KR20230019664A - Method and system for preventing network pharming using big data and artificial intelligence - Google Patents

Abstract

The present invention relates to an artificial intelligence type network pharming blocking method using big data and a system thereof. The artificial intelligence type network pharming blocking method comprises the following steps of: storing an IP address to be blocked; detecting input of a domain name for website access from a terminal of a user through an Internet network; extracting a host file associated with the domain name from the terminal of the user; comparing an IP address corresponding to the host file with the IP address to be blocked; blocking access to the IP address corresponding to the host file when the IP address corresponding to the host file is the same as the IP address to be blocked; transmitting a DNS query packet associated with the domain name to a security DNS server when the IP address corresponding to the host file is not the same as the IP address to be blocked; receiving a website IP address from the security DNS server; comparing the IP address corresponding to the host file extracted from the user terminal with the IP address received from the security DNS server; comparing pre-stored website page content with website page content accessed by the host file when the website IP address received from the security DNS server and the IP address included in the host file are different; allowing access to a website accessed by the host file when the pre-stored website page content and the website page content accessed by the host file are the same; and blocking access to the website accessed by the host file when the pre-stored website page content is different from the website page content accessed by the host file. Therefore, the present invention can reliably prevent network pharming attacks by hackers.

Description

Artificial intelligence network farming blocking method and system using big data {METHOD AND SYSTEM FOR PREVENTING NETWORK PHARMING USING BIG DATA AND ARTIFICIAL INTELLIGENCE}

The present invention relates to a method and system for blocking artificial intelligence network pharming using big data. When used, the present invention relates to an artificial intelligence network pharming blocking method and system using big data that can clearly distinguish domain name server change from network pharming and enhances the accuracy and efficiency of server monitoring.

Due to the convenience of the Internet, the Internet is utilized in all areas of daily life, from economic activities of individuals and companies to simple business processes such as e-mail and file transfer, as well as e-payment, corporate advertising through web servers, and e-commerce. It is becoming.

As the use of the Internet is generalized, various attacks to steal user's personal information and the like are prevalent on the Internet.

An attack on such an Internet network may include, for example, a pharming attack.

When Internet users connect to a specific website, they can access it by entering the domain name instead of the IP address of the website. DNS (domain name server or domain name system, hereinafter DNS) is a A system that converts IP addresses into IP addresses.

However, when a terminal such as a computer converts a domain name into an IP address, it does not search DNS from the beginning, but first refers to a host file inside the computer.

In general, a host file exists in the computer used by users, and this file corresponds to a file that matches IP addresses and domain names.

So, once you find the domain name you want in your hosts file, you no longer ask DNS for an IP address.

1 illustrates a process in which a terminal 100 such as a computer or smart phone accesses a corresponding website 150 through a hosts file in its own device or a hosts file stored in the router 110.

When a user enters a domain name of a specific website, if there is a matching domain name and IP address in a host file (not shown) pre-stored in the terminal 100 or router 110, the terminal 100 sends the DNS server ( 120) is not called, but the website 150 is accessed with the IP address directly found in the hosts file.

The aforementioned pharming attack is an example of exploiting the characteristics of the host file.

That is, when the host file of the user terminal is tampered with due to direct hacking by a hacker or infection with a malicious code, the fake site address intended by the hacker is recorded in the host file.

Therefore, even if the user tries to connect to the Internet by inputting the correct domain address, the terminal refers to the host file and moves to the fake site address, and shows the fake site to the user.

Accordingly, a user may leak personal information by accessing a fake site.

Meanwhile, when the domain name entered by the users is not in the host file, the terminal inquires the DNS server 120 for the IP address corresponding to the domain name to be accessed, as shown in (b) of FIG. DNS query: DNS query)

In this case, the DNS server 120 transmits the corresponding IP address to the user's terminal 100, and the terminal 100 accesses the corresponding website 150 using the received IP address.

However, the pharming attack may induce the terminal 100 to access a website with an incorrect IP address by sending a DNS response packet to the user terminal 100, which is an attack target, faster than the actual DNS server 120.

For example, if it is confirmed that the user sends a DNS Query packet to the DNS server 120 through the terminal 100, the hacker sends a forged DNS Response packet to the user before the DNS server 120 sends the correct DNS Response packet. can send.

At this time, the user's terminal 100 recognizes the DNS response packet sent by the hacker as a correct packet and accesses the website. In this case, the site accessed by the user is not a normal site but a fake site created by the hacker.

However, when the capacity of a website is large, a very large number of DNS servers are used to maintain it, and cloud servers in a rental form are widely used due to the problem of facility cost.

In the case of a cloud server, the DNS server is frequently changed after a certain period of use, and the use of a new DNS server by such change must be distinguished from access to fake sites caused by pharming.

An object of the present invention is to provide an artificial intelligence network pharming blocking method and system using big data configured to reliably prevent network pharming using big data and artificial intelligence technology.

Another object of the present invention is to provide an artificial intelligence network pharming blocking method and system using big data configured to clearly distinguish DNS server change from network pharming when a plurality of DNS servers are used in a website.

Another object of the present invention is to provide an artificial intelligence network pharming blocking method and system using big data configured to increase the accuracy and efficiency of DNS server monitoring.

In order to achieve the above object, an artificial intelligence network farming blocking method using big data according to the present invention includes the steps of storing an IP address to be blocked, and inputting a domain name for website access from a user's terminal through an Internet network. Detecting, extracting a host file associated with the domain name from the user's terminal, comparing the IP address corresponding to the host file with an IP address to be blocked, and the IP address corresponding to the host file Blocking access to the IP address corresponding to the host file if is the same as the IP address to be blocked; and DNS query associated with the domain name if the IP address corresponding to the host file is not identical to the IP address to be blocked. The step of transmitting the packet to the secure DNS server, the step of receiving the website IP address from the secure DNS server, the IP address corresponding to the host file extracted from the user terminal and the IP address received from the secure DNS server In the step of comparing, if the website IP address received from the secure DNS server and the IP address included in the host file are different, the website page content stored in advance and the website page content accessed by the host file are compared. and, if the contents of the previously stored website page and the contents of the website page accessed by the host file are the same, allowing access to the website accessed by the host file; and blocking access to the website accessed by the host file if the content of the website page accessed by the host file is different, wherein the pre-stored website page content is different from two different first website pages. A second website page, wherein the second website page is configured to be accessed by a domain name downstream of a domain name displaying the first website page, and the number of access traffic of the second website page isIt is characterized in that the ratio of the first website page to the number of access traffic is composed of a website page with the smallest.

Preferably, the step of receiving the server identification information of the website accessed by the host file, and if the server identification information is pre-stored fixed server identification information, determines that the server is a secure DNS server.

In addition, if the server identification information is non-fixed server identification information, it may be configured to determine as a non-secure DNS server.

In addition, the first website page content is divided and corresponded by a plurality of DNS servers, and if the server identification information of the plurality of DNS servers is pre-stored fixed server identification information, the website access accessed by the host file It can be configured to allow

Meanwhile, when server identification information of the plurality of DNS servers includes both fixed server identification information and non-fixed server identification information, access to a website accessed by the host file may be blocked.

In addition, when the server identification information of the plurality of DNS servers is configured differently in a predetermined ratio, access to a website accessed by the host file may be blocked.

And, it may be configured to check whether the first website page and the second website page of the secure DNS server are identical at predetermined intervals.

Preferably, the predetermined period is set differently according to the server identification information.

Here, the predetermined period may be configured to vary according to the size of access traffic to the first website page.

In addition, when the server identification information includes non-fixed server identification information, it may be configured to receive information about a period of use of the non-fixed server identification information.

On the other hand, the artificial intelligence network farming blocking system using big data according to the present invention includes a domain name detection module for detecting a domain name input from a user's terminal, and a host file associated with the domain name input from the user terminal. A host file extraction module extracting from the terminal, a secure DNS server management module transmitting and receiving DNS query packets associated with the domain name to the DNS server, and receiving the IP address included in the host file extracted from the user terminal and the secure DNS server. An IP address comparison module for comparing blocked IP addresses, a data storage module for storing blocked IP addresses and website page contents, and a website page contents previously stored in the data storage module and the web accessed by the host file. A page comparison module for comparing site page content, a big data storage module for storing the number of access traffic to the website, and a method for selecting a website page to be stored in the data storage module based on the number of access traffic It includes an artificial intelligence module, compares the IP address corresponding to the hosts file with the IP address to be blocked, and if the IP address corresponding to the hosts file is the same as the IP address to be blocked, the IP address corresponding to the hosts file Connection is blocked, and if the website IP address received from the secure DNS server and the IP address included in the host file are different, the website page content stored in advance and the website page content accessed by the host file are compared. Therefore, if the contents of the previously stored website page and the contents of the website page accessed by the host file are the same, access to the website accessed by the host file is allowed, and the contents of the previously stored website page and the host file If the content of the website page to be accessed is different, the access to the website accessed by the host file is blocked, and the pre-stored website page content includes two different first website pages and a second website page; , The second website page is configured to be accessed by a domain name downstream of a domain name displaying the first website page, and the number of access traffic of the second website page is the number of access traffic of the first website page. It is characterized in that it is composed of website pages with the smallest ratio to .

Preferably, it may be configured to receive server identification information of a website accessed by the host file, and to determine a secure DNS server if the server identification information is pre-stored fixed server identification information.

Here, if the server identification information is non-fixed server identification information, it may be configured to determine a non-secure DNS server.

In addition, the first website page contents are divided and corresponded by a plurality of DNS servers, and if the server identification information of the plurality of DNS servers is pre-stored fixed server identification information, the website access accessed by the host file It can be configured to allow

Meanwhile, when server identification information of the plurality of DNS servers includes both fixed server identification information and non-fixed server identification information, access to a website accessed by the host file may be blocked.

In addition, when the server identification information of the plurality of DNS servers is configured differently in a predetermined ratio, access to a website accessed by the host file may be blocked.

And, it may be configured to check whether the first website page and the second website page of the secure DNS server are identical at predetermined intervals.

Preferably, the predetermined period may be set differently according to the server identification information.

Here, the predetermined period may be configured to vary according to the size of access traffic to the first website page.

In addition, when the server identification information includes non-fixed server identification information, it may be configured to receive information about a period of use of the non-fixed server identification information.

According to the present invention, network pharming attacks by hackers can be reliably prevented.

In addition, when a plurality of DNS servers are used in a website, DNS server change and network pharming can be clearly distinguished.

In addition, accuracy and efficiency of DNS server monitoring can be improved.

The accompanying drawings are for understanding the technical spirit of the present invention together with the detailed description of the invention, and the present invention should not be construed as being limited to the matters shown in the drawings.
1 is a schematic diagram showing a conventional process of accessing a website through a terminal;
2 is a schematic diagram showing a state in which an artificial intelligence network farming blocking system using big data according to the present invention is connected by a user terminal and a network environment;
3 is a block diagram of the network pharming blocking system;
4 is a flowchart illustrating a method for blocking artificial intelligence network pharming using big data according to the present invention.

Hereinafter, the configuration of the present invention will be described in detail with reference to the accompanying drawings.

Prior to this, the terms used in this specification and claims should not be construed as limited in a dictionary sense, and based on the principle that the inventor can appropriately define the concept of terms in order to best explain his/her invention. , It should be interpreted as a meaning and concept consistent with the technical idea of the present invention.

Therefore, the embodiments described in this specification and the configurations shown in the drawings are only preferred embodiments of the present invention and do not represent all of the technical spirit of the present invention, so various equivalents that can replace them at the time of this application It should be understood that water and variations may exist.

2 is a schematic diagram showing a state in which an artificial intelligent network anti-farming system using big data according to the present invention is connected by a user terminal and a network environment, and FIG. 3 is a block diagram of the network anti-farming system, and FIG. It is a flow chart showing an artificial intelligence network pharming blocking method using big data according to the invention.

2 and 3, the artificial intelligence network farming blocking system using big data according to the present invention includes a domain name detection module 32 for detecting a domain name input from a user's terminal 10, and the user terminal ( A host file extraction module 34 that extracts a host file associated with the domain name entered from 10) from the user's terminal 10, and a secure DNS server management module that transmits and receives DNS query packets associated with the domain name to the DNS server. 36, an IP address comparison module 35 that compares the IP address included in the host file extracted from the user terminal 10 with the IP address received from the secure DNS server 50, and the IP address to be blocked A data storage module 37 for storing website page contents, and a page comparison module 38 for comparing website page contents previously stored in the data storage module 37 with website page contents accessed by the host file. ), a big data storage module 33 for storing the number of access traffic to the website, and artificial intelligence for selecting a website page to be stored in the data storage module 37 based on the number of access traffic A module 31 is configured to compare the IP address corresponding to the hosts file with the IP address to be blocked, and if the IP address corresponding to the hosts file is the same as the IP address to be blocked, the IP address corresponding to the hosts file Address access is blocked, and if the website IP address received from the secure DNS server 50 and the IP address included in the host file are different, the website page contents stored in advance and the website accessed by the host file The page content is compared, and if the pre-stored website page content and the website page content accessed by the host file are the same, access to the website accessed by the host file is allowed, and the pre-stored website page content and the website page content If the content of the website page accessed by the host file is different, the website accessed by the host file and the pre-stored website page content includes two different first website pages and a second website page, wherein the second website page is a domain name displaying the first website page. It is configured to be accessed by a downstream domain name of, and the number of access traffic of the second website page is characterized in that the ratio of the number of access traffic to the number of access traffic of the first website page is composed of a website page.

In the system for blocking network pharming according to the present invention, the user's terminal 10 may be physically connected through a network switch (not shown) that accesses the Internet.

In addition, the network pharming blocking system according to the present invention is used when the user's terminal 10 accesses the website server 40 through the IP address of the host file or through the IP address received from the DNS server 50. In the case of accessing the site server 40, it is possible to monitor whether the terminal 10 accesses a normal website.

The user terminal 10 may be a PC or a smartphone terminal, and for security management, a program or app implementing the network pharming blocking method according to the present invention may be stored in the user terminal 10, or a general terminal. It could be.

The domain name detection module 32 is a component that detects a domain name input from the terminal 10 of the user.

Also, the host file extraction module 34 is a component that extracts a host file related to the domain name input from the user terminal 10 from the user's terminal 10 .

The host file extraction module 34 retrieves the IP address of the website corresponding to the domain name through a port mirroring method for the network switch or router 20 through which the user's terminal 10 accesses the Internet. can be extracted.

The host file extraction module 34 analyzes the source IP, destination IP, HTTP method, HTTP header information, etc. of the website to be accessed through the port mirroring technique, and transfers the IP address of the website corresponding to the domain name to the terminal. (10) or is configured to receive transmission from the router (20).

The data storage module 37 corresponds to a database for storing an IP address to be blocked from among IP addresses of websites accessed by a user through the terminal 100 and a domain name corresponding to the IP address.

In addition, the data storage module 37 stores the contents of pages of websites recognized as correct through prior safety verification.

The website page content includes the first website page and the second website page.

The website page content is stored as a hash function of the website for efficient data management.

The hash function is a function that maps data of an arbitrary length to data of a fixed length for the purpose of efficient management of stored data.

At this time, the original data value before mapping is called a key, the data value after mapping is called a hash value or hash code, and the mapping process itself is called hashing.

The basic property of the hash function is that if two hash values are different, the original data value is also determined differently.

The secure DNS server management module 36 is a component that transmits a DNS query packet associated with the domain name to a DNS server and receives an IP address associated with the domain name from the DNS server.

In addition, the secure DNS server management module 36 stores and manages a list of safe DNS servers 50 whose safety is guaranteed by verification among DNS servers.

And, the IP address comparison module 35 compares the IP address extracted by the host file from the user terminal 10 with the IP address received from the secure DNS server 50 and determines whether they are the same. am.

In addition, the page comparison module 38 compares the contents of a website page previously stored in the data storage module 37 with the contents of a website to be accessed by the host file, and determines whether they are the same.

The page comparison module 38 compares the pre-stored website page content with the website page content accessed by the host file using the hash value.

The IP address comparison module 35 compares whether the IP address included in the host file extracted from the user terminal 10 and the IP address received from the secure DNS server 50 match. do.

The secure DNS server refers to a DNS server recognized as a true DNS server through prior safety verification and stored, and a list of the secure DNS servers may be stored in the data storage module 37.

The big data storage module 33 stores the number of access traffic to the website.

The number of access traffic includes both the number of access traffic to the first website page and the number of access traffic to the second website page among the websites.

The number of access traffic to the first and second website pages may change over time, and such changes are stored in the big data storage module 33 .

In addition, the first and second website pages may also be changed according to the number of access traffic.

The artificial intelligence module 31 selects a website page to be stored in the data storage module 37 based on the number of access traffic to the first website page and the second website page.

First, the IP address of the website to be blocked from being accessed through the user terminal 100 and the domain name corresponding to the IP address are stored in the data storage module 37 .

Further, when the domain name of a website to be accessed through the Internet network is input from the user's terminal 10, a host file associated with the domain name is extracted from the user's terminal 10.

At this time, the IP address corresponding to the hosts file is compared with the IP address to be blocked stored in the data storage module 37, and if the IP address corresponding to the hosts file is the same as the IP address to be blocked, the host file Block access to the corresponding IP address.

If the IP address corresponding to the host file is not the same as the IP address to be blocked stored in the data storage module 37, the DNS query packet associated with the domain name through the secure DNS server management module 36 is transmitted to the secure DNS server (50).

Then, the website IP address is received from the secure DNS server 50, and the IP address according to the host file extracted from the user terminal 10 is compared with the IP address received from the secure DNS server 50.

Thus, if the website IP address received from the secure DNS server 50 and the IP address extracted from the host file are identical, access to the website is allowed.

However, if the website IP address received from the secure DNS server 50 and the IP address included in the host file are different from each other, the website page content previously stored in the data storage module 37 and the host Compare the content of the website page accessed by the IP address extracted from the file.

Further, if the contents of the previously stored website page and the contents of the website page accessed by the IP address extracted from the host file are different from each other, access to the website accessed by the host file is blocked.

In addition, this fact can be notified to the user terminal 10, and the IP address stored in the safe DNS server 50 and the domain name corresponding thereto can be transmitted to the user terminal 10.

By comparing the website page contents stored in advance as described above with the website page contents acquired by the newly changed IP address, it is possible to determine whether the DNS server is changed by a real user due to reasons such as expiration of the cloud server usage period. there is.

When the DNS server is changed by a true user, the major substructures such as the initial screen and bulletin board of most websites are not changed to prevent confusion among users. Determine whether or not to change.

As the pre-stored website page content, an initial screen content or structure of the website may be set as the first website page content, and a bulletin board screen accessed by selecting a part of the initial screen as the second website page content. Alternatively, the content or structure of the login screen may be set.

The bulletin board screen or login screen can be accessed by the downstream domain name compared to the domain name for accessing the initial screen of the website.

In the case of a pharming attack, most of them are intended to induce access by tampering with the initial screen of the website, and do not tamper with the lower page of the initial screen.

This is because the pharming attack itself confuses the initial screen of the website in the first place, induces access to it, and leaks personal information.

In the present invention, as the second website page selected by the artificial intelligence module 31, a page having the smallest ratio of the number of access traffic to the number of access traffic to the first website page is selected.

In the case of a page having a high ratio of the number of access traffic to the number of access traffic of the first website page, it is highly likely that the content or structure of the page is changed according to changes in tastes and trends of visitors.

In contrast, with respect to the number of access traffic to the first website page, in the case of a page having the smallest ratio of the number of access traffic, the possibility of changing its content or structure is low. Reliability of comparison work can be increased.

On the other hand, in the case of a DNS server, the identification information of the server provider is included in the DNS Response packet and transmitted.

The server provider may be classified into a provider that typically provides a rental type cloud server and a server provider owned by the website management entity itself.

Here, in the case of a server owned by the website management entity itself, it is common that it does not change even after a period of time, and in the case of a cloud server in the form of a lease, it is highly likely that it will change after a certain period of time.

In the present invention, a server that is owned by the website provider itself and rarely changes is named a "fixed server 52", and a rental type cloud server that is highly likely to change after a certain period of time is a "non-fixed server ( 54)".

Identification information of the fixed server 52 and non-fixed server 54 managed by the pharming blocking system according to the present invention and data related to the provider are stored in the data storage module 37 in advance.

In addition, data on a provider who plans to newly install the fixed server 52 may also be stored in the data storage module 37 .

And, in the DNS response packet of the website accessed by the host file, server identification information for identifying whether the response packet is from the fixed server 52 or the response packet from the non-fixed server 54 is received do.

At this time, if the server identification information is the same as the previously stored identification information of the fixed server 54, the DNS server of the website accessed by the host file is determined as a secure DNS server, and the first website page and the second website Do not perform site page comparison operations.

Thus, if the DNS server providing subject of the website accessed by the host file is identified as the same as the fixed server providing subject stored in the data storage module 37, the page comparison operation as described above is not performed and the secure DNS server By determining that, the system driving efficiency can be increased.

And, it can be determined whether a DNS server is additionally installed by the existing fixed server providing entity or a DNS server is installed by a new fixed server providing entity.

However, if the server identification information is judged to be non-fixed server 54 identification information, it is first determined to be an unsecured DNS server, and the first website page and the second website page comparison operation is performed to determine whether or not pharming. It is configured to judge.

Therefore, considering that the pharming attack is mainly performed using cloud servers, if the server identification information is determined to be the non-fixed server 54, carefully determine whether or not pharming is performed through website comparison work as described above. It consists of

Also, in some cases, the first website page content is divided and corresponded by a plurality of DNS servers 40 .

At this time, in a state where the server identification information of the plurality of DNS servers 40 is the same as the fixed server identification information stored in the data storage module 37, the server included in the DNS Response packet of the website accessed by the host file If the identification information is the same as the fixed server identification information, it may be configured to allow access to the website.

Thus, when a new DNS server is additionally installed by the existing fixed server providing entity, or when it is determined that the DNS server is installed by the new fixed server providing entity whose safety has been previously verified, website access is allowed.

In addition, when the server identification information of the plurality of DNS servers 40 includes both fixed server identification information and non-fixed server identification information, website access by the DNS Response packet of the website accessed by the host file Can be configured to block.

In the case of a fixed server provider, it is common to add a fixed server managed by the same provider when expanding or changing website contents. As described above, the server identification information of the DNS servers 40 is combined with the fixed server identification information If non-fixed server identification information is included together, it is determined to be exceptional, and pharming is carefully determined through the website comparison work as described above.

In addition, when the server identification information of the plurality of DNS servers 40 is configured differently in a predetermined ratio, access to a website accessed by the host file may be blocked.

If it is determined that the server identification information included in the DNS Response packet of the website accessed by the host file does not represent a single server providing entity, but different server providing entities, the website access is blocked and the above It is configured to carefully determine whether or not to pharming through website comparison work such as

The server identification information also means information indicating the provider of the server, and if it is determined to be the DNS server 40 provided by another server provider other than the same fixed server provider or cloud server provider, more careful It is configured to block website access and perform a website comparison operation for judgment.

In addition, whether the first website page and the second website page, designated in advance in the safe DNS server recognized as a secure DNS server by preliminary verification and stored in the data storage module 37, are the same every predetermined period is checked. configured to be checked.

Thus, by performing a website page comparison job at regular intervals, it is configured to check whether the first website page and the second website page have been legitimately changed, thereby increasing the accuracy of anti-pharming blocking.

In addition, the accuracy of the first website page and the second website page data stored in the data storage module 37 can be maintained.

Preferably, the predetermined period may be set differently according to identification information representing the server provider.

Thus, by reflecting the average value of the website page change cycle by the fixed server provider and the website page change cycle by the non-fixed server provider, such as a cloud server, when the website page content is changed more frequently, the website The comparison operation cycle can be set to be short.

Here, the period of the website page comparison operation may be configured to vary according to the size of access traffic to the first website page.

Thus, when the size of access traffic to the first website page, which can be set as the main page of the website, is large, the website page comparison operation period can be set shorter.

Thus, in the case of websites that are frequently accessed by Internet users and generate more data traffic, that is, websites that are more frequently used by people and are more likely to be targets of pharming, the cycle of website page comparison work can be shortened. It is configured to increase safety and the probability of blocking pharming by making it shorter.

In addition, when the server identification information includes non-fixed server 54 identification information, it may be configured to receive information about a period of use of the non-fixed server identification information.

In the case of a non-fixed server used in a rental format such as a cloud server, information about the non-fixed server usage period may be included in the DNS Response packet.

In addition, when the server identification information is changed within the remaining use period of the non-fixed server, the web page comparison operation is performed to carefully determine whether or not to pharming.

On the other hand, referring to FIG. 4, the method for blocking network pharming according to the present invention includes the step of storing the IP address to be blocked (step 10), and inputting the domain name for accessing the website from the user's terminal through the Internet network. Detecting (step 20), extracting the host file associated with the domain name from the user's terminal (step 30), and comparing the IP address corresponding to the host file with the IP address to be blocked (step 40), and if the IP address corresponding to the hosts file is the same as the IP address to be blocked, blocking access to the IP address corresponding to the hosts file (step 100), and blocking the IP address corresponding to the hosts file If it is not the same as the target IP address, transmitting the DNS query packet associated with the domain name to the secure DNS server (step 50), and receiving the website IP address from the secure DNS server (step 60); Comparing the IP address corresponding to the host file extracted from the user terminal 10 with the received IP address (step 70), and the website IP address received from the secure DNS server and the IP included in the host file If the addresses are different, comparing the pre-stored website page content with the website page content accessed by the host file (step 90), and the website accessed by the host file and the pre-stored website page content If the content of the page is the same, allowing access to the website accessed by the host file (step 80), and if the content of the previously stored website page and the content of the website page accessed by the host file are different, the host and blocking access to a website accessed by a file (step 100), wherein the pre-stored website page contents include two different first website pages and second website pages, wherein the second website pages are different from each other. The website page is downstream of the domain name representing the first website page. It is configured to be accessed by a domain name, and the number of access traffic of the second website page is characterized in that it consists of a website page with the smallest ratio to the number of access traffic of the first website page.

In the method for blocking network pharming according to the present invention, the data storage module 37 stores an IP address for which the user wants to block access through the terminal 100 and a domain name corresponding to the IP address. (Step 10) )

Then, when the domain name of the website to be accessed through the Internet network is input from the user's terminal 10, it is detected through the domain name detection module 32. (Step 20)

Thereafter, the host file associated with the domain name is extracted from the user's terminal 10 through the host file extraction module 34. (Step 30)

At this time, the IP address corresponding to the host file is compared with the IP address to be blocked stored in the data storage module 37 (step 40), and if the IP address corresponding to the host file is the same as the IP address to be blocked. , Block access to the IP address corresponding to the host file. (Step 100)

Then, the fact that the connection is blocked is notified to the user terminal 10 (step 110).

If the IP address corresponding to the host file is not the same as the IP address to be blocked, the DNS query packet associated with the domain name is transmitted to the safe DNS server 50 through the secure DNS server management module 36. .(step 50)

In addition, the secure DNS server management module 36 receives the website IP address associated with the domain name from the secure DNS server 50 (step 60).

Then, through the IP address comparison module 35, the IP address according to the host file extracted from the user terminal 10 is compared with the IP address received from the secure DNS server 50. (Step 70)

If the website IP address received from the secure DNS server 50 and the IP address extracted from the host file are the same, access to the website is allowed. (Step 80)

However, if the website IP address received from the secure DNS server 50 and the IP address included in the host file are different from each other, the website page content previously stored in the data storage module 37 and the host Compare the content of the website page accessed by the IP address extracted from the file. (Step 90)

And, if the contents of the website page stored in advance and the contents of the website page accessed by the IP address extracted from the host file are different from each other, access to the website IP address by the host file is blocked (step 100).

And, this fact is notified to the user terminal 10 (step 110).

However, if the contents of the previously stored website page and the contents of the website page accessed by the IP address extracted from the host file are identical to each other, access to the website by the host file is allowed. (Step 80)

By the method according to the present invention, by comparing the website page contents stored in advance as described above with the website page contents acquired by the changed IP address, the DNS server by the real user due to reasons such as expiration of the cloud server usage period. It may be determined whether the IP address is changed or the IP address is changed by pharming.

As described above, when the DNS server is changed by a true user, most of the main substructures such as the initial screen of the website and bulletin board are not changed to prevent users from being confused. It is judged whether the DNS server change is caused by the change or the change is caused by pharming.

As described above, as the pre-stored website page content, the initial screen content or structure of the website may be set and stored as the first website page content, and a bulletin board accessed by selecting a part of the initial screen The content or structure of the screen or login screen may be set and stored as the content of the second website page.

As described above, the bulletin board screen or login screen can be accessed through the downstream domain name compared to the domain name that induces access to the initial screen of the website.

And, as described above, as the second website page, a page having the smallest ratio of the number of access traffic to the number of access traffic to the first website page is selected.

And, in the DNS response packet of the website accessed by the host file, server identification information for identifying whether the response packet is from the fixed server 52 or the response packet from the non-fixed server 54 is received do.

The server identification information is information for identifying the DNS server provider, and is included in the DNS Response packet and transmitted.

The DNS server provider may be classified into a provider providing a rental type of cloud server and a server provider owned by the website management entity itself.

As described above, in the case of a server owned by the website management entity itself, it is common that the server provider does not change even after a period of time. Since the server provider is highly likely to change when the period elapses, it is named "non-fixed server 54".

Identification information of the fixed server 52 and non-fixed server 54 managed by the pharming blocking method according to the present invention and data on the provider subject thereof are stored in the data storage module 37 in advance.

In addition, data on a provider who plans to newly install the fixed server 52 may also be stored in the data storage module 37 .

When the server identification information indicating the server provider is the same as the identification information of the fixed server 54 pre-stored in the data storage module 37, the DNS server of the website accessed by the host file is determined as a safe DNS server.

Thus, when the DNS server providing subject of the website accessed by the host file is identified as the same as the fixed server providing subject stored in the data storage module 37, the first website page and the second website page are compared System operation efficiency can be increased by judging it as a safe DNS server without performing tasks.

In addition, when the server identification information indicating the server provider is the same as the identification information of the fixed server 54 pre-stored in the data storage module 37, a DNS server is additionally installed by the existing fixed server provider or verified in advance It is possible to determine whether a DNS server is installed by the stored new fixed server provisioning entity.

By the way, if the server identification information is determined to be non-fixed server 54 identification information, once it is determined to be an unsecured DNS server, the first website page and the second website page comparison operation is performed to determine whether pharming or not. It is configured to determine more accurately.

Thus, if it is determined that the server is not provided by a pre-stored fixed server providing entity, the page comparison operation is performed to determine whether pharming is performed.

As described above, considering that pharming attacks are mainly performed using cloud servers, if the server identification information is determined to be the non-fixed server 54, whether or not pharming is checked through website page comparison work as described above. It is configured to carefully judge.

Also, in some cases, the first website page content is divided and corresponded by a plurality of DNS servers 40 .

At this time, in a state where the server identification information of the plurality of DNS servers 40 is the same as the fixed server identification information stored in the data storage module 37, the server included in the DNS Response packet of the website accessed by the host file If the identification information is the same as the fixed server identification information, it may be configured to allow access to the website by determining it as a safe website.

Thus, when a new DNS server is additionally installed by the existing fixed server providing entity, or when it is determined that the DNS server is installed by the new fixed server providing entity whose safety has been previously verified, website access is allowed.

In addition, when the server identification information of the plurality of DNS servers 40 includes both fixed server identification information and non-fixed server identification information, website access by the DNS Response packet of the website accessed by the host file configured to block.

As described above, in the case of a fixed server providing entity, it is common to add a fixed server managed by the same providing entity when expanding or changing the contents of a website. As described above, the server identification information of the DNS servers 40 If contains both the identification information of the fixed server 52 and the identification information of the non-fixed server 54, it is determined to be exceptional, and it is configured to carefully determine whether or not to pharming through the website page comparison work as described above.

In addition, when the server identification information of the plurality of DNS servers 40 is configured differently in a predetermined ratio, access to a website accessed by the host file may be blocked.

If it is determined that the server identification information included in the DNS Response packet of the website accessed by the host file does not represent a single server providing entity, but different server providing entities, the website access is blocked and the above It is configured to carefully determine whether or not to pharming through a website page comparison operation such as

Thus, when a plurality of legitimate DNS servers 40 are used to provide a website, when the plurality of DNS servers are used for pharming, access to the website is primarily blocked with the server identification information as described above.

The server identification information also means information indicating the provider of the server, and if it is determined to be the DNS server 40 provided by another server provider other than the same fixed server provider or cloud server provider, more careful It is configured to block website access and perform a website page comparison operation for judgment.

In addition, in a secure DNS server recognized as a secure DNS server by preliminary verification, the first website page and the second website page designated in advance and stored in the data storage module 37 are the same every predetermined period. It is configured to check whether

Thus, by performing a website page comparison operation at regular intervals, it is possible to check whether the first website page and the second website page remain the same or have been legitimately changed, thereby increasing the accuracy of anti-pharming blocking. there is.

Also, the accuracy of the first website page and the second website page stored in the data storage module 37 can be maintained.

The predetermined cycle may be set differently according to the identification information indicating the server provider, and the website page change cycle by the fixed server provider and the website page change cycle by the non-fixed server provider such as a cloud server By applying artificial intelligence technology by reflecting the average value, the period of the website comparison operation can be set to be short when the contents of website pages are changed more frequently.

Here, the period of the website page comparison operation may be configured to vary according to the size of access traffic to the first website page.

Thus, when the size of access traffic to the first website page, which can be set as the main page of the website, is large, the website page comparison operation period can be set shorter.

Thus, in the case of websites that are frequently accessed by Internet users and generate more data traffic, that is, websites that are more frequently used by people and are more likely to be targets of pharming, the cycle of website page comparison work can be shortened. It is configured to increase safety and the probability of blocking pharming by making it shorter.

In addition, when the server identification information includes non-fixed server 54 identification information, it may be configured to receive information about a period of use of the non-fixed server identification information.

As described above, in the case of a non-fixed server used in a rental format such as a cloud server, information about the use period of the non-fixed server may be included in the DNS Response packet.

In addition, when the server identification information is changed within the remaining use period of the non-fixed server, the web page comparison operation is performed to carefully determine whether or not to pharming.

Above, the terms used in the embodiments of the present invention have the same meaning as commonly understood by a person of ordinary skill in the art to which the present invention belongs.

Although the present invention has been described with limited embodiments and drawings, the above embodiments are not intended to limit the technical idea of the present invention but to explain it, so the technical idea of the present invention is not limited to these, and the present invention belongs Various modifications and variations will be possible by those skilled in the art within the scope of equivalents of the technical spirit of the present invention and the claims to be made below.

Therefore, the protection scope of the present invention should be construed according to the claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present invention.

And, if it is within the scope of the object of the present invention, all of the components may be configured by selectively combining one or more.

The term "includes" or "consists of" described above means that the corresponding component may be included, and should be interpreted as being able to additionally include other components.

10: user terminal
20: Network switch or router
30: Server for network pharming blocking system
40: DNS server
50: Safe DNS server

Claims (20)

storing an IP address to be blocked;
detecting that a domain name for accessing a website is input from a user's terminal through an Internet network;
extracting a host file associated with the domain name from the terminal of the user;
comparing an IP address corresponding to the host file with an IP address to be blocked;
blocking access to the IP address corresponding to the hosts file when the IP address corresponding to the hosts file is the same as the IP address to be blocked;
transmitting a DNS query packet associated with the domain name to a safe DNS server when the IP address corresponding to the host file is not the same as the IP address to be blocked;
receiving a website IP address from the secure DNS server;
comparing the IP address corresponding to the host file extracted from the user terminal with the IP address received from the secure DNS server;
comparing the previously stored website page content with the website page content accessed by the host file when the website IP address received from the secure DNS server and the IP address included in the host file are different;
allowing access to the website accessed by the host file if the contents of the previously stored website page and the website page accessed by the host file are the same;
and blocking access to the website accessed by the host file when the pre-stored website page content is different from the website page content accessed by the host file.
The pre-stored website page contents include two different first website pages and second website pages;
the second website page is configured to be accessed by a domain name downstream of a domain name representing the first website page;
The artificial intelligence network farming blocking method using big data, characterized in that the number of access traffic of the second website page is composed of website pages having the smallest ratio to the number of access traffic of the first website page. According to claim 1,
receiving server identification information of a website accessed by the host file;
If the server identification information is pre-stored fixed server identification information, artificial intelligence network pharming blocking method using big data, characterized in that configured to determine a secure DNS server. According to claim 2,
If the server identification information is non-fixed server identification information, artificial intelligence network pharming blocking method using big data, characterized in that configured to determine that it is a non-secure DNS server. According to claim 1,
The first website page contents are divided and corresponded by a plurality of DNS servers,
If the server identification information of the plurality of DNS servers is pre-stored fixed server identification information,
Artificial intelligence network pharming blocking method using big data, characterized in that configured to allow access to the website accessed by the host file. According to claim 4,
When the server identification information of the plurality of DNS servers includes both fixed server identification information and non-fixed server identification information,
An artificial intelligence network pharming blocking method using big data, characterized in that configured to block access to websites accessed by the host file. According to claim 5,
When the server identification information of the plurality of DNS servers is configured differently in a predetermined ratio,
An artificial intelligence network pharming blocking method using big data, characterized in that configured to block access to websites accessed by the host file. According to claim 1,
The artificial intelligence network pharming blocking method using big data, characterized in that the first website page and the second website page of the secure DNS server are configured to check whether they are the same at predetermined intervals. According to claim 7,
The artificial intelligence network pharming blocking method using big data, characterized in that the predetermined period is set differently according to the server identification information. According to claim 7,
The artificial intelligence network pharming blocking method using big data, characterized in that the predetermined period is configured to vary according to the size of access traffic to the first website page. According to claim 5,
If the server identification information includes non-fixed server identification information,
Artificial intelligent network pharming blocking method using big data, characterized in that configured to receive information about the period of use of the non-fixed server identification information. a domain name detecting module for detecting a domain name input from a user's terminal;
a host file extraction module for extracting a host file related to the domain name input from the user terminal from the user terminal;
a secure DNS server management module for transmitting and receiving a DNS query packet associated with the domain name to a DNS server;
an IP address comparison module for comparing the IP address included in the host file extracted from the user terminal with the IP address received from the secure DNS server;
a data storage module for storing blocked IP addresses and website page contents;
a page comparison module which compares the website page contents previously stored in the data storage module with the website page contents accessed by the host file;
a big data storage module for storing the number of access traffic to the website;
An artificial intelligence module for selecting a website page to be stored in the data storage module based on the number of access traffic,
Comparing the IP address corresponding to the hosts file with the IP address to be blocked, and blocking access to the IP address corresponding to the hosts file when the IP address corresponding to the hosts file is the same as the IP address to be blocked;
If the website IP address received from the secure DNS server and the IP address included in the host file are different, the website page content stored in advance and the website page content accessed by the host file are compared,
When the pre-stored website page content and the website page content accessed by the host file are identical, access to the website accessed by the host file is allowed;
If the pre-stored website page content and the website page content accessed by the host file are different, blocking access to the website accessed by the host file;
The pre-stored website page contents include two different first website pages and second website pages;
the second website page is configured to be accessed by a domain name downstream of a domain name representing the first website page;
The artificial intelligent network pharming blocking system using big data, characterized in that the number of access traffic of the second website page is composed of website pages having the smallest ratio to the number of access traffic of the first website page. According to claim 11,
An artificial intelligence network using big data, characterized in that it is configured to receive server identification information of a website accessed by the host file, and to determine a secure DNS server if the server identification information is pre-stored fixed server identification information. anti-farming system. According to claim 12,
If the server identification information is non-fixed server identification information, an artificial intelligence network pharming blocking system using big data, characterized in that configured to determine a non-secure DNS server. According to claim 11,
The first website page contents are divided and corresponded by a plurality of DNS servers,
If the server identification information of the plurality of DNS servers is pre-stored fixed server identification information,
An artificial intelligence network pharming blocking system using big data, characterized in that configured to allow access to websites accessed by the host file. 15. The method of claim 14,
When the server identification information of the plurality of DNS servers includes both fixed server identification information and non-fixed server identification information,
An artificial intelligence network pharming blocking system using big data, characterized in that configured to block website access accessed by the host file. According to claim 15,
When the server identification information of the plurality of DNS servers is configured differently in a predetermined ratio,
An artificial intelligence network pharming blocking system using big data, characterized in that configured to block website access accessed by the host file. According to claim 11,
The artificial intelligence network pharming blocking system using big data, characterized in that the first website page and the second website page of the secure DNS server are configured to check whether they are the same at predetermined intervals. 18. The method of claim 17,
The artificial intelligence network pharming blocking system using big data, characterized in that the predetermined period is set differently according to the server identification information. 18. The method of claim 17,
The artificial intelligence network pharming blocking system using big data, characterized in that the predetermined period is configured to vary according to the size of access traffic to the first website page. According to claim 15,
If the server identification information includes non-fixed server identification information,
An artificial intelligent network pharming blocking system using big data, characterized in that it is configured to receive information about the period of use of the non-fixed server identification information.

Images