WO2008039033A1 - Policy based network management method and system - Google Patents
Policy based network management method and system
- Publication number: WO2008039033A1 (PCT/KR2007/004770)
- Authority: WO (WIPO, PCT)
- Prior art keywords: client, running, network, control server, utilization rate
Classifications (CPC, all under H04L—Transmission of digital information)
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L41/0695—Management of faults, events, alarms or notifications, the faulty arrangement being the maintenance, administration or management system
- H04L41/0856—Retrieval of network configuration; tracking network configuration history by backing up or archiving configuration information
- H04L41/0894—Policy-based network configuration management
- H04L63/20—Network architectures or network communication protocols for managing network security; network security policies in general
Definitions
- The access control server may generate and store a running history of the client based on the running information.
- The present invention provides a policy control method for a network system, the network system including one or more clients, an access control server, and an NMS for controlling network access of the client, wherein each of the clients is provided with a monitoring program for monitoring running information about processes and application programs, which are run in the client, and a network utilization rate; and the policy control method comprises the steps of: the access control server acquiring the running information of the client through the monitoring program; the access control server analyzing the running information, and determining whether the client has violated running criteria preset for processes, application programs, and a network utilization rate; the access control server notifying the access control server of whether the client has violated the running criteria; and the access control server limiting running of one or more processes and application programs of the client depending on whether the client has violated the running criteria, and limiting network access of the client by controlling the NMS when the network utilization rate has violated the running criteria.
- The NMS may be notified of the deviation by the access control server and block the network access of the client.
- The NMS may allocate the client to a preset VLAN region and thus isolate the client by controlling the access control server.
- The monitoring program includes a network manager for monitoring a network utilization rate of the client; a process manager for monitoring a process utilization rate of the client; an application program manager for monitoring application programs executed in the client; a policy determination module for comparing the running information, collected from the network manager, the process manager and the application program manager, with the running criteria and determining whether the client has violated the running criteria; and an interface module for transmitting results of the determination of the policy determination module and the running information, collected for the client, to the access control server.
- The monitoring program may further include an anti-virus program, the anti-virus program providing results of inspection of the anti-virus program to the access control server through the interface module.
- The access control server may generate and store a running history of the client based on the running information.
- The present invention provides a policy control system for a network system, the network system including one or more clients, an access control server, and an NMS for controlling network access of the client, comprising a client
- The access control server includes a collection module for collecting information about any one of processes and application programs, which are executed in the client, and a network utilization rate of the client; and a policy determination module provided with running criteria for a processor utilization rate of any one of the processes and the application programs of the client and the network utilization rate, and configured to determine one or more items, which belong to the running information of the client and have violated the running criteria, based on the running criteria; wherein the access control server limits running of one or more processes and application programs, which are run in the client, when the processor utilization rate of the client has violated the running criteria, and limits the network access of the client by controlling the NMS when the network utilization rate of the client has violated the running criteria.
- The client includes a network manager for monitoring the network utilization rate of the client; a process manager for monitoring the process utilization rate of the client; an application program manager for monitoring application programs executed in the client; and a policy determination module for comparing the running information, collected from the network manager, the process manager and the application program manager, with the running criteria, determining whether the client has violated the running criteria, and transmitting results of the determination to the access control server.
- The policy control system further includes a file manager for checking a history file, including an Internet access history and running application history of the client, and providing results of the check to the access control server through the interface module.
- The Internet access history may be any one of URLs and IP addresses that are accessed by the client over the Internet.
- The NMS may be notified of the deviation by the access control server and block the network access of the client.
- The access control server allocates the client to a preset VLAN region and thus isolates the client by controlling the NMS.
- The network access of each client and the running of application programs (or processes) can be controlled by acquiring running information about application programs and processes, which are run in a client terminal that accesses a network, and a network utilization rate, and applying the running information to a control policy preset for the control of each client. Furthermore, the present invention can minimize excessive traffic and the running of undesired application programs, which occur in a client, and leaves the histories of application programs and processes, which have been run in a client, and network information in the policy control server, so that the causes of problems can be easily determined when the problems occur in a network system.
- FIG. 1 is a diagram conceptually showing a policy control method for a network system according to an embodiment of the present invention
- FIG. 2 is a conceptual block diagram of a network policy control system to which the network policy control method, described in conjunction with FIG. 1, is applied
- FIG. 3 is a view showing an example of a history file provided in an operating system
- FIG. 4 is a diagram conceptually showing a policy control method for a network system according to another embodiment of the present invention
- FIG. 5 is a conceptual block diagram of a network policy control system to which the policy control method, described in conjunction with FIG. 4, is applied.
- FIG. 1 conceptually shows a policy control method for a network system according to an embodiment of the present invention.
- A monitoring program for collecting information (hereinafter referred to as "running information") about processes executed in the client 10, application programs executed in the client 10, and the network utilization rate of the client 10, and for providing the running information to a policy control server 100, is provided in the client 10.
- The policy control server 100 compares the running information, provided from the client 10, with preset running criteria, and determines whether the client 10 has violated the running criteria.
- The running criteria provided in the policy control server 100 are criteria for the limit network utilization rate of the client 10 connected to a network, the limit processor utilization rate of an application program installed in the client 10, and the limit processor utilization rate of a process being executed in the client 10.
- The following criteria may be used as the running criteria:
- The running criteria may be related to application programs and processes the running of which in a client is limited.
- When the processor utilization rate of an application program or a process reaches 98%, the probability that the processor utilization rate has been caused by a virus or malicious code is very high. Furthermore, if the network utilization rate is greater than 0.5% or continuously increases above 0.5%, the probability that the network utilization rate has been caused by a virus or malicious code is very high.
- The monitoring program provides notification to the policy control server 100.
- The policy control server 100 may block the network access of the client, or may control the monitoring program and terminate an application program (or process) that causes an excessive processor utilization rate in the client.
- The policy control server 100 notifies an NMS 200 of information about the client that causes excessive network traffic in order to block the network access of the client 10, and then the NMS 200 blocks the network access of the corresponding client.
- The monitoring program may check an operating system, installed in the client 10, for a history file in which an Internet access history of the client 10, a running history of a running application, etc. are stored, and notify the policy control server 100 of the results of the check.
- The history file includes information about target IP addresses or URLs accessed by the client 10 over the network, and includes a list of files opened by the client 10.
- FIG. 2 is a conceptual block diagram of a network policy control system to which the network policy control method, described in conjunction with FIG. 1, is applied.
- The monitoring program includes a network manager 10a, a process manager 10b, an application program manager 10c, a file manager 10d, and an interface module 10e.
- The policy control server 100 includes a collection module 110, a policy determination module 120, and a database 130.
- The database 130 includes a policy information storage unit 131 and a running criteria information storage unit 132.
- The process manager 10b monitors processes that are being executed in the client.
- Processes include processes that are automatically executed by an operating system installed in the client 10 regardless of the intention of a user who operates the client 10, and the processes of application programs that are run by a user or that are loaded into memory in conjunction with the application programs.
- When an operating system is affected by a virus or malicious code, a malicious process, other than the operating system and processes loaded by a user, is loaded into memory, and uses memory resources or increases network traffic.
- The process manager 10b acquires a list of processes running in the client 10 and information about the processor utilization rate (or occupation rate) of each process, and provides them to the interface module 10e.
- The application program manager 10c acquires a list of application programs run by a user in the client 10, and provides the list to the interface module 10e.
- The network manager 10a monitors information about the network utilization rate of the client 10, and provides it to the interface module 10e.
- The network manager 10a also acquires information about a port used by the client 10 for network access, and provides it to the interface module 10e.
- For example, the port used by the client 10 for Internet access is TCP port 80; TCP ports 443 and 1863 when MSN Messenger is used; and TCP port 4662 and UDP port 4762 when a file sharing program, such as PRUNA, is used. That is, ports differ for respective application programs, and widely used application programs use preset ports.
- The file manager 10d checks an operating system, installed in the client 10, for a history file, and provides the results of the check to the interface module 10e.
- A history file is provided in the operating system, as shown in FIG. 3.
- The illustrated history file includes the site access history of a user and the functions of tasks performed in accessed websites.
- The file manager 10d may check the history file on a time basis (for example, an hour basis, a day basis, and so on), or may check the running history of a user when an event (for example, the running of an application program) is generated by the user, and provide the results of the check to the interface module 10e.
- The interface module 10e converts the running information and the history file information, which are collected from the file manager 10d, the network manager 10a, the process manager 10b, and the application program manager 10c, into a format that is previously agreed upon with the policy control server 100, and provides them to the policy control server 100.
- The interface module 10e may encrypt the running information (and the history file information), and transmit them to the policy control server 100.
- The policy control server 100 analyzes the running information and the history information received from the monitoring program, and determines whether the client 10 observes appropriate running criteria based on the results of the analysis.
- The collection module 110 acquires and parses the running information, received from the interface module 10e, in the format that is previously agreed upon with the interface module 10e.
- The running information and the history file information parsed in the collection module 110 are provided to the policy determination module 120.
- The policy determination module 120 includes the running criteria storage unit 132 provided with running criteria, and the policy information storage unit 131 provided with policy information for controlling a client through the monitoring program or NMS 200 when the client has violated the running criteria.
- The running criteria information storage unit 132 and the policy information storage unit 131 may be configured to be included in the database 130.
- The policy determination module 120 compares the running information and history file information of the client 10, provided through the monitoring program, with the running criteria information, and determines whether the client 10 has violated the running criteria. If, as a result of the determination, it is determined that the client 10 has violated the running criteria, the policy determination module 120 searches for policy information corresponding to the running criteria violation item of the client 10, and limits (or blocks) the running of application programs and processes of the client 10 or the network access of the client 10 by controlling the monitoring program or the NMS 200. In this case, if it is determined that a virus or malicious code has infiltrated into the client 10, the policy determination module 120 may isolate the client 10 from the entire network by allocating the client 10 to a Virtual LAN (VLAN) region.
- Whether a virus and/or malicious code has infiltrated into the client 10 may be determined with reference to process information provided by the monitoring program.
- The virus or malicious code can infiltrate into an operating system, and be automatically executed therein.
- The process manager 10b detects the execution processes of the virus or malicious code, and transmits the results of the detection to the policy control server 100.
- The policy control server 100 stops the running of the corresponding process (or application program) by controlling the manager program.
- The criteria information storage unit 132 is provided with information about processes running in the operating system of the client 10 when a virus or malicious code is executed.
- FIG. 4 conceptually shows a policy control method for a network system according to another embodiment of the present invention.
- The illustrated embodiment is similar to that shown in FIG. 1, but further includes a policy determination module for determining a policy in a manager program.
- The policy determination module checks the running information of the client 10, and thus determines whether the client 10 has violated running criteria and takes measures based on the results of the determination. Accordingly, in the present embodiment, the policy control server 100 is notified by the manager program of the running information, information about whether the client 10 has violated the running criteria, violated items, and measures taken against the violated items, which have been collected for the client 10, and records them in the database. Accordingly, the criteria information storage unit 132 and the policy information storage unit 131, illustrated in the embodiment of FIG. 1, belong to the monitoring program.
- The policy control server 100 has only a function of blocking the network access of the client 10 by controlling the NMS 200, and a function of storing the running information, whether the client 10 has violated the running criteria, violated items, and measures taken against the violated items, which are provided from the monitoring program, and calculating statistics thereof.
- FIG. 5 is a conceptual block diagram of a network policy control system to which the policy control method, described in conjunction with FIG. 4, is applied.
- The illustrated network policy control system is similar to that shown in FIG. 2, but differs from the network policy control system illustrated in FIG. 2 in that a policy determination module is provided in a monitoring program. Accordingly, the descriptions, made in conjunction with FIG. 2, are appropriately used as descriptions of a network manager 11, a process manager 12, an application program manager 13, and a file manager 14.
- A policy determination module 15 determines whether the client 10 has violated the running criteria with reference to running information and history information collected from the network manager 11, the process manager 12, the application program manager 13, and the file manager 14. For this purpose, the policy determination module 15 is provided with the running criteria and policy information used for each running criterion. The monitoring program takes corresponding measures when the client 10 has violated the running criteria, and notifies the policy control server 100 of related results, together with running information.
- The policy determination module 15 includes the following functions:
- 7) A function of, when the network utilization rate of the client is not reduced even when the measures of 6) have been taken, notifying the policy control server 100 of the fact, and causing the policy control server 100 to block the network access of a corresponding client or isolate the client through allocation to a VLAN region by controlling the NMS 200.
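The running criteria described for FIG. 1 (98% processor utilization of one process, 0.5% network utilization or a continuous rise above it, ports of limited programs such as TCP 4662) and function 7) of the policy determination module 15 (escalate to an NMS block or VLAN isolation when the rate does not come down after measures) are worked through below as an added Python example; it is not the patent's own code, and the record layout, the names `PolicyDeterminationModule`, `evaluate`, `follow_up` and the sample report are assumptions made here.

```python
"""Policy determination over a client's running information, modelled on the
patent text.  Added illustration, not the patent's own code: the 98% and 0.5%
limits, the port example and the measures come from the text; the record
layout, helper names and the sample report are assumptions made here."""
from dataclasses import dataclass, field
from typing import List, Sequence, Set

CPU_LIMIT = 98.0   # limit processor utilization rate for one process or application program, percent
NET_LIMIT = 0.5    # limit network utilization rate of the client, percent

@dataclass
class Process:
    name: str
    cpu: float                                      # processor utilization rate, percent
    ports: List[int] = field(default_factory=list)  # ports the process uses for network access

@dataclass
class RunningInfo:
    """One report from the monitoring program's interface module (assumed layout)."""
    client: str
    processes: List[Process]
    net_history: List[float]   # client network utilization samples, oldest first, percent

@dataclass
class Decision:
    violations: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    def act(self, action: str) -> None:
        if action not in self.actions:   # record each measure once
            self.actions.append(action)

def rising(history: Sequence[float], window: int) -> bool:
    """True when the last `window` samples strictly increase (a continuously rising rate)."""
    tail = list(history[-window:])
    return len(tail) == window and all(a < b for a, b in zip(tail, tail[1:]))

class PolicyDeterminationModule:
    """Compares running information with the running criteria and chooses the measure:
    terminate a process, or have the NMS block or VLAN-isolate the client."""

    def __init__(self, limited_programs: Sequence[str], limited_ports: Sequence[int],
                 malicious_processes: Sequence[str], trend_window: int = 3):
        self.limited_programs: Set[str] = set(limited_programs)        # programs whose running is limited
        self.limited_ports: Set[int] = set(limited_ports)              # ports those programs are known to use
        self.malicious_processes: Set[str] = set(malicious_processes)  # processes seen when a virus runs
        self.trend_window = trend_window

    def evaluate(self, info: RunningInfo) -> Decision:
        d = Decision()
        for p in info.processes:
            if p.name in self.malicious_processes:
                d.violations.append(f"{p.name}: process listed in the virus criteria")
                d.act(f"terminate {p.name}")
                d.act(f"isolate {info.client} in VLAN")   # infiltration determined: isolate the client
            elif p.cpu >= CPU_LIMIT:
                d.violations.append(f"{p.name}: processor utilization {p.cpu}% >= {CPU_LIMIT}%")
                d.act(f"terminate {p.name}")
            if p.name in self.limited_programs or self.limited_ports & set(p.ports):
                d.violations.append(f"{p.name}: limited application program or port")
                d.act(f"terminate {p.name}")
        if info.net_history and info.net_history[-1] > NET_LIMIT:
            trend = "continuously increasing above" if rising(info.net_history, self.trend_window) else "above"
            d.violations.append(f"network utilization {info.net_history[-1]}% {trend} {NET_LIMIT}%")
            if not d.actions:
                # no process to terminate accounts for the traffic: block the client through the NMS
                d.act(f"notify NMS: block network access of {info.client}")
        return d

    def follow_up(self, before: RunningInfo, after: RunningInfo) -> Decision:
        """Function 7): after measures were taken, escalate when the rate has not come down."""
        d = Decision()
        if before.net_history and after.net_history:
            prev, cur = before.net_history[-1], after.net_history[-1]
            if cur > NET_LIMIT and cur >= prev:
                d.violations.append(f"network utilization not reduced: {prev}% -> {cur}%")
                d.act(f"notify policy control server: block {after.client} via NMS or isolate in VLAN")
        return d

# Constructed sample report for one client (not taken from the page).
SAMPLE = RunningInfo(
    client="client 10",
    processes=[
        Process("wordproc.exe", cpu=3.0, ports=[80, 443]),
        Process("p2pshare.exe", cpu=12.0, ports=[4662, 4762]),  # file-sharing ports named in the text
        Process("xq17.tmp", cpu=99.1),                          # unknown process pinning the processor
    ],
    net_history=[0.2, 0.4, 0.7],
)
MODULE = PolicyDeterminationModule(limited_programs=["p2pshare.exe"], limited_ports=[4662],
                                   malicious_processes=["dropper.exe"])

if __name__ == "__main__":
    first = MODULE.evaluate(SAMPLE)
    for line in first.violations + first.actions:
        print(line)
    later = RunningInfo(SAMPLE.client, SAMPLE.processes[:1], SAMPLE.net_history + [0.8])
    print(MODULE.follow_up(SAMPLE, later).actions)
```

The two-step shape (terminate first, block or isolate only when the rate stays up) is what keeps a single busy process from taking a whole client off the network on the first report.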
Abstract
The present invention relates to a policy control method for a network system, which can control the network access of each client and the running of application programs (or processes) by acquiring running information about application programs and processes, which are run in a client terminal that accesses a network, and a network utilization rate and applying the running information to a control policy preset for the control of each client. For this purpose, each of the clients is provided with a monitoring program for monitoring running information about processes, application programs and a network utilization rate, and providing the running information to the access control server; and the running information is provided to the access control server, and the access control server limits running of one or more entities that belong to the processes, the application programs and the network utilization rate and deviate from preset running criteria.
Description
POLICY BASED NETWORK MANAGEMENT METHOD AND SYSTEM
Technical Field
[1] The present invention relates, in general, to a policy control method and system for a network system and, more particularly, to a policy control method and system for a network system, which can detect traffic attributable to malicious code or viruses and clients running inappropriate programs, and prevent the running of the application programs of the clients and the spreading of harmful traffic.
Background Art
[2] As networks have become deeply involved in daily life and business, a large amount of a company's work is handled via networks. A considerable amount of document data and a considerable number of application programs are transmitted over a network. A network may also be used in a company for purposes other than work. For example, in the case where someone downloads or shares mp3 files or video files using P2P or web storage over a network in a company, the specific person who uses P2P or web storage occupies a significant amount of network resources, and the network resources available to other persons are reduced by as much as the network resources occupied by the specific person. Furthermore, in the case where files are shared with a number of unspecified persons via P2P, the computer of the person who shares the files functions as a server for sharing the files. In this case, the network in the company may be bogged down. Moreover, most client terminals (for example, computers) connected to a network in a company may be infected with a virus, malicious code, a Trojan hacking program, or adware introduced over the network. Some of the infected client terminals may be controlled by the virus, Trojan hacking program, or adware, and thus cause undesired network traffic. If an infected client terminal secondarily infects peripheral client terminals connected to the network in the company, the business of the company can be bogged down.
[3] Meanwhile, in the case where individual persons in a company run and use application programs unrelated to business, problems arise, such as delays in the business schedules of the corresponding persons and the deterioration of concentration on business. It is difficult for other persons to recognize this type of situation, and it is impossible to find out the problems attributable to it unless continuous monitoring is carried out.
Disclosure of Invention
Technical Problem
[4] Accordingly, an object of the present invention is to provide a policy control method and system for a network system, that can control the network access of each client and the running of application programs (or processes) by acquiring running information about application programs and processes, which are run in a client terminal that accesses a network, and a network utilization rate and applying the running information to a control policy preset for the control of each client. Furthermore, another object of the present invention is to provide a policy control method and system for a network system, which can organize running information, such as application programs and processes, which are run in the client, and the time-based network utilization rate of a client, into a database, and determine the aspects of use of the client and the causes of problems occurring in the client based on the running information.
Technical Solution
[5] In order to accomplish the above objects, the present invention provides a policy control method for a network system, the network system including one or more clients, an access control server, and a Network Management Server (NMS) for controlling network access of the client, wherein each of the clients is provided with a monitoring program for monitoring running information about processes and application programs, which are run in the client, and a network utilization rate, and providing the running information to the access control server; and the running information is provided to the access control server, and the access control server limits running of one or more entities that belong to the processes and the application programs, which are run in the client, and the network utilization rate and deviate from preset running criteria.
[6] The monitoring program may include a network manager for monitoring a network utilization rate of the client; a process manager for monitoring a process utilization rate of the client; an application program manager for monitoring application programs being run in the client; and an interface module for transmitting the running information, collected from the network manager, the process manager and the application program manager, to the access control server.
[7] Preferably, the policy control method further includes a file manager for checking a history file, including an Internet access history and running application history of the client, and providing results of the check to the access control server through the interface module.
[8] The Internet access history may be any one of URLs and IP addresses that are accessed by the client over an Internet.
[9] Preferably, when the network utilization rate of the client deviates from a preset reference value, the NMS is notified of the deviation by the access control server and blocks the network access of the client.
[10] When the network utilization rate of the client deviates from a preset reference value, the NMS may allocate the client to a preset Virtual LAN (VLAN) region and thus isolate the client.
[11] The access control server may generate and store a running history of the client based on the running information.
[12] In order to accomplish the above objects, the present invention provides a policy control method for a network system, the network system including one or more clients, an access control server, and an NMS for controlling network access of the client, wherein each of the clients is provided with a monitoring program for monitoring running information about processes and application programs, which are run in the client, and a network utilization rate; and the policy control method comprises the steps of the access control server acquiring the running information of the client through the monitoring program; the access control server analyzing the running information, and determining whether the client has violated running criteria preset for processes, application programs, and a network utilization rate; the access control server notifying the access control server of whether the client has violated the running criteria; and the access control server limits running of one or more processes and application programs of the client depending on whether the client has violated the running criteria, and limits network access of the client by controlling the NMS when the network utilization rate has violated the running criteria.
[13] When the network utilization rate of the client deviates from the running criteria, the NMS may be notified of the deviation by the access control server and block the network access of the client.
[14] When the network utilization rate of the client deviates from the running criteria, the NMS may allocate the client to a preset VLAN region and thus isolate the client by controlling the access control server.
[15] Preferably, the monitoring program includes a network manager for monitoring a network utilization rate of the client; a process manager for monitoring a process utilization rate of the client; an application program manager for monitoring application programs executed in the client; a policy determination module for comparing the running information, collected from the network manager, the process manager and the application program manager, with the running criteria and determining whether the client has violated the running criteria; and an interface module for transmitting results of the determination of the policy determination module and the running information, collected for the client, to the access control server.
[16] The monitoring program may further include an anti-virus program, the anti-virus program providing the results of its inspection to the access control server through the interface module.
[17] The access control server may generate and store a running history of the client based on the running information.
[18] In order to accomplish the above objects, the present invention provides a policy control system for a network system, the network system including one or more clients, an access control server, and an NMS for controlling network access of the client comprising a client, the access control server includes a collection module for collecting information about any one of processes and application programs, which are executed in the client, and a network utilization rate of the client; and a policy determination module provided with running criteria for a processor utilization rate of any one of the processes and the application programs of the client and the network utilization rate, and configured to determine one or more items, which belong to the running information of the client and have violated the running criteria, based on the running criteria; wherein the access control server limits running of one or more processes and application programs, which are run in the client, when the processor utilization rate of the client has violated the running criteria, and limits the network access of the client by controlling the NMS when the network utilization rate of the client has violated the running criteria.
[19] Preferably, the client includes a network manager for monitoring the network utilization rate of the client; a process manager for monitoring the process utilization rate of the client; an application program manager for monitoring application programs executed in the client; and a policy determination module for comparing the running information, collected from the network manager, the process manager and the application program manager, with the running criteria, determining whether the client has violated the running criteria, and transmitting results of the determination to the access control server.
[20] Preferably, the policy control system further includes a file manager for checking a history file, including an Internet access history and running application history of the client, and providing results of the check to the access control server through the interface module.
[21] The Internet access history may be any one of URLs and IP addresses that are accessed by the client over an Internet.
[22] When the network utilization rate of the client deviates from a preset reference value, the NMS may be notified of the deviation by the access control server and block the network access of the client.
[23] Preferably, when the network utilization rate of the client deviates from a preset reference value, the access control server allocates the client to a preset VLAN region and thus isolates the client by controlling the NMS.
Advantageous Effects
[24] According to the present invention, the network access of each client and the running of application programs (or processes) can be controlled by acquiring running information about the application programs and processes run in a client terminal that accesses a network, together with its network utilization rate, and applying the running information to a control policy preset for the control of each client. Furthermore, the present invention can minimize the excessive traffic and the running of undesired application programs that occur in a client, and leaves the histories of the application programs and processes that have been run in a client, together with network information, in the policy control server, so that the causes of problems can be easily determined when problems occur in the network system.
Brief Description of the Drawings
[25] FIG. 1 is a diagram conceptually showing a policy control method for a network system according to an embodiment of the present invention;
[26] FIG. 2 is a conceptual block diagram of a network policy control system to which the network policy control method, described in conjunction with FIG. 1, is applied;
[27] FIG. 3 is a view showing an example of a history file provided in an operating system;
[28] FIG. 4 is a diagram conceptually showing a policy control method for a network system according to another embodiment of the present invention; and
[29] FIG. 5 is a conceptual block diagram of a network policy control system to which the policy control method, described in conjunction with FIG. 4, is applied.
[30] <Description of reference numerals of principal elements in the drawings>
[31] 10: client; 10a, 11: network manager
[32] 10b, 12: process manager; 10c, 13: application program manager
[33] 10d, 14: file manager; 15, 120: policy determination module
[34] 10e: interface module; 100: policy control server
[35] 130: database; 132: criteria information storage unit
[36] 131: policy information storage unit; 110: collection module
Mode for the Invention
[37] The present invention will be described in detail below with reference to the accompanying drawings.
[38] FIG. 1 conceptually shows a policy control method for a network system according to an embodiment of the present invention.
[39] In the illustrated embodiment, the client 10 is provided with a monitoring program that collects information (hereinafter referred to as "running information") about the processes executed in the client 10, the application programs executed in the client 10, and the network utilization rate of the client 10, and provides the running information to a policy control server 100. The policy control server 100 compares the running information provided by the client 10 with preset running criteria and determines whether the client 10 has violated them. The running criteria held in the policy control server 100 set the limit on the network utilization rate of a client 10 connected to the network, the limit on the processor utilization rate of an application program installed in the client 10, and the limit on the processor utilization rate of a process executed in the client 10.
[40] As an example, the following criteria may be used as the running criteria:
[41] 1) The processor utilization rate must be less than 98%.
[42] 2) The network utilization rate must be less than 0.5%.
[43] Furthermore, the running criteria may be related to application programs and processes the running of which in a client is limited.
[44] If the processor utilization rate of an application program or a process reaches 98%, it is highly likely that the load is caused by a virus or malicious code. Likewise, if the network utilization rate exceeds 0.5% or keeps rising above 0.5%, it is highly likely that the traffic is caused by a virus or malicious code. When the running state of a client exceeds the running criteria, the monitoring program notifies the policy control server 100. When the client has continuously violated the running criteria for a predetermined period, the policy control server 100 may block the network access of the client, or may control the monitoring program to terminate the application program (or process) that causes the excessive processor utilization rate in the client. To block network access, the policy control server 100 notifies an NMS 200 of the client that causes the excessive network traffic, and the NMS 200 blocks the network access of that client 10. Furthermore, in the present embodiment, the monitoring program may check the operating system installed in the client 10 for a history file in which the Internet access history of the client 10, the running history of application programs, etc. are stored, and notify the policy control server 100 of the results of the check. The history file includes the target IP addresses or URLs accessed by the client 10 over the network and a list of files opened by the client 10.
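The evaluation just described, as an added worked example that is not part of the patent: a server-side evaluator that applies criteria 1) and 2) to periodic running information and acts only after a violation has persisted for the predetermined period. The sample telemetry, the 60-second period, the measure names (`terminate_process`, `nms_block`) and the reading of the network rate as a percentage of link capacity are assumptions; the page fixes only the 98% and 0.5% thresholds.

```python
"""Added example: server-side evaluation of the running criteria with a sustained-violation period."""

CPU_LIMIT_PCT = 98.0      # criterion 1): processor utilization must be less than 98 %
NET_LIMIT_PCT = 0.5       # criterion 2): network utilization must be less than 0.5 %
SUSTAIN_SECONDS = 60      # assumed "predetermined period"; the page does not give a value


class PolicyEvaluator:
    """Remembers, per client and per criterion, when the current violation began.

    A measure is emitted once per violation episode, and only after the violation has
    lasted at least `sustain` seconds, so a single bad sample never blocks a client.
    """

    def __init__(self, cpu_limit=CPU_LIMIT_PCT, net_limit=NET_LIMIT_PCT, sustain=SUSTAIN_SECONDS):
        self.cpu_limit = cpu_limit
        self.net_limit = net_limit
        self.sustain = sustain
        self.violation_start = {}   # (client, item...) -> ts of the first violating sample
        self.acted = set()          # keys already acted upon in the current episode

    def _check(self, key, violating, ts):
        """True when `key` has violated for at least `sustain` seconds and no measure was taken yet."""
        if not violating:
            # first compliant sample closes the episode and re-arms the criterion
            self.violation_start.pop(key, None)
            self.acted.discard(key)
            return False
        start = self.violation_start.setdefault(key, ts)
        if ts - start >= self.sustain and key not in self.acted:
            self.acted.add(key)
            return True
        return False

    def evaluate(self, sample):
        """sample = {"client", "ts", "net_pct", "processes": [{"name", "cpu_pct"}, ...]}."""
        client, ts = sample["client"], sample["ts"]
        measures = []
        for proc in sample["processes"]:
            key = (client, "cpu", proc["name"])
            if self._check(key, proc["cpu_pct"] >= self.cpu_limit, ts):
                # criterion 1) violated: terminate the process through the monitoring program
                measures.append(("terminate_process", client, proc["name"]))
        if self._check((client, "net"), sample["net_pct"] >= self.net_limit, ts):
            # criterion 2) violated: hand the client to the NMS for blocking or VLAN isolation
            measures.append(("nms_block", client, None))
        return measures


# Constructed telemetry: one client reporting every 30 s. svchost.exe pins the CPU and the
# client's network share stays above 0.5 % for a full minute, then both return to normal.
SAMPLES = [
    {"client": "pc-17", "ts": 0, "net_pct": 0.8,
     "processes": [{"name": "pruna.exe", "cpu_pct": 12.0}, {"name": "svchost.exe", "cpu_pct": 99.0}]},
    {"client": "pc-17", "ts": 30, "net_pct": 0.9,
     "processes": [{"name": "pruna.exe", "cpu_pct": 15.0}, {"name": "svchost.exe", "cpu_pct": 99.5}]},
    {"client": "pc-17", "ts": 60, "net_pct": 0.9,
     "processes": [{"name": "pruna.exe", "cpu_pct": 14.0}, {"name": "svchost.exe", "cpu_pct": 99.0}]},
    {"client": "pc-17", "ts": 90, "net_pct": 0.2,
     "processes": [{"name": "pruna.exe", "cpu_pct": 3.0}, {"name": "svchost.exe", "cpu_pct": 21.0}]},
]


def run(samples, evaluator=None):
    """Feed samples in time order and collect every measure the evaluator decides on."""
    if evaluator is None:
        evaluator = PolicyEvaluator()
    measures = []
    for sample in samples:
        measures.extend(evaluator.evaluate(sample))
    return measures


if __name__ == "__main__":
    for measure in run(SAMPLES):
        print(measure)
```

The reset on the first compliant sample is deliberate: a one-off spike (a large legitimate download, a scheduled anti-virus scan) never reaches the NMS, and a client that relapses after a reset is judged afresh. The evaluator can only be as honest as the agent feeding it, so a monitoring program that under-reports, or that an infected host has silenced, is invisible here.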
[45] FIG. 2 is a conceptual block diagram of a network policy control system to which the network policy control method, described in conjunction with FIG. 1, is applied.
[46] As shown in this drawing, the monitoring program includes a network manager 10a, a process manager 10b, an application program manager 10c, a file manager 10d, and an interface module 10e. The policy control server 100 includes a collection module 110, a policy determination module 120, and a database 130. The database 130 includes a policy information storage unit 131 and a running criteria information storage unit 132.
[47] The process manager 10b monitors the processes being executed in the client 10. In general, these include processes that the operating system installed in the client 10 starts automatically, regardless of the intention of the user operating the client 10, and the processes of application programs that the user runs or that are loaded into memory together with those application programs. When an operating system is affected by a virus or malicious code, a malicious process other than those of the operating system and those loaded by the user is loaded into memory, and it consumes memory resources or increases network traffic. The process manager 10b acquires the list of processes running in the client 10 and the processor utilization rate (or occupation rate) of each process, and provides them to the interface module 10e. The application program manager 10c acquires the list of application programs run by the user in the client 10 and provides it to the interface module 10e. The network manager 10a monitors the network utilization rate of the client 10 and provides it to the interface module 10e. The network manager 10a also acquires information about the ports used by the client 10 for network access and provides it to the interface module 10e. In general, the client 10 uses TCP ports 80 and 443 for Internet access, TCP port 1863 when MSN Messenger is used, and TCP port 4662 and UDP port 4762 when a file sharing program such as PRUNA is used. That is, ports differ between application programs, and widely used application programs use well-known preset ports. If the user of the client 10 causes excessive traffic on TCP port 4662 and UDP port 4762, it can be determined that the user is performing a file sharing task unrelated to business. The file manager 10d checks the operating system installed in the client 10 for a history file and provides the results of the check to the interface module 10e. In the case of Windows XP, an operating system provided by Microsoft Corporation, the operating system provides a history file as shown in FIG. 3. The illustrated history file includes the user's site access history and the functions of tasks performed on the accessed websites. If the "My Computer" item is selected, a list of application programs run by the user, or a list of data files (for example, HWP or DOC files) opened by application programs, is displayed. The file manager 10d may check the history file on a time basis (for example, hourly or daily), or may check the user's running history whenever the user generates an event (for example, running an application program), and provide the results of the check to the interface module 10e. The interface module 10e converts the running information and the history file information collected from the file manager 10d, the network manager 10a, the process manager 10b, and the application program manager 10c into a format previously agreed upon with the policy control server 100, and provides them to the policy control server 100. The interface module 10e may encrypt the running information (and the history file information) before transmitting them to the policy control server 100.
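An added example, not code from the patent, of what the interface module and the collection module could exchange: the running information and the port-attributed traffic are serialized into a fixed JSON layout and authenticated with an HMAC, so that the policy control server does not act on reports that a third party forged or replayed. The port table repeats the ports named above; the application labels, the JSON layout, the shared key, the 120-second freshness window and the connection sample are assumptions. The page says the interface module "may encrypt" the report; this example shows the integrity layer only, and confidentiality would additionally require an authenticated cipher, which the Python standard library does not provide.

```python
"""Added example: the agreed-upon report format between interface module (client) and collection module (server)."""
import hashlib
import hmac
import json

# (protocol, remote port) -> application, from the ports named in the description.
# The labels, the "unknown" bucket and the NON_BUSINESS set are assumptions.
PORT_APPS = {
    ("tcp", 80): "web",
    ("tcp", 443): "web",
    ("tcp", 1863): "msn-messenger",
    ("tcp", 4662): "file-sharing",
    ("udp", 4762): "file-sharing",
}
NON_BUSINESS = {"file-sharing"}
MAX_REPORT_AGE = 120   # seconds; assumed replay window for reports


def classify_connections(conns):
    """Attribute bytes to applications by (protocol, remote port); unknown ports stay visible."""
    per_app = {}
    for proto, port, nbytes in conns:
        app = PORT_APPS.get((proto.lower(), port), "unknown")
        per_app[app] = per_app.get(app, 0) + nbytes
    return per_app


def build_report(client_id, ts, net_pct, processes, conns, key):
    """Interface module side: fixed layout, canonical JSON, HMAC-SHA256 tag over the body."""
    body = {
        "client": client_id,
        "ts": ts,
        "net_pct": net_pct,
        "processes": processes,               # [{"name": ..., "cpu_pct": ...}, ...]
        "traffic": classify_connections(conns),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return {"body": canonical, "mac": tag}


def parse_report(wire, key, now):
    """Collection module side: verify the tag before parsing, then reject stale reports."""
    expected = hmac.new(key, wire["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wire["mac"]):
        raise ValueError("report rejected: MAC mismatch")
    body = json.loads(wire["body"])
    if abs(now - body["ts"]) > MAX_REPORT_AGE:
        raise ValueError("report rejected: outside freshness window")
    return body


def non_business_share(body):
    """Fraction of the client's attributed bytes that went to applications unrelated to business."""
    total = sum(body["traffic"].values())
    if total == 0:
        return 0.0
    return sum(v for app, v in body["traffic"].items() if app in NON_BUSINESS) / total


# Constructed sample: one HTTPS session and one PRUNA-style file-sharing session.
SAMPLE_CONNS = [("tcp", 443, 200_000), ("tcp", 4662, 1_500_000), ("udp", 4762, 300_000)]
SAMPLE_KEY = b"shared-agent-key"   # assumed to be provisioned per client out of band


def demo(now=1000):
    """Round-trip one report and return the parsed body and its non-business share."""
    wire = build_report("pc-17", now, 0.9, [{"name": "pruna.exe", "cpu_pct": 14.0}], SAMPLE_CONNS, SAMPLE_KEY)
    body = parse_report(wire, SAMPLE_KEY, now + 5)
    return body, non_business_share(body)


if __name__ == "__main__":
    parsed, share = demo()
    print(parsed["traffic"], f"non-business share {share:.0%}")
```

The MAC is checked before the JSON is parsed, so a malformed or oversized body from an unauthenticated sender never reaches the parser. Attribution by port is only a first cut: an application can be configured to use any port, so a practitioner would treat the "unknown" bucket and any well-known port carrying unusual volume as things to investigate rather than trust.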
[48] The policy control server 100 analyzes the running information and the history information received from the monitoring program, and determines whether the client 10 observes appropriate running criteria based on the results of the analysis.
[49] The collection module 110 acquires and parses the running information, received from the interface module 1Oe, in the format that is previously agreed upon with the interface module 1Oe. The running information and the history file information parsed in the collection module 110 are provided to the policy determination module 120. The policy determination module 120 includes the running criteria storage unit 132 provided with running criteria, and the policy information storage unit 131 provided with policy information for controlling a client through the monitoring program or NMS 200 when the client has violated the running criteria. The running criteria information storage unit 132 and the policy information storage unit 131 may be configured to be included in the database 130.
[50] The policy determination module 120 compares the running information and history file information of the client 10, provided through the monitoring program, with the running criteria information, and determines whether the client 10 has violated the running criteria. If it is determined that the client 10 has violated the running criteria, the policy determination module 120 searches for the policy information corresponding to the violated item and limits (or blocks) the running of application programs and processes of the client 10, or the network access of the client 10, by controlling the monitoring program or the NMS 200. If it is determined that a virus or malicious code has infiltrated the client 10, the policy determination module 120 may isolate the client 10 from the rest of the network by allocating the client 10 to a Virtual LAN (VLAN) region. Whether a virus and/or malicious code has infiltrated the client 10 may be determined from the process information provided by the monitoring program. A virus or malicious code can infiltrate an operating system and be executed there automatically. The process manager 10b detects the processes of the virus or malicious code and transmits the detection results to the policy control server 100. When a suspicious process is detected among the processes being executed in the client 10, the policy control server 100 stops the corresponding process (or application program) by controlling the monitoring program. For this purpose, the criteria information storage unit 132 holds information about the processes that run in the operating system of the client 10 when a virus or malicious code is executed.
[51] FIG. 4 conceptually shows a policy control method for a network system according to another embodiment of the present invention.
[52] The illustrated embodiment is similar to that shown in FIG. 1, but the monitoring program further includes a policy determination module. The policy determination module checks the running information of the client 10, determines whether the client 10 has violated the running criteria, and takes measures based on the results of the determination. Accordingly, in the present embodiment, the monitoring program notifies the policy control server 100 of the running information collected for the client 10, whether the client 10 has violated the running criteria, the violated items, and the measures taken against them, and the policy control server 100 records them in the database. The criteria information storage unit 132 and the policy information storage unit 131, illustrated in the embodiment of FIG. 1, therefore belong to the monitoring program. The policy control server 100 retains only the function of blocking the network access of the client 10 by controlling the NMS 200, and the function of storing the running information, the violation results, the violated items and the measures taken, as provided by the monitoring program, and calculating statistics from them.
[53] FIG. 5 is a conceptual block diagram of a network policy control system to which the policy control method, described in conjunction with FIG. 4, is applied.
[54] The illustrated network policy control system is similar to that shown in FIG. 2, but differs from the network policy control system illustrated in FIG. 2 in that a policy determination module is provided in a monitoring program. Accordingly, the descriptions, made in conjunction with FIG. 2, are appropriately used as descriptions of a network manager 11, a process manager 12, an application program manager 13, and a file manager 14.
[55] In the drawing, a policy determination module 15 determines whether the client 10 has violated the running criteria with reference to running information and history information collected from the network manager 11, the process manager 12, the application program manager 13, and the file manager 14. For this purpose, the policy determination module 15 is provided with the running criteria and policy information used for each running criterion. The monitoring program takes corresponding measures when the client 10 has violated the running criteria, and notifies the policy control server 100 of related results, together with running information.
[56] The policy determination module 15 includes the following functions:
[57] 3) A function of forcibly terminating a corresponding application program when an unauthorized application program is run. In this case, the policy determination module 15 is provided with a list of application programs the running of which is limited.
[58] 4) A function of forcibly terminating the running of an application program that has violated the running criteria (for example, when the processor utilization rate is 98%).
[59] 5) A function of forcibly terminating a process that has violated the running criteria (for example, when the processor utilization rate is 98%).
[60] 6) A function of forcibly terminating a process and an application program that cause network traffic when the network utilization rate exceeds the running criteria.
[61] 7) A function of, when the network utilization rate of the client is not reduced even when the measures of 6) have been taken, notifying the policy control server 100 of the fact, and causing the policy control server 100 to block the network access of a corresponding client or isolate the client through allocation to a VLAN region by controlling the NMS 200.
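Functions 3) to 7) as an added example that is not part of the patent: a client-side policy determination module that applies the measures in the order listed and escalates to the policy control server only when terminating the process behind the traffic did not bring the network utilization rate back under the criterion. The list of limited applications, the per-process byte rates, the 100 Mbit/s link, the process samples and the rule of treating the single heaviest sender as "the process that causes the traffic" are assumptions.

```python
"""Added example: client-side policy determination module implementing measures 3) to 7)."""

LIMITED_APPS = {"pruna.exe", "emule.exe"}   # assumed list of applications whose running is limited, 3)
CPU_LIMIT_PCT = 98.0                         # running criterion used by 4) and 5)
NET_LIMIT_PCT = 0.5                          # running criterion used by 6) and 7)
LINK_BPS = 100_000_000                       # assumed 100 Mbit/s access link


class ClientPolicyModule:
    """Takes the measures the monitoring program can take itself and records them for the server."""

    def __init__(self, link_bps=LINK_BPS):
        self.link_bps = link_bps
        self.measures = []   # (measure, process, reason), reported to the policy control server

    def net_pct(self, procs):
        """Client network utilization rate as a percentage of link capacity."""
        return 100.0 * sum(p["net_bps"] for p in procs) / self.link_bps

    def enforce(self, procs):
        """procs: [{"name", "cpu_pct", "net_bps"}, ...] for one sample.

        Returns (processes still running, escalate). escalate is True when the policy
        control server must block or isolate the client through the NMS, measure 7).
        """
        alive = []
        for p in procs:
            if p["name"].lower() in LIMITED_APPS:
                self.measures.append(("terminate", p["name"], "unauthorized application"))   # 3)
            elif p["cpu_pct"] >= CPU_LIMIT_PCT:
                self.measures.append(("terminate", p["name"], "processor utilization"))      # 4), 5)
            else:
                alive.append(p)
        if alive and self.net_pct(alive) >= NET_LIMIT_PCT:
            # 6) terminate the process that causes the traffic; assumed to be the heaviest sender
            top = max(alive, key=lambda p: p["net_bps"])
            alive.remove(top)
            self.measures.append(("terminate", top["name"], "network utilization"))
        escalate = self.net_pct(alive) >= NET_LIMIT_PCT
        if escalate:
            # 7) the measure in 6) did not reduce the rate: hand the client to the policy control server
            self.measures.append(("escalate", None, "network utilization not reduced"))
        return alive, escalate


# Constructed sample 1: a limited file-sharing program, a pinned CPU, and normal traffic otherwise.
SAMPLE_NORMAL = [
    {"name": "pruna.exe", "cpu_pct": 12.0, "net_bps": 900_000},
    {"name": "chrome.exe", "cpu_pct": 30.0, "net_bps": 300_000},
    {"name": "svchost.exe", "cpu_pct": 99.0, "net_bps": 600_000},
    {"name": "outlook.exe", "cpu_pct": 5.0, "net_bps": 50_000},
]

# Constructed sample 2: traffic spread over several unknown processes, as a worm might do;
# killing the single heaviest sender is not enough, so the module must escalate.
SAMPLE_WORM = [
    {"name": "worker1.exe", "cpu_pct": 8.0, "net_bps": 500_000},
    {"name": "worker2.exe", "cpu_pct": 7.0, "net_bps": 400_000},
    {"name": "worker3.exe", "cpu_pct": 7.0, "net_bps": 400_000},
]


if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_WORM):
        module = ClientPolicyModule()
        alive, escalate = module.enforce(sample)
        print([p["name"] for p in alive], escalate, module.measures)
```

The order matters: measures 3) to 5) remove processes on their own evidence before the network rate is judged, so a limited application or a runaway process is never counted twice. The re-check after 6) is what separates a single noisy process from traffic spread across many processes, which is the case the client cannot resolve alone and the reason 7) hands it to the NMS.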
[62] As a result, excessive traffic and the running of unnecessary application programs, which occur in the client 10, can be minimized. Furthermore, the histories of application programs and processes, which have been run in the client 10, and network information are left in the policy control server, so that the causes of the occurrence of problems can be easily found when the problems occur in a network system.
Claims
[1] A policy control method for a network system, the network system including one or more clients, an access control server, and a Network Management Server (NMS) for controlling network access of the client, wherein: each of the clients is provided with a monitoring program for monitoring running information about processes and application programs, which are run in the client, and a network utilization rate, and providing the running information to the access control server; and the running information is provided to the access control server, and the access control server limits running of one or more entities that belong to the processes and the application programs, which are run in the client, and the network utilization rate and deviate from preset running criteria.
[2] The policy control method as set forth in claim 1, wherein the monitoring program comprises: a network manager for monitoring a network utilization rate of the client; a process manager for monitoring a process utilization rate of the client; an application program manager for monitoring application programs being run in the client; and an interface module for transmitting the running information, collected from the network manager, the process manager and the application program manager, to the access control server.
[3] The policy control method as set forth in claim 2, further comprising a file manager for checking a history file, including an Internet access history and running application history of the client, and providing results of the check to the access control server through the interface module.
[4] The policy control method as set forth in claim 3, wherein the Internet access history comprises any one of URLs and IP addresses that are accessed by the client over an Internet.
[5] The policy control method as set forth in claim 1, wherein, when the network utilization rate of the client deviates from a preset reference value, the NMS is notified of the deviation by the access control server and blocks the network access of the client.
[6] The policy control method as set forth in claim 1, wherein, when the network utilization rate of the client deviates from a preset reference value, the NMS allocates the client to a preset Virtual LAN (VLAN) region and thus isolates the client.
[7] The policy control method as set forth in claim 1, wherein the access control server generates and stores a running history of the client based on the running information.
[8] A policy control method for a network system, the network system including one or more clients, an access control server, and an NMS for controlling network access of the client, wherein: each of the clients is provided with a monitoring program for monitoring running information about processes and application programs, which are run in the client, and a network utilization rate; and the policy control method comprises the steps of: the access control server acquiring the running information of the client through the monitoring program; the access control server analyzing the running information, and determining whether the client has violated running criteria preset for processes, application programs, and a network utilization rate; the access control server notifying the access control server of whether the client has violated the running criteria; and the access control server limits running of one or more processes and application programs of the client depending on whether the client has violated the running criteria, and limits network access of the client by controlling the NMS when the network utilization rate has violated the running criteria.
[9] The policy control method as set forth in claim 8, wherein, when the network utilization rate of the client deviates from the running criteria, the NMS is notified of the deviation by the access control server and blocks the network access of the client.
[10] The policy control method as set forth in claim 8, wherein, when the network utilization rate of the client deviates from the running criteria, the NMS allocates the client to a preset VLAN region and then isolates the client by controlling the access control server.
[11] The policy control method as set forth in claim 8, wherein the monitoring program comprises: a network manager for monitoring a network utilization rate of the client; a process manager for monitoring a process utilization rate of the client; an application program manager for monitoring application programs executed in the client; a policy determination module for comparing the running information, collected from the network manager, the process manager and the application program manager, with the running criteria and determining whether the client has violated the running criteria; and
an interface module for transmitting results of the determination of the policy determination module and the running information, collected for the client, to the access control server.
[12] The policy control method as set forth in claim 11, wherein the monitoring program further comprises an anti-virus program, the anti-virus program providing results of inspection of the anti-virus program to the access control server through the interface module.
[13] The policy control method as set forth in claim 8, wherein the access control server generates and stores a running history of the client based on the running information.
[14] A policy control system for a network system, the network system including one or more clients, an access control server, and an NMS for controlling network access of the client comprising a client, the access control server comprises: a collection module for collecting information about any one of processes and application programs, which are executed in the client, and a network utilization rate of the client; and a policy determination module provided with running criteria for a processor utilization rate of any one of the processes and the application programs of the client and the network utilization rate, and configured to determine one or more items, which belong to the running information of the client and have violated the running criteria, based on the running criteria; wherein the access control server limits running of one or more processes and application programs, which are run in the client, when the processor utilization rate of the client has violated the running criteria, and limits the network access of the client by controlling the NMS when the network utilization rate of the client has violated the running criteria.
[15] The policy control system as set forth in claim 14, wherein the client comprises: a network manager for monitoring the network utilization rate of the client; a process manager for monitoring the process utilization rate of the client; an application program manager for monitoring application programs executed in the client; and a policy determination module for comparing the running information, collected from the network manager, the process manager and the application program manager, with the running criteria, determining whether the client has violated the running criteria, and transmitting results of the determination to the access control server.
[16] The policy control system as set forth in claim 15, further comprising a file manager for checking a history file, including an Internet access history and running application history of the client, and providing results of the check to the access control server through the interface module.
[17] The policy control system as set forth in claim 16, wherein the Internet access history includes any one of URLs and IP addresses that are accessed by the client over an Internet.
[18] The policy control system as set forth in claim 14, wherein, when the network utilization rate of the client deviates from a preset reference value, the NMS is notified of the deviation by the access control server and blocks the network access of the client.
[19] The policy control system as set forth in claim 14, wherein, when the network utilization rate of the client deviates from a preset reference value, the access control server allocates the client to a preset VLAN region and thus isolates the client by controlling the NMS.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2006-0094898 | 2006-09-28 | ||
KR1020060094898A KR100785446B1 (en) | 2006-09-28 | 2006-09-28 | Policy control method of network system and network policy control system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008039033A1 true WO2008039033A1 (en) | 2008-04-03 |
Family
ID=39140955
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2007/004770 WO2008039033A1 (en) | 2006-09-28 | 2007-09-28 | Policy based network management method and system |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR100785446B1 (en) |
WO (1) | WO2008039033A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014090080A1 (en) * | 2012-12-10 | 2014-06-19 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for restricting network applications |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050022185A1 (en) * | 2003-07-10 | 2005-01-27 | Romero Francisco J. | Systems and methods for monitoring resource utilization and application performance |
KR20060012134A (en) * | 2004-08-02 | 2006-02-07 | 주식회사 케이티 | Realtime service management system for enterprise and a method thereof |
US20060159017A1 (en) * | 2005-01-17 | 2006-07-20 | Seung-Cheol Mun | Dynamic quality of service (QoS) management |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100301703B1 (en) | 1998-12-03 | 2001-10-29 | 오길록 | Dynamic Object Distribution Placement in Object-based Distributed Processing System |
KR100523483B1 (en) * | 2002-10-24 | 2005-10-24 | 한국전자통신연구원 | The system and method of malicious traffic detection and response in network |
KR100468374B1 (en) | 2004-07-06 | 2005-01-31 | 주식회사 잉카인터넷 | Device and method for controlling network harmful traffic |
- 2006-09-28 KR KR1020060094898A patent/KR100785446B1/en not_active IP Right Cessation
- 2007-09-28 WO PCT/KR2007/004770 patent/WO2008039033A1/en active Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014090080A1 (en) * | 2012-12-10 | 2014-06-19 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for restricting network applications |
US10116586B2 (en) | 2012-12-10 | 2018-10-30 | Tencent Technology (Shenzhen) Company Limited | Managing network bandwidth for network applications |
Also Published As
Publication number | Publication date |
---|---|
KR100785446B1 (en) | 2007-12-13 |
Similar Documents
Publication | Title |
---|---|
US9325725B2 (en) | Automated deployment of protection agents to devices connected to a distributed computer network |
US11068588B2 (en) | Detecting irregularities on a device |
US10432650B2 (en) | System and method to protect a webserver against application exploits and attacks |
US8291498B1 (en) | Computer virus detection and response in a wide area network |
US8806009B2 (en) | System and method for optimization of security tasks by configuring security modules |
US20040205419A1 (en) | Multilevel virus outbreak alert based on collaborative behavior |
KR101036750B1 (en) | System for blocking zombie behavior and method for the same |
WO2015009296A1 (en) | Event management system |
Baarzi et al. | Microservices made attack-resilient using unsupervised service fissioning |
US20030084344A1 (en) | Method and computer readable medium for suppressing execution of signature file directives during a network exploit |
US7437758B2 (en) | Propagation of viruses through an information technology network |
Wang et al. | Research of electric power information security protection on cloud security |
US20070083913A1 (en) | Propagation of malicious code through an information technology network |
KR20020072618A (en) | Network based intrusion detection system |
CN101453363A (en) | Network intrusion detection system |
WO2008039033A1 (en) | Policy based network management method and system |
CN115632871A (en) | Intelligent network security control system |
RU186198U1 (en) | Host Level Intrusion Detector |
KR100785444B1 (en) | Policy based network management method and system |
CN110022301A (en) | Firewall is used in internet of things equipment protection |
US20110173675A9 (en) | Propagation of malicious code through an information technology network |
CN117082147B (en) | Application network access control method, system, device and medium |
Tupakula et al. | On the design of Virtual machine Intrusion detection system |
KR100439174B1 (en) | Method for managing alert database and policy propagation in ladon-security gateway system |
KR20080030405A (en) | Policy based network management method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07833087; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 290709 |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07833087; Country of ref document: EP; Kind code of ref document: A1 |