KR20230071376A - An apparatus for network monitoring and method thereof - Google Patents

Abstract

The present invention relates to network security monitoring, and more particularly, to a method for a network security monitoring device to monitor network security, and to a network security monitoring device using the method. A method for monitoring network security according to the present invention includes the steps of storing a concentrated monitoring list including information about a first terminal determined to be subject to centralized monitoring among terminals connected to a network, and transmitting and receiving information transmitted and received by the first terminal through the network. Mirroring a packet, mirroring a second packet transmitted and received by a second terminal not determined as an intensive monitoring target through the network, and monitoring the security of the network based on the mirrored first and second packets It may include the step of performing.

Description

Network security monitoring device and method {AN APPARATUS FOR NETWORK MONITORING AND METHOD THEREOF}

The present invention relates to network monitoring, and more particularly, to a method and apparatus for detecting abnormal traffic on a network by intensively monitoring terminals on the network.

A network may consist of a variety of devices with communication links and communication capabilities connected to the communication links. Here, the devices related to the network include personal computers, server computers, notebook computers, tablet PCs, smart phones, and devices having processors, communication interfaces, and user interfaces that are not limited thereto, and also include cameras, printers, and scanners. , sensors, routers, peripheral devices, storage devices, network relay devices, embedded information processing devices, Internet-of-things (IoT) devices, and processors and communication interfaces, but not limited thereto, but not having user interfaces. Devices that do not include

On the other hand, there is always a risk that a device attempting inappropriate communication will access the network. Inappropriate communications include, for example, sending attack packets for Distributed Denial of Service (DDoS), hacking other devices connected on the network, or attempting to hack or disable relays or security devices on the network. . Therefore, in order to monitor and block such inappropriate communication, various security methods may be applied to the network.

As one of various security methods, there is a method of requiring pre-authentication when accessing a network. For example, a method such as giving a user ID and password to a user of a device that wants to access a network and allowing the device to access the network only when the ID and password are normally input. However, although this method is an effective security method for a device having the aforementioned user interface, there is a problem in that it is difficult to apply to a device not having the aforementioned user interface. This is because such devices do not have means for inputting an ID and a password.

Accordingly, a predetermined exception may be applied to network access for a device having no user interface as described above. For example, when a device with a pre-specified MAC address accesses the network, the device's access can be exceptionally allowed without an authentication procedure. However, access paths of devices subject to these exceptions can be easily misused by malicious users. For example, if the MAC address of a device that is allowed access is obtained, the MAC address can be cloned into a malicious device, and through this, improper communication can be attempted by accessing the network without authentication.

In order to block abnormal traffic generated by a malicious device attempting inappropriate communication using an authentication exception, in the prior art, a monitoring device is used to monitor communication packets, and when an abnormal symptom is detected, an administrator checks the device A blocking method was applied. However, with the spread of IoT devices and the consequent expansion of the network, there are obvious limitations to the conventional method that relies on the manager's judgment.

An object according to an embodiment of the present invention to solve the above problems is to provide a network monitoring method and such a device capable of maintaining network security by applying an efficient and effective centralized monitoring policy to a terminal accessing through an authentication exception. is to do

A method for monitoring the security of a network by a network security monitoring apparatus according to an aspect of the present invention for solving the above problems is an intensive monitoring including information about a first terminal determined to be an intensive monitoring target among terminals connected to a network Storing a list, mirroring a first packet transmitted and received by the first terminal through the network, mirroring a second packet transmitted and received by a second terminal not determined as an intensive monitoring target through the network, and performing security monitoring of the network based on the mirrored first and second packets.

The information on the first terminal may include an Internet Protocol (IP) address or a Media Access Control (MAC) address.

The first terminal may be determined as an intensive monitoring target based on whether user authentication is possible in the terminal.

The first terminal may be determined as an intensive monitoring target by the network security management device.

The method for determining the first terminal as the subject of centralized monitoring may include, for at least one user terminal, if user authentication is possible in the user terminal, the user terminal is not determined as the subject of centralized monitoring, and user authentication is performed in the user terminal. If it is impossible or if the user terminal requests an exception to user authentication, the user terminal may be determined as an intensive monitoring target.

The user authentication is performed by at least one of IP address authentication, MAC address authentication, user ID authentication, user password authentication, encryption communication authentication, and authentication by an authentication program installed in the terminal. may be done

The security monitoring includes detecting a first abnormal traffic for the first terminal and detecting a second abnormal traffic for the second terminal, wherein the detection of the first abnormal traffic and the second abnormal traffic Sensing can be in different ways.

The detecting of the first abnormal traffic may include generating a transmission/reception packet pattern by collecting the mirrored first packets according to time series, calculating a matching rate between the transmission/reception packet pattern and a normal pattern, and the matching rate being normal. If the level is not reached, determining that the traffic is abnormal may be included.

The normal pattern may be based on at least one normal state packet transmitted and received by a terminal of the same type as the first terminal in a normal state.

The normal pattern may be based on at least one normal state packet transmitted and received by the first terminal in a state in which the network security monitoring device does not detect an abnormality.

The normal pattern may be obtained by learning at least one normal state packet through machine learning artificial intelligence.

The step of calculating the matching rate may include generating an expected packet pattern according to time series by the machine learning artificial intelligence, comparing the transmitted/received packet pattern with the expected packet pattern, and comparing whether individual packets constituting the packet pattern match each other. steps may be included.

The step of calculating the match rate may include the number of packets determined to match between the transmitted/receive packet pattern and the expected packet pattern, with a larger number as a denominator among the number of individual packets included in the transmitted/received packet pattern and the expected packet pattern. It can be calculated as a numerator.

The method of monitoring network security may further include blocking network access of the first terminal when an abnormality in network security is detected.

The method for monitoring network security may further include notifying a network security management device of a message indicating that abnormal traffic has occurred in the first terminal when an abnormality in network security is detected.

An apparatus for monitoring network security according to an aspect of the present invention includes: a monitoring target management unit for storing a centralized monitoring list including information about a first terminal determined to be an intensive monitoring target among terminals connected to a network; A mirroring packet reception unit configured to mirror and receive a first packet transmitted and received through the network, and mirror and receive a second packet transmitted and received through the network by a second terminal not determined as an intensive monitoring target, and the mirrored first packet It may include a traffic monitoring unit that performs security monitoring of the network based on the packet and the second packet.

The first terminal may be determined based on whether user authentication is possible in the terminal.

The traffic monitoring unit includes a pattern generation unit generating a transmission/reception packet pattern by collecting the mirrored first packets according to a time series, a calculation unit calculating a matching rate between the transmission/reception packet pattern and the normal pattern, and the matching rate falling short of a normal level. In this case, it may include an abnormality determination unit that determines that the traffic is abnormal.

The normal pattern may be obtained by learning at least one normal state packet through machine learning artificial intelligence.

The traffic monitoring determination unit may be configured to block network access of the terminal subject to centralized monitoring when abnormal traffic is detected.

According to a network security monitoring method or network monitoring device according to an embodiment of the present invention, while providing a network monitoring function capable of intensively monitoring inappropriate communications in parallel with conventional network monitoring technology, excessive computing resources are required. suppression to enable effective management.

1 is a conceptual diagram for explaining a network security monitoring procedure according to an embodiment of the present invention;
2A is a communication flowchart for explaining a security monitoring method of a first terminal according to an embodiment of the present invention;
2B is a communication flowchart for explaining a security monitoring method of a second terminal according to an embodiment of the present invention;
3 is a conceptual diagram illustrating a process of designating a first terminal or a second terminal according to an embodiment of the present invention;
4 is a block diagram showing the structure of a network security monitoring device according to an embodiment of the present invention.

Since the present invention can make various changes and have various embodiments, specific embodiments are illustrated in the drawings and described in detail.

However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. These terms are only used for the purpose of distinguishing one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention. The terms and/or include any combination of a plurality of related recited items or any of a plurality of related recited items.

It is understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may exist in the middle. It should be. On the other hand, when an element is referred to as “directly connected” or “directly connected” to another element, it should be understood that no other element exists in the middle.

Terms used in this application are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this application, the terms "include" or "have" are intended to designate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the present application, they should not be interpreted in an ideal or excessively formal meaning. don't

When the term "device" is used in describing the invention in this application, it is intended to describe an embodiment for explaining any function of the present invention that can be implemented as a device, and the function of the device must be independent. It is not meant to be implemented as a single device. Depending on the functional characteristics of the communication network, one device may be implemented with a plurality of devices performing the same function, or conversely, one device may be installed to simultaneously perform the functions of a plurality of devices. Functions of a certain device may be implemented by other devices through software means or by general computers and information processing devices. In addition, when a plurality of devices are used, each device may be connected only to a communication network and may be separated from each other in a physical space. Since this is an area of various embodiments that can be taken by a person skilled in the art in the communication network technology field to implement the same technical idea, any detailed implementation method should be construed as being included in the technical idea area of the present invention.

Hereinafter, with reference to the accompanying drawings, preferred embodiments of the present invention will be described in more detail. In order to facilitate overall understanding in the description of the present invention, the same reference numerals are used for the same components in the drawings, and redundant descriptions of the same components are omitted.

Overview of network monitoring architecture

1 is a conceptual diagram for explaining a network security monitoring procedure according to an embodiment of the present invention. As shown in FIG. 1, the network security monitoring procedure 100 according to an embodiment of the present invention includes a user terminal 110, a network relay device 120, a network security monitoring device 130, a network security management device ( 140), the network 150, and the network relay system 160.

Referring to FIG. 1 , a user terminal 110 may be a terminal attempting access using a network relay system 160 in order to perform predetermined network communication via a network 150 . The user terminal 110 may be a client terminal or an Internet-of-things (IoT) device. The user terminal 110 does not necessarily need to be manipulated by the user, and any terminal device installed in an operating state by the user as an individual or organization to achieve a predetermined purpose may be used.

In order for the user terminal 110 to perform communication through the network 150, it must be relayed by the network relay system 160 constituting the communication network. More specifically, the user terminal 110 may request the network relay device 120 belonging to the relay system 160 to access a network and follow the procedure. The procedure may include issuance of an Internet Protocol (IP) address and establishment of a communication channel.

The network relay device 120 receives a communication packet transmitted from the user terminal 110 and transmits the communication packet to the network 150, and receives a packet transmitted from the network 150 toward the user terminal 110 and transmits the packet to the user terminal 110. It can perform a relaying function to deliver to the terminal 110.

According to an embodiment of the present invention, the network relay device 120 extracts the location and destination of a packet transmitted from a user terminal toward the network 150, designates an optimal path to the location, and selects the route. may be configured to relay the packet by forwarding the data packet to the network 150 according to the For this operation, the network relay device 120 may include a router and a switch. The switch may include a switch that serves as an OSI layer 2, an OSI layer 3, an OSI layer 4, and/or another layer (eg, an OSI layer 7), and performs, for example, a function of setting a packet path on a network. can do. In addition, functions such as load balancing, port forwarding, and QoS may be performed. Switch 324 may be referred to as a network switch, a switching hub, a port switching hub, or the like.

Prior to performing the relay function, the network relay device 120 may perform a user terminal authentication procedure to determine whether the user terminal 110 is a terminal authorized to access a corresponding network. The user terminal authentication procedure is performed in at least one of authentication using an IP address, authentication using a MAC address, authentication using a user ID, authentication using a user password, authentication using encrypted communication, and authentication using an authentication program installed in a terminal. can be done by However, some of the above authentication procedures may be limited according to the type of user terminal 110 . For example, an authentication method using a user ID cannot be used when the user terminal 110 does not have a means for inputting a user ID. In this case, access of the terminal may be permitted by applying an exception to the user authentication procedure.

When the user terminal 110 is connected, communication packets between the user terminal 110 and the network 150 may be observed for security management. To this end, the network relay device 120 may be configured to duplicate (mirror) packets transmitted and received by user terminals, generate mirroring packets, and transmit the mirroring packets to the network security monitoring device 130.

The network relay device 120 may be implemented as a single device, but may also be implemented as an aggregate of a plurality of devices. For example, the network relay device 120 may be implemented as a device group composed of a user terminal authentication device, a router, a switch, and a packet mirroring device. However, it is obvious that even if a device or a group of devices performing the same function as the network relay device 120 of the present invention is separated and implemented in any functional unit, it will fall within the scope of the present invention as long as the technical idea of the present invention is implemented.

According to an embodiment of the present invention, the packet mirroring device belonging to the network repeater 120 may be connected to a switch and may be configured to mirror and obtain almost all packets provided to the network 150 through the switch. Packet mirroring, that is, duplication or capture of packets, can be performed in a switch according to one embodiment of the present invention, and can be performed in a packet mirroring device according to another embodiment. After copying the packet provided to the network 150, the switch may set a port connected to the packet mirroring device as a destination port and provide the packet to the packet mirroring device.

The network security monitoring device 130 may detect abnormal traffic to monitor whether the user terminal 110 attempts inappropriate communication by receiving and analyzing the mirroring packet from the network relay device 120 . Abnormal traffic is, for example, due to an act of transmitting attack packets for DDoS (Distributed Denial of Service), hacking other devices connected on the network, or hacking or incapacitating a network relay or security maintenance device. It may include transmission/reception of generated packets. At this time, the network security monitoring device 130 may detect abnormal traffic for the two different types of user terminals 110 in different ways.

Among the user terminals 110, a terminal that cannot perform an authentication procedure is referred to as a first terminal for convenience, and a terminal capable of performing an authentication procedure is referred to as a second terminal. Since the first terminal is subject to exceptions in performing authentication upon network access, there is a risk of generating abnormal traffic by exploiting the above exceptions. For example, after receiving an exception through a normal procedure and accessing the network, the first terminal may generate abnormal traffic unlike the purpose of the access. Alternatively, the first terminal is an illegal terminal that accesses the network by masquerading as a normal terminal accessing through a predetermined authentication exception. After participating in the network by forging the procedure used by the normal terminal to request an authentication exception, the normal terminal It can generate abnormal traffic by masquerading. For example, a legitimate terminal that cannot perform an authentication procedure may be allowed access to a network without authentication using a whitelist method using the MAC address of the network communication unit equipped by the terminal. By acquiring and copying the MAC address to which it belongs, it is possible to participate in the network by impersonating the legitimate terminal.

Therefore, it is preferable that centralized monitoring by the network security monitoring device 130 is performed on a terminal belonging to the first terminal. A procedure for centralized monitoring of the first terminal will be described later in detail.

Meanwhile, a user terminal 110 that does not belong to the first terminal and can normally perform an authentication procedure having excellent security performance is referred to as a second terminal. For the second terminal, general monitoring used in the prior art may be performed. For example, a performance indicator is generated from the packet by analyzing the packet, the performance indicator data is transmitted to the network security management device 140, and when there is an instruction to block abnormal traffic from the network security management device 140, the network security management device 140 It may be configured to instruct the relay device 120 to block abnormal traffic. A general monitoring procedure for the second terminal will be described later in detail.

That is, the determination of the first terminal as the subject of intensive monitoring is determined based on whether user authentication is possible in the terminal, and when user authentication is possible in the user terminal, the user terminal is not determined as the subject of intensive monitoring, and the It can be summarized as determining the user terminal as an intensive monitoring target when the user terminal cannot perform user authentication or the user terminal requests an exception to user authentication.

Intensive monitoring procedure for the first terminal

2A is a communication flowchart illustrating a security monitoring method of a first terminal according to an embodiment of the present invention. Referring to FIG. 2A, a procedure for performing intensive monitoring on the first terminal will be described in detail.

When the user terminal attempts to access the network through the relay system 160, the user terminal may request 220 access by an authentication exception. In this way, a user terminal having access by an authentication exception is classified as a first terminal 110-1, and a terminal that does not is classified as a second terminal.

3 is a conceptual diagram illustrating a process of designating a first terminal or a second terminal according to an embodiment of the present invention. Referring to FIG. 3, a process of processing an access request due to an authentication exception and a process of designating a first terminal according thereto will be described through an embodiment.

According to an embodiment of the present invention, a user terminal may transmit a message requesting access by using a network communication means having a MAC address identified in advance with a pre-specified IP during a network access process. This request is received by the network relay device 120 (S300) and determines whether to allow network access. At this time, the network relay device 120 may process the exception access request using a whitelist method. According to an embodiment of the present invention, the network relay device 120 stores a database that stores pairs of IP addresses and MAC addresses that allow access, so that a device requesting allocation of a specific IP address is authenticated. It is possible to verify whether or not a specific MAC address that is exception-processed is possessed (S310). At this time, if it is confirmed as a user terminal corresponding to the exception-processed MAC address, the corresponding user terminal can be designated as the first terminal (S320) and the access request can be accepted (S370). The process of designating the second terminal will be separately described later.

Referring back to FIG. 2A , when the access request 220 due to an authentication exception occurs as described above, there is a vulnerability that communication with this terminal will be useful for communication with an unauthorized access terminal that can potentially generate abnormal traffic. . Accordingly, the network relay device 120 transmits the information of the corresponding first terminal 110 - 1 to the network security monitoring device 130 and registers it in the centralized monitoring list ( 221 ). The forwarded information may include at least one of an IP address and a MAC address of the first terminal 110-1. The above information is stored by the network monitoring device 130, and all packets transmitted and received by the first terminal 110-1 through the network relay device 120 in the future are subject to intensive monitoring by the network monitoring device 130. do.

When the first terminal 110-1 transmits a packet to the network (203), the corresponding packet is mirrored by the network relay device 120 to generate a mirroring packet. The mirroring packet is transferred to the network security monitoring device 130 (204) and analyzed whether or not it is abnormal traffic. Meanwhile, the original packet before being mirrored is transmitted to the network (205) along a normal relay path. Even when a packet with the first terminal 110-1 as a receiver is received from the network (206), the packet is mirrored by the network relay device 120 to generate a mirroring packet, and the mirroring packet is monitored for network security. It is passed 207 to device 130 for analysis. Since access of the first terminal 110-1 is currently allowed, the original packet before being mirrored is received by the first terminal according to a normal relay path (208). All packets transmitted and received from the first terminal 110-1 are referred to as first packets for convenience.

The network security monitoring device 130 may collect the mirrored first packets according to time series in order to determine whether the mirrored first packets belong to abnormal traffic. According to an embodiment of the present invention, packet collection according to time series extracts information including packet header information composition, payload capacity, destination IP address, and packet transmission amount per unit time from the first mirrored packet, It can be done in a way that accumulates over time.

As a result of collecting the mirrored first packets as described above, the network security monitoring device 130 may generate a transmission/reception packet pattern. The transmission/reception packet pattern is data for determining how the user terminal 110-1 is currently transmitting/receiving packets to the network, and is used to detect abnormal traffic by comparing it with a normal pattern in the network security monitoring device 130. can be used In this case, the normal pattern may be data in which patterns of packets expected to be transmitted and received by the first terminal in a normal state are arranged in a time series.

According to an embodiment of the present invention, the normal pattern may be data based on at least one normal state packet transmitted and received by a terminal of the same type as the first terminal in a normal state. For example, when the first terminal is a camera device, it may be data collected according to time series of packet patterns generally transmitted and received by a camera device having the same standard as the first terminal.

According to another embodiment of the present invention, the normal pattern may be data based on at least one normal state packet transmitted and received by the first terminal in a state in which the network security monitoring apparatus does not detect an abnormality. For example, if the first terminal has accessed the corresponding network relay device 120 before, the transmitted/received packet patterns collected according to the time series during the normal operation of the first terminal in the past are separately stored, and then the first terminal It can also be used as a reference point for analysis in the process of intensive monitoring of the terminal.

The network security monitoring device 130 may teach at least one normal state packet to machine learning artificial intelligence to obtain the normal pattern. According to an embodiment of the present invention, the machine learning artificial intelligence may be configured to predict a packet generation type in the next sequence by learning an input packet pattern. That is, it can be configured to predict which packet will appear in the next step if the transmitted/received packet belongs to the normal category by learning the normal state packet in the corresponding artificial intelligence.

The network security monitoring device 130 may compare the transmitted/received packet pattern with the normal pattern to calculate a matching rate. It is possible to detect the occurrence of abnormal traffic based on the degree of matching between the expected normal pattern and the actual transmitted/received packet pattern being lowered. According to an embodiment of the present invention, the matching rate may be calculated by sequentially comparing transmission/reception packet patterns collected at unit time intervals with all packets of normal patterns to calculate the degree of matching. According to another embodiment of the present invention, the calculation of the matching rate is performed by generating an expected packet pattern according to a time series by the machine learning artificial intelligence described as the above embodiment, comparing the transmitted/received packet pattern with the expected packet pattern, and It can be calculated by comparing whether individual packets constituting the pattern match, and more specifically, each individual packet includes a range of payload capacity, type of service used, destination IP address, and port used. It can be calculated by comparing whether or not belonging to the same packet category according to attribute information, and repeatedly executing the comparison until the comparison between packet patterns is completed.

The matching rate calculation may be performed by grouping packets for a predetermined unit of time. In addition, the coincidence rate calculation may be continuously and repeatedly performed or may be periodically performed. For example, the transmission/reception packet pattern may be generated by mirroring all transmitted/received first packets, or the transmitted/receive packet pattern may be generated by collecting first packets for 1 second through mirroring at intervals of every 5 seconds. The generation period of the transmission and reception packets may be executed by setting any predetermined unit time and/or execution period by a person skilled in the art according to the performance design requirements of the network security monitoring device 130, all of which are within the technical purpose of the present invention. do not deviate

The result of the matching rate calculation is the denominator of the larger number of individual packets included in the transmitted/received packet pattern and the expected packet pattern, and the number of packets determined to match between the transmitted/received packet pattern and the expected packet pattern as the numerator. It can be derived in the form of a fraction with

A result of the matching rate calculation may be notified from the network security monitoring device 130 to the network security management device 140 (222). The network security management device 140 may be a device that determines whether a security policy is applied through monitoring results. In addition, the network security management device 140 may be a device manipulated by a network security manager to set a network security policy and determine whether to apply the network security policy.

The network security management device 140 may be a subject that determines whether traffic currently being generated from the first terminal belongs to the category of abnormal traffic based on the notified match rate. According to an embodiment of the present invention, if the matching rate between the transmission/reception packet pattern and the normal pattern is less than the normal level, it can be determined as abnormal traffic significantly deviating from the normal pattern. The normal level matching rate is set to 35% in one embodiment of the present invention, but does not necessarily need to be defined as a corresponding value, and an administrator who operates the network security management device 140 can modify it according to the environment of the field. As described above, the abnormal traffic generated through the first packet from the first terminal is referred to as first abnormal traffic for convenience.

The network security management device 140 may instruct the network security monitoring device 130 to block the first or more traffic when detecting the first or more traffic through the above procedure (223). Upon receiving the instruction, the network security monitoring apparatus may transmit the instruction to the network relay apparatus 120 to instruct (212). Accordingly, the network relay device 12 blocks transmission of traffic generated by the first terminal 110-1 that generates abnormal traffic so that it is not transmitted to the network, and transmits the traffic to the network of the first terminal 110-1. It can also be configured to block (213) the access of.

The network security management device 140 may also be configured to notify the network security manager using the network security management device 140 of the fact when the network security management device 140 detects the first or more traffic according to an embodiment of the present invention. there is. The means of notification may be any means that can be applied by a person skilled in the art, displayed on a display attached to the network security management device 140, and a general-purpose computer in which the network security management device 140 is executed as software. Event generation in the device and transmission of a communication message to another device connected to the network security management device 140 through a network may be included in the method. The communication message transmission method may include SMS text message transmission, messenger text message transmission, or E-Mail transmission.

The abnormal traffic detection method described with reference to FIG. 2A is applied to the first terminal, and may be referred to as the first abnormal traffic detection method, and thus is distinguished from the second abnormal traffic detection method described below.

General monitoring procedure for the second terminal

2B is a communication flowchart illustrating a security monitoring method of a second terminal according to an embodiment of the present invention. As described above, one of the characteristics of the present invention is to apply the first abnormal traffic detection method based on the matching rate to the packet pattern of the first terminal requiring intensive monitoring, while the second terminal requiring intensive monitoring is highly sophisticated. It is to implement efficient network monitoring and abnormal traffic monitoring by using a second abnormal traffic detection method in combination with a conventional network monitoring method instead of centralized monitoring that requires computing resources. Referring to FIG. 2B, a procedure for monitoring normal abnormal traffic for the second terminal will be described in detail.

When the user terminal attempts to access the network, the second terminal may request network access authentication (201) according to a prescribed procedure for network access through the relay system 160. The authentication request is made by at least one of authentication using an IP address, authentication using a MAC address, authentication using a user ID, authentication using a user password, authentication using encrypted communication, and authentication using an authentication program installed in a terminal. can If it is determined that the authentication request is legitimate, the network relay device 120 permits the corresponding user terminal to access the network, designates the corresponding user terminal as the second terminal 110-2, and informs the second terminal 110-2 of the authentication approval. 2) can be notified (202).

According to a preferred embodiment of the present invention, the authentication request operates in a manner of executing a network access authentication program, the authentication program is executed in the second terminal, and the user of the second terminal 110-2 receives the user. Receives an ID and a user password, transmits the ID and password from the second terminal 110-2 to the network relay device 120, and the network relay device 120 verifies the user ID and user password , it can be implemented as a method of approving authentication in the case of a legitimate combination. According to another embodiment of the present invention, in the authentication request described above, the network access authentication program may be executed on a web basis through a web page provided by a virtual server embedded in the network relay device 120. In this case, the second terminal 110-2 browses and displays a web page for authentication through a web browser, and displays the user ID and user information from the user of the second terminal 110-2 through the web page. It may be configured to receive a password.

Referring back to FIG. 3 , the network access request of the user terminal is received by the network relay device 120 (S300). As described above, the network relay device 120 may use a whitelist method to discriminate (S310) whether or not an exception access is allowed. According to an embodiment of the present invention, if the exception access target is not the network relay device 120 may transmit a response requesting the user terminal to authenticate the user ID (S330). Communication related to ID authentication is received from the user terminal that has received the response, and it is determined whether the corresponding authentication is successful (S340). If the authentication is successful, the corresponding user terminal is designated as the second terminal (S350) and access is accepted (S370). do. If the authentication fails, it is obvious that access of the corresponding user terminal is rejected (S360).

Referring back to FIG. 2B , when the second terminal 110 - 2 transmits a packet to the network (203 ), the corresponding packet is mirrored by the network repeater 120 to generate a mirroring packet. The mirroring packet is transmitted to the network security monitoring device 130 (204) and analyzed. Meanwhile, the original packet before being mirrored is transmitted to the network (205) along a normal relay path. Even when a packet with the second terminal 110-2 as a receiver is received from the network (206), the packet is mirrored by the network relay device 120 to generate a mirroring packet, which monitors network security. It is passed 207 to device 130 for analysis. Since access of the second terminal 110-2 is currently allowed, the original packet before being mirrored is received by the second terminal according to a normal relay path (208). All packets transmitted and received from the second terminal 110-2 are referred to as second packets for convenience.

The network security monitoring device 130 may analyze statistical characteristics of the mirrored second packet to determine whether the mirrored second packet belongs to abnormal traffic. According to an embodiment of the present invention, the network security monitoring device 130 may derive various statistical values for the second packet by analyzing the mirrored second packet.

For example, the network security monitoring device 130 analyzes the header of the mirrored second packet to determine which protocol the second packet is related to, specifically, whether it is an HTTP packet, a DB related packet, or a TCP related packet. It can distinguish whether it is a packet or not. Also through this. Through this, you can check to which server the request information such as "GET/web address/HTTP/1.1" was sent. This packet header information can be parsed and parsed. "GET" becomes a request message, and "web address" indicates a web address associated with the request. In addition, "HTTP/1.1" means HTTP 1.1 version, and language information (eg, ko-kr) associated with the packet may also be checked and stored. In addition to GET, POST, HEAD, PUT, DELETE, etc. may be transmitted according to the request method, and the network security monitoring device 130 may secure such information together with time information and related IP.

The network security monitoring device 130 also assigns an index to each mirrored second packet, and based on the assigned index, determines which packet it is, whether the corresponding packet is an HTTP-based request packet, or a response packet to it. do. At this time, a comparative analysis with information obtained from packets received in the past is also performed. For example, there may be a response packet received from the network 150 in response to a request packet previously transmitted by the second terminal 110-2, and in this way, at least two or more packets are combined time-sequentially to establish a flow of a session or transaction unit. You can check.

The network security monitoring device 130 may also check which browser the second terminal 110-2 used, information related to the HOST, previous URL address information, and browser support language information through analysis of the mirrored second packet. there is. At this time, it is possible to analyze what type of header (general header, request header, or entity header) the header is, and to parse information indicating the boundary between the header and the payload. In addition, URL (Uniform Resource Locator) (or URI (uniform resource identifier)), source IP (Source_ip), destination IP (Dest_ip), and time information of the mirrored second packet may be analyzed. Here, by checking the URL value, it is possible to check which address the packet is redirected to, such as "https://www.google.co.kr/?gws_rd=ssl". In addition, the source IP may indicate the IP address of the client terminal, and the destination IP may indicate the IP of the server associated with the final destination site of the request. In the case of a response packet, opposite information may be indicated. Time information may be provided in a timestamp format. In addition, length information (length) of the entire packet may be checked.

The network security monitoring device 130 includes packet analysis algorithms corresponding to various protocols, such as HTTP, IP, UDP, TCP, and DNS, for analysis of the mirrored second packet, and is suitable for each protocol. It can adaptively extract URL, source IP, destination IP and time information from packets and use them for analysis.

The network security monitoring device 130 may accumulate and store analysis data of the mirrored second packet derived from the analysis as described above according to time series, and then derive statistics based on this. The statistics may be notified 210 to the network security management device 140 and processed or displayed at the network security management device 140 . According to an embodiment of the present invention, the statistics are calculated so that a security manager using the network security management device 140 can intuitively determine whether abnormal traffic exists on the current network by using various types of preset visualization tools. can be visualized. That is, a meaningful type of graph or table may be created by collecting statistical indicators related to specific parameters. For example, tasks such as creating a list of sessions created by a specific second terminal 110 - 2 in a specific time period or creating a table for database queries generated at that time are performed. That is, since the performance indicators related to the network service are stored together with the time information (time stamp information) of the corresponding packet, a flow map can be created to understand the packet flow in a specific time period in the network relationship. .

According to an embodiment of the present invention, the network security management device 140 may be configured to notify the network security manager using the network security management device 140 of the statistics and/or the visualized statistics. The means of notification may be any means that can be applied by a person skilled in the art, displayed on a display attached to the network security management device 140, and a general-purpose computer in which the network security management device 140 is executed as software. Event generation in the device and transmission of a communication message to another device connected to the network security management device 140 through a network may be included in the method. The communication message transmission method may include SMS text message transmission, messenger text message transmission, or E-Mail transmission.

In addition, according to an embodiment of the present invention, the network security management device 140 may perform a function of detecting the second abnormal traffic generated from the second terminal based on the statistics and/or the visualized statistics. The detection may be implemented automatically when the numerical value of the statistical indicator reaches a pre-specified risk level, and is implemented in the form of a manual operation receiving an input from a network security manager for the network security management device 140. It could be. As described above, the abnormal traffic generated through the second packet from the second terminal is referred to as second abnormal traffic for convenience.

The network security management device 140 may instruct the network security monitoring device 130 to block the second or more traffic when the second or more traffic is detected through the above procedure (211). Upon receiving the instruction, the network security monitoring apparatus may transmit the instruction to the network relay apparatus 120 to instruct (212). Accordingly, the network relay device 12 blocks transmission of traffic generated by the first terminal 110-1 that generates abnormal traffic so that it is not transmitted to the network, and transmits the traffic to the network of the first terminal 110-1. It can also be configured to block (213) the access of.

As described above, the abnormal traffic detection method described with reference to FIG. 2B is applied to the second terminal, and may be referred to as the second abnormal traffic detection method, which is different from the first abnormal traffic detection method described above. , can be used concurrently on the same network.

network security monitoring device

4 is a block diagram showing the structure of a network security monitoring device according to an embodiment of the present invention. The above-described first method for detecting abnormal traffic and the method for detecting second abnormal traffic may be implemented by a network security monitoring device as shown in FIG. 4 . A configuration of a network security monitoring apparatus according to an embodiment of the present invention will be described with reference to FIG. 4 .

The network security monitoring device 460 is a device belonging to the network relay system 400 . The network relay system 400 is a system installed to relay all communications between an external network (not shown) and a user terminal (not shown).

The network security monitoring device 460 may be configured to communicate with the network relay device 440 and the network security management device 450 . The communication may be applied by those skilled in the art, such as communication within the same software program, communication within the same physical computing device, communication between a plurality of software programs executed simultaneously or at a staggered interval, and network communication between physical computing devices spaced apart from each other. It may be implemented by any communication means that can be used.

The network security monitoring device 460 may be configured to receive information of the first terminal, which is a subject of intensive monitoring, from the network relay device 440 . The information may include at least one of an IP address or a MAC address of the first terminal. The information is supplied to the monitoring subject management unit 410 and stored in the form of a centralized monitoring list including information on the first terminal.

The network security monitoring device 460 may be configured to receive and process mirrored packets from the network relay device 440 . The mirrored packet is supplied to the mirroring packet receiving unit 420, to the first abnormal traffic monitoring unit 430 when the packet source is the first terminal, and to the second abnormal traffic monitoring unit 430 when the packet source is the second terminal. (438).

The first abnormal traffic monitoring unit includes a pattern generation unit 432 that generates a transmission/reception packet pattern by collecting mirrored first packets according to time series, a calculation unit 434 that calculates a matching rate between the transmission/reception packet pattern and the normal pattern, and the It may be configured to include an anomaly determining unit 436 that determines that the traffic is abnormal when the matching rate exceeds the risk level. Each unit may be used to implement the first abnormal traffic detection method described above with reference to FIG. 2A. According to an embodiment of the present invention, the pattern generation unit 432 collects transmission and reception packet patterns and generates a normal pattern, and the calculation unit 434 performs machine learning to calculate a matching rate between transmission and reception packet patterns and normal patterns. It may be implemented to operate while being connected to or communicating with artificial intelligence (not shown).

The anomaly determination unit 436 may be configured to notify the network security management device 450 of the occurrence of the abnormal traffic when the first abnormal traffic is detected because it is determined that the matching rate is less than the normal level, and the network relay device It may be configured to send an instruction to block the first or more traffic to 440.

The second abnormal traffic monitoring unit 438 is configured to analyze the mirrored second packet, and may be implemented to implement the second abnormal traffic detection method described above with reference to FIG. 2B. The second abnormal traffic monitor 438 may be configured to notify the network security management device 450 of packet statistics.

According to an embodiment of the present invention, the network security monitoring device 460 sends a blocking instruction for specific traffic transmitted from the network security management device 450, preferably, a blocking instruction for the second abnormal traffic, It can be configured to forward to the relay device 440.

Although it has been described with reference to the drawings and examples, it does not mean that the scope of protection of the present invention is limited by the drawings or examples, and those skilled in the art can understand the spirit of the present invention described in the following claims. And it will be understood that the present invention can be variously modified and changed without departing from the scope.

Claims (21)

A method for a network security monitoring device to monitor security of a network,
Storing a concentrated monitoring list including information about a first terminal determined to be an intensive monitoring target among terminals connected to the network;
mirroring a first packet transmitted and received by the first terminal through the network;
mirroring a second packet transmitted and received by a second terminal not determined as an intensive monitoring target through the network; and
and performing security monitoring of the network based on the mirrored first and second packets.
According to claim 1,
The information about the first terminal includes an Internet Protocol (IP) address or a Media Access Control (MAC) address.
According to claim 1,
The method of monitoring network security, wherein the first terminal is determined as an intensive monitoring target based on whether user authentication is possible in the terminal.
According to claim 3,
The method of monitoring the security of the network, wherein the first terminal is determined as an intensive monitoring target by the network security management device.
According to claim 3,
The method for determining the first terminal as the subject of centralized monitoring may include, for at least one user terminal, if user authentication is possible in the user terminal, the user terminal is not determined as the subject of centralized monitoring, and user authentication is performed in the user terminal. If it is impossible or the user terminal requests an exception for user authentication, determining the user terminal as an intensive monitoring target.
According to claim 5,
The user authentication is performed by at least one of IP address authentication, MAC address authentication, user ID authentication, user password authentication, encryption communication authentication, and authentication by an authentication program installed in the terminal. A method of monitoring the security of a network, which is accomplished.
According to claim 1,
The security monitoring may include detecting a first abnormal traffic for the first terminal; and detecting second abnormal traffic for the second terminal,
The method of monitoring the security of the network, wherein the first abnormal traffic detection and the second abnormal traffic detection are different from each other.
According to claim 7,
The step of detecting the first abnormal traffic,
generating a transmission/reception packet pattern by collecting the mirrored first packets according to time series;
calculating a matching rate between the transmitted/received packet pattern and the normal pattern; and
A method for monitoring security of a network comprising determining that traffic is abnormal when the matching rate is less than a normal level.
According to claim 8,
The normal pattern is based on at least one normal state packet transmitted and received by a terminal of the same type as the first terminal in a normal state.
According to claim 8,
The normal pattern is based on at least one normal state packet transmitted and received by the first terminal in a state in which the network security monitoring device does not detect an abnormality.
According to claim 8,
The method of claim 1 , wherein the normal pattern is obtained by learning at least one steady state packet with machine learning artificial intelligence.
According to claim 11,
The step of calculating the matching rate may include generating an expected packet pattern according to time series by the machine learning artificial intelligence, comparing the transmitted/received packet pattern with the expected packet pattern, and comparing whether individual packets constituting the packet pattern match each other. A method for monitoring the security of a network, comprising the steps of:
According to claim 12,
The step of calculating the coincidence rate is,
The larger number of the transmitted/received packet pattern and the number of individual packets included in the expected packet pattern is used as the denominator, and the number of packets determined to match between the transmitted/received packet pattern and the expected packet pattern is calculated as the numerator. How to monitor your security.
According to claim 1,
A method for monitoring network security, further comprising blocking the network access of the first terminal when an abnormality is detected in the network security.
According to claim 1,
When an abnormality in the network security is detected, a method for monitoring network security further comprising notifying a network security management device of a message indicating that abnormal traffic has occurred in the first terminal.
In the network security monitoring device,
a monitoring target management unit that stores a centralized monitoring list including information about a first terminal determined to be a centralized monitoring target among terminals connected to the network;
A mirroring packet receiving unit configured to mirror and receive a first packet transmitted and received by the first terminal through the network and to mirror and receive a second packet transmitted and received by a second terminal not determined as an intensive monitoring target through the network ; and
Network security monitoring apparatus comprising a traffic monitoring unit for performing security monitoring of the network based on the mirrored first packet and second packet.
17. The method of claim 16,
The first terminal is determined based on whether user authentication is possible in the terminal, network security monitoring device.
17. The method of claim 16,
The traffic monitoring unit,
a pattern generation unit generating a transmission/reception packet pattern by collecting the mirrored first packets according to time series;
a calculation unit calculating a coincidence rate between the transmitted/received packet pattern and the normal pattern; and
Network security monitoring device configured to include an anomaly determination unit that determines that the traffic is abnormal when the matching rate is less than a normal level.
According to claim 18,
The network security monitoring device, wherein the normal pattern is obtained by learning at least one normal state packet with machine learning artificial intelligence.
17. The method of claim 16,
The network security monitoring apparatus of claim 1 , wherein the traffic monitoring determination unit is configured to block network access of the terminal to be monitored intensively when abnormal traffic is detected.
determining a first terminal subject to centralized monitoring and a second terminal not subject to centralized monitoring based on whether user authentication is possible among terminals connected to the network;
perform authentication for the second terminal;
generating a centralized monitoring list including information about the first terminal and transmitting the centralized monitoring list to a network security monitoring device; and
A network relay device configured to block traffic of a first terminal or a second terminal based on a traffic blocking instruction.

Images