KR20220167605A - Security apparatus and method for smartwork environment - Google Patents

Abstract

Provided are a security device and a method for a smart work environment, and a program stored in a computer-readable recording medium to perform the same. The network security device receives a server list including Internet protocol (IP) address information of authenticated servers, determines received packets as normal and abnormal packets by using the server list, receives a terminal list including IP address information, port information, expiration date information and terminal type information of the authenticated terminals, determines the abnormal packets as valid packets and nonvalid packets through a deep packet analysis method by using the terminal list, blocks the nonvalid packets, and transmits the valid packets to a target terminal. Therefore, the present invention is capable of guaranteeing the confidentiality and security of packets transmitted and received between a UC&C system and an Internet network.

Description

A security device for a smart work environment and a program stored in a computer readable recording medium to perform the same {SECURITY APPARATUS AND METHOD FOR SMARTWORK ENVIRONMENT}

The present invention relates to a network security device for a smart work environment, and more specifically, it is located at the junction of a UC&C (Unified communications & Collaboration) system for smart work service and the Internet network, and is located at the interface of the voice, which is the core of work for smart work. It relates to a network security device and method for detecting and blocking violations of protocols used for calls, video calls, chatting, and file sharing, and a computer-readable recording medium for storing them.

As the number of companies implementing the 52-hour work week and the flexible work system due to COVID-19 increases rapidly, the smart work service environment through UC&C (Unified Communications & Collaboration) solutions is increasing. In addition, since smart work services such as telework and remote work are operated in the Internet environment, they are exposed to various Internet network and service security vulnerabilities.

However, currently most smart work service companies rely on the security system of the data firewall, but the IP/Port-based security policy of the data firewall prevents eavesdropping, hacking, and business disruption due to the vulnerability of the protocol used in UC&C. There is a defenseless problem in the attack of the back. In other words, a security solution specialized for UC&C system for smart work service is required.

A technical problem to be solved by the present invention is a UC&C (Unified Communications & Collaboration) system for smart work service and a network security device that detects and blocks violations of protocols for smart work located at the junction of the Internet network and a method, and a computer readable recording medium storing the same.

Another technical problem to be solved by the present invention is to provide a network security device and method using DPI (Deep Packet Inspection) technology and state-based service flow monitoring technology, and a computer-readable recording medium for storing the same are doing

The technical problem to be solved by the present invention is not limited to the above.

A security device for a smart work environment according to an embodiment of the present invention includes one or more processors; and one or more memories storing instructions for causing the one or more processors to perform operations when executed by the one or more processors, wherein the one or more processors include IP (Internet Protocol) address information of authenticated servers. A terminal list that receives a server list, determines normal packets and abnormal packets for received packets using the server list, and includes IP address information, port information, valid period information, and terminal type information of authenticated terminals. may be received, and a valid packet and an invalid packet may be discriminated from the abnormal packet through a deep packet analysis method using the terminal list, the invalid packet may be blocked, and the valid packet may be transmitted to a target terminal.

As an embodiment, the one or more processors update the server list based on the determination result of the normal packet and the abnormal packet, and update the terminal list based on the determination result of the valid packet and the invalid packet. can do.

As an embodiment, the received packet may include at least one of a Session Initiation Protocol (SIP) packet, a Message Session Relay Protocol (MSRP) packet, and a Hypertext Transfer Protocol (HTTP) packet.

As an embodiment, the one or more processors form analysis data based on analysis information in a process of determining the normal packet and the abnormal packet, form statistical data for each predetermined period based on the analysis data, and Learning data may be formed from the analysis data and the statistical data using a learning algorithm, and the server list may be periodically updated using the learning data.

As an embodiment, the one or more processors form analysis data based on analysis information in a process of determining the valid packet and the invalid packet, and form statistical data for each predetermined period based on the analysis data; Learning data may be formed from the analysis data and the statistical data using a machine learning algorithm, and the terminal list may be periodically updated using the learning data.

one or more processors according to an embodiment of the present invention; and one or more memories storing instructions for causing the one or more processors to perform operations when executed by the one or more processors. Receiving a server list including; discriminating between normal packets and abnormal packets with respect to received packets using the server list; Receiving a terminal list including IP address information, port information, valid period information, and terminal type information of authenticated terminals; discriminating valid packets and invalid packets from the abnormal packets using the terminal list through a deep packet analysis method; and blocking the invalid packet and transmitting the valid packet to a target terminal.

one or more processors according to an embodiment of the present invention; And when executed by the one or more processors, a computer program stored in a computer-readable recording medium so as to be executable by a computer including one or more memories in which instructions for causing the one or more processors to perform operations are stored, the IP of the authenticated servers Receiving a server list including (Internet Protocol) address information; discriminating between normal packets and abnormal packets with respect to received packets using the server list; Receiving a terminal list including IP address information, port information, valid period information, and terminal type information of authenticated terminals; discriminating valid packets and invalid packets from the abnormal packets using the terminal list through a deep packet analysis method; and blocking the invalid packets and transmitting the valid packets to a target terminal.

A security device and method for a smart work environment and a computer-readable recording medium storing the same according to an embodiment of the present invention are a server list (white list) based detection method and a terminal list based detection method for network security. can perform detection and blocking functions for abnormal attack messages. Accordingly, confidentiality and security of packets transmitted and received between the UC&C system and the Internet network can be guaranteed, and the UC&C system can be protected from network attacks from the outside.

In addition, the network security apparatus and method according to an embodiment of the present invention may periodically update a security profile based on analysis information in a process of determining normal packets, abnormal packets/valid packets, and invalid packets. In this way, it is possible to minimize the false detection rate according to the discrimination criterion that changes according to the season, time, and weather.

In addition, the network security apparatus and method according to an embodiment of the present invention may perform a function of detecting and blocking invalid packets using DPI technology and state-based service flow monitoring technology. In this way, invalid packets can be detected in various ways, and thus the detection rate for invalid packets can be improved.

1 is an exemplary diagram showing the configuration of a network security environment for a smart work environment according to an embodiment of the present invention.
2 is a conceptual diagram of developing an integrated application security solution according to an embodiment of the present invention.
3 is a conceptual diagram of UC&C protocol vulnerability analysis according to an embodiment of the present invention.
4 is a conceptual diagram of major common technologies for developing security algorithms for each UC&C service according to an embodiment of the present invention.
5 is an exemplary diagram showing the configuration of a network security device according to an embodiment of the present invention.
6 is a conceptual diagram of a packet filtering flow for implementing a security algorithm according to an embodiment of the present invention.
7 is a flowchart of an SIP packet security algorithm according to an embodiment of the present invention.
8 is a flowchart of SIP packet filtering according to an embodiment of the present invention.
9 is a flowchart of an ACL algorithm of a SIP packet according to an embodiment of the present invention.
10 is a flowchart showing a flooding algorithm of SIP packets according to an embodiment of the present invention.
11 is a flowchart showing a call gapping algorithm for SIP packets according to an embodiment of the present invention.
12 is a flowchart showing an SRTP algorithm during SIP processing according to an embodiment of the present invention.
13 is a flowchart showing an MSRP packet security algorithm according to an embodiment of the present invention.
14 is a flow chart showing an MSRP packet filtering flow according to an embodiment of the present invention.
15 is a flowchart showing ACL security of MSRP packets according to an embodiment of the present invention.
16 is a flowchart showing DDoS security of MSRP packets according to an embodiment of the present invention.
17 is a flowchart showing an HTTP packet security algorithm according to an embodiment of the present invention.
18 is a flowchart showing a filtering flow of HTTP packets according to an embodiment of the present invention.
19 is a flowchart showing ACL security of HTTP packets according to an embodiment of the present invention.
20 is a flowchart showing DDoS security of HTTP packets according to an embodiment of the present invention.
21 is a flowchart showing header security of an HTTP packet according to an embodiment of the present invention.
22 is a flowchart from packet reception to transmission according to an embodiment of the present invention.
23 is a flowchart showing ACL security in a packet processing process according to an embodiment of the present invention.
24 is a flowchart showing DDoS security in a packet processing process according to an embodiment of the present invention.
25 is a flowchart showing a forwarding/blocking procedure of a packet processing process according to an embodiment of the present invention.
26 is a block diagram of a UC&C integrated security system according to an embodiment of the present invention.
27 is a conceptual diagram of a UC&C protocol integrated security platform according to an embodiment of the present invention.
28 is a conceptual diagram of a PFM block according to an embodiment of the present invention.
29 is a conceptual diagram of a SIPSB block according to an embodiment of the present invention.
30 is a conceptual diagram of an MSRPSB block according to an embodiment of the present invention.
31 is a conceptual diagram of an HTTPSB block according to an embodiment of the present invention.
32 is an exemplary view of library configuration according to an embodiment of the present invention.
33 is a structural diagram of an Eclipse-based development framework according to an embodiment of the present invention.
34 is a conceptual diagram of spring framework-based development according to an embodiment of the present invention.
35 is an exemplary diagram of a web GUI for administrators according to an embodiment of the present invention.
36 is a configuration diagram of an operation management function for administrators according to an embodiment of the present invention.
37 is a flowchart showing a procedure of a network security method according to an embodiment of the present invention.

이하, 첨부된 도면들을 참조하여 본 발명의 바람직한 실시 예를 상세히 설명할 것이다. 그러나 본 발명의 기술적 사상은 여기서 설명되는 실시 예에 한정되지 않고 다른 형태로 구체화될 수도 있다. 오히려, 여기서 소개되는 실시 예는 개시된 내용이 철저하고 완전해질 수 있도록 그리고 당업자에게 본 발명의 사상이 충분히 전달될 수 있도록 하기 위해 제공되는 것이다.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the technical idea of the present invention is not limited to the embodiments described herein and may be embodied in other forms. Rather, the embodiments introduced herein are provided so that the disclosed content will be thorough and complete, and the spirit of the present invention will be sufficiently conveyed to those skilled in the art.

In this specification, when an element is referred to as being on another element, it means that it may be directly formed on the other element or a third element may be interposed therebetween.

In addition, although terms such as first, second, and third are used to describe various elements in various embodiments of the present specification, these elements should not be limited by these terms. These terms are only used to distinguish one component from another. Therefore, what is referred to as a first element in one embodiment may be referred to as a second element in another embodiment. Each embodiment described and illustrated herein also includes its complementary embodiments. In addition, in this specification, 'and/or' is used to mean including at least one of the elements listed before and after.

In the specification, expressions in the singular number include plural expressions unless the context clearly dictates otherwise. In addition, the terms "comprise" or "having" are intended to designate that the features, numbers, steps, components, or combinations thereof described in the specification exist, but one or more other features, numbers, steps, or components. It should not be construed as excluding the possibility of the presence or addition of elements or combinations thereof.

In addition, in this specification, "connection" is used to mean both indirectly and directly connecting a plurality of components. In addition, "connection" is a concept including physical connection as well as electrical connection.

In addition, in the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted.

A security device for a smart work environment according to an embodiment of the present invention may also be referred to as a network security device.

1 is an exemplary view showing the configuration of a network security environment according to an embodiment of the present invention.

As shown in FIG. 1 , the network security environment 100 may include a protection target area (PA), a security area (SZ), and a service/attack area (SA).

When building Unified Communications & Collaboration (UC&C) for smart work, it may be aimed at developing a software-based Unified Application security solution to protect the UC&C server 110 and services from external attacks.

2 is a conceptual diagram of developing an integrated application security solution according to an embodiment of the present invention.

As shown in FIG. 2, it is possible to analyze security vulnerabilities of UC&C service protocols (SIP, MSRP, HTTP, etc.) and develop optimal security algorithms for each UC&C service. UC&C protocol integrated security platform based on Deep Packet Inspection (DPI) can be developed, and operation management functions for administrators can be developed.

According to an embodiment, it is possible to analyze security vulnerabilities for each service (S210), develop a security algorithm for each service (S220), develop an integrated security platform (S230), and develop an operation management function for an administrator (S240). there is.

In the service-specific security vulnerability analysis step (S210), VoIP (Voice over Internet Protocol) vulnerabilities such as service denial, call eavesdropping, call interception, etc. are analyzed, buffer overflow, replay attack, remote code execution, etc. You can analyze MSRP (Message Session Relay Protocol) vulnerabilities and HTTP (Hypertext Transfer Protocol) vulnerabilities such as abnormal web requests, content tampering, and unauthorized service access.

In the service-specific security algorithm development step (S220), call service security algorithms such as SIP standard security algorithm, SIP flooding security algorithm, and call type security algorithm are developed, MSRP standard security algorithm, MSRP flooding security algorithm, and chat/file session security. Chatting/file service security algorithms such as algorithms can be developed, and bulletin board/notice service security algorithms such as HTTP standard security algorithms, HTTP Flooding security algorithms, and message spam security algorithms can be developed.

In the integrated security platform development step (S230), SIP/RTP security platforms such as SIP/SDP (Session Description Protocol) security platform, RTP (Real-Time Transport Protocol) security platform, SIP session security platform are developed, and MSRP security platform , XML (eXtensible Markup Language) security platform, MSRP session security platform, etc. can be developed, and HTTP security platform, XML security platform, and HTTP session security platform can be developed.

In the operation management function development step for administrators (S240), a security policy setting function, an attack detection/blocking confirmation function, and the like may be developed.

3 is a conceptual diagram of UC&C protocol vulnerability analysis according to an embodiment of the present invention.

As shown in FIG. 3, using a vulnerability analysis tool 310 such as a scanning tool 311, a detection tool 312, an attack tool 313, etc. Vulnerability analysis of the service protocol 320 may be performed.

As a vulnerability analysis tool, Acunetix, Retina CS community, SiVuS (SiP Vulnerability Scanner), SIPP, SIP (VoIP) protocol vulnerability analysis for call service, MSRP vulnerability analysis for chatting and file sharing, bulletin board, HTTP vulnerability analysis for notification service can be used.

Acunetix is open-source software that can help scan websites and web applications, including custom applications for hidden vulnerabilities and security flaws.

The Retina CS community supports vulnerability scans of mobile devices, web applications, virtualized applications, servers, and private clouds, and can investigate vulnerabilities, configuration issues, and missing patches.

SiVuS supports SIP protocol and can support SIP component scanning and vulnerability inspection/attack.

SIPP is a SIP-based traffic generator, and can be mainly used to test the performance of various SIP servers.

In the SIP (VoIP) protocol vulnerability analysis for call service, vulnerabilities such as service denial, call eavesdropping, service misuse, call interception, and Internet phone spam attack can be analyzed.

In MSRP vulnerability analysis for chatting and file sharing, vulnerabilities such as buffer overflow, replay attack, remote code execution, and denial of service attack can be analyzed.

In the HTTP vulnerability analysis for bulletin boards and notice services, vulnerabilities such as abnormal web requests, content tampering, unauthorized service access, continuous authentication attempts, and service denial attacks can be analyzed.

4 is a conceptual diagram of major common technologies for developing security algorithms for each UC&C service according to an embodiment of the present invention.

As shown in FIG. 4, in developing security algorithms for each UC&C service, deep packet analysis technology and state-based service flow monitoring technology can be used.

Deep packet analysis technology analyzes packet protocol headers and payloads in real time, checks packet structure, parameter values, type errors and validity for each protocol, identifies network traffic through service keys, and based on the network address of transmitted and received packets. It manages traffic identification and interworking service entries through hash management, and can monitor transmission and reception packets through protocol DPI map management for each service entry.

The state-based service flow monitoring technology can monitor the service state through the analysis of transmission and reception protocol messages, monitor the state-based service protocol flow, and detect and block abnormal service flows.

5 is an exemplary diagram showing the configuration of a network security device according to an embodiment of the present invention.

As shown in FIG. 5, the network security device 500 may include one or more processors 510, one or more memories 520, and a transceiver 530. As an embodiment, at least one of these components of the network security device 500 may be omitted, or another component may be added to the network security device 500. Additionally, 　 or alternatively, 　 some components may be integrated and implemented, or 　 may be implemented as a singular or plural entity. At least some of the internal and external components of the network security device 500 are system bus, GPIO (general purpose input/output), SPI (serial peripheral interface) or MIPI (mobile industry processor interface) They are connected to each other through, etc., and can send and receive data and/or signals. As an embodiment, the network security device 500 determines normal packets and abnormal packets using machine learning, in particular, a deep reinforcement learning algorithm such as deep learning, and identifies valid packets and abnormal packets among abnormal packets. Invalid packets can be identified.

One or more processors 510 may control at least one component of the network security device 500 connected to the processor 510 by driving software (eg, commands, programs, etc.). In addition, the processor 510 may perform operations such as various calculations, processing, data generation, and processing related to the present invention. In addition, the processor 510 may load data or the like from one or more memories 520 or store data in one or more memories 520 .

One or more processors 510 may receive a server list including IP (Internet Protocol) address information of authenticated servers. According to an embodiment, the server list may be a white list including “IP” address information of “validation verified (certified)” external servers.

One or more processors 510 may determine normal packets and abnormal packets with respect to received packets using the server list. According to an embodiment, the one or more processors 510 determine that the 　IP address information from which the received packet was sent is included in the server list and the packet is determined as a normal packet, and the 　IP address information from which the received packet was sent is the server list. If it is not included in the list, the corresponding packet can be determined as an abnormal packet. For example, the received packet may include at least one of a Session Initiation Protocol (SIP) packet, a Message Session Relay Protocol (MSRP) packet, and a Hypertext Transfer Protocol (HTTP) packet, but is not limited thereto.

One or more processors 510 may receive a terminal list including IP address information, port information, valid period information, and terminal type information of the authenticated terminals. According to an embodiment, the one or more processors 510 may receive a terminal list including IP address information, port information, valid period information, and terminal type information of terminals inside the system including the network security device 500. can For example, the terminal type information may be capability information indicating the type of packets that the terminal can process, such as whether a specific terminal is a terminal capable of receiving only calls or a terminal capable of receiving calls and messages.

One or more processors 510 may determine an abnormal packet into a valid packet and an invalid packet through a deep packet analysis method using the terminal list. According to an embodiment, the one or more processors 510 analyzes abnormal packets through a deep packet analysis method and analyzes the destination information, that is, the packet destination's IP address information, the destination port information, the destination IP address validity period information, and the destination. It is possible to obtain terminal type information, compare destination information with a terminal list, determine valid packets if the destination information is included in the terminal list, and determine invalid packets if destination information is not included in the terminal list. there is.

In addition, the one or more processors 510 periodically/non-periodically update the server list based on the determination result of normal packets and abnormal packets, and periodically/non-periodically update the terminal list based on the determination result of valid packets and invalid packets. It can be updated periodically. In addition, the one or more processors 510 form analysis data based on the analysis information in the process of determining valid packets and invalid packets, form statistical data for each predetermined period based on the analysis data, and use a machine learning algorithm. Learning data may be formed from the analysis data and statistical data using the learning data, and the terminal list may be periodically updated using the learning data.

One or more processors 510 may block “invalid packets” and transmit “valid packets” to the target terminal. According to an embodiment, the one or more processors 510, if determined to be an invalid packet, deletes the corresponding packet and blocks it from being transmitted any further, and if determined to be a valid packet, sends the corresponding packet to the destination's IP address information, destination port Information may be used to transmit to the destination terminal.

One or more memories 520 may store various data. Data stored in the memory 520 is obtained, processed, or used by at least one component of the network security device 500, and may include software (eg, commands, programs, etc.). Memory 520 may include volatile and/or non-volatile memory. In the present invention, a command or a program is software stored in the memory 520, so that an operating system for controlling the resources of the network security device 500, an application and/or an application can utilize the resources of the network security device 500. It may include middleware that provides various functions to applications. According to an embodiment, the one or more memories 520 may store the above-described server list, terminal list, received packets, analysis data, statistical data, learning data, and the like.

In addition, the one or more memories 520 may store instructions that, when executed by the one or more processors 510, cause the one or more processors 510 to perform operations.

According to one embodiment, the network security device 500 may further include a transceiver 530. The transceiver 530 may perform wireless or wired communication between the network security device 500 and/or other devices. For example, the transceiver 530 may be configured to use eMBB (enhanced mobile broadband), URLLC (Ultra Reliable Low-Latency Communications), MMTC (Massive Machine Type Communications), LTE (long-term evolution), LTE-A (LTE Advance), UMTS (Universal Mobile Telecommunications System), GSM (Global System for Mobile communications), CDMA (code division multiple access), WCDMA (wideband CDMA), WiBro (Wireless Broadband), WiFi (wireless fidelity), Bluetooth, NFC ( Near field communication), Global Positioning System (GPS), or Global Navigation Satellite System (GNSS) may perform wireless communication. For example, the transceiver 530 may perform wired communication according to a method such as a universal serial bus (USB), a high definition multimedia interface (HDMI), a recommended standard 232 (RS-232), or a plain old telephone service (POTS). there is.

According to an embodiment, the network security device 500 may be a device of various types. For example, the network security device 500 may be a portable communication device, a computer device, or a device according to one or more combinations of the foregoing devices. The network security device 500 of the present invention is not limited to the above devices.

Various embodiments of the network security device 500 according to the present invention may be combined with each other. Each embodiment may be combined according to the number of cases, and the embodiment of the network security device 500 made in combination also belongs to the scope of the present invention. In addition, internal/external components of the network security device 500 according to the present invention described above may be added, changed, replaced, or deleted according to embodiments. In addition, internal/external components of the aforementioned network security device 500 may be implemented as hardware components.

6 is a conceptual diagram of a packet filtering flow for implementing a security algorithm according to an embodiment of the present invention.

As shown in FIG. 6, the network security device 500 may use a deep packet analysis (DPI) method to implement a security algorithm. To this end, a Service Access Filtering Engine, a Service Flooding Filtering Engine, a Protocol Anomaly Filtering Engine, a Signature Matching Engine, and a Policy Filtering Engine are used. Filtering Engine), 　Contents Filtering Engine, 　Session Filtering Engine, 　Service Flow Filtering Engine, and the like can be used. By using the engines described above, received packets can be filtered to generate an alarm when an abnormal situation is detected, record information about the abnormal situation (History), and form statistical information (Statistics).

7 is a flowchart of a security algorithm for a "SIP" packet according to an embodiment of the present invention.

As shown in FIG. 7, when the network security device 500 receives the SIP packet (SP), the ACL (Access Control List), DoS (Denial of Service)/DDoS (Distributed Denial of Service), SIP (Session Initiation Protocol) ), RTP (Real-time Transport Protocol), and VoIP (Voice over Internet Protocol) are sequentially used to verify packets, and if any one of them fails to pass verification, the corresponding packet is blocked. is transmitted to the destination only.

8 is a flowchart of filtering a “SIP” packet according to an embodiment of the present invention.

As shown in FIG. 8, the network security device 500 may develop an "ACL" algorithm for the "IP/port" of the authenticated server/terminal. The ACL of the authenticated server is set in advance by the administrator using the IP address and port, and the ACL of the authenticated terminal through the SIP REGISTER Transaction is the phone number, IP address information, port information, expiration date information, It may be composed of terminal type information and the like.

9 is a flowchart of an “ACL” algorithm of a “SIP” packet according to an embodiment of the present invention.

As shown in FIG. 9, the network security device 500 analyzes the message in the dynamic ACL 　 control process of the SIP 　 message (packet) process, and searches the server list through the 　 IP address from which the 　 message was received. you can check If the “IP” address that received the message is in the server list, the “SIP” message can be passed because it is an authenticated server. If the “IP” address that received the message is not in the server list, the terminal list is checked using the phone number in the message. If the “phone number” is not in the terminal list, the message is discarded. It can be compared with IP/address information/port information.

10 is a flowchart showing a flooding algorithm of SIP packets according to an embodiment of the present invention.

As shown in FIG. 10, the network security device 500 can detect and block an attack through a Flooding Security Policy set for each message type (Method) during the SIP message processing process. According to one embodiment, the network security device 500 counts each SIP message type every second, and drops the corresponding message for a period within 1 second if it is higher than a set value (eg, 50, 100, 1000, etc.) Drop) can be done.

The network security device 500 may apply security algorithms for SIP standards and various VoIP attacks. According to an embodiment, the network security device 500 may detect and block a SIP call gapping attack through the maximum number of hand signals set for a specific received number during the SIP message processing process. For example, the network security device 500 searches for a Call Gapping hash through the received SIP message, adds it to the hash if it is not present, and checks whether it is in a Drop state if present. If it is not in the drop state, the selected condition can be checked. The network security device 500 may change the status to Drop when the Call Gapping max value is reached, and start a Drop Timer for a set time.

11 is a flowchart showing a call gapping algorithm for SIP packets according to an embodiment of the present invention.

As shown in FIG. 11, the network security device 500 may set a Secure-RTP (SRTP) security algorithm for eavesdropping prevention. According to an embodiment, the network security device 500 may prevent eavesdropping through SRTP security settings set for a specific service area during a SIP message processing process. For example, the network security device 500 may determine four media relay methods according to media capabilities negotiated through SDP (Session Description Protocol) parsing and SDP Offer and Answer processes in the received SIP message. Negotiated media relaying methods include bypassing RTP as it is, encrypting RTP to SRTP, decrypting SRTP and forwarding it to RTP, bypassing SRTP, and encrypting/decrypting SRTP.

12 is a flowchart showing an SRTP algorithm during SIP processing according to an embodiment of the present invention.

As shown in FIG. 12, the network security device 500 may configure a VoIP service configuration and set a security algorithm for each type. According to an embodiment, the network security device 500 may detect and block VoIP service attacks using VoIP service configurations such as TRUNK and REALM and security policies set for each VoIP service type such as incoming call and international call.

13 is a flow chart showing an MSRP packet security algorithm according to an embodiment of the present invention, and FIG. 14 is a flow chart showing an MSRP packet filtering flow according to an embodiment of the present invention.

The network security device 500 may set the MSRP ACL algorithm received from the registered terminal IP address and port. According to an embodiment, the ACL list of the terminal registered through the terminal provisioning process may include phone number and IP address information, port information, valid period information, terminal type information, and the like. For example, the network security device 500 may check the server list through the IP address from which the message was received through message analysis in the ACL Control process of the MSRP message processing process. If the IP address where the message was received is in the server list, it can be passed because it is an authenticated server. IP address information and port information can be compared with IP address information and port information of the corresponding terminal list.

15 is a flowchart showing ACL security of MSRP packets according to an embodiment of the present invention.

As shown in Figure 15, the network security device 500 may set the MSRP security algorithm for DoS / DDoS attack detection and blocking. According to an embodiment, the network security device 500 may detect and block attacks through Flooding Security Policy set for each system/device/IP during MSRP message processing. The network security device 500 counts each MSRP message for each check time, and if it is higher than a preset value (eg, 10, 100, 1000, etc.), the message can be dropped during the period within the check time.

16 is a flowchart showing DDoS security of MSRP packets according to an embodiment of the present invention.

As shown in FIG. 16, the network security device 500 may set MSRP standards and security algorithms for various chat/file service attacks. According to one embodiment, the network security device 500 may perform attack detection and blocking when the message parsing process does not conform to the MSRP standard during the MSRP message processing process. In addition, the network security device 500 may detect and block chatting/file service attacks using a security policy set based on chatting or file service settings and terminal registration information and capabilities.

The network security device 500 may set a spam security algorithm based on non-standard XML and prohibited words. According to one embodiment, in the process of processing an MSRP message, if the XML parsing process, which is the content of the MSRP, does not conform to the standard, attack detection and blocking may be performed. In addition, the network security device 500 may detect and block chat spam attacks using prohibited words registered in the security policy.

The network security device 500 may set a security algorithm for each MSRP Session service configuration and type. According to an embodiment, the network security device 500 can detect and block MSRP service attacks using MSRP service configurations and security policies set for each MSRP service type, such as file transfer, file sharing, and chatting.

17 is a flow chart showing an HTTP packet security algorithm according to an embodiment of the present invention, and FIG. 18 is a flow chart showing a filtering flow of HTTP packets according to an embodiment of the present invention.

The network security device 500 may set bulletin board (notice)/profile/file download service security algorithms.

19 is a flowchart showing ACL security of HTTP packets according to an embodiment of the present invention.

As shown in FIG. 19, the network security device 500 may set the HTTP ACL algorithm received from the authentication server and terminal IP address information and port information. According to an embodiment, the white list of terminals registered through the terminal provisioning process may include phone number information, IP address information, port information, valid period information, terminal type information, and the like.

20 is a flowchart showing DDoS security of HTTP packets according to an embodiment of the present invention.

As shown in FIG. 20, the network security device 500 may set an HTTP security algorithm to detect and block DoS/DDoS attacks. According to an embodiment, the network security device 500 may detect and block an attack through a Flooding Security Policy set for each system/device during HTTP message processing. The network security device 500 counts each HTTP message for each check time, and if it is higher than a preset value (eg, 10, 100, 1000, etc.), the corresponding message can be dropped during the period within the check time.

21 is a flowchart showing header security of an HTTP packet according to an embodiment of the present invention.

As shown in FIG. 21, the network security device 500 may set a spam message security algorithm based on non-standard XML and prohibited words. According to an embodiment, the network security device 500 may detect and block an attack when it does not conform to a standard in the process of parsing XML, which is content of HTTP, during the process of processing an HTTP message. In addition, the network security device 500 may detect and block spam attacks using prohibited words registered in the security policy.

The network security device 500 may configure HTTP session service configuration and set security algorithms for each type. According to an embodiment, the network security device 500 may detect and block HTTP service attacks by using HTTP service configuration and security policies set for each HTTP service type, such as bulletin board, notice, and file download.

22 is a flowchart from packet reception to transmission according to an embodiment of the present invention.

As shown in FIG. 22, the network security device 500 may set a system kernel layer security algorithm. According to an embodiment, the network security device 500 may set transmission IP address information of the received packet, port information, and protocol-based kernel level filtering algorithm. The white list registered through the provisioning process of the terminal and the SIP register process may include remote IP address information, port information, local IP address information, port information, protocol information, and the like.

23 is a flowchart showing ACL security in a packet processing process according to an embodiment of the present invention.

As shown in FIG. 23, the network security device 500 checks remote IP address information and port information through packet analysis in the ACL Control process of the packet processing process received in the kernel layer and through the IP address that received the packet. can do. If the remote IP address information and port information are not on the white list, received packets are blocked. If they are on the white list, protocols can be compared and compared with remote IP address information and port information.

24 is a flowchart showing DDoS security in a packet processing process according to an embodiment of the present invention.

As shown in FIG. 24, the network security device 500 may set a security algorithm for detecting and blocking DoS/DDoS attacks. According to an embodiment, the network security device 500 may detect and block an attack through a Flooding Security Policy set for each system/service while processing a received packet in a kernel layer. The network security device 500 counts each packet for every check time, and if it is higher than a preset value (eg, 100, 200, 300, etc.), the corresponding message may be dropped during the check time period.

25 is a flowchart showing a forwarding/blocking procedure of a packet processing process according to an embodiment of the present invention.

As shown in FIG. 25, the network security device 500 may classify by service protocol (SIP, MSRP, HTTP) and then set an upper delivery function. According to an embodiment, the network security device 500 may analyze the received packets, classify them according to SIP, MSRP, and HTTP protocols, and then transfer them to a processing process for each protocol.

The network security device 500 may set a function of storing packets in a queue until a packet processing (forward/drop) decision is made. According to an embodiment, the network security device 500 copies the received packet and forwards it to an upper process, stores the original packet in a packet queue, and then refers to the queue when the upper process receives a processing result.

The network security device 500 may set an algorithm for determining packet processing (forward/drop) through a security policy for each service. According to an embodiment, the network security device 500 transfers the processing result of each packet to the PFM module in the kernel using the Service Security Policy set for each service type in the SIP, MSRP, and HTTP protocol packet processing processes, It can be used to determine the processing (forwarding/blocking) of the corresponding packet.

26 is a block diagram of a UC&C integrated security system according to an embodiment of the present invention.

As shown in FIG. 26, the network security device 500 includes a web server, a database, a security block, and a character device driver of the application layer, and a kernel It can contain the Linux kernel of the layer.

According to an embodiment, a Packet Filter Module (PFM) is a kernel module and may perform ACL flooding filtering and packet queuing.

According to an embodiment, IPC is a kernel module of middleware and can perform inter-block communication.

According to an embodiment, a Module Communicate Block (MCB) may transmit setting information and receive statistical/alarm information and store them in a database in conjunction with PFM.

According to one embodiment, the SIP Security Block (SIPSB) is a SIP packet filtering block, the MSRPSB (MSRP Security Block) is an MSRP packet filtering block, and the HTTPSB ((HTTP Security Block) is an HTTP packet filtering block.

According to an embodiment, a data management block (DMB) may create periodic statistics and perform history management.

According to one embodiment, a process management block (PMB) may monitor and start a process.

According to one embodiment, the web server is an operation management web server for administrators, and a DBMS (MariaDB) may store various data.

27 is a conceptual diagram of a UC&C protocol integrated security platform according to an embodiment of the present invention, and FIG. 28 is a conceptual diagram of a PFM block according to an embodiment of the present invention.

The network security device 500 may set packet reception and forwarding functions, access control functions through ACL, and DDoS attack detection and blocking functions such as TCP SYN, ICMP, and PING. According to an embodiment, the network security device 500 may set a flooding detection and blocking function for packet processing capacity of the entire system and a packet separation processing function for each protocol.

29 is a conceptual diagram of a SIPSB block according to an embodiment of the present invention.

As shown in FIG. 29 , the network security device 500 may set up a SIP security platform for SIP standard message processing and an SDP security platform for SDP/RTP standard message processing. According to an embodiment, the network security device 500 may set a session security platform for call management and a VoIP service security platform for various call services.

30 is a conceptual diagram of an MSRPSB block according to an embodiment of the present invention.

As shown in Figure 30, the network security device 500 may set the MSRP security platform for MSRP standard message processing, and set the MSRP session security platform for session management. According to one embodiment, the network security device 500 may set an XML security platform for XML content processing, and set an MSRP Service security platform for various chatting and file sharing services.

31 is a conceptual diagram of an HTTPSB block according to an embodiment of the present invention.

As shown in FIG. 31, the network security device 500 may configure an HTTP security platform for HTTP standard message processing and an HTTP session security platform for HTTP session management. According to an embodiment, the network security device 500 may set an XML security platform for XML content processing and an HTTP Service security platform for services such as various bulletin board notices.

The network security device 500 may set a management platform, and may set an IPC and management platform for interworking between blocks, and a Config function for setting systems, services, and security policies. According to an embodiment, the network security device 500 may set a report function for managing and storing alarms, history, and statistics, and set a DBMS management function for storing settings, subscribers, alarms, and statistics.

32 is an exemplary view of library configuration according to an embodiment of the present invention.

As shown in FIG. 32, the network security device 500 may define a development environment and framework structure to develop an operation management function for administrators. According to one embodiment, the network security device 500 may set a web application using an open source-based library.

33 is a structural diagram of an Eclipse-based development framework according to an embodiment of the present invention.

As shown in FIG. 33, the network security device 500 can design/develop and test in a local development environment using Eclipse, a web application development tool, set an actual service environment in the development server, and then proceed with testing and development.

34 is a conceptual diagram of spring framework-based development according to an embodiment of the present invention.

As shown in FIG. 34 , the network security device 500 may configure a processing flow for each web application layer based on the Spring framework, and may divide development targets, configuration targets, and spring parts for each layer.

35 is an exemplary diagram of a web GUI for administrators according to an embodiment of the present invention.

As shown in FIG. 35, the network security device 500 may configure a web GUI for administrators in order to configure management functions for administrators.

36 is a configuration diagram of an operation management function for administrators according to an embodiment of the present invention.

As shown in FIG. 36, the network security device 500 can be configured to implement a Dashboard function as an operation management function for administrators. According to an embodiment, the Dashboard function may include a function of checking SIP, RTP, MSRP, HTTP session information, a function of checking system resources, attack detection alarm information, statistics, alarms, and a real-time chart function of session information. there is.

In addition, the network security device 500 can be configured to implement a security function as an operation management function for administrators. According to an embodiment, the security function may include an ACL policy management function for each IP, port, and protocol, a DoS/DDoS policy management function for each protocol, and a security policy management function for each service.

In addition, the network security device 500 can be set to implement a report function. According to an embodiment, the report function may include a service, alarm statistics information search and management function, service, alarm history information search and management function, statistics, history information file output function, and the like.

In addition, the network security device 500 can be configured to implement a configuration function. According to an embodiment, the configuration function may include a setting and management function for each service, administrator information, a history management function, a system setting and management function, a DB data, log file backup management function, and the like.

The technical development goals and contents of the host organization of the present invention include analyzing security vulnerabilities of UC&C service protocols (SIP, MSRP, HTTP, etc.), developing optimal security algorithms for each UC&C service, and developing a DPI-based UC&C protocol integrated security platform. development and production of Unified Application security solution prototypes for UC&C services.

As a method for analyzing UC&C service protocol security vulnerabilities, vulnerabilities of SIP (VoIP) for call services are analyzed, vulnerabilities of MSRP (Message Session Relay Protocol) are analyzed for chatting and file sharing, and HTTP for bulletin boards and notice services are analyzed. vulnerabilities can be analyzed.

As a method for developing optimal security algorithms for each UC&C service, Internet phone security algorithms are developed, chat and file (photo) service security algorithms are developed, bulletin board (notice)/profile/file download service security algorithms are developed, Develop system kernel layer security algorithms

As a DPI-based UC&C protocol integrated security platform development method, kernel security platform (Packet Filter Module) development, SIP Security platform development, MSRP Security platform development, HTTP Security platform development, Management platform development can

As a method for producing a prototype of the Unified Application security solution for UC&C service, the operation management function for administrators of the participating organizations and matching and testing are performed, the Unified Application security solution function for UC&C service is tested, and the Unified Application security solution prototype for UC&C service is tested. can be produced

As for the technology development goals and contents of the participating organizations of the present invention, it is possible to develop operation management functions for administrators and produce prototypes of Unified Application security solutions for UC&C services.

As a method of developing operation management functions for administrators, Dashboard functions can be developed, Security functions can be developed, Report functions can be developed, and Configuration functions can be developed.

As a method of producing a prototype of the Unified Application security solution for UC&C service, it is necessary to perform matching and testing with the host organization's UC&C protocol integrated security platform, test the function of the Unified Application security solution for UC&C service, and test the Unified Application security solution prototype for UC&C service. can be produced

37 is a flowchart showing a procedure of a network security method according to an embodiment of the present invention. Although process steps, method steps, algorithms, etc. are described in a sequential order in the flowchart of FIG. 37, such processes, methods, and algorithms may be configured to operate in any suitable order. In other words, the steps of the processes, methods and algorithms described in the various embodiments of the invention need not be performed in the order described herein. Also, although some steps are described as being performed asynchronously, in other embodiments some of these steps may be performed concurrently. Further, illustration of a process by depiction in the drawings does not mean that the illustrated process is exclusive of other changes and modifications thereto, and that any of the illustrated process or steps thereof may be one of various embodiments of the present invention. It is not meant to be essential to one or more, and it does not imply that the illustrated process is preferred.

As shown in Fig. 37, in step S3710, a server list is received. For example, referring to FIGS. 1 to 36 , one or more processors 510 of the network security device 500 store a server list including IP address information of authenticated servers in one or more memory according to a request of a manager or the like. (520).

In step S3720, normal packets and abnormal packets are discriminated. For example, referring to FIGS. 1 to 36, one or more processors 510 of the network security device 500 use the server list received in step S3710 to normalize packets received by the transceiver 530. Packets and abnormal packets can be identified. According to an embodiment, the network security device 500 uses IP address information of received packets to determine if the IP address is included in the server list as a normal packet, and if the server list does not include the IP address. It can be determined as an abnormal packet.

In step S3730, a terminal list is received. For example, referring to FIGS. 1 to 36, one or more processors 510 of the network security device 500, according to a request from an administrator or the like, IP address information, port information, valid period information and terminals of authenticated terminals. A list of terminals including type information of may be received from one or more memories 520 .

In step S3740, valid packets and invalid packets are discriminated. For example, referring to FIGS. 1 to 36, one or more processors 510 of the network security device 500 use the terminal list received in step S3730 for packets determined as abnormal packets in step S3720. A valid packet and an invalid packet can be determined through the deep packet analysis method.

In step S3750, invalid packets are blocked, and valid packets are transmitted to the target terminal. For example, referring to FIGS. 1 to 36, one or more processors 510 of the network security device 500 blocks packets determined to be invalid packets in step S3740, and determines valid packets in step S3740. Packets may be transmitted to a target terminal using IP address information and port information included in the packet.

Various embodiments of the present invention may be implemented as software in a machine-readable storage medium. The software may be software for implementing various embodiments of the present invention. Software can be inferred from various embodiments of the present invention by programmers skilled in the art. For example, software may be a program containing machine-readable instructions (eg, code or code segments). A device is a device capable of operating according to a command called from a storage medium, and may be, for example, a computer. As an embodiment, the device may be a network security device 500 according to embodiments of the present invention. As an example, a processor of a device may execute a called command to cause components of the device to perform a function corresponding to the command. As an example, the processor may be one or more processors 510 according to embodiments of the invention. The storage medium may mean any type of recording medium in which data that can be read by a device is stored. The storage medium may include, for example, ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like. As an example, the storage medium may be one or more memories 124 . As an example, the storage medium may be implemented in a distributed form such as a computer system connected through a network. The software may be distributed, stored, and executed on a computer system or the like. The storage medium may be a non-transitory storage medium. A non-transitory storage medium refers to a tangible medium regardless of whether data is stored semi-permanently or temporarily, and does not include a signal propagated temporarily.

In the above, the present invention has been described in detail using preferred embodiments, but the scope of the present invention is not limited to specific embodiments, and should be interpreted according to the appended claims. In addition, those skilled in the art should understand that many modifications and variations are possible without departing from the scope of the present invention.

100: network security environment 110: UC&C server
310: analysis tool 311: scanning tool
312: detection tool 313: attack tool
320: service protocol 321: VoIP
322: HTTP 323: MSRP
500: network security device 510: processor
520: memory 530: transceiver
PA: Area to be protected SZ: Security area
SA: service/attack area SP: SIP packets

Claims (7)

In the network security device,
one or more processors; and
one or more memories storing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations;
The one or more processors,
Receiving a server list including IP (Internet Protocol) address information of authenticated servers;
Using the server list, a normal packet and an abnormal packet are discriminated for received packets;
Receiving a terminal list including IP address information, port information, valid period information, and terminal type information of authenticated terminals;
Using the terminal list, the abnormal packet is determined as a valid packet and an invalid packet through a deep packet analysis method;
Blocking the invalid packet and transmitting the valid packet to a target terminal;
Security device for smart work environment.
According to claim 1,
The one or more processors,
Updating the server list based on the determination result of the normal packet and the abnormal packet, and updating the terminal list based on the determination result of the valid packet and the invalid packet.
Security device for smart work environment.
According to claim 1,
The received packet is
Including at least one packet of a Session Initiation Protocol (SIP) packet, a Message Session Relay Protocol (MSRP) packet, and a Hypertext Transfer Protocol (HTTP) packet,
Security device for smart work environment.
According to claim 1,
The one or more processors,
Forming analysis data based on analysis information in a process of determining the normal packet and the abnormal packet;
Forming statistical data for each predetermined period based on the analysis data;
Forming learning data from the analysis data and the statistical data using a machine learning algorithm,
Periodically updating the server list using the learning data,
Security device for smart work environment.
According to claim 1,
The one or more processors,
Forming analysis data based on analysis information in a process of determining the valid packet and the invalid packet;
Forming statistical data for each predetermined period based on the analysis data;
Forming learning data from the analysis data and the statistical data using a machine learning algorithm,
Periodically updating the terminal list using the learning data,
Security device for smart work environment.
one or more processors; and
As a network security method using a network security device including one or more memories storing instructions for causing the one or more processors to perform operations when executed by the one or more processors,
Receiving a server list including IP (Internet Protocol) address information of authenticated servers;
discriminating between normal packets and abnormal packets with respect to received packets using the server list;
Receiving a terminal list including IP address information, port information, valid period information, and terminal type information of authenticated terminals;
discriminating valid packets and invalid packets from the abnormal packets using the terminal list through a deep packet analysis method; and
Blocking the invalid packet and transmitting the valid packet to a target terminal,
Security method for smart work environment.
one or more processors; And a computer program stored in a computer-readable recording medium so as to be executable by a computer including one or more memories in which instructions for causing the one or more processors to perform operations when executed by the one or more processors are stored,
Receiving a server list including IP (Internet Protocol) address information of authenticated servers;
discriminating between normal packets and abnormal packets with respect to received packets using the server list;
Receiving a terminal list including IP address information, port information, valid period information, and terminal type information of authenticated terminals;
discriminating valid packets and invalid packets from the abnormal packets using the terminal list through a deep packet analysis method; and
A computer program for a smart work environment stored in a computer-readable recording medium to perform the step of blocking the invalid packet and transmitting the valid packet to the target terminal.

Images