (522), the virtual computing environment providing device 1 creates a VDI for hacking (532) And, white hackers 512 are able to access the program created as a virtual service through the created VDI.

The white hacker 512 accesses the web service 52, searches the list of programs subject to hacking 541, and attempts a hacking attack 543 by accessing the virtual service of the selected program through the corresponding VDI (542). You can. In other words, the white hacker 512's hacking attack is possible only on the corresponding VDI, and access to the corresponding VDI can be made through the web service 52 in a specific browser environment.

As an example, VDI may be provided as an image created by installing tools necessary for hacking on an OS selected by the white hacker 512 among various OSs.

In addition, VDI can record log data generated by a hacking attack by a white hacker (512), and the log data serves as basis for writing and submitting a report on the hacking attack (544) after the hacking attack is successful. can be used

The platform manager 513 may evaluate (551) the report submitted by the white hacker (512) and pay a reward (552). In addition, the platform manager 513 performs VDI logging analysis 553, which analyzes log data generated by a hacking attack through VDI, detects program vulnerability patterns, and uses its own threat intelligence (TI) By building a DB, you can provide differentiated services. Additionally, the platform manager 513 can create and manage programs subject to bug bounties.

Figure 6 is an example illustrating a process for each operation performed by a device according to some embodiments of the present invention. Referring to FIG. 6, the device 1 for providing a virtual computing environment according to an embodiment of the present invention performs a plurality of operations 61, 62, 63, and 64 for analyzing program vulnerabilities in the virtual computing environment.

As an embodiment, the virtual computing environment providing device 1 includes VDI creation and deletion (61), VDI connection (62), program registration and creation (63), program connection in VDI (64), and VDI Operations such as logging analysis (65) can be performed.

Figure 7 is an example illustrating the flow of operations for creating and deleting VDI according to some embodiments of the present invention. Referring to FIG. 7, the device 1 for providing a virtual computing environment according to an embodiment of the present invention may perform an operation 61 of creating or deleting a VDI according to a request from the user terminal 10.

In the illustrated example, when a request for creating a new VDI is received from the user terminal 10, the web service 71 includes information about VDI specifications such as CPU, Memory, Disk, Protocol, etc. to the VDI API 72. Request the creation of a new VDI (S71).

After the VDI API 72 confirms the delivered VDI specifications and assigns the VDI ID and password to create a new VDI (S72), a new IP and port are assigned to the created VDI (S73).

When the VDI is created, the VDI API 72 delivers (S74) information about the VDI created by the web service 71, such as ID, password, IP, port, VDI ID, etc., and the web service 71 delivers. Information about the received VDI is encrypted and stored in the database.

As an embodiment, when a VDI deletion request is received from the user terminal 10, the web service 71 requests the VDI API 72 to delete the VDI including information about the VDI (S711).

After the VDI API 72 confirms the information about the transmitted VDI and completes the deletion of the VDI (S721), the IP and port allocation for the deleted VDI is released (S731).

When deletion of the VDI is completed, the VDI API 72 transmits the deletion status of the VDI to the web service 71 (S741), and the web service 71 deletes information about the deleted VDI from the database.

Figure 8 is an example showing the flow of operations for VDI connection according to some embodiments of the present invention. Referring to FIG. 8, the virtual computing environment providing device 1 according to an embodiment of the present invention provides a remote desktop gateway 81 and a daemon program 82 at the request of the user terminal 10. The operation 62 of connecting to the VDI can be performed.

In the illustrated example, the user of the user terminal 10 requests a connection to the gateway 81 including information about the VDI received through the web service 71, that is, ID, password, IP, Port, Protocol, etc. S81).

At this time, when the connection request is confirmed by the gateway 81, tunneling is established between the user terminal 10 and the gateway 81 (S82), and the gateway 81 provides information about the VDI to the daemon program 82 of the remote desktop. Request a connection including information (S83).

The daemon program 82 creates a new connection ID and connects to the VDI 73 using information about the delivered VDI (S84). When the connection of the VDI 73 is completed, tunneling between the gateway 81 and the daemon program 82 is established (S85).

Accordingly, two-way communication is achieved between the user terminal 10 and the VDI 73 through tunneling between the user terminal 10 and the gateway 81, and between the gateway 81 and the daemon program 82 (S86), and the user A VDI screen may be displayed on the browser of the terminal 10.

Figure 9 is an example showing the flow of operations for registering and creating a program according to some embodiments of the present invention. Referring to FIG. 9, the device 1 for providing a virtual computing environment according to an embodiment of the present invention performs an operation 63 of registering and creating an analysis target program accessible through VDI at the request of the administrator terminal 20. can do.

In the illustrated example, the manager of the manager terminal 20 requests the program API 92 to create a new analysis target program including information on the analysis target program through the web service 71 (S91). At this time, the program to be analyzed may be driven in a plurality of containers, and information of the program to be analyzed may be registered for each container.

As an embodiment, the information on the analysis target program includes information about the repository where the image of the analysis target program is stored, request specifications such as CPU and memory for running the analysis target program, and setting information (Config) of the analysis target program. ), an environment variable (ENV) of the program to be analyzed, a storage volume (Volume) for storing data and files of the program to be analyzed, and internal link information (Link) of the program to be analyzed.

The program API 92 responds to a request to create a new program to be analyzed, downloads the image from the Repository 95 where the image of the program to be analyzed is stored, and uploads the downloaded image to the private repository 93 (S92) ) do.

In addition, when the image is normally uploaded to the private storage 93, the program API 92 requests the creation of an analysis target program 94 driven by a plurality of containers (S93).

When the creation of the analysis target program 94 is completed, endpoint information such as URL, IP, Port, etc. of the analysis target program is provided from the container (S94), and the program API 92 is the endpoint of the analysis target program. The point information is delivered to the web service 71 (S95), and the web service 71 encrypts and stores the received endpoint information in the database.

Accordingly, it is possible to register and create analysis target programs accessible through VDI at the request of the administrator terminal 20.

As an example, the analysis target program may be connected through VDI by registering only information about programs already configured on a limited network. As another embodiment, the analysis target program may be connected through VDI by registering and creating a private program in a virtual computing environment for hacking.

Figure 10 is an example showing the flow of operations for program access in VDI according to some embodiments of the present invention. Referring to FIG. 10, the device 1 for providing a virtual computing environment according to an embodiment of the present invention performs an operation 64 of accessing a program to be analyzed through a VDI generated at the request of the user terminal 10. , can provide a private bug bounty environment.

As an example, a private bug bounty environment can be provided by accessing the analysis target program 94 existing on the restricted network 642 from the VDI 73 implemented in the hacking zone infrastructure 641.

In this case, when the registration of the analysis target program 94 is completed, the program person in charge of managing the restricted network 642 checks the connection information of the VDI 73, performs inbound connection settings, and hacking zone infrastructure ( The hacking zone manager who manages 641) can check the registration information of the analysis target program 94 and perform outbound connection settings.

As another embodiment, a private bug bounty environment can be provided by accessing the analysis target program 94 virtually created within the hacking zone infrastructure 643 from the VDI 73 implemented in the hacking zone infrastructure 643. .

In this case, when the creation of the virtual analysis target program 94 in the hacking zone infrastructure 643 is completed, the VDI 73 and the program ( 94) Inbound and outbound connections can be made between.

According to the above embodiment, a private bug bounty environment can be provided in which security vulnerability analysis can be performed by accessing analysis target programs existing in a limited network environment or created in a virtual computing environment through VDI.

Figure 11 is an example showing the flow of operations for VDI logging analysis according to some embodiments of the present invention. Referring to FIG. 11, the device 1 for providing a virtual computing environment according to an embodiment of the present invention accesses the analysis target program 94 through the VDI 73 and logs it using data generated when performing security vulnerability analysis. (logging) analysis can be performed.

As an example, the virtual computing environment providing device 1 may collect (111) packet or traffic data recorded when accessing the analysis target program 94 in the VDI 73. Additionally, the virtual computing environment providing device 1 may collect user behavior data generated after the user's analysis of the analysis target program begins.

Once the collection of log data 112 including packet or traffic data and user behavior data is completed as described above, the analysis module 114 collects the CVE vulnerability data provided from the outside and the vulnerability data selected by OWASP (The Open Web Application Security Project). Using web vulnerability pattern information, etc. 113, the vulnerability detection pattern of the analysis target program can be detected, and vulnerability rule set information can be generated based on the detected pattern.

In addition, the analysis module 114 compares and verifies the valid report and log data 112 submitted by, for example, a white hacker by analyzing the results of a hacking attack through VDI, and uses its own threat intelligence (TI: threat intelligence) DB. It can be processed into data for construction.

Through this, it is possible to use data stored in the threat intelligence DB to provide new vulnerability patterns and action guide information to personnel at companies that service the program.

12 is a hardware configuration diagram of an example computing device capable of implementing methods according to some embodiments of the present invention. As shown in FIG. 12, the computing device 100 loads one or more processors 101, a bus 107, a network interface 102, and a computer program 105 performed by the processor 101. It may include a memory 103 that stores a computer program 105 and a storage 104 that stores a computer program 105. However, only components related to the embodiment of the present invention are shown in Figure 12. Accordingly, anyone skilled in the art to which the present invention pertains can recognize that other general-purpose components may be included in addition to the components shown in FIG. 12.

The processor 101 controls the overall operation of each component of the computing device 100. The processor 101 is at least one of a Central Processing Unit (CPU), Micro Processor Unit (MPU), Micro Controller Unit (MCU), Graphic Processing Unit (GPU), or any type of processor well known in the art of the present invention. It can be configured to include. Additionally, the processor 101 may perform operations on at least one application or program to execute methods/operations according to various embodiments of the present invention. Computing device 100 may include one or more processors.

The memory 103 stores various data, instructions and/or information. The memory 103 may load one or more programs 105 from the storage 104 to execute methods/operations according to various embodiments of the present invention. For example, when the computer program 105 is loaded into memory 103, logic (or modules) may be implemented on memory 103. An example of the memory 103 may be RAM, but is not limited thereto.

Bus 107 provides communication functionality between components of computing device 100. The bus 107 may be implemented as various types of buses, such as an address bus, a data bus, and a control bus.

The network interface 102 supports wired and wireless Internet communication of the computing device 100. The network interface 102 may support various communication methods other than Internet communication. To this end, the network interface 102 may be configured to include a communication module well known in the art of the present invention.

Storage 104 may non-transitory store one or more computer programs 105. The storage 104 may include non-volatile memory such as flash memory, a hard disk, a removable disk, or any type of computer-readable recording medium well known in the art to which the present invention pertains.

The computer program 105 may include one or more instructions implementing methods/operations according to various embodiments of the present invention. When the computer program 105 is loaded into the memory 103, the processor 101 can perform methods/operations according to various embodiments of the present invention by executing the one or more instructions.

So far, various embodiments of the present invention and effects according to the embodiments have been mentioned with reference to FIGS. 1 to 12. The effects according to the technical idea of the present invention are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the description below.

The technical idea of the present invention described so far can be implemented as computer-readable code on a computer-readable medium. The computer-readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray disk, USB storage device, removable hard disk) or a fixed recording medium (ROM, RAM, computer-equipped hard disk). You can. The computer program recorded on the computer-readable recording medium can be transmitted to another computing device through a network such as the Internet and installed on the other computing device, and thus can be used on the other computing device.

In the above, even though all the components constituting the embodiments of the present invention have been described as being combined or operated in combination, the technical idea of the present invention is not necessarily limited to these embodiments. That is, as long as it is within the scope of the purpose of the present invention, all of the components may be operated by selectively combining one or more of them.

Although operations are shown in the drawings in a specific order, it should not be understood that the operations must be performed in the specific order shown or sequential order or that all illustrated operations must be performed to obtain the desired results. In certain situations, multitasking and parallel processing may be advantageous. Moreover, the separation of the various components in the embodiments described above should not be construed as necessarily requiring such separation, and the program components and systems described may generally be integrated together into a single software product or packaged into multiple software products. You must understand that it exists.

Although embodiments of the present invention have been described above with reference to the attached drawings, those skilled in the art will understand that the present invention can be implemented in other specific forms without changing the technical idea or essential features. I can understand that there is. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive. The scope of protection of the present invention shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be construed as being included in the scope of rights of the technical ideas defined by the present invention.

Claims (20)

In a method performed by a computing device to analyze program vulnerabilities in a virtual computing environment,
When a request for creating a VDI (Virtual Desktop Infrastructure) for performing security vulnerability analysis is received from a user's terminal, creating a VDI accessible to an analysis target program selected by the user among a plurality of analysis target programs; and
When the analysis of the selected program to be analyzed is completed by the user accessing the VDI, providing information related to vulnerabilities of the selected program to be analyzed using the data generated by the analysis.
Method of providing a virtual computing environment. According to claim 1,
The step of creating the VDI is,
Including generating information for the VDI connection, encrypting and storing the generated information in a database,
Method of providing a virtual computing environment. According to paragraph 2,
Transmitting information for the VDI connection to the user terminal, and using the information to provide tunneling between the user terminal and the VDI when requesting a connection from the user terminal to the VDI,
Method of providing a virtual computing environment. According to claim 1,
registering information about each of the analysis target programs;
generating the analysis target program using the registered information; and
Further comprising providing endpoint information of the generated analysis target program,
Method of providing a virtual computing environment. According to clause 4,
Information about the program subject to analysis above,
Containing at least one of storage information where the image of the analysis target program is stored, request specifications of the analysis target program, setting information, environment variables, storage volume, and connection information,
Method of providing a virtual computing environment. According to clause 4,
The step of creating the VDI is,
Comprising the step of generating the VDI including an image corresponding to the selected analysis target program using information about the registered analysis target program,
Method of providing a virtual computing environment. According to clause 4,
When accessing a program to be analyzed that exists on a restricted network through the VDI, establishing a connection between the VDI and the program to be analyzed using information for accessing the VDI and information about the registered program to be analyzed. Containing more,
Method of providing a virtual computing environment. According to clause 4,
When accessing a program to be analyzed created in the virtual computing environment through the VDI, establishing a connection between the VDI and the program to be analyzed using endpoint information of the program to be analyzed, further comprising:
Method of providing a virtual computing environment. According to claim 1,
The step of providing information related to vulnerabilities of the selected analysis target program using the data generated by the analysis,
collecting traffic data recorded on the VDI; and
Comprising the step of extracting a vulnerability detection pattern of the analysis target program based on the traffic data,
Method of providing a virtual computing environment. According to claim 1,
The step of providing information related to vulnerabilities of the selected analysis target program using the data generated by the analysis,
collecting user behavior data generated after the user's analysis is initiated; and
Comprising the step of extracting a vulnerability detection pattern of the analysis target program based on the user behavior data,
Method of providing a virtual computing environment. According to claim 10,
The user behavior data is,
Containing at least one of information about tools used by the user for the analysis, key logs, file upload information, network connection information, and user authentication information,
Method of providing a virtual computing environment. According to claim 1,
The VDI is a virtual computing environment for mock hacking of the analysis target program,
Method of providing a virtual computing environment. According to claim 1,
displaying information about the plurality of programs to be analyzed; and
Further comprising receiving the user's selection of at least one of the plurality of programs to be analyzed,
Method of providing a virtual computing environment. According to claim 1,
Further comprising paying a fee for analysis of the selected analysis target program to the user,
Method of providing a virtual computing environment. A computer program is stored that causes a computer to perform the method of any one of claims 1 to 14,
A non-transitory computer-readable recording medium. In a device for providing a virtual computing environment,
A communication unit that communicates with external devices;
storage unit; and
When a request for creating a VDI (Virtual Desktop Infrastructure) to perform security vulnerability analysis is received from the user's terminal, a VDI creation module that creates a VDI accessible to the analysis target program selected by the user among a plurality of analysis target programs; and
When the analysis of the selected analysis target program is completed by the user accessing the VDI, the VDI analysis module provides information related to vulnerabilities of the selected analysis target program using the data generated by the analysis. Including a processor,
A device that provides a virtual computing environment. According to claim 16,
The VDI creation module is,
Generating information for the VDI connection, encrypting and storing the generated information in a database,
A device that provides a virtual computing environment. According to clause 17,
The VDI creation module is,
Transmitting information for the VDI connection to the user terminal, and using the information to provide tunneling between the user terminal and the VDI when requesting a connection from the user terminal to the VDI,
A device that provides a virtual computing environment. According to claim 16,
The VDI analysis module is,
Collecting traffic data recorded on the VDI and extracting vulnerability detection patterns of the analysis target program based on the traffic data,
A device that provides a virtual computing environment. According to claim 16,
The VDI analysis module is,
Collecting user behavior data generated after the user's analysis is initiated, and extracting vulnerability detection patterns of the analysis target program based on the user behavior data,
A device that provides a virtual computing environment.

Images