WO2023211122A1 - Proxy-based system for controlling file transmission and reception of an application, and associated method - Google Patents


Info

Publication number
WO2023211122A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
file
gateway
node
server
Prior art date
Application number
PCT/KR2023/005628
Other languages
English (en)
Korean (ko)
Inventor
김영랑
Original Assignee
프라이빗테크놀로지 주식회사
Priority date
Filing date
Publication date
Application filed by 프라이빗테크놀로지 주식회사
Publication of WO2023211122A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/563 Data redirection of data network streams
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • Embodiments disclosed in this document relate to a system and method for controlling file transmission and reception of an application based on a proxy.
  • Networks may include public networks such as the Internet as well as private networks such as intranets.
  • In general, a terminal communicates with a server over IP (Internet Protocol) using TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and firewall technology may be used to control which connections between a source IP and a destination IP are authorized at the TCP or UDP layer.
  • In IP communication, the IP address can be forged or altered; to address this, VPN (Virtual Private Network) and tunneling technologies are used to encrypt data packets between the terminal and the server.
  • DLP (Data Loss Prevention) technology is also used so that only a permitted application can connect to a permitted network.
  • DLP prevents unauthorized media (e.g. USB or removable storage devices) from being connected, and prevents specific folders from being shared on the network.
  • When a specific application selects a file for transfer, DLP can prevent the transfer by blocking the file from being selected; or, when file input/output by a specific application occurs (or is being tracked), DLP can prevent data leakage by removing the file input/output handle if the user does not have file input/output permission.
  • Such DLP technology may not be able to prevent unauthorized media from being connected in a work-from-home environment using personally owned terminals, where physical security control is not possible and there are limits to applying security policies.
  • DLP technology that tracks specific user actions may not be able to prevent, for example, malware (rather than the user) from directly loading and transmitting a file without a file selection window, because the tracked action is never performed.
  • DLP technology that tracks the file input and output of a specific application blocks that application's file input and output altogether, so it may be difficult to allow file transfer over the network to which the application is connected.
  • DLP that lifts file input/output restrictions by identifying the address window of an Internet browser cannot track network access information for applications that have no address window, so there are limits to controlling file reception and transmission.
  • In addition, the terminal may be able to access files received from or transmitted to the cloud without any restriction. For example, files containing potentially dangerous content may be imported from the Internet, or files containing important information received from the cloud may be leaked through the Internet.
  • According to an embodiment, a gateway includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a proxy server.
  • The memory stores instructions that, when executed by the processor, cause the gateway to receive from an external server a data flow including file IO (input/output) information indicating whether approval is required for a node to send and receive files, and to configure the proxy server.
  • According to an embodiment, a server includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database. The memory stores instructions that, when executed by the processor, cause the server to: receive from an access control application of a node a network connection request for a service server, where the network connection request contains identification information of the target application of the node attempting to connect to the network of the service server and network information of the service server; check, based on the database, whether the target application can connect to the service server; if connection is possible, generate a data flow corresponding to the network information of the service server and transmit it to the node and the gateway, where the data flow includes file IO (input/output) information indicating whether approval is required for the node to send and receive files; and if connection is not possible, transmit to the node result information indicating that connection is not possible.
  • According to an embodiment, a method of operating a gateway includes receiving from an external server a data flow including file IO (input/output) information indicating whether approval is required for a node to send and receive files, and processing a service processing request or a service processing result of the node based on whether file information is included in that request or result, as observed through the proxy server of the gateway.
  • According to an embodiment, a method of operating a server includes receiving from an access control application of a node a network connection request for a service server, where the network connection request contains identification information of the target application of the node attempting to connect to the network of the service server and network information of the service server; checking, based on the database of the server, whether the target application can connect to the service server; and generating a data flow corresponding to the network information of the service server and transmitting it to the node and the gateway, where the data flow may include file IO (input/output) information indicating whether approval is required for the node to transmit and receive files.
  • According to the embodiments disclosed in this document, the file information included in service requests and service results exchanged between an authenticated terminal and a service server can be monitored through a proxy included in the gateway, and the transmission and reception of files can be controlled accordingly.
  • FIG. 1 shows an architecture within a network environment according to various embodiments.
  • Figure 2 is a functional block diagram showing a database stored in a controller according to various embodiments.
  • Figure 3 shows control flow information, data flow information, and file table information among information included in a database according to various embodiments.
  • FIG. 4 is a functional block diagram of a node according to various embodiments.
  • Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.
  • Figure 6 shows a signal flow diagram for controller connection according to various embodiments.
  • FIG. 7 shows a signal flow diagram for user authentication according to various embodiments.
  • FIG. 8 illustrates a user interface screen for accessing a controller according to various embodiments.
  • Figure 9 shows a signal flow diagram for network access according to various embodiments.
  • Figure 10 shows a signal flow diagram for processing a service processing request according to various embodiments.
  • Figure 11 shows a signal flow diagram for receiving a service processing request result according to various embodiments.
  • Figure 12 shows a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments.
  • Figure 13 shows a signal flow diagram for control flow update according to various embodiments.
  • FIG. 14 shows a signal flow diagram for control flow removal according to various embodiments.
  • Figure 15 shows a signal flow diagram for data flow removal according to various embodiments.
  • When one (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively", it means that the one component can be connected to the other directly (e.g., by wire), wirelessly, or through a third component.
  • Each component (e.g., module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (e.g., modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components in the same or a similar manner as the corresponding component did prior to the integration.
  • Operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically; one or more of the operations may be executed in a different order or omitted, or one or more other operations may be added.
  • The term "module" used in this document may refer to a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit.
  • A module may be an integrated part, or a minimum unit of the part or a portion thereof, that performs one or more functions.
  • For example, the module may be implemented in the form of an application-specific integrated circuit (ASIC).
  • Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine.
  • For example, the processor of the device may call at least one of the one or more instructions stored in the storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called.
  • the one or more instructions may include code generated by a compiler or code that can be executed by an interpreter.
  • a storage medium that can be read by a device may be provided in the form of a non-transitory storage medium.
  • Here, "non-transitory" only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves); the term does not distinguish between cases where data is semi-permanently stored in the storage medium and cases where it is temporarily stored.
  • Computer program products are commodities and can be traded between sellers and buyers.
  • A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)), or distributed online (e.g., downloaded or uploaded) through an application store or directly between two user devices (e.g. smartphones). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored in, or temporarily created in, a machine-readable storage medium such as the memory of a manufacturer's server, an application store server, or a relay server.
  • FIG. 1 shows an architecture within a network environment according to various embodiments.
  • the node 201-1 or 201-2 shown in FIG. 1 may be various types of devices capable of performing data communication.
  • For example, the node 201-1 or 201-2 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device, or a home appliance, and is not limited to the above-described devices.
  • node 201-1 or 201-2 may include a server or gateway capable of transmitting data packets through an application.
  • the node 201-1 or 201-2 may also be referred to as an ‘electronic device’ or a ‘terminal’.
  • Node 201-1 or 201-2 may store at least one target application and at least one access control application, respectively.
  • the node 201-1 may store the target application 211-1 and the access control application 212-1.
  • the node 201-2 may store the target application 211-2 and the access control application 212-2.
  • Each of the target applications 211-1 or 211-2 transmits data packets to the service server 205-1 or 205-2 through the gateway 203 under the control of the access control application 212-1 or 212-2, or conversely receives data packets from it.
  • Some target applications may be allowed and/or secured applications, such as web browsers or business applications, while others may be non-allowed programs (e.g. malware, ransomware, and other unallowed or unsecured programs) or insecure malicious programs (e.g. an application infected with malware, or one that has been forged or altered).
  • The access control application 212-1 or 212-2 identifies the program (or target application, or process of the target application) requesting transmission of a data packet, and can prevent data packets of an unauthorized program from being transmitted outside the node 201-1 or 201-2.
  • The access control application 212-1 or 212-2 is connected to the gateway 203 through a channel 220-1 or 220-2. Access by unauthorized programs to the service server 205-1 or 205-2 can be blocked, and such a program can be quarantined.
  • Channel 220-1 or 220-2 may also be referred to as a 'secure session'.
  • The access control application 212-1 or 212-2 checks with the controller 202 whether connection is possible and, if so, performs authentication with the gateway 203 using a data packet authenticated by the controller 202. Once authentication is completed, the access control application 212-1 or 212-2 can create the channel 220-1 or 220-2 with the gateway 203.
  • The node 201-1 or 201-2 may include the access control application 212-1 or 212-2 for managing the network connection of the target application 211-1 or 211-2 stored in the node, and a network driver (not shown).
  • The access control application may determine whether the target application 211-1 or 211-2 is permitted to connect. If it is, the access control application 212-1 or 212-2 transmits the data packets to the gateway 203 through the channel 220-1 or 220-2.
  • the access control application 212-1 or 212-2 may control the transmission of data packets within the node 201-1 or 201-2 through a kernel including an operating system and a network driver.
  • the controller 202 may be, for example, a server (or cloud server).
  • The controller 202 manages data transmission between the node 201-1 or 201-2, the gateway 203, and the service server 205-1 or 205-2 to ensure reliable data transmission within the network environment.
  • The controller 202 may allow an authorized node 201-1 or 201-2 (or access control application 212-1 or 212-2) to access the network based on policy information or blacklist information.
  • The controller 202 mediates the creation of the channel 220-1 or 220-2 between the access control application 212-1 or 212-2 and the gateway 203, and may remove (or recover) the channel according to security events collected from the node 201-1 or 201-2, the gateway 203, or other linked security systems (not shown).
  • The access control application 212-1 or 212-2 can communicate with the service server 205-1 or 205-2 only through a channel 220-1 or 220-2 authorized by the controller 202; if no authorized channel exists, network access by the node 201-1 or 201-2 and the access control application 212-1 or 212-2 may be blocked.
  • Likewise, the target application 211-1 or 211-2 can communicate with the service server 205-1 or 205-2 only through a channel 220-1 or 220-2 authorized by the controller 202; if no authorized channel exists, the network connection of the target application 211-1 or 211-2 may be blocked by the access control application 212-1 or 212-2, the controller 202, or the gateway 203.
  • To perform the various operations associated with network access of the node 201-1 or 201-2 or the access control application 212-1 or 212-2 (e.g., registration, authorization, authentication, update, and termination), the controller 202 can transmit and receive control data packets with the access control application 212-1 or 212-2.
  • The flow through which control data packets are transmitted (e.g., 230-1 or 230-2) may be referred to as a 'control flow'.
  • the gateway 203 may be located at the border of the network to which the node 201-1 or 201-2 belongs or at the border of the network to which the service server 205-1 or 205-2 belongs.
  • the gateway 203 may be located at the boundary of an intranet or cloud.
  • the gateway 203 may be connected to the controller 202 on a cloud basis.
  • the gateway 203 may forward only authorized data packets among the data packets received from the access control application 212-1 or 212-2 to the service server 205-1 or 205-2.
  • The flow in which data packets are transmitted between the access control application 212-1 or 212-2 and the gateway 203 (e.g., 240-1 or 240-2) may be referred to as a 'data flow'.
  • Data flows can be created not only on a per-node or per-IP basis, but also on a more granular basis (e.g. per-application).
  • The gateway 203 authenticates the access control application 212-1 or 212-2 before creating the channel 220-1 or 220-2 with it, and forwards to the service server 205-1 or 205-2 only those data packets from the access control application that were transmitted through the channel 220-1 or 220-2, so that indiscriminate network access is blocked in advance.
  • The gateway 203 can relay service processing between the authenticated node 201-1 or 201-2 and the service server 205-1 or 205-2 through the proxy server 231 included in the gateway 203.
  • The gateway 203 monitors the file information included in service processing requests and service processing results through the proxy server 231, and can control file transmission and reception based on the file IO information included in the data flow 240-1 or 240-2.
  • the proxy server 231 may also be referred to as a 'proxy'.
  • the proxy server 231 may be a program or application.
  • FIG. 2 is a functional block diagram showing a database stored in the controller 202 according to various embodiments, and FIG. 3 shows the control flow information 340, data flow information 350, and file table information 360 among the information included in the database.
  • the controller 202 may store databases 311 to 320 for controlling network connection and data transmission in the memory 330.
  • Although FIG. 2 shows only the memory 330, the controller 202 may further include a communication circuit (e.g., the communication circuit 430 in FIG. 4) for communicating with external electronic devices (e.g., the node 201-1 or 201-2, the gateway 203, or the service server 205-1 or 205-2 in FIG. 1) and a processor (e.g., the processor 410 in FIG. 4) for controlling the overall operation of the controller 202.
  • An administrator can access the controller 202 and set a connection-oriented policy to control the connection between the access control application 212-1 or 212-2 and the service server 205-1 or 205-2, so network access can be controlled more precisely and safely than by managing sessions at the service server.
  • The connection policy database 311 may include information about the networks and/or services that an identified network, node, or application is allowed to access. For example, when the access control application 212-1 or 212-2 requests network access from the controller 202, the controller 202 may determine, based on the policy in the connection policy database 311, whether the identified network (e.g., the network to which the node 201-1 or 201-2 belongs), node (201-1 or 201-2), user (e.g., the user of the node 201-1 or 201-2), and/or application (e.g., the target application 211-1 or 211-2 included in the node 201-1 or 201-2) can access the service server 205-1 or 205-2. In one embodiment, the controller 202 may create a whitelist of target applications that can access a specific service (e.g., IP and port) based on the connection policy database 311.
  • The channel policy database 312 may include the information required to create a channel with the gateway 203 on the connection path between the node 201-1 or 201-2 and the service server 205-1 or 205-2 (or destination IP and port) according to the policy of the connection policy database 311 (e.g., authentication information, encryption algorithm, and/or tunnel endpoint IP). If a channel previously established through another gateway already exists on the access path, the channel policy database 312 may include information for reusing it (e.g., whether the IP information assigned to the node is collected, and whether alternative processing is performed).
  • the channel table 318 may include a channel dedicated IP assigned to the node 201-1 or 201-2 and channel creation information.
  • The service policy database 313 may include the information required, according to the policy of the connection policy database 311, for the node 201-1 or 201-2 to pass through the proxy server 231 of the gateway 203 located on the connection path between the node and the service server 205-1 or 205-2 (or destination IP and port) when a service processing request for a domain is relayed to the service server through that proxy server: for example, domain address resolution information, the certificate required to access the domain, whether to return the service processing result as failure information when the data flow check fails, and/or whether to redirect to another URL.
  • The file IO policy database 314 is linked to the connection policy and may include information for establishing a file IO policy for the target application 211-1 or 211-2.
  • For example, the file IO policy database 314 may include information about whether approval is required for the target application 211-1 or 211-2 to receive and transmit files.
  • The blacklist policy database 315 may indicate a blacklist registration policy for blocking access by targets identified by at least one of a node ID (identifier), IP address, MAC (media access control) address, or user ID.
  • The blacklist database 320 may include the list of targets blocked by the blacklist policy database 315. For example, if the identification information of the node 201-1 or 201-2 requesting network access is included in the blacklist database 320, the controller 202 rejects the network access request and can thereby isolate the node 201-1 or 201-2.
  • the control flow table 316 is an example of a session table for managing the flow (i.e., control flow) of control data packets generated between the access control application 212-1 or 212-2 and the controller 202.
  • The control flow information 340 and the control flow ID 342 may be generated by the controller 202.
  • The control flow information 340 may include identification information 344 representing at least one of the IP identified during controller connection and authentication, the node, the application, or a target additionally identified through linkage with a service server.
  • By mapping the flow ID 342 to the identification information 344, the controller 202 can decide whether the access control application 212-1 or 212-2 may connect to the service server 205-1 or 205-2 and whether a data flow for creating a channel with the gateway 203 may be created.
  • Status information 346 may indicate various states such as creation, authentication, update, termination, etc. of a control flow.
  • Since the control flow has an expiration time, the node 201-1 or 201-2 must update the expiration time of the control flow based on the time information 348; if the expiration time is not updated within a certain period, the control flow (or the control flow information 340) may be removed. In addition, if it is determined that access must be blocked immediately according to security events collected from the node 201-1 or 201-2, the access control application 212-1 or 212-2, another security application (not shown), or the gateway 203, or if a connection termination request is received from one of them, the controller 202 may remove the control flow. When a control flow is removed, the data flows dependent on it are also removed, and the gateway 203 can block access by the access control application 212-1 or 212-2 or the target application 211-1 or 211-2 to the service server 205-1 or 205-2.
  • The data flow table 317 is a table for managing the flows (i.e., data flows) in which the actual data packets are transmitted between the node 201-1 or 201-2, the gateway 203, and the service server 205-1 or 205-2. Data flows can be created per TCP session, per application, or at a more granular unit.
  • The data flow table 317 may include an application ID, destination IP address, and/or service port so that it can be determined whether a data packet transmitted from a source is an authorized data packet.
  • The data flow information 350 may include a data flow ID 351 for identifying the data flow and, if the data flow is dependent on a control flow, the control flow ID 352. Since the node 201-1 or 201-2 or the access control application 212-1 or 212-2 can create channels and sessions with one or more gateways, the controller 202 can manage the data flows dependent on a transmitting subject through the control flow ID 352 assigned to that subject.
  • The data flow information 350 may include inspection target information 353 used to determine whether a channel has been created between the access control application 212-1 or 212-2 and the gateway 203, and whether data packets are forwarded to the service server 205-1 or 205-2: the source IP and destination IP of the data packet, service port information, protocol information, certificate information, and the service request path (URL) and/or domain information used to control service requests. Certificate information may include certificate identification information. The data flow information 350 may also include status information 355 indicating whether the data flow is in a valid, usable state, and file IO information 354. The file IO information 354 may include whether approval is required for file transmission, whether approval is required for file reception, and exception information for file IO processing, together with the target information (or policy information) to which the control of file transmission and reception applies (domain information, URL information, and/or file type information).
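The controller-side behaviour described above (blacklist check, whitelist check against the connection policy, generation of a data flow carrying file IO information and bound to a control flow, and removal of dependent data flows when a control flow lapses) can be written out as code. The following Python is an added example prepared for this page; it is not the applicant's implementation. Controller, ConnectionRequest, the 60-second lifetime and the sample policy entries are assumptions, and the flow identifiers are local labels rather than the reference numerals of the figures.

```python
"""Controller-side decision logic, added here to illustrate the patent text; it is
not the applicant's code. Controller, ConnectionRequest, the TTL value and the
sample policy entries are assumptions made for this example."""
from __future__ import annotations

import itertools
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionRequest:            # sent by the access control application
    control_flow_id: str            # control flow the requesting node already holds
    node_id: str
    app_id: str                     # identification information of the target application
    dest_ip: str                    # network information of the service server
    dest_port: int


@dataclass(frozen=True)
class FileIOInfo:                   # file IO information carried in the data flow
    approve_tx: bool                # approval required for file transmission
    approve_rx: bool                # approval required for file reception


@dataclass
class ControlFlow:
    flow_id: str
    node_id: str
    expires_at: float               # time information the node must keep renewing


@dataclass
class DataFlow:
    flow_id: str                    # data flow ID
    control_flow_id: str            # control flow this data flow depends on
    app_id: str
    dest_ip: str
    dest_port: int
    file_io: FileIOInfo


class Controller:
    TTL = 60.0                      # control flow lifetime in seconds (assumed value)

    def __init__(self, now=time.monotonic):
        self._now, self._ids = now, itertools.count(1)
        self.blacklist: set[str] = set()                              # blacklist database
        self.connection_policy: dict[str, set[tuple[str, int]]] = {}  # whitelist: app -> {(ip, port)}
        self.file_io_policy: dict[str, FileIOInfo] = {}               # file IO policy database
        self.control_flows: dict[str, ControlFlow] = {}               # control flow table
        self.data_flows: dict[str, DataFlow] = {}                     # data flow table

    def create_control_flow(self, node_id: str) -> str:
        cf = ControlFlow(f"cf-{next(self._ids)}", node_id, self._now() + self.TTL)
        self.control_flows[cf.flow_id] = cf
        return cf.flow_id

    def refresh_control_flow(self, cf_id: str) -> bool:
        """The node renews the expiration time; a lapsed flow cannot be renewed."""
        cf = self.control_flows.get(cf_id)
        if cf is None or cf.expires_at <= self._now():
            return False
        cf.expires_at = self._now() + self.TTL
        return True

    def remove_control_flow(self, cf_id: str) -> list[str]:
        """Remove a control flow and every data flow dependent on it; return their IDs."""
        self.control_flows.pop(cf_id, None)
        dependent = [d for d, df in self.data_flows.items() if df.control_flow_id == cf_id]
        for d in dependent:
            del self.data_flows[d]
        return dependent

    def expire(self) -> list[str]:
        """Remove control flows whose expiration time has lapsed, cascading to data flows."""
        lapsed = [k for k, cf in self.control_flows.items() if cf.expires_at <= self._now()]
        return [d for k in lapsed for d in self.remove_control_flow(k)]

    def handle_connection_request(self, req: ConnectionRequest) -> dict:
        """Return a data flow (to be sent to node and gateway) or a 'not possible' result."""
        if req.node_id in self.blacklist:
            return {"result": "connection_not_possible", "reason": "blacklisted"}
        cf = self.control_flows.get(req.control_flow_id)
        if cf is None or cf.node_id != req.node_id or cf.expires_at <= self._now():
            return {"result": "connection_not_possible", "reason": "no valid control flow"}
        if (req.dest_ip, req.dest_port) not in self.connection_policy.get(req.app_id, set()):
            return {"result": "connection_not_possible", "reason": "not whitelisted"}
        file_io = self.file_io_policy.get(req.app_id, FileIOInfo(False, False))
        df = DataFlow(f"df-{next(self._ids)}", cf.flow_id, req.app_id, req.dest_ip, req.dest_port, file_io)
        self.data_flows[df.flow_id] = df
        return {"result": "data_flow", "data_flow": df}


def demo() -> dict:
    """Run the policy checks and the expiry cascade against constructed sample data."""
    clock = [0.0]
    ctrl = Controller(now=lambda: clock[0])
    ctrl.connection_policy["browser"] = {("10.0.0.5", 443)}
    ctrl.file_io_policy["browser"] = FileIOInfo(approve_tx=True, approve_rx=False)
    ctrl.blacklist.add("node-evil")
    cf = ctrl.create_control_flow("node-1")
    ok = ctrl.handle_connection_request(ConnectionRequest(cf, "node-1", "browser", "10.0.0.5", 443))
    wrong_port = ctrl.handle_connection_request(ConnectionRequest(cf, "node-1", "browser", "10.0.0.5", 22))
    black = ctrl.handle_connection_request(ConnectionRequest("cf-x", "node-evil", "browser", "10.0.0.5", 443))
    clock[0] = 30.0
    ctrl.refresh_control_flow(cf)           # renewed: now expires at 90
    clock[0] = 70.0
    removed_at_70 = ctrl.expire()           # nothing has lapsed yet
    clock[0] = 100.0
    removed_at_100 = ctrl.expire()          # control flow lapsed, its data flow goes with it
    return {"ok": ok, "wrong_port": wrong_port, "black": black, "removed_at_70": removed_at_70,
            "removed_at_100": removed_at_100, "remaining": len(ctrl.data_flows)}
```

The injectable clock keeps the expiry behaviour testable; in a deployment the gateway would receive both the data flow and the later removal so that it stops forwarding for the affected application as soon as the controller drops the control flow.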
  • the file table 319 is a database for managing approval for sending and receiving files, and may include file table information 360.
  • The file table information 360 may store inspection target information 362 for identifying the inspection target at which the file transmission or reception occurred in the gateway 203.
  • the inspection target information 362 may include, for example, source IP and destination IP, service port information, protocol information, certificate information, service request path (URL), and/or domain information. Certificate information may include certificate identification information.
  • The file table information 360 may include file information 364 for identifying and retrieving the file when its transmission or reception is approved by an administrator or by an externally connected system.
  • the file information 364 may include the binary of the file and/or unique information and identification information of the file (e.g., file name, partial contents of the file or header information, hash information, and/or signature information).
  • the file table information 360 may include status information 366 to check whether the file can be transmitted and received.
  • File table information 360 may be managed in the controller 202 and gateway 203.
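The gateway-side decision described in the gateway claim, in the service policy passage (failure result or redirect when the data flow check fails), and in the file IO information and file table passages above can be illustrated in code. The following Python is an added example prepared for this page, not the applicant's code: a proxy inspects a service processing request (a multipart upload) and a service processing result (an attachment download), consults the file IO information of the data flow, records the file in a file table keyed by its SHA-256 hash with a pending status, and forwards, returns a failure, or redirects. ProxyServer, FileTable, the HTTP fragments, the use of SHA-256 as the hash information and all sample data are assumptions made here.

```python
"""Gateway-side proxy decision logic, added here to illustrate the patent text; it is
not the applicant's code. ProxyServer, FileTable, the HTTP fragments and all sample
data are assumptions made for this example."""
from __future__ import annotations

import fnmatch
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FileIOInfo:                  # file IO information inside the data flow
    approve_tx: bool               # approval required before a file leaves the node
    approve_rx: bool               # approval required before a file reaches the node
    exceptions: tuple[str, ...]    # domains or file-name globs exempt from control


@dataclass
class FileRecord:                  # one row of the file table
    inspection_target: dict        # domain, URL, direction, data flow ID
    file_name: str                 # identification information of the file ...
    sha256: str                    # ... and its hash information
    status: str = "pending"        # pending / approved / rejected


class FileTable:
    def __init__(self):
        self.rows: dict[str, FileRecord] = {}

    def get_or_add(self, rec: FileRecord) -> FileRecord:
        return self.rows.setdefault(rec.sha256, rec)

    def set_status(self, sha256: str, status: str) -> None:
        self.rows[sha256].status = status     # e.g. an administrator approves the file


_UPLOAD = re.compile(r'filename="([^"]+)"\r\n(?:[^\r\n]*\r\n)*?\r\n(.*?)\r\n--', re.S)
_ATTACH = re.compile(r'attachment;.*?filename="?([^";]+)"?', re.I)


def file_in_request(headers: dict, body: str):
    """Return (name, content) for the first multipart file part, else None."""
    if "multipart/form-data" not in headers.get("Content-Type", ""):
        return None
    m = _UPLOAD.search(body)
    return (m.group(1), m.group(2).encode()) if m else None


def file_in_result(headers: dict, body: bytes):
    """Return (name, content) when the result is served as an attachment, else None."""
    m = _ATTACH.search(headers.get("Content-Disposition", ""))
    return (m.group(1), body) if m else None


class ProxyServer:
    def __init__(self, flow_id: str, file_io: FileIOInfo, table: FileTable, redirect_url: str | None = None):
        self.flow_id, self.file_io, self.table = flow_id, file_io, table
        self.redirect_url = redirect_url     # service policy choice: redirect rather than fail

    def handle_request(self, url: str, headers: dict, body: str) -> dict:
        return self._decide("tx", url, file_in_request(headers, body))

    def handle_result(self, url: str, headers: dict, body: bytes) -> dict:
        return self._decide("rx", url, file_in_result(headers, body))

    def _decide(self, direction: str, url: str, found) -> dict:
        if found is None:
            return {"action": "forward", "reason": "no file"}
        name, content = found
        domain = urlsplit(url).hostname or ""
        required = self.file_io.approve_tx if direction == "tx" else self.file_io.approve_rx
        if not required:
            return {"action": "forward", "reason": "approval not required", "file": name}
        if any(domain == e or fnmatch.fnmatch(name.lower(), e.lower()) for e in self.file_io.exceptions):
            return {"action": "forward", "reason": "exception", "file": name}
        digest = hashlib.sha256(content).hexdigest()
        target = {"domain": domain, "url": url, "direction": direction, "flow": self.flow_id}
        rec = self.table.get_or_add(FileRecord(target, name, digest))
        if rec.status == "approved":
            return {"action": "forward", "reason": "approved", "file": name, "sha256": digest}
        if self.redirect_url:
            return {"action": "redirect", "to": self.redirect_url, "file": name, "sha256": digest}
        return {"action": "fail", "reason": rec.status, "file": name, "sha256": digest}


def demo() -> dict:
    """Exercise the proxy with constructed upload and download exchanges."""
    table = FileTable()
    info = FileIOInfo(approve_tx=True, approve_rx=True, exceptions=("*.txt", "docs.example.com"))
    proxy = ProxyServer("df-7", info, table)
    boundary = "----b0"
    up_hdr = {"Content-Type": f"multipart/form-data; boundary={boundary}"}

    def upload(name: str, data: str) -> str:   # constructed multipart body
        return (f"--{boundary}\r\n" f'Content-Disposition: form-data; name="file"; filename="{name}"\r\n'
                "Content-Type: application/octet-stream\r\n\r\n" f"{data}\r\n--{boundary}--\r\n")

    url = "https://app.example.com/upload"
    first = proxy.handle_request(url, up_hdr, upload("report.docx", "PK..fake"))
    table.set_status(first["sha256"], "approved")           # administrator approval
    second = proxy.handle_request(url, up_hdr, upload("report.docx", "PK..fake"))
    txt = proxy.handle_request(url, up_hdr, upload("notes.txt", "plain"))
    plain = proxy.handle_request(url, {"Content-Type": "application/json"}, '{"a": 1}')
    dl_hdr = {"Content-Disposition": 'attachment; filename="secret.xlsx"'}
    held = proxy.handle_result("https://app.example.com/export", dl_hdr, b"\x00\x01")
    redirector = ProxyServer("df-8", info, table, redirect_url="https://portal.example.com/blocked")
    redirected = redirector.handle_result("https://app.example.com/export", dl_hdr, b"\x00\x01")
    return {"first": first, "second": second, "txt": txt, "plain": plain, "held": held, "redirected": redirected}
```

Keying the file table by content hash rather than by file name is what lets an approval granted once be honoured on the retransmission while a renamed copy of an unapproved file is still held; an exception list matched on domain or file type is the escape hatch the text describes, and it is also where a permissive pattern would silently bypass the control, so it deserves the same review as the whitelist itself.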
  • Figure 4 shows a functional block diagram of a node 201-1 or 201-2 according to various embodiments. At least some of the configurations shown in FIG. 4 may be applied to the controller 202, gateway 203, or service server 205-1 or 205-2.
  • node 201-1 or 201-2 may include a processor 410, memory 420, and communication circuit 430. According to one embodiment, the node 201-1 or 201-2 may further include a display 440 to provide a user interface.
  • the processor 410 can control the overall operation of the node.
  • the processor 410 may include one processor core (single core) or may include a plurality of processor cores.
  • the processor 410 may be a multi-core processor, such as a dual-core, quad-core, or hexa-core processor.
  • the processor 410 may further include a cache memory located internally or externally.
  • the processor 410 may be configured with one or more processors.
  • the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).
  • All or part of the processor 410 may be electrically or operatively coupled with or connected to other components (e.g., memory 420, communication circuit 430, or display 440) within the node 201-1 or 201-2.
  • the processor 410 may receive instructions from other components, interpret the received instructions, and perform calculations or process data according to the interpreted instructions.
  • the processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440.
  • Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals.
  • Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.
  • the processor 410 can process data or signals generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 in order to execute or control a program.
  • the memory 420 may store commands for controlling nodes, control command codes, control data, or user data.
  • the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.
  • Memory 420 may include one or more of volatile memory or non-volatile memory.
  • Volatile memory may include dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM).
  • Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.
  • the memory 420 may further include non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS).
  • the memory 420 may store the target application 211-1 or 211-2 and the access control application 212-1 or 212-2 of FIG. 1.
  • the access control application 212-1 or 212-2 can perform network connection and channel 220-1 or 220-2 creation with the gateway 203, and control flow creation and update functions with the controller 202.
  • the access control application 212-1 or 212-2 may include one or more security modules.
  • the memory 420 may store the control flow information 340, data flow information 350, and file table information 360 of FIG. 3.
  • the target application 211-1 or 211-2 may include one or more security modules to create a channel 220-1 or 220-2 with the gateway 203.
  • Communication circuitry 430 can establish a wired or wireless communication connection between the node 201-1 or 201-2 and an external electronic device (e.g., controller 202 or gateway 203), and can support communication over the established connection.
  • the communication circuit 430 may include a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) communication circuit or a power line communication circuit). Using the corresponding communication circuit, it can communicate with external electronic devices through a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association), or through a long-distance communication network such as a cellular network, the Internet, or a computer network.
  • the various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.
  • the display 440 can output content, data, or signals.
  • the display 440 may display image data processed by the processor 410.
  • the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc.
  • a plurality of touch sensors may be placed above the display 440 or below the display 440.
  • Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.
  • the access control application 212 detects a network connection request to the service server 205 from the target application 211 included in the node 201, and can determine whether the node 201 or the access control application 212 is connected to the controller 202. If the node 201 or the access control application 212 is not connected to the controller 202, the access control application 212 may block the transmission of data packets in the kernel or network driver included in the operating system. The access control application 212 can only transmit data packets for requesting a connection to the controller 202, and if it is not connected to the controller 202, no data packets are transmitted to the service server 205.
  • the access control application 212 connects to the controller 202 to perform identification and authentication for the target application 211. After authentication, it queries the controller 202 for access network information and can check whether the target application 211 is allowed to access the service server 205, so that only authorized applications can access the service server 205. Through the access control application 212, the node 201 can prevent access by malicious applications (e.g., ransomware or malware) in advance at the application layer of the 7 layers of OSI (open system interconnection).
  • if the access control application 212 is not authenticated by the gateway 203, or a channel has not been created between the access control application 212 and the gateway 203, data packets transmitted from the access control application 212 may be blocked by the gateway 203. Depending on the embodiment, there may be cases where data packets transmitted from the access control application 212 are not blocked by the gateway 203 even if the access control application 212 is not authenticated by the gateway 203.
  • unauthorized data packets may be transmitted from the node 201.
  • the gateway 203 located at the border of the network blocks data packets received through unauthorized security sessions and data packets for which no data flow exists, so data packets transmitted from the node 201 (e.g., a data packet for creating a TCP session) may not reach the service server 205.
  • the node 201 may be isolated from the service server 205.
  • Figure 6 shows a signal flow diagram for controller connection according to various embodiments.
  • the access control application 212 of the node 201 requests the controller 202 to create a control flow, and may thereby attempt to connect the node 201 to the controller.
  • node 201 may detect a controller connection event. For example, if the connection control application 212 is installed and/or executed within node 201, node 201 may detect that a connection to controller 202 is requested.
  • the node 201 may request controller connection to the controller 202.
  • the access control application 212 may transmit identification information of the access control application 212 to the controller 202.
  • the access control application 212 may further transmit identification information of the node 201 (e.g., terminal ID, IP address, MAC address), its type, location, and environment, identification information of the network to which the node 201 belongs, and/or random identification information generated by the system itself.
  • the controller 202 may identify whether the object making the controller connection request (e.g., the connection control application 212 and the node 201) can be connected to the controller. According to one embodiment, the controller 202 can check whether the controller connection request of the object requesting controller connection is possible based on at least one of whether information received from the node 201 is included in the connection policy database 311, or whether the identification information of the node 201, the network to which the node 201 belongs, and/or the access control application 212 is included in the blacklist database 315.
  • the controller 202 may create a control flow between the node 201 (or the connection control application 212) and the controller 202.
  • the controller 202 generates control flow identification information in the form of a random number and stores the identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 212 in the control flow table 316.
  • control flow information 340 stored in the control flow table 316 can be used for user authentication of the node 201, update of information of the node 201, confirmation of the policy for network access of the node 201, and/or validation.
  • the controller 202 may check the connection policy corresponding to the information identified in the connection policy database 311 (e.g., information about the node 201 and the source network to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the confirmed access policy. The controller 202 can check the channel policy through the IP of the node 201 identified in the channel policy database 312. Based on the confirmed channel policy, the controller 202 lists the channel types and gateways that the node 201 can connect to, checks the status (e.g., throughput and/or failure) of the listed gateways, and can identify, among the listed gateways, one channel and gateway optimized for the node 201. In another embodiment, the controller 202 may not perform operations 620 and 625. For example, if the controller for the connection request is not available, the controller 202 may not perform operations 620 and 625.
  • the controller 202 may transmit a response to the controller connection request to the node 201.
  • the controller 202 may transmit control flow information 340 including control flow identification information to the node 201 in response to a controller connection request.
  • the controller 202 may transmit the white list created through operation 625 to the access control application 212.
  • the controller 202 may transmit information necessary to create a channel including the identified gateway and channel authentication information to the node 201 by performing operation 625.
  • when connecting through a pre-connected channel between the node 201 and the gateway 203, or when connecting through another channel technology between the node 201 and the gateway 203, the controller 202 may not transmit separate channel creation information to the node 201.
  • the controller 202 may not generate a control flow and may notify the node 201 of the inability to connect in response to the controller connection request.
  • node 201 may process the results according to the received response.
  • the connection control application 212 may store the received control flow identification information and display a user interface screen (not shown) to the user indicating that the controller connection is complete. Once the controller connection is completed, the network connection request of the node 201 to the service server 205 can be controlled by the controller 202.
  • the controller 202 may determine that the node 201 is inaccessible. For example, when information that controller connection is impossible is received, the node 201 may stop or end execution of the access control application 212 or display a user interface screen indicating that controller connection is impossible to the user.
  • the user interface screen indicates that access to the node 201 is blocked and may include a user interface that guides the release of isolation through an administrator (e.g., the controller 202).
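The controller-side handling of a controller connection request described above (blacklist and connection policy check, random control flow identification, whitelist and gateway selection), as an added Python example that is not the patent's or the applicant's own code; the database layouts, field names and sample policy values are assumptions made for the illustration.

```python
"""Controller-side processing of a controller connection request (the Fig. 6
operations described above). Added illustration only, not the patent's own code:
the database layouts, field names and policy values are constructed for this example."""
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class ConnectionRequest:
    """Information the access control application 212 transmits to the controller 202."""
    app_id: str        # identification information of the access control application 212
    node_id: str       # identification information of the node 201 (terminal ID)
    node_ip: str
    network_id: str    # identification information of the network the node 201 belongs to


@dataclass
class Controller:
    # connection policy database 311: source network -> applications allowed to access
    connection_policy: dict
    # channel policy database 312: node IP prefix -> (channel type, candidate gateways)
    channel_policy: dict
    # blacklist database 315: identification information denied controller connection
    blacklist: set
    # gateway status consulted when choosing a gateway: name -> (throughput, failed)
    gateway_status: dict
    # control flow table 316: control flow identification information -> control flow info 340
    control_flow_table: dict = field(default_factory=dict)

    def _connection_allowed(self, req):
        """Refuse if any identifier is blacklisted or the source network has no policy."""
        identifiers = {req.app_id, req.node_id, req.network_id}
        if identifiers & self.blacklist:
            return False
        return req.network_id in self.connection_policy

    def _select_channel(self, node_ip):
        """Channel policy lookup by node IP, then one non-failed gateway with the
        highest throughput among the listed candidates (None: no channel info sent)."""
        ip = ipaddress.ip_address(node_ip)
        for prefix, (channel_type, gateways) in self.channel_policy.items():
            if ip in ipaddress.ip_network(prefix):
                healthy = [g for g in gateways if not self.gateway_status[g][1]]
                if not healthy:
                    return None
                return channel_type, max(healthy, key=lambda g: self.gateway_status[g][0])
        return None

    def handle_connection_request(self, req):
        if not self._connection_allowed(req):
            # no control flow is generated; the node is told connection is impossible
            return {"result": "connection_impossible"}
        # control flow identification information is generated as a random number
        flow_id = secrets.token_hex(16)
        self.control_flow_table[flow_id] = {
            "node_id": req.node_id,
            "network_id": req.network_id,
            "app_id": req.app_id,
        }
        response = {
            "result": "connected",
            "control_flow_id": flow_id,
            # whitelist of accessible applications from the connection policy
            "whitelist": sorted(self.connection_policy[req.network_id]),
        }
        channel = self._select_channel(req.node_ip)
        if channel is not None:
            channel_type, gateway = channel
            response["channel"] = {
                "type": channel_type,
                "gateway": gateway,
                # channel authentication information the node presents to the gateway
                "auth": secrets.token_hex(8),
            }
        return response


def make_sample_controller():
    """Constructed sample databases for a stand-alone run."""
    return Controller(
        connection_policy={"corp-lan": {"mail-client", "erp-client"}},
        channel_policy={"10.0.0.0/8": ("tls-tunnel", ["gw-a", "gw-b"])},
        blacklist={"node-9999"},
        gateway_status={"gw-a": (100, True), "gw-b": (80, False)},
    )


if __name__ == "__main__":
    ctrl = make_sample_controller()
    print(ctrl.handle_connection_request(
        ConnectionRequest("app-1", "node-0001", "10.1.2.3", "corp-lan")))
    print(ctrl.handle_connection_request(
        ConnectionRequest("app-1", "node-9999", "10.1.2.4", "corp-lan")))
```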
  • the controller 202 may determine that channel creation is necessary. If channel creation is necessary, the controller 202 may transmit information for channel creation to the node 201. For example, when information for channel creation is received from the controller 202, the node 201 may perform a channel creation processing step. In operation 635, the node 201 may request the gateway 203 to create a channel. For example, the node 201 may request the gateway 203 to create a channel based on information for channel creation (e.g., gateway and channel authentication information) received from the controller 202.
  • the controller 202 may determine that channel creation is unnecessary. For example, when information indicating that channel creation is unnecessary is received from the controller 202, or when information for creating a separate channel is not received from the controller 202, the node 201 may determine that channel creation is unnecessary and perform the next step (application inspection step).
  • the access control application 212, the controller 202, and the gateway 203 of the node 201 may further perform operations 635 to 660.
  • the access control application 212, the controller 202, and the gateway 203 of the node 201 may perform all or only part of operations 635 to 660.
  • the access control application 212 may perform a check of the application. For example, when a white list is received from the controller 202, the access control application 212 may check whether an application included in the white list is installed on the node 201. For applications included in the white list among applications installed on the node 201, the access control application 212 may check the integrity and stability of the application (at least one of whether the application is forged or tampered with, code signing inspection, and fingerprint inspection) according to the validation policy.
  • the access control application 212 may transmit the inspection result of the application to the controller 202.
  • the controller 202 may check whether the application is valid based on the test result. If the application is valid, the controller 202 checks, in the access policy for the node 201, the gateway 203 through which the node 201 is allowed to access the network, and may then perform operation 650.
  • the controller 202 may create a data flow that includes source IP, destination IP, service port information, protocol information, certificate information, domain information, and/or URL information.
  • the controller 202 may check the file IO policy when creating a data flow and generate file IO information 354 based on the file IO policy.
  • Data flow information 350 of the data flow may include generated file IO information 354.
  • File IO information 354 may include policy information related to file IO access (e.g., sending (or uploading) and receiving (or downloading) files) of applications that use data flows.
  • the file IO information 354 may include whether approval is required for the application to transmit a file and whether approval is required for the application to receive the file.
  • the file IO information 354 may include approval by URL and approval by file type when approval is required for sending and receiving files of an application.
  • the controller 202 may transmit a response to the transmission of the application check result of the access control application 212. For example, the controller 202 may transmit data flow information 350 including file IO information 354 to the access control application 212. Additionally, in operation 660, the controller 202 may transmit data flow information 350 including file IO information 354 to the gateway 203.
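Gateway-side enforcement of the data flow information 350 and file IO information 354 received in operation 660 (block packets with no valid data flow or an unauthorized session, hold file transfers that need approval until the file table records a decision), as an added Python example that is not the patent's or the applicant's own code; the field layout, the "forward"/"block"/"hold" labels and all sample values are assumptions made for the illustration.

```python
"""Gateway-side enforcement of data flow information 350 and file IO information 354
(the information the controller 202 transmits to the gateway 203 in operation 660).
Added illustration only, not the patent's own code: the field layout, the decision
labels and every sample value are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InspectionTarget:
    """Inspection target information 353 of a data flow."""
    src_ip: str
    dst_ip: str
    port: int
    protocol: str
    cert_id: Optional[str] = None       # certificate identification information
    domain: Optional[str] = None
    url_prefix: Optional[str] = None    # service request path (URL)

@dataclass
class FileIOInfo:
    """File IO information 354: approval requirements plus their target (policy) information."""
    send_requires_approval: bool
    recv_requires_approval: bool
    target_urls: set = field(default_factory=set)         # approval by URL (empty: any URL)
    target_file_types: set = field(default_factory=set)   # approval by file type (empty: any)
    exceptions: set = field(default_factory=set)          # file types exempt from approval

@dataclass
class DataFlow:
    """Data flow information 350."""
    flow_id: str
    target: InspectionTarget
    status: str                          # status information 355: "valid" or "invalid"
    file_io: Optional[FileIOInfo] = None

@dataclass
class Packet:
    """What the gateway inspects; the file_* fields are set only for a file transfer."""
    src_ip: str
    dst_ip: str
    port: int
    protocol: str
    domain: Optional[str] = None
    url: Optional[str] = None
    cert_id: Optional[str] = None
    file_direction: Optional[str] = None   # "send" (upload) or "recv" (download)
    file_name: Optional[str] = None
    file_hash: Optional[str] = None        # identification information of the file

class Gateway:
    def __init__(self, flows, file_table=None):
        self.flows = flows                  # data flow entries pushed by the controller
        self.file_table = file_table or {}  # file table 319: file hash -> status 366

    @staticmethod
    def _matches(pkt, t):
        """A packet matches when every field present in the inspection target agrees."""
        if (pkt.src_ip, pkt.dst_ip, pkt.port, pkt.protocol) != (t.src_ip, t.dst_ip, t.port, t.protocol):
            return False
        if t.cert_id is not None and pkt.cert_id != t.cert_id:
            return False
        if t.domain is not None and pkt.domain != t.domain:
            return False
        return t.url_prefix is None or (pkt.url or "").startswith(t.url_prefix)

    def decide(self, pkt, session_authorized):
        """Returns "forward", "block", or "hold" (kept until approval is recorded)."""
        if not session_authorized:
            return "block"      # received through an unauthorized security session
        flow = next((f for f in self.flows
                     if f.status == "valid" and self._matches(pkt, f.target)), None)
        if flow is None:
            return "block"      # no valid data flow exists for this packet
        if pkt.file_direction is None or flow.file_io is None:
            return "forward"    # ordinary packet, or no file IO policy on this flow
        io = flow.file_io
        required = (io.send_requires_approval if pkt.file_direction == "send"
                    else io.recv_requires_approval)
        ext = (pkt.file_name or "").rsplit(".", 1)[-1].lower()
        url_in_scope = not io.target_urls or any((pkt.url or "").startswith(u) for u in io.target_urls)
        type_in_scope = not io.target_file_types or ext in io.target_file_types
        if not required or not url_in_scope or not type_in_scope or ext in io.exceptions:
            return "forward"
        status = self.file_table.get(pkt.file_hash)
        if status is None:
            self.file_table[pkt.file_hash] = "pending"   # awaits administrator approval
            return "hold"
        return "forward" if status == "approved" else "block"

def make_sample_gateway():
    """Constructed sample data flow and file table for a stand-alone run."""
    target = InspectionTarget("10.1.2.3", "203.0.113.10", 443, "tcp",
                              domain="files.example.test")
    file_io = FileIOInfo(send_requires_approval=True, recv_requires_approval=False,
                         target_urls={"/upload"}, target_file_types={"xlsx", "docx"},
                         exceptions={"txt"})
    return Gateway([DataFlow("df-1", target, "valid", file_io)],
                   {"hash-approved": "approved", "hash-rejected": "rejected"})
```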
  • FIG. 7 illustrates a signal flow diagram for user authentication according to various embodiments.
  • FIG. 8 illustrates a user interface screen for connecting to a controller according to various embodiments.
  • the operations shown in FIG. 7 may be implemented, for example, after the signal flow diagram of FIG. 6.
  • the access control application 212 of the node 201 may receive authentication for the user of the node 201 from the controller 202.
  • node 201 may receive input for user authentication.
  • the input for user authentication may be, for example, a user input of entering a user ID and password.
  • the input for user authentication may be a user input for stronger authentication (e.g., biometric information).
  • the node 201 may display a user interface screen 810 for receiving information necessary for controller access.
  • the user interface screen 810 may include an input window 811 for entering controller access information (e.g., IP or domain), an input window 812 for entering a user ID, and/or an input window 813 for entering a password.
  • the node 201 can detect a controller connection event by receiving an input to the button 814 or 815 for user authentication. For example, when controller access information, user ID, and password are entered, node 201 may receive an input for a button 815 to access the controller as a user.
  • the node 201 may receive an input for a button 814 for accessing the controller as a guest.
  • node 201 may request user authentication from controller 202.
  • the access control application 212 can send input information for user authentication (e.g., controller access information, user ID, and/or password entered into the input windows 811, 812, and 813 of FIG. 8) to the controller 202. If a control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit the input information for user authentication along with the control flow identification information.
  • controller 202 may authenticate the user based on information received from node 201.
  • based on the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database 311 of FIG. 2 or the blacklist database 320), the controller 202 can determine whether the user can access according to the access policy and whether the user is included in the blacklist.
  • the controller 202 checks the control flow information 340 in the control flow table 316 based on the control flow identification information transmitted by the node 201, and may add the user's identification information (e.g., user ID) to the confirmed control flow information 340. The added user identification information can be used to connect the authenticated user to the controller or network.
  • if the controller 202 does not receive a user ID, password, and/or enhanced authentication information from the node 201, and only receives controller connection information, the controller 202 cannot authenticate the user; for the unauthenticated user's access to the controller or network, the access policy corresponding to an unidentified user (or guest) may be applied.
  • the controller 202 may check the connection policy corresponding to the information identified in the connection policy database 311 (e.g., information about the node 201 and the source network to which the node 201 belongs). The controller 202 may generate white list information of accessible applications based on the confirmed access policy. The controller 202 can check the channel policy through the IP of the node 201 identified in the channel policy database 312. Based on the confirmed channel policy, the controller 202 lists the channel types and gateways that the node 201 can connect to, checks the status (e.g., throughput and/or failure) of the listed gateways, and can identify, among the listed gateways, one channel and gateway optimized for the node 201. In another embodiment, controller 202 may not perform operation 720. For example, if the controller for which connection is requested is not available, the controller 202 may not perform operation 720.
  • the controller 202 may transmit a response to the user authentication request to the node 201.
  • the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to a user authentication request.
  • the controller 202 may transmit the white list created through operation 720 to the access control application 212.
  • the controller 202 may transmit information necessary to create a channel including the identified gateway and channel authentication information to the node 201 by performing operation 625.
  • when connecting through a pre-connected channel between the node 201 and the gateway 203, or when connecting through another channel technology between the node 201 and the gateway 203, the controller 202 may not transmit separate channel creation information to the node 201.
  • the controller 202 may notify the node 201 of the inability to access the controller in response to the user authentication request.
  • node 201 may process results for user authentication.
  • the node 201 may output a user interface screen indicating that user authentication has been completed to the user through a display.
  • the controller 202 may determine that user authentication is not possible. For example, if the user's identifying information is included in the blacklist database, the controller 202 may determine that user authentication is not possible. In this case, in operation 725, the controller 202 may transmit information indicating that user authentication is impossible to the node 201, and the node 201 may stop or end execution of the access control application 212 or output a user interface screen indicating that user authentication has failed through the display. For example, referring to FIG. 8, the node 201 may display a user interface screen 820 through the access control application 212. The user interface screen 820 indicates that access to the node 201 is blocked and may include a user interface 825 that guides the release of isolation through an administrator (e.g., the controller 202).
  • the controller 202 may determine that channel creation is necessary. If channel creation is necessary, the controller 202 may transmit information for channel creation to the node 201. For example, when information for channel creation is received from the controller 202, the node 201 may perform a channel creation processing step. In operation 730, the node 201 may request the gateway 203 to create a channel. For example, the node 201 may request the gateway 203 to create a channel based on information for channel creation (e.g., gateway and channel authentication information) received from the controller 202.
  • the controller 202 may determine that channel creation is unnecessary. For example, when information indicating that channel creation is unnecessary is received from the controller 202, or when information for creating a separate channel is not received from the controller 202, the node 201 may determine that channel creation is unnecessary and perform the next step (application inspection step).
  • the access control application 212, the controller 202, and the gateway 203 of the node 201 may further perform operations 730 to 755.
  • the access control application 212, the controller 202, and the gateway 203 of the node 201 may perform all or part of operations 730 to 755.
  • the access control application 212 may perform a check of the application. For example, when a white list is received from the controller 202, the access control application 212 may check whether an application included in the white list is installed on the node 201. For applications included in the white list among applications installed on the node 201, the access control application 212 may check the integrity and stability of the application (at least one of whether the application is forged or tampered with, code signing inspection, and fingerprint inspection) according to the validation policy.
  • the access control application 212 may transmit the application's inspection result to the controller 202.
  • the controller 202 may determine whether the application is valid based on the test result. If the application is valid, the controller 202 checks, in the access policy for the node 201, the gateway 203 through which the node 201 is allowed to access the network, and may then perform operation 745.
  • the controller 202 may create a data flow that includes source IP, destination IP, service port information, protocol information, certificate information, domain information, and/or URL information.
  • the controller 202 may check the file IO policy when creating a data flow and generate file IO information 354 based on the file IO policy.
  • Data flow information 350 of the data flow may include generated file IO information 354.
  • File IO information 354 may include policy information related to file IO access (e.g., sending (or uploading) and receiving (or downloading) files) of applications that use data flows.
  • the file IO information 354 may include whether approval is required for the application's file transmission and whether approval is required for the application's file reception.
  • when approval is required for the application's file transmission and reception, the file IO information 354 may include approval by URL and approval by file type.
  • the controller 202 may transmit a response to the application check result transmission of the access control application 212. For example, the controller 202 may transmit data flow information 350 including file IO information 354 to the access control application 212. Additionally, in operation 755, the controller 202 may transmit data flow information 350 including file IO information 354 to the gateway 203.
  • FIG. 9 shows a signal flow diagram for network access according to various embodiments, and the operations shown in FIG. 9 may be implemented, for example, after the signal flow diagram of FIG. 6 or FIG. 7.
  • node 201 may detect a network connection event. For example, the node 201 may detect that the target application attempts to connect to the service server 205 through the connection control application 212.
  • the connection control application 212 may inspect the data flow when a network connection event is detected. For example, the access control application 212 may check whether a data flow corresponding to the identification information, destination IP, and/or port information of the target application exists. Additionally, even if the data flow exists, the access control application 212 can check whether the data flow is valid. As an example, the access control application 212 performs an integrity and safety check (e.g., application forgery, tampering, code signing check, fingerprint check) of the access control application 212 and the target application according to the validation policy, and, according to the connection policy received from the controller 202, can check whether the destination IP and port of the target application installed on the node 201 are accessible.
  • the access control application 212 may skip the following operations and transmit the data packet of the target application to the gateway 203 through the channel.
  • the access control application 212 may not transmit a data packet and output a user interface screen indicating that the network connection has failed.
  • the access control application 212 may request network access from the controller 202. Depending on the embodiment, the access control application 212 performs an integrity and safety check of the access control application 212 and the target application according to a validation policy before requesting network access, and may request network access from the controller 202 once the integrity and stability of the application are confirmed.
  • the access control application 212 may request network access to the service server 205 from the controller 202.
  • the access control application 212 may transmit target application identification information and identification information of the service server 205 (e.g., IP and service port) to the controller 202 along with identification information of the control flow.
  • the controller 202 may confirm the connection policy and channel policy associated with the target application in response to a request received from the connection control application 212.
  • the controller 202 may check whether the target application satisfies the access policy of the access policy database 311. For example, the controller 202 may check whether the entity requesting network access (e.g., target application) and the identification information of the requested entity (e.g., service server 205) are included in the connection policy database 311, and whether the network connection request can be permitted.
  • the controller 202 may transmit information indicating that connection is not possible to the node 201 in operation 920.
  • the access control application 212 may output a user interface screen indicating that access is impossible through the display.
  • the controller 202 can check whether a channel for connecting to the target (e.g., service server 205) for which network connection has been requested has been created in the channel table 318. For example, if a channel has not been created, the controller 202 can check in the channel policy of the channel policy database 312 whether channel creation is necessary to access the service server 205. If channel creation is necessary, the controller 202 may transmit a result indicating network connection unavailability to the node 201. As another example, if a channel has been created or the channel policy confirms that channel creation is unnecessary, the controller 202 may check whether a valid data flow corresponding to the information that the node 201 requested for network connection (e.g., destination IP and service port information) exists in the data flow table 317.
  • the controller 202 may transmit data flow information to the node 201. If a valid data flow does not exist, the controller 202 may create a data flow including source IP, destination IP, service port information, protocol information, certificate information, domain information, and/or URL information.
  • the controller 202 may check the file IO policy when creating a data flow and generate file IO information 354 based on the file IO policy.
  • Data flow information 350 of the data flow may include generated file IO information 354.
  • File IO information 354 may include policy information related to file IO access (e.g., sending (or uploading) and receiving (or downloading) files) of applications that use data flows.
  • the file IO information 354 may include whether approval is required for the application to transmit a file and whether approval is required for the application to receive the file.
  • the file IO information 354 may include approval by URL and approval by file type when approval is required for sending and receiving files of an application.
  • the controller 202 may transmit a response to the network connection request of the access control application 212 to the node 201. For example, the controller 202 may transmit the data flow information 350 generated by performing operation 915 to the access control application 212. Depending on the embodiment, if the object requesting connection is unable to connect, the controller 202 may notify the network connection inability in response to the network connection request.
  • Node 201 may process the result according to the received response.
  • the access control application 212 may store the received data flow information 350 and transmit the data packet of the target application when network access is available.
  • the node 201 may drop the data packet of the target application.
  • the controller 202 may transmit data flow information 350 to the gateway 203.
  • Figure 10 shows a signal flow diagram for processing a service processing request according to various embodiments.
  • the proxy server 231 may detect a service processing request event. For example, the proxy server 231 may confirm that a service processing request event has occurred when the target application (or its process) requests service processing from the service server 205.
  • the proxy server 231 can check whether a data flow exists that corresponds to the source IP or certificate identification information, destination IP or domain and port information, and/or protocol information included in the service processing request information received from the target application. If a data flow exists, the proxy server 231 may perform the following operations.
  • the proxy server 231 may check whether file information is included in the service processing request information. If file information is not included, the proxy server 231 may forward the service processing request to the service server 205. If file information is included, the proxy server 231 can check whether approval is required when transmitting the file from the file IO information 354 included in the data flow information 350. If approval is required when transmitting a file, the proxy server 231 can check whether approval for file transmission is performed based on the file extension in the file IO information 354. When approval is performed based on file extension, the proxy server 231 can check in the file IO information 354 whether the extension of the file information included in the service processing request information is an extension that requires approval when transmitting the file.
  • the proxy server 231 may forward the service processing request to the service server 205. If approval is required when transmitting a file, the proxy server 231 may extract unique information and identification information of the file (e.g., file name, partial contents of the file or header information, hash information, and/or signature information). The proxy server 231 may check whether approved file information corresponding to the unique information and identification information extracted from the file table 319 stored in the memory of the gateway 203 exists.
  • the proxy server 231 may return information for forwarding or redirecting the service processing request to a specified path according to the service policy of the service policy database 313, or may return failure information indicating that the service processing request has failed.
  • the proxy server 231 may forward a service processing request to the service server 205.
  • the proxy server 231 may perform operation 1015.
  • the proxy server 231 may request the controller 202 to check whether the file is approved. If file information does not exist in the file table 319, the proxy server 231 may request a check on whether the file has been approved for transmission by transmitting data flow identification information and file identification information, or inspection target identification information and file identification information, to the controller 202.
  • the controller 202 may perform a file acceptance check.
  • the controller 202 identifies the data flow based on the data flow identification information or the inspection target identification information received from the gateway 203, and checks whether the target file (or a file corresponding to the file identification information) exists in the file table 319 based on the file identification information received from the gateway 203.
  • the controller 202 may transmit information indicating that file transmission is allowed or fails, according to the status value of the file table information 360 (e.g., status information 366), to the gateway 203. If the target file does not exist in the file table 319, the controller 202 may check whether to allow transmission of the target file according to the file IO policy in the file IO policy database 314 that matches the user, node 201, application (e.g., target application 211), and network. Additionally, the controller 202 may query the external link system whether transmission of the target file is approved and check whether transmission of the target file will be permitted according to the received approval result. The controller 202 may add the result of checking whether transmission of the target file is permitted and the file information of the target file to the file table 319.
  • the controller 202 may update the status value (e.g., status information 366) of the file table 319 as it checks the file IO policy, and transmit information indicating permission or failure of file transmission to the gateway 203. For example, if the file IO policy requires manual approval by the administrator rather than querying the linked system, the status value of the file table 319 is updated to indicate that manual approval by the administrator is required, and information indicating that approval for file transmission is required can be transmitted to the gateway 203.
  • the controller 202 may transmit the file approval check result to the gateway 203.
  • the controller 202 may transmit information indicating whether the file transmission confirmed through operation 1020 is approved or that approval for the file transmission is required as a result of the file approval check.
  • the proxy server 231 may update the file table information 360 according to the result value received from the controller 202. For example, if file transmission is not permitted, the proxy server 231 may perform operation 1032. In operation 1032, the proxy server 231 may return information for forwarding or redirecting the service processing request to a specified path according to the service policy of the service policy database 313, or may return failure information indicating that the service processing request fails. As another example, when file transmission is permitted, the proxy server 231 may perform operation 1031. In operation 1031, the proxy server 231 may forward the service processing request to the service server 205. As another example, when approval for file transmission is required, the proxy server 231 may perform operations 1033 and 1034. In operation 1033, the proxy server 231 may store the file information (e.g., binary) included in the service processing request information in the gateway. In operation 1034, the proxy server 231 may transmit the file information to the controller 202.
  • the controller 202 may store the received file information and update the file table 319.
  • the controller 202 can update the file table 319 to allow the manager or linked system to analyze the target file, and determine whether to approve file transmission based on the analysis result.
  • the controller 202 may transmit the decision on whether to approve the file transmission to the gateway 203, and the gateway 203 may perform operation 1031 or operation 1032 according to the received result value.
  • Figure 11 shows a signal flow diagram for receiving a service processing request result according to various embodiments.
  • the operations shown in FIG. 11 may be implemented, for example, after the signal flow diagram of FIG. 10.
  • the proxy server 231 may detect a reception event resulting from a service processing request. For example, when the proxy server 231 receives a result of a service processing request according to the process of FIG. 10, it may confirm that a service processing request result reception event has occurred. When receiving the result of the service processing request according to the process of FIG. 10, the proxy server 231 may perform the following operations, based on the pre-identified data flow, to check whether the file in the service processing request result information is approved.
  • the proxy server 231 may check whether file information is included in the service processing request result information. If file information is not included, the proxy server 231 may forward the service processing request result to the node 201. If file information is included, the proxy server 231 can check whether approval is required when receiving the file from the file IO information 354 included in the data flow information 350. If approval is required when receiving a file, the proxy server 231 can check whether approval for file reception is performed based on the file extension in the file IO information 354. When approval is performed based on file extension, the proxy server 231 can check whether the extension of the file information included in the service processing request result information in the file IO information 354 is an extension that requires approval when receiving the file.
  • the proxy server 231 may forward the service processing request result to the node 201. If approval is required when receiving a file, the proxy server 231 may extract unique information and identification information of the file (e.g., file name, partial contents of the file or header information, hash information, and/or signature information). The proxy server 231 may check whether approved file information corresponding to the unique information and identification information extracted from the file table 319 stored in the memory of the gateway 203 exists.
  • For example, if file information exists in the file table 319 but is not approved, the proxy server 231 may return failure information indicating that reception of the service processing request result fails according to the service policy of the service policy database 313. As another example, if file information exists in the file table 319 and is approved, the proxy server 231 may forward the service processing request result to the node 201. As another example, when file information does not exist in the file table 319, the proxy server 231 may perform operation 1115.
  • the proxy server 231 may request the controller 202 to check whether the file is approved. If file information does not exist in the file table 319, the proxy server 231 may request a check on whether receipt of the file has been approved by transmitting data flow identification information and file identification information, or inspection target identification information and file identification information, to the controller 202.
  • the controller 202 may perform a file acceptance check.
  • the controller 202 identifies the data flow based on the data flow identification information or the inspection target identification information received from the gateway 203, and checks whether the target file (or a file corresponding to the file identification information) exists in the file table 319 based on the file identification information received from the gateway 203.
  • the controller 202 may transmit information indicating that file reception is allowed or fails, according to the status value of the file table information 360 (e.g., status information 366), to the gateway 203. If the target file does not exist in the file table 319, the controller 202 may check whether to allow reception of the target file according to the file IO policy in the file IO policy database 314 that matches the user, node 201, application (e.g., target application 211), and network. Additionally, the controller 202 may query the external link system whether reception of the target file is approved and check whether reception of the target file will be permitted according to the received approval result. The controller 202 may add the result of checking whether reception of the target file is allowed and the file information of the target file to the file table 319.
  • the controller 202 may update the status value (e.g., status information 366) of the file table 319 as it checks the file IO policy, and transmit information indicating permission or failure to receive the file to the gateway 203. For example, if the file IO policy requires manual approval by the administrator rather than querying the linked system, the status value of the file table 319 is updated to indicate that manual approval by the administrator is required, and information indicating that approval for receiving the file is required may be transmitted to the gateway 203.
  • the controller 202 may transmit the file approval check result to the gateway 203.
  • the controller 202 may transmit information indicating whether reception of the file confirmed through operation 1120 is approved or that approval for receiving the file is required as a result of the file approval check.
  • the proxy server 231 may update the file table information 360 according to the result value received from the controller 202. For example, when receiving a file is not allowed, the proxy server 231 may perform operation 1132. In operation 1132, the proxy server 231 may return failure information indicating that reception of the service processing request result fails according to the service policy of the service policy database 313. As another example, when file reception is allowed, the proxy server 231 may perform operation 1131. In operation 1131, the proxy server 231 may forward the service processing request result to the node 201. As another example, when approval for receiving a file is required, the proxy server 231 may perform operations 1133 and 1134. In operation 1133, the proxy server 231 may store file information (e.g., binary) included in the service processing request result information in the gateway. In operation 1134, the proxy server 231 may transmit file information to the controller 202.
  • the controller 202 may store the received file information and update the file table 319.
  • the controller 202 can update the file table 319 to allow the manager or linked system to analyze the target file, and determine whether to approve receipt of the file based on the analysis result.
  • the controller 202 may transmit to the gateway 203 whether the determined file reception is approved, and the gateway 203 may perform operation 1131 or operation 1132 according to the received result value.
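The two flows above (FIG. 10 for a request carrying a file, FIG. 11 for a result carrying a file) share one decision procedure; the following is an added model of it, not code from the patent. The class names, the `(flow_id, extension)` policy function standing in for the file IO policy database 314, the SHA-256 file key, and the choice to fail a request that matches no data flow are assumptions made here.

```python
# Added example, not code from the patent: how the proxy server 231 gates a file in
# a service processing request (FIG. 10) or request result (FIG. 11). Class names,
# the (flow_id, extension) policy and "no data flow -> fail" are assumptions.
from dataclasses import dataclass
from enum import Enum
import hashlib
import os
from typing import Callable, Dict, Optional, Tuple

class Status(Enum):
    """Status information 366 stored in the file table 319."""
    APPROVED = "approved"
    REJECTED = "rejected"
    PENDING = "pending"          # manual approval by the administrator still required

class Decision(Enum):
    FORWARD = "forward"          # operation 1031 / 1131
    FAIL = "fail"                # operation 1032 / 1132
    HOLD = "hold"                # operations 1033-1034 / 1133-1134: keep binary, await approval

@dataclass(frozen=True)
class FileIoInfo:
    """File IO information 354 carried in data flow information 350."""
    send_requires_approval: bool
    recv_requires_approval: bool
    by_extension: bool = False                 # approval by file type; False means every file
    send_extensions: frozenset = frozenset()
    recv_extensions: frozenset = frozenset()

@dataclass(frozen=True)
class DataFlow:
    """Data flow information 350 (only the fields this model needs)."""
    flow_id: str
    source_ip: str
    dest_ip: str
    port: int
    file_io: FileIoInfo

FileKey = Tuple[str, str]   # (file name, SHA-256 of contents) as unique + identification info

def file_key(name: str, content: bytes) -> FileKey:
    return (name, hashlib.sha256(content).hexdigest())

def extension(name: str) -> str:
    return os.path.splitext(name)[1].lower().lstrip(".")

class Controller:
    """Controller 202: authoritative file table 319 plus a stand-in for policy DB 314."""
    def __init__(self, policy: Callable[[str, str], Status]):
        self.file_table: Dict[FileKey, Status] = {}
        self.policy = policy                 # (flow_id, extension) -> Status

    def check_file(self, flow_id: str, key: FileKey) -> Status:
        """File approval check (operation 1020 / 1120): unknown files get the policy result."""
        if key not in self.file_table:
            self.file_table[key] = self.policy(flow_id, extension(key[0]))
        return self.file_table[key]

    def finish_analysis(self, key: FileKey, approved: bool) -> Status:
        """Administrator or linked system decides on a PENDING file."""
        self.file_table[key] = Status.APPROVED if approved else Status.REJECTED
        return self.file_table[key]

class ProxyServer:
    """Proxy server 231 running in gateway 203."""
    def __init__(self, controller: Controller, flows):
        self.controller = controller
        self.data_flow_table = {(f.source_ip, f.dest_ip, f.port): f for f in flows}  # 317
        self.file_table: Dict[FileKey, Status] = {}          # gateway-side copy of 319

    @staticmethod
    def _needs_approval(io: FileIoInfo, name: str, direction: str) -> bool:
        required = io.send_requires_approval if direction == "send" else io.recv_requires_approval
        if not required:
            return False
        if not io.by_extension:
            return True
        exts = io.send_extensions if direction == "send" else io.recv_extensions
        return extension(name) in exts

    def _handle(self, src, dst, port, direction, file) -> Decision:
        flow = self.data_flow_table.get((src, dst, port))
        if flow is None:                     # assumption: no matching data flow means refusal
            return Decision.FAIL
        if file is None or not self._needs_approval(flow.file_io, file[0], direction):
            return Decision.FORWARD          # no file, or this file type needs no approval
        key = file_key(*file)
        status = self.file_table.get(key)
        if status is None:                   # unknown to gateway: ask controller (1015 / 1115)
            status = self.file_table[key] = self.controller.check_file(flow.flow_id, key)
            if status is Status.PENDING:
                return Decision.HOLD
        # known file: only an approved entry passes; PENDING or REJECTED fails
        return Decision.FORWARD if status is Status.APPROVED else Decision.FAIL

    def handle_request(self, src, dst, port, file: Optional[Tuple[str, bytes]] = None):
        return self._handle(src, dst, port, "send", file)    # FIG. 10

    def handle_result(self, src, dst, port, file: Optional[Tuple[str, bytes]] = None):
        return self._handle(src, dst, port, "recv", file)    # FIG. 11

    def release_held(self, file: Tuple[str, bytes], approved: bool) -> Decision:
        """Controller's decision on a held file arrives: operation 1031 or 1032."""
        key = file_key(*file)
        self.file_table[key] = self.controller.finish_analysis(key, approved)
        return Decision.FORWARD if approved else Decision.FAIL

def demo_policy(flow_id: str, ext: str) -> Status:
    """Constructed policy: text allowed, executables refused, anything else needs an analyst."""
    return {"txt": Status.APPROVED, "exe": Status.REJECTED}.get(ext, Status.PENDING)
```

A second request for a file the gateway already holds as PENDING fails rather than being held again, which is the "exists in the file table but is not approved" branch of operation 1010 / 1110.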
  • Figure 12 shows a signal flow diagram for transmitting a service request processing log and a rejection log according to various embodiments.
  • the proxy server 231 may transmit a service request processing log and a rejection log to the controller 202.
  • the proxy server 231 may transmit service request processing logs and rejection logs to the controller 202 in designated time units.
  • the service request may include a service processing request for the service server 205 of the node 201.
  • the controller 202 may analyze the log received from the gateway 203.
  • the controller 202 may update statistical information on service requests and rejections based on the received log information.
  • the controller 202 may analyze the received log to check whether the object requesting the service (e.g., the node 201 or the target application 211 of the node 201) is performing abnormal behavior. For example, if the object requesting the service is performing abnormal behavior, the controller 202 may register it in the blacklist 320 according to the blacklist policy of the blacklist policy database 315. Additionally, the controller can block service access of a target performing abnormal behavior by removing the target's data flow and control flow. The controller 202 may return updated data flow information to the gateway 203.
  • the controller 202 may transmit the update result of the data flow to the gateway 203.
  • if the gateway 203 needs to remove a data flow according to the received data flow information, it removes the data flow of the target performing abnormal behavior from the data flow table 317, so that the target can no longer make service access requests.
  • Figure 13 shows a signal flow diagram for control flow update according to various embodiments.
  • the access control application 212 may request a control flow update.
  • the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In one embodiment, the access control application 212 may request a control flow update including identification information of the control flow at specified intervals.
  • the controller 202 may update (check) the control flow. For example, the controller 202 checks whether the control flow information 340 indicated by the received identification information exists in the control flow table 316 and, if it exists, whether data flow information 350 dependent on it exists. If the connection was released by another security system, the update time has elapsed, or the connection was released due to risk detection, the control flow may not exist. If the control flow does not exist, the controller 202 may return unreachable information to the node 201. If the control flow exists, the controller 202 may update the update time or expiration time of the control flow and search for data flows dependent on the control flow. For example, if re-authentication must be performed for a discovered data flow, or if a data flow is no longer accessible, the controller 202 may return the corresponding data flow information to the node 201.
  • the controller 202 may transmit information indicating that connection is not possible to the node 201. In this case, the node 201 may terminate the access control application 212 or block the network connection of the access control application 212. For another example, if the update (check) is successful, the controller 202 may update the expiration time of the control flow and of the data flows dependent on it. The controller 202 may transmit the updated control flow information and data flow information to the node 201. In this case, the node 201 may update the control flow information 340 and data flow information 350.
  • the controller 202 may transmit update (check) result information to the access control application 212. For example, if the update (check) fails, the controller 202 may transmit no-connection information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and the data flow information 350 dependent on it to the access control application 212. In this case, the node 201 may update the control flow information 340 and data flow information 350.
  • the access control application 212 may process the update (check) result information. If the control flow update result indicates that connection is not possible, the access control application 212 may terminate the target application or block all network connections of the target application. If the control flow update result indicates normal and there is updated data flow information 350, the access control application 212 may update the data flow table 316 in the access control application 212.
  • Figure 14 shows a signal flow diagram for control flow removal according to various embodiments.
  • the node 201 may request the controller 202 to terminate the control flow.
  • the node 201 may request termination of the control flow when the access control application 212 is terminated, when the network connection is unused for a specified period of time, or when a connection termination request is received from another system.
  • the controller 202 may remove the control flow corresponding to the identification information received from the node 201.
  • the controller 202 may also remove data flows dependent on the removed control flow.
  • the controller 202 requests the gateway 203 to remove the data flow, and in operation 1420, the gateway 203 may block the network connection of the access control application 212 by removing the data flow.
  • Figure 15 shows a signal flow diagram for data flow removal according to various embodiments.
  • the access control application 212 may detect termination of the target application.
  • the access control application 212 can monitor in real time whether the target application running on the node 201 is terminated.
  • the access control application 212 may request the controller 202 to terminate the data flow.
  • the access control application 212 may request termination of the data flow by transmitting data flow identification information assigned to the terminated target application or identification information of the target application to the controller 202.
  • the controller 202 may remove the data flow based on the data flow identification information received from the node 201 or the identification information of the target application.
  • the controller 202 may identify and search a control flow based on the received data flow identification information or the identification information of the target application, and remove the data flow tied to the identified and searched control flow.
  • the controller 202 requests the gateway 203 to remove the data flow, and in operation 1525 the gateway 203 removes the data flow, thereby blocking access of the access control application 212 to the service server 205 corresponding to the removed data flow. The target application will no longer be able to transmit data packets to the destination network.
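The control flow update (FIG. 13), control flow removal (FIG. 14) and data flow removal (FIG. 15) flows above all act on the same two tables; the following is an added controller-side model of them, not code from the patent. The class names, the `ttl` refresh window, the `GatewayStub`, and the fields chosen for the table entries are assumptions; the page does not give the update interval or the exact table layout.

```python
# Added example, not code from the patent: controller-side model of the control flow
# update (FIG. 13), control flow removal (FIG. 14) and data flow removal (FIG. 15).
# Class names, the "ttl" refresh window and the GatewayStub are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class ControlFlowInfo:      # control flow information 340
    flow_id: str
    node_id: str
    expires_at: float

@dataclass
class DataFlowInfo:         # data flow information 350 (subset of fields)
    flow_id: str
    control_flow_id: str
    app_id: str
    dest: str
    expires_at: float = 0.0
    reauth_required: bool = False   # node must re-authenticate for this flow
    accessible: bool = True         # False once the flow can no longer be used

class GatewayStub:
    """Gateway 203: its data flow table 317; packets pass only while the flow is present."""
    def __init__(self) -> None:
        self.data_flows: Set[str] = set()
    def add(self, flow_id: str) -> None:
        self.data_flows.add(flow_id)
    def remove(self, flow_id: str) -> None:
        self.data_flows.discard(flow_id)
    def allows(self, flow_id: str) -> bool:
        return flow_id in self.data_flows

class Controller:
    """Controller 202 with control flow table 316 and data flow table 317."""
    def __init__(self, gateway: GatewayStub, ttl: float) -> None:
        self.gateway = gateway
        self.ttl = ttl                       # how long one update keeps a flow alive (assumed)
        self.control_flows: Dict[str, ControlFlowInfo] = {}
        self.data_flows: Dict[str, DataFlowInfo] = {}

    def create_control_flow(self, cf_id: str, node_id: str, now: float) -> ControlFlowInfo:
        cf = ControlFlowInfo(cf_id, node_id, now + self.ttl)
        self.control_flows[cf_id] = cf
        return cf

    def create_data_flow(self, df: DataFlowInfo, now: float) -> bool:
        """A data flow exists only under a live control flow; the gateway is told about it."""
        cf = self.control_flows.get(df.control_flow_id)
        if cf is None or cf.expires_at <= now:
            return False
        df.expires_at = cf.expires_at
        self.data_flows[df.flow_id] = df
        self.gateway.add(df.flow_id)
        return True

    def update_control_flow(self, cf_id: str, now: float) -> Optional[List[DataFlowInfo]]:
        """FIG. 13. None means unreachable (node drops the application's traffic); otherwise
        the dependent data flows that need re-authentication or are no longer accessible."""
        cf = self.control_flows.get(cf_id)
        if cf is None:
            return None
        if cf.expires_at <= now:             # update time elapsed: treat as released
            self.remove_control_flow(cf_id)
            return None
        cf.expires_at = now + self.ttl
        changed = []
        for df in self.data_flows.values():
            if df.control_flow_id == cf_id:
                df.expires_at = cf.expires_at
                if df.reauth_required or not df.accessible:
                    changed.append(df)
        return changed

    def remove_control_flow(self, cf_id: str) -> List[str]:
        """FIG. 14: removing a control flow cascades to every dependent data flow."""
        self.control_flows.pop(cf_id, None)
        dependents = [fid for fid, df in self.data_flows.items() if df.control_flow_id == cf_id]
        for fid in dependents:
            self._remove_data_flow(fid)
        return dependents

    def remove_data_flow(self, data_flow_id: Optional[str] = None,
                         app_id: Optional[str] = None) -> List[str]:
        """FIG. 15: the node names either the data flow id or the terminated application."""
        targets = [fid for fid, df in self.data_flows.items()
                   if fid == data_flow_id or (app_id is not None and df.app_id == app_id)]
        for fid in targets:
            self._remove_data_flow(fid)
        return targets

    def _remove_data_flow(self, fid: str) -> None:
        self.data_flows.pop(fid, None)
        self.gateway.remove(fid)             # gateway now blocks the application's packets
```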

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A gateway according to an embodiment disclosed in this document may comprise: a communication circuit; a processor operatively connected to the processor; and a memory, operatively connected to the processor, for storing a proxy server, the memory being able to store instructions which, when executed by the processor, cause the gateway to: receive, from an external server, a data flow comprising file input/output (I/O) information indicating whether a node requires approval for file transmission and reception; and process a service processing request or a service processing request result of the node via the proxy server on the basis of whether file information is included in the service processing request or the service processing request result.
PCT/KR2023/005628 2022-04-28 2023-04-25 System for controlling file transmission and reception of an application based on a proxy and related method WO2023211122A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2022-0053102 2022-04-28
KR1020220053102A KR102446934B1 (ko) 2022-04-28 2022-04-28 System for controlling file transmission and reception of an application based on a proxy and method therefor

Publications (1)

Publication Number Publication Date
WO2023211122A1 true WO2023211122A1 (fr) 2023-11-02

Family

ID=83452527

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/005628 WO2023211122A1 (fr) 2022-04-28 2023-04-25 System for controlling file transmission and reception of an application based on a proxy and related method

Country Status (2)

Country Link
KR (1) KR102446934B1 (fr)
WO (1) WO2023211122A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102446934B1 (ko) * 2022-04-28 2022-09-26 프라이빗테크놀로지 주식회사 System for controlling file transmission and reception of an application based on a proxy and method therefor
KR102578800B1 (ko) * 2023-02-08 2023-09-15 프라이빗테크놀로지 주식회사 System for controlling network access and method therefor

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100645171B1 (ko) * 2005-05-16 2006-11-10 주식회사 대우일렉트로닉스 Home network media service system and method using hierarchical UPnP
KR20090017931A (ko) * 2007-08-16 2009-02-19 삼성전자주식회사 Terminal and file receiving method thereof
KR20170006596A (ko) * 2015-07-08 2017-01-18 주식회사 엘지유플러스 Method and apparatus for providing multi-path packet data service
KR102309115B1 (ko) * 2021-09-07 2021-10-08 프라이빗테크놀로지 주식회사 System for controlling network access of an application based on data flow and method therefor
KR102349039B1 (ko) * 2021-08-31 2022-01-11 프라이빗테크놀로지 주식회사 Control data packet processing system optimized for a distributed gateway environment and method therefor
KR102446934B1 (ko) * 2022-04-28 2022-09-26 프라이빗테크놀로지 주식회사 System for controlling file transmission and reception of an application based on a proxy and method therefor


Also Published As

Publication number Publication date
KR102446934B1 (ko) 2022-09-26

Similar Documents

Publication Publication Date Title
WO2021060854A1 (fr) Network access control system and method therefor
WO2023038387A1 (fr) System for controlling network access of an application on the basis of a data flow, and method therefor
WO2023033586A1 (fr) System for controlling network access of an application based on TCP session control, and method therefor
WO2023163509A1 (fr) Controller-based network connection control system and method therefor
WO2022231306A1 (fr) Controller-based network connection control system and corresponding method
WO2023211122A1 (fr) System for controlling file transmission and reception of an application on the basis of a proxy, and method therefor
WO2023085793A1 (fr) Controller-based network access control system, and method therefor
WO2023211124A1 (fr) Controller-based network connection control system and method therefor
WO2023146308A1 (fr) Controller-based network access control system, and method therefor
WO2023211104A1 (fr) System for controlling network access based on a controller, and method therefor
WO2023146304A1 (fr) System for controlling file transmission and reception of an application, and method therefor
WO2023177238A1 (fr) Controller-based network connection control system, and method therefor
WO2023090755A1 (fr) Virtualization instance network access control system, and method therefor
WO2023163514A1 (fr) Controller-based network access control system and method therefor
US10558798B2 (en) Sandbox based Internet isolation in a trusted network
WO2023085791A1 (fr) Controller-based network access control system and method therefor
WO2023136658A1 (fr) Controller-based system and method for network access control
WO2013085281A1 (fr) Method and device for security in a cloud computing service
WO2014069777A1 (fr) Transit control for data
WO2022231304A1 (fr) Controller-based network access control system and method therefor
WO2023033588A1 (fr) System for controlling data flow in a virtualization terminal, and method therefor
WO2023211121A1 (fr) System for controlling file transmission and reception of an application on the basis of a proxy, and method therefor
WO2023211120A1 (fr) System for controlling file transmission and reception of an application on the basis of a proxy, and method therefor
WO2020189800A1 (fr) Method and system for authenticating data generated in a blockchain
WO2021060859A1 (fr) System for authenticating a terminal and controlling network access, and method therefor

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23796767

Country of ref document: EP

Kind code of ref document: A1