WO2023211120A1

WO2023211120A1 - System for controlling file transmission and reception of application on basis of proxy, and method related thereto

Info

Publication number: WO2023211120A1
Application number: PCT/KR2023/005625
Authority: WO
Inventors: 김영랑
Original assignee: 프라이빗테크놀로지 주식회사
Priority date: 2022-04-27
Filing date: 2023-04-25
Publication date: 2023-11-02
Also published as: KR102449118B1

Abstract

A gateway according to one embodiment disclosed in the present document executes a proxy server so as to receive a service processing request from a node, confirms whether there is data flow information corresponding to information included in the service processing request, the information included in the service processing request including departure information or destination information, and can store, if there is data flow information, on the basis of the data flow information, instructions for processing the service processing request.

Description

System and method for controlling file transmission and reception of applications based on proxy

Cross-citation with related applications

The present invention claims the benefit of priority based on Korean Patent Application No. 10-2022-0051914 filed on April 27, 2022, and all contents disclosed in the document of the Korean Patent Application are included as part of this specification.

Technology field

Embodiments disclosed in this document relate to a system and method for controlling file transmission and reception of an application based on a proxy.

Communication is performed between the terminal and the server using IP (Internet Protocol)-based TCP (Transmission Control Protocol), and the source IP, destination IP, and port information are identified using 5 tuples information included in the data packet. Therefore, firewall technology that performs access control is commonly used.

Firewall technology identifies IPs assigned to terminals or network terminals (e.g. gateways, routers, etc.) and performs access control for inbound or outbound data packets between network boundaries, preventing unauthorized IPs from accessing unauthorized destination networks. It plays a blocking role.

Technologies such as IP-based firewalls have a problem in that IP-based control is difficult when a private IP band is created by configuring a sub-network using a terminal or router and gateway in an Internet band where IP allocation and control are difficult. In addition, there is a problem that IP can be forged or altered due to the IP communication structure. Accordingly, firewalls are used as a minimum safety device.

To solve this problem, tunneling technology (e.g. IPSec (Internet Protocol Firewalls are protected by using connectivity control technologies such as Security, Generic Routing Encapsulation (GRE), GPRS Tunneling Protocol (GTP), or secure sessions (Secure Sockets Layer (SSL), Transport Layer Security (TLS)). We are solving the inherent problems.

However, when using a VPN (Virtual Private Network) based on tunneling technology created at the terminal (IP unit assigned to the terminal) level, unauthorized or insecure applications are connected to the unauthorized destination network through tunneling that is always connected after initial authentication. Because it has inherent vulnerabilities, security incidents caused by various malware and ransomware infiltration are increasing.

To solve this problem, we apply application connectivity control technology that allows only permitted applications to access permitted networks to identify the application that is the fundamental communication subject and block access to unauthorized applications in advance to prevent various types of malware and ransomware. It can prevent users from accessing unauthorized destination networks and effectively solve various network security problems that are currently occurring.

With recent industrial developments, there has been an increase in global work environments and home work environments that transcend boundaries, and an increase in the transition to the cloud. As a result, terminals can access work systems anytime and anywhere, and application access control technology in this environment is used to control work systems. Provides optimal security elements for protection.

However, there is a problem in which the application cannot control the act of receiving or transmitting files through the network while the permitted application can access the permitted network.

For example, in a work-from-home environment using a PC connected to the Internet, access to the cloud using a permitted application can receive important files and leak them externally, or transfer files containing malicious code imported from the Internet to the cloud and transfer them to other terminals. It is impossible to prevent the risk from spreading.

In other words, applications that contain macros or programmable information and load executable files through a runtime included in the application itself (e.g. document editing tools, graphic editing tools, etc.) may contain malicious code that cannot be inferred by the user. This malicious code can connect to the cloud and receive important files (e.g. personal information, confidential information) and leak them to the outside, or files containing malicious code can be transmitted to the cloud and spread to all terminals connected to the cloud. There are inherent problems that can arise.

DLP (Data Loss Prevention) technology exists as a similar technology to solve these problems. DLP technology prevents unauthorized media (e.g. USB (Universal Serial Bus), removable storage devices, etc.) from being connected or prevents network Prevent files from being transferred by preventing a specific folder from being shared on the computer, blocking a file from being selected when a specific application selects a file to transfer a file, or file IO (input output) of a specific application. (Or, when file system IO) occurs, data leakage is prevented by tracking file IO and removing the file IO handle if the user does not have file IO permission.

The problem with this DLP technology is that uniform security policies are always enforced on terminals where the application is installed, so in areas where physical security control is not possible and in a telework environment using personally owned terminals where there are limitations in applying security policies. Actions that prevent unauthorized media from connecting cannot be enforced.

Furthermore, when using DLP technology that tracks specific actions, it operates based on the user performing a specific action (e.g., opening a file selection window within the application), so if a specific action is not performed, e.g. For example, it is impossible to prevent malicious code other than the user from directly loading and transmitting files without a file selection window.

To solve this problem, DLP technology is used to track file system IO of a specific application, but because this technology tracks file IO targeting a specific application and blocks it in bulk, the specific network accessed by the application is blocked. There is a problem that makes it difficult to allow file transfer, and some DLP technologies provide a way to remove file IO restrictions by identifying the address bar of the Internet browser to solve this problem. However, in applications where the address bar does not exist, In this case, there are limitations in controlling file reception and transmission because network access information cannot be tracked.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above-described problems in a network environment.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor, wherein the memory, when executed by the processor, The gateway executes the proxy server to: receive a service processing request from a node, and check whether data flow information corresponding to the information included in the service processing request exists, wherein the information included in the service processing request is It may include source information or destination information, and when the data flow information exists, instructions for processing the service processing request based on the data flow information may be stored.

A method of operating a gateway according to an embodiment disclosed in this document includes receiving a service processing request from a node, checking whether data flow information corresponding to the information included in the service processing request exists, and requesting the service processing. The information included may include source information or destination information, and when the data flow information exists, processing the service processing request based on the data flow information.

Various embodiments disclosed in this document may utilize application connectivity control technology to control file IO based on information identifying an application and the network to which the application is connected.

Various embodiments disclosed in this document identify the application and network information connected to or trying to connect to the network through a proxy server, check whether to allow file transmission and reception of the identified target, and file only to the permitted access target. By allowing transmission and reception, it is possible to control file reception and transmission by application and network.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

1 shows an architecture within a network environment according to various embodiments.

Figure 2 is a functional block diagram showing a database stored in a controller according to various embodiments.

Figure 3 shows control flow information and data flow information according to various embodiments.

Figure 4 shows a functional block diagram of a node according to various embodiments.

Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.

Figure 6 shows a signal flow diagram for controller connection according to various embodiments.

Figure 7 shows a signal flow diagram for user authentication according to various embodiments.

Figure 8 shows a signal flow diagram for network access according to various embodiments.

Figure 9 shows a flowchart for processing a service request of a gateway according to various embodiments.

FIG. 10 illustrates a flowchart for receiving a service request processing result of a gateway according to various embodiments.

FIG. 11 illustrates a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments.

Figure 12 shows a signal flow diagram for control flow update according to various embodiments.

Figure 13 shows a signal flow diagram for control flow removal according to various embodiments.

Figure 14 shows a signal flow diagram for data flow removal according to various embodiments.

Hereinafter, various embodiments of the present invention are described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document, “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, omitted, or , or one or more other operations may be added.

The term “module” used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrated part or a minimum unit of the parts or a part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

The nodes 201-1 and 201-2 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the nodes 201-1 and 201-2 may be connected to portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and VR. It may include a (virtual reality) device, or a home appliance device, and is not limited to the above-described devices. For example, nodes 201-1 and 201-2 may include servers or gateways capable of transmitting data packets through an application. Nodes 201-1 and 201-2 may also be referred to as ‘electronic devices’ or ‘terminals.’

A situation in which the node 201-1 accesses the service servers 205-1 and 205-2 through the Internet, and the node 201-2 accesses the service servers 205-1 and 205-2 through the intranet. This can be assumed.

Nodes 201-1 and 201-2 may store access applications 211-1 and 211-2 and access control applications 212-1 and 212-2.

Each of the connection applications 211-1 and 211-2 transmits data packets to the service servers 205-1 and 205-2 through the gateway 203 under the control of the connection control applications 212-1 and 212-2. Or, conversely, you can receive data packets.

Some of the access applications 211-1, 211-2 are permitted and/or secured applications, such as web browsers or business applications, while others are unauthorized programs (e.g. malware, ransomware, and other unauthorized applications). It may be an unsecured application) or an insecure malicious program (an application infected with malware, forged or altered). According to embodiments, the access control application (212-1, 212-2) identifies a program (or access application) requesting transmission of a data packet, and data packets of the unauthorized program are transmitted to the nodes (201-1, 201). -2) It can be prevented from being transmitted outside. In addition, according to embodiments, the access control applications (212-1, 212-2) allow unauthorized access through the security session (220-1) between the access control applications (212-1, 212-2) and the gateway 203. Access to the program's service servers (205-1, 205-2) can be blocked and the program can be isolated.

For example, before the access applications (211-1, 211-2) according to embodiments communicate with the service servers (205-1, 205-2), the access control applications (212-1, 212-2) are connected to the controller. It is possible to check whether connection is possible from 202, and if connection is possible, authentication with the gateway 203 can be performed through a data packet authenticated by the controller 202. Once authentication is completed, the access control application (212-1, 212-2) can create a security session (220-1) with the gateway 203.

The access control application (212-1, 212-2) may create a channel with the gateway 203 to access the service server (205-1, 205-2). Through the channel created between the nodes 201-1 and 201-2 and the gateway 203, the access control applications 212-1 and 212-2 access the unauthorized access applications 211-1 and 211-2. Transmission of data packets to unauthorized destinations can be prevented, and only allowed data packets can be transmitted to the service servers 205-1 and 205-2.

Controller 202 may be, for example, a server (or cloud server, or intranet). The controller 202 manages data transmission between the nodes 201-1, 201-2, the gateway 203, and the service servers 205-1, 205-2, thereby ensuring reliable data transmission within the network environment. You can. For example, the controller 202 allows authorized nodes 201-1, 201-2 (or access control applications 212-1, 212-2) to access the network through policy information or blacklist information. can do.

Additionally, the controller 202 mediates the creation of a security session 220-1 between the access control application 212-1 and the gateway 203, or provides security events collected from the node 201-1 or the gateway 203. Accordingly, the security session 220-1 can be removed. The access control application (212-1) can communicate with the service servers (205-1, 205-2) only through the security session (220-1) authorized by the controller 202, and the authorized security session (220-1). If 1) does not exist, network access of the node 201-1 and the access control application 212-1 may be blocked.

In one embodiment, the access application 211-1 may communicate with the service servers 205-1 and 205-2 through a security session 220-1 authorized by the controller 202, and If the session 220-1 does not exist, the network connection of the access application 211-2 is blocked from the access control application 212-2, the controller 202, or the gateway 203, or is in a state where safety is not guaranteed. Network access is permitted, and the controller 202 can provide the node 201-2 with functions appropriate for the corresponding security level. According to one embodiment, the controller 202 performs various operations (e.g., registration, approval, authentication, renewal, termination) associated with the network connection of the node 201-1 or the access control application 212-1 and 212-2. In order to perform, control data packets can be transmitted and received with the access control application 212-1. The flow through which control data packets are transmitted (e.g., 230) may be referred to as a 'control flow'.

The controller 230 performs network access and channel control of the access control applications 212-1 and 212-2, and when the access control applications 212-1 and 212-2 are terminated or the linked security system 206 ), a secure network state can be maintained at all times by immediately recovering the channel between the nodes 201-1 and 201-2 and the gateway 203.

The gateway 203 may be located at the border of the network to which the nodes 201-1 and 201-2 belong or at the border of the network to which the service servers 205-1 and 205-2 belong. According to one embodiment, the gateway 203 may be connected to the controller 202 on a cloud basis. The gateway 203 may forward only authorized data packets among the data packets received from the access control applications 212-1 and 212-2 to the service servers 205-1 and 205-2. The flow in which data packets are transmitted between the access control application (212-1, 212-2) and the gateway 203 (e.g., 240-1, 240-2) may be referred to as 'data flow'. .

Data flows can be created not only on a per-node or per-IP basis, but also on a more granular basis (e.g. per-application). The gateway 203 performs authentication of the access control applications 212-1 and 212-2 before creating a security session 220-1 between the access control applications 212-1 and 212-2 and the gateway 203. , Indiscriminate network access by forwarding only data packets transmitted through the security session 220-1 among the data packets transmitted from the access control applications 212-1 and 212-2 to the service servers 205-1 and 205-2. can be blocked in advance.

The gateway 203 uses the tunneling module 204-1 to create a channel with the nodes 201-1 and 201-2, and sends data packets received through the authorized channel to the proxy server included in the gateway 203. By relaying service processing with the service servers 205-1 and 205-2 through 204-2, the service servers 205-1 and 205-2 receive information from the authenticated nodes 201-1 and 201-2. Service requests can be processed.

FIG. 2 is a functional block diagram showing a database stored in the controller 202 according to various embodiments, and FIG. 3 shows control flow information 340 and data flow information 350 among the information included in the database.

Referring to FIG. 2, the controller 202 may store databases 311 to 319 for controlling network connection and data transmission in the memory 330. Although FIG. 2 shows only the memory 330, the controller 202 can be used to connect external electronic devices (e.g., nodes 201-1 and 201-2 in FIG. 1, gateways 203, or service servers 205-1 and 205- 2))) and a communication circuit for performing communication (e.g., the communication circuit 430 in FIG. 4) and a processor for controlling the overall operation of the controller 202 (e.g., the processor 410 in FIG. 4). can do. The administrator connects to the controller 202 and establishes a connection-oriented policy to control access between the access control applications (212-1, 212-2), the gateway (203), and the service servers (205-1, 205-2). Since it can be set, network access can be controlled more precisely and safely than managing sessions at the service level.

The connection policy database 311 may include information about networks and/or services to which an identified network, node, or application can access. For example, when the controller 202 requests network access from the access control applications 212-1 and 212-2, the controller 202 connects to the network identified based on the policy of the access policy database 311 (e.g., nodes 201-1, network to which 201-2) belongs), nodes, users (e.g., users of nodes 201-1, 201-2), and/or applications (e.g., connections included in nodes 201-1, 201-2) It may be determined whether the application (211-1, 211-2) can connect to the service server (205-1, 205-2). In one embodiment, the controller 202 may create a whitelist of connection applications 211-1 and 211-2 that can be connected to a specific service (e.g., IP and port) based on the connection policy database 311. .

The channel policy database 312 contains a series of information (authentication information, encryption algorithm, tunnel) required to create a channel with the gateway 203 that exists between the service servers (destination IP and port) on the connection path according to the channel policy. If a pre-connected channel exists between the endpoint IP (Tunnel End Point IP) and the access path through another gateway, a set of information to use it (IP assigned to nodes (201-1, 201-2) information collection and alternative processing, etc.).

The service policy database 313 contains information required for nodes 201-1 and 201-2 to be included in the gateway 203 or pass through a separate proxy server 204-2 when attempting to access a domain address. may include. For example, the service policy database 313 may include information such as domain address resolution information and certificates required for domain access. Additionally, the service policy database 313 may include a series of information such as information on whether to return the service processing request result as failure information or redirect to another URL when the data flow check fails. According to the service policy of the service policy database 313, the proxy server 204-2 processes services between the nodes 201-1 and 201-2 and the service servers 205-1 and 205-2 on the connection path. Requests can be relayed.

The file policy database 314 is linked to the access policy and may include information for establishing a file policy for the access applications 211-1 and 211-2. For example, the file policy database 314 may include information on whether to allow or disallow the connection applications 211-1 and 211-2 to receive and transmit files.

The blacklist policy database 315 includes a target ( Example: A blacklist registration policy may be included to block access by at least one of a node ID (identifier), IP address, MAC (media access control) address, or user ID).

The blacklist database 319 may include a list of objects blocked by the blacklist policy database 315. For example, if the identification information of the nodes (201-1, 201-2) requesting network access is included in the blacklist database 319, the controller 202 rejects the network access request, thereby allowing the nodes (201-1, 201) to access the network. -2) can be isolated.

The control flow table 316 is an example of a session table for managing the flow (i.e., control flow) of control data packets generated between the access control applications 212-1 and 212-2 and the controller 202.

For example, referring to Figure 3, when the access control application (212-1, 212-2) successfully connects to the controller 202, control flow information 340 and control flow ID 342 (or 'control flow (may also be referred to as 'identification information') may be generated by the controller 202. The control flow information 340 may include identification information 344 representing at least one of an IP identified during controller connection and authentication, a node, an application, or a target additionally identified through linkage with a service server. For example, when a network connection request from the access control application 212 is received, the controller 202 combines the control flow ID and identification information included in the connection request with the control flow ID 342 and the control flow information 340 included in the control flow information 340. By mapping with the identification information 344, whether the access control application (212-1, 212-2) can connect to the service server (205-1, 205-2) and the security session (220-1) with the gateway (203) You can decide whether or not it is possible to create a data flow for creation. Status information 346 may indicate various states such as creation, authentication, update, termination, etc. of a control flow.

According to one embodiment, since the control flow has an expiration time, the nodes 201-1 and 201-2 must update the expiration time of the control flow based on the time information 348, and the expiration time is set for a certain period of time. If not updated, the control flow (or control flow information 340) may be removed. In addition, immediate access is blocked according to security events collected from nodes 201-1, 201-2, access control applications 212-1, 212-2, other security applications (not shown), or gateway 203. If it is determined that this is necessary, or if a connection termination request is received from them, the controller 202 may remove the control flow. When the control flow is removed, the related data flow is also removed, and the gateway 203 connects the service servers 205-1 and 205 of the access control applications 212-1 and 212-2 or the access applications 211-1 and 211-2. Access to -2) can be blocked.

The data flow table 317 is a table for managing the flow (eg, data flow) in which detailed data packets are transmitted between the nodes 201-1 and 201-2 and the gateway 203.

The data flow table 317 contains data flow information ( 350) may be included.

Data flow information 350 may be generated on a security session, application, or more granular basis. The data flow table 317 may include an application ID, destination IP address, and/or service port to identify whether the data packet transmitted from the source is an authorized data packet.

Referring to FIG. 3, the data flow information 350 may include a data flow ID 351 and, if the data flow is dependent on the control flow, a control flow ID 352. In addition, the data flow information 350 determines whether a channel has been created between the application and the gateway 203 and the corresponding data packet when accessing the service servers 205-1 and 205-2 through the proxy server 204-2. Determine forwarding of data packets based on URL information and domain information to control service requests according to source IP and destination IP, service port information, protocol information, certificate information (including identification information), and service request path (URL). It may include inspection target information 353 for performing the test, and/or status information 356 indicating whether the data flow is in a valid usable state.

Additionally, the data flow information 350 may further include file IO information 354. The file IO information 354 may include control information such as whether the application can receive files, whether files can be transmitted, file IO processing exceptions, and target information such as domains and URLs to which control according to the control information is applied.

Additionally, the data flow information 350 may further include file inspection information 355. The file inspection information 355 is the proxy server 204-1 or the target of the application connected to the proxy server 204-1, depending on whether to perform the file inspection when sending (uploading) or receiving (downloading) the file. Whether to scan files and allow file downloads and uploads, pattern and rule information to be applied when scanning files, external applications (e.g. antivirus, malware detection tools, data loss prevention technology, etc.) and external devices It may contain a series of information to detect files that cannot be downloaded or uploaded, such as information for linked inspection.

The channel table 318 may include a channel dedicated IP assigned to the node 201-1 or 201-2 and channel creation information.

Figure 4 shows a functional block diagram of the node 201 according to various embodiments. At least some of the configurations shown in FIG. 4 may be applied to the controller 202, the gateways 203-1 and 203-2, or the service servers 205-1 and 205-2.

Referring to FIG. 4 , the node 201 may include a processor 410, a memory 420, and a communication circuit 430. According to one embodiment, the node 201 may further include a display 440 to provide a user interface.

The processor 410 can control the overall operation of the node. In various embodiments, the processor 410 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 410 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 410 may further include a cache memory located internally or externally. Depending on embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of processor 410 may be electrically or operationally connected to other components within node 201 (e.g., memory 420, communication circuitry 430, or display 440). Can be coupled with or connected to operatively. The processor 410 may receive instructions from other components, interpret the received instructions, and perform calculations or process data according to the interpreted instructions. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440. Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.

The processor 410 can process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals to the memory 420 in order to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. Memory 420 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc. The memory 420 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

According to one embodiment, the memory 420 may store the access applications 211-1 and 211-2 and the access control applications 212-1 and 212-2 of FIG. 1 . The access control applications 212-1 and 212-2 may perform network connection and security session creation with the gateway 203 and control flow creation and update functions with the controller 202. To this end, the access control application 212 may include one or more security modules. In one embodiment, the memory 420 may store the control flow information 340 and data flow information 350 of FIG. 3 .

In one embodiment, the connection applications 211-1 and 211-2 may include one or more security modules to create a secure session 220-1 with the gateway 203.

Communication circuitry 430 may support establishing a wired or wireless communication connection between node 201 and an external electronic device (e.g., controller 202 or gateway 203), and performing communication over the established connection. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.

The display 440 can output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410. Depending on embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc. When the display 440 is configured as a touch screen, a plurality of touch sensors may be placed above the display 440 or below the display 440.

Referring to FIG. 5, the access control application 212 detects a network connection request to the service server 205 from the access application 211 included in the node 201, and connects the node 201 or the access control application 212. ) can be determined whether it is connected to the controller 202. If the node 201 or the access control application 212 is not connected to the controller 202, the access control application 212 may block the transmission of data packets in the kernel or network driver included in the operating system. Through the access control application 212, the node 201 can block access of malicious applications in advance at the application layer of the 7 layers of open system interconnection (OSI).

In one embodiment, the access control application 212 is not connected to the controller 202, the access control application 212 is not authenticated by the gateway 203, or the access control application 212 is not connected to the controller 202. If a security session is not created between the gateways 203, data packets transmitted from the access control application 212 are blocked by the gateway 203, and the access control application 212 may request a connection to the controller 202. It's just that. Depending on the embodiment, there may be cases where data packets transmitted from the access control application 212 are not blocked by the gateway 203 even if the access control application 212 is not authenticated by the gateway 203.

According to another embodiment, if the access control application 212 is not installed on the node 201 or a malicious application bypasses the control of the access control application 212, unauthorized data packets may be transmitted from the node 201. there is. In this case, the gateway 203 located at the border of the network blocks data packets received through unauthorized security sessions and data packets for which no data flow exists, so data packets transmitted from the node 201 (e.g. TCP session data packet for generation) may not reach the service server 205. In other words, the node 201 may be isolated from the service server 205.

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow, thereby controlling the node 201. You can try to connect to the controller.

Referring to Figure 6, at operation 605, node 201 may detect a controller connection event. For example, if the connection control application 212 is installed and/or executed within node 201, node 201 may detect that a connection to controller 202 is requested.

In operation 610, the node 201 may request controller connection to the controller 202. For example, the access control application 212 may transmit identification information of the access control application 212 to the controller 202. Additionally, the access control application 212 may include identification information of the node 201 (e.g., terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or the network. Random identification information generated by the system itself may be further transmitted.

In operation 615, the controller 202 may identify whether the controller connection request (e.g., the connection control application 212 and the node 201) can be connected to the controller. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the connection policy database 311, or controls the node 201, the network to which the node 201 belongs, and/or access control. It is possible to check whether the controller connection request of the object requesting controller connection is possible based on at least one of whether the identification information of the application 212 is included in the blacklist database 314.

If the controller connection request is possible, the controller 202 creates a control flow (or control flow information 340) between the node 201 (or the connection control application 212) and the controller 202. can do. In this case, the controller 202 generates control flow identification information 342 in the form of a random number and controls the identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 212. It can be stored in the flow table 316. Information (e.g., control flow information 340) stored in the control flow table 316 is used for user authentication of the node 201, update of information of the node 201, confirmation of policy for network access of the node 201, and/ Or it can be used for validation.

At operation 620, the controller 202 may check the connection policy and channel policy. The controller 202 may check the connection policy corresponding to the information identified in the connection policy database 311 (e.g., information about the node 201 and the source network to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the confirmed access policy. The controller 202 can check the channel policy through the IP of the node 201 identified in the channel policy database 312. The controller 202 can check whether there is destination network information to which the node 201 requesting connection can basically connect. If the controller connection request is possible, the controller 202 provides the information necessary for the node 201 to connect to the destination network (e.g., the type of node 201 included in the control flow, location information, environment, and Information on the source network that includes the node 201), the type of channel to which the node 201 can be connected, and information on the gateway 203 can be listed. The controller 202 may check the status (e.g., throughput, failure status) of the listed gateways 203 and identify one channel and one gateway optimized for the node 201 among the listed gateways. Here, the type of channel to which the node 201 can be connected and the information on the gateway 203 are based on the IP of the node 201 identified through the controller 202 and the IP of the node 201 identified in the node 201. It can be confirmed based on

In another embodiment, controller 202 may not perform operation 620. For example, if the controller for which connection is requested is not available, the controller 202 may not perform operation 620.

In operation 625, the controller 202 may transmit a response to the controller connection request to the node 201.

In one embodiment, the controller 202 may transmit control flow information 340 including control flow identification information 342 to the node 201 in response to a controller connection request. In one embodiment, the controller 202 may transmit the white list created through operation 820 to the access control application 212. Depending on the embodiment, if the object requesting controller connection is unavailable or included in the blacklist, the controller 202 may not generate a control flow and may notify the controller 202 of the inability to connect in response to the controller connection request.

If there is a channel and a gateway that the node 201 can access, the controller 202 sends the node 201 information for creating a channel (e.g., a series of information such as gateway and channel authentication) to the node 201. Can be transmitted. Depending on the embodiment, when the node 201 connects through a pre-connected channel between a gateway existing in the source network to which the node 201 belongs and a gateway existing at the border of the destination network (i.e., the node 201 and the gateway (203), or when access is made between the terminal and the destination network boundary through another channel technology, the controller 202 may not transmit separate channel creation information to the node 201. there is.

In one embodiment, node 201 may process the results according to the received response. For example, the connection control application 212 may store the received control flow identification information and display a user interface screen to the user indicating that the controller connection is complete. Once the controller connection is completed, the network connection request of the node 201 to the service server 205 can be controlled by the controller 202.

Depending on the embodiment, the controller 202 may determine that the node 201 is inaccessible. For example, when controller connection inaccessibility information is received, the node 201 may output a user interface screen to the user indicating that the controller connection is not possible. For example, the user interface screen indicates that access to the node 201 is blocked and may include a user interface that guides the release of isolation through an administrator (e.g., the controller 202).

In one embodiment, the access control application 212, the controller 202, and the gateway 203 of the node 201 may further perform operations 630 to 650. Depending on the embodiment, the access control application 212, the controller 202, and the gateway 203 of the node 201 may perform all or only part of operations 630 to 670.

At operation 630, the access control application 212 may determine whether channel creation is necessary. For example, when the controller 202 transmits information for creating a channel (eg, a series of information such as gateway and channel authentication), the access control application 212 may determine that channel creation is necessary. For another example, when the controller 202 does not transmit separate channel creation information to the node 201, the access control application 212 may determine that channel creation is not necessary.

In operation 635, the access control application 212 may request the gateway 203 to create a channel. If it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create a channel. For example, the access control application 212 may transmit to the gateway 203 a channel creation request including a series of information for channel creation (eg, gateway and channel authentication, etc.) received from the controller 202.

In operation 640, the gateway 203 may create a channel based on a series of information for channel creation (eg, gateway and channel authentication, etc.). In operation 645, the gateway 203 may transmit a response including the channel creation result to the access control application 212. The channel creation result may include a channel dedicated IP assigned to the node 201 and corresponding channel creation information.

At operation 650, the access control application 212 may perform a check of the application. When it is determined that channel creation is not necessary, or when a response including a channel creation result is received from the gateway 203, the access control application 212 may perform an application inspection. For example, when a white list is received from the controller 202, the access control application 212 may check whether an application included in the white list is installed on the node 201. For applications included in the white list among applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (whether the application is forged or tampered with, code signing inspection, and fingerprint inspection) according to the validation policy. at least one of) can be checked.

In operation 655, the access control application 212 may transmit the inspection result of the application to the controller 202.

The controller 202 may check whether the application is valid based on the test result. If the application is valid, the controller 202 checks the gateway 203 where the node 201 is located in the access policy and service policy for the node 201 to allow the node 201 to access the network, and then operates. 640 can be performed.

In operation 660, when the channel creation is completed according to the channel creation processing result, the controller 202 registers the channel dedicated IP assigned to the node 201 and the corresponding channel creation information in the channel table 318, and the node 201 registers the channel creation information in the channel table 318. The transmitted series of information can be updated to the identified control flow information 240.

So that the node 201 can control service processing requests without a network access request procedure, data flow (or data flow information (or data flow information ( 350)) can be generated.

When creating a data flow, the controller 202 may check the file IO policy in the file policy table 314 and generate file IO information 354 based on the file IO policy. File IO information 354 determines whether to allow downloading or uploading files when accessing the service server 205 to which the data flow is applied, and when file downloading and uploading are allowed, only which URLs are allowed to access and which URLs are not provided with file IO information. It may include a series of policy information related to file IO control information about whether to allow or not to allow and file IO control information by file type about which file types to allow or not to allow.

Additionally, the controller 202 may generate file inspection information 255 including whether to inspect a file when creating a data flow, and pattern and rule information to be inspected when inspecting a file.

In operation 665, the controller 202 may transmit a response to the connection application check result transmission of the connection control application 212. For example, the controller 202 may transmit data flow information 350 to the connection control application 212. Additionally, in operation 670, the controller 202 may transmit data flow information 350 to the gateway 203.

According to the operations of FIG. 6, when the node 211 is normally connected to the controller 202, all network connection requests generated from the node 211 are checked through the controller 202 to see whether they are authorized. After normal connection to the controller 202, since user authentication is not performed before user authentication, an access policy corresponding to an unidentified user (guest) may be applied to the node 211.

Figure 7 shows a signal flow diagram for user authentication according to various embodiments. The operations shown in FIG. 7 may be implemented, for example, after the signal flow diagram of FIG. 6.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 212 of the node 201 may receive authentication for the user of the node 201 from the controller 202.

Referring to FIG. 7, in operation 705, node 201 may receive input for user authentication. The input for user authentication may be, for example, a user input of entering a user ID and password. For another example, the input for user authentication may be a user input for stronger authentication (e.g., biometric information).

For example, when the access control application 212 is executed, the node 201 may display a user interface screen for receiving information necessary for connecting to the controller. The user interface screen may include an input window for entering controller connection information (e.g., IP or domain), an input window for entering a user ID, and/or an input window for entering a password. After information is entered into the input windows, the node 201 can detect a controller connection event by receiving an input for a button for user authentication. For example, when controller access information, user ID, and password are entered, node 201 may receive an input for a button to access the controller as a user. As another example, when only the controller access information is input and the user ID and password are not input, the node 201 may receive an input for a button to access the controller as a guest.

In operation 710, node 201 may request user authentication from controller 202. For example, the access control application 212 may transmit input information for user authentication to the controller 202. If a control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication along with control flow identification information.

At operation 715, controller 202 may authenticate the user based on information received from node 201. For example, the controller 202 may store user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., access policy database 311 of FIG. 2 ). ) or based on the blacklist database 319), it can be determined whether the user can access according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 316 based on the control flow identification information transmitted by the node 201, and adds control flow information 340 to the confirmed control flow information 340. You can add the user's identifying information (e.g. user ID). The added user identification information can be used to connect the authenticated user to the controller or network.

In operation 720, the controller 202 configures a connection policy corresponding to information identified in the connection policy database 311 and the channel policy database 312 (e.g., node 201, source network information to which node 201 belongs), and You can check the channel policy.

The controller 202 may generate white list information of accessible applications based on the connection policy confirmed in the connection policy database 311. As a result of the connection, the controller 202 may return a control flow ID for identifying the control flow and a generated application whitelist when the connection is completed and when the node 201 requests user authentication and continuously updates node information.

The controller 202 can check the channel policy through the IP of the node 201 identified in the channel policy database 312. The controller 202 may check whether destination network information to which the node 201 requesting connection exists by default can be connected based on the confirmed channel policy. If the controller connection request is possible, the controller 202 provides the information necessary for the node 201 to connect to the destination network (e.g., the type of node 201 included in the control flow, location information, environment, and Information on the source network that includes the node 201), the type of channel to which the node 201 can be connected, and information on the gateway 203 can be listed. The controller 202 may check the status (e.g., throughput, failure status) of the listed gateways 203 and identify one channel and one gateway optimized for the node 201 among the listed gateways. Here, the type of channel to which the node 201 can be connected and the information on the gateway 203 are based on the IP of the node 201 identified through the controller 202 and the IP of the node 201 identified in the node 201. It can be confirmed based on In another embodiment, controller 202 may not perform operation 720. For example, if the controller for which connection is requested is not available, the controller 202 may not perform operation 720.

At operation 725, the controller 202 may transmit a response to the user authentication request to the node 201. In one embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to a user authentication request. In one embodiment, the controller 202 may transmit the white list created through operation 720 to the access control application 212. Depending on the embodiment, if the object requesting controller access is unable to access or is included in the blacklist, the controller 202 may notify the controller 202 of the inability to access the controller in response to the user authentication request.

In one embodiment, node 201 may process results for user authentication. For example, the node 201 may output a user interface screen indicating that user authentication has been completed to the user through a display.

According to another embodiment, the controller 202 may determine that user authentication is not possible. For example, if the user's identifying information is included in the blacklist database, the controller 202 may determine that user authentication is not possible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is impossible to the node 201, and the node 201 may output a user interface screen on the display indicating that user authentication has failed. You can. For example, the node 201 may display a user interface screen through the access control application 212. The user interface screen indicates that access to the node 201 is blocked and may include a user interface that guides the release of isolation through an administrator (e.g., controller 202).

In one embodiment, the access control application 212, the controller 202, and the gateway 203 of the node 201 may further perform operations 730 to 750. Depending on the embodiment, the access control application 212, the controller 202, and the gateway 203 of the node 201 may perform all or part of operations 730 to 770.

At operation 730, the access control application 212 may determine whether channel creation is necessary. For example, when the controller 202 transmits information for creating a channel (eg, a series of information such as gateway and channel authentication), the access control application 212 may determine that channel creation is necessary. For another example, when the controller 202 does not transmit separate channel creation information to the node 201, the access control application 212 may determine that channel creation is not necessary.

In operation 735, the access control application 212 may request the gateway 203 to create a channel. If it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create a channel. For example, the access control application 212 may transmit to the gateway 203 a channel creation request including a series of information for channel creation (eg, gateway and channel authentication, etc.) received from the controller 202.

In operation 740, the gateway 203 may create a channel based on a series of information for channel creation (eg, gateway and channel authentication, etc.). In operation 745, the gateway 203 may transmit a response including the channel creation result to the access control application 212. The channel creation result may include a channel dedicated IP assigned to the node 201 and corresponding channel creation information.

At operation 750, access control application 212 may perform a check of the application. When it is determined that channel creation is not necessary, or when a response including a channel creation result is received from the gateway 203, the access control application 212 may perform an application inspection. For example, when a white list is received from the controller 202, the access control application 212 may check whether an application included in the white list is installed on the node 201. For applications included in the white list among applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (whether the application is forged or tampered with, code signing inspection, and fingerprint inspection) according to the validation policy. at least one of) can be checked.

In operation 755, the access control application 212 may transmit the application's inspection result to the controller 202.

The controller 202 may determine whether the application is valid based on the test result. If the application is valid, the controller 202 selects the gateways 203-1 and 203-2 where the node 201 is located in the access policy and service policy for the node 201 to allow the node 201 to access the network. After confirmation, operation 740 can be performed.

In operation 760, when the channel creation is completed according to the result of the channel creation process, the controller 202 registers the channel dedicated IP assigned to the node 201 and the corresponding channel creation information in the channel table 318, and the node 201 registers the channel creation information in the channel table 318. The transmitted series of information can be updated to the identified control flow information 240. A data flow can be created based on source IP, destination IP, service port information, protocol information, certificate information, domain, and URL information so that the node 201 can control service processing requests without a network connection request procedure.

The controller 202 may check the file IO policy when creating a data flow and generate file IO information 354 based on the file IO policy. File IO information 354 determines whether to allow downloading or uploading files when accessing the service server 205 to which the data flow is applied, and when file downloading and uploading are allowed, only which URLs are allowed to access and which URLs are not provided with file IO information. It may include a series of policy information related to file IO control information about whether to allow or not to allow and file IO control information by file type about which file types to allow or not to allow.

Additionally, the controller 202 may generate file inspection information 355 including whether to inspect a file when creating a data flow, and pattern and rule information to be inspected when inspecting a file.

At operation 765, the controller 202 may transmit a response to the connection control application 212's transmission of the application check result. For example, the controller 202 may transmit data flow information 350 to the connection control application 212. Additionally, in operation 770, the controller 202 may transmit data flow information 350 to the gateway 203.

According to the operations of FIG. 7, when the user of the node 211 is successfully authenticated, the access policy corresponding to the authenticated user is applied to the node 211, and the controller 202 checks whether network access is authorized. .

FIG. 8 illustrates a signal flow diagram for network access according to various embodiments, and the operations shown in FIG. 8 may be implemented, for example, after the signal flow diagram of FIG. 6 or FIG. 7.

Referring to FIG. 8, in operation 805, the node 201 may detect a network connection event of the connection application 211. For example, the node 201 may detect that a connection application attempts to connect to the destination network through the connection control application 212.

In one embodiment, connection control application 212 may inspect data flow when a network connection event is detected. For example, the access control application 212 may check whether a data flow corresponding to the identification information, destination IP, and/or port information of the access application exists. Additionally, the access control application 212 can check whether the data flow is valid even if the data flow exists. As an example, the access control application 212 performs integrity and safety checks of the access control application 212 and the access application (e.g., whether the application is forged or altered, code signing check, fingerprint check) according to the validation policy. And, according to the connection policy received from the controller 202, it is possible to check whether connection is possible to the destination IP and port of the connection application installed on the node 201.

If a valid data flow exists, the access control application 212 may skip the following operations and transmit the data packet of the access application to the gateway 203 through a secure session.

If a data flow exists but is not valid, the access control application 212 may not transmit a data packet and output a user interface screen indicating that the network connection has failed.

If the data flow does not exist, the authentication time of the data flow has expired and needs to be renewed, or if the data flow needs to be updated for other reasons, the access control application 212 may request network access from the controller 202. there is. Depending on the embodiment, the access control application 212 performs an integrity and safety check of the access control application 212 and the access application according to a validation policy before requesting network access, and when the integrity and stability of the application are confirmed, the controller You can request network access from (202).

In operation 810, the access control application 212 may request network access from the controller 202. In this case, the access control application 212 may transmit the access application identification information and the identification information of the service server 205 (eg, IP and service port) to the controller 202 along with the identification information of the control flow.

At operation 815, the controller 202 may confirm a connection policy and a channel policy associated with the connection application in response to a request received from the connection control application 212.

The controller 202 may check whether the access application satisfies the access policy of the access policy database 311. For example, the controller 202 determines whether the entity requesting network access (e.g., a connection application) and the identification information of the requested entity (e.g., service server 205) are included in the connection policy database 311 and the network connection. You can check whether the gateway request is available.

If network connection of the connection application is not possible, the controller 202 may transmit information indicating that connection is not possible to the node 201 in operation 820. In this case, the access control application 212 may output a user interface screen indicating that access is impossible through the display.

If the connection application can access the network, the controller 202 can check whether a channel has been created in the channel table to access the network. If a channel has not been created, or if a channel must be created in order to access the service in the channel policy, the controller 202 may transmit information indicating that access is not possible to the node 201 in operation 820. .

If a channel has been created, or if there is no need to create a channel to access the service in the channel policy, the controller 202 records the information requested by the node 201 for connection (e.g., destination IP and service) in the data flow table. You can check whether a valid data flow exists based on port information, etc.).

If there is no valid data flow, the controller 202 may create a data flow that allows a target (e.g., a connection application) to connect to the network between the node 201 and the service servers 205-1 and 205-2. You can. The controller 202 may generate data flow information 350 including source IP, destination IP, service port information, protocol information, certificate information, domain and URL information, etc.

In operation 820, the controller 202 may transmit a response to the network connection request of the access control application 212 to the node 201. For example, the controller 202 may transmit the data flow information 350 generated by performing operation 815 to the connection control application 212. Depending on the embodiment, if the object requesting connection is unable to connect, the controller 202 may notify the network connection inability in response to the network connection request. Here, the data flow information 350 transmitted in operation 820 may include source IP, destination IP, service port information, protocol information, certificate information, domain and URL information, etc.

Node 201 may process the result according to the received response. For example, the access control application 212 may store the received data flow information 350 and perform a file IO table check when network access is available. For another example, when receiving a response that network connection is not possible, the node 201 may drop the data packet of the connection application.

Additionally, in operation 825, the controller 202 may transmit data flow information 350 to the gateway 203. Here, the data flow information 350 transmitted in operation 825 may include source IP, destination IP, service port information, protocol information, certificate information, domain and URL information, etc.

FIG. 9 illustrates a flowchart for processing a service request of a gateway according to various embodiments, and the operations shown in FIG. 9 may be implemented, for example, after the signal flowchart of FIG. 6, FIG. 7, or FIG. 8.

Referring to FIG. 9, in operation 910, the gateway 203 (or proxy server 204-2) sends a service request including source IP or certificate identification information, destination IP or domain information, port information, and protocol information. You can receive it. The service request may be transmitted from node 201.

In operation 920, the gateway 203 may check whether data flow information 350 exists based on information included in the service request. For example, the gateway 203 may check whether data flow information 350 exists based on source IP or certificate identification information, destination IP or domain information, port information, and protocol information.

If data flow information 350 exists, the gateway 203 may perform operation 930.

In operation 930, the gateway 203 may check whether file information is included in the service processing request. If the service processing request includes file information, the gateway 203 may perform operation 940. If file information is not included in the service processing request, the gateway 203 may perform operation 970.

In operation 940, the gateway 203 may check whether file transfer is allowed based on the file IO information 354 included in the data flow information 350. If file transfer is permitted, gateway 203 may perform operation 950. If file transfer is not permitted, the gateway 203 may perform operation 980. In another example, if file transmission is not permitted for the file information included in the service processing request, the gateway 203 forwards the service processing request to a specified path according to the service processing policy, or redirects it to the node 201. information can be returned.

In another embodiment, if file transfer is allowed, the gateway 203 may check whether the extension allows file transfer based on the file IO information 354 included in the data flow information 350. If file transfer is allowed and the extension is an extension that allows file transfer, the gateway 203 may perform operation 950. If file transfer is not permitted, or the extension is for which file transfer is not permitted, the gateway 203 may perform operation 980. In another example, if file transfer is not allowed or the extension is not allowed for file transfer, the gateway 203 forwards the service processing request to a designated path according to the service processing policy, or redirects it to the node 201. information can be returned.

In operation 950, the gateway 203 may check whether to inspect the file based on the file inspection information 355 included in the data flow information 350. When checking a file, gateway 203 may perform operation 960. If not checking the file, gateway 203 may perform operation 970.

At operation 960, gateway 203 may confirm whether the file information check was successful. For example, the gateway 203 inspects the file information included in the service processing request information according to the file inspection method indicated by the file inspection information 355 included in the data flow information 350, and determines whether the inspection result is successful. You can check. Here, file information inspection performs its own inspection based on the pattern and rule information included in the data flow, or external applications (e.g. anti-virus, malware detection tools, data loss prevention technology, etc.) and external devices. The inspection can be performed through In addition, the file information check can check whether malware, malicious code, personal information, etc. exists in the file being checked, or replace unauthorized or unsafe information with other information.

If checking the file is successful, the gateway 203 may perform operation 970. If checking the file fails, the gateway 203 may perform operation 980.

In operation 970, the gateway 203 may forward the service processing request to the destination based on the source IP or certificate identification information, destination IP or domain information, port information, and protocol information. For example, the gateway 203 may forward the service processing request to the destination if the file information check is successful, if the file information is not included, or if the file information check is not necessary.

In operation 980, the gateway 203 may return service request failure information to the node 201. In another example, instead of operation 980, the gateway 203 may forward the service processing request to a designated path according to the service processing policy, or may return information to redirect it to the node 201.

FIG. 10 illustrates a flowchart for receiving a service request processing result of a gateway according to various embodiments, and the operations shown in FIG. 10 may be implemented, for example, after the signal flow diagram of FIG. 9 .

Referring to FIG. 10, in operation 1010, the gateway 203 (or proxy server 204-2) may receive a service processing request result. Here, the result according to the service processing request may be data according to the operations of FIG. 9. The service request processing result may be transmitted from the destination of the service request (e.g., service server 205-1ㅓ, 205-2).

In operation 1020, the gateway 203 may check whether file information is included in the service processing request result. If the service processing request result includes file information, the gateway 203 may perform operation 1030. If file information is not included in the service processing request result, the gateway 203 may perform operation 1060.

In operation 1030, the gateway 203 may check whether file reception is allowed based on the file IO information 354 included in the data flow information 350. If file reception is permitted, the gateway 203 may perform operation 1040. If file reception is not permitted, the gateway 203 may perform operation 1070.

In another embodiment, if file reception is allowed, the gateway 203 may check whether the extension allows file reception based on the file IO information 354 included in the data flow information 350. If file reception is allowed and the extension is an extension that allows file reception, the gateway 203 may perform operation 1040. If the file is not allowed to be received, or the file extension is not allowed to be received, the gateway 203 may perform operation 1070.

In operation 1040, the gateway 203 may check whether to inspect the file based on the file inspection information 355 included in the data flow information 350. When checking a file, gateway 203 may perform operation 1050. If not checking the file, gateway 203 may perform operation 1060.

At operation 1050, the gateway 203 may confirm whether the file information check was successful. For example, the gateway 203 inspects the file information included in the service processing request result information according to the file inspection method indicated by the file inspection information 355 included in the data flow information 350, and determines the success of the inspection result. You can check whether or not. Here, file information inspection performs its own inspection based on the pattern and rule information included in the data flow, or external applications (e.g. anti-virus, malware detection tools, data loss prevention technology, etc.) and external devices. The inspection can be performed through In addition, the file information check can check whether malware, malicious code, personal information, etc. exists in the file being checked, or replace unauthorized or unsafe information with other information.

If checking the file is successful, the gateway 203 may perform operation 1060. If checking the file fails, the gateway 203 may perform operation 1070.

In operation 1060, the gateway 203 may forward a service processing request to the node 201 based on the source IP or certificate identification information, destination IP or domain information, port information, and protocol information. For example, the gateway 203 may forward the service processing request result to the node 201 when the file information check is successful, when the file information is not included, or when the file information check is not necessary.

In operation 1060, the gateway 203 may return service request failure information.

Figure 11 shows a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments.

In operation 1105, the gateway 203 may transmit a service request processing log and a rejection log to the controller 202. The gateway 203 may transmit service request processing logs and rejection logs to the controller 202 in designated time units. For example, the service request may include a service processing request for the service server 205 of the node 201.

At operation 1110, the controller 202 may analyze the log received from the gateway 203. The controller 202 may update statistical information on service requests and rejections based on the received log information. The controller 202 may analyze the received log to check whether the object requesting the service (e.g., the node 201 or the access application 211 of the node 201) is performing abnormal behavior. For example, if the object requesting the service is performing abnormal behavior, the controller 202 may register it in the blacklist database 319 according to the blacklist policy of the blacklist policy database 315. Additionally, the controller can block service access of a target performing abnormal behavior by removing the target's data flow and control flow. The controller 202 may return updated data flow information to the gateway 203.

In operation 1115, the controller 202 may transmit the update result of the data flow to the gateway 203. When the gateway 203 needs to remove a data flow according to the received data flow information 350, the gateway 203 removes the data flow of the target performing abnormal behavior from the data flow table 317 so that the target can no longer access the service. You can prevent a request from being performed.

Referring to FIG. 12, at operation 1205, the access control application 212 may request a control flow update.

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In one embodiment, the access control application 212 may request a control flow update including identification information of the control flow at specified intervals.

At operation 1210, controller 202 may update (check) the control flow. For example, the controller 202 determines whether the control flow information 340 indicated by the received identification information exists in the control flow table 316, and if the control flow information 340 exists, the data flow information 350 dependent thereon. You can check whether exists. If the connection is released by another security system, the update time has elapsed, or the connection is released due to risk detection, the control flow may not exist. If a control flow does not exist, the controller 202 may return unreachable information to the node 201. If a control flow exists, the controller 202 may update the update time or expiration time of the control flow and search for data flows dependent on the control flow. For example, if re-authentication must be performed in the discovered data flow or if there is a data flow that is no longer accessible, the controller 202 may return the corresponding data flow information to the node 201.

For example, if an update (check) fails, the controller 202 may transmit unconnectable information to the node 201. In this case, the node 201 may terminate the access control application 212 or block the network connection of the access control application 212. For another example, if the update (check) is successful, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. The controller 202 may transmit updated control flow information and data flow information to the node 201. In this case, the node 201 may update the control flow information 340 and data flow information 350.

In operation 1215, the controller 202 may transmit update (check) result information to the access control application 212. For example, if an update (check) fails, the controller 202 may transmit no-connection information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 dependent thereon to the connection control application 212. In this case, the node 201 may update the control flow information 340 and data flow information 350.

The access control application 212 may process update (check) result information. If the control flow update result indicates that connection is not possible, the connection control application 212 may terminate the connection application 211 or block all network connections of the connection application 211. If the control flow update result indicates normal and there is updated data flow information 350, the connection control application 212 may update the data flow table 317 in the connection control application 212.

Referring to FIG. 13, in operation 1305, the node 201 may request the controller 202 to terminate the control flow. For example, node 201 may terminate the connection control application 212, request termination of the control flow when the network connection is unused for a specified period of time, or when a connection termination request is received from another system.

At operation 1310, the controller 202 may remove the control flow corresponding to the identification information received from the node 201. The controller 202 may also remove data flows dependent on the removed control flow.

At operation 1315, the controller 202 may request the gateway 203 to remove the data flow.

In operation 1320, the gateway 203 may block the network connection of the access control application 212 by removing the data flow.

Through the operations of FIG. 13, the gateway 203 periodically performs a data flow update procedure with the controller 202 and updates invalid data flow information 350 according to termination of the connection application or release of network connection of the node 201. Invalid sessions can be removed by receiving and matching session information stored in the gateway 203. Accordingly, embodiments according to the present disclosure may prevent subjects whose authentication is not valid due to characteristics such as HTTP where the status of the node 201 is unknown, from using the service in an authenticated state.

Referring to FIG. 14, in operation 1405, the access control application 212 may detect termination of the access application 211. The access control application 212 can monitor in real time whether the access application 211 running on the node 201 is terminated.

In operation 1410, the access control application 212 may request the controller 202 to terminate the data flow. For example, the connection control application 212 may request termination of the data flow by transmitting the data flow identification information assigned to the terminated connection application 211 or the identification information of the connection application 211 to the controller 202. .

In operation 1415, the controller 202 may remove the data flow based on the data flow identification information received from the node 201 or the identification information of the access application 211. The controller 202 may identify and search a control flow based on the received data flow identification information or the identification information of the access application 211 and remove the data flow dependent on the identified and searched control flow.

In operation 1420, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1425, the gateway 203 removes the data flow and thereby removes the service corresponding to the removed data flow of the access control application 212. Access to the server 205 can be blocked. Afterwards, the connection application 211 can no longer transmit data packets to the destination network.

The above description is merely an illustrative description of the technical ideas disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document should be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of rights of this document.

Claims

In the gateway,

communication circuit;

a processor operatively connected to the communication circuit; and

a memory operatively coupled to the processor and storing a proxy server, wherein when executed by the processor the gateway causes the proxy server to:

Receive service processing requests from nodes,

Check whether data flow information corresponding to the information included in the service processing request exists, and the information included in the service processing request includes source information or destination information,

A gateway that stores instructions for processing the service processing request based on the data flow information when the data flow information exists.
The method of claim 1, wherein the commands allow the gateway to:

Check whether file information is included in the service processing request,

If the service processing request does not include file information, forwarding the service processing request to the destination according to the service processing request,

When the service processing request includes file information, a gateway that processes the service processing request depending on whether transmission of the file indicated by the file information is permitted.
The method of claim 1, wherein the commands allow the gateway to:

Based on the file IO (input output) information included in the data flow information, confirm whether transmission of the file indicated by the file information included in the service processing request is permitted,

If transmission of the file is not permitted, return the service processing request to the node,

When transmission of the file is allowed, the gateway processes the service processing request depending on whether or not the inspection of the file indicated by the file information is successful.
The method of claim 3, wherein the commands allow the gateway to:

Based on the file IO information, check whether the extension of the file is an extension that allows file transfer,

If the extension does not allow the file transfer, the service processing request is returned to the node,

If the extension allows the file transfer, the gateway processes the service processing request depending on whether or not the inspection of the file indicated by the file information is successful.
The method of claim 1, wherein the commands allow the gateway to:

Based on the file inspection information included in the data flow information, determine whether file information inspection of the file indicated by the file information included in the service processing request is necessary,

If the file information inspection is not necessary, forwarding the service processing request to a destination according to the service processing request,

When the file information check is necessary, the gateway processes the service processing request depending on whether the file check of the file indicated by the file information is successful.
The method of claim 1, wherein the commands allow the gateway to:

Based on the file inspection method indicated by the file inspection information included in the data flow information, inspect the file information included in the service processing request,

If the file information check is successful, forwarding the service processing request to a destination according to the service processing request,

If the file information check fails, the gateway returns the service processing request to the node.
The method of claim 1, wherein the commands allow the gateway to:

After forwarding the service processing request, receive the service processing result from the destination server,

A gateway that processes the service processing results based on the data flow information.
The method of claim 7, wherein the commands allow the gateway to:

When file information is included in the service processing result, check whether reception of the file indicated by the file information included in the service processing result is allowed based on file IO (input output) information included in the data flow information. do,

If reception of the file is permitted, check whether file information of the file indicated by the file information included in the service processing result is necessary based on the file inspection information included in the data flow information,

When the file information inspection is necessary, inspect the file information included in the service processing result based on the file inspection method indicated by the file inspection information included in the data flow information,

If the file information check is successful, the gateway forwards the service processing result to the node according to the service processing result.
In the operation method performed by running the proxy server of the gateway,

An operation of receiving a service processing request from a node,

An operation of checking whether data flow information corresponding to the information included in the service processing request exists, the information included in the service processing request includes source information or destination information,

An operating method comprising, when the data flow information exists, processing the service processing request based on the data flow information.
The method of claim 9, wherein the operation of processing the service processing request includes:

An operation to check whether file information is included in the service processing request,

If file information is not included in the service processing request, forwarding the service processing request to a destination according to the service processing request, and

When the service processing request includes file information, an operation method comprising processing the service processing request according to whether transmission of the file indicated by the file information is permitted.
The method of claim 9, wherein the operation of processing the service processing request includes:

An operation of checking whether transmission of a file indicated by file information included in the service processing request is permitted based on file IO (input output) information included in the data flow information;

If transmission of the file is not permitted, returning the service processing request to the node, and

An operating method comprising processing the service processing request depending on whether or not inspection of the file indicated by the file information is successful when transmission of the file is permitted.
The method of claim 11, wherein the operation of processing the service processing request includes:

An operation of checking whether the extension of the file is an extension that allows file transfer, based on the file IO information,

If the extension does not allow the file transfer, returning the service processing request to the node, and

An operation method comprising processing the service processing request depending on whether the file inspection of the file indicated by the file information is successful or not, if the extension allows the file transmission.
The method of claim 9, wherein the operation of processing the service processing request includes:

An operation of checking whether file information of a file indicated by file information included in the service processing request is required, based on file inspection information included in the data flow information;

If the file information check is not necessary, forwarding the service processing request to a destination according to the service processing request, and

An operation method comprising processing the service processing request depending on whether the file inspection of the file indicated by the file information is successful when the file information inspection is necessary.
The method of claim 9, wherein the operation of processing the service processing request includes:

An operation of inspecting file information included in the service processing request based on a file inspection method indicated by file inspection information included in the data flow information;

If the file information check is successful, forwarding the service processing request to a destination according to the service processing request, and

An operation method comprising returning the service processing request to the node when the file information check fails.
In claim 9,

An operation of receiving a service processing result from a destination server after forwarding the service processing request, and

An operation method including processing the service processing result based on the data flow information.
The method of claim 15, wherein the operation of processing the service processing result includes:

When file information is included in the service processing result, check whether reception of the file indicated by the file information included in the service processing result is allowed based on file IO (input output) information included in the data flow information. action,

If reception of the file is permitted, an operation of checking whether file information of the file indicated by the file information included in the service processing result is necessary based on file inspection information included in the data flow information;

When the file information inspection is necessary, an operation of inspecting the file information included in the service processing result based on a file inspection method indicated by the file inspection information included in the data flow information, and

An operation method comprising forwarding the service processing result to the node according to the service processing result when the file information check is successful.