KR20240065966A - Method for network inspection storing data efficiently and system performing the same - Google Patents

Abstract

The present invention discloses a network inspection method that can most efficiently extract and store network data for security regression inspection and analysis, and a network inspection system that performs the same. According to one aspect of the present invention, a construction module for constructing a strategy database during a predetermined optimization period; and an extraction module that extracts and stores at least a portion of the plurality of packets collected from the network during a predetermined data extraction period using the constructed strategy database, wherein the construction module includes the plurality of packets collected from the network during the optimization period. A first network session creation module that creates a network session based on the packet; a first protocol determination module that determines a protocol of a network session to be optimized, which is a network session created by the first network session creation module during the optimization period; A decision module for determining a data extraction strategy corresponding to the network session to be optimized, wherein the data extraction strategy corresponding to the network session to be optimized extracts certain data from all packets constituting the network session to be optimized. Contains information about what should be done; and a strategy storage module that stores the data extraction strategy in the strategy database by matching the protocol of the network session to be optimized with the data extraction strategy, wherein the extraction module stores the network session based on a plurality of packets collected from the network during the data extraction period. A second network session creation module that creates; a second protocol determination module that determines a protocol of a network session to be extracted, which is a network session created by the second network session creation module during the data extraction period; a search module that searches the strategy database for a data extraction strategy corresponding to the protocol of the network session to be extracted; A network inspection system is provided that includes a data storage module that extracts and stores data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session.

Description

{Method for network inspection storing data efficiently and system performing the same}

The present invention relates to a network inspection method that can most efficiently extract and store network data for security regression inspection and analysis, and a network inspection system that performs the same. More specifically, it relates to a system and method that can overcome inefficiency by extracting network data from a session based on the protocol of the network session.

Existing network control and management equipment is based on packet information of TCP (transport layer protocol)/UDP (user datagram protocol) or IP (Internet protocol), and determines the specific unit goals of the equipment, such as routing, QoS (Quality of Service), Efforts have been made to achieve DDoS (Distributed Denial of Service) prevention. However, the packet-based approach ignores information according to the communication relationship between upper-level applications and relies only on the information contained in each separate packet, which is simply a temporary information transfer unit, resulting in limitations in processing speed and in applicability to a large extent. Due to limitations, it is provided in the form of a single system for independent goals, such as a router for packet routing, a dedicated system to defend against DDoS attacks, or a Deep Packet Inspection (DPI) system for traffic control. Among these, the DPI system is a method of finding and detecting the signature of the well-known port number and payload used by a specific application or client (for example, a P2P client) and controlling the detected packet. is adopting. By detecting these signatures, it is known which client, i.e., application, is currently generating and/or transmitting packets in the network, and appropriate network control is performed according to a predetermined policy.

However, the conventional DPI system has the disadvantage that the processing overhead is too large because the payload of all transmitted packets must be checked. In other words, in order to detect the payload of all packets, all transmitted packets had to be stored, resulting in a very large storage overhead. Additionally, even if the payload is encrypted, there is a problem of wasting more storage space than necessary, such as having to store all packets.

The present invention is an invention designed to solve these problems, and the technical problem to be achieved by the present invention is to extract and store only the data necessary for security regression testing and analysis from the session of the protocol based on the characteristics of the protocol of the network session, eliminating unnecessary problems. It provides a method and system that can overcome the inefficiency of storing packets.

According to one aspect of the present invention, a construction module for constructing a strategy database during a predetermined optimization period; and an extraction module that extracts and stores at least a portion of the plurality of packets collected from the network during a predetermined data extraction period using the constructed strategy database, wherein the construction module includes the plurality of packets collected from the network during the optimization period. A first network session creation module that creates a network session based on the packet; a first protocol determination module that determines a protocol of a network session to be optimized, which is a network session created by the first network session creation module during the optimization period; A decision module for determining a data extraction strategy corresponding to the network session to be optimized, wherein the data extraction strategy corresponding to the network session to be optimized extracts certain data from all packets constituting the network session to be optimized. Contains information about what should be done; and a strategy storage module that stores the data extraction strategy in the strategy database by matching the protocol of the network session to be optimized with the data extraction strategy, wherein the extraction module stores the network session based on a plurality of packets collected from the network during the data extraction period. A second network session creation module that creates; a second protocol determination module that determines a protocol of a network session to be extracted, which is a network session created by the second network session creation module during the data extraction period; a search module that searches the strategy database for a data extraction strategy corresponding to the protocol of the network session to be extracted; A network inspection system is provided that includes a data storage module that extracts and stores data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session.

In one embodiment, the decision module calculates a standard security threat detection accuracy by performing a series of network security checks on all packets constituting the optimization target network session, and selects the following [selected] from a plurality of candidate data extraction strategies. One of the candidate data extraction strategies that satisfies [condition] can be determined as the data extraction strategy corresponding to the network session to be optimized.

[Selection conditions]

The difference between the security threat detection accuracy calculated by performing the series of network security checks on data extracted by the candidate data extraction strategy from all packets constituting the optimization target network session and the reference security threat detection accuracy is determined by a predetermined value. Must be below the standard.

In one embodiment, the plurality of candidate data extraction strategies are prioritized, and the data extraction strategy corresponding to the optimization target network session has the highest priority among the candidate data extraction strategies that satisfy the [selection condition]. You can.

In one embodiment, the plurality of candidate data extraction strategies may have lower priorities as the size of data extracted by the strategy increases.

In one embodiment, the plurality of candidate data extraction strategies are, in order of priority from high to low, a strategy for extracting network metadata, a strategy for extracting network metadata and content metadata, network metadata, and content metadata. It may include a strategy for extracting some packets selected by data and predetermined selection criteria, and a strategy for extracting all packets.

In one embodiment, the plurality of candidate data extraction strategies include a strategy of extracting initial K preceding packets from all packets constituting a network session, where K is any random number that satisfies Nmin <= K <= Nmax. is a natural number, and Nmin and Nmax may be predetermined natural numbers that satisfy Nmin < Nmax.

In one embodiment, the plurality of candidate data extraction strategies include a strategy of extracting K subsequent packets from the first payload packet including the payload among all packets constituting the network session, where K is Nmin It is any natural number that satisfies <= K <= Nmax, and Nmin and Nmax may be predetermined natural numbers that satisfy Nmin < Nmax.

In one embodiment, it may further include a security check module that performs a network security check on the extraction target network session based on packets extracted from the extraction target network session.

According to another aspect of the present invention, a computing system includes a construction step of constructing a database for a predetermined optimization period; and an extraction step in which the computing system extracts at least some of the plurality of packets collected from the network during a predetermined data extraction period using the constructed database, wherein the building step includes extracting at least some of the plurality of packets collected from the network during the optimization period. A first network session creation step of creating a network session based on a plurality of collected packets; A first protocol determination step of determining a protocol of a network session to be optimized, which is a network session created in the first network session creation step during the optimization period; A data extraction strategy determination step of determining a data extraction strategy corresponding to the network session to be optimized - where the data extraction strategy corresponding to the network session to be optimized is selected from all packets constituting the network session to be optimized. Includes information about whether data should be extracted; And a storage step of matching the protocol of the network session to be optimized with a data extraction strategy and storing it in the database, wherein the extraction step generates a network session based on a plurality of packets collected from the network during the data extraction period. A second network session creation step; A second protocol determination step of determining the protocol of the network session to be extracted, which is the network session created in the second network session creation step during the data extraction period; A search step of searching the database for a data extraction strategy corresponding to the protocol of the network session to be extracted; A network inspection method is provided that includes a data storage step of extracting and storing data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session.

In one embodiment, the data extraction strategy determining step includes calculating a standard security threat detection accuracy by performing a series of network security checks on all packets constituting the optimization target network session; And it may include determining one of the candidate data extraction strategies that satisfies the following [selection conditions] among the plurality of candidate data extraction strategies as the data extraction strategy corresponding to the network session to be optimized.

[Selection conditions]

The difference between the security threat detection accuracy calculated by performing the series of network security checks on data extracted by the candidate data extraction strategy from all packets constituting the optimization target network session and the reference security threat detection accuracy is determined by a predetermined value. Must be below the standard.

In one embodiment, the method may further include a security check step of performing a network security check on the extraction target network session based on packets extracted from the extraction target network session.

According to another aspect of the present invention, a computer program installed in a data processing device and recorded on a computer-readable medium for performing the above-described method is provided.

According to another aspect of the present invention, a computing system comprising: a processor; and a memory storing a computer program executed by the processor, wherein the computer program, when executed by the processor, causes the computing system to perform the above-described method.

According to the technical idea of the present invention, the inefficiency of storing packets unnecessarily can be overcome by extracting and storing only the data necessary for security regression testing and analysis from the session of the protocol based on the characteristics of the protocol of the network session.

In addition, by storing data about network sessions in a form optimized for the network session protocol and performing network security checks on them, it is effective in extending the period to respond to zero days and increasing the detection accuracy of security threats. .

In order to more fully understand the drawings cited in the detailed description of the present invention, a brief description of each drawing is provided.
1 is a diagram showing the schematic configuration of a network inspection system according to an embodiment of the present invention.
Figure 2 is a diagram showing the schematic structure of a construction module according to an embodiment of the present invention, and Figure 3 is a diagram showing the schematic structure of an extraction module according to an embodiment of the present invention.
Figure 4 is a diagram showing the schematic configuration of a network session creation module according to an embodiment of the present invention.
Figure 5 is a diagram for explaining sessions, flows, and packets for a network inspection method according to an embodiment of the present invention.
Figure 6 is a flow chart schematically showing the process of determining a data extraction strategy corresponding to a network session.
Figure 7 is a flowchart showing the process of building a strategy database among the network security methods according to an embodiment of the present invention.
Figure 8 is a flowchart showing a process of extracting data from a network session among the network security methods according to an embodiment of the present invention.

Since the present invention can be modified in various ways and can have various embodiments, specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all transformations, equivalents, and substitutes included in the spirit and technical scope of the present invention. In describing the present invention, if it is determined that a detailed description of related known technologies may obscure the gist of the present invention, the detailed description will be omitted.

Terms such as first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

The terms used in this application are only used to describe specific embodiments and are not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise.

In this specification, terms such as “comprise” or “have” are intended to designate the presence of features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, but are intended to indicate the presence of one or more other It should be understood that this does not exclude in advance the presence or addition of features, numbers, steps, operations, components, parts, or combinations thereof.

Additionally, in this specification, when one component 'transmits' data to another component, the component may transmit the data directly to the other component, or through at least one other component. This means that the data can be transmitted to the other components. Conversely, when one component 'directly transmits' data to another component, it means that the data is transmitted from the component to the other component without going through the other component.

Hereinafter, the present invention will be described in detail focusing on embodiments of the present invention with reference to the attached drawings. The same reference numerals in each drawing indicate the same member.

1 is a diagram showing the schematic configuration of a network inspection system according to an embodiment of the present invention. The network inspection system can perform a network inspection method according to the technical idea of the present invention.

Referring to FIG. 1, the network inspection system 100 according to an embodiment of the present invention includes a construction module 120, an extraction module 130, and a strategy database 150. The network inspection system 100 may further include a packet capture module 110. Additionally, the network inspection system 100 may further include a security inspection module 140. Additionally, the network inspection system 100 may further include a security inspection module 140 and/or a storage device 160. Depending on the embodiment of the present invention, some of the above-described components may not necessarily correspond to components essential for implementation of the present invention, and depending on the embodiment, the network inspection system 100 Of course, it may contain more components than this. For example, the network inspection system 100 may include other components included in the network inspection system 100 (e.g., packet capture module 110, construction module 120, extraction module 130, security inspection module). (140), strategic database 150, storage device 160, etc.) or a control module (not shown) capable of controlling the functions and/or resources of the device or a communication module (not shown) capable of communicating with an external device. It can be included.

In one embodiment, the network inspection system 100 may be a communication device that forms a network by connecting several network units. The network inspection system 100 may be a router, hub, access point, router, etc. Alternatively, the network inspection system 100 may be a system connected to such communication devices (router, hub, access point, router, etc.).

The network inspection system 100 may be equipped with hardware resources and/or software necessary to implement the technical idea of the present invention, and does not necessarily mean one physical component or one device. no. In other words, the network inspection system 100 may mean a logical combination of hardware and/or software provided to implement the technical idea of the present invention, and if necessary, is installed in devices spaced apart from each other to perform each function. It may be implemented as a set of logical configurations to implement the technical idea of the present invention by performing it. Additionally, the network inspection system 100 may refer to a set of components implemented separately for each function or role to implement the technical idea of the present invention.

In this specification, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the module may mean a logical unit of hardware resources for executing a predetermined code and the predetermined code, and does not necessarily mean physically connected code or one type of hardware. This can be easily deduced by an average expert in the technical field of the present invention.

The network inspection system 100 may be in the form of a server device or a combination of a server device and software installed on the server device. The server device may be implemented as a single device or a device group consisting of a plurality of devices connected through a predetermined communication interface.

Meanwhile, the storage device 160 may be a device that stores data and/or information necessary to implement the technical idea of the present invention. In one embodiment, the storage device 160 may be a database or non-volatile storage (eg, HDD, SDD, etc.).

The packet capture module 110 can receive and capture a plurality of packets from the network. The packet capture module 110 can be installed at a predetermined location on the network to collect packets moving through the network. According to one embodiment, the packet capture module 110 may be implemented on the network in a tapping mode to receive packets from a device that taps packets from the network as shown in FIG. 1, but is not limited to this. Alternatively, packets on the network may be transmitted to the packet capture module 110 in other ways. It may be implemented on the network in in-line mode so that it passes through the packet capture module 110 and moves on the network.

For example, the packet capture module 110 is located at the front and/or rear end of a gateway existing on a predetermined local area network (LAN) and can collect network data according to the technical idea of the present invention. there is. The packet capture module 110 may be implemented with, for example, a certain NIC (Network Interface Card), but is not limited thereto.

The construction module 120 can build the strategy database 150 during a predetermined optimization period. The optimization period may be a period predetermined by an operator of the network inspection system 100 or a period determined by a predetermined operation policy. Or, it may be a period of time during which certain conditions are satisfied.

The construction module 120 recognizes network sessions occurring in the network during the optimization period, determines a data storage strategy corresponding to the recognized network session, and stores it in the strategy database 150. can be built.

Meanwhile, the strategy database 150 may store a protocol of a network session and a data extraction strategy corresponding to the network session. At this time, the data extraction strategy may include information on what data should be extracted from the full packets constituting the network session to be optimized.

The strategy database 150 may be implemented with at least one table, and will be used to further include a separate DBMS (Database Management System) for searching, storing, and managing information stored in the strategy database 150. It may be possible. In addition, it can be implemented in various ways, such as linked-list, tree, and relational DB, and can be implemented in all data storage media and data structures capable of storing information to be stored in the pattern DB 130. It can be included.

The extraction module 130 can extract and store at least some of the plurality of packets collected from the network during a predetermined data extraction period using the constructed strategy database. The data extraction period may also be a period designated in advance by an operator, etc., or a period determined by a predetermined operation policy. Alternatively, it may be a period during which certain conditions are satisfied. Alternatively, the data extraction period may be at least a portion of the period during which the network inspection system 100 is operated, excluding the optimization period.

The extraction module 130 may recognize a network session occurring in the network during the data extraction period, extract packets constituting the recognized network session or information about the recognized network session, and store them in the storage device 160. And what information to store can be determined based on the strategy database.

Specific operations performed by the construction module 120 and the extraction module 130 will be described in more detail below with reference to FIGS. 2 and 3.

FIG. 2 is a diagram showing the schematic structure of the construction module 120 according to an embodiment of the present invention, and FIG. 3 is a diagram showing the schematic structure of the extraction module 130 according to an embodiment of the present invention. am.

As shown in Figure 2, the construction module 120 may include a first network session creation module 121, a first protocol determination module 122, a decision module 123, and a strategy storage module 124. As shown in FIG. 3, the extraction module 130 includes a second network session creation module 131, a second protocol determination module 132, a search module 133, and a data storage module 134. can do.

First, let's look at the configuration of the construction module 120 with reference to FIG. 2.

The first network session creation module 121 may create a network session based on a plurality of packets collected from the network during the optimization period.

In one embodiment, the first network session creation module 121 may create a session based on a flow, which will be described in detail with reference to FIG. 4.

FIG. 4 is a diagram illustrating the schematic configuration of the first network session creation module 121 according to an embodiment of the present invention.

Referring to FIG. 4, the first network session creation module 121 may include a flow creation module 1211 and a session creation module 1212.

The flow creation module 1211 may generate a plurality of flows based on packets captured by the packet capture module 110. The packet capture module 110 can sequentially output packets to the flow creation module 1211. Then, the flow creation module 1211 can create a flow. Creating a flow may mean generating flow information, as will be described later. Depending on the implementation, the flow creation module 1211 may optionally extract packets included in the flow and store them in the storage device 160. The flow creation module 1211 may store all packets included in the flow, or may store only some packets depending on the embodiment. The flow creation module 1211 temporarily stores the flow and all packets included in the flow in the storage device 160, and may delete all or part of the stored packets after the necessary work is completed.

In this specification, flow refers to a set of IP packets that are continuously delivered within a limited time. Therefore, an IP flow is an application's address pair (sender address, sender port number, receiver address, receiver port number), host pair (sender network address, receiver network address), AS number pair (sender AS number, receiver AS number), etc. It can be defined as a flow of IP packets that are delivered continuously within a limited time specified as . For the concept of this flow and the method of forming the flow, see Korean Patent Application No. 10-2008-0126888 (title of the invention: “Network Control System and Network Control Method”) or Korean Patent Application No. 10-2011-0019891 ( Since the invention is disclosed in detail in prior art documents such as "Network Inspection System and Method for Providing the Same"), detailed description will be omitted in this specification. In addition, regarding the concept of flow and the method of generating flow in this specification, the technical ideas and descriptions disclosed in the above-mentioned prior art documents are included as references in this specification, and may be treated as included in the description of this specification.

Among the properties of packets, a 5-tuple can be used as an example to create a flow. That is, the flow creation module 1211 can receive packets as input on the network and generate a flow, which is a continuous set of packets, or extract some of the packets forming the flow. The condition for generating a flow or detecting a flow packet is to compare the properties of packets (e.g., 5-tuple (Source Address, Destination Address, Source Port, Destination Port, Protocol)) to determine the same properties (e.g., 5-tuple). If a packet with the tuple value does not exist, a new flow can be created, and if a packet with the same value exists, the flow information of that flow can be updated.

A continuous set of packets does not necessarily mean physically consecutive packets, but may be used to include packets with the same attributes that arrived within a temporally limited time.

The flow information includes 5-tuple information of packets, including flow size, duration, i.e., start time (S.T) and end time (E.T) of the flow, and packet count (Packet Count, P.C). , average packet size, average rate, flags (e.g., special signals for the protocol (SYN, FIN, etc.)) and/or follow size, etc. The flow information may be output to the storage device 160 and stored. The flow creation module 1211 may store flow information about a predetermined flow and at least some of the packets included in the flow in correspondence with each other in the storage device 160. This process can be defined as the flow creation module 1211 creating a flow. For example, flow information and packets included in the flow may be stored physically sequentially, or may be stored in various forms such as tables, links, etc. that can be easily searched even if they are physically separated.

When a plurality of flows are created by the flow creation module 1211, the session creation module 1212 can create a network session (hereinafter referred to as a 'session') based on information about the plurality of flows. there is. Creating a session means extracting flows forming the same session from a plurality of created flows, creating session information including identification information for the extracted flows, and storing it in the storage device 160. can do.

In one embodiment, flows and sessions may be created in the following manner.

The flow creation module 1211 determines based on the 5-tuple of the packet, and if the packet is not terminated and is included in the remaining flows (i.e., if the 5-tuple information is the same), it generates the corresponding flow information. You can modify it and indicate that the packet is dependent on the corresponding flow.

If it is determined based on the 5-tuple information of the packet that the packet does not belong to a specific flow, a new flow can be created to indicate that the packet is dependent on the newly created flow.

When a new flow is created, the session creation module 1212 determines based on the 5-tuple information of the flow, modifies the session information if the flow is not terminated and is included in the remaining sessions, and determines whether the flow is included in the session. Dependency can be indicated. If it is determined based on the 5-tuple information of the flow that it does not belong to a specific session, a new session can be created and the flow can be indicated as being dependent on the newly created session. If a packet notifying the end of a session is received, the flow and session containing the packet can be terminated. In the case of a flow or session that remains without termination, if packets included in the flow or session are not received for a certain period of time, the flow and session may be terminated.

Additionally, creating a session may mean including the process of storing at least some of the packets included in the session along with the session information to correspond to the session information.

The concept of how the session creation module 1212 creates a session will be explained with reference to FIG. 5. Figure 5 is a diagram for explaining sessions, flows, and packets for a network inspection method according to an embodiment of the present invention.

Referring to FIG. 5, when a session (S) is formed between certain devices, the session (S) may be composed of at least one flow (F). Additionally, the at least one flow may each consist of at least one packet (P).

According to the technical idea of the present invention, the network inspection system 100 can collect packets passing through a point on a predetermined network. This can be performed by the packet capture module 110.

And the network inspection system 100 can generate a flow based on the packet properties (eg, 5-tuple, etc.) of the collected packets. The flow creation method is the same as described above. The creation of this flow can be performed by the flow creation module 1211. Each flow may consist of only one packet or multiple packets. Additionally, the flow size may be different for each flow.

When a flow is created in this way, the session creation module 1212 can create a session.

To create a session, the session creation module 1212 can check the flow information stored in the storage device 160. Flows included in the same session may have common characteristics. Accordingly, the session creation module 1212 can search for flows with the common characteristics among the flows stored in the storage device 160. Additionally, the temporal priority of each flow can be determined based on flow information (for example, information such as S.T., E.T., etc. included in the flow information). The session creation module 1212 may determine the best flow and last flow of the session based on flag information included in the flow information of each session creation flow.

Accordingly, the session creation module 1212 can extract at least one flow included in a specific session, that is, a session creation flow. The session establishment flow may be one flow or may include multiple flows.

The session creation module 1212 may create a session based on a plurality of flows created by the flow creation module 1211. In other words, session information can be created.

The session information may include an index (identification information) of at least one flow included in the session, that is, each session formation flow. Additionally, various information indicating characteristics of the session may be further included in the session information.

Referring again to FIG. 2, whenever a network session is created by the first network session creation module 121, the first protocol determination module 122 may determine the protocol of the created network session. As is well known, the network session protocol is a communication protocol between two entities that communicate with each other, and examples include HTTP, HTTPS, FTP, and SMTP.

Hereinafter, in order to distinguish it from the network session created by the second network session creation module 131, which will be described later, each network session created by the first network session creation module 121 during the optimization period is connected to the optimization target network. Let’s call it a session.

For example, the first protocol determination module 122 may determine the protocol of the network session to be optimized by performing deep packet inspection (DPI) on the packets constituting the session.

The decision module 123 may determine a data extraction strategy corresponding to the network session to be optimized. As described above, the data extraction strategy corresponding to the network session to be optimized may include information about what data should be extracted from the full packets constituting the network session to be optimized.

A plurality of candidate data extraction strategies that can be selected as the data extraction strategy corresponding to the network session to be optimized may be predetermined, and the decision module 123 selects one of the plurality of predetermined candidate data extraction strategies to optimize the optimization. It can be determined by a data extraction strategy corresponding to the target network session.

The plurality of candidate data extraction strategies may include, for example:

i) Strategy for extracting network meta-data, where network meta-data includes session information and/or flow information

ii) Strategy for extracting content meta-data (here, content meta-data includes content information contained in the session, hash information of the file, and/or header information)

iii) Strategy to extract network meta-data and content meta-data

iv) A strategy to extract some packets selected according to predetermined selection criteria from among the packets that constitute a network session

v) Strategy for extracting some packets selected according to predetermined selection criteria from among network meta-data, content meta-data, and packets constituting a network session

vi) Strategy to extract the entire packets that make up a network session

Of course, there are various candidate data extraction strategies.

Meanwhile, the strategy for extracting some packets selected according to the predetermined selection criteria may include various sub-strategies. For example, the strategy for extracting some packets selected according to the above predetermined selection criteria is the strategy for extracting the initial K preceding packets of the session, the first payload including the payload among all packets constituting the network session. It may include a strategy for extracting K subsequent packets from a packet, a strategy for extracting the last K preceding packets of a session, etc.

Meanwhile, the decision module 123 calculates the standard security threat detection accuracy by performing a series of network security checks on all packets constituting the optimization target network session, and selects the following [selected] from a plurality of candidate data extraction strategies. One of the candidate data extraction strategies that satisfies [condition] can be determined as the data extraction strategy corresponding to the network session to be optimized.

[Selection conditions]

The difference between the security threat detection accuracy calculated by performing the series of network security checks on data extracted by the candidate data extraction strategy from all packets constituting the optimization target network session and the reference security threat detection accuracy is determined by a predetermined value. Must be below the standard.

The series of network security inspections may be a set of security rule sets known at the time of inspection, that is, stored in the network inspection system 100 and applicable. A security rule set may mean including multiple security rules. Additionally, each security rule may include rules that serve as standards for security inspection. For example, there is a bit stream of a specific pattern in the packet, a certain value or text exists at a certain position in the packet, the packet is received on a certain port, and/or the source or destination of the packet is a certain value. At least one rule such as or can be combined to form a security rule. Of course, these security rules can be updated in the network inspection system 100 whenever a new security threat occurs, along with the type or characteristics of the new security threat and the corresponding security rules.

For example, the security threat detection accuracy may be the number of individual security checks in which it is determined that a security threat has occurred when a plurality of predetermined individual network security checks are performed. Alternatively, it may be the result of reflecting a given weight for each security check on the presence or absence of security threats according to each security check.

The predetermined standard value specified in the selection conditions may be a predetermined numerical heavy cloud ratio. For example, the above selection condition may be considered satisfied when the difference between two security threat detection accuracies is less than a predetermined value, and it can also be considered satisfied when the ratio of the two security threat detection accuracies is less than a predetermined value.

By doing this, the network inspection system 100 can select a strategy for extracting network session data to the extent that it can maintain a certain level of security compared to full packet capture.

Meanwhile, the plurality of candidate data extraction strategies are prioritized, and the data extraction strategy corresponding to the optimization target network session may be the highest priority among the candidate data extraction strategies that satisfy the [selection condition].

In particular, the plurality of candidate data extraction strategies may be predetermined so that the priority decreases as the size of data extracted by the strategy increases. For example, the plurality of candidate data extraction strategies include, in order of priority from high to low, a strategy for extracting network metadata, a strategy for extracting network metadata and content metadata, network metadata, and content metadata. and a strategy for extracting some packets selected according to predetermined selection criteria, and a strategy for extracting all packets. Of course, even in this case, the data extraction strategy determined by the decision module 123 can satisfy the above [selection conditions].

By doing this, the network inspection system can select a data extraction strategy that can maintain a certain level of security and minimize data storage costs.

As described above, the plurality of candidate data extraction strategies may include a strategy for extracting initial K preceding packets from all packets constituting a network session. Here, K is a random natural number satisfying N _min <= K <= N _max , and N _min and N _max are predetermined natural numbers satisfying N _min < N _max . In this case, the decision module 123 can extract N _min preceding packets, perform a predetermined series of network security checks, and determine whether the [selection condition] is satisfied. If the [selection condition] is not satisfied, the decision module 123 extracts the preceding packet while increasing K by a predetermined increment, performs the series of network security checks, and determines whether the [selection condition] is satisfied. You can judge. The decision module 123 can determine K, which is the minimum value, while satisfying the [selection condition].

Additionally, in one embodiment, the plurality of candidate data extraction strategies may include a strategy of extracting K subsequent packets from the first payload packet including the payload among all packets constituting the network session. Here, K is a random natural number satisfying N _min <= K <= N _max , and N _min and N _max are predetermined natural numbers satisfying N _min < N _max . In this case as well, the decision module 123 can extract N _min preceding packets, perform a predetermined series of network security checks, and determine whether the [selection condition] is satisfied. If the [selection condition] is not satisfied, the decision module 123 extracts the preceding packet while increasing K by a predetermined increment, performs the series of network security checks, and determines whether the [selection condition] is satisfied. You can judge. The decision module 123 can determine K, which is the minimum value, while satisfying the [selection condition].

Figure 6 is a flowchart schematically showing a process by which the decision module 123 determines a data extraction strategy corresponding to a network session according to an embodiment of the present invention.

Referring to FIG. 6, the decision module 123 can calculate the standard security threat detection accuracy by performing a series of network security checks on all packets constituting the optimization target network session (S100).

When the decision module 123 performs the series of security regression tests on the data extracted by the candidate data extraction strategy (S110) for each of the plurality of predetermined candidate data extraction strategies (s ₁ to s _N ), Security threat detection accuracy can be calculated (S120).

If the above [selection conditions] are satisfied, that is, the security threat detection accuracy and If the difference between the standard security threat detection accuracies is less than a predetermined standard value (S130), the candidate data extraction strategy may be determined as the data extraction strategy corresponding to the network session to be optimized (S140).

Here, candidate data extraction strategy s ₁ , s ₂ , s ₃ , … , s _N each is a predetermined data extraction strategy, and may be a strategy in which priority is lowered as the size of data extracted by the strategy increases.

Referring again to FIG. 2, the strategy storage module 124 may store the protocol of the optimization target network session and the data extraction strategy in the strategy database 150.

Hereinafter, the configuration of the extraction module 130 will be described with reference to FIG. 3.

As shown in FIG. 3, the extraction module 130 includes a second network session creation module 131, a second protocol determination module 132, a search module 133, and a data storage module 134. can do.

The second network session creation module 131 may create a network session based on a plurality of packets collected from the network during the data extraction period. The second network session creation module 131 performs almost the same tasks as the first network session creation module 121 except that it collects packets during the data extraction period and creates a network session, so detailed description will be given below. will be omitted.

Each time a network session is created by the second network session creation module 131, the second protocol determination module 132 may determine the protocol of the created network session.

Additionally, the search module 133 may search the strategy database 150 for a data extraction strategy corresponding to the protocol of the network session to be extracted. The extraction target network session is a network session created by the second network session creation module 131 during the extraction period.

The data storage module 134 may extract data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session and store it in the storage device 160.

Referring again to FIG. 1, the security check module 140 may perform a network security check on the network session to be extracted based on packets extracted from the network session to be extracted. Methods for performing security checks may vary, and for example, a conventional IDS (Intrusion Detection System) may be used. Of course, the test results of the security check module 140 can be stored in the storage device 160.

Figure 7 is a flowchart showing the process of building a strategy database among the network security methods according to an embodiment of the present invention. Steps S200 to S230 shown in FIG. 7 may be performed repeatedly for a predetermined optimization period.

Referring to FIG. 7, the network security system 100 may create a network session to be optimized based on a plurality of packets collected from the network (S200).

The network security system 100 may determine the protocol of the network session to be optimized, which is the network session created during the optimization period (S210).

The network security system 100 may determine a data extraction strategy corresponding to the network session to be optimized. At this time, as described above, the network security system 100 performs a series of network security checks on all packets constituting the optimization target network session to calculate a standard security threat detection accuracy and a plurality of candidate data extraction strategies. Among the candidate data extraction strategies that satisfy the [selection conditions], one of the candidate data extraction strategies may be determined as the data extraction strategy corresponding to the network session to be optimized.

Thereafter, the network security system 100 may match the protocol of the optimization target network session and the data extraction strategy and store them in the database (S230).

Figure 8 is a flowchart showing a process of extracting data from a network session among the network security methods according to an embodiment of the present invention. Steps S300 to S330 shown in FIG. 8 may be performed repeatedly for a predetermined extraction period.

The network security system 100 may create a network session to be extracted based on a plurality of packets collected from the network (S300).

The network security system 100 may determine the protocol of the network session to be extracted, which is the network session created during the data extraction period (S310).

The network security system 100 may search the strategy database for a data extraction strategy corresponding to the protocol of the network session to be extracted (S320).

The network security system 100 may extract and store data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session (S330).

Meanwhile, depending on the implementation, the network inspection system 100 may include at least one processor and a memory that stores a program executed by the processor. The processor may include a single core CPU or a multi-core CPU. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state memory devices. Access to memory by processors and other components may be controlled by a memory controller.

Meanwhile, the network inspection method according to an embodiment of the present invention may be implemented in the form of computer-readable program instructions and stored in a computer-readable recording medium. Computer-readable recording media include all types of recording devices that store data that can be read by a computer system.

Program instructions recorded on the recording medium may be those specifically designed and configured for the present invention, or may be known and available to those skilled in the software field.

Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and floptical disks. Includes magneto-optical media such as ROM, RAM, flash memory, and other hardware devices specifically configured to store and execute program instructions. Additionally, computer-readable recording media can be distributed across computer systems connected to a network, so that computer-readable code can be stored and executed in a distributed manner.

Examples of program instructions include not only machine code such as that created by a compiler, but also high-level language code that can be executed by a device that electronically processes information using an interpreter, for example, a computer.

The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

The description of the present invention described above is for illustrative purposes, and those skilled in the art will understand that the present invention can be easily modified into other specific forms without changing the technical idea or essential features of the present invention. will be. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive. For example, each component described as unitary may be implemented in a distributed manner, and similarly, components described as distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the claims described below rather than the detailed description above, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be construed as being included in the scope of the present invention. .

Claims (18)

A construction module that builds a strategic database during a predetermined optimization period; and
An extraction module that extracts and stores at least a portion of a plurality of packets collected from the network during a predetermined data extraction period using the constructed strategic database,
The construction module is,
a first network session creation module that creates a network session based on a plurality of packets collected from the network during the optimization period;
a first protocol determination module that determines a protocol of a network session to be optimized, which is a network session created by the first network session creation module during the optimization period;
A decision module for determining a data extraction strategy corresponding to the network session to be optimized, wherein the data extraction strategy corresponding to the network session to be optimized extracts certain data from all packets constituting the network session to be optimized. Contains information about what should be done; and
A strategy storage module that matches the protocol of the optimization target network session with a data extraction strategy and stores it in the strategy database,
The extraction module is,
a second network session creation module that creates a network session based on a plurality of packets collected from the network during the data extraction period;
a second protocol determination module that determines a protocol of a network session to be extracted, which is a network session created by the second network session creation module during the data extraction period;
a search module that searches the strategy database for a data extraction strategy corresponding to the protocol of the network session to be extracted;
A network inspection system comprising a data storage module for extracting and storing data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session.
According to paragraph 1,
The decision module is,
Calculate the standard security threat detection accuracy by performing a series of network security checks on all packets constituting the optimization target network session,
A network inspection system that determines one of a plurality of candidate data extraction strategies that satisfies the following [selection conditions] as the data extraction strategy corresponding to the network session to be optimized.
[Selection conditions]
The difference between the security threat detection accuracy calculated by performing the series of network security checks on data extracted by the candidate data extraction strategy from all packets constituting the optimization target network session and the reference security threat detection accuracy is determined by a predetermined value. Must be below the standard.
According to paragraph 2,
The plurality of candidate data extraction strategies are prioritized,
A network inspection system in which the data extraction strategy corresponding to the network session to be optimized is the highest priority among the candidate data extraction strategies that satisfy the [selection conditions].
According to paragraph 3,
A network inspection system wherein the priority of the plurality of candidate data extraction strategies decreases as the size of data extracted by the strategy increases.
According to paragraph 4,
The plurality of candidate data extraction strategies are, in order of priority from high to low,
Strategies to extract network metadata,
Strategies to extract network metadata and content metadata;
A strategy for extracting network metadata, content metadata, and some packets selected based on predetermined selection criteria, and
A network inspection system that includes a strategy to extract entire packets.
According to paragraph 4,
The plurality of candidate data extraction strategies are:
It includes a strategy for extracting the initial K preceding packets from all packets constituting the network session,
Here, K is a random natural number satisfying N _min <= K <= N _max , and N _min and N _max are predetermined natural numbers satisfying N _min < N _max . Network inspection system.
According to paragraph 4,
The plurality of candidate data extraction strategies are:
It includes a strategy for extracting K subsequent packets from the first payload packet containing the payload among all packets constituting the network session,
Here, K is a random natural number satisfying N _min <= K <= N _max , and N _min and N _max are predetermined natural numbers satisfying N _min < N _max . Network inspection system.
According to paragraph 1,
A network inspection system further comprising a security inspection module that performs a network security inspection on the extraction target network session based on packets extracted from the extraction target network session.
A construction step in which the computing system builds a database for a predetermined optimization period; and
An extraction step in which the computing system extracts at least some of the plurality of packets collected from the network during a predetermined data extraction period using the constructed database,
The construction stage is,
A first network session creation step of creating a network session based on a plurality of packets collected from the network during the optimization period;
A first protocol determination step of determining a protocol of a network session to be optimized, which is a network session created in the first network session creation step during the optimization period;
A data extraction strategy determination step of determining a data extraction strategy corresponding to the network session to be optimized - where the data extraction strategy corresponding to the network session to be optimized is selected from all packets constituting the network session to be optimized. Includes information about whether data should be extracted; and
A storage step of matching the protocol of the optimization target network session and the data extraction strategy and storing them in the database,
The extraction step is,
A second network session creation step of creating a network session based on a plurality of packets collected from the network during the data extraction period;
A second protocol determination step of determining the protocol of the network session to be extracted, which is the network session created in the second network session creation step during the data extraction period;
A search step of searching the strategy database for a data extraction strategy corresponding to the protocol of the network session to be extracted;
A network inspection method comprising a data storage step of extracting and storing data from all packets in the extraction target network session according to a data extraction strategy corresponding to the protocol of the extraction target network session.
According to clause 9,
The data extraction strategy decision step is,
calculating a standard security threat detection accuracy by performing a series of network security checks on all packets constituting the optimization target network session; and
A network inspection method comprising the step of determining one of a plurality of candidate data extraction strategies that satisfies the following [selection conditions] as the data extraction strategy corresponding to the network session to be optimized.
[Selection conditions]
The difference between the security threat detection accuracy calculated by performing the series of network security checks on data extracted by the candidate data extraction strategy from all packets constituting the optimization target network session and the reference security threat detection accuracy is determined by a predetermined value. Must be below the standard.
According to clause 10,
The plurality of candidate data extraction strategies are prioritized,
A network inspection method wherein the data extraction strategy corresponding to the network session to be optimized is the highest priority among the candidate data extraction strategies that satisfy the [selection conditions].
According to clause 11,
A network inspection method wherein the priority of the plurality of candidate data extraction strategies decreases as the size of data extracted by the strategy increases.
According to clause 12,
The plurality of candidate data extraction strategies are, in order of priority from high to low,
Strategies to extract network metadata,
Strategies to extract network metadata and content metadata;
A strategy for extracting network metadata, content metadata, and some packets selected based on predetermined selection criteria, and
A network inspection method that includes a strategy for extracting entire packets.
According to clause 12,
The plurality of candidate data extraction strategies are:
It includes a strategy for extracting the initial K preceding packets from all packets constituting the network session,
Here, K is a random natural number satisfying N _min <= K <= N _max , and N _min and N _max are predetermined natural numbers satisfying N _min < N _max . Network inspection method.
According to clause 12,
The plurality of candidate data extraction strategies are:
It includes a strategy for extracting K subsequent packets from the first payload packet containing the payload among all packets constituting the network session,
Here, K is a random natural number satisfying N _min <= K <= N _max , and N _min and N _max are predetermined natural numbers satisfying N _min < N _max . Network inspection method.
According to clause 9,
A network inspection method further comprising a security check step of performing a network security check on the extraction target network session based on packets extracted from the extraction target network session.
A computer program installed in a data processing device and recorded on a computer-readable medium for performing the method according to any one of claims 9 to 16. As a computing system,
processor; and
It includes a memory that stores a computer program executed by the processor,
The computer program, when executed by the processor, causes the computing system to perform the method according to any one of claims 9 to 16.