US20200014689A1 - Usb device for network security - Google Patents


Info

Publication number
US20200014689A1
Authority
US (United States)
Prior art keywords
data, determination unit, unit, transmission, server
Legal status
Granted
Application number
US16/505,318
Other versions
US10547619B1 (en)
Inventors
Young Hoon Park, Dae Yong JI
Current Assignee
Wisehub Systems Corp
Original Assignee
Young Hoon Park, Dae Yong JI
Application filed by Young Hoon Park and Dae Yong JI
Publication of US20200014689A1
Application granted
Publication of US10547619B1
Assigned to WISEHUB SYSTEMS CORP. (assignment of assignors' interest; assignors: JI, DAE YONG; PARK, YOUNG HOON)
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F 21/82 Protecting input, output or interconnection devices > G06F 21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0853 Authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0884 Authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/088 Access security using filters or firewalls
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F 2213/38 Universal adapter > G06F 2213/3812 USB port controller

Definitions

  • the present disclosure relates to a USB (Universal Serial Bus) device for network security that may be connected to an information device such as a computer to store information therein and to prevent automatic transmission of internal information therein to the information device.
  • a USB (Universal Serial Bus) device is a portable storage device that may be connected to an information device such as a computer to transfer or store data therein.
  • the USB device is widely used because it is easy to carry and easy to use.
  • In modern society, interest in and need for network security is increasing day by day. In this security field, it is necessary to prevent USB device internal information from being automatically recorded on a connected computer or the like even when the USB device is connected to the computer or the like.
  • One purpose of the present disclosure is to provide a USB device for network security that can prevent internal information in the USB device from being automatically recorded on a computer connected thereto even when the USB device is connected to the computer or the like.
  • a portable universal serial bus (USB) device for network security, wherein the USB device is connected to an external information device and stores information therein, wherein the USB device includes: a wireless communication unit configured for transmitting and receiving data to and from an external server in a wireless communication manner; a first storage unit configured for storing a driving program, a driving application, or a driving command therein; a second storage unit configured for storing data received from the information device and the server therein; and a control unit configured for controlling the wireless communication unit, the first storage unit and the second storage unit using the driving program, the driving application, or the driving command, wherein the control unit includes: a communication controller configured for controlling the wireless communication unit such that the USB device performs data communication with the server; a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command, or using an application program or an application supplied from the information device; and a transmission controller configured for: receiving data from the information device under control of the data processor; and
  • the transmission controller includes: an input unit configured for receiving data from the information device or the data processor; a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device; a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit; and a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor and for storing a log of the transmitted data in the second storage unit, wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the data transmission-disabling unit, wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit.
  • the transmission controller includes: an input unit configured for receiving data from the information device or the data processor; a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device; a second determination unit configured for receiving the data from the first determination unit and for determining whether allowance of data special transmission to the information device is set in the first storage unit or the second storage unit; a third determination unit configured for receiving the data from the second determination unit, and for receiving a server setting condition for the data special transmission from the server via the wireless communication unit, and then for determining whether the data received from the second determination unit satisfies the server setting condition; a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit or the third determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit; a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor, and for a first token
  • the server setting condition includes at least one selected from a group consisting of data transmission timing, data type, and data capacity.
  • the transmission controller includes: an input unit configured for receiving data from the information device or the data processor; a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device; a second determination unit configured for receiving the data from the first determination unit and for determining whether allowance of data special transmission to the information device is set in the first storage unit or the second storage unit; a fourth determination unit configured for receiving the data from the second determination unit and for determining whether the USB device is connected to the server via the wireless communication unit; a third determination unit configured for receiving the data from the fourth determination unit, and for receiving a server setting condition for the data special transmission from the server via the wireless communication unit, and then for determining whether the data received from the fourth determination unit satisfies the server setting condition; a fifth determination unit configured for receiving the data from the fourth determination unit, and for receiving a user setting condition from the data processor, and for determining whether the data received from the fourth determination unit satisfies
  • the device further includes an authentication unit configured for storing authentication information therein, wherein the control unit transmits the authentication information to the server via the wireless communication unit to access the server, wherein upon confirming the authentication information, the server allows the USB device to connect thereto.
  • the second storage unit includes a volatile memory connected to the control unit, and a nonvolatile memory connected to the volatile memory, wherein the volatile memory performs a buffer function to match a data transmission rate via the wireless communication unit with a data storage rate of the nonvolatile memory.
  • the transmission controller of the control unit may transmit data generated from the computer connected to the USB device to an internal portion of the USB device.
  • the transmission controller of the control unit may prevent the internal information generated from the USB device from being transmitted to the computer, although the transmission of the internal data to the computer is allowed only in an exceptional case.
  • the internal information in the USB device may not be recorded on the external computer. This may significantly improve security.
  • FIG. 1 is a block diagram illustrating a USB device for network security according to an embodiment of the present disclosure.
  • FIG. 2A to FIG. 2C are flow charts illustrating embodiments of a transmission controller shown in FIG. 1 .
  • FIG. 3 is a flow chart for illustrating a method for updating firmware of a USB device for network security according to the present disclosure.
  • FIG. 4 shows a diagram of a security searcher.
  • first element or layer when a first element or layer is referred to as being present “on” a second element or layer, the first element may be disposed directly on the second element or may be disposed indirectly on the second element with a third element or layer being disposed between the first and second elements or layers. It will be understood that when an element or layer is referred to as being “connected to”, or “coupled to” another element or layer, it can be directly on, connected to, or coupled to the other element or layer, or one or more intervening elements or layers may be present. In addition, it will also be understood that when an element or layer is referred to as being “between” two elements or layers, it can be the only element or layer between the two elements or layers, or one or more intervening elements or layers may also be present.
  • FIG. 1 is a block diagram illustrating a USB device for network security according to an embodiment of the present disclosure.
  • the USB device 1000 for network security refers to a storage device being connected to information devices such as a computer, a notebook, and a tablet PC and capable of storing information therein.
  • the information device is referred to as a computer.
  • the present disclosure is not limited thereto.
  • the computer described herein should be interpreted as including all types of information devices.
  • the USB device 1000 for network security includes a control unit 1100 , a wireless communication unit 1200 , an authentication unit 1300 , a first storage unit 1400 and a second storage unit 1500 .
  • the control unit 1100 may drive application programs, applications and control instructions stored in the first storage unit 1400 to control the wireless communication unit 1200 , the authentication unit 1300 , and the second storage unit 1500 .
  • control unit 1100 may include a communication controller 1110 , a data processor 1120 , and a transmission controller 1130 .
  • the communication controller 1110 controls wireless communication operations between a server 100 and the USB device 1000 for network security according to the present disclosure.
  • the communication controller 1110 may perform data transmission/reception with the server 100 .
  • the communication controller 1110 may control the operation of the wireless communication unit 1200 and the authentication unit 1300 .
  • the communication controller 1110 transmits authentication information stored in the authentication unit 1300 to the server 100 in a mobile communication or wireless Internet communication manner to control connection between the USB device 1000 for network security according to the present disclosure and the server 100 .
  • the communication controller 1110 may receive data from the server 100 or transmit data supplied from the data processor 1120 to the server 100 based on a control command from the data processor 1120 .
  • the data processor 1120 may be configured to control a data processing operation using the operating system and information, application programs, applications, and control instructions stored in the first storage unit 1400, or using an application program, an application, or the like provided from the computer 200 directly connected, via the transmission controller 1130, to the USB device 1000 for network security according to the present disclosure.
  • the data processor 1120 may store data or programs supplied from the server 100 and the computer 200 into the second storage unit 1500 .
  • the transmission controller 1130 may receive data from the computer 200, or may prevent data transmission from the USB device 1000 for network security according to the present disclosure to the computer 200, based on the control command from the data processor 1120. However, in exceptional cases, for example, when there is an instruction from the server 100 or when the user's setting condition is satisfied, the transmission controller 1130 may transmit data from the data processor 1120 to the computer 200. The operation of the transmission controller 1130 will be described later with reference to FIG. 2.
  • the wireless communication unit 1200 may transmit and receive data to and from the server 100 in the wireless communication manner.
  • the wireless communication unit 1200 may include a mobile communication module and a wireless Internet module.
  • the authentication unit 1300 may store authentication information such as MNO (Mobile Network Operator) information used in the wireless communication, and information necessary for other communication.
  • the control unit 1100 may transmit authentication information stored in the authentication unit 1300 to the server 100 to access the server 100 via the wireless communication unit 1200 .
  • the server 100 may allow the USB device 1000 for the network security to access the server.
  • the authentication unit 1300 refers to a chip that stores various information.
  • the authentication unit 1300 may include a user identity module, a subscriber identity module, a universal subscriber identity module, and an embedded subscriber identity module.
  • the first storage unit 1400 may store therein the operating system and information required for the control unit 1100 to operate, multiple application programs or applications, and instructions for controlling data. At least some of the application programs may be provided from the external server 100 via the wireless communication unit 1200 .
  • the first storage unit 1400 may be embodied as at least one storage medium selected from a flash memory type, a hard disk type, a solid state disk (SSD) type, a silicon disk drive (SDD) type, a multimedia card micro type, a card type memory (SD or XD memory, etc.), RAM (random access memory), SRAM (static random access memory), ROM (read-only memory), EEPROM (electrically erasable programmable read-only memory), PROM (programmable read-only memory), a magnetic memory, a magnetic disk, and an optical disc.
  • the control unit 1100 may store data received from the server 100 and the computer 200 in the second storage unit 1500.
  • the second storage unit 1500 may include a volatile memory device coupled to the control unit 1100 and a non-volatile memory device coupled to the volatile memory device.
  • the volatile memory device (RAM) may function as a buffer to match the data transmission rate via the wireless communication with the data storage rate of the nonvolatile memory device.
  • the volatile memory device may include at least one selected from DRAM, SRAM, etc.
  • the nonvolatile memory device may include a flash memory or the like.
  • FIG. 2A is a flow chart illustrating a first embodiment of the transmission controller shown in FIG. 1 .
  • the transmission controller 1130 may send and receive data to and from the data processor 1120 and the computer 200 .
  • the transmission controller 1130 may include an input unit 1130 a, a first determination unit 1130 b, a data transmission-disabling unit 1130 e, and a first data transmission unit 1130 d.
  • the input unit 1130 a may receive data from the computer 200 and the data processor 1120 and provide the data to the first determination unit 1130 b.
  • the first determination unit 1130 b determines, based on a first token including identification information among tokens of the data received from the input unit 1130 a, whether the corresponding data is generated from the data processor 1120 or is generated from the computer 200. If the corresponding data is generated from the data processor 1120, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e. If the corresponding data is generated from the computer 200, the corresponding data may be transmitted to the first data transmission unit 1130 d.
  • the data transmission-disabling unit 1130 e blocks transmission of data received from the first determination unit 1130 b to the computer 200 .
  • the data transmission-disabling unit 1130 e may store a log of the blocked data in the second storage unit 1500 .
  • the first data transmission unit 1130 d may transmit the data received from the first determination unit 1130 b to the data processor 1120 and may store a log of the transmitted data in the second storage unit 1500.
  • the network security can be improved by blocking the transmission of data generated from the USB device 1000 for the network security to the computer 200 using the transmission controller 1130 .
  • FIG. 2B is a flow chart illustrating a second embodiment of the transmission controller shown in FIG. 1 .
  • the transmission controller 1130 may include an input unit 1130 a, a first determination unit 1130 b, a second determination unit 1130 c, a data transmission-disabling unit 1130 e, a first data transmission unit 1130 d, a third determination unit 1130 h, and a second data transmission unit 1130 i.
  • the input unit 1130 a may receive data from the computer 200 and the data processor 1120 and provide the same to the first determination unit 1130 b.
  • the first determination unit 1130 b determines, based on a first token including identification information among tokens of the data received from the input unit 1130 a, whether the corresponding data is generated from the data processor 1120 or from the computer 200. If the corresponding data is generated from the data processor 1120, the corresponding data may be transmitted to the second determination unit 1130 c. If the corresponding data is generated from the computer 200, the corresponding data may be transmitted to the first data transmission unit 1130 d.
  • the first data transmission unit 1130 d may transmit the data received from the first determination unit 1130 b to the data processor 1120 and may store a log of the transmitted data in the second storage unit 1500 .
  • the second determination unit 1130 c determines, via the data processor 1120 , whether allowance of data special transmission from the USB device 1000 for the network security to the computer 200 is set in the first storage unit 1400 or the second storage unit 1500 . If the allowance of the data special transmission is not set, the second determination unit 1130 c transmits the corresponding data to the data transmission-disabling unit 1130 e.
  • If the allowance of the data special transmission is set, the second determination unit 1130 c transmits the corresponding data to the third determination unit 1130 h.
  • the third determination unit 1130 h receives the data from the second determination unit 1130 c, and receives a server setting condition for the data special transmission from the server 100 via the wireless communication unit 1200 and the data processor 1120. The third determination unit 1130 h may then determine whether the data received from the second determination unit 1130 c satisfies the server setting condition.
  • the server setting condition may include one or more conditions selected from data transmission timing, data type, data capacity, and so on.
  • If the received data satisfies the server setting condition, the third determination unit 1130 h may transmit the corresponding data to the second data transmission unit 1130 i. If the received data does not satisfy the server setting condition, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e.
  • the second data transmission unit 1130 i transmits the data received from the third determination unit 1130 h to the computer 200 .
  • the second data transmission unit 1130 i may store a log of the transmitted data in the second storage unit 1500 .
  • the data transmission-disabling unit 1130 e blocks the transmission of the data received from the first determination unit 1130 b and the third determination unit 1130 h to the computer 200 .
  • the data transmission-disabling unit 1130 e may store a log of blocked data into the second storage unit 1500 .
  • FIG. 2C is a flow chart illustrating a third embodiment of the transmission controller shown in FIG. 1 .
  • the transmission controller 1130 may include an input unit 1130 a, a first determination unit 1130 b, a second determination unit 1130 c, a data transmission-disabling unit 1130 e, a first data transmission unit 1130 d, a third determination unit 1130 h, a second data transmission unit 1130 i, a fourth determination unit 1130 f, and a fifth determination unit 1130 k.
  • the input unit 1130 a may receive data from the computer 200 and the data processor 1120 and provide the same to the first determination unit 1130 b.
  • the first determination unit 1130 b determines, based on a first token including identifying information among tokens of the data received from the input unit 1130 a, whether the corresponding data is generated from the data processor 1120 or from the computer 200. If the corresponding data is generated from the data processor 1120, the corresponding data may be transmitted to the second determination unit 1130 c. If the corresponding data is generated from the computer 200, the corresponding data may be transmitted to the first data transmission unit 1130 d.
  • the first data transmission unit 1130 d transmits the data received from the first determination unit 1130 b to the data processor 1120 , and stores a log of the transmitted data in the second storage unit 1500 .
  • the second determination unit 1130 c determines, via the data processor 1120 , whether allowance of data special transmission from the USB device 1000 for the network security to the computer 200 is set in the first storage unit 1400 or the second storage unit 1500 . If the allowance of the data special transmission is not set, the second determination unit 1130 c transmits the corresponding data to the data transmission-disabling unit 1130 e. If the allowance of the data special transmission is set, the corresponding data may be transmitted to the fourth determination unit 1130 f.
  • the fourth determination unit 1130 f may determine whether the connection between the server 100 and the USB device 1000 via the wireless communication unit 1200 is established. If the connection is established, the fourth determination unit 1130 f transmits the corresponding data to the third determination unit 1130 h. If the connection is not established, the fourth determination unit 1130 f may transmit the corresponding data to the fifth determination unit 1130 k.
  • the third determination unit 1130 h receives a server setting condition for the data special transmission from the server 100 via the wireless communication unit 1200 and the data processor 1120 . Then, the third determination unit 1130 h may determine whether the data received from the fourth determination unit 1130 f satisfies the server setting condition.
  • the server setting condition may include one or more conditions selected from data transmission timing, data type, data capacity, and so on.
  • If the third determination unit 1130 h determines that the data received from the fourth determination unit 1130 f satisfies the server setting condition, the corresponding data may be transmitted to the second data transmission unit 1130 i. When the received data does not satisfy the server setting condition, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e.
  • the fifth determination unit 1130 k receives the data from the fourth determination unit 1130 f, and receives a user setting condition from the data processor 1120. The fifth determination unit 1130 k may then determine whether the data received from the fourth determination unit 1130 f satisfies the user setting condition.
  • the user setting condition may include one or more conditions selected from data transmission timing, data type, data capacity, and so on.
  • If the fifth determination unit 1130 k determines that the data received from the fourth determination unit 1130 f satisfies the user setting condition, the corresponding data may be transmitted to the second data transmission unit 1130 i. If the received data does not satisfy the user setting condition, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e.
  • the second data transmission unit 1130 i transmits the data received from the third determination unit 1130 h or the fifth determination unit 1130 k to the computer 200 , and stores a log of the transmitted data in the second storage unit 1500 .
  • the data transmission-disabling unit 1130 e blocks transmission of the data received from the first determination unit 1130 b or the third determination unit 1130 h to the computer 200 , and stores a log of the blocked data in the second storage unit 1500 .
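The FIG. 2C decision flow (first, second, fourth, third and fifth determination units feeding the two data transmission units and the transmission-disabling unit) modelled as a small policy engine. This is an added illustration, not code from the patent or its assignee; the token layout, the condition fields (timing window, allowed types, size cap) and the fail-closed handling of a missing condition are assumptions.

```python
"""Reference model of the FIG. 2C transmission-controller flow (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Origin(Enum):
    DATA_PROCESSOR = "data_processor"   # data generated inside the USB device
    COMPUTER = "computer"               # data generated by the connected host


class Verdict(Enum):
    TO_DATA_PROCESSOR = "to_data_processor"  # first data transmission unit 1130 d
    TO_COMPUTER = "to_computer"              # second data transmission unit 1130 i
    BLOCKED = "blocked"                      # data transmission-disabling unit 1130 e


@dataclass
class Packet:
    tokens: list     # assumption: tokens[0] is the identifying "first token"
    size: int        # bytes, used for the data-capacity condition
    kind: str        # data type, e.g. "doc"
    timestamp: int   # constructed epoch-seconds, used for the timing condition


@dataclass
class Condition:
    """A server setting condition or a user setting condition (timing, type, capacity)."""
    time_window: tuple   # (start, end) inclusive
    allowed_types: set
    max_size: int

    def satisfied_by(self, pkt: Packet) -> bool:
        start, end = self.time_window
        return (start <= pkt.timestamp <= end
                and pkt.kind in self.allowed_types
                and pkt.size <= self.max_size)


@dataclass
class Policy:
    special_transmission_allowed: bool       # second determination unit: flag in storage
    server_connected: bool                   # fourth determination unit: link to server 100
    server_condition: Optional[Condition]    # third determination unit input
    user_condition: Optional[Condition]      # fifth determination unit input


@dataclass
class Log:
    """Stands in for the logs written to the second storage unit 1500."""
    entries: list = field(default_factory=list)


def first_determination(pkt: Packet) -> Origin:
    """Classify the data by its first token; anything not marked as host data is internal."""
    if not pkt.tokens:
        return Origin.DATA_PROCESSOR  # fail closed: unmarked data never leaves the device
    return Origin.COMPUTER if pkt.tokens[0] == "origin=computer" else Origin.DATA_PROCESSOR


def _block(pkt: Packet, log: Log, reason: str) -> Verdict:
    log.entries.append(("blocked", reason, pkt.kind, pkt.size))
    return Verdict.BLOCKED


def transmission_controller(pkt: Packet, policy: Policy, log: Log) -> Verdict:
    """Route one packet the way the FIG. 2C transmission controller 1130 does."""
    if first_determination(pkt) is Origin.COMPUTER:
        # Host-generated data always flows inward to the data processor.
        log.entries.append(("to_data_processor", pkt.kind, pkt.size))
        return Verdict.TO_DATA_PROCESSOR
    # Second determination unit: special transmission must be explicitly enabled.
    if not policy.special_transmission_allowed:
        return _block(pkt, log, "special transmission not set")
    # Fourth determination unit: pick the server condition when online, else the user's.
    if policy.server_connected:
        cond, reason = policy.server_condition, "server setting condition"
    else:
        cond, reason = policy.user_condition, "user setting condition"
    # Third / fifth determination unit: a missing condition is treated as unsatisfied.
    if cond is not None and cond.satisfied_by(pkt):
        log.entries.append(("to_computer", reason, pkt.kind, pkt.size))
        return Verdict.TO_COMPUTER
    return _block(pkt, log, reason + " not satisfied")


if __name__ == "__main__":
    log = Log()
    cond = Condition(time_window=(0, 200), allowed_types={"doc"}, max_size=64)
    internal = Packet(["origin=device", "payload"], size=10, kind="doc", timestamp=100)
    print(transmission_controller(internal, Policy(True, True, cond, None), log))
    print(log.entries)
```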
  • FIG. 3 is a flow chart for illustrating a method for updating firmware of the USB device for network security according to the present disclosure.
  • FIG. 4 shows a diagram of a security searcher.
  • The computer 200 may load a driver for driving the USB device 1000 for the network security.
  • The driver may then read the firmware and control program stored in the first storage unit 1400 and determine whether an update thereof is required. If the update is required, the driver may update the firmware and control program and store the updated firmware and control program into the first storage unit 1400 .
  • Then, the control unit 1100 may open a security searcher window as shown in FIG. 4 .

Abstract

A USB device includes: a wireless communication unit; a storage unit configured for storing a driving program, a driving application, a driving command, and/or data received from an external information device and/or a server therein; and a control unit configured for controlling the wireless communication unit and the storage unit, wherein the control unit includes: a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command; and a transmission controller configured for: receiving data from the information device under control of the data processor; and selectively allowing or disallowing data transmission from the data processor to the information device.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This application claims a benefit under 35 U.S.C. § 119(a) of Korean Patent Application No. 10-2018-0079160 filed on Jul. 9, 2018, with the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference for all purposes.
  • BACKGROUND
  • 1. Field
  • The present disclosure relates to a USB (Universal Serial Bus) device for network security that may be connected to an information device such as a computer to store information therein and to prevent automatic transmission of internal information therein to the information device.
  • 2. Description of Related Art
  • A USB (Universal Serial Bus) device is a portable storage device that may be connected to an information device such as a computer to transfer or store data therein. The USB device is widely used because it is easy to carry and easy to manipulate.
  • However, when the USB device is connected to a computer or the like, and the information stored in the USB device is opened, the corresponding information is automatically recorded on the computer. Thus, its security is weak.
  • In modern society, interest in and need for network security are increasing day by day. In this security field, it is necessary to prevent the internal information of a USB device from being automatically recorded on a connected computer or the like even when the USB device is connected to the computer or the like.
  • SUMMARY
  • This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify all key features or essential features of the claimed subject matter, nor is it intended to be used alone as an aid in determining the scope of the claimed subject matter.
  • One purpose of the present disclosure is to provide a USB device for network security that can prevent internal information in the USB device from being automatically recorded on a computer connected thereto even when the USB device is connected to the computer or the like.
  • In one aspect of the present disclosure, there is proposed a portable universal serial bus (USB) device for network security, wherein the USB device is connected to an external information device and stores information therein, wherein the USB device includes: a wireless communication unit configured for transmitting and receiving data to and from an external server in a wireless communication manner; a first storage unit configured for storing a driving program, a driving application, or a driving command therein; a second storage unit configured for storing data received from the information device and the server therein; and a control unit configured for controlling the wireless communication unit, the first storage unit and the second storage unit using the driving program, the driving application, or the driving command, wherein the control unit includes: a communication controller configured for controlling wireless communication of the wireless communication unit such that the USB device performs data communication with the server; a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command, or using an application program or an application supplied from the information device; and a transmission controller configured for: receiving data from the information device under control of the data processor; and selectively allowing or disallowing data transmission from the data processor to the information device.
  • In one implementation, the transmission controller includes: an input unit configured for receiving data from the information device or the data processor; a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device; a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit; and a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor and for storing a log of the transmitted data in the second storage unit, wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the data transmission-disabling unit, wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit.
  • In one implementation, the transmission controller includes: an input unit configured for receiving data from the information device or the data processor; a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device; a second determination unit configured for receiving the data from the first determination unit and for determining whether allowance of data special transmission to the information device is set in the first storage unit or the second storage unit; a third determination unit configured for receiving the data from the second determination unit, and for receiving a server setting condition for the data special transmission from the server via the wireless communication unit, and then for determining whether the data received from the second determination unit satisfies the server setting condition; a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit or the third determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit; a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor, and for storing a log of the transmitted data in the second storage unit; and a second data transmission unit configured for transmitting the data received from the third determination unit to the information device and for storing a log of the transmitted data in the second storage unit, wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit, wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the second determination unit, wherein when the second determination unit determines that the allowance of the data special transmission is not set, the second determination unit transmits the corresponding data to the data transmission-disabling unit; wherein when the second determination unit determines that the allowance of the data special transmission is set, the second determination unit transmits the corresponding data to the third determination unit, wherein when the third determination unit determines that the data received from the second determination unit satisfies the server setting condition, the third determination unit transmits the corresponding data to the second data transmission unit, wherein when the third determination unit determines that the data received from the second determination unit does not satisfy the server setting condition, the third determination unit transmits the corresponding data to the data transmission-disabling unit.
  • In one implementation, the server setting condition includes at least one selected from a group consisting of data transmission timing, data type, and data capacity.
  • In one implementation, the transmission controller includes: an input unit configured for receiving data from the information device or the data processor; a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device; a second determination unit configured for receiving the data from the first determination unit and for determining whether allowance of data special transmission to the information device is set in the first storage unit or the second storage unit; a fourth determination unit configured for receiving the data from the second determination unit and for determining whether the USB device is connected to the server via the wireless communication unit; a third determination unit configured for receiving the data from the fourth determination unit, and for receiving a server setting condition for the data special transmission from the server via the wireless communication unit, and then for determining whether the data received from the fourth determination unit satisfies the server setting condition; a fifth determination unit configured for receiving the data from the fourth determination unit, and for receiving a user setting condition from the data processor, and for determining whether the data received from the fourth determination unit satisfies the user setting condition; a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit or the third determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit; a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor, and for storing a log of the transmitted data in the second storage unit; and a second data transmission unit configured for transmitting the data received from the third or fifth determination unit to the information device and for storing a log of the transmitted data in the second storage unit, wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit, wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the second determination unit, wherein when the second determination unit determines that the allowance of the data special transmission is not set, the second determination unit transmits the corresponding data to the data transmission-disabling unit; wherein when the second determination unit determines that the allowance of the data special transmission is set, the second determination unit transmits the corresponding data to the fourth determination unit, wherein when the fourth determination unit determines that a connection between the server and the USB device is established, the fourth determination unit transmits the data received from the second determination unit to the third determination unit, wherein when the fourth determination unit determines that a connection between the server and the USB device is not established, the fourth determination unit transmits the data received from the second determination unit to the fifth determination unit, wherein when the third determination unit determines that the data received from the fourth determination unit satisfies the server setting condition, the third determination unit transmits the corresponding data to the second data transmission unit, wherein when the third determination unit determines that the data received from the fourth determination unit does not satisfy the server setting condition, the third determination unit transmits the corresponding data to the data transmission-disabling unit, wherein when the fifth determination unit determines that the data received from the fourth determination unit satisfies the user setting condition, the fifth determination unit transmits the corresponding data to the second data transmission unit, wherein when the fifth determination unit determines that the data received from the fourth determination unit does not satisfy the user setting condition, the fifth determination unit transmits the corresponding data to the data transmission-disabling unit.
  • In one implementation, the device further includes an authentication unit configured for storing authentication information therein, wherein the control unit transmits the authentication information to the server via the wireless communication unit to access the server, wherein upon confirming the authentication information, the server allows the USB device to connect thereto.
  • In one implementation, the second storage unit includes a volatile memory connected to the control unit, and a nonvolatile memory connected to the volatile memory, wherein the volatile memory performs a buffer function to match a data transmission rate via the wireless communication unit with a data storage rate of the nonvolatile memory.
  • According to the present disclosure, the transmission controller of the control unit may transmit data generated from the computer connected to the USB device to an internal portion of the USB device. However, the transmission controller of the control unit may prevent the internal information generated from the USB device from being transmitted to the computer, although the transmission of the internal data to the computer is allowed only in an exceptional case. Thus, even when the USB device in accordance with the present disclosure is connected to the external computer, the internal information in the USB device may not be recorded on the external computer. This may significantly improve security.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying drawings, which are incorporated in and form a part of this specification and in which like numerals depict like elements, illustrate embodiments of the present disclosure and, together with the description, serve to explain the principles of the disclosure.
  • FIG. 1 is a block diagram illustrating a USB device for network security according to an embodiment of the present disclosure.
  • FIG. 2A to FIG. 2C are flow charts illustrating embodiments of a transmission controller shown in FIG. 1.
  • FIG. 3 is a flow chart for illustrating a method for updating firmware of a USB device for network security according to the present disclosure.
  • FIG. 4 shows a diagram of a security searcher.
  • DETAILED DESCRIPTIONS
  • For simplicity and clarity of illustration, elements in the figures are not necessarily drawn to scale. The same reference numbers in different figures denote the same or similar elements, and as such perform similar functionality. Also, descriptions and details of well-known steps and elements are omitted for simplicity of the description. Furthermore, in the following detailed description of the present disclosure, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. However, it will be understood that the present disclosure may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present disclosure.
  • Examples of various embodiments are illustrated and described further below. It will be understood that the description herein is not intended to limit the claims to the specific embodiments described. On the contrary, it is intended to cover alternatives, modifications, and equivalents as may be included within the spirit and scope of the present disclosure as defined by the appended claims.
  • The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the present disclosure. As used herein, the singular forms “a” and “an” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “includes”, and “including” when used in this specification, specify the presence of the stated features, integers, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, operations, elements, components, and/or portions thereof. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. Expressions such as “at least one of” when preceding a list of elements may modify the entire list of elements and may not modify the individual elements of the list.
  • It will be understood that, although the terms “first”, “second”, “third”, and so on may be used herein to describe various elements, components, regions, layers and/or sections, these elements, components, regions, layers and/or sections should not be limited by these terms. These terms are used to distinguish one element, component, region, layer or section from another element, component, region, layer or section. Thus, a first element, component, region, layer or section described below could be termed a second element, component, region, layer or section, without departing from the spirit and scope of the present disclosure.
  • In addition, it will also be understood that when a first element or layer is referred to as being present “on” a second element or layer, the first element may be disposed directly on the second element or may be disposed indirectly on the second element with a third element or layer being disposed between the first and second elements or layers. It will be understood that when an element or layer is referred to as being “connected to”, or “coupled to” another element or layer, it can be directly on, connected to, or coupled to the other element or layer, or one or more intervening elements or layers may be present. In addition, it will also be understood that when an element or layer is referred to as being “between” two elements or layers, it can be the only element or layer between the two elements or layers, or one or more intervening elements or layers may also be present.
  • Unless otherwise defined, all terms including technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this inventive concept belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
  • FIG. 1 is a block diagram illustrating a USB device for network security according to an embodiment of the present disclosure.
  • Referring to FIG. 1, the USB device 1000 for network security according to an embodiment of the present disclosure refers to a storage device that is connected to information devices such as a computer, a notebook, and a tablet PC and is capable of storing information therein. For convenience of description, by way of example, the information device is referred to as a computer. However, the present disclosure is not limited thereto. The computer described herein should be interpreted as including all types of information devices.
  • The USB device 1000 for network security according to an embodiment of the present disclosure includes a control unit 1100, a wireless communication unit 1200, an authentication unit 1300, a first storage unit 1400 and a second storage unit 1500.
  • The control unit 1100 may drive application programs, applications and control instructions stored in the first storage unit 1400 to control the wireless communication unit 1200, the authentication unit 1300, and the second storage unit 1500.
  • In one embodiment, the control unit 1100 may include a communication controller 1110, a data processor 1120, and a transmission controller 1130.
  • The communication controller 1110 controls wireless communication operations between a server 100 and the USB device 1000 for network security according to the present disclosure. The communication controller 1110 may perform data transmission/reception with the server 100. For example, the communication controller 1110 may control the operation of the wireless communication unit 1200 and the authentication unit 1300. Specifically, the communication controller 1110 transmits authentication information stored in the authentication unit 1300 to the server 100 in a mobile communication or wireless Internet communication manner to control connection between the USB device 1000 for network security according to the present disclosure and the server 100. Further, the communication controller 1110 may receive data from the server 100 or transmit data supplied from the data processor 1120 to the server 100 based on a control command from the data processor 1120.
  • The data processor 1120 may be configured to control a data processing operation using the operating system, information, application programs, applications, and control instructions stored in the first storage unit 1400, or using an application program, an application, or the like provided from the computer 200 directly connected to the USB device 1000 for network security according to the present disclosure via the transmission controller 1130. In one example, the data processor 1120 may store data or programs supplied from the server 100 and the computer 200 into the second storage unit 1500.
  • The transmission controller 1130 may receive data from the computer 200, or may prevent data transmission from the USB device 1000 for network security according to the present disclosure to the computer 200, based on the control command from the data processor 1120. However, in exceptional cases, for example, when there is an instruction from the server 100 or when the user's setting condition is satisfied, the transmission controller 1130 may transmit data from the data processor 1120 to the computer 200. The operation of the transmission controller 1130 will be described later with reference to FIG. 2.
  • The wireless communication unit 1200 may transmit and receive data to and from the server 100 in the wireless communication manner. The wireless communication unit 1200 may include a mobile communication module and a wireless Internet module.
  • The authentication unit 1300 may store authentication information such as MNO (Mobile Network Operator) information used in the wireless communication, and information necessary for other communication. The control unit 1100 may transmit authentication information stored in the authentication unit 1300 to the server 100 to access the server 100 via the wireless communication unit 1200. Upon verifying the authentication information, the server 100 may allow the USB device 1000 for the network security to access the server.
  • In one embodiment, the authentication unit 1300 refers to a chip that stores various information. The authentication unit 1300 may include a user identity module, a subscriber identity module, a universal subscriber identity module, and an embedded subscriber identity module.
  • The first storage unit 1400 may store therein the operating system and information required for the control unit 1100 to operate, multiple application programs or applications, and instructions for controlling data. At least some of the application programs may be provided from the external server 100 via the wireless communication unit 1200.
  • In one embodiment, the first storage unit 1400 may be embodied as at least one storage medium selected from a flash memory type, a hard disk type, a solid state disk (SSD) type, a silicon disk drive (SDD) type, a multimedia card micro type, a card type memory (SD or XD memory, etc.), RAM (random access memory), SRAM (static random access memory), ROM (read-only memory), EEPROM (electrically erasable programmable read-only memory), PROM (programmable read-only memory), a magnetic memory, a magnetic disk, and an optical disc.
  • When the USB device 1000 for network security according to the present disclosure receives data from the server 100 via wireless communication or when the USB device 1000 for network security according to the present disclosure receives data from the computer 200 directly connected to the USB device 1000, the control unit 1100 may store these data in the second storage unit 1500.
  • In one embodiment, the second storage unit 1500 may include a volatile memory device coupled to the control unit 1100 and a non-volatile memory device coupled to the volatile memory device. In this case, the volatile memory device (RAM) may function as a buffer to match the data transmission rate via the wireless communication with the data storage rate of the nonvolatile memory device. The volatile memory device may include at least one selected from DRAM, SRAM, etc. The nonvolatile memory device may include a flash memory or the like.
  • Hereinafter, referring to FIG. 2A, an operation of the transmission controller 1130 of the control unit 1100 will be described in detail.
  • FIG. 2A is a flow chart illustrating a first embodiment of the transmission controller shown in FIG. 1.
  • Referring to FIG. 2A together with FIG. 1, the transmission controller 1130 may send and receive data to and from the data processor 1120 and the computer 200.
  • In one embodiment, the transmission controller 1130 according to the first embodiment may include an input unit 1130 a, a first determination unit 1130 b, a data transmission-disabling unit 1130 e, and a first data transmission unit 1130 d.
  • The input unit 1130 a may receive data from the computer 200 and the data processor 1120 and provide the data to the first determination unit 1130 b.
  • The first determination unit 1130 b determines, based on a first token including identification information among tokens of the data received from the input unit 1130 a, whether the corresponding data is generated from the data processor 1120 or is generated from the computer 200. If the corresponding data is generated from the data processor 1120, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e. If the corresponding data is data generated from the computer 200, the corresponding data may be transmitted to the first data transmission unit 1130 d.
  • The data transmission-disabling unit 1130 e blocks transmission of data received from the first determination unit 1130 b to the computer 200. The data transmission-disabling unit 1130 e may store a log of the blocked data in the second storage unit 1500.
  • The first data transmission unit 1130 d may transmit the data received from the first determination unit 1130 b to the data processor 1120 and may store a log of the transmitted data in the second storage unit 1500.
  • In this way, the network security can be improved by blocking the transmission of data generated from the USB device 1000 for the network security to the computer 200 using the transmission controller 1130.
  • FIG. 2B is a flow chart illustrating a second embodiment of the transmission controller shown in FIG. 1.
  • Referring to FIG. 2B together with FIG. 1, the transmission controller 1130 according to the second embodiment may include an input unit 1130 a, a first determination unit 1130 b, a second determination unit 1130 c, a data transmission-disabling unit 1130 e, a first data transmission unit 1130 d, a third determination unit 1130 h, and a second data transmission unit 1130 i.
  • The input unit 1130 a may receive data from the computer 200 and the data processor 1120 and provide the same to the first determination unit 1130 b.
  • The first determination unit 1130 b determines, based on a first token including identification information among tokens of data received from the input unit 1130 a, whether the corresponding data is data generated from the data processor 1120 or is data generated from the computer 200. If the corresponding data is data generated from the data processor 1120, the corresponding data may be transmitted to the second determination unit 1130 c. If the corresponding data is data generated from the computer 200, the corresponding data may be transmitted to the first data transmission unit 1130 d.
  • The first data transmission unit 1130 d may transmit the data received from the first determination unit 1130 b to the data processor 1120 and may store a log of the transmitted data in the second storage unit 1500.
  • When the second determination unit 1130 c receives data from the first determination unit 1130 b, the second determination unit 1130 c determines, via the data processor 1120, whether allowance of data special transmission from the USB device 1000 for the network security to the computer 200 is set in the first storage unit 1400 or the second storage unit 1500. If the allowance of the data special transmission is not set, the second determination unit 1130 c transmits the corresponding data to the data transmission-disabling unit 1130 e. If the allowance of the data special transmission is set, the second determination unit 1130 c transmits the corresponding data to the third determination unit 1130 h.
  • When the third determination unit 1130 h receives the data from the second determination unit 1130 c, the third determination unit 1130 h receives a server setting condition for the data special transmission from the server 100 via the wireless communication unit 1200 and the data processor 1120. Then, the third determination unit 1130 h may determine whether the data received from the second determination unit 1130 c satisfies the server setting condition. The server setting condition may include one or more conditions selected from data transmission timing, data type, data capacity, and so on. If the data received from the second determination unit 1130 c satisfies the server setting condition, the third determination unit 1130 h may transmit the corresponding data to the second data transmission unit 1130 i. If the received data does not satisfy the server setting condition, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e.
  • The second data transmission unit 1130 i transmits the data received from the third determination unit 1130 h to the computer 200. The second data transmission unit 1130 i may store a log of the transmitted data in the second storage unit 1500.
  • The data transmission-disabling unit 1130 e blocks the transmission of the data received from the first determination unit 1130 b and the third determination unit 1130 h to the computer 200. The data transmission-disabling unit 1130 e may store a log of blocked data into the second storage unit 1500.
  • FIG. 2C is a flow chart illustrating a third embodiment of the transmission controller shown in FIG. 1.
  • Referring to FIG. 2C together with FIG. 1, the transmission controller 1130 according to the third embodiment may include an input unit 1130 a, a first determination unit 1130 b, a second determination unit 1130 c, a data transmission-disabling unit 1130 e, a first data transmission unit 1130 d, a third determination unit 1130 h, a second data transmission unit 1130 i, a fourth determination unit 1130 f, and a fifth determination unit 1130 k.
  • The input unit 1130 a may receive data from the computer 200 and the data processor 1120 and provide the same to the first determination unit 1130 b.
  • The first determination unit 1130 b determines, based on a first token including identifying information among tokens of the data received from the input unit 1130 a, whether the corresponding data is data generated from the data processor 1120 or data generated from the computer 200. If the corresponding data is data generated from the data processor 1120, the corresponding data may be transmitted to the second determination unit 1130 c. If the corresponding data is data generated from the computer 200, the corresponding data may be transmitted to the first data transmission unit 1130 d.
  • The first data transmission unit 1130 d transmits the data received from the first determination unit 1130 b to the data processor 1120, and stores a log of the transmitted data in the second storage unit 1500.
  • When the second determination unit 1130 c receives the data from the first determination unit 1130 b, the second determination unit 1130 c determines, via the data processor 1120, whether allowance of data special transmission from the USB device 1000 for the network security to the computer 200 is set in the first storage unit 1400 or the second storage unit 1500. If the allowance of the data special transmission is not set, the second determination unit 1130 c transmits the corresponding data to the data transmission-disabling unit 1130 e. If the allowance of the data special transmission is set, the corresponding data may be transmitted to the fourth determination unit 1130 f.
  • When the fourth determination unit 1130 f receives the data from the second determination unit 1130 c, the fourth determination unit 1130 f may determine whether the connection between the server 100 and the USB device 1000 via the wireless communication unit 1200 is established or not. If the connection between the server 100 and the USB device 1000 via the wireless communication unit 1200 is established, the fourth determination unit 1130 f transmits the corresponding data to the third determination unit 1130 h. If the connection between the server 100 and the USB device 1000 via the wireless communication unit 1200 is not established, the fourth determination unit 1130 f may transmit the corresponding data to the fifth determination unit 1130 k.
  • When the third determination unit 1130 h receives the data from the fourth determination unit 1130 f, the third determination unit 1130 h receives a server setting condition for the data special transmission from the server 100 via the wireless communication unit 1200 and the data processor 1120. Then, the third determination unit 1130 h may determine whether the data received from the fourth determination unit 1130 f satisfies the server setting condition. The server setting condition may include one or more conditions selected from data transmission timing, data type, data capacity, and so on. When the third determination unit 1130 h determines that the data received from the fourth determination unit 1130 f satisfies the server setting condition, the corresponding data may be transmitted to the second data transmission unit 1130 i. When the received data does not satisfy the server setting condition, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e.
  • When the fifth determination unit 1130 k receives the data from the fourth determination unit 1130 f, the fifth determination unit 1130 k receives a user setting condition from the data processor 1120. Then, the fifth determination unit 1130 k may determine whether the data received from the fourth determination unit 1130 f satisfies the user setting condition. The user setting condition may include one or more conditions selected from data transmission timing, data type, data capacity, and so on. When the fifth determination unit 1130 k determines that the data received from the fourth determination unit 1130 f satisfies the user setting condition, the corresponding data may be transmitted to the second data transmission unit 1130 i. If the received data does not satisfy the user setting condition, the corresponding data may be transmitted to the data transmission-disabling unit 1130 e.
  • The second data transmission unit 1130 i transmits the data received from the third determination unit 1130 h or the fifth determination unit 1130 k to the computer 200, and stores a log of the transmitted data in the second storage unit 1500.
  • The data transmission-disabling unit 1130 e blocks transmission of the data received from the first determination unit 1130 b or the third determination unit 1130 h to the computer 200, and stores a log of the blocked data in the second storage unit 1500.
  • FIG. 3 is a flow chart illustrating a method for updating firmware of the USB device for network security according to the present disclosure. FIG. 4 shows a diagram of a security searcher.
  • Referring to FIG. 3 and FIG. 4, when the USB device 1000 for network security according to the present disclosure is connected to the computer 200, the computer 200 may load a driver for driving the USB device 1000 for the network security.
  • The driver may then read the firmware and the control program stored in the first storage unit 1400 and determine whether an update thereof is required. If the update is required, the driver may update the firmware and the control program and store the updated firmware and control program in the first storage unit 1400.
  • If the update is not required, or once the updated firmware and control program have been stored in the first storage unit 1400, the control unit 1100 may open a security searcher window as shown in FIG. 4.
  • According to the present disclosure, the transmission controller of the control unit may transmit data generated from the computer connected to the USB device to an internal portion of the USB device. Conversely, the transmission controller of the control unit prevents internal information generated from the USB device from being transmitted to the computer, allowing such transmission of internal data to the computer only in an exceptional case. Thus, even when the USB device in accordance with the present disclosure is connected to the external computer, the internal information in the USB device is not recorded on the external computer. This may significantly improve security.
  • While the present disclosure has been described with reference to preferred embodiments, those skilled in the art will appreciate that the present disclosure may be variously modified and changed without departing from the spirit and scope of the present disclosure set forth in the following claims.
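The transmission controller described above, rendered as an added Python model so the routing can be exercised with constructed messages. This is not the patent's or the applicant's code. It follows the third embodiment (FIG. 2C); the first and second embodiments are the special cases in which special transmission is never allowed or the server link is always up. The patent names the checks but not their encoding, so the following are assumptions: the first token is a plain origin string, a setting condition is a type allowlist plus a size limit plus a time window, the log is a list of dicts, and both an unrecognised origin token and a setting condition that cannot be obtained fail closed (blocked).

```python
"""Policy model of the patent's transmission controller (FIG. 2C embodiment).
Added example, not the patent's or applicant's code; see the lead-in for the
assumptions it makes."""
from dataclasses import dataclass, field
from typing import Optional

# Origin values carried in the "first token" of each message (assumed encoding).
ORIGIN_COMPUTER = "computer"      # data generated from the computer 200
ORIGIN_PROCESSOR = "processor"    # data generated from the data processor 1120

# Terminal outcomes, named after the unit of the patent that handles the data.
TO_PROCESSOR = "first_data_transmission_unit"   # 1130 d: inward, to data processor
TO_COMPUTER = "second_data_transmission_unit"   # 1130 i: outward, to computer
BLOCKED = "data_transmission_disabling_unit"    # 1130 e: dropped


@dataclass
class Message:
    tokens: list          # tokens[0] is the first token carrying the origin
    data_type: str
    size_bytes: int
    timestamp: int        # seconds since midnight (constructed for the example)


@dataclass
class SettingCondition:
    """Server or user setting condition: timing, type and capacity (same shape assumed)."""
    allowed_types: frozenset
    max_size_bytes: int
    window_start: int     # inclusive, seconds since midnight
    window_end: int       # inclusive

    def satisfied_by(self, msg: Message) -> bool:
        return (msg.data_type in self.allowed_types
                and msg.size_bytes <= self.max_size_bytes
                and self.window_start <= msg.timestamp <= self.window_end)


@dataclass
class DeviceState:
    special_transmission_allowed: bool      # flag held in storage unit 1400 or 1500
    server_connected: bool                  # wireless link to server 100 established?
    server_condition: Optional[SettingCondition]
    user_condition: Optional[SettingCondition]
    log: list = field(default_factory=list) # stands in for the second storage unit 1500


def _log(state, outcome, msg, reason):
    """Every terminal unit in the patent writes a log entry to the second storage unit."""
    state.log.append({"outcome": outcome, "origin": msg.tokens[0] if msg.tokens else None,
                      "data_type": msg.data_type, "size_bytes": msg.size_bytes,
                      "reason": reason})
    return outcome


def route(msg: Message, state: DeviceState) -> str:
    """Run one message through the determination chain; return the terminal unit."""
    origin = msg.tokens[0] if msg.tokens else None
    # First determination unit (1130 b): host-originated data always passes inward.
    if origin == ORIGIN_COMPUTER:
        return _log(state, TO_PROCESSOR, msg, "computer-origin data passed to data processor")
    if origin != ORIGIN_PROCESSOR:
        # Assumption (not in the patent): an unrecognised first token fails closed.
        return _log(state, BLOCKED, msg, "unrecognised origin token")
    # Second determination unit (1130 c): is special transmission enabled at all?
    if not state.special_transmission_allowed:
        return _log(state, BLOCKED, msg, "special transmission not allowed")
    # Fourth determination unit (1130 f): pick the policy source from the link state.
    if state.server_connected:
        condition, source = state.server_condition, "server setting condition"  # 1130 h
    else:
        condition, source = state.user_condition, "user setting condition"      # 1130 k
    # Third / fifth determination unit: evaluate the chosen condition.
    if condition is None:
        # Assumption: a condition that cannot be obtained blocks rather than allows.
        return _log(state, BLOCKED, msg, f"{source} unavailable")
    if condition.satisfied_by(msg):
        return _log(state, TO_COMPUTER, msg, f"{source} satisfied")   # 1130 i
    return _log(state, BLOCKED, msg, f"{source} not satisfied")       # 1130 e


def demo() -> list:
    """Constructed messages exercising each branch; returns the outcomes in order."""
    policy = SettingCondition(frozenset({"report"}), 4096, 9 * 3600, 17 * 3600)
    state = DeviceState(True, True, policy, policy)
    messages = [
        Message([ORIGIN_COMPUTER], "document", 100_000, 10 * 3600),  # inward: allowed
        Message([ORIGIN_PROCESSOR], "report", 1024, 10 * 3600),      # meets server condition
        Message([ORIGIN_PROCESSOR], "report", 8192, 10 * 3600),      # too large
        Message([ORIGIN_PROCESSOR], "keyfile", 512, 10 * 3600),      # wrong type
        Message([ORIGIN_PROCESSOR], "report", 1024, 22 * 3600),      # outside window
        Message(["garbage"], "report", 1024, 10 * 3600),             # unknown origin
    ]
    return [route(m, state) for m in messages]


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the asymmetry the disclosure relies on: inward traffic (computer to device) has a single unconditional path, while every outward path must pass the allowance flag and then a condition check, and each terminal unit writes a log entry, so the second storage unit ends up holding a record of both what left the device and what was stopped.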

Claims (8)

1. A universal serial bus (USB) device for network security, wherein the USB device is connected to an external information device and stores information therein, the USB device comprising:
a wireless communication unit configured for transmitting and receiving data to and from an external server in a wireless communication manner;
a first storage unit configured for storing a driving program, a driving application, or a driving command therein;
a second storage unit configured for storing data received from the information device and the server therein; and
a control unit configured for controlling the wireless communication unit, the first storage unit and the second storage unit using the driving program, the driving application, or the driving command,
wherein the control unit comprises a communication controller configured for controlling wireless communication between the wireless communication unit such that the USB device performs data communication with the server; a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command, or using an application program or an application supplied from the information device; and a transmission controller configured for receiving data from the information device under control of the data processor and selectively allowing or disallowing data transmission from the data processor to the information device,
wherein the transmission controller comprises:
an input unit configured for receiving data from the information device or the data processor;
a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device;
a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit; and
a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor and for storing a log of the transmitted data in the second storage unit,
wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the data transmission-disabling unit,
wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit.
2. A universal serial bus (USB) device for network security, wherein the USB device is connected to an external information device and stores information therein, the USB device comprising:
a wireless communication unit configured for transmitting and receiving data to and from an external server in a wireless communication manner;
a first storage unit configured for storing a driving program, a driving application, or a driving command therein;
a second storage unit configured for storing data received from the information device and the server therein; and
a control unit configured for controlling the wireless communication unit, the first storage unit and the second storage unit using the driving program, the driving application, or the driving command,
wherein the control unit comprises a communication controller configured for controlling wireless communication between the wireless communication unit such that the USB device performs data communication with the server; a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command, or using an application program or an application supplied from the information device; and a transmission controller configured for receiving data from the information device under control of the data processor and selectively allowing or disallowing data transmission from the data processor to the information device,
wherein the transmission controller comprises:
an input unit configured for receiving data from the information device or the data processor;
a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device;
a second determination unit configured for receiving the data from the first determination unit and for determining whether allowance of data special transmission to the information device is set in the first storage unit or the second storage unit;
a third determination unit configured for receiving the data from the second determination unit, and for receiving a server setting condition for the data special transmission from the server via the wireless communication unit, and then for determining whether the data received from the second determination unit satisfies the server setting condition;
a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit or the third determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit;
a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor, and for storing a log of the transmitted data in the second storage unit; and
a second data transmission unit configured for transmitting the data received from the third determination unit to the information device and for storing a log of the transmitted data in the second storage unit,
wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit,
wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the second determination unit,
wherein when the second determination unit determines that the allowance of the data special transmission is not set, the second determination unit transmits the corresponding data to the data transmission-disabling unit,
wherein when the second determination unit determines that the allowance of the data special transmission is set, the second determination unit transmits the corresponding data to the third determination unit,
wherein when the third determination unit determines that the data received from the second determination unit satisfies the server setting condition, the third determination unit transmits the corresponding data to the second data transmission unit,
wherein when the third determination unit determines that the data received from the second determination unit does not satisfy the server setting condition, the third determination unit transmits the corresponding data to the data transmission-disabling unit.
3. The USB device of claim 2, wherein the server setting condition includes at least one selected from a group consisting of data transmission timing, data type, and data capacity.
4. A universal serial bus (USB) device for network security, wherein the USB device is connected to an external information device and stores information therein, the USB device comprising:
a wireless communication unit configured for transmitting and receiving data to and from an external server in a wireless communication manner;
a first storage unit configured for storing a driving program, a driving application, or a driving command therein;
a second storage unit configured for storing data received from the information device and the server therein; and
a control unit configured for controlling the wireless communication unit, the first storage unit and the second storage unit using the driving program, the driving application, or the driving command,
wherein the control unit comprises a communication controller configured for controlling wireless communication between the wireless communication unit such that the USB device performs data communication with the server; a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command, or using an application program or an application supplied from the information device; and a transmission controller configured for receiving data from the information device under control of the data processor and selectively allowing or disallowing data transmission from the data processor to the information device,
wherein the transmission controller comprises:
an input unit configured for receiving data from the information device or the data processor;
a first determination unit configured for determining, based on a first token including identifying information among tokens of the data received from the input unit, whether the received data is generated from the data processor or from the information device;
a second determination unit configured for receiving the data from the first determination unit and for determining whether allowance of data special transmission to the information device is set in the first storage unit or the second storage unit;
a fourth determination unit configured for receiving the data from the second determination unit and for determining whether the USB device is connected to the server via the wireless communication unit;
a third determination unit configured for receiving the data from the fourth determination unit, and for receiving a server setting condition for the data special transmission from the server via the wireless communication unit, and then for determining whether the data received from the fourth determination unit satisfies the server setting condition;
a fifth determination unit configured for receiving the data from the fourth determination unit, and for receiving a user setting condition from the data processor, and for determining whether the data received from the fourth determination unit satisfies the user setting condition;
a data transmission-disabling unit configured for blocking transmission of the data received from the first determination unit or the third determination unit to the information device and for storing a log of the transmission-blocked data in the second storage unit;
a first data transmission unit configured for transmitting the data received from the first determination unit to the data processor, and for storing a log of the transmitted data in the second storage unit; and
a second data transmission unit configured for transmitting the data received from the third or fifth determination unit to the information device and for storing a log of the transmitted data in the second storage unit,
wherein when the first determination unit determines that the data received from the input unit is generated from the information device, the first determination unit transmits the corresponding data to the first data transmission unit,
wherein when the first determination unit determines that the data received from the input unit is generated from the data processor, the first determination unit transmits the corresponding data to the second determination unit,
wherein when the second determination unit determines that the allowance of the data special transmission is not set, the second determination unit transmits the corresponding data to the data transmission-disabling unit,
wherein when the second determination unit determines that the allowance of the data special transmission is set, the second determination unit transmits the corresponding data to the fourth determination unit,
wherein when the fourth determination unit determines that a connection between the server and the USB device is established, the fourth determination unit transmits the data received from the second determination unit to the third determination unit,
wherein when the fourth determination unit determines that a connection between the server and the USB device is not established, the fourth determination unit transmits the data received from the second determination unit to the fifth determination unit,
wherein when the third determination unit determines that the data received from the fourth determination unit satisfies the server setting condition, the third determination unit transmits the corresponding data to the second data transmission unit,
wherein when the third determination unit determines that the data received from the fourth determination unit does not satisfy the server setting condition, the third determination unit transmits the corresponding data to the data transmission-disabling unit,
wherein when the fifth determination unit determines that the data received from the fourth determination unit satisfies the user setting condition, the fifth determination unit transmits the corresponding data to the second data transmission unit,
wherein when the fifth determination unit determines that the data received from the fourth determination unit does not satisfy the user setting condition, the fifth determination unit transmits the corresponding data to the data transmission-disabling unit.
5. The USB device of claim 2, further comprising an authentication unit configured for storing authentication information therein,
wherein the control unit transmits the authentication information to the server via the wireless communication unit to access the server,
wherein upon confirming the authentication information, the server allows the USB device to connect thereto.
6. The USB device of claim 3, further comprising an authentication unit configured for storing authentication information therein,
wherein the control unit transmits the authentication information to the server via the wireless communication unit to access the server,
wherein upon confirming the authentication information, the server allows the USB device to connect thereto.
7. The USB device of claim 5, further comprising an authentication unit configured for storing authentication information therein,
wherein the control unit transmits the authentication information to the server via the wireless communication unit to access the server,
wherein upon confirming the authentication information, the server allows the USB device to connect thereto.
8. A universal serial bus (USB) device for network security, wherein the USB device is connected to an external information device and stores information therein, the USB device comprising:
a wireless communication unit configured for transmitting and receiving data to and from an external server in a wireless communication manner;
a first storage unit configured for storing a driving program, a driving application, or a driving command therein;
a second storage unit configured for storing data received from the information device and the server therein; and
a control unit configured for controlling the wireless communication unit, the first storage unit and the second storage unit using the driving program, the driving application, or the driving command,
wherein the control unit comprises a communication controller configured for controlling wireless communication between the wireless communication unit such that the USB device performs data communication with the server; a data processor configured for controlling a data processing operation using the driving program, the driving application or the driving command, or using an application program or an application supplied from the information device; and a transmission controller configured for receiving data from the information device under control of the data processor and selectively allowing or disallowing data transmission from the data processor to the information device,
wherein the second storage unit includes a volatile memory connected to the control unit, and a nonvolatile memory connected to the volatile memory,
wherein the volatile memory performs a buffer function to match a data transmission rate via the wireless communication unit with a data storage rate of the nonvolatile memory.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020180079160A KR101980487B1 (en) 2018-07-09 2018-07-09 Usb device for network security
KR10-2018-0079160 2018-07-09

Publications (2)

Publication Number Publication Date
US20200014689A1 true US20200014689A1 (en) 2020-01-09
US10547619B1 US10547619B1 (en) 2020-01-28

Family

ID=66678515

Family Applications (1)

Application Number Title Priority Date Filing Date
US16/505,318 Active US10547619B1 (en) 2018-07-09 2019-07-08 USB device for network security

Country Status (2)

Country Link
US (1) US10547619B1 (en)
KR (1) KR101980487B1 (en)

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7644211B2 (en) * 2004-12-07 2010-01-05 Cisco Technology, Inc. Method and system for controlling transmission of USB messages over a data network between a USB device and a plurality of host computers
KR100676087B1 (en) * 2005-03-24 2007-02-01 케이비 테크놀러지 (주) Secure data storage apparatus with USB interface, and method thereof
US7886353B2 (en) * 2005-03-25 2011-02-08 Microsoft Corporation Accessing a USB host controller security extension using a HCD proxy
US7761618B2 (en) * 2005-03-25 2010-07-20 Microsoft Corporation Using a USB host controller security extension for controlling changes in and auditing USB topology
KR20070016029A (en) * 2005-08-02 2007-02-07 최성필 Portable usb storage device for providing computer security function and method for operating the device
US20090049307A1 (en) * 2007-08-13 2009-02-19 Authennex, Inc. System and Method for Providing a Multifunction Computer Security USB Token Device
JP2009070298A (en) * 2007-09-14 2009-04-02 Fujitsu Ltd Storage device, data management unit, storage medium management method, and computer program
KR100940508B1 (en) * 2007-12-12 2010-02-10 (주)세이퍼존 USB memory management system
US7930446B2 (en) * 2007-12-28 2011-04-19 Intel Corporation Methods and apparatuses for wireless network communication wherein a universal serial bus request block (URB) is generated that will vary parameters that controls wireless transmission commands between devices
US8316228B2 (en) * 2008-12-17 2012-11-20 L-3 Communications Corporation Trusted bypass for secure communication
US20120079563A1 (en) * 2009-03-24 2012-03-29 G2, Labs LLC. Method and apparatus for minimizing network vulnerability via usb devices
KR101070766B1 (en) * 2010-01-28 2011-10-07 주식회사 세미닉스 Usb composite apparatus with memory function and hardware security module
US9734358B2 (en) * 2015-01-02 2017-08-15 High Sec Labs Ltd Self-locking USB protection pug device having LED to securely protect USB jack
US10248597B2 (en) * 2015-10-30 2019-04-02 Response Technologies, Ltd. USB communication control module, security system, and method for same
US20170222964A1 (en) * 2016-01-28 2017-08-03 The Agreeable Company, LLC Methods and systems for verification of in-person meetings
US10721166B2 (en) * 2017-12-08 2020-07-21 International Business Machines Corporation Ensuring data locality for secure transmission of data

Also Published As

Publication number Publication date
KR101980487B1 (en) 2019-05-20
US10547619B1 (en) 2020-01-28

Similar Documents

Publication Publication Date Title
CN106462509B (en) Apparatus and method for securing access protection schemes
TWI426389B (en) System and method for updating read-only memory in smart card memory modules
US11334510B1 (en) Systems and methods for combination write blocking with connection interface control devices
US20050177709A1 (en) Apparatus and method for updating firmware
US9232006B2 (en) Remote access to a data storage device
US10037206B2 (en) Methods and systems for state switching
US9794330B2 (en) Server, server management system and server management method
CN102609741A (en) Mobile device and method for exchange data between internal and external storage cards
US20140137266A1 (en) Access system and method thereof
US11853604B2 (en) Computational storage device, method, and data processing system executing operation in accordance with information in command
JP5225054B2 (en) IC card
US8370535B2 (en) Routing commands within a multifunctional device
US10547619B1 (en) USB device for network security
US10416891B2 (en) Systems and methods for transitioning and updating/tailoring machine instructions from a first system with an older or initial one or set of components to a second system or platform with one or more different components and new or modified operations or functions along with additional potential applications including use in network security and intrusion detection
US20080301288A1 (en) Method and device for monitoring a transaction
US20040186953A1 (en) Write protection for computer long-term memory devices with multi-port selective blocking
US20140372653A1 (en) Storage Device with Multiple Interfaces and Multiple Levels of Data Protection and Related Method Thereof
US20130340068A1 (en) Memory device comprising a plurality of memory chips, authentication system and authentication method thereof
US20100318728A1 (en) Solid state drive device
US20200410085A1 (en) Usb mass storage device access control method and access control apparatus
US11175833B2 (en) Method for controlling a data storage device based on a user profile, and associated data storage device
US20200133837A1 (en) Memory controller and memory system
US8850600B2 (en) Data storage device and data storage system including the same
JP5214291B2 (en) IC card and IC card control method
CN110597646A (en) Data reading and writing method and system, electronic equipment and storage medium

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: WISEHUB SYSTEMS CORP., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PARK, YOUNG HOON;JI, DAE YONG;REEL/FRAME:058566/0779

Effective date: 20211216

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4