WO2013089395A1 - Signature-based wireless intrusion prevention system - Google Patents

Signature-based wireless intrusion prevention system

Info

Publication number
WO2013089395A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless
intrusion
signature
analysis
policy
Prior art date
Application number
PCT/KR2012/010682
Other languages
French (fr)
Korean (ko)
Inventor
류동주
Original Assignee
주식회사 코닉글로리
Priority date
Filing date
Publication date
Application filed by 주식회사 코닉글로리
Publication of WO2013089395A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Abstract

The present invention provides a signature-based wireless intrusion prevention system capable of effectively detecting a wireless intrusion signal and blocking the signal. The present invention provides a method for operating a signature-based wireless intrusion prevention system, comprising the steps of: collecting wireless data packets; analyzing the collected wireless data packets; and providing a file corresponding to the analyzed result, wherein the step of analyzing the wireless data packets comprises a preprocessing step for analyzing a wireless threat to verify the packets and analyzing a protocol attack, and a step for allowing an intrusion detection engine to search for provided policies to select one policy and to execute an intrusion prevention operation according to the selected policy.

Description

Signature-based wireless intrusion prevention system
The present invention relates to a wireless intrusion prevention system and, more particularly, to a signature-based wireless intrusion prevention system.
In general, with the rapid development and spread of the Internet, network environments keep growing larger, and their structure is becoming more complex because of the easy, convenient network access the Internet offers and the wide range of services provided over it. At the same time, network attacks of many kinds, such as viruses, hacking, system intrusion, acquisition of system administrator privileges, concealment of intrusions and denial-of-service attacks, keep the Internet permanently exposed to compromise; incidents are on the rise, and public institutions, critical infrastructure and financial institutions suffer damage of ever greater scale and impact. Network security technologies such as antivirus software, firewalls, integrated security management and intrusion detection systems are needed to address these Internet security problems.
A wireless LAN system for wireless Internet communication comprises a wireless LAN access point (AP) and wireless LAN terminals. The access point is deployed as a piece of equipment called an access point device. A wireless LAN terminal receives the information delivered by the access point and passes it on to the next stage. Because the access point devices in common use today provide only transport and network support for wireless traffic, they do not filter hostile information that intrudes over the air.
Recently, integrated network systems combining wired and wireless access have been widely developed and deployed. Reliably blocking harmful traffic that arrives over the wire is already difficult, and reliably blocking harmful traffic that arrives wirelessly is harder still. Intrusion prevention systems are being developed to address this, but no intrusion prevention system has yet been developed that reliably blocks hostile packets intruding over the air.
The present invention provides a signature-based wireless intrusion prevention system that can effectively detect and block signals intruding wirelessly.
The present invention provides a method of operating a signature-based wireless intrusion prevention system, the method comprising: collecting wireless data packets; analyzing the collected wireless data packets; and providing a file corresponding to the result of the analysis, wherein analyzing the wireless data packets comprises a preprocessing step that performs wireless threat analysis and protocol attack analysis to verify the packets, and a step in which an intrusion detection engine searches the provided policies, selects one policy and performs an intrusion prevention operation according to the selected policy.
The wireless threat analysis is characterized by including ARP spoofing, MAC spoofing, rogue access point and anti-stumbler methods.
The protocol attack analysis is characterized by including analysis based on flooding conditions, analysis based on port scans and analysis based on fragmentation.
The intrusion detection engine is characterized by using a blacklist, a whitelist and a graylist.
According to the present invention, the wireless intrusion prevention system has a policy search function, so policies can be applied more effectively to the operation of blocking wireless intrusions, and hostile signals can therefore be detected and blocked more reliably.
FIG. 1 is a block diagram of an intrusion prevention system, provided to explain the present invention.
FIG. 2 is an operation flowchart of a wireless intrusion prevention system according to an embodiment of the present invention.
DETAILED DESCRIPTION. Hereinafter, the most preferred embodiments of the present invention are described with reference to the accompanying drawings, in enough detail that a person of ordinary skill in the art can readily practice the technical idea of the invention.
FIG. 1 is a block diagram of an intrusion prevention system, provided to explain the present invention.
Referring to FIG. 1, the intrusion prevention system includes a plurality of sensors 12 and a manager 13. Several sensors 12 are provided, and their number may be determined by the regional characteristics of the area in which the wired/wireless network system is deployed. The positions at which the sensors 12 are placed may likewise vary with the regional characteristics of the wired/wireless network.
A sensor 12 senses the data that the AP 11 receives from a wireless terminal 10 and forwards, as well as the data the AP transmits to the wireless terminal 10 on request. The manager 13 controls the sensors 12 so that they inspect whether the data packets they deliver are malicious and, depending on the result, controls whether the wireless terminal 10 is allowed to remain connected to the wired/wireless network. As shown in FIG. 1, each zone in which the network is installed has its own corresponding sensors, and each group of sensors is controlled by its own manager.
FIG. 2 is an operation flowchart of a wireless intrusion prevention system according to an embodiment of the present invention. In particular, FIG. 2 shows the internal processing of wireless Snort.
Referring to FIG. 2, the wireless intrusion prevention system according to this embodiment first collects wireless data packets (S1). The wireless data packets collected here may be packets that the wireless terminal 10 requested and the AP 11 delivers to the wireless terminal 10, or packets that the wireless terminal 10 sends, the AP 11 receives, and which are forwarded on to the network system.
Next, analysis of the collected wireless data packets begins (S2).
Next, the preprocessor verifies the collected wireless data packets (S3). Wireless threat analysis and protocol attack analysis are performed on the collected wireless data packets.
Wireless threat analysis includes the ARP spoofing, MAC spoofing, rogue access point (rogue AP) and anti-stumbler methods.
ARP (Address Resolution Protocol) is the protocol that obtains the MAC address (the Ethernet address) corresponding to an IP address (Internet Protocol address) on a LAN (local area network). By broadcasting an ARP packet within a network, one learns the IP and MAC addresses of the computers on that network that respond to it.
ARP spoofing is a hacking technique in which forged ARP reply packets are sent to a particular computer so that the packets of that computer are delivered to the attacker's own machine. When ARP spoofing is carried out between hosts (user computers), the victim host sends its packets to the host that sent the spoofed ARP. When the device receiving the spoofed ARP is a router or L3 switch, however, the router or L3 switch sends packets to the wrong destination, which can leave the hosts connected to that router or L3 switch with no Internet access at all.
ARP spoofing detection techniques can be divided into two types by method. The first uses DHCP (Dynamic Host Configuration Protocol) packets, and the second uses IP together with ARP/RARP (Reverse ARP).
The method using DHCP packets uses a system consisting of a DHCP packet collection device, a DHCP packet analysis device and an ARP spoofing detection device. The ARP spoofing detection technique using DHCP packets records, in a database, the MAC address associated with each IP address at the moment the DHCP server assigns that IP. If it later detects an ARP that does not match the MAC address stored in this database, it treats the ARP as spoofing.
The method using IP and ARP/RARP, on the other hand, uses a system consisting of an IP packet collection device, an IP packet analysis device, a RARP transmission device and an ARP spoofing detection device. The ARP spoofing detection technique using IP and ARP/RARP checks whether an IP packet received by the system matches the IP (or MAC) address of the local network; if it does not, it sends a RARP request, and if no reply arrives it judges that ARP spoofing is occurring.
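The two detection methods just described can be exercised with the following Python. It is an added example, not code from the patent or its assignee. It assumes a DHCP binding table learned from DHCP ACKs, a local prefix of 192.168.1.0/24, and an injected rarp_lookup function that stands in for the RARP transmission device; the packet trace and the RARP answers are constructed, not captured. One caveat a practitioner should keep in mind: most current hosts never answer RARP at all, so silence on a RARP probe is a weak signal on its own and is best combined with the DHCP-binding check, which is why the second method below consults the bindings first.

```python
"""ARP spoofing detection by (1) DHCP-learned IP/MAC bindings and (2) an
IP/ARP consistency check backed by a RARP probe. Added example; the packet
trace and RARP table below are constructed, not captured."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class ArpSpoofDetector:
    local_net: ipaddress.IPv4Network
    # Stand-in for the RARP transmission device (assumption): maps a MAC to the
    # IP a RARP server would answer with, or None when nobody replies.
    rarp_lookup: Callable[[str], Optional[str]]
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac from DHCP ACKs

    def on_dhcp_ack(self, ip: str, mac: str) -> None:
        """Method 1, learning phase: record the binding the DHCP server handed out."""
        self.bindings[ip] = mac.lower()

    def check_arp_reply(self, sender_ip: str, sender_mac: str) -> str:
        """Method 1: an ARP reply asserting sender_ip-is-at-sender_mac is
        spoofing when the DHCP database says another MAC owns sender_ip."""
        expected = self.bindings.get(sender_ip)
        if expected is None:
            return "unknown"  # no lease on record, so method 1 cannot judge
        return "ok" if expected == sender_mac.lower() else "spoof"

    def check_ip_packet(self, src_ip: str, src_mac: str) -> str:
        """Method 2: if the packet's source is not a known local host, ask RARP
        which IP src_mac should have; no answer (or a different IP, an added
        strictness not in the patent text) is treated as spoofing."""
        is_local = ipaddress.ip_address(src_ip) in self.local_net
        if is_local and self.bindings.get(src_ip) == src_mac.lower():
            return "ok"
        answer = self.rarp_lookup(src_mac.lower())
        if answer is None:
            return "spoof"
        return "ok" if answer == src_ip else "spoof"


def analyze(detector: ArpSpoofDetector, events) -> list:
    """Run a trace of (kind, ip, mac) events through the detector; one verdict per event."""
    verdicts = []
    for kind, ip, mac in events:
        if kind == "dhcp_ack":
            detector.on_dhcp_ack(ip, mac)
            verdicts.append("learned")
        elif kind == "arp_reply":
            verdicts.append(detector.check_arp_reply(ip, mac))
        elif kind == "ip":
            verdicts.append(detector.check_ip_packet(ip, mac))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return verdicts


# Constructed sample trace (not a real capture).
SAMPLE_EVENTS = [
    ("dhcp_ack", "192.168.1.1", "aa:bb:cc:00:00:fe"),    # gateway reservation
    ("dhcp_ack", "192.168.1.10", "aa:bb:cc:00:00:10"),   # a station's lease
    ("arp_reply", "192.168.1.10", "aa:bb:cc:00:00:10"),  # legitimate reply
    ("arp_reply", "192.168.1.1", "de:ad:be:ef:00:01"),   # attacker claims the gateway IP
    ("arp_reply", "192.168.1.77", "aa:bb:cc:00:00:77"),  # IP with no lease on record
    ("ip", "192.168.1.10", "aa:bb:cc:00:00:10"),         # consistent with its lease
    ("ip", "10.9.9.9", "de:ad:be:ef:00:01"),             # foreign source, RARP stays silent
    ("ip", "192.168.1.20", "aa:bb:cc:00:00:20"),         # static host, RARP confirms it
]

# Constructed RARP answers (assumption): only the static host is known to the RARP server.
FAKE_RARP_TABLE = {"aa:bb:cc:00:00:20": "192.168.1.20"}


def build_demo_detector() -> ArpSpoofDetector:
    return ArpSpoofDetector(
        local_net=ipaddress.ip_network("192.168.1.0/24"),
        rarp_lookup=FAKE_RARP_TABLE.get,
    )


def run_demo() -> list:
    return analyze(build_demo_detector(), SAMPLE_EVENTS)


if __name__ == "__main__":
    for (kind, ip, mac), verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{kind:9} {ip:14} {mac}  -> {verdict}")
```

The "unknown" verdict for an IP that has no lease on record is deliberate: the DHCP method can only judge addresses the DHCP server handed out, so statically addressed hosts fall through to the RARP-backed method or, in the system described above, to the graylist.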
MAC spoofing forges the MAC (or IP) address of packets and is commonly used in DDoS attacks. When such a DDoS attack occurs, locating the host that is carrying it out within a short time becomes extremely difficult, because spoofed DDoS packets generally do not carry a genuine MAC or IP address, so it is impossible to determine where a packet came from by inspecting the packet itself.
A rogue access point (rogue AP) is a privately installed access point that does not follow the organization's security policy. In an enterprise wireless LAN in particular, an outsider or illegal intruder can enter through a wireless AP that an ordinary user installed privately and reach every resource with the same privileges as an internal employee, so however much has been invested in the enterprise's security infrastructure, it can be rendered useless in an instant. Rogue APs can be countered by regulating the installation of unauthorized APs within the enterprise, or by authenticating APs with 802.1X on the switch. For accurate rogue AP prevention, however, direct physical surveillance, such as an administrator walking the AP coverage area with an analyzer, is the best approach.
Network Stumbler is one of the tools for discovering APs, and it can be used to find out whether an AP is unauthorized.
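The rogue AP and anti-stumbler checks named above can be expressed as the following Python. It is an added example and not code from the patent or its assignee. It assumes an authorized AP inventory keyed by BSSID (constructed here), beacon observations of the form (BSSID, SSID, security), and probe-request observations of the form (timestamp, client MAC, SSID, channel); all of the sample data is constructed. The text names anti-stumbler analysis but does not define it, so the stumbler check below is one reasonable reading: a client emitting a burst of wildcard (empty-SSID) probe requests across many channels in a short time, which is how tools such as Network Stumbler look on the air.

```python
"""Rogue AP classification against an authorized inventory, plus detection of
stumbler-style probing. Added example; inventory and observations are constructed."""
from collections import defaultdict

# Authorized AP inventory (constructed for this example; assumption).
AUTHORIZED_APS = {
    "00:11:22:00:00:01": {"ssid": "CorpNet", "channel": 6, "security": "WPA2"},
    "00:11:22:00:00:02": {"ssid": "CorpNet", "channel": 11, "security": "WPA2"},
}


def classify_beacon(bssid, ssid, security, inventory=AUTHORIZED_APS):
    """Compare one observed beacon with the inventory.
    authorized:    BSSID known, SSID and security as recorded
    misconfigured: BSSID known but SSID or security differ (also what a
                   MAC-spoofed copy of a real AP looks like)
    evil-twin:     unknown BSSID advertising one of our SSIDs
    rogue:         unknown BSSID advertising anything else"""
    known = inventory.get(bssid.lower())
    if known is None:
        our_ssids = {ap["ssid"] for ap in inventory.values()}
        return "evil-twin" if ssid in our_ssids else "rogue"
    if known["ssid"] != ssid or known["security"] != security:
        return "misconfigured"
    return "authorized"


def detect_stumblers(probes, window=5.0, min_probes=10, min_channels=5):
    """Flag clients whose wildcard (empty-SSID) probe requests, bucketed into
    fixed `window`-second slots, reach `min_probes` probes across at least
    `min_channels` distinct channels in one slot. Thresholds are assumptions."""
    channels = defaultdict(set)   # (mac, slot) -> channels probed
    counts = defaultdict(int)     # (mac, slot) -> wildcard probe count
    for ts, mac, ssid, channel in probes:
        if ssid == "":
            key = (mac.lower(), int(ts // window))
            channels[key].add(channel)
            counts[key] += 1
    return {mac for (mac, slot), chans in channels.items()
            if counts[(mac, slot)] >= min_probes and len(chans) >= min_channels}


# Constructed observations (not a real capture).
SAMPLE_BEACONS = [
    ("00:11:22:00:00:01", "CorpNet", "WPA2"),
    ("00:11:22:00:00:02", "CorpNet", "WPA2"),
    ("00:11:22:00:00:02", "CorpNet", "OPEN"),     # real BSSID, security downgraded
    ("66:77:88:00:00:09", "CorpNet", "WPA2"),     # unknown radio using our SSID
    ("66:77:88:00:00:0a", "MyHomeAP", "WPA2"),    # an employee's personal AP
]

SAMPLE_PROBES = (
    # A scanner stepping through all 13 channels, one wildcard probe every 200 ms.
    [(0.2 * i, "de:ad:be:ef:ca:fe", "", 1 + i % 13) for i in range(13)]
    # A normal station: one directed probe and one wildcard probe on its own channel.
    + [(1.0, "aa:bb:cc:dd:ee:01", "CorpNet", 6), (4.0, "aa:bb:cc:dd:ee:01", "", 6)]
)


def run_demo():
    verdicts = [classify_beacon(b, s, sec) for b, s, sec in SAMPLE_BEACONS]
    return verdicts, detect_stumblers(SAMPLE_PROBES)


if __name__ == "__main__":
    verdicts, stumblers = run_demo()
    for (bssid, ssid, sec), verdict in zip(SAMPLE_BEACONS, verdicts):
        print(f"{bssid} {ssid:10} {sec:5} -> {verdict}")
    print("stumblers:", sorted(stumblers))
```

Ordinary client operating systems also send wildcard probes when they look for known networks, so the probe count alone produces false positives; the channel spread within one slot is the more discriminating feature, and both thresholds need tuning per site.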
Continuing, protocol attack analysis is performed. Protocol attack analysis uses a method based on flooding conditions, a method based on port scans, and a method based on fragmentation.
Flooding attacks have recently been used frequently to target and disable servers on the Internet. A flooding attack occurs when a user sends a large number of requests to a server in a relatively short time with the intent of overloading the server and thereby disabling it. A flood of packets from a malicious user can overload a server in the same way that a flood of packets from a misconfigured system can.
A port scan is the act of repeatedly accessing a server over the network in search of security weaknesses (security holes). Server computers exposed on the Internet operate according to the communication protocol suite called TCP/IP, and usually open several connection endpoints, called ports, on which they wait for users to connect. A port scan accesses these ports in turn to identify the application software and operating system running on the server and to determine whether any vulnerable port could serve as an entry point. If a port scan reveals a security hole, an intrusion often follows using an exploitation program. Network administrators may also run port scans to check their own systems for weaknesses. A server that is port-scanned retains suspicious records in its communication history (access log) that can be recognized as a port scan, and attackers sometimes try to conceal scans by spacing them out over time.
Fragmentation is a method used in short-range wireless communication devices to split IP packets and the like into smaller pieces so that data can be sent and received over a short-range wireless network that supports only relatively small packets.
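The three protocol attack analyses above can be run as one preprocessing pass over a packet trace. The following Python is an added example, not code from the patent or its assignee. It assumes packets are plain records with a timestamp, source, destination, optional destination port and optional fragment fields, and the trace is constructed inline. The flood and port-scan detectors implement the rate and distinct-port criteria the text describes, with thresholds that are assumptions; the fragmentation check goes one step beyond the definition given above and flags fragments of one datagram whose byte ranges overlap, which legitimate fragmentation never produces.

```python
"""Protocol attack preprocessing over a packet trace: flooding, port scans and
overlapping IP fragments. Added example; the trace is constructed inline."""
from collections import defaultdict


def _window_hit(events, window, predicate):
    """Slide a time window over (ts, value) events; True if predicate holds for any window."""
    events = sorted(events, key=lambda e: e[0])
    lo = 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        if predicate(events[lo:hi + 1]):
            return True
    return False


def detect_floods(packets, window=1.0, threshold=100):
    """Flood: more than `threshold` packets from one source to one destination in `window` seconds."""
    per_pair = defaultdict(list)
    for p in packets:
        per_pair[(p["src"], p["dst"])].append((p["ts"], 0))
    return {pair for pair, ev in per_pair.items()
            if _window_hit(ev, window, lambda w: len(w) > threshold)}


def detect_port_scans(packets, window=10.0, threshold=20):
    """Port scan: one source touches more than `threshold` distinct ports on one host in `window` seconds."""
    per_pair = defaultdict(list)
    for p in packets:
        if p.get("dport") is not None:
            per_pair[(p["src"], p["dst"])].append((p["ts"], p["dport"]))
    return {pair for pair, ev in per_pair.items()
            if _window_hit(ev, window, lambda w: len({port for _, port in w}) > threshold)}


def detect_fragment_overlap(packets):
    """Fragments of one datagram (src, dst, IP id) whose byte ranges overlap.
    Legitimate fragmentation never overlaps, so this marks a reassembly or
    evasion attack (an added check; the text above only defines fragmentation)."""
    seen = defaultdict(list)  # (src, dst, id) -> [(start, end), ...]
    hits = set()
    for p in packets:
        frag = p.get("frag")
        if not frag:
            continue
        key = (p["src"], p["dst"], frag["id"])
        start, end = frag["offset"], frag["offset"] + frag["len"]
        if any(start < e and s < end for s, e in seen[key]):
            hits.add(key)
        seen[key].append((start, end))
    return hits


def preprocess(packets):
    """One pass of the protocol attack analysis; each value is the set of offending keys."""
    return {
        "flood": detect_floods(packets),
        "port_scan": detect_port_scans(packets),
        "fragment_overlap": detect_fragment_overlap(packets),
    }


def build_sample_packets():
    """Constructed trace: a normal client, a flood, a port scan and two fragmented datagrams."""
    pkts = [{"ts": 1.0 * i, "src": "10.0.0.2", "dst": "10.0.0.1", "dport": 443} for i in range(5)]
    # 150 packets to one port within half a second.
    pkts += [{"ts": 10.0 + i / 300, "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 80} for i in range(150)]
    # 30 distinct ports within three seconds.
    pkts += [{"ts": 20.0 + port / 10, "src": "10.0.0.6", "dst": "10.0.0.1", "dport": port} for port in range(1, 31)]
    # Benign fragmentation: two non-overlapping pieces of datagram 4660.
    pkts.append({"ts": 30.0, "src": "10.0.0.7", "dst": "10.0.0.1",
                 "frag": {"id": 4660, "offset": 0, "len": 1480, "more": True}})
    pkts.append({"ts": 30.01, "src": "10.0.0.7", "dst": "10.0.0.1",
                 "frag": {"id": 4660, "offset": 1480, "len": 200, "more": False}})
    # Hostile fragmentation: the second piece of datagram 77 rewrites bytes 8..32 of the first.
    pkts.append({"ts": 31.0, "src": "10.0.0.8", "dst": "10.0.0.1",
                 "frag": {"id": 77, "offset": 0, "len": 24, "more": True}})
    pkts.append({"ts": 31.01, "src": "10.0.0.8", "dst": "10.0.0.1",
                 "frag": {"id": 77, "offset": 8, "len": 24, "more": False}})
    return pkts


if __name__ == "__main__":
    for name, hits in preprocess(build_sample_packets()).items():
        print(name, sorted(hits))
```

The sliding window is what makes the port-scan detector robust to the spacing trick mentioned above: a scanner that spreads its probes out still trips the threshold once the window is widened, at the cost of holding more state per source/destination pair.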
이어서 계속해서 살펴보면, 침임탐지 엔진을 가동한다. 침입탐지 엔진은 제공되는 정책이 어떤 것인지 검색하고(S4), 사용할 정책을 정한다. Continuing to look at it, we turn on the intrusion detection engine. Intrusion detection engine detects what policy is provided (S4), and determines the policy to use.
정책(룰)을 검색하는 것은 침입 탐지 및 차단동작에 필요한 필터링 정책, 침입 탐지 정책, 접근제어 정책 등의 정책을 검색하고, 현재 필요한 정책(룰)을 선택하는 과정을 말한다.Searching for a policy (rule) refers to a process of searching for a policy such as a filtering policy, an intrusion detection policy, and an access control policy necessary for intrusion detection and blocking, and selecting a currently required policy (rule).
정책이 정해지면 그 정책에 맞게 동작하는데, 예를 들어, 접근 제어 정책을 참조하여 허가받지 않은 사용자의 시스템 사용을 막고 모든 주체는 객체에 접근할 수 있는 권한을 가진 경우에만 접근이 가능하도록 하고, 그 결과를 로그 파일에 저장 하게 하는 것이다.Once a policy is set, it operates in accordance with the policy. For example, refer to an access control policy to prevent unauthorized users from using the system, and make sure that all subjects can access only if they have access to the object. The result is stored in a log file.
Next, an intrusion blocking operation is performed to determine whether the wireless data packet is intrusion data intended for hacking (S5). At this stage a black list, a white list and a gray list are used.
The black list is a list of mobile terminals that are in a bad state or have been stolen; the white list is a list of all mobile terminals in good standing; and the gray list is a list of mobile terminals whose status is unclear.
When the intrusion prevention engine completes its operation, it generates a log file and notifies the user (S6).
A wireless intrusion prevention system performs blocking based on the policy base stored in the system itself; that is, it performs the wireless intrusion blocking operation using only the single policy stored internally.
However, the wireless intrusion prevention system according to the present invention has been developed so that signatures (detection policies or rules) can be authored and distributed by the system itself. It is also designed to perform functions such as blocking, temporary blocking and temporary allowing, using the black list, white list and gray list among others. The wireless intrusion blocking operation can therefore be performed while the required policies are reflected easily and effectively.
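The policy selection (S4), list-based blocking (S5) and log output (S6) described above, as an added Python example that is not the patent's own code or the applicant's implementation. The verdict order (black list first, then any signature hit from preprocessing, then white list, then gray list, then the policy default), the policy names and the locally administered MAC addresses are assumptions made for the example; the page describes the lists and the block / temporary-block / temporary-allow actions but not their precedence.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    TEMP_BLOCK = "temporary_block"
    TEMP_ALLOW = "temporary_allow"


@dataclass(frozen=True)
class Policy:
    """One policy (rule set): the three terminal lists plus what to do when none applies."""
    name: str
    black_list: frozenset
    white_list: frozenset
    gray_list: frozenset
    gray_action: Verdict = Verdict.TEMP_ALLOW      # unclear terminal: let it in for now, keep watching
    default_action: Verdict = Verdict.TEMP_BLOCK   # unknown terminal: hold it until an operator decides


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a collected wireless packet after preprocessing."""
    src_mac: str
    signature_hits: tuple = ()  # names of detection signatures matched during preprocessing


def select_policy(policies, wanted_name):
    """S4: search the provided policies and select the one to use (first match by name)."""
    for policy in policies:
        if policy.name == wanted_name:
            return policy
    raise LookupError(f"no policy named {wanted_name!r}")


def evaluate(packet, policy):
    """S5: decide the action for one packet. Assumed precedence: black list wins, then a
    signature hit, then white list, then gray list, then the policy's default action."""
    if packet.src_mac in policy.black_list:
        return Verdict.BLOCK, "black list"
    if packet.signature_hits:
        # A trusted terminal that starts matching attack signatures is held, not waved through.
        return Verdict.TEMP_BLOCK, "signature: " + ",".join(packet.signature_hits)
    if packet.src_mac in policy.white_list:
        return Verdict.ALLOW, "white list"
    if packet.src_mac in policy.gray_list:
        return policy.gray_action, "gray list"
    return policy.default_action, "unlisted"


def run_engine(packets, policies, wanted_name):
    """S4 to S6: select a policy, evaluate every packet, return the lines of the log file."""
    policy = select_policy(policies, wanted_name)
    log = []
    for pkt in packets:
        verdict, reason = evaluate(pkt, policy)
        log.append(f"policy={policy.name} mac={pkt.src_mac} action={verdict.value} reason={reason}")
    return log


# Constructed lists and packets (locally administered MAC addresses, not real devices).
POLICIES = (
    Policy("office-default",
           black_list=frozenset({"02:00:00:00:00:01"}),
           white_list=frozenset({"02:00:00:00:00:02", "02:00:00:00:00:03"}),
           gray_list=frozenset({"02:00:00:00:00:04"})),
    Policy("lockdown",
           black_list=frozenset({"02:00:00:00:00:01"}),
           white_list=frozenset({"02:00:00:00:00:02"}),
           gray_list=frozenset(),
           gray_action=Verdict.TEMP_BLOCK,
           default_action=Verdict.BLOCK),
)

SAMPLE_PACKETS = (
    Packet("02:00:00:00:00:01"),                                 # reported stolen
    Packet("02:00:00:00:00:02"),                                 # known-good terminal
    Packet("02:00:00:00:00:03", signature_hits=("port_scan",)),  # known-good, but scanning
    Packet("02:00:00:00:00:04"),                                 # status unclear
    Packet("02:00:00:00:00:05"),                                 # never seen before
)

if __name__ == "__main__":
    for line in run_engine(SAMPLE_PACKETS, POLICIES, "office-default"):
        print(line)
```

Switching the selected policy changes the outcome without touching the engine: under "office-default" an unknown terminal is only held temporarily, while under "lockdown" the same terminal is blocked outright, which is the "one policy selected at S4 drives S5" behaviour the description claims.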
Although the present invention has been described in detail above through representative embodiments, those of ordinary skill in the art to which the present invention pertains will understand that various modifications to the embodiments described above are possible without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments but should be defined by the claims that follow and their equivalents.

Claims (4)

  1. A method of operating a signature-based wireless intrusion prevention system, the method comprising:
    collecting a wireless data packet;
    analyzing the collected wireless data packet; and
    providing a file corresponding to the result of the analysis,
    wherein analyzing the wireless data packet comprises
    a preprocessing step of performing wireless threat analysis and protocol attack analysis for packet verification, and
    a step in which an intrusion detection engine searches the provided policies, selects one policy, and performs an intrusion blocking operation according to the selected policy.
  2. The method of claim 1,
    wherein the wireless threat analysis
    comprises ARP spoofing, MAC spoofing, unauthorized access point and anti-stumbler methods.
  3. The method of claim 1,
    wherein the protocol attack analysis comprises analysis using a flooding situation, analysis using a port scan and analysis using fragmentation.
  4. The method of claim 1,
    wherein the intrusion detection engine
    uses a black list, a white list and a gray list.
PCT/KR2012/010682 2011-12-16 2012-12-10 Signature-based wireless intrusion prevention system WO2013089395A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020110136758A KR101186873B1 (en) 2011-12-16 2011-12-16 Wireless intrusion protecting system based on signature
KR10-2011-0136758 2011-12-16

Publications (1)

Publication Number Publication Date
WO2013089395A1 true WO2013089395A1 (en) 2013-06-20

Family

ID=47287216

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2012/010682 WO2013089395A1 (en) 2011-12-16 2012-12-10 Signature-based wireless intrusion prevention system

Country Status (2)

Country Link
KR (1) KR101186873B1 (en)
WO (1) WO2013089395A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101315686B1 (en) 2013-07-19 2013-10-08 이니텍(주) Control method for posterior auditing of computer network
KR101557857B1 (en) * 2014-04-02 2015-10-06 유넷시스템주식회사 Detection apparatus for wireless intrusion prevention system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20010090014A (en) * 2000-05-09 2001-10-18 김대연 system for protecting against network intrusion
US20050044418A1 (en) * 2003-07-25 2005-02-24 Gary Miliefsky Proactive network security system to protect against hackers
US20060002331A1 (en) * 2004-02-11 2006-01-05 Airtight Networks, Inc. (F/K/A Wibhu Technologies, Inc.) Automated sniffer apparatus and method for wireless local area network security
KR20060034581A (en) * 2004-10-19 2006-04-24 한국전자통신연구원 Intrusion detection and prevention system and method thereof
US20070094741A1 (en) * 2002-05-20 2007-04-26 Airdefense, Inc. Active Defense Against Wireless Intruders
KR20070054067A (en) * 2005-11-22 2007-05-28 충남대학교산학협력단 Wireless access point apparatus and network traffic intrusion detection and prevention method using the same

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017091047A1 (en) * 2015-11-27 2017-06-01 삼성전자 주식회사 Method for blocking connection in wireless intrusion prevention system and device therefor
KR20170062301A (en) * 2015-11-27 2017-06-07 삼성전자주식회사 Method and apparatus for preventing connection in wireless intrusion prevention system
US10834596B2 (en) 2015-11-27 2020-11-10 Samsung Electronics Co., Ltd. Method for blocking connection in wireless intrusion prevention system and device therefor
KR102329493B1 (en) * 2015-11-27 2021-11-22 삼성전자 주식회사 Method and apparatus for preventing connection in wireless intrusion prevention system

Also Published As

Publication number Publication date
KR101186873B1 (en) 2012-10-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12857110; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12857110; Country of ref document: EP; Kind code of ref document: A1)