This application claims the priority of Korean Patent Application No. 10-2005-0120166, filed on Dec. 8, 2005, and Korean Patent Application No. 10-2006-0083569, filed on Aug. 31, 2006, in the Korean Intellectual Property Office, the disclosures of which are incorporated herein in their entirety by reference.
The present invention relates to service security of a network system, and more particularly, to a privacy & intellectual property protection framework (PIPPF) against a denial-of-information (DoI) attack and a method of implementing the PIPPF.
As the amount of information transmitted through various service communication channels, such as the world wide web (WWW), e-mails, peer-to-peer (P2P) and instant messaging (IM) increases rapidly, there is a growing need for technologies that can counter denial-of-information (DoI) attacks launched using such information.
Examples of DoI attacks include extended enterprise network overseas (XENO) threats using back-end processing, such as P2Ps, recent phishing scams sent through e-mails using social engineering schemes, and pharming through domain spoofing. These DoI attacks cause serious leakage of important personal and corporate information. Therefore, an integrated security framework and system technology which can ward off the illegal leakage and malicious use of personal privacy information and important corporate information is required.
Conventional technologies for guarding against these attacks are available, such as intrusion prevention systems, e-mail monitoring systems, identity and access management (IAM) solutions and network access control (NAC) solutions. However, intrusion prevention systems mostly concentrate on processing inbound contents or traffic, while e-mail monitoring systems and IAM and NAC solutions each mostly concentrate on a single service channel.
Therefore, a technology which can configure an integrated security framework at the enterprise network level and prevent inflow of harmful information (inbound filtering) and illegal leakage of information (outbound filtering) at a location between a lead-in point of a network and a service end is required.
A relevant conventional art is disclosed in Korean Patent Application No. 10-2001-0080720, which relates to a Ladon-security gateway system (SGS), a method of setting a security policy, and a method of generating a harmful traffic detection alarm. The Ladon-SGS is designed to counter harmful traffic that illegally invades a system through a network. A security system including a plurality of Ladon-SGSes in a security policy server management network is implemented. However, this conventional art aims to block harmful traffic flowing into a network, and a security gateway controls traffic according to a policy determined by a policy server based only on whether the traffic is harmful or not. Hence, the conventional art neither takes the service level of normal traffic into consideration nor addresses the problem of illegal leakage of important information.
In this regard, a systematic system and method of not only determining whether traffic is harmful, but also preventing the leakage of personal privacy information and corporate intellectual property at the enterprise network level at a location between a network and a server is required.
The present invention provides a privacy & intellectual property protection framework (PIPPF) against a denial-of-information (DoI) attack and a method of implementing the PIPPF in order to prevent the inflow of harmful information (inbound filtering) and the illegal leakage of information (outbound filtering) at the enterprise network level.
According to an aspect of the present invention, there is provided an apparatus for protecting a user's privacy information and intellectual property. The apparatus includes an inbound processing unit determining whether inbound contents are harmful traffic using black lists and blocking the inbound contents based on the determination result; an identity and access management (IAM)/network access control (NAC) solution unit detecting and blocking internal, abnormal user activity and/or a malicious attack, which targets privacy information and intellectual property, using user access control and device access control; and an outbound processing unit preventing the leakage of the privacy information and intellectual property through outbound contents using white lists.
According to another aspect of the present invention, there is provided a method of protecting a user's privacy information and intellectual property. The method includes determining whether inbound contents are harmful traffic using black lists and blocking the inbound contents based on the determination result; detecting and blocking internal, abnormal user activity of a user and/or a malicious attack, which targets privacy information and intellectual property, through user access control and device access control using an IAM/NAC solution; and preventing the leakage of the privacy information and intellectual property through outbound contents using white lists.
The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth therein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art.
Referring to
Referring to
Referring to
The rule-based attack can be detected using a rule database (DB) created based on existing well-known rules. The activity-based attack is not an existing well-known attack but may be classified as harmful traffic due to an abnormal activity pattern of traffic.
Specifically, when processing inbound contents, the inbound processing unit 330 detects an attack and determines whether the attack is a rule-based attack or an activity-based attack in cooperation with a security policy and event management unit 310. Since most hacker attacks can be detected and countered only when both types of attack are detected, the attack combiner 331 considers the possibility of a combination of the two attacks, and the attack determiner 332 determines whether an attack has been launched based on the combined attacks. In this case, the attack determiner 332 refers to necessary information stored in a policy & event information base (PEIB) 320. Finally, the attack processor 333 processes the attack by passing, blocking or controlling it.
If an attack is an activity-based attack in the form of a rule-based attack, such as a distributed denial-of-service (DDoS) attack or a worm attack, the attack processor 333 blocks the attack by using all means at its disposal. For other types of attacks, the attack processor 333 updates the rule DB and passes or blocks the attacks according to an administration policy.
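The inbound decision path described above (rule-based detection, activity-based detection, combination, rule DB update and pass/block/control), written out as an added example in Python; this is a constructed toy model, not code from the patent, and the rule DB, administration policy, threshold and flow records are all assumptions made for illustration:

```python
"""Inbound attack combiner and processor (constructed toy model of units 331-333)."""
from collections import Counter

# Constructed rule DB: rule id -> (flow field, value) signature, standing in for the well-known rules
RULE_DB = {"R1": ("payload", "worm-probe"), "R2": ("payload", "sql-scan")}
# Constructed administration policy for rule-only hits; 'control' means rate-limit or quarantine
ADMIN_POLICY = {"R1": "block", "R2": "control"}
DEFAULT_ACTION = "control"
ACTIVITY_THRESHOLD = 5   # flows from one source in the window before its activity counts as abnormal

def flow(source, payload):
    return {"source": source, "payload": payload}

# Constructed inbound flows for one observation window
SAMPLE_FLOWS = (
    [flow("10.0.0.5", "worm-probe")] * 6   # signature hit AND abnormal volume: worm-like
    + [flow("10.0.0.7", "sql-scan")]       # single signature hit: handled per admin policy
    + [flow("10.0.0.9", "http-get")] * 6   # no signature, abnormal volume: activity-based only
    + [flow("10.0.0.3", "http-get")]       # ordinary traffic
)

def rule_hits(rec, rule_db):
    """Rule-based detector: ids of rules whose signature matches this flow."""
    return [rid for rid, (field, value) in rule_db.items() if rec[field] == value]

def abnormal_sources(flows, threshold=ACTIVITY_THRESHOLD):
    """Activity-based detector: sources whose flow count reaches the window threshold."""
    counts = Counter(rec["source"] for rec in flows)
    return {src for src, n in counts.items() if n >= threshold}

def combine_and_process(flows, rule_db, policy):
    """Combiner (331), determiner (332) and processor (333) in one pass.
    Returns ({source: action}, updated rule DB); the input rule DB is left unchanged."""
    rule_db = dict(rule_db)
    active = abnormal_sources(flows)
    decisions = {}
    for src in dict.fromkeys(rec["source"] for rec in flows):
        hits = sorted({rid for rec in flows if rec["source"] == src
                       for rid in rule_hits(rec, rule_db)})
        if hits and src in active:
            decisions[src] = "block"        # activity-based attack in rule-based form (worm/DDoS)
        elif hits:
            decisions[src] = policy.get(hits[0], DEFAULT_ACTION)
        elif src in active:
            new_id = f"A-{src}"             # learn a rule so the DB recognises the pattern next time
            rule_db[new_id] = ("source", src)
            decisions[src] = policy.get(new_id, DEFAULT_ACTION)
        else:
            decisions[src] = "pass"
    return decisions, rule_db
```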
On the other hand, a white lists detector & determiner 341 included in the outbound processing unit 340 determines whether outbound contents are being illegally leaked using white lists (lists of important information of a user or enterprise). Large-volume data attached to outbound contents, and leaked accordingly, is generally logged. Thus, the outbound processing unit 340 can directly block the illegal leakage of the large-volume data by comparing the log with the white lists. An information leakage prevention processor 342 may then determine whether to pass or block the outbound contents.
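The outbound check described above (comparing a log of outbound attachments against white lists of important information, then passing, blocking or controlling per administrator policy), as an added Python example that is not part of the patent; the log format, the fingerprinting by truncated SHA-256, the protected documents and the policy actions are all constructed assumptions:

```python
"""Outbound white-list check over an attachment log (constructed toy model of units 341-342)."""
import hashlib
import re

def fingerprint(content: str) -> str:
    """Content fingerprint used to recognise important information in the white list."""
    return hashlib.sha256(content.encode()).hexdigest()[:16]

# Constructed important documents and the administrator's policy for a leakage attempt
CUSTOMER_DB = "PII: customer records export, 120,000 rows"
ROADMAP = "CONFIDENTIAL: product roadmap 2007"
PROTECTED_DOCS = {"customer-db-export": (CUSTOMER_DB, "block"),
                  "roadmap-2007": (ROADMAP, "control")}
# White list: fingerprint -> (document name, action)
WHITE_LIST = {fingerprint(text): (name, action) for name, (text, action) in PROTECTED_DOCS.items()}

# Constructed log format for large-volume outbound attachments (one line per attachment)
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>\S+) "
                    r"fp=(?P<fp>[0-9a-f]{16})$")
SAMPLE_LOG = [
    f"2006-09-01T09:12:03 user=alice channel=email fp={fingerprint(CUSTOMER_DB)}",
    f"2006-09-01T09:15:47 user=bob channel=p2p fp={fingerprint(ROADMAP)}",
    f"2006-09-01T09:20:11 user=carol channel=im fp={fingerprint('quarterly newsletter draft')}",
    "2006-09-01T09:21:00 user=dave channel=email fp=not-a-fingerprint",   # malformed entry
]

def parse_log_line(line):
    """Return the log record as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def check_outbound(log_lines, white_list):
    """White lists detector & determiner (341) plus leakage prevention processor (342).
    Returns one (user, channel, matched document or None, action) per log line."""
    results = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            # An entry the detector cannot read must not silently pass: hand it to an administrator
            results.append((None, None, None, "review"))
            continue
        hit = white_list.get(rec["fp"])
        if hit is None:
            results.append((rec["user"], rec["channel"], None, "pass"))
        else:
            name, action = hit
            results.append((rec["user"], rec["channel"], name, action))
    return results
```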
Referring to
Specifically, the initial countermeasure includes detecting a rule-based attack and/or an activity-based attack, combining the attacks in order to accurately determine whether an attack has been launched using the two attack detection techniques, determining whether the attack has been launched based on the combined attacks, updating the rule DB based on the determination result, and processing the attack by passing, blocking or controlling it.
The third countermeasure includes determining whether the outbound contents have been illegally leaked by comparing a log of the outbound contents with white lists and preventing the illegal leakage of important information by passing or controlling the important information according to a policy of an administrator.
As described above, the present invention provides a PIPPF and an NPIPPS in order to protect important personal and corporate information. Since the PIPPF includes the NPIPPS and an integrated IAM/NAC solution, it can monitor inbound and outbound contents at the network level and thus prevent the inflow of harmful and malicious information and the illegal leakage of important information. In addition, the PIPPF can prevent abnormal user activity within a network and unauthorized use of information.
While this invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The exemplary embodiments should be considered in descriptive sense only and not for purposes of limitation. Therefore, the scope of the invention is defined not by the detailed description of the invention but by the appended claims, and all differences within the scope will be construed as being included in the present invention.
It may be easily understood by those of ordinary skill in the art that each operation included in the present invention can be variously implemented in software or hardware using a general programming technique.
Some operations of the present invention can also be embodied as computer readable codes on a computer readable recording medium. The computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system.
Number | Date | Country | Kind |
---|---|---|---|
10-2005-0120166 | Dec 2005 | KR | national |
10-2006-0083569 | Aug 2006 | KR | national |