KR20240009323A - Electronic apparatus and method for analyzing traffic using cloud documents - Google Patents

Abstract

Mirroring packets transmitted and received from a client device to an external device; Analyzing whether the mirrored packet is a packet related to a cloud document editing task; Reconstructing a cloud document based on the contents of the analyzed packet; and determining whether the reconstructed cloud document contains confidential information. A traffic analysis method according to an embodiment is disclosed.

Description

{ELECTRONIC APPARATUS AND METHOD FOR ANALYZING TRAFFIC USING CLOUD DOCUMENTS}

This disclosure relates to traffic analysis. More specifically, the present disclosure relates to an apparatus and method for extracting content of HTTP (HyperText Transfer Protocol) traffic on a network, reconstructing a cloud document, and analyzing whether confidential information is leaked.

As network technology has developed dramatically, services that were mainly performed offline, such as document work, are now being performed online. Since many services such as file upload/download, email, chat, and document editing are performed online, efficient network security is required.

Network security has evolved from the existing method of access control using only packet header information (IP protocol information) to a method of inspecting the payload of the packet (e.g., IDS (Intrusion Detection System)/IPS (Intrusion Preventing System)). Furthermore, it has developed into a method of inspecting the headers of L7 (layer 7) protocols such as HTTP, represented by web firewalls.

Recently, since most network services are based on HTTP, there is a need to go further than the web firewall method that simply inspects HTTP headers.

As corporate work shifted from individual work to collaboration work, the use of cloud collaboration programs began to gradually increase. Due to these changes, incidents of confidential documents being leaked not only through the existing USB (Universal Serial Bus) but also through the Internet began to appear. In order to discover the cause of these leaks and perform detailed analysis, a packet analysis technique called network forensics was required. In other words, there was a need for technology to reconstruct and analyze cloud documents edited by users within a company that were analyzed through network forensics technology.

The purpose of an electronic device and a method for analyzing traffic using the same according to an embodiment is to effectively analyze messages.

In addition, an electronic device and a method for analyzing traffic therefrom according to an embodiment are aimed at preventing personal and corporate information from being leaked by extracting content in an HTTP message, reconstructing a cloud document, and analyzing whether confidential information is leaked. Do it as

The problems to be solved by the present invention are not limited to those mentioned above, and other problems not mentioned can be clearly understood by those skilled in the art from the description below.

A method of analyzing traffic by an electronic device according to an embodiment includes:

Mirroring packets transmitted and received from a client device to an external device; Analyzing whether the mirrored packet is a packet related to a cloud document editing task; Reconstructing a cloud document based on the contents of the analyzed packet; and determining whether the reconstructed cloud document contains confidential information.

In one embodiment, analyzing whether the mirrored packet is a packet related to a cloud document task includes determining whether the protocol of the packet is a predetermined protocol; determining whether host information in the header of the packet corresponds to a cloud document editing service; and determining whether the packet contains information related to a cloud document editing task.

In one embodiment, the step of analyzing whether the mirrored packet is a packet related to a cloud document editing task includes, if the packet includes information related to a cloud document editing task, the document of the cloud document editing task service is selected from the packet. Obtaining an identifier; and obtaining at least one of editing action information, editing content information, and editing location information from the packet.

In one embodiment, the editing action information includes information representing at least one of add, delete, modify, and revert, the edit content information includes information representing an edit string, and the edit location information includes the edit location within the document. It may contain information indicating the offset.

In one embodiment, reconstructing a cloud document based on the contents of the analyzed packet may include determining whether a document corresponding to the obtained document identifier of the cloud document editing service exists in a document storage; If a document corresponding to the document identifier exists in the document storage, the cloud document is reconstructed by combining the editing content determined based on the editing behavior information, editing content information, and editing location information with the document content of the document storage, and storing the reconstructed cloud document in the document storage; and when a document corresponding to the document identifier does not exist in the document storage, creating a new document file and reconstructing the cloud document based on editing content determined from editing action information, editing content information, and editing location information, It may include storing the reconstructed cloud document in the document storage.

In one embodiment, determining whether the reconstructed cloud document contains confidential information includes: It may include determining whether the reconstructed cloud document contains confidential information using a neural network previously trained based on the contents of a training document containing confidential information.

In one embodiment, the packet is a first packet, and the method includes updating the reconstructed cloud document based on the contents of the second packet; and determining whether the updated cloud document contains confidential information each time it is updated.

In one embodiment, the method may further include displaying a document identifier and a result of determining whether the document contains the confidential information.

In one embodiment, when the reconstructed cloud document contains confidential information, the method performs at least one of blocking packet transmission and reception operations between the client device and an external device and sending a warning message to the client device. Additional steps may be included.

In one embodiment, the step of determining whether the packet contains information related to a cloud document editing task includes host information, URL information, and method information of the packet and host information, URL information, and method of a predefined filter rule. Identifying a predefined parsing tool according to whether or not the information matches; and determining whether the packet contains information related to cloud document editing, according to the identified predefined parsing tool.

An electronic device according to an embodiment includes a memory that stores one or more instructions; and a processor operating according to the one instruction, wherein the processor mirrors packets transmitted and received from a client device to an external device,

It is possible to analyze whether the mirrored packet is a packet related to a cloud document editing task, reconstruct the cloud document based on the contents of the analyzed packet, and determine whether the reconstructed cloud document contains confidential information. there is.

In one embodiment, when analyzing whether the mirrored packet is a packet related to a cloud document task, the processor determines whether the protocol of the packet is a predetermined protocol, and the host information and URL information of the header of the packet are stored in the cloud document. It may be determined whether the packet corresponds to a document editing task service and whether the packet contains information related to the cloud document editing task.

In one embodiment, when analyzing whether the mirrored packet is a packet related to a cloud document task, if the packet includes information related to a cloud document editing task, the processor provides a cloud document editing task service from the packet. The document identifier of can be obtained, and at least one of editing action information, editing content information, and editing location information can be obtained from the packet.

In one embodiment, when determining whether the packet contains information related to a cloud document editing task, the processor determines whether the packet includes host information, URL information, and method information, and host information and URL of a predefined filter rule. Depending on whether the information and method information match, a predefined parsing tool may be identified, and depending on the identified predefined parsing tool, it may be determined whether the packet contains information related to cloud document editing.

An electronic device and a method of analyzing HTTP traffic thereby according to an embodiment classifies packets associated with a cloud document editing service, determines and infers the content edited by a cloud user, and determines and infers that the edited cloud document contains private and confidential content. By detecting whether the information is included, the administrator can reduce the time consumption caused by directly viewing and judging the contents of the packet or document, and can effectively detect the leakage of confidential documents containing personal information and corporate information.

The effects of the present invention are not limited to those mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

FIG. 1 is a diagram illustrating a client device, a server, and an electronic device for analyzing HTTP traffic, according to an embodiment.
Figure 2 is a flowchart showing a method of analyzing traffic by an electronic device according to an embodiment.
Figure 3 shows a configuration diagram of an electronic device for detecting cloud document contents.
Figure 4 is a diagram showing an example of reconstructing a document based on user action information.
Figure 5 is a diagram illustrating an HTTP message related to a loading action of a cloud document editing service.
Figure 6 is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.
Figure 7 is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.
FIG. 8 is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.
FIG. 9A is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.
FIG. 9B is a diagram illustrating an HTTP message related to a user attaching an image to a document according to one embodiment.
FIG. 9C is a diagram illustrating an HTTP message related to a user creating an Excel document according to one embodiment.
Figure 10 is a flowchart for explaining a traffic analysis method according to an embodiment.
Figure 11 is a flowchart showing a process in which a user edits a cloud document according to an embodiment.
Figure 12 is a flowchart to explain the packet collection and analysis process according to one embodiment.
Figure 13 is a diagram for explaining a cloud document reconstruction and confidential document classification process according to an embodiment.
FIG. 14 is a block diagram showing the configuration of the electronic device 100 according to an embodiment.

Since the present disclosure can make various changes and have various embodiments, specific embodiments will be illustrated in the drawings and described in detail through detailed description. However, this is not intended to limit the embodiments of the present disclosure, and the present disclosure should be understood to include all changes, equivalents, and substitutes included in the spirit and technical scope of the various embodiments.

In describing the embodiments, if it is determined that detailed descriptions of related known technologies may unnecessarily obscure the gist of the present disclosure, the detailed descriptions will be omitted. In addition, numbers (eg, first, second, etc.) used in the description of the specification are merely identifiers to distinguish one component from another component.

In addition, in this specification, when a component is referred to as "connected" or "connected" to another component, the component may be directly connected or directly connected to the other component, but specifically Unless there is a contrary description, it should be understood that it may be connected or connected through another component in the middle.

In addition, in this specification, components expressed as 'unit (unit)', 'module', etc. are two or more components combined into one component, or one component is divided into two or more components for each more detailed function. It may be differentiated into In addition, each of the components described below may additionally perform some or all of the functions of other components in addition to the main functions that each component is responsible for, and some of the main functions of each component may be different from other components. Of course, it can also be performed exclusively by a component.

FIG. 1 is a diagram illustrating a client device 10, a server 20, and an electronic device 100 for analyzing HTTP traffic, according to an embodiment.

Referring to FIG. 1, the client device 10 and the server 20 can transmit and receive an HTTP message 30 through a network.

In one embodiment, the client device 10 may include various types of devices such as smartphones, desktop PCs, laptops, tablet PCs, and servers that can be connected to the server 20 through a network.

In one embodiment, the network may include a wired network and a wireless network. For example, the network may include various networks such as a local area network (LAN), a metropolitan area network (MAN), and a wide area network (WAN). Additionally, the network may include the known World Wide Web (WWW). However, the network according to the embodiment of the present disclosure is not limited to the networks listed above, and may include at least some of a known wireless data network, a known telephone network, and a known wired and wireless television network.

The HTTP message 30 transmitted and received between the client device 10 and the server 20 may be an HTTP request or an HTTP response. For example, the client device 10 may transmit an HTTP request to the server 20, and the server 20 may generate an HTTP response according to the HTTP request and transmit it to the client device 10.

The electronic device 100 may acquire the HTTP message 30 transmitted and received between the client device 10 and the server 20 and extract header information and content through a parsing process for the HTTP message 30.

As will be described later, header information may include at least one of host information, URL (Uniform Resource Locator) information, and method information. Header information may be included in the header of the HTTP message 30, and content may be included in the body of the HTTP message 30.

To explain the HTTP message 30 in more detail, the HTTP message 30 includes Layer 2 with hardware information, Layer 3 with IP information, Layer 4 with port information, and protocol information such as HTTP. It can be divided into Layer 7, and after analyzing the header of the Layer 7 protocol, it is possible to extract content containing information such as email, chat, and files.

Since Layer 2 to Layer 7 are commonly used protocols, it is relatively easy to extract information. However, since the content is implemented by the server 20 itself, there is no standard document, and therefore, no known parsing tool exists. Some servers 20 express content in json (JavaScript Object Notation), some servers 20 express content in xml (eXtensible Markup Language), and some servers 20 express content in MIME (Multipurpose Internet Mail Extensions), so various types of It is difficult to extract content from the HTTP message 30.

The electronic device 100 according to an embodiment of the present disclosure may extract content from the HTTP message 30 of various servers 20 through filter rules and parsing rules, which will be described later. The operation of the electronic device 100 according to one embodiment will be described with reference to FIGS. 2 to 14.

FIG. 2 is a flowchart showing a method of analyzing traffic by the electronic device 100 according to an embodiment.

In step S210, the electronic device 100 may mirror packets transmitted and received from the client device to the external device.

In one embodiment, the electronic device 100 transmits not only the user's cloud document editing work service, but also all RAW packets that can be generated from file download and messenger services to the outside (e.g., the Internet), in the middle. You can capture packets and copy the packets. The electronic device 100 includes the client device 10 of the cloud editing service and information such as the L7 protocol, URL information, and source/destination IP information of packets flowing from a portion connected to the external interface of the network including the electronic device 100. Data can be stored.

In step S220, the electronic device 100 may analyze whether the mirrored packet is a packet related to a cloud document editing task.

In one embodiment, the electronic device 100 may determine whether the protocol of the packet is a predetermined protocol. At this time, the predetermined protocol may include HTTP. The electronic device 100 may determine whether host information in the packet header corresponds to a cloud document editing service. The electronic device 100 may determine whether the packet contains information related to a cloud document editing task. The electronic device 100 determines whether the host information, URL information, and method information of the packet match the host information, URL information, and method information of the filter rule corresponding to the cloud editing service, and if matching, the packet is stored in the cloud. It can be determined that it contains information related to document editing work.

If the packet contains information related to a cloud document editing task, the electronic device 100 may obtain the document identifier of the cloud document editing task service from the packet. At this time, the electronic device 100 may obtain the document identifier of the cloud document editing service from the packet according to the parsing rule corresponding to the predetermined parsing tool.

The electronic device 100 may obtain at least one of editing behavior information, editing content information, and editing location information from the packet. At this time, the electronic device 100 may obtain at least one of editing behavior information, editing content information, and editing location information from the packet according to a parsing rule corresponding to a predetermined parsing tool. At this time, the editing action information may include information indicating at least one of addition, deletion, modification, and revert. The editing position information may include information indicating the offset, which is the editing position within the document.

According to one embodiment, when the cloud document editing task is related to a string, the editing content information may include information representing the editing string.

According to one embodiment, when a cloud document editing task is related to a table, the editing content information may include a string in the table and information on columns and rows of the table.

According to one embodiment, when a cloud document editing task is related to a picture, the editing content information may include identifier information of the picture (e.g., a file key corresponding to the original raw data of the picture in cloud storage).

In step S230, the electronic device 100 may reconstruct the cloud document based on the contents of the analyzed packet.

The electronic device 100 may determine whether a document corresponding to the obtained document identifier of the cloud document editing service exists in the document storage.

If a document corresponding to the document identifier exists in the document storage, the electronic device 100 reconstructs the cloud document by combining the editing content determined based on the editing behavior information, editing content information, and editing location information with the document content in the document storage. And the reconstructed cloud document can be saved in the document storage.

If a document corresponding to the document identifier does not exist in the document storage, the electronic device 100 creates a new document file and reconstructs the cloud document based on the edit content determined from the edit action information, edit content information, and edit location information. And the reconstructed cloud document can be stored in the document storage.

In step S240, the electronic device 100 may determine whether the reconstructed cloud document contains confidential information.

The electronic device 100 may determine whether the reconstructed cloud document contains confidential information using a neural network previously trained based on the contents of the training document containing confidential information. The training document may be a document containing private and confidential information such as phone number, social security number, address, etc.

Here, the neural network may be Recurrent Neural Networks (RNN) or Long Shot Term Memory network (LSTM). The electronic device 100 can vectorize the contents of the training document in character units (convert the characters into one-hot-vector) and use this as input to classify confidential documents using a neural network.

The electronic device 100 may update the reconstructed cloud document based on the contents of the packet obtained later. The electronic device 100 may determine whether the updated cloud document contains confidential information each time it is updated.

FIG. 3 shows a configuration diagram of an electronic device 100 for detecting cloud document contents.

The electronic device 100 for detecting cloud document content includes a packet mirroring module 310, a packet analysis module 320, a cloud document editing module 330, a cloud document storage 340, and a cloud document content analysis module 350. may include.

The electronic device 100 can copy all packets exchanged between the Internet and the user terminal through the packet mirroring module 310. For example, A and B packets related to cloud document editing may be copied through the packet mirroring module 310.

The electronic device 100 may check whether the packet contains information related to cloud document editing through the packet analysis module 320 and obtain information related to cloud document editing. For example, from A and B packets, “(Write, 0, A)” and “(Write, 1, B)” information can be obtained. At this time, "(Write, 0, A)" is information about the document editing behavior of writing the string "A" in the 0th position, and "(Write, 1, B)" is information about the document editing behavior of writing the string "B" in the 1st position. This may be information about document editing behavior.

The cloud document editing module 330 may reconstruct the document based on information related to cloud document editing obtained through the packet analysis module 320. For example, the cloud document editing module 330 may reconstruct a document containing “AB” content from “(Write, 0, A)” and “(Write, 1, B)” information. The reconstructed document may be stored in the cloud document storage 340.

The cloud document content analysis module 350 can determine whether the content of the document stored in the cloud document storage 340 contains confidential information using an AI model. The results of whether confidential information is included can be sent to the administrator.

Below, specific operations for each module of the electronic device 100 will be described.

When packets generated by cloud document editing service users flow at the interface outside the Internet and the network including the electronic device 100 and the user terminal, the packet mirroring module 310 determines the L7 protocol, URL, and IP source/destination of the flowing packets. It can play a role in storing data such as: The stored packet information may be transmitted to the packet analysis module 320.

When transmitting all RAW packets, including packets related to file downloads and messenger services, as well as packets related to cloud document editing services, to the Internet, the packet mirroring module 310 can intercept packets in the middle and copy the packets. there is.

The packet analysis module 320 can acquire editing location, editing content, and editing behavior information through analysis of packets transmitted from the packet mirroring module 310, and analyze editing behavior based on the obtained information. The analyzed editing behavior can be used to reconstruct the document in the cloud document editing module 330. For example, if "(write, 8, "text")" information is extracted from the packet, the packet analysis module 320 relates the packet to the action of writing a text based on the extracted information, and the 8th position It can be analyzed as being related to the action of overwriting the text "text", starting from .

The cloud document editing module 330 combines the action content with the document content stored in the cloud document storage 340 based on the action content (opening and editing) analyzed in the packet analysis module 320, and then combines the action content with the document content stored in the cloud document storage (340). 340). For example, if the content of the saved document is "TEXT WORD" and the packet information is "(write, 0, "DOCS")", the action content to overwrite the 0th "DOCS" string is analyzed and , the document content can be modified to “DOCS WORD” and the modified document can be stored in the cloud document storage 340. Hereinafter, an example of reconstructing a document based on the user's action information will be described with reference to FIG. 4.

Figure 4 is a diagram illustrating an example of reconstructing a document based on user action information.

Referring to FIG. 4, a document can be reconstructed based on action information (action ID, OFFSET, action content) analyzed from the packet. For example, if the action ID analyzed from the first packet corresponds to "ADD", OFFSET is "1", and the content is "A", the reconstructed document may include the content "A". If the action ID analyzed from the second packet corresponds to "ADD", OFFSET is "2", and the content is "B", the reconstructed document may include the content "AB". If the action ID analyzed from the third packet corresponds to "ADD", OFFSET is "3", and the content is "C", the document may include the content "ABC". If the action ID analyzed from the fourth packet corresponds to "ADD", OFFSET is "4", and the content is "DE", the document may include the content "ABCDE". If the action ID analyzed from the fifth packet corresponds to "DEL", OFFSET is "1", and the deletion range is "2", the document may include the content "CDE". If the action ID analyzed from the sixth packet corresponds to "ADD", OFFSET is "3", and the content is "F", the document may include the content "CDF". If the action ID analyzed from the seventh packet corresponds to "ADD", OFFSET is "4", and the content is "G", the document may include the content "CDFG". If the action ID analyzed from the eighth packet corresponds to "DEL", OFFSET is "1", and the deletion range is "1", the document may include the content "DFG".

Referring again to FIG. 3, the cloud document content analysis module 350 retrieves the content stored in the cloud document editing module and analyzes the confidential document through an artificial intelligence neural network or machine learning trained on the content of the confidential document. It can be determined. For example, if the contents of "Tel: 02-xxx-xxxx" are stored in a document, the contents are entered into the cloud document content analysis module 350, and if it is determined that the trained confidential information features are extracted, the document is classified as confidential. It is determined that it is a document, and the result of whether it is a confidential document can be sent to the administrator.

Figure 5 is a diagram illustrating an HTTP message related to a loading action of a cloud document editing service.

Referring to FIG. 5, the HTTP message 500 of the fetch packet may include host information, URL information, and method information. For example, the header information of the HTTP message 500 may include “office.mybox.naver.com” as host information 510 and “/webword/handler/open?” as URL information 520. It may include “GET” as method information 530.

The electronic device 100 can identify the action of creating or loading a document through host information, URL information, and method information. For example, the electronic device 100 may identify that the HTTP message 500 is related to a document loading behavior based on the host information 510, URL information 520, and method information 530.

The electronic device 100 may obtain information such as a file name 540, document id 550, and document content 560 from the header and payload information of the HTTP message 500. For example, the electronic device 100 obtains “%25….docx” as the file name 540 from the HTTP message 500 and “0d176dff-7556-4ae9-a9e9-9a1cf1cc8153” as the document id (550). , “test document” can be obtained as document content 560.

Figure 6 is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.

Referring to FIG. 6, an HTTP message 600 of a packet generated when a user directly writes a document after loading the contents of the document is shown.

The electronic device 100 may obtain host information 615, URL information 620, and method information 625 from the box 610 of the HTTP message 600. The electronic device 100 compares the acquired information with the host information, URL information, and method information included in the predefined filter rule information, and if they match, identifies the HTTP message 600 as packet information related to document editing. You can.

The box 630 of the HTTP message 600 may include the action code 635 of the document, OFFSET 640 indicating the action location, sequence number 645, and document content 650.

For example, box 630 in the HTTP message 600 contains "41" as the action code 630 of the document, "[15,15]" as the OFFSET (640), "2" as the sequence number 645, and “write” as document content 650. The electronic device 100 determines that the document action code "41" of the HTTP message 600 is an insertion action, the second action is the sequence number "2", and the 15th position is the OFFSET "[15,15]", and the document content. It can be identified that it is "write" and that the HTTP message 600 represents the action of inserting "write" at the 15th position as the second action in the current document.

Figure 7 is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.

Referring to FIG. 7, an HTTP message 700 of a packet generated when a user directly writes a document after loading the contents of the document is shown.

The electronic device 100 may obtain host information 715, URL information 720, and method information 725 from the box 710 of the HTTP message 700. The electronic device 100 compares the obtained information with the host information, URL information, and method information included in the predefined filter rule information, and if they match, identifies the HTTP message 700 as packet information related to document editing. You can.

The HTTP message 700 may include an action code 735 of the document included in the box 730, an OFFSET 740 indicating the location of the action, and a sequence number 745.

For example, box 730 in HTTP message 700 contains "41" as the action code 735 of the document, "[21,21]" as OFFSET (740), "3" as sequence number 745, and “documen” as document content 750. The electronic device 100 determines that the document action code "41" of the HTTP message 700 is an insertion action, that it is the 3rd action from the sequence number "3", and that it is the 21st position from OFFSET "[21,21]", and document content. It can be identified that it is “documen” and that the HTTP message 700 represents the action of inserting “documen” at the 21st position as the third action in the current document.

FIG. 8 is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.

Referring to FIG. 8, an HTTP message 800 of a packet generated when a user directly writes a document after loading the contents of the document is shown.

The electronic device 100 may obtain host information 815, URL information 820, and method information 825 from the box 810 of the HTTP message 800. The electronic device 100 compares the acquired information with the host information, URL information, and method information included in the predefined filter rule information, and if they match, identifies that the HTTP message 800 is packet information related to document editing. You can.

The HTTP message 800 may include an action code 835 of the document included in the box 830, an OFFSET 840 indicating the location of the action, and a sequence number 845.

For example, box 830 in the HTTP message 800 contains "42" as the document's action code (835), "[27,27]" as the OFFSET (840), and "4" as the sequence number (845). It can be included. The electronic device 100 identifies the delete action from the document action code "42" of the HTTP message 800, the 4th action from the sequence number "4", and the 27th position from OFFSET "[27,27]", It can be identified that HTTP message 800 represents the action of deleting the character at position 27 as the fourth action in the current document.

FIG. 9A is a diagram illustrating an HTTP message related to a user's document creation according to an embodiment.

Referring to FIG. 9A, an HTTP message 900 of a packet generated when a user directly writes a document after loading the contents of the document is shown.

The electronic device 100 may obtain host information 904, URL information 906, and method information 908 from the box 902 of the HTTP message 900. The electronic device 100 compares the obtained information with the host information, URL information, and method information included in the predefined filter rule information, and if they match, identifies the HTTP message 900 as packet information related to document editing. You can.

The HTTP message 900 may include an action code 912 of the document included in the box 910, an OFFSET 914 indicating the location of the action, and a sequence number 916.

For example, box 910 in the HTTP message 900 contains "42" as the document's action code 912, "[26,26]" as the OFFSET (914), and "5" as the sequence number (916). It can be included. The electronic device 100 identifies the delete action from the document action code "42" of the HTTP message 900, the 5th action from the sequence number "5", and the 26th position from OFFSET "[26,26]"; It can be identified that HTTP message 900 represents the action of deleting the character at position 26 as the fifth action in the current document.

FIG. 9B is a diagram illustrating an HTTP message related to a user attaching an image to a document according to one embodiment.

Referring to Figure 9b, it shows the HTTP message 920 of the document storage packet and the HTTP message 940 of the image upload packet that occur when the user directly creates the document by attaching an image to the document after loading the contents of the document. .

The electronic device 100 may obtain host information, URL information, and method information from the box 922 of the HTTP message 920. The electronic device 100 compares the obtained information with the host information, URL information, and method information included in the predefined filter rule information, and if they match, identifies the HTTP message 920 as packet information related to document editing. You can.

HTTP message 920 may include image location information 924, sequence number 926, and image identifier 928. The image location information 924, sequence number 926, and image identifier 928 of the HTTP message 920 may be interpreted, and image location information 930, sequence number 932, and image identifier 934 may be obtained. there is.

For example, it may include 1 as the image location information 930, 1 as the sequence number 932, and “1r3ZKbank7CjmDOEZcsgiBUTwTHeVJ8MntFPdJ_Dg” as the image identifier 934. The electronic device 100 identifies the first position from the image location information "1" of the HTTP message 920, identifies the first action from the sequence number "1", and identifies the image from the image identifiers 928 and 934 to send the HTTP message. It can be identified that 920 is the first action in the current document and represents the action of inserting an image at the first position. At this time, the image identifiers 928 and 934 may be the same as the image identifier 942 of the HTTP message 940 of the image upload packet. Image identifiers 928, 934, and 942 may indicate original image data 944 uploaded through an image upload packet. Accordingly, the electronic device 100 can identify that the HTTP message 940 indicates an action of inserting an image of the original image data 944 into the first position based on the image identifier 928.

FIG. 9C is a diagram illustrating an HTTP message related to a user creating an Excel document according to one embodiment.

Referring to FIG. 9C, it shows an HTTP message 950 of a document storage packet that occurs when a user directly writes an Excel document.

The electronic device 100 may obtain host information, URL information, and method information from the box 960 of the HTTP message 950. The electronic device 100 compares the acquired information with the host information, URL information, and method information included in the predefined filter rule information, and if they match, identifies the HTTP message 950 as packet information related to Excel document editing. can do.

HTTP message 950 may include cell location information 962, cell content 964, and sequence number 966.

For example, [3,4,2,3] as cell location information 962, and as cell content 964. "b\", may contain 1 as the sequence number (966). The electronic device 100 selects 3-1 = 2nd column, 4-1 = 3rd row from [3,4] of [3,4,2,3] of the cell location information 962 of the HTTP message 950. (or the 2nd column, 3rd row from [2,3]), the "1" in the sequence number (966) identifies the first action, and the "b" in the cell content (964) identifies the cell position. By identifying the content as "b", it can be identified that the HTTP message 950 represents the action of inserting "b" at the position of the 2nd column and 3rd row as the first action in the current document.

According to one embodiment, when a user copies or cuts cell content, the electronic device 100 selects a from “[a,b]” of “[a,b,c,d]” in the cell location information. The cell position (start cell position) of the -1st column and b-1th row can be identified, and the cell position (end cell position) of the cth column and d row can be identified from [c,d]. 10 is a flowchart explaining a traffic analysis method according to an embodiment.

In step S1005, the user may start editing a cloud document using the user terminal 1000.

In step S1010, the packet mirroring module 1010 of the electronic device 100 may collect packets converted by the user's editing of the cloud document.

In step S1015, the packet mirroring module 1010 may transmit the collected packets to the packet analysis module 1015 of the electronic device 100.

In step S1020, the packet analysis module 1015 analyzes the protocol, host information, URL information, and method information of the collected packets to identify whether the collected packets are packets related to cloud document editing. The packet analysis module 1015 may obtain information related to cloud document editing from packets related to cloud document editing according to a parsing tool selected according to a filter rule. Information related to cloud document editing may include information about at least one of the cloud ID, document action, action location, and action content.

In one embodiment, the rule for selecting one of a plurality of parsing tools may be referred to as a filter rule, and the rule for extracting content from the body of the HTTP message according to the parsing tool selected according to the filter rule is parsed. It can be referenced as a rule.

The electronic device 100 according to one embodiment can effectively parse HTTP messages of various services based on filter rules and parsing rules.

The electronic device 100 may extract header information from the header according to a filter rule to select a parsing tool for extracting content.

For example, “office.mybox.naver.com” can be extracted as a host, and “/webword/handler/open?” can be extracted as a URL. And, "GET" can be extracted as a method. As described above, the electronic device 100 may use “offce.mybox.naver.com”, “/webword/handler/open?” among a plurality of parsing tools. You can select a parsing tool corresponding to "GET".

In step S1025, the packet analysis module 1015 may transmit information related to cloud document editing to the cloud document editing module 1020.

In step S1030, the cloud document editing module 1025 of the electronic device 100 may request a document stored in the cloud document storage using a cloud ID (document ID).

In step S1035, the cloud document storage 1030 may transmit the document content of the document stored with the cloud ID to the cloud document editing module 1025. If a document stored with a cloud ID does not exist, the cloud document storage 1030 may create a document corresponding to the cloud ID and transmit the created document contents to the cloud document editing module 1025.

In step S1040, the cloud document editing module 1025 may reconstruct the document through the order of packets, document editing behavior, document editing content, and document editing location.

In step S1045, the user may continue editing the cloud document using the user terminal 1000.

In step S1050, the packet mirroring module 1010 may collect packets converted by the user's cloud document editing.

In step S1055, the packet mirroring module 1010 may transmit the collected packets to the packet analysis module 1015.

In step S1060, the packet analysis module 1015 analyzes the protocol, host information, URL information, and method information of the collected packets to identify whether the collected packets are packets related to cloud document editing, and provides information related to cloud document editing. It can be obtained.

In step S1065, the packet analysis module 1015 may transmit information related to cloud document editing to the cloud document editing module 1020.

In step S1070, the cloud document editing module 1020 may reconstruct the document through the order of packets, document editing behavior, document editing content, and document editing location. Unlike steps S1030 and S1035 performed after S1025, steps similar to S1030 and S1035 are not performed after S1065 because the document stored with the cloud ID is requested and the contents of the already stored document are received from the cloud document storage.

In step S1075, if no more document editing-related packets are received or a packet indicating document editing is received, the cloud document editing module 1020 stores the reconstructed document in the cloud document storage 1025 with a cloud ID. You can.

In step S1080, the electronic device 100 may identify a pattern of document content using an AI model for a document with a cloud ID stored in the cloud document storage 1025. The electronic device 100 can detect whether a document contains confidential content based on the pattern of the document content.

In step S1085, the electronic device 100 may transmit the detection result of S1080 and the cloud ID to the display of the electronic device 100 or the manager's terminal 1030. The administrator can check whether confidential information has been leaked through cloud document editing by checking the detection result through the display or the administrator's terminal 1030.

Figure 11 is a flowchart showing a process in which a user edits a cloud document according to an embodiment.

Referring to FIG. 11, in step S1110, the user can edit a cloud document using the user terminal.

In step S1120, the user terminal may convert the user's document editing information into packets and transmit them to the Internet. At this time, the packet may include cloud ID, creation order, creation action, creation location, and creation content.

In step S1130, the electronic device 100 can check whether the transmitted packet has arrived at the packet mirroring module 310. When a packet transmitted from a user terminal arrives at the packet mirroring module 310, the electronic device 100 may perform a packet collection and analysis process by mirroring the packet. The packet collection and analysis process will be described with reference to FIG. 12.

If the packet transmitted from the user terminal does not arrive at the packet mirroring module 310, the electronic device 100 may check whether the packet transmitted from the user terminal arrives at the packet mirroring module 310 after a certain period of time.

In step S1140, it is confirmed whether the user has finished creating the document on the user terminal. If document creation is not complete, the process returns to step S1110 and the user can continue editing the cloud document using the user terminal. When document creation is complete, the user can complete editing the cloud document, and no further document editing information may be transmitted externally.

Figure 12 is a flowchart to explain the packet collection and analysis process according to one embodiment.

Referring to FIG. 12, in step S1205, the packet mirroring module 310 may copy the arrived packet and transmit it to the packet analysis module 320.

In step S1210, the packet analysis module 320 may identify whether the protocol of the packet is HTTP. If the protocol of the packet is not HTTP, the packet analysis module 320 may discard the packet. (Step S1215) If the protocol of the packet is HTTP, the packet analysis module 320 may proceed to step S1220.

In step S1220, the packet analysis module 320 may identify whether the host information (and information including URL information) in the packet header is a cloud homepage address. If the host information (and information including URL information) in the packet header is not the cloud homepage address, the packet analysis module 320 may discard the packet. (Step S1225). If the host information in the header of the packet is the cloud homepage address, the packet analysis module 320 may proceed to step S1230.

In step S1230, the packet analysis module 320 may identify whether the packet contains information related to cloud document editing. If the packet analysis module 320 does not have information related to cloud document editing, the packet may be discarded. (Step S1235) The packet analysis module 320 may check whether the host information, URL information, and method information included in the header of the packet match information on filter rules related to predefined cloud document editing. That is, the packet analysis module 320 identifies whether the host, URL, and method information included in the header of the packet matches the host, URL, and method information of the predefined filter rule, and if matched, the packet is related to cloud document editing. It can be identified as containing information. At this time, in step S1220, since it has already been confirmed whether the host information (and information including URL information) is the cloud homepage, the method information (and URL information) excluding the host information (and information including URL information) is related to the cloud homepage. It may be identified whether it matches the information of the filter rule.

In step S1250, the packet analysis module 320 may obtain information related to document editing from the packet. The packet analysis module 320 may obtain information related to document editing according to parsing rules corresponding to predefined parsing tools. The acquired information may be transmitted to the cloud document editing module 330. The acquired information can be used in the process of cloud document reconstruction and confidential document classification. The cloud document reconstruction and confidential document classification process will be described later with reference to FIG. 13. Here, information related to document editing may include cloud ID, editing behavior information, editing location information, editing order information, and editing content information.

Steps S1220 and S1230 described above in FIG. 12 are described as being performed sequentially, but may be integrated in some cases. That is, in step S1230, when determining whether the packet contains information related to cloud document editing, the host information, URL information, and method information included in the header of the packet are filter rule information related to predefined cloud document editing. If it is confirmed that it matches, step S1220 overlaps with determining whether the host information (and information including URL information) is a cloud homepage address in step S1220, so step S1220 can be integrated into step S1230.

Figure 13 is a diagram for explaining a cloud document reconstruction and confidential document classification process according to an embodiment.

In step S1305, the cloud document editing module 330 may obtain a cloud ID from information related to document editing. In step S1310, the cloud document editing module 330 may check whether there is a document with a cloud ID in the cloud document storage 340. If there is no document, the cloud document storage 340 proceeds to step S1315, creates a document with a cloud ID, and then transmits the document contents to the cloud editing module 330. If there is a document, the cloud document storage 340 may transmit the document contents to the cloud editing module 330 in step S1320.

In step S1325, the cloud document editing module 330 may obtain editing behavior, editing content, and editing location information from information related to document editing.

In step S1330, the cloud document editing module 330 reconstructs the document by combining the information transmitted from the cloud document storage 340 and the information obtained in step S1325, and reconstructs the document in the cloud document storage 340 based on the cloud ID. You can save the document.

In step S1335, the cloud document content analysis module 350 may request the content of the document being updated from the cloud document storage 340.

In step S1340, the cloud document content analysis module 350 can classify whether the document is confidential by inputting the content of each document based on an artificial intelligence algorithm that has already learned the content of the document requested by the company.

In step S1345, the cloud document content analysis module 350 may deliver the confidential document classification result to the administrator.

FIG. 14 is a block diagram showing the configuration of the electronic device 100 according to an embodiment.

Referring to FIG. 14 , the electronic device 100 may include a memory 1410, a control unit 1430, a communication unit 1470, and a display 1450.

Memory 1410 may store one or more instructions. In one embodiment, memory 1410 may store filter rules, parsing tools, and parsing rules for parsing HTTP messages. The filter rule includes host information, URL information, and method information corresponding to a predetermined service, the parsing tool is selected according to the filter rule and is a tool for performing a parsing operation, and the parsing rule is a tool that generates an HTTP message in response to the parsing tool. This may be a rule for extracting content from.

The control unit 1430 selects a parsing tool corresponding to header information (e.g., host information, URL information, and method information) extracted from the header among a plurality of parsing tools according to the filter rule, and applies the parsing rule corresponding to the selected parsing tool. Accordingly, content can be extracted from the body of the HTTP message.

The control unit 1430 may operate according to one or more instructions stored in the memory 1410. In one embodiment, the control unit 1430 may be implemented as a processor.

In one embodiment, the control unit 1430 may control the communication unit 1470 to mirror packets transmitted and received from a client device to an external device.

The control unit 1430 may analyze whether the mirrored packet is a packet related to a cloud document editing task.

The control unit 1430 can determine whether the protocol of the packet is a predetermined protocol. The control unit 1430 may determine whether the host information in the packet header corresponds to the cloud document editing service.

The control unit 1430 may determine whether the packet contains information related to the cloud document editing task. The control unit 1430 determines whether the packet contains information related to cloud document editing based on whether the host information, URL information, and method information of the packet match the host information, URL information, and method information of the predefined filter rule. You can identify parsing tools related to cloud document editing that correspond to host information, URL information, and method information.

If the packet includes information related to a cloud document editing task, the control unit 1430 may obtain the document identifier of the cloud document editing service from the packet. The control unit 1430 may obtain at least one of editing action information, editing content information, and editing location information from the packet. At this time, the editing action information may include information indicating at least one of addition, deletion, modification, and revert. Edit content information may include information representing an edit string. The editing position information may include information indicating the offset, which is the editing position within the document.

The control unit 1430 may reconstruct the cloud document based on the contents of the analyzed packet.

The control unit 1430 may determine whether a document corresponding to the obtained document identifier of the cloud document editing service exists in the document storage. If a document corresponding to the document identifier exists in the document storage, the control unit 1430 reconstructs the cloud document by combining the edit content determined based on the edit action information, edit content information, and edit location information with the document content in the document store. Reorganized cloud documents can be saved in document storage.

If the document corresponding to the document identifier does not exist in the document storage, the control unit 1430 creates a new document file and reconstructs the cloud document based on the edit content determined from the edit action information, edit content information, and edit location information. And the reconstructed cloud document can be saved in the document storage.

The control unit 1430 may determine whether the reconstructed cloud document contains confidential information. The control unit 1430 may determine whether the reconstructed cloud document contains confidential information using a neural network previously trained based on the contents of the training document containing confidential information.

Each time the reconstructed cloud document is updated (the edited cloud document is stored in the document storage), the control unit 1430 may determine whether the updated cloud document contains confidential information.

The control unit 1430 may control the display 1450 to display the result of determining whether it contains confidential information and the document identifier.

If the reconstructed cloud document contains confidential information, the control unit 1430 may perform at least one of blocking packet transmission and reception between the client device and the external device and sending a warning message to the client device. In one embodiment, if the content extracted from the HTTP message corresponds to pre-designated leak prevention content, the control unit 1430 blocks messages transmitted and received between the client device 10 and the server 20 or sends messages to the client device 10. By transmitting a warning message through the communication unit 1470, leakage of security information can be prevented.

The communication unit 1470 may receive packets transmitted and received between the client device 10 and the server 20. The communication unit 1470 may transfer (mirror) the received packet to the control unit 1430.

The display 1450 may output at least one of the document content extracted by the control unit 1430, a result of determining whether the document content contains confidential information, and a document identifier.

In one embodiment, if the content extracted from the HTTP message corresponds to pre-designated leak prevention content, the control unit 1430 may notify the administrator terminal through the communication unit 1470 that security information has been leaked.

According to one embodiment, in addition to crimes against confidential leaks such as industrial espionage that can occur in companies, it is possible to effectively detect external leaks of confidential documents within the company that occur through file downloading/sharing as it is converted to a collaborative work-oriented. . In addition, since the contents of the document are analyzed based on machine learning technology, the administrator does not directly view and analyze confidential information to determine whether it is a confidential document, but classifies the contents of the file using machine learning technology with a high-performance classification algorithm. and can provide more efficient detection services. In addition, unless it is disclosed to the outside, users cannot directly know the cloud document content detection operation, which may cause user resistance or reduce mutual trust between labor and management.

Meanwhile, the above-described embodiments of the present invention can be written as a program that can be executed on a computer, and the written program can be stored in a medium.

The media may include, but is not limited to, magnetic storage media (eg, ROM, floppy disk, hard disk, etc.) and optical read media (eg, CD-ROM, DVD, etc.).

Although the specific embodiments have been described above, it will be obvious to those skilled in the art that various modifications are possible without departing from the scope of the present invention.

Claims (15)

In a method of analyzing traffic by an electronic device,
Mirroring packets transmitted and received from a client device to an external device;
Analyzing whether the mirrored packet is a packet related to a cloud document editing task;
Reconstructing a cloud document based on the contents of the analyzed packet; and
A method comprising determining whether the reconstructed cloud document contains confidential information. According to claim 1,
The step of analyzing whether the mirrored packet is a packet related to a cloud document work,
determining whether the protocol of the packet is a predetermined protocol;
determining whether host information in the header of the packet corresponds to a cloud document editing service; and
A method comprising determining whether the packet contains information related to a cloud document editing task. According to claim 2,
The step of analyzing whether the mirrored packet is a packet related to a cloud document editing task is,
If the packet contains information related to a cloud document editing task, obtaining a document identifier of a cloud document editing task service from the packet; and
The method further comprising obtaining at least one of editing action information, editing content information, and editing location information from the packet. According to claim 3,
The editing action information includes information indicating at least one of add, delete, modify, and revert, and the editing position information includes information indicating an offset, which is an editing position within the document,
If the cloud document editing operation involves a string,
The edit content information includes information representing an edit string,
If the above cloud document editing operation involves a table,
The edit content information includes a string in the table and information on columns and rows of the table,
If the cloud document editing operation involves a picture,
A method wherein the edited content information includes identifier information of the picture. According to claim 4,
The step of reconstructing a cloud document based on the contents of the analyzed packet is,
determining whether a document corresponding to the obtained document identifier of the cloud document editing service exists in a document storage;
If a document corresponding to the document identifier exists in the document storage, the cloud document is reconstructed by combining the editing content determined based on the editing behavior information, editing content information, and editing location information with the document content of the document storage, and storing the reconstructed cloud document in the document storage; and
If a document corresponding to the document identifier does not exist in the document storage, create a new document file, reconstruct the cloud document based on edit content determined from edit action information, edit content information, and edit location information, and A method comprising storing the reconstructed cloud document in the document storage. According to claim 1,
The step of determining whether the reconstructed cloud document contains confidential information is,
A method comprising the step of determining whether the reconstructed cloud document contains confidential information using a neural network previously trained based on the contents of a training document containing confidential information. According to claim 1,
The packet is the first packet,
updating the reconstructed cloud document based on the contents of the second packet; and
The method further comprising determining whether the updated cloud document contains confidential information each time it is updated. According to claim 1,
The method further comprising displaying a document identifier and a result of determining whether the confidential information is included. According to claim 1,
If the reconstructed cloud document contains confidential information, the method further includes performing at least one of blocking packet transmission and reception between the client device and an external device and transmitting a warning message to the client device. According to claim 1,
The step of determining whether the packet contains information related to the cloud document editing task is
Identifying a predefined parsing tool according to whether the host information, URL information, and method information of the packet match the host information, URL information, and method information of the predefined filter rule; and
According to the identified predefined parsing tool, determining whether the packet contains information related to cloud document editing. A memory that stores one or more instructions; and
Includes a processor that operates according to the one instruction,
The processor,
Mirrors packets sent and received from the client device to the external device,
Analyze whether the mirrored packet is a packet related to a cloud document editing task,
Based on the contents of the analyzed packet, reconstruct the cloud document,
An electronic device that determines whether the reconstructed cloud document contains confidential information. According to claim 11,
When the processor analyzes whether the mirrored packet is a packet related to a cloud document task,
Determine whether the protocol of the packet is a predetermined protocol, determine whether the host information and URL information of the header of the packet correspond to a cloud document editing work service, and determine whether the packet includes information related to the cloud document editing work. An electronic device characterized in that it determines . According to claim 12,
The processor,
When analyzing whether the mirrored packet is a packet related to cloud document work,
If the packet contains information related to a cloud document editing task, obtain a document identifier of the cloud document editing task service from the packet, and obtain at least one of editing action information, editing content information, and editing location information from the packet. An electronic device characterized in that: According to claim 10,
The processor,
When determining whether the packet contains information related to a cloud document editing operation,
Depending on whether the host information, URL information, and method information of the packet match the host information, URL information, and method information of the predefined filter rule, a predefined parsing tool is identified, and the identified predefined parsing tool is used. Accordingly, an electronic device characterized in that it determines whether the packet contains information related to cloud document editing. A program stored in combination with hardware to execute the method of any one of claims 1 to 10.