KR102495369B1 - System for controlling network access based on controller and method of the same - Google Patents

Abstract

The present invention relates to a system for controlling network access based on a controller to effectively solve various network security problems and a method thereof. According to one embodiment of the present invention, a node comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing an access control application and a target application. The memory stores instructions to allow the processor, during execution, to detect a network access event through the access control application; check the existence of a data flow authorized from an external server corresponding to a data packet to be transmitted by the target application; check the type of the data packet; allow transmission of TCP SYN packets on the basis of whether the TCP SYN packets can be transmitted on the basis of the type of the data packets; perform a network access authentication check after TCP session generation or when checking TCP SYN packets is not necessary; and process subsequently transmitted data packets on the basis of an authentication check result, wherein the data flow can include information with respect to whether to basically allow transmission of the TCP SYN packet.

Description

System for controlling controller-based network access and method therefor

Embodiments disclosed in this document relate to a system and method for controlling a controller-based network connection.

Multiple devices may communicate data over a network. For example, a smartphone may transmit or receive data with a server via the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

In general, communication between nodes and servers uses IP (Internet Protocol)-based TCP (Transmission Control Protocol), and access control is performed by identifying source IP, destination IP, and port information with 5 Tuples information included in data packets. Commonly used firewall technology that performs

Firewall technology identifies IPs assigned to nodes or network nodes and controls access of inbound or outbound data packets between network boundaries, thereby blocking unauthorized IPs from accessing unauthorized destination networks.

Technologies such as IP-based firewalls can cause problems that are difficult to control by IP unit in the case of nodes in the Internet band where IP allocation and control are difficult, or in the case of creating a private IP band by configuring a sub-network with routers and gateways. In practice, firewalls are used as a minimum safeguard.

In order to solve the above problems, connectivity control such as tunneling technology or secure session that encrypts data packets transmitted between nodes and servers or gateways, prevents forgery and tampering, and allows unique access only to authorized targets. technology is being used.

However, VPN (Virtual Private Network) based on tunneling technology created at the terminal level has a vulnerability that unallowed or unsafe applications access unallowed destination networks through always-connected tunneling after initial authentication. In other words, in the above vulnerability, VPN technology is increasing security incidents due to infiltration of various malware and ransomware.

In addition, communication between servers on an always-connected network has increased along with recent business complexity, and the target application operating in the server is a Micro Service Architecture in which all service logic is not operated in one application, but is separated and operated in modules or functional units. As it develops into a form, actual communication is changed to communication of a module or functional unit that is lower than the application level, and the identification unit is changed, requiring a network access control technology at a level lower than the application level.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a connection control application and a target application; When the memory is executed by the processor, the node detects a network connection event through the access control application, confirms the existence of a data flow corresponding to a data packet to be transmitted by the target application and authorized from an external server, The type of the data packet is checked, the transmission of the TCP SYN packet is allowed based on whether or not the transmission of the TCP SYN packet is possible based on the type of the data packet, and the TCP SYN packet check is not required after the TCP session is created. In this case, the network connection authentication check is performed, and based on the authentication check result, stored instructions for processing data packets to be transmitted later, and the data flow is basically whether or not to allow the transmission of the TCP SYN packet information may be included.

A method of operating an access control application installed in a node according to an embodiment disclosed in this document includes detecting a network access event, detecting the existence of a data flow corresponding to a data packet to be transmitted by the target application and authorized from an external server. Checking, checking the type of the data packet, if the data packet is a TCP SYN packet, allowing transmission of the TCP SYN packet based on whether the transmission of the TCP SYN packet is possible, and determining whether the data packet is an authentication data packet If , performing a network connection authentication check, and dropping the data packet if the data packet is not the TCP SYN packet and the authentication data packet, wherein the data flow basically transmits the TCP SYN packet It may contain information about whether or not to allow it.

According to the embodiments disclosed in this document, an application connectivity control technology that allows only permitted safe applications to access a permitted network is applied to identify an application that is a fundamental communication subject and block access of disallowed applications in advance. By doing so, it is possible to prevent various types of malware and ransomware from accessing an unauthorized destination network and effectively solve various network security problems currently occurring.

According to the embodiments disclosed in this document, due to the increase in datadam, my data, and AI services, communication of modules or functional units can be controlled in a more granular unit than applications, and data or data possessed by data providers In order to deliver the data entrusted by the owner to the data consumer, the allowed module may control network access so that only data permitted by the data owner or previously permitted by policy is transmitted.

According to the embodiments disclosed in this document, the calculation result of Data Centric Networking-centered AI overlaid on the conventional IP-based network and countless processed valuable data stored in the server are transmitted to the consumer and real value It can be used as a base technology for granting.

In addition, according to the embodiments disclosed in this document, in order to control network access of module unit and data unit that cannot be controlled by conventional application connectivity control technology, the operating system (Kernel Level) has a lower level than an application that cannot be identified. For unit identification, a method for controlling module or data level network access may be provided by inserting an identification layer added when network access is performed in the target application (user level).

In addition, according to the embodiments disclosed in this document, when a module or function in a target application (user level) that cannot be identified in an operating system (kernel level) accesses a network and transmits data, transmission is performed when the target application accesses the network. It is possible to provide a structure that allows or disallows network access depending on whether or not to allow network access including the identification information by checking each identification information included in one authentication data packet with the controller.

In addition, according to the embodiments disclosed in this document, whitelist-based network access is allowed for each identification unit according to the authentication policy of the controller set in advance, or a third party (eg, data owner) allows a network access of the corresponding identification unit. By additionally checking whether or not to allow access, it is possible to provide a structure that allows network access only with the approval of a third party, and since network access by each identification unit is recorded, it is possible to inquire what data was transmitted by which module at what time and where. can provide a way to do it.

In addition, according to the embodiments disclosed in this document, when data centric networking is configured to transmit credit information of a data owner entrusted to a credit institution to another institution, the credit information data of the data owner is transferred to In order to control the transmission to other institutions, only the data permitted by the user, the permitted data supplying institution may create network access at the time of data provision, and release the network connection at the end of data provision, in accordance with the permitted third party. It is possible to provide a method that can reach the practical purpose of My Data.

In addition, according to the embodiments disclosed in this document, various authentication information (eg, public key-based encryption/decryption key and certificate), data information signed based on authentication information (eg, propagation of approved data on a blockchain network) ) Transmission and personal information stored in the cloud, which is always connected to the network, but connects to the Internet only when remote storage including information that needs to be isolated from the Internet is required, thereby blocking external risks from the Internet. , By transmitting only allowed data, it is possible to block the transmission of non-permitted data by non-permitted subjects (e.g., when personal information is arbitrarily leaked by a thief).

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 shows an environment including a plurality of networks.
2 illustrates an architecture within a network environment according to various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
4 shows a functional block diagram of a node in accordance with various embodiments.
5 is a diagram showing the structure of an authentication data packet according to various embodiments.
6 is a diagram illustrating an operation of controlling transmission of a data packet according to various embodiments.
7 shows a signal flow diagram for controller connection of a node according to various embodiments.
8 shows a flowchart of an operation for network access of a node according to various embodiments.
9A illustrates a signal flow diagram for network connection inspection of a node according to various embodiments.
9B illustrates a signal flow diagram for network connection authentication check of a node according to various embodiments.
10 shows a signal flow diagram for transmitting a data packet of a node according to various embodiments.
11 shows a signal flow diagram for controlling reception of a data packet by a gateway according to various embodiments.
12 shows a signal flow diagram for updating a control flow of a node according to various embodiments.
13 shows a signal flow diagram for disconnection of a node according to various embodiments.
14 illustrates a signal flow diagram for termination of application execution of a node according to various embodiments.
15 is an operational flowchart of a method of operating an access control application installed in a node according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by modules, programs, or other components are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN. According to embodiments, the first network 10 may include the data provider network 210 of FIG. 2 , and the second network 20 may include the data consumer network 220 of FIG. 2 .

The first network 10 may include a source node 101 . In FIG. 1 and embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, source node 101 may include a server or gateway capable of transmitting data packets through an application. The source node 101 may also be referred to as 'electronic device' or 'terminal'. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101 . For another example, the destination node 102 can be substantially the same as the destination network.

The source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 . Source node 101 may transmit data to destination node 102 via gateway 103 and tunnel 105 . However, it is not limited thereto, and the source node 101 may transmit data to the destination node 102 through various paths such as a tunnel, a secure session, and a channel.

If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.

The starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission. When the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable. In addition, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20. can

2 illustrates an architecture within a network environment according to various embodiments.

Referring to FIG. 2, the number of nodes 201, gateways 203, destination networks 204, data provider networks 210, and data consumer networks 220 is not limited to the number shown in FIG. For example, a plurality of nodes may have network access controlled by the controller 202, and the controller 202 may communicate with a plurality of gateways and control transmission of data to a plurality of destination networks.

Node 201 may include a connection control application 211 and a target application 221 . For example, the access control application 211 checks whether a connection is possible from the controller 202 when a network connection occurs, and only if the connection is possible, the destination through the gateway 203 based on the data flow generated by the controller 202. Data packets may be transmitted over the network 204 . For example, the gateway 203 may include a first gateway 213 present at the node 201 side network boundary and a second gateway 223 present at the destination network 204 side network boundary.

The data flow-based connectivity control technology provides a structure in which communication is possible only when there is a data flow authorized by the controller 202 in order for the node 201 to access the destination network 204, and the data flow does not exist. If not, a structure in which the node 201 cannot perform communication may be provided. For example, the access control application 211 may restrict transmission of data packets of the target application 212 if no data flow exists.

Controller 202 may be a server (or cloud server). Controller 202 may perform network access control of node 201 to destination network 204 .

According to one embodiment, the controller 202 may send and receive control data packets to and from the node 201 to perform various operations (eg, registration, approval, authentication, renewal, and termination) associated with the network connection of the node 201. can A flow through which the control data packet is transmitted may be referred to as a control flow.

Through the above operations, the controller 202 may provide an environment capable of blocking access to the destination network 204 of disallowed nodes.

The gateway 203 may include a first gateway 213 and a second gateway 223 . For example, the gateway 203 may provide a technology capable of safely transmitting data packets in a network section through a secure channel. In addition, the gateway 203 checks whether the data packet received from the access control application 211 is actually transmitted by the allowed node 201, and the data packet that is transmitted by bypassing the access control application 211 It can play a blocking role. That is, the gateway 203 may always enable a secure network configuration throughout the data provider network 210 and the data consumer network 220 .

Data owner 206 can communicate with controller 202 . The controller 202 may allow whitelist-based network access for each identification unit according to the authentication policy, and further confirms whether or not the data owner 206 allows the network access of the corresponding identification unit, so that the data owner ( 206) can provide a structure that allows network access only by approval. In addition, since network access can be recorded for each identification unit, the data owner 206 can inquire what data was transmitted by which module and when and where.

3 is a functional block diagram illustrating a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.

Since the administrator can connect to the controller 202 and set a connection-oriented policy to control access between applications and servers, security such as existing Network Access Control (NAC) and firewalls that simply perform access control based on IP It is possible to control network access that is more granular than technology and more secure from the point of view of network access.

The access policy database 311 may include information on networks and/or services to which an identified network, node (eg, node 201 of FIG. 2 ), user, unidentified user, or application may access. For example, when access to a destination network is requested from a node, the controller identifies the network (eg, the network to which the node belongs), the node, the user (eg, the user of the node), based on the access policy database 311, and/or determine whether an application (an application included in a node) is allowed to connect to the destination network.

The authentication policy database 312 identifies an access target at a more granular level than an application, which is the smallest unit of access control in an access policy (eg, information included in the access policy database 311), and allows the identified target to access. It may contain service information. For example, the authentication policy database 312 determines whether or not access to a service accessible by policy is always allowed when there is a request for network access with corresponding identification information, or whether other systems or third parties connected to the controller (eg : whether or not to allow access only when approved by the data owner). For another example, the authentication policy database 312 determines whether or not network access is continuously allowed after network access is allowed or under certain conditions (eg, TCP SYM Packet, TCP FIN Packet, the amount of transmitted data packets depends on the data flow). It may include whether or not to release the network connection and re-perform data packet authentication when the amount of data packets included in the data flow is exceeded, the update process character of the data packets included in the data flow, etc.) is satisfied. there is. In addition, the authentication policy database 312 may include whether to perform data packet authentication only when first connecting to a network or whether to check data packet authentication every data packet transmission time. Depending on the embodiment, the authentication policy database 312 may include a method for extracting identification information included in an authentication data packet and a method for checking (eg, one time password, authentication information generation and checking algorithms such as HMAC). Depending on the embodiment, the authentication policy database 312 includes information about whether it is possible to transmit data packets without additional authentication and information about changing the authentication state of the data flow when the renewal condition of the data flow is satisfied. It may contain information for generating information. That is, the controller 202 may generate authentication information based on the authentication policy database 312 .

The blacklist policy database 313 may include a policy for permanently or temporarily blocking access of nodes. The blacklist policy database 313 includes information (e.g., node, IP address, MAC (media access) identified through analysis of risk, occurrence cycle, and/or behavior of security events among security events periodically collected from nodes or gateways. control) address, or at least one of user ID).

The blacklist database 314 may include a list of at least one of nodes, IP addresses, MAC addresses, or users blocked by the blacklist policy database 313 . For example, if a node requesting access to the destination network is included in the blacklist database 314, the controller may isolate the node from the destination network by rejecting the connection request of the node.

The control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between a node and a controller. When accessing the controller successfully, control flow information may be generated by the controller. The control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID. For example, when access to a destination network is requested from a node, the controller may search for control flow information through control flow identification information received from the node, and the IP address, node ID, or user information included in the searched control flow information By mapping at least one of the IDs to the access policy database 311, it is possible to determine (determine) whether a node can be connected and whether a data flow for creating a TCP session with a destination network can be created.

According to one embodiment, a control flow may have an expiration time. The node needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate disconnection is necessary according to the security event collected from the node, the controller may remove the control flow according to the request of the node to terminate the connection. If the control flow is removed, the previously created data flow is also removed, so node access may be blocked.

The data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between nodes, gateways, and destination networks. A data flow can be created by a TCP session created by node or IP unit, by application of a node, or by a more granular unit. The data flow table 316 includes data flow identification information, control flow identification information when the data flow is subordinate to the control flow, application ID for identifying whether the data packet transmitted from the node is an authorized data packet, and source network identification information , destination network identification information and/or service port. The data flow table 316 determines whether or not network access is continuously allowed after network access is allowed or specific conditions (eg, TCP SYM Packet, TCP FIN Packet, amount of transmitted data packets, amount of data packets included in the data flow) may include authentication information including whether to release the network connection and re-perform data packet authentication when a rule such as including an update processing character of a data packet included in a data flow is satisfied. . Depending on the embodiment, the authentication information may include whether to perform data packet authentication only when first connecting to a network or whether to check data packet authentication every data packet transmission time. In addition, the data flow table 316 includes data flow state information including whether the data flow has been authenticated and can be transmitted, whether authentication is required, or whether network access is possible without authentication because authentication is unnecessary ( or authentication status information of a data flow).

Depending on the embodiment, the data flow table 316 may be equally included in a node (eg, node 201 of FIG. 2 ) and a gateway (eg, gateway 203 of FIG. 2 ).

4 shows a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, the node may further include a display 440 to interface with a user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.

The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to an embodiment, the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the data flow table 316 described in FIG. 3 .

The communication circuit 430 may support establishing a wired or wireless communication connection between a node and an external electronic device (eg, the controller 202 of FIG. 2 ) and performing communication through the established connection. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

A server (eg, the controller 202 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A gateway (eg, the gateway 203 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5 is a diagram showing the structure of an authentication data packet according to various embodiments.

Existing data packets can be composed of a data packet structure including an IP header and payload including 5 tuples (source, destination information, etc.) information, which is a unit that can be identified in OSI (Open System Interconnection) during IP communication. .

In order to implement Micro Service Architecture and Data Centric Networking, 5 tuples and applications that are actual communication subjects that can be identified in the operating system (Kernel Level) of nodes are targeted applications (e.g. : It may be necessary to know whether the minimum identification unit (unit defined in the user level) in the target application 212 of FIG. 2 is connected to the network.

The target application (e.g. target application 212 in FIG. 2) is an authentication data packet (e.g. a single authentication data packet) containing information that can identify the included module or function, and data that can be used to access the network. 510 and a data packet 520 using the authentication data packet as a header may be transmitted. In this case, a network access control application (e.g., the access control application 211 of FIG. 2) controlling network access at the operating system (kernel level) of the node can check the received authentication data packets 510 and 520, Authentication information is extracted from the authentication data packets 510 and 520 and transmitted to a controller (e.g., the controller 202 of FIG. 2) to determine whether to allow network access based on the authentication information, and A structure allowing network access based on whether or not network access is allowed may be provided.

Authentication information in the authentication data packets 510 and 520 can identify a level that cannot be identified by the operating system (Kernel), and is the minimum identification unit for requesting network access permission when a target application accesses a network in order to control network access. can include For example, the identification unit may include information such as a module, function, or data, and the identification unit may be assigned according to the intention of a target developing and operating a target application. For another example, the authentication information may include an authentication information generation algorithm designated by the controller to double check the network access of the target application.

A single authentication data packet 510 may include an IP header and payload. For example, the payload of a single authentication data packet 510 may include an authentication data packet. Depending on the embodiment, the single authentication data packet 510 may be a structure for initial network access authentication.

The data packet 520 using the authentication data packet as a header may include an IP header, a payload including the authentication data packet, and a payload including the actual transmission data packet. Depending on the embodiment, the data packet 520 using the authentication data packet as a header may be a data packet for inspecting successive data packets.

In one embodiment, authentication data packets 510 and 520 may include one or more pieces of authentication information.

6 is a diagram illustrating an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 6 , node 201 blocks data packets transmitted to destination network 204 after controller 202 is connected to network drivers and operating system kernel levels in the case of unacceptable data packets having no data flow. can Thus, node 201 may not transmit any data packets to destination network 204 that do not go through connection control application 211 .

The access control application 211 must access the controller 202 to identify and authenticate a node or one or more identification information and applications, modules, functions, and data included in the application. After authentication is performed, the access control application 211 queries the controller 202 for access network information when the target application 212 accesses the destination network 204 to determine whether access is possible, modules and functions of the authorized application, Only objects such as data can be controlled to be accessible to the network.

Unauthorized nodes or applications, modules, functions, data, etc. included in the application are basically in a state in which they cannot access the destination network 204, and the target application 212 and the modules included in the target application 212 from the controller 202. and when data flow information including access information such as function and data is not transmitted to the first gateway 213 or the second gateway 223, the first gateway 213 or the second gateway 223 sends a data packet Since forwarding of is blocked, the node 201 cannot reach the destination network 204, that is, it is in an isolated state.

7 shows a signal flow diagram for controller connection of a node according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 in order to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, so that the node ( 201) can try to connect to the controller.

Referring to FIG. 7 , the connection control application 211 of the node 201 may, in operation 705 , request a controller connection to the controller 202 . For example, the access control application 211 may perform a controller connection request to create a control flow with the controller 202 . For example, the controller connection request may include information about node 201 or connection control application 211 .

In operation 710, the controller 202 may check whether or not the access control application 211 is in an accessible state according to an access policy based on information requested for access. For example, the information requested for access by the access control application 211 may include the type of node 201, location information, environment, network including the node 201, and information about the access control application 211. there is.

In one embodiment, the controller 202 may use an access control application (eg, blacklist database 314 in FIG. 211) may transmit connection failure information (operation 725).

If the node 201 is accessible, in operation 715, the controller 202 may create a connection control application 211 or a control flow between the node 201 and the controller 202. In this case, the controller 202 may generate control flow identification information in the form of random numbers, and the identification information of the node 201 and/or the network to which the node 201 belongs is stored in a control flow table (eg, the control flow of FIG. 3 ). table 315). Information stored in the control flow table (e.g., control flow identification information and/or control flow information) is used for user authentication of the node 201, information update of the node 201, policy check for node 201 network access, and/or Or it can be used for validation. In one embodiment, the controller 120 may generate accessable application whitelist information in an access policy matching node 201 .

In operation 720, the controller 202 may generate a whitelist of accessible applications based on identification information of nodes, users, and source networks and matching access policies. When the whitelist is created, the controller 202 provides control flow identification information (e.g., ID) for identifying a control flow when a connection completion status as a result of the connection, a request for user authentication from a subsequent node, and a continuous update of node information are required. The application whitelist may be sent to the access control application 211 of the node 201 (act 725).

In addition, the controller 202 may determine whether to allow a data packet for which authentication has not been performed based on an authentication policy (eg, the authentication policy database 312 of FIG. 3 ). In this case, the controller 202 may check information on whether or not unauthenticated network access is available to determine whether the node 201 will allow network access without data packet authentication based on the authentication policy, and unauthenticated network access is possible. Whether information may be transmitted to the node 201 (operation 725).

When the control flow is generated, in operation 725 , the controller 202 may transmit a response to the controller connection request to the connection control application 211 of the node 201 . In this case, the controller 202 may transmit the generated control flow identification information to the connection control application 211 . In one embodiment, the controller 202 may send accessible application whitelist information to the access control application 211 .

At operation 730, the access control application 211 may perform a check on the application. For example, the access control application 211 may perform a check on the application based on a whitelist of accessible applications received from the controller 202 . The access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.

At operation 735 , the access control application 211 may send the application check result to the controller 202 . For example, the access control application 211 may transmit information about applications existing in the node 201 and results of validation to the controller 202 .

In operation 740, the controller 202 may check whether the application is valid based on the received application information. If the application included in the received application information is a valid application, the controller 202 selects the gateway 203 where the node 201 is located in the access policy in order to allow access of the node 201 connected to the network including the application. It can be checked, and a data flow can be created in the authentication policy so that the application can allow data packet transmission in advance without data packet authentication. For example, a data flow may be generated based on source IP, destination IP, and port information.

According to an embodiment, the controller 202 may check whether to allow a data packet for which authentication has not been performed in the authentication policy. For example, the controller 202 determines whether the node 201 allows unauthenticated network access to determine whether to allow network access without data packet authentication or whether to allow transmission of TCP SYN packets by default. to the control application 211 (act 745).

In operation 745 , the controller 202 may transmit the generated data flow to the gateway 203 . For another example, if the generated data flow does not exist, the controller 202 may not transmit the data flow to the gateway 203 .

In operation 750 , the controller 202 may transmit the generated data flow to the node 201 . For another example, if the generated data flow does not exist, the controller 202 may not transmit the data flow to the gateway 203 .

In operation 755 , the connection control application 211 of the node 201 may process the result value of the response received from the controller 202 . For example, the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that access to the controller is impossible in operation 725 without generating a control flow in operation 715 . Also, in this case, operations 730 to 750 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 705 again.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

Depending on the embodiment, operations 730 to 750 may not be performed when the access control application 211 determines that the inspection of the application is not necessary.

8 shows a flowchart of an operation for network access of a node according to various embodiments. Depending on the embodiment, the operations shown in FIG. 8 may be performed through the access control application 211 of the node 201 shown in FIG. 2 .

When the node 201 needs to communicate with a destination network, the controller 202 may check whether or not the node 201 can connect to the network or authenticate the network connection in order for the destination network to communicate.

At operation 805, connection control application 211 of node 201 may detect a network connection event. For example, the connection control application 211 can detect a network connection event for a target application's destination network. According to an embodiment, the access control application 211 may detect a network access event by detecting a data packet to be transmitted by the target application.

At operation 810, the access control application 211 may check the data flow. For example, the access control application 211 may confirm existence of a data flow that corresponds to a data packet to be transmitted by the target application and is authorized from the controller 202 . For another example, the access control application 211 may check whether a data flow corresponding to the identification information of the target application 211 and the identification information of the destination network exists. Depending on the embodiment, if the data flow exists but is not valid, the access control application 211 may drop the data packet (operation 840). According to another embodiment, if the data flow exists and the data flow is authenticated or authentication is unnecessary, the access control application 211 may transmit the data packet (operation 815).

When the data flow does not exist or the data flow exists but authentication is required, in operation 820, the access control application 211 may check whether the data packet is a TCP SYN packet for creating a TCP session. Depending on the embodiment, if the data packet is a TCP SYN packet, the access control application 211 may perform a network connection check related to whether the TCP SYN packet can be transmitted (operation 825). For another example, if the data packet is a TCP SYN packet, the access control application 211 may allow transmission of the TCP SYN packet based on whether or not the transmission of the TCP SYN packet is possible. For another example, if the data packet is a TCP SYN packet, the access control application 211 may check whether transmission of the TCP SYN packet is allowed based on whether transmission of the TCP SYN packet is possible. Depending on the embodiment, the process of checking whether transmission of the TCP SYN packet is allowed may be performed through network connection check. For example, the network connection check may be performed through the operations shown in FIG. 9A. If the data packet is not a TCP SYN packet, at operation 830, the connection control application 211 may check whether the data packet is an authentication data packet. Depending on the embodiment, if the data packet is not an authentication data packet, the access control application 211 may drop the data packet (operation 840).

If the data packet is an authentication data packet, in operation 835, the access control application 211 may perform a network connection authentication check related to whether the authentication data packet can be transmitted. For example, the network access authentication check may be performed through operations shown in FIG. 9B.

9A illustrates a signal flow diagram for network connection inspection of a node according to various embodiments.

When a target application attempts a TCP-based network connection, the node 201 may transmit a TCP SYN packet and perform a 3-way handshake procedure to actually create a TCP session. Node 201 may be in a state capable of transmitting actual data packets after the TCP session is created. Due to the characteristics of such TCP communication, in order to authenticate data packets, the node 201 needs to have a TCP session created in advance, and the controller 202 checks whether or not network access is possible at the time of TCP session creation, and after the TCP session is created. At the time of data packet authentication, a procedure for checking whether network access is possible in the controller 202 may be required. In this case, when communication is frequently performed targeting various destination networks, network access of the node 201 may have a disadvantage in that it takes a lot of time until a round trip and actual data packet transmission. According to an embodiment disclosed in this document, the access control application 211 of the node 201 basically allows TCP session creation, but then double-checks whether network access is possible at the time of data packet authentication and actual data packet transmission. The process of being confirmed by the controller 202 can be reduced to one.

Referring to FIG. 9A , in operation 905, the connection control application 211 may detect a network connection check event. For example, the access control application 211 may detect a network connection check event through operation 825 of FIG. 8 .

In operation 910, the access control application 211 may check whether the TCP SYN packet is inspected. For example, if the connection control application 211 does not need to examine the TCP SYN packet, it can create a TCP session by sending the TCP SYN packet to the destination network. For another example, if the connection control application 211 previously allowed TCP SYN data packets, that is, if the data packets were not authenticated, but there is a data flow that can transmit the TCP SYN data packets, the TCP SYN packets to the destination network to create a TCP session. Depending on the embodiment, operation 915 may be performed when the TCP SYN packet needs to be inspected or when a data flow capable of transmitting the TCP SYN data packet does not exist.

In operation 915 , the access control application 211 may perform a network connection request to the controller 202 . For example, the network access request may include at least one of control flow identification information previously generated with the controller 202 , target application identification information, and destination network identification information.

In operation 920, the controller 202 may check an access policy matched with information about the identified node 201, user, and source network based on the control flow identification information. For example, the controller 202 determines whether access-requested identification information (eg, target application identification information, destination network identification information) is included in the access policy and whether access to the destination network corresponding to the identification information is possible. You can check. Depending on the embodiment, when network access is impossible, the controller 202 may transmit a network connection failure result to the connection control application 211 in operation 935 .

If accessible, at operation 925 the controller 202 may process the data flow. For example, the controller 202 provides accessable data flow information as identification information of the destination network based on a data flow table (eg, the data flow table 316 of FIG. 3 ) to allow the node 201 to access the network. You can check if exists. Depending on the embodiment, if there is a data flow accessible from the data flow table, the controller 202 may transmit the data flow to the node 201 (operation 935).

If valid data flow information does not exist in the data flow table, the controller 202 may create a data flow based on the source IP and destination network identification information so that the target application can access the destination network. The data flow may be forwarded to node 201 and gateway 203 (acts 930 and 935).

At operation 940 , the connection control application 211 may process the resulting value with respect to the response received from the controller 202 . For example, the access control application 211 may drop a data packet when receiving a network connection failure result. For another example, when a data flow is received, the access control application 211 may transmit a data packet (TCP SYN packet) based on the received data flow. there is. Depending on the embodiment, the connection control application 211 of the node 201 may update the data flow based on the received data flow.

According to an embodiment, the access control application 211 of node 201 may further perform a validation check before performing operation 915 . For example, the access control application 211 may perform a test for integrity and stability (eg whether an application is falsified or not, falsified, code signing, fingerprint, etc.) of a target application according to a validation policy. Depending on the embodiment, if the validation is successful, the access control application 211 may perform operation 915. Depending on the embodiment, if validation fails, the access control application 211 may drop a data packet (TCP SYN packet).

9B illustrates a signal flow diagram for network connection authentication check of a node according to various embodiments.

When the node 201 needs to communicate with a destination network, it needs to check whether authentication is completed in order to communicate with the destination network.

Referring to FIG. 9B , in operation 950, the access control application 211 may detect a network access authentication check event. For example, the access control application 211 may detect a network access authentication check event through operation 835 shown in FIG. 8 .

In operation 955 , the access control application 211 may perform a network access authentication request to the controller 202 . In this case, the access control application 211 may perform a network access authentication request including control flow identification information, target application identification information, identification information of a destination network to be accessed, and authentication data packet information to the controller 202 .

In operation 960, the controller 202 may check an access policy matched with information about the identified node 201, user, and source network based on the control flow identification information. For example, the controller 202 determines whether access-requested identification information (eg, target application identification information, destination network identification information) is included in the access policy and whether access to the destination network corresponding to the identification information is possible. You can check. Depending on the embodiment, when network access is impossible, the controller 202 may transmit a network connection failure result to the connection control application 211 in operation 980 .

If access is possible, in operation 965, the controller 202 checks whether the authentication data packet transmitted by the node 201 is valid based on the authentication policy (eg, the authentication policy database 312 of FIG. 3). can For example, in order to validate the authentication data packet, the controller 202 checks whether transmittable identification information included in the authentication policy is the same as the identification information transmitted by the node, and whether network access is possible with the identification information. It is possible to determine whether or not the authentication information is valid through the authentication information generated through the authentication information generation algorithm for network access authentication and the authentication information inspection algorithm included in the authentication policy.

Depending on the embodiment, when the controller 202 can allow network access by approval of a matched third party (eg, the data owner 206 of FIG. 2) based on the identification information of the node 201, Authentication data packet validation can be performed through authentication confirmation by a third party. Through the above confirmation, the third party can safely manage the data they own and check the record of using the data.

When the verification of the access and authentication policies is complete, in operation 970, the controller 202 determines based on the data flow table (e.g., data flow table 316 of FIG. 3) to allow the node 201 to access the network. With the identification information of the destination network, it is possible to check whether there is data flow information that can be accessed.

When valid data flow information does not exist in the data flow table, the controller 202 generates data including authentication information generated according to the source IP, destination network identification information, and authentication policy so that the target application can access the network to the destination network. flow can be created.

Depending on the embodiment, the authentication information may be information including whether it is possible to always transmit data packets without further authentication renewal and authentication renewal timing. For example, the authentication information is whether to allow network access continuously after allowing network access, or specific conditions (eg TCP SYM Packet, TCP FIN Packet, amount of transmitted data packets, amount of data packets included in data flow) may include whether to release the network connection and re-perform data packet authentication when a rule such as including an update processing character of a data packet included in a data flow) is satisfied. Also, the authentication information may include information for setting the authentication state of the data flow to the authentication required state when the data flow renewal condition is satisfied.

At operation 975 , the controller 202 may transmit the generated data flow to the gateway 203 . For another example, if the generated data flow does not exist, the controller 202 may not transmit the data flow to the gateway 203 .

In operation 980, the controller 202 may transmit a response to the network connection authentication request of the connection control application 211 (operation 955). For example, if the generated data flow exists, the controller 202 may transmit the generated data flow to the access control application 211 . For another example, if there is a data flow accessible from the data flow table, the corresponding data flow may be transmitted to the node 201 . For another example, when the network access of the target application of the node 201 is impossible or authentication fails, the controller 202 may transmit a connection failure result.

In operation 985, the connection control application 211 may process the result value of the response transmitted from the controller 202. For example, when the access control application 202 receives a data flow from the controller 202, it updates the data flow of the node 201 with the received data flow, and drops or transmits an authentication data packet according to the authentication information. can be dealt with For another example, the access control application 211 may drop a data packet when receiving an authentication failure result or a connection failure result from the controller 202 .

According to an embodiment, after performing operation 950, the access control application 211 may perform validation on the target application according to a validation policy. For example, the access control application 211 may further perform integrity and stability checks (eg, falsification checks, falsification checks, code signing checks, fingerprint checks, etc.) of the target application. The access control application 211 may perform operation 955 when the validation result is successful.

10 shows a signal flow diagram for transmitting a data packet of a node according to various embodiments.

The access control application 211 of the node 201 checks whether the corresponding data packet is authenticated and whether renewal is required before transmitting the data packet, and controls not to transmit the data packet if authentication is not performed or renewal is required. there is.

At operation 1005, the connection control application 211 may detect a data packet transmission event. For example, the access control application 211 may detect an operation of transmitting a data packet by another application included in the node 201 (eg, the target application 212 of FIG. 2 ).

At operation 1010, access control application 211 may perform a data packet authentication check. For example, the access control application 211 may check authentication information included in the data flow corresponding to the destination network identification information of the data packet requested to be transmitted. The access control application 211 can check whether or not to check whether the authentication data packet is included in each data packet based on the authentication information, and can perform the data packet check if it needs to check whether or not the authentication data packet is included. In this case, the access control application 211 may drop the data packet when there is no authentication data packet included in the data packet or when authentication information included in the data packet is different from authentication information included in the data flow. For another example, if it is not necessary to check whether the authentication data packet is included, the access control application 211 may perform operation 1015.

At operation 1015, connection control application 211 may perform a data packet update check. For example, the access control application 211 may determine whether data packet inspection for authentication renewal is required based on authentication information included in the data flow. For example, when it is necessary to inspect data packets for authentication renewal, the access control application 211 may inspect the data packet requested to be transmitted according to the authentication renewal method included in the authentication information. Depending on the embodiment, the access control application 211, if the data packet requested to be transmitted is a TCP SYN Packet or a TCP FIN Packet, if the amount of transmitted data packets exceeds the amount of data packets included in the data flow, the data When a data flow update condition is satisfied according to a set of rules included in the authentication information, such as including an update processing character (suffix) of a data packet included in the flow, a data flow update procedure may be performed. For example, the access control application 211 may change the update status of the data flow to need update, send information about the data flow to the controller 202 and request an update of the data flow (act 1020).

In operation 1025, the controller 202 may update the data flow based on information about the data flow received from the access control application 211.

At operation 1030 , the controller 202 may transmit the updated data flow to the gateway 203 .

Depending on embodiments, operations 1020 to 1030 may not be performed when data flow update is not required.

If data packet inspection for authentication renewal is not required, in operation 1035, the access control application 211 may transfer the data packet. In addition, when authentication renewal is completed, the access control application 211 may transmit a data packet. In addition, the access control application 211 may transmit the data packet when the inspection of the data packet is completed through operation 1010 or operation 1015 . Depending on the embodiment, the access control application 211 may drop the data packet when the data packet inspection fails in operation 1010 or operation 1015 .

11 shows a signal flow diagram for controlling reception of a data packet by a gateway according to various embodiments.

When a data packet is received, the gateway 203 checks whether the corresponding data packet is authenticated and whether renewal is required before forwarding the data packet, and controls not to forward the data packet if authentication is not performed or renewal is required. there is.

At operation 1105, gateway 203 may detect a data packet reception event. For example, gateway 203 may detect data packets transmitted from connection control application 211 of node 201 .

In operation 1110, the gateway 203 may check the source IP of the received data packet and identification information of the destination network, and may check whether a data flow corresponding to the source IP and destination network identification information exists. Depending on the embodiment, the gateway 203 may drop the data packet when a data flow corresponding to the source IP and identification information of the destination network does not exist.

If the data flow exists, at operation 1115, gateway 203 may perform a data packet authentication check. For example, the gateway 203 may check authentication information included in the data flow corresponding to the destination network identification information of the received data packet. The gateway 203 can check whether to check whether the authentication data packet is included in each data packet based on the authentication information, and can perform the data packet check if it needs to check whether or not the authentication data packet is included. In this case, the gateway 203 may drop the data packet when the authentication data packet included in the data packet does not exist or when authentication information included in the data packet is different from authentication information included in the data flow. For another example, when it is not necessary to check whether the authentication data packet is included, the gateway 203 may perform operation 1120.

At operation 1120, gateway 203 may perform a data packet update check. For example, the gateway 203 may determine whether data packet inspection for authentication renewal is required based on authentication information included in the data flow. For example, when it is necessary to inspect a data packet for authentication renewal, the gateway 203 may inspect the received data packet according to an authentication renewal method included in authentication information. Depending on the embodiment, if the received data packet is a TCP SYN Packet or a TCP FIN Packet, the gateway 203 includes the received data packet in the data flow if the amount exceeds the amount of data packet included in the data flow. When the data flow update conditions are satisfied according to a series of rules included in the authentication information, such as including the update processing character (suffix) of the updated data packet, the data flow update procedure may be performed. For example, the gateway 230 may change the update status of the data flow to update required, transmit information about the data flow to the controller 202, and request update of the data flow (operation 1125).

In operation 1130, the controller 202 may update the data flow based on the data flow information received from the gateway 203.

Depending on embodiments, operations 1125 and 1130 may not be performed when data flow update is not required.

If data packet inspection for authentication renewal is not required, at operation 1135, gateway 203 may forward the data packet. Also, when authentication renewal is completed, the gateway 203 may forward the data packet. In addition, the gateway 203 may forward the data packet when the inspection of the data packet is completed through operation 1115 or operation 1120 . Depending on embodiments, the gateway 203 may drop the data packet when the data packet inspection fails in operation 1115 or operation 1120.

12 shows a signal flow diagram for updating a control flow of a node according to various embodiments.

The access control application 211 maintains information about the control flow and data flow of the node 201 and periodically checks the control flow to receive an updated data flow from the controller 202 or to check whether the control flow is valid. can request an update.

Referring to FIG. 12 , in operation 1205, the access control application 211 may detect a control flow update event.

In operation 1210, the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.

In operation 1215, the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (eg, when the connection is disconnected by another security system, when the connection is disconnected by its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1220).

The controller 202 may update the update time when a control flow exists in the control flow table (eg, the control flow table 315 of FIG. 3 ). In this case, the controller 202 may transmit identification information of the updated control flow to the connection control application 211 (operation 1220).

In one embodiment, the controller 202 is required to perform re-authentication among data flows subordinate to the identified control flow, or if there is a data flow to which access is no longer possible, the controller 202 transmits information about the corresponding data flow to an access control application ( 211) (operation 1220).

At operation 1225 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, the access control application 211 may block all network accesses of applications when the control flow update result is impossible. For another example, the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.

13 shows a signal flow diagram for disconnection of a node according to various embodiments.

Referring to FIG. 13 , in operation 1305, the node 201 terminates the node 201, terminates the access control application 211, terminates the target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1310, node 201 or access control application 211 may request controller 202 to remove the control flow.

In operation 1315, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1320, the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1325, the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow.

14 illustrates a signal flow diagram for termination of application execution of a node according to various embodiments.

Referring to FIG. 14 , in operation 1405, the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution end event.

In operation 1410, the access control application 211 may check whether a data flow corresponding to the terminated application identification information and PID (Process ID and Child Process ID Tree) information exists. If a data flow exists, the access control application can delete that data flow. Depending on the embodiment, the access control application 211 may check whether the terminated application exists in the running process list in order to track the termination of the multi-executable application, and if not, the identification information of the terminated application. All data flows corresponding to can be deleted.

In operation 1415, the access control application 211 may request the controller 202 to delete the deleted data flow.

In operation 1420, the controller 202 may delete the data flow requested to be deleted. Also, the controller 202 may perform a removal request for the deleted data flow to the gateway 203 . Accordingly, data packets corresponding to source network, destination network, and port information included in the deleted data flow cannot be transmitted any more.

15 is an operational flowchart of a method of operating an access control application installed in a node according to various embodiments. In one embodiment, the operations shown in FIG. 15 may be performed through the access control application 211 installed on the node 201 of FIG. 2 .

Referring to FIG. 15 , in operation 1505, the connection control application 211 may detect a network connection event. For example, the access control application 211 may detect a network access event by detecting a data packet that the target application intends to transmit to the destination network.

In operation 1510, the access control application 211 may check existence of a data flow corresponding to a data packet to be transmitted by the target application and authorized from an external server.

At operation 1515, the connection control application 211 may ascertain the type of data packet. For example, the connection control application 211 can determine whether the data packet is a TCP SYN packet, an authentication data packet, or not both a TCP SYN packet and an authentication data packet.

In the case of a TCP SYN packet, in operation 1520, the access control application 211 may allow transmission of the TCP SYN packet based on whether or not transmission of the TCP SYN packet is possible.

In the case of an authentication data packet, in operation 1525, the access control application 211 may perform a network connection authentication check related to whether transmission of the authentication data packet is possible.

If it is not a TCP SYN packet or authentication data packet, at operation 1530, the connection control application 211 may drop the data packet.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (8)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operatively connected to the processor and storing a connection control application and a target application, wherein the memory, when executed by the processor, causes the node to:
detecting a network access event through the access control application;
confirming the existence of a data flow corresponding to the data packet to be transmitted by the target application and authorized from an external server, and confirming the type of the data packet;
Allowing transmission of a TCP SYN packet based on whether or not a TCP SYN packet can be transmitted based on the type of the data packet;
After the TCP session is created or when checking the TCP SYN packet is not required, network access authentication check is performed,
storing instructions for processing data packets to be transmitted later based on the result of the authentication check;
Wherein the data flow includes information on whether or not to basically allow transmission of the TCP SYN packet. The method of claim 1, wherein the instructions are the node,
When checking whether the transmission of the TCP SYN packet is possible, check whether the TCP SYN packet is inspected based on the data flow through the access control application;
Transmitting the TCP SYN packet to a destination network when inspection of the TCP SYN packet is not required or when the TCP SYN packet has previously been allowed;
When it is necessary to inspect the TCP SYN packet, perform a network access request to the external server through the access control application;
Receive a data flow from the external server and transmit the TCP SYN packet based on the received data flow;
The network access request includes identification information of the destination network and identification information of the target application, a node; The method of claim 1, wherein the instructions are the node,
When performing the network access authentication check, perform a network access authentication request to the external server based on information about an authentication data packet through the access control application;
Receiving data flow or network access unavailability information including authentication information from the external server;
transmit the authentication data packet based on a data flow including the authentication information;
The authentication information is generated based on an authentication policy included in the external server,
The authentication information includes information on whether it is possible to transmit a data packet without additional authentication and information for changing the authentication state of the data flow when an update condition of the data flow is satisfied based on the authentication policy Node, . The method of claim 1, wherein the instructions are the node,
determining whether or not to transmit data packets of the target application without authentication based on the unauthenticated network access availability information received from the external server through the access control application;
When the data packet is transmitted without authentication, a network connection request is made to the external server;
Receiving a data flow including authentication information from the external server;
A node to transmit the data packet based on the received data flow. The method of claim 1, wherein the instructions are the node,
Checking authentication information included in a data flow corresponding to information included in a data packet requested to be transmitted from the target application through the access control application;
determining whether to inspect the data packet based on whether authentication is required included in the authentication information;
determining whether to inspect the data packet based on whether or not an authentication renewal is required included in the authentication information;
and to transmit the data packet when the data packet inspection is completed. The method of claim 5, wherein the instructions are the node,
Through the access control application, check whether to check whether an authentication data packet is included in each data packet transmitted based on the authentication information,
If it is necessary to check whether or not an authentication data packet is included in each of the transmitted data packets, the data packet is checked,
and drop the data packet when no authentication data packet exists in the data packet or authentication information included in the data packet is different from authentication information included in the data flow. The method of claim 5, wherein the instructions are the node,
Through the access control application, based on the authentication information, it is determined whether data packet inspection for authentication renewal is required;
When data packet inspection for the authentication renewal is required, the data packet is inspected based on the authentication renewal method included in the authentication information;
A node configured to set an update state of the data flow to require update when a data flow update condition included in the authentication information is satisfied. In the operating method of the access control application installed in the node,
detecting a network access event;
confirming existence of a data flow corresponding to a data packet to be transmitted by the target application and authorized from an external server;
checking the type of the data packet;
If the data packet is a TCP SYN packet, transmission of the TCP SYN packet is allowed based on whether the transmission of the TCP SYN packet is possible, and if the data packet is an authentication data packet, a network connection authentication check is performed, and the data packet is dropping the data packet if it is not the TCP SYN packet and the authentication data packet; including,
The method of claim 1 , wherein the data flow includes information on whether or not to allow transmission of the TCP SYN packet by default.

Images