[go: up one dir, main page]

WO2023146308A1 - Système de commande d'accès au réseau sur la base d'un contrôleur, et procédé associé - Google Patents

Système de commande d'accès au réseau sur la base d'un contrôleur, et procédé associé Download PDF

Info

Publication number
WO2023146308A1
WO2023146308A1 PCT/KR2023/001210 KR2023001210W WO2023146308A1 WO 2023146308 A1 WO2023146308 A1 WO 2023146308A1 KR 2023001210 W KR2023001210 W KR 2023001210W WO 2023146308 A1 WO2023146308 A1 WO 2023146308A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
authentication information
information
data flow
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/KR2023/001210
Other languages
English (en)
Korean (ko)
Inventor
김영랑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Pribit Technology Inc
Original Assignee
Pribit Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Pribit Technology Inc filed Critical Pribit Technology Inc
Publication of WO2023146308A1 publication Critical patent/WO2023146308A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/12Network monitoring probes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • Embodiments disclosed in this document relate to a system and method for controlling a controller-based network connection.
  • Multiple devices may communicate data over a network.
  • the terminal may transmit or receive data with a server through the Internet.
  • the network may include a private network such as an intranet as well as a public network such as the Internet.
  • the terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology.
  • IP Internet Protocol
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • Firewall technology may be used.
  • IP communication since data packets are transmitted in plain text, there is a problem in that a third party can easily view important information of the data packet using sniffing technology such as tapping equipment or rouge WiFi.
  • VPN Virtual Private Network
  • tunneling technology for encrypting data packets between the terminal and the server are used.
  • Tunneling technology may be limited in scope to controlling only network access subordinate to a specific network or service, since tunneling usage and related specifications are all different depending on service servers.
  • tunneling technology needs to set a wide network bandwidth, it may be difficult to control communication of each application running in the terminal and the unit of a service server to which the application wants to access.
  • Tunneling-based data packet authentication method identifies an authorized terminal through a tunneling connection process, identifies an application that is the actual communication subject, and at the same time identifies a destination IP and port that the application can access according to authentication information to secure network access. By controlling it, it is possible to provide a safer technology than the existing network security technology. However, since tunneling-based application and data packet authentication technology can be used only when tunneling is connected between the terminal and the gateway, it may be difficult to use in an environment where tunneling is difficult to configure.
  • the malicious purpose application When transmitting authentication information by inserting authentication information into data packets in an environment where it is difficult to configure tunneling, the malicious purpose application identifies the authentication data packet through network sniffing and confirms the destination network information that can be accessed through the authentication information. Then, malicious data packets are transmitted by inserting corresponding authentication information, so that unauthorized applications can access the network.
  • tunneling technology when tunneling technology is used, there are restrictions on the number and number of target networks that can be tunneled by a terminal, and depending on the type of tunneling, compatibility problems such as loss of data packets occur in the process of transmitting the corresponding data packets. Because of the existence of the tunneling technology, the terminal may encounter a problem in which the tunneling technology cannot be used when the number of target network boundaries to be accessed varies.
  • a node includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a connection control application and a target application;
  • the memory when executed by the processor, causes the node, through the access control application, to detect a transmission event of a data packet of the target application, to determine a transmission protocol of the data packet, and to determine the transmission protocol and the target application.
  • Checking whether there is a data flow corresponding to the identification information and authorized from an external server, inserting authentication information into the data packet based on the transmission protocol and authentication information included in the data flow, and inserting the data packet Commands to be transmitted based on the transmission protocol may be stored.
  • a gateway includes communication circuitry, a memory, and a processor operatively coupled to the communication circuitry and the memory, the processor receiving a data packet from a node, and storing the data packet in Check whether there is a data flow corresponding to the included information and authorized from an external server, and if the data flow exists, check the transmission protocol of the data packet, and process the data packet based on the transmission protocol It can be.
  • a server includes communication circuitry, a memory for storing a database, and a processor operatively connected to the communication circuitry and the memory, wherein the processor controls access control applications of nodes from a network Receives an access request, wherein the network access request includes identification information of a target application included in the node, a transmission protocol, and identification information of a destination network, and the identification information of the target application, the transmission protocol, and identification of the destination network. Based on the information, it is checked whether access to the gateway of the target application is possible through the access policy of the database, and if access is possible, a data flow including authentication information is generated based on the authentication policy of the database. and transmit the data flow to the node and the gateway.
  • a method of operating an access control application installed in a node includes detecting a transmission event of a data packet of a target application, checking a transmission protocol of the data packet, the transmission protocol and the target application. checking whether there is a data flow corresponding to the identification information of the application and authorized from an external server; inserting authentication information into the data packet based on authentication information included in the transmission protocol and the data flow; and and transmitting the data packet based on the transmission protocol.
  • a method of operating a gateway includes receiving a data packet from a node, confirming whether a data flow corresponding to information included in the data packet and authorized from an external server exists, and the If there is a data flow, it may include checking a transport protocol of the data packet, and configuring to process the data packet based on the transport protocol.
  • data packet authentication technology can be used as a minimum network access control factor for authorized terminals and applications to access an authorized network in a network environment that does not use tunneling, and data packet authentication technology can be used.
  • a secure network access control method applicable to various transmission protocols without tunneling can be provided by applying a technology for protecting authentication information.
  • a system for controlling network access blocks data packets transmitted by unauthorized objects through a gateway, thereby preventing DoS attacks and brute force attacks through access to service resources.
  • a system for controlling network access overcomes the problems inherent in existing IP communication by implementing a secure network connection lifecycle that includes application network access control, threat blocking, and isolation. and provide a secure network connection.
  • a system for controlling network access can safely control network access even when tunneling technology for protecting data packets is not used in a wide network range.
  • a data flow header optimized for each transmission protocol can be inserted, and the corresponding data flow header includes application and destination network information, data flow identification information for identifying authentication information, and corresponding data Minimal network for authorized terminals and applications to access the authorized network in a general IP network environment in which tunneling cannot be used because it can include encrypted authentication information to confirm that flow identification information is transmitted by an authorized subject Access control technology can be provided.
  • applications with malicious purposes may sniff the authentication data through network sniffing. After identifying the packet and confirming destination network information that can be accessed through the corresponding authentication information, the authentication information is inserted and transmitted when data packets are transmitted, thereby solving the problem that unauthorized applications can access the network.
  • FIG. 1 shows an environment including a plurality of networks.
  • FIG. 2 illustrates an architecture within a network environment according to various embodiments.
  • FIG. 3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
  • FIG. 4 shows a functional block diagram of a node in accordance with various embodiments.
  • FIG. 6 illustrates an example of a data packet in which authentication information is inserted according to various embodiments.
  • FIG. 7 shows a signal flow diagram for controller connection according to various embodiments.
  • FIG. 8 shows a signal flow diagram for user authentication according to various embodiments.
  • FIG 9 illustrates a signal flow diagram for network access according to various embodiments.
  • FIG 10 illustrates an operational flow diagram for controlling data packet transmission in accordance with various embodiments.
  • FIG. 11 illustrates a signal flow diagram for inserting authentication information according to various embodiments.
  • FIG 12 depicts an operational flow diagram for controlling data packet reception according to various embodiments.
  • FIG 13 illustrates an operational flow diagram for checking authentication information according to various embodiments.
  • FIG. 14 illustrates a signal flow diagram for control flow update according to various embodiments.
  • 15 illustrates a signal flow diagram for disconnection according to various embodiments.
  • 16 illustrates a signal flow diagram for termination of application execution according to various embodiments.
  • 17 is a flowchart illustrating a method of operating an access control application installed in a node according to various embodiments.
  • FIG. 18 shows a flowchart of a method of operating a gateway according to various embodiments.
  • a (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.”
  • the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.
  • Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.
  • module used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example.
  • a module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions.
  • the module may be implemented in the form of an application-specific integrated circuit (ASIC).
  • ASIC application-specific integrated circuit
  • Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine.
  • the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked.
  • the one or more instructions may include code generated by a compiler or code executable by an interpreter.
  • the device-readable storage medium may be provided in the form of a non-transitory storage medium.
  • 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.
  • Computer program products may be traded between sellers and buyers as commodities.
  • a computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online.
  • a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.
  • FIG. 1 shows an environment including a plurality of networks.
  • the first network 10 and the second network 20 may be different networks.
  • the first network 10 may be a public network such as the Internet
  • the second network 20 may be a private network such as an intranet or VPN.
  • the first network 10 may include a source node 101 .
  • the 'source node' may be various types of devices capable of performing data communication.
  • the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices.
  • source node 101 may include a server or gateway capable of transmitting data packets through an application.
  • the source node 101 may also be referred to as 'electronic device' or 'terminal'.
  • the destination node 102 may include the same or similar device as the above-described source node 101 .
  • the destination node 102 can be substantially the same as the destination network.
  • the source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 .
  • the source node 101 may transmit data to the destination node 102 via the gateway 103 .
  • the starting node 101 If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.
  • the starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission.
  • the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable.
  • the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20.
  • FIG. 2 illustrates an architecture within a network environment according to various embodiments.
  • a node 201 may be various types of devices capable of performing data communication.
  • the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device, Or it may include a home appliance, but is not limited to the aforementioned devices.
  • node 201 may include a server or gateway capable of transmitting data packets through an application.
  • the node 201 may also be referred to as an 'electronic device' or a 'terminal'.
  • Node 201 may store target application 212 and access control application 211 .
  • the target application 212 may transmit a data packet to the service server 205 through the gateway 203 under the control of the access control application 211 or, conversely, may receive a data packet.
  • the network access system may be Through the network access control of the access control application 211 , access to the service server 205 of an unauthorized program (application) may be blocked and the corresponding program may be quarantined.
  • the access control application 211 may check from the controller 202 whether access is possible. When authentication is complete, the access control application 211 may control data packet transmission of the target application 212 . That is, in order for the target application 212 to access the network, it must go through the access control application 211, and the access control application 211 must be authorized from the controller 202, and the access control application 211 must pass through the controller 202. Authentication-related information may be received from, and the access control application 211 may transmit a data packet of the target application 212 based on the authentication-related information.
  • the controller 202 may be, for example, a server (or cloud server).
  • the controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the node 201, the gateway 203, and the service server 205.
  • the controller 202 may allow the network access of the authorized node 201 (or the access control application 211) through policy information or blacklist information.
  • the controller 202 may generate authentication-related information for authenticating data packets based on an authentication policy, and transmit the generated authentication-related information to the access control application 211 or the gateway 203 to transmit data It can prevent packets from being sent without authentication.
  • the target application 212 may authenticate the data packet based on the authentication information received by the controller 202, and if the data packet is not authenticated, the network connection of the target application 212 is connected to the connection. It can be blocked from the control application 211, the controller 202 or the gateway 203.
  • the controller 202 is an access control application (eg, registration, authorization, authentication, renewal, termination) associated with network access of the node 201 or access control application 211. 211) and control data packets can be transmitted and received.
  • a flow through which the control data packet is transmitted (eg, 220) may be referred to as a 'control flow'.
  • the gateway 203 may be located at a boundary of a network to which the node 201 belongs or a boundary of a network to which the service server 205 belongs. According to one embodiment, the gateway 203 may be connected to the controller 202 based on a cloud. The gateway 203 may forward only authenticated data packets based on the authentication information among the data packets received from the access control application 211 to the service server 205 . A flow in which data packets are transmitted between the access control application 211 and the gateway 203 may be referred to as 'data flow'. Data flows can be created in granular units (eg applications) as well as nodes or IP units. The gateway 203 may block indiscriminate network access in advance by forwarding only data packets for which authentication information has been checked among data packets transmitted from the access control application 211 to the service server 205 .
  • the node 201 may include a connection control application 211 and a network driver (not shown) for managing network access of the target application 212 stored in the node 201 .
  • the access control application 211 may determine whether the target application 212 can be accessed. . If the target application 212 is accessible, the access control application 211 may transmit a data packet including authentication information to the gateway 203 .
  • the access control application 211 may control transmission of data packets through a kernel including an operating system and a network driver within the node 201 .
  • FIG. 3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
  • the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.
  • the access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access.
  • the controller 202 when requesting network access from the access control application 211, identifies a network based on a policy of the access policy database 311 (eg, a network to which the node 201 belongs), a node, A user (eg, a user of the node 201) and/or an application (eg, a target application 212 included in the node 201) may determine whether access to the service server 205 is possible.
  • the controller 202 may create a whitelist of target applications 212 accessible to a specific service (eg, IP and port) based on the access policy database 311 .
  • the authentication policy database 312 determines whether or not the gateway 203 existing between the network boundaries of the service server 205 on a connection path authenticates the transport protocol and the data packet flow between the destination network and When performing authentication, a series of policies related to the authentication method can be set.
  • the authentication policy database 312 may include information for generating authentication information to be inserted or checked to check whether an allowed subject has transmitted a data packet.
  • the authentication policy database 312 inserts authentication information for each transport protocol (eg, inserts authentication information into a TCP SYN packet in the case of TCP data packets, inserts authentication information for each data packet in the case of UDP, or inserts authentication information at regular intervals).
  • authentication information generated based on the authentication policy database 312 may be transmitted to the node 201 or the gateway 203 .
  • the access control application 211 of the node 201 may insert authentication information into a data packet to be transmitted based on the transport protocol, and the gateway 203 may insert the data packet received based on the transport protocol. authentication information can be checked.
  • the blacklist policy database 313 is a target (e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID) may indicate a blacklist registration policy for blocking access.
  • a target e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID
  • a target e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID
  • MAC media access control
  • the blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 .
  • the controller 202 may isolate the node 201 by rejecting the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .
  • the control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between the node 201 and the controller 202 .
  • control flow information may be generated by the controller 202 .
  • the control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID.
  • the controller 202 may search for control flow information through control flow identification information received from the node 201, and the searched control flow Whether the node 201 can access the service server 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the access policy database 311, data flow for data packet transmission It can be judged (determined) whether it is created or not.
  • a control flow may have an expiration time.
  • the node 201 needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed.
  • the controller 202 may remove the control flow according to the connection termination request of the node 201 .
  • the connection of the node 201 may be blocked because the previously generated data flow is also removed.
  • the data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the node 201 and the gateway 203 and the service server 205 .
  • Data flows can be created in TCP sessions, applications, or more granular units.
  • the data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet.
  • the data flow table 316 may be managed based on control flow IDs.
  • the data flow table 316 may include state information including whether or not the data flow is valid and authorized destination information for determining whether data packets are forwarded based on source IP, destination IP, and port information of the data packet.
  • the data flow table 316 may further include authentication information generated based on the authentication policy database 312 .
  • the authentication information is inserted by a method of inserting authentication information for each transmission protocol (e.g., inserting authentication information into a TCP SYN packet for TCP data packets, inserting authentication information for each data packet in the case of UDP, or authenticating at a certain period (or interval)).
  • Insertion of information maximum number of authentications for the corresponding authentication algorithm, expiration date of authentication information, insertion method or timing), information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm ( Example: Secret Key information when generating HMAC OTP), and at least one of source IP authentication.
  • the data flow table 316 may be equally stored in the node 201 , the gateway 203 , or the service server 205 .
  • FIG. 4 shows a functional block diagram of a node in accordance with various embodiments.
  • a node may include a processor 410 , a memory 420 , and a communication circuit 430 .
  • the node may further include a display 440 to interface with a user.
  • the processor 410 may control the overall operation of the node.
  • the processor 410 may include a single processor core or may include a plurality of processor cores.
  • the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core.
  • the processor 410 may further include an internal or external cache memory.
  • the processor 410 may be configured with one or more processors.
  • the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).
  • GPU graphical processing unit
  • processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to.
  • the processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands.
  • the processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 .
  • the processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal.
  • Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .
  • the processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.
  • the memory 420 may store commands for controlling nodes, control command codes, control data, or user data.
  • the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.
  • OS operating system
  • middleware middleware
  • device driver a device driver
  • the memory 420 may include one or more of volatile memory and non-volatile memory.
  • Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM).
  • DRAM dynamic random access memory
  • SRAM static RAM
  • SDRAM synchronous DRAM
  • PRAM phase-change RAM
  • MRAM magnetic RAM
  • RRAM resistive RAM
  • FeRAM ferroelectric RAM
  • the nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.
  • the memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.
  • a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS).
  • HDD hard disk drive
  • SSD solid state disk
  • eMMC embedded multi media card
  • UFS universal flash storage
  • the memory 420 may store the target application 212 and the access control application 211 of FIG. 2 .
  • the access control application 211 may perform a function of inserting authentication information into a data packet to be transmitted and a function of creating and updating a control flow with the controller 202 .
  • the access control application 211 may include one or more security modules.
  • the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ).
  • the memory 420 may store the data flow table 316 described in FIG. 3 .
  • the communication circuit 430 establishes a wired or wireless communication connection between the node and an external electronic device (eg, the controller 202, gateway 203 or service server 205 of FIG. 2) and performs communication through the established connection.
  • an external electronic device eg, the controller 202, gateway 203 or service server 205 of FIG. 2
  • the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)).
  • GNSS global navigation satellite system
  • LAN local area network
  • communication circuit or power line communication circuit
  • a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network
  • IrDA infrared data association
  • long-distance communication such as the Internet
  • computer network It may communicate with an external electronic device through a network.
  • the various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.
  • the display 440 may output content, data, or signals.
  • the display 440 may display image data processed by the processor 410 .
  • the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input.
  • a plurality of touch sensors may be disposed above the display 440 or below the display 440 .
  • a server may include a processor 410 , a memory 420 , and a communication circuit 430 .
  • the processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.
  • a gateway may include a processor 410 , a memory 420 , and a communication circuit 430 .
  • the processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.
  • the access control application 211 detects a request for network access to the service server 205 from the target application 212 included in the node 201, and the node 201 or the access control application 211 ) can determine whether or not the controller 202 is in a connected state.
  • the access control application 211 may block transmission of data packets in a kernel or network driver including an operating system. there is.
  • the node 201 may block access of malicious applications in advance in the application layer of the OSI layer.
  • the access control application 211 when the access control application 211 is not connected to the controller 202 or when the data packet to be transmitted is not authenticated at the gateway, the data packet transmitted from the access control application 211 is the gateway ( 203) and the access control application 211 can only request access to the controller 202.
  • unauthorized data packets may be sent from node 201 if access control application 211 is not installed on node 201 or if a malicious application bypasses control of access control application 211. .
  • the gateway 203 present at the boundary of the network blocks unauthorized data packets and data packets for which no data flow exists, data packets transmitted from the node 201 (eg, data packets for creating a TCP session) ) may not reach the service server 205. In other words, node 201 can be isolated from service server 205 .
  • FIG. 6 illustrates an example of a data packet in which authentication information is inserted according to various embodiments.
  • the access control application 211 of the node 201 can manage its own authentication time point for UDP because UDP does not have the concept of creating a session like TCP.
  • the target application 212 since the target application 212 must create a TCP session with the service server 205 before transmitting the actual data packet when transmitting the TCP-based data packet, the access control application 211 performs a 3-Way Handshake for TCP session creation.
  • authentication information for the data packet can be managed by inserting authentication information into the TCP SYN data packet for TCP session creation.
  • the UDP-based data packet 610 may include an IP header and a payload.
  • the access control application 211 can insert a data flow header into the payload of the UDP-based data packet 610.
  • the access control application 211 may configure a UDP-based data packet into which a data flow header is inserted based on authentication information included in the data flow. For example, when transmitting UDP-based data packets, the access control application 211 may transmit the data packets by inserting a data flow header into only the first data packet of a continuously transmitted UDP data packet flow. In this case, subsequent data packets can be transmitted without data flow header insertion. For another example, if strong data packet authentication is required, the access control application 211 may insert a data flow header into the payload of every UDP data packet.
  • the TCP SYN data packet 620 may include an IP header, a TCP header, and a payload.
  • the connection control application 211 can insert a data flow header into the payload of the TCP SYN data packet 620.
  • the access control application 211 inserts a data flow header into the TCP SYN packet, and the gateway 203 authenticates the data flow header inserted into the TCP SYN packet, and a TCP session is established only for the authenticated target. can lose For example, since the TCP session is not established if not authenticated, the access control application 211 can provide a more efficient TCP-based data packet control method than the method of inserting data flow header information whenever every data packet is transmitted in TCP. can
  • whether the data flow header is a data packet that can be forwarded by the gateway 203 based on the data flow received from the controller 202 in the data packet flow between the target application 212 and the service server 205 It may be information for confirming.
  • the data flow header may be information combining data flow identification information and encrypted authentication information.
  • the authentication information may include information about authentication generated based on the authentication policy of the controller 202 .
  • authentication information may include an encrypted OTP.
  • authentication information may include plain OTP.
  • the gateway 203 since a data packet in an IP network has no identifying information other than 5 tuple information, the gateway 203 determines whether or not the terminal to which the IP is assigned has been substantially authenticated and the target for which the application, which is the actual communication subject, is allowed. It is not known whether it was sent by Therefore, in order to confirm that the data packet is transmitted from the authenticated target, the gateway 203 receives the data flow from the controller 202, and the data flow information, destination IP, port information, and authentication information included in the data flow Based on this, data packet authentication and transmission control can be performed.
  • the encrypted authentication information included in the data flow header includes data flow identification information and can be used for the purpose of verifying whether the subject who transmitted the data packet actually transmitted the data packet.
  • the encrypted authentication information may be encrypted and decrypted from an authenticated object through encryption and decryption keys based on authentication information included in the data flow received from the controller 202 .
  • the decrypted authentication information is not information that is fixed at every data packet authentication time, such as data flow identification information, but is changed at every authentication time.
  • OTP One-Time Password
  • random generation type information there is.
  • the gateway 203 may identify a data flow header in the received data packet, check the data flow information with the data flow identification information, and decrypt the data flow authentication information with a decryption key included in the data flow. .
  • the gateway 2030 can confirm that the corresponding data packet has been transmitted from an allowed destination by the OTP verification algorithm, and thus can safely control the flow of data packets between the target application 212 and the service server 205 without tunneling. there is.
  • FIG. 7 shows a signal flow diagram for controller connection according to various embodiments.
  • the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby 201) can try to connect to the controller.
  • node 201 may detect a controller connection event. For example, when the connection control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.
  • node 201 may request controller connection from controller 202 .
  • the access control application 211 may transmit identification information of the access control application 211 to the controller 202 .
  • the access control application 211 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.
  • the controller 202 may identify whether or not the controller connection request (eg, the access control application 211 or the node 201) is accessible. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.
  • the controller connection request eg, the access control application 211 or the node 201
  • the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.
  • the controller 202 may create a control flow between the node 201 (or the connection control application 211 ) and the controller 202 .
  • the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 into a control flow table ( 315) can be stored.
  • Information stored in the control flow table 315 may be used for user authentication of the node 201 , information update of the node 201 , policy check for network access of the node 201 , and/or validation.
  • the controller 202 connects from the access policy database 311 and the authentication policy database 312 corresponding to the identified information (eg, the node 201 and source network information to which the node 201 belongs).
  • the identified information eg, the node 201 and source network information to which the node 201 belongs.
  • Whitelist information of possible applications can be created.
  • the controller 202 may send the application white list to the connection control application 211 at operation 725 .
  • the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller access is unavailable or is included in the blacklist, the controller 202 may transmit access unavailability information in operation 725 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 720 to the connection control application 211 .
  • the access control application 211 may perform a check on the application.
  • the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 .
  • the access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.
  • the access control application 211 may send the application check result to the controller 202 .
  • the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .
  • the controller 202 may check whether the application is valid based on the received application information. If it is a valid application, the controller 202 selects the gateway 203 where the node 201 is located in the access policy database 311 and the authentication policy database 312 to allow access of the node 201 connected to the network. You can check. In addition, the controller 202 may generate a data flow based on source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure.
  • the data flow is a method of inserting authentication information for each transmission protocol (e.g., inserting authentication information into a TCP SYN packet in the case of TCP data packets, inserting authentication information into each data packet in the case of UDP, or authenticating at a certain period (or interval)) Insertion of information, maximum number of authentications for the corresponding authentication algorithm, expiration date of authentication information, insertion method or timing), information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm ( Example: Secret Key information when generating HMAC OTP) and authentication information including at least one of source IP authentication.
  • authentication information included in a data flow may also be referred to as authentication-related information.
  • the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 745 and 750).
  • the access control application 211 may process the resulting value according to the received response.
  • the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user.
  • the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .
  • controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that access to the controller is impossible in operation 725 without generating a control flow in operation 715 . Also, in this case, operations 730 to 750 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 705 again.
  • the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed. Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on authentication information included in the received data flow.
  • operations 730 to 750 may not be performed.
  • FIG. 8 shows a signal flow diagram for user authentication according to various embodiments.
  • the access control application 211 of the node 201 may authenticate the user of the node 201 from the controller 202 .
  • node 201 may receive an input for user authentication.
  • An input for user authentication may be, for example, a user input for inputting a user ID and password.
  • the input for user authentication may be a user input (eg, biometric information) for stronger authentication.
  • the access control application 211 of the node 201 may request user authentication from the controller 202 in operation 805 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with control flow identification information.
  • controller 202 may authenticate the user based on the information received from node 201 .
  • the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database of FIG. 3). 311 or the blacklist database 314), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.
  • the controller 202 may add user identification information (eg, user ID) to identification information of the control flow.
  • user identification information eg, user ID
  • the added user identification information can be used for the authenticated user's controller access or network access.
  • the controller 202 may generate accessible application information based on the access policy database 311 or the authentication policy database 312 in operation 820 .
  • the accessible application information may be an application whitelist generated based on an access policy.
  • the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In addition, the controller 202 may transmit accessible application information to the access control application 211 .
  • the access control application 211 may perform a check on the application.
  • the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 .
  • the access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.
  • the access control application 211 may transmit the application check result to the controller 202 .
  • the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .
  • the controller 202 may check whether the application is valid based on the received application information. If it is a valid application, the controller 202 selects the gateway 203 where the node 201 is located in the access policy database 311 and the authentication policy database 312 to allow access of the node 201 connected to the network. You can check. In addition, the controller 202 may generate a data flow based on source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure.
  • the data flow is a method of inserting authentication information for each transmission protocol (e.g., inserting authentication information into a TCP SYN packet in the case of TCP data packets, inserting authentication information into each data packet in the case of UDP, or authenticating at a certain period (or interval)) Insertion of information, maximum number of authentications for the corresponding authentication algorithm, expiration date of authentication information, insertion method or timing), information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm ( Example: Secret Key information when generating HMAC OTP) and authentication information including at least one of source IP authentication.
  • authentication information included in a data flow may also be referred to as authentication-related information.
  • the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 845 and 850).
  • the access control application 211 may process the resulting value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen indicating completion of user authentication to the user. When user authentication is complete, the request for network access of the node 201 to the destination network may be controlled by the controller 202 .
  • controller 202 may determine that user authentication of node 201 is not possible. For example, if identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect user identification information in operation 815 and may transmit a response indicating that access to the controller is impossible in operation 825 . Also, in this case, operations 830 to 850 may not be performed.
  • the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.
  • operations 830 to 850 may not be performed when the application test is not required.
  • FIG 9 illustrates a signal flow diagram for network access according to various embodiments.
  • node 201 After node 201 is authorized by controller 202, node 201 controls the network access of other applications stored in node 201 through node 201's access control application 211 to provide trusted data. delivery can be guaranteed.
  • connection control application 211 may detect a network connection event of another application stored in node 201 (eg, target application 212 of FIG. 2 ).
  • the access control application 211 may check the existence of a data flow corresponding to identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, if a data flow exists, the access control application 211 may transmit a data packet based on the data flow. According to the embodiment, the access control application 211 of the node 201 may perform a network access request in operation 915 without performing operation 910 .
  • the access control application 211 may request the controller 202 to access the network.
  • the network access request may include control flow identification information, destination network identification information, and port information.
  • the network access request may further include a data packet transmission protocol.
  • the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. According to an embodiment, the controller 202 may check whether the target application is accessible to the gateway 203 . According to an embodiment, the controller 202 may check whether the transport protocol is included in the access policy. Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when network access is impossible (operation 935).
  • the access requested identification information eg, destination network identification information
  • the identified information eg, node, user, source network identification information
  • the controller 202 may check whether data packet authentication between the node 201 and the gateway 203 is required and an authentication method based on the authentication policy.
  • the controller 202 may check whether a valid data flow corresponding to the identification information and port information of the destination network exists in the data flow table. According to the embodiment, if a valid data flow exists in the data flow table, the controller 202 may transmit the corresponding data flow to the gateway 203 and the access control application (operations 930 and 935). According to another embodiment, when a valid data flow does not exist, the controller 202 may create a data flow based on a transport protocol, source IP, destination IP, port information, and authentication policy. In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the access control application (operations 930 and 935).
  • the data flow inserts authentication information for each transport protocol (e.g., inserts authentication information into TCP SYN packets in the case of TCP data packets, inserts authentication information into each data packet in the case of UDP, or at regular intervals (or intervals)). Insertion of authentication information, maximum number of authentications for the corresponding authentication algorithm, expiration date of authentication information, insertion method or timing), information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm (Example: Secret Key information when generating HMAC OTP), and authentication information including at least one of source IP authentication.
  • authentication information included in a data flow may also be referred to as authentication-related information.
  • controller 202 may, in operation 935, send a network connectivity unavailable result to the access control application. .
  • the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, when the connection control application 211 receives a network connection failure result from the controller 202, it may drop a data packet to be transmitted by the target application. For another example, when a data flow is received from the controller 202, the access control application 211 may transmit a data packet based on the received data flow. According to an embodiment, when the access control application 211 transmits a data packet based on the received data flow, the data packet is authenticated based on authentication information included in the data flow through the operations shown in FIG. 10 . You can insert information (or data flow headers).
  • the access control application 211 may perform validation on the access application according to the validation policy. For example, the access control application 211 may further perform an integrity and stability test of the access application (forgery or tampering test, code signing test, fingerprint test, etc.). The access control application 211 may perform operation 915 when the validation result is successful.
  • FIG. 10 shows a signal flow diagram for controlling data packet transmission according to various embodiments. According to an embodiment, the operations shown in FIG. 10 may be performed through the access control application 211 of FIG. 2 .
  • the access control application 211 of the node 201 transmits a trusted data packet by controlling the transmission of the data packet based on whether or not to insert authentication information into the corresponding data packet and the transmission protocol when transmission of the data packet is detected. can provide.
  • the connection control application 211 may detect a data packet transmission event. For example, the access control application 211 sends a data packet to a target application of the node 201 (eg, the target application 212 of FIG. 2) after network access is allowed through the operations shown in FIG. movement can be sensed.
  • a target application of the node 201 eg, the target application 212 of FIG. 2
  • the access control application 211 may identify a transmission protocol of the data packet, a target application transmitting the data packet, and information included in the data packet (eg, source identification information, destination identification information, port information, etc.) there is. For example, the access control application 211 may check whether a data flow corresponding to the identified information exists, and may perform operation 1015 when the data flow exists. For another example, if the data flow does not exist or the data flow is invalid, the access control application 211 may drop the data packet.
  • information included in the data packet eg, source identification information, destination identification information, port information, etc.
  • the connection control application 211 may ascertain the type of data packet. For example, the access control application 211 can determine whether the data packet to be transmitted is a TCP session creation data packet, a TCP session end data packet, a TCP session-based data transfer data packet, or a UDP-based data packet. According to the embodiment, when the data packet to be transmitted is a TCP session creation data packet, the access control application 211 may perform operation 1020. According to the embodiment, when the data packet to be transmitted is a TCP session termination data packet, the connection control application 211 may perform operation 1035. According to the embodiment, when the data packet to be transmitted is a TCP session-based data transmission data packet, the access control application 211 may perform operation 1045. According to the embodiment, when the data packet to be transmitted is a UDP-based data packet, the access control application 211 may perform operation 1055.
  • the connection control application 211 may perform a TCP data packet authentication information insertion procedure.
  • the access control application 211 may perform a TCP data packet authentication information insertion procedure through operations shown in FIG. 11 .
  • the connection control application 211 may transmit a TCP session creation data packet in operation 1025 .
  • the TCP session creation data packet may be a data packet in which authentication information is inserted.
  • the TCP session creation data packet may be a data packet in which a data flow header is inserted into a payload.
  • the access control application 211 may receive and process the TCP session creation completion data packet. For example, when the connection control application 211 receives the TCP session creation completion data packet, it may set the data flow to the TCP session creation completion state, and send information indicating that the TCP session creation has been completed to the service server (eg, FIG. 2 service server 205) or a controller (controller 202 in FIG. 2). According to the embodiment, when TCP session creation is complete, the connection control application 211 may transmit a TCP session-based data packet based on the data flow set to the TCP session creation complete state.
  • the service server eg, FIG. 2 service server 205
  • controller controller
  • the connection control application 211 may update the data flow. For example, the access control application 211 may set the data flow to a TCP session end state. In this case, the access control application 211 can no longer transmit TCP-based data packets thereafter. According to an embodiment, the access control application 211 may have to perform the TCP session creation procedure again in order to transmit the TCP-based data packet thereafter. In this case, the access control application 211 may transmit a TCP session end data packet to the server where the TCP session is created (operation 1040).
  • the connection control application 211 may check the TCP session creation state if the data packet is a TCP session-based data transfer data packet. For example, the access control application 211 may check the TCP session creation state in the data flow, and transmit a TCP data packet when the TCP session is in the created state (operation 1040). For another example, the access control application 211 may check the TCP session creation state in the data flow, and drop the data packet when the TCP session is not created (operation 1050).
  • the access control application 211 may perform a UDP data packet authentication information insertion procedure.
  • the access control application 211 may perform a UDP data packet authentication information insertion procedure through the operations shown in FIG. 11 .
  • connection control application 211 may send a UDP data packet.
  • FIG. 11 illustrates a signal flow diagram for inserting authentication information according to various embodiments.
  • the access control application 211 may detect a data packet authentication information insertion event.
  • the access control application 211 may detect a data packet authentication information insertion event through operation 1020 or operation 1055 shown in FIG. 10 .
  • the access control application 211 may check whether authentication information needs to be inserted. For example, the access control application 211 may check authentication-related information included in a data flow corresponding to a data packet to be transmitted, and determine whether authentication information needs to be inserted based on the authentication-related information. According to embodiments, when authentication information insertion is not required, the access control application 211 may transmit a data packet in operation 1150 without performing operations 1115 to 1145 . According to another embodiment, if authentication information needs to be inserted, the access control application 211 may perform operation 1115.
  • the access control application 211 may check the authentication information usage count and due date. For example, the access control application 211 may check the number of uses of the authentication information and the expiration date based on authentication information or authentication information included in the data flow. Depending on the embodiment, if the authentication information can be used regardless of the number of times and the period of use of the authentication information, if there is a remaining number of uses of the authentication information, or if the expiration date of the authentication information remains, the access control application 211 performs operations 1120 to 1120. Operation 1140 may be performed without performing operation 1135 . According to another embodiment, the access control application may perform operation 1120 when the number of times and the period of use of the authentication information are used and there is no remaining number of times of use of the authentication information or the period of use of the authentication information has elapsed.
  • the access control application 211 may request the controller 202 to update authentication information.
  • the authentication information renewal request may include data flow identification information.
  • the controller 202 may check the authentication policy and update the data flow. For example, the controller 202 may check a data flow corresponding to the received data flow identification information, and update the data flow based on an authentication policy corresponding to the destination IP, port, and transport protocol of the data flow. .
  • the controller 202 inserts authentication information for each transport protocol included in the authentication policy (e.g., inserts authentication information into a TCP SYN packet in case of TCP data packets, inserts authentication information into each data packet in case of UDP, or Authentication information insertion at regular intervals (or intervals), maximum number of authentication times for the corresponding authentication algorithm, expiration date of authentication information, insertion method or timing), information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and
  • the data flow may be updated based on authentication information including at least one of a series of information included in the algorithm (eg, Secret Key information when generating the HMAC OTP) and whether or not the source IP has been authenticated.
  • the controller 202 may transmit the updated data flow to the gateway 203 and the access control application 211 (operations 1130 and 1135).
  • the controller 202 controls access A failure result of authentication information update may be transmitted to the application 211 (operation 1135).
  • access control application 211 may generate authentication information. For example, the access control application 211 may generate authentication information based on authentication information included in an updated data flow or an existing data flow. Depending on the embodiment, the access control application 211 may generate authentication information by using an authentication information generation algorithm and additional information in authentication information included in the data flow. Depending on the embodiment, the access control application 211 may encrypt authentication information based on an encryption algorithm and an encryption key included in authentication information.
  • connection control application 211 may insert a data flow header into the data packet.
  • the access control application 211 may insert a data flow header in which data flow identification information and encrypted authentication information are combined into a data packet based on a transport protocol.
  • the transport protocol is TCP
  • the access control application 211 may insert a data flow header into the payload of the TCP SYN data packet.
  • the transport protocol is UDP
  • the access control application 211 may insert a data flow header into the payload of the UDP data packet.
  • the access control application 211 may insert a data flow header into every UDP data packet, insert a data flow header on a certain data packet basis or time basis, or determine the flow of data packets. It is possible to determine whether or not to insert a data flow header at the point at which this starts. That is, the access control application 211 may insert a data flow header into the UDP data packet according to the determined data flow header insertion method.
  • the access control application 211 may transmit the data packet in which the data flow header is inserted. Depending on the embodiment, the access control application 211 may transmit the data packet without inserting the data flow header in the case of a data packet that does not require insertion of the data flow header.
  • FIG. 12 depicts an operational flow diagram for controlling data packet reception according to various embodiments. Depending on the embodiment, the operations shown in FIG. 12 may be performed through the gateway 203 of FIG. 2 .
  • the gateway 203 may detect a data packet reception event. For example, gateway 203 may receive a data packet from a node's connection control application.
  • the gateway 203 may check whether a data flow corresponding to the data packet exists. For example, the gateway 203 may check whether a data flow exists based on the transport protocol, destination IP, and port included in the 5 Tuples information of the data packet. Depending on the embodiment, the gateway 203 may drop the data packet when the data flow does not exist.
  • the gateway 203 may check the type of data packet. For example, the gateway 203 can determine whether the data packet is a TCP session creation data packet, a TCP session based data packet but not a TCP session creation data packet, or a UDP based data transfer data packet. According to an embodiment, when the data packet is a TCP session creation data packet, the gateway 203 may perform operation 1220. According to embodiments, when the data packet is a TCP session-based data packet but not a TCP session creation data packet, the gateway 203 may perform operation 1225. According to an embodiment, when the data packet is a UDP-based data transmission data packet, the gateway 203 may perform operation 1235.
  • the gateway 203 may perform a TCP data packet authentication information check. For example, the gateway 203 may perform TCP data packet authentication information check through the operations shown in FIG. 13 . Depending on the embodiment, if the authentication information check fails, the gateway 203 may drop the TCP data packet. According to another embodiment, if the authentication information check succeeds, the gateway 203 may forward the TCP data packet.
  • gateway 203 may forward the data packet.
  • the gateway 203 may perform a UDP data packet authentication information check. For example, the gateway 203 may perform UDP data packet authentication information check through the operations shown in FIG. 13 . Depending on the embodiment, if the authentication information check fails, the gateway 203 may drop the UDP data packet. According to another embodiment, if the authentication information check succeeds, the gateway 203 may forward the UDP data packet.
  • FIG. 13 illustrates an operational flow diagram for checking authentication information according to various embodiments. The operations shown in FIG. 13 may be performed through the gateway 203 of FIG. 2 .
  • the gateway 203 may detect a data packet authentication information checking event.
  • the gateway 203 may detect a data packet authentication information check event through operation 1220 or operation 1235 shown in FIG. 12 .
  • the gateway 203 may check whether authentication information needs to be checked. For example, the gateway 203 can check whether authentication information of a corresponding data packet needs to be checked in authentication information included in a data flow corresponding to the data packet. Depending on the embodiment, if checking the authentication information of the corresponding data packet is not required, the gateway 203 may forward the data packet (operation 1315).
  • the gateway 203 may check whether a data flow header is inserted into the data packet. Depending on the embodiment, when it is impossible to identify the data flow header, the gateway 203 may drop the data packet (operation 1350).
  • the gateway 203 may examine the data flow. For example, the gateway 203 may check whether the data flow corresponding to the data packet and the data flow identified based on the data flow header are the same. According to an embodiment, when the data flow corresponding to the data packet and the data flow identified based on the data flow header are not the same, the gateway 203 may drop the data packet (operation 1350).
  • the gateway 203 may decrypt authentication information. For example, the gateway 203 may decrypt authentication information included in the data flow header based on authentication information included in the data flow in order to check the authentication information included in the data flow header. Depending on the embodiment, the gateway 203 may decrypt authentication information through a decryption algorithm and a decryption key included in authentication information. Depending on the embodiment, when authentication information decryption fails, the gateway 203 may drop the data packet (operation 1350).
  • the gateway 203 may check the authentication information. For example, the gateway 203 may check decrypted authentication information based on authentication information included in the data flow. According to an embodiment, the gateway 203 may check whether the decrypted authentication information is valid based on an authentication information check algorithm or related information included in authentication information. According to an embodiment, if the authentication information is not valid, the gateway 203 may drop the data packet (operation 1350).
  • the gateway 203 may remove the data flow header. For example, the gateway 203 may remove a data flow header included in the received data packet. If the data flow header is removed from the data packet, gateway 203 may forward the data packet (act 1345).
  • FIG. 14 illustrates a signal flow diagram for control flow update according to various embodiments.
  • the access control application 211 may detect a control flow update event.
  • the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.
  • the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information.
  • a control flow table eg, the control flow table 315 of FIG. 3
  • the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1420).
  • the controller 202 may update the update time when a control flow exists in the control flow table (eg, the control flow table 315 of FIG. 3 ). In this case, the controller 202 may transmit identification information of the updated control flow to the connection control application 211 (operation 1420).
  • the controller 202 is required to perform re-authentication among data flows subordinate to the identified control flow, or if there is a data flow to which access is no longer possible, the controller 202 transmits information about the corresponding data flow to an access control application ( 211) (operation 1420).
  • the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 .
  • the access control application 211 may block all network accesses of applications when the control flow update result is impossible.
  • the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.
  • 15 illustrates a signal flow diagram for disconnection according to various embodiments.
  • node 201 terminates node 201, terminates access control application 211, terminates target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1510, node 201 or access control application 211 may request controller 202 to remove the control flow.
  • the controller 202 may remove the identified control flow based on the received control flow identification information.
  • the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.
  • the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow.
  • the gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.
  • 16 illustrates a signal flow diagram for termination of application execution according to various embodiments.
  • the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution termination event.
  • the access control application 211 may check whether a data flow corresponding to terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.
  • PID Process ID and Child Process ID Tree
  • the connection control application 211 may perform a data flow removal request to the controller 202 .
  • the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and may perform a data flow removal request.
  • the controller 202 may delete the data flow requested to be removed.
  • the controller 202 may perform a removal request for the removed data flow to the gateway 203 (operation 1620).
  • the gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.
  • FIG. 17 is a flowchart illustrating a method of operating an access control application installed in a node according to various embodiments. According to an embodiment, the operations shown in FIG. 17 may be performed through the access control application 211 of the node 201 of FIG. 2 .
  • the access control application 211 may detect a data packet transmission event of the target application.
  • the connection control application 211 may ascertain the transport protocol of the data packet. For example, the access control application 211 can determine whether the transport protocol of the data packet is TCP or UDP.
  • the access control application 211 may check whether a data flow corresponding to the transport protocol and identification information of the target application and authorized from the external server exists.
  • the access control application 211 may insert authentication information into the data packet based on information about authentication included in the transport protocol and data flow.
  • the connection control application 211 may transmit the data packet based on the transport protocol.
  • the access control application 211 may transmit a data packet into which a data flow header is inserted based on a transport protocol.
  • FIG. 18 is a flowchart of a method of operating a gateway according to various embodiments. According to an embodiment, the operations shown in FIG. 18 may be performed through the gateway 203 of FIG. 2 .
  • the gateway 203 may receive a data packet from the node 201 .
  • the gateway 203 may check whether a data flow corresponding to the information included in the data packet and authorized from the external server exists.
  • the gateway 203 may check the transmission protocol of the data packet if there is a data flow.
  • gateway 203 may process the data packet based on the transport protocol.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Un mode de réalisation de la présente invention concerne un nœud qui peut stocker des instructions qui amènent une application de commande d'accès à détecter un événement de transmission de paquet de données d'une application cible, vérifier un protocole de transmission du paquet de données, déterminer l'existence d'un flux de données qui correspond au protocole de transmission et des informations d'identification de l'application cible et est autorisé par un serveur externe, insérer des informations d'authentification dans le paquet de données sur la base du protocole de transmission et des informations d'authentification contenues dans le flux de données, et transmettre le paquet de données sur la base du protocole de transmission.
PCT/KR2023/001210 2022-01-27 2023-01-26 Système de commande d'accès au réseau sur la base d'un contrôleur, et procédé associé Ceased WO2023146308A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020220012071A KR102439881B1 (ko) 2022-01-27 2022-01-27 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR10-2022-0012071 2022-01-27

Publications (1)

Publication Number Publication Date
WO2023146308A1 true WO2023146308A1 (fr) 2023-08-03

Family

ID=83279874

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/001210 Ceased WO2023146308A1 (fr) 2022-01-27 2023-01-26 Système de commande d'accès au réseau sur la base d'un contrôleur, et procédé associé

Country Status (2)

Country Link
KR (1) KR102439881B1 (fr)
WO (1) WO2023146308A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102439881B1 (ko) * 2022-01-27 2022-09-05 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102620214B1 (ko) * 2022-12-21 2024-01-03 프라이빗테크놀로지 주식회사 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102613414B1 (ko) * 2023-02-08 2023-12-14 프라이빗테크놀로지 주식회사 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102593271B1 (ko) * 2023-02-22 2023-10-25 프라이빗테크놀로지 주식회사 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20170063280A (ko) * 2015-11-30 2017-06-08 엘아이지넥스원 주식회사 Tcp/ udp를 적응적으로 선택하는 전자기기 및 이의 패킷 송수신 방법
KR102146568B1 (ko) * 2019-09-24 2020-08-20 프라이빗테크놀로지 주식회사 네트워크 접속 제어 시스템 및 그 방법
KR102309115B1 (ko) * 2021-09-07 2021-10-08 프라이빗테크놀로지 주식회사 데이터 플로우 기반 애플리케이션의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102333553B1 (ko) * 2021-05-07 2021-12-01 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102439881B1 (ko) * 2022-01-27 2022-09-05 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20170063280A (ko) * 2015-11-30 2017-06-08 엘아이지넥스원 주식회사 Tcp/ udp를 적응적으로 선택하는 전자기기 및 이의 패킷 송수신 방법
KR102146568B1 (ko) * 2019-09-24 2020-08-20 프라이빗테크놀로지 주식회사 네트워크 접속 제어 시스템 및 그 방법
KR102204705B1 (ko) * 2019-09-24 2021-01-19 프라이빗테크놀로지 주식회사 네트워크 접속 제어 시스템 및 그 방법
KR102333553B1 (ko) * 2021-05-07 2021-12-01 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102309115B1 (ko) * 2021-09-07 2021-10-08 프라이빗테크놀로지 주식회사 데이터 플로우 기반 애플리케이션의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102439881B1 (ko) * 2022-01-27 2022-09-05 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Also Published As

Publication number Publication date
KR102439881B1 (ko) 2022-09-05

Similar Documents

Publication Publication Date Title
WO2023136658A1 (fr) Système et procédé reposant sur un dispositif de commande de commande d'accès réseau
WO2023163509A1 (fr) Système de commande de connexion de réseau reposant sur un dispositif de commande et procédé associé
WO2021060854A1 (fr) Système de commande d'accès réseau et procédé associé
WO2023033586A1 (fr) Système de commande d'accès réseau d'une application d'après une commande de session tcp, et procédé associé
WO2022231306A1 (fr) Système de commande de connexion réseau basée sur un contrôleur et procédé correspondant
WO2023146308A1 (fr) Système de commande d'accès au réseau sur la base d'un contrôleur, et procédé associé
WO2024177382A1 (fr) Système de commande d'accès au réseau et procédé associé
WO2023085793A1 (fr) Système de commande d'accès au réseau sur la base d'un dispositif de commande, et procédé associé
WO2023038387A1 (fr) Système de commande d'accès réseau d'application sur la base d'un flux de données, et procédé associé
WO2023211121A1 (fr) Système de commande d'émission et de réception de fichier d'application sur la base d'un proxy, et procédé associé
WO2023163514A1 (fr) Système de commande d'accès au réseau basé sur un dispositif de commande et procédé associé
WO2023211124A1 (fr) Système de commande de connexion de réseau basée sur un contrôleur et procédé associé
WO2023090756A1 (fr) Système de commande d'accès au réseau basé sur un dispositif de commande, et procédé associé
WO2023085791A1 (fr) Système de contrôle de l'accès au réseau basé sur un contrôleur et procédé associé
WO2018151390A1 (fr) Dispositif de l'internet des objets
WO2023211122A1 (fr) Système de commande de transmission et de réception de fichier d'une application sur la base d'un mandataire et procédé associé
WO2020050424A1 (fr) SYSTÈME ET PROCÉDÉ BASÉS SUR UNE CHAÎNE DE BLOCS POUR UNE AUTHENTIFICATION DE SÉCURITÉ MULTIPLE ENTRE UN TERMINAL MOBILE ET UN DISPOSITIF D'IdO
WO2021060859A1 (fr) Système d'authentification et de contrôle d'accès au réseau d'un terminal, et procédé associé
WO2023211120A1 (fr) Système de commande d'émission et de réception de fichiers d'une application sur la base d'un mandataire, et procédé associé
WO2023090755A1 (fr) Système de contrôle d'accès au réseau d'instance de virtualisation, et procédé associé
KR102377248B1 (ko) 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
WO2023146304A1 (fr) Système de commande de transmission et de réception d'un fichier d'une application et procédé associé
WO2022235006A1 (fr) Système permettant de commander une connexion réseau sur la base d'un dispositif de commande et son procédé
WO2023211104A1 (fr) Système permettant de contrôler un accès au réseau basé sur un dispositif de commande, et procédé associé
WO2023177238A1 (fr) Système de commande de connexion au réseau basé sur un contrôleur, et son procédé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23747349

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04.12.2024)

122 Ep: pct application non-entry in european phase

Ref document number: 23747349

Country of ref document: EP

Kind code of ref document: A1