KR100703567B1 - Online Content Access Control System and Method - Google Patents

Abstract

The present invention relates to an online content access control system and method.

Online content access control system according to the present invention is the Internet network; A user terminal connected to the internet network; An authentication system for authenticating network access information when the user terminal accesses the Internet network; An edge router controlling packets transmitted and received from the internet network to the user terminal; A content providing server providing content to the user terminal; An access control system controlling the content providing server or the internet network access of the user terminal; And obtaining network access information for the user terminal to access the Internet network, comparing the contents included in the network access information with a preset blocking condition, and selecting the supply of the packet to supply the content. It characterized in that it comprises a; control server for controlling for each protocol provided content.

Addictive, selective control, service provider contact point, edge, TCP session block, UDP port block

Description

Online Contents Access Control System And Method

1 is a block diagram showing an online content access control system according to an embodiment of the present invention.

2 is a block diagram illustrating each process of the control server of FIG.

3 is a flowchart illustrating a method for controlling access to online content according to an embodiment of the present invention.

4 is a flowchart illustrating a method of collecting network access information according to an embodiment of the present invention.

5 is a flowchart illustrating a method of collecting network access information according to another embodiment of the present invention.

6 is a flow chart showing a traffic information collection method according to an embodiment of the present invention.

7 is a flow chart showing a traffic information collection method according to another embodiment of the present invention.

8 is a flow chart showing a traffic information collection method according to another embodiment of the present invention.

9 is a flowchart illustrating a traffic information processing method according to an embodiment of the present invention.

10 is a flowchart illustrating a method of determining content classification and blocking conditions according to an embodiment of the present invention.

11 is a flowchart illustrating a selective access control method for content of a user terminal according to an embodiment of the present invention.

12 is a flowchart illustrating a method for blocking IP communication according to an embodiment of the present invention.

13 is a flowchart illustrating a TCP communication blocking method according to an embodiment of the present invention.

14 is a flowchart illustrating a TCP communication blocking method according to another embodiment of the present invention.

15 is a flowchart illustrating a UDP communication blocking method according to an embodiment of the present invention.

16 is a flow chart showing in detail the data processing according to the selective access control by the control process according to an embodiment of the present invention.

FIG. 17 illustrates a combined packet for blocking TCP communication by OSI layer 3 layer (IP) protocol control according to the present invention. FIG.

FIG. 18 illustrates a combined packet for blocking UDP communication by OSI layer 3 layer (IP) protocol control according to the present invention. FIG.

19 is a view showing an RST, FIN control packet generated for TCP session control of the present invention.

      <Description of Symbols for Main Parts of Drawings>

10: Internet network 20: user terminal

30: authentication system 40: edge router

50: content providing server 60: access control system

70: control server 80: LNS

The present invention relates to an online content access control system and method, and more particularly, to an online content access control system and method for controlling the selective supply of the content in a user edge area using the content in the Internet network.

With the development of computer networks, many computer users share and use various data, and moreover, the number of users who use specific contents by accessing servers and servers providing specific contents is exploding. The server-client structure can access the server and use the contents provided by the server regardless of the characteristics of the user, that is, the user's age, environment, and knowledge level, as long as there is only a URL address for accessing the server. While this feature is very powerful in terms of easy sharing of various data, certain content may provide harmful environment for some users. Accordingly, when the user is a child or adolescent, a network-based control technology is emerging to effectively block access to a site by reviving a demand for access to a game or an adult site selectively.

Conventional network-based control technologies include session blocking technology for TCP blocking, network access blocking technology, and firewall technology for intranet control.

The TCP session blocking technique is a technique for blocking a server connection by controlling a TCP protocol used while a user establishes a path to access a server. This TCP session blocking technique is impossible to block packets transmitted and received based on other protocols, for example, UDP and RTP, and thus, only TCP-based services can be controlled.

On the other hand, the network access blocking technology is a technology for blocking the network itself that the user access. This network access blocking technology blocks the entire network to which the user wants to access, and has a disadvantage in that selective control of specific contents is impossible.

In addition, the firewall technology is a technology for blocking data flowing into the intranet in a plurality of computer edge areas constituting the intranet. This firewall technology is inconvenient to control the user list only if the scope of the control target is limited to the intranet, and if you want to apply the control criteria of each user constituting the intranet.

As a result, the conventional network-based control technology, due to the diversification of online contents and the development of service providing technology, has the following disadvantages of limited controllable content, limitations of the control target to intranet, and various users. It has technical and structural limitations that make it difficult to effectively accommodate the demands of control methods by hierarchy.

Accordingly, an object of the present invention is to provide a method for collecting / analyzing / processing user network access information and packets through linkage with a telecommunications carrier contact system.

It is another object of the present invention to provide an online content access control system and method that enables user-specific sorting control of online content by classifying content according to a control condition designated by a user and determining a blocking condition.

Another object of the present invention is to provide an online content access control system and method that enables selective access control of online content regardless of a communication protocol applied to an online content requested by a user.

Another object of the present invention is to provide an online content access control system and method that enables selective access control of content through the protocol control in transmission and reception of data using an IP layer and a TCP / UDP layer.

In order to achieve the above object, the online content access control system according to the present invention includes an Internet network; A user terminal connected to the internet network; An authentication system for authenticating network access information when the user terminal accesses the Internet network; An edge router controlling packets transmitted and received from the internet network to the user terminal; A content providing server providing content to the user terminal; An access control system controlling the content providing server or the internet network access of the user terminal; And obtaining network access information for the user terminal to access the Internet network, comparing the contents included in the network access information with a preset blocking condition, and selecting the supply of the packet to supply the content. It characterized in that it comprises a; control server for controlling for each protocol provided content.

The system includes an L2TP network server forming a virtual tunnel with the edge router; And a tap for copying the packet transmitted and received to the user terminal and supplying the packet to the control server.

The protocol is characterized in that at least one of TCP, UDP, RTP, IP.

The control server includes a FIN packet for supplying the user terminal or the content providing server when the TCP protocol control; And an RST packet for supplying the user terminal or the content providing server. It characterized in that at least one of generating.

The control server, when the UDP protocol control, characterized in that for generating a message requesting the blocking of the packet to the access control system.

The control server includes a capture process for receiving the user packet transmitted and received to the user terminal; A session management process for extracting source IP / PORT, destination IP / PORT and protocol information by analyzing the user packet; A log processing process of generating and storing a user access information log according to the network access information; An authentication information interworking process for receiving network access information provided from the authentication system; A content classification process of classifying a list of contents to be blocked among contents provided by the content providing server; A web-based process for providing an interface for transmitting and receiving information with the authentication system; An information construction process for collecting and managing management target URL information; An access control process for commanding content access according to the access control determination; And a control process for instructing a content blocking command by using the network access information, the analyzed user packet information, and the content lists.

The blocking condition is an age of the user; Contents classified according to the user age; A hierarchical list of the contents according to the classification; Access time according to the user; And a connectable time according to the user.

Online content access control method according to an embodiment of the present invention comprises the steps of collecting the user network access information, when the user terminal accesses the Internet network; Collecting content and user traffic transmitted to and received from the user terminal; Comparing the network access information with user information included in the user traffic; Comparing the traffic information with classified content and blocking conditions; Classifying the content by protocol according to the blocking condition and the comparison result of the traffic information, and performing access control of the user terminal by each classified protocol; And blocking network access of the user terminal according to the access control.

The network access blocking method may include an IP communication blocking, a TCP communication blocking, and a UDP communication blocking.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Prior to the description, the terms used in the present invention are defined below. An edge router is a router located at the border of a carrier network and the Internet. A TAB device is a network device that duplicates an input packet into two identical packets. Traffic is a continuous flow of packets generated by a user. open system interconnect is an abbreviation for open interconnect.

1 is a block diagram showing an online content access control system according to an embodiment of the present invention.

Referring to FIG. 1, the online content access control system according to the present invention includes an internet network 10, a user terminal 20 connected to the internet network 10, an authentication system 30, and an edge router ( 40, a content providing server 50, an access control system 60 and a control server 70, and the L2TP network server (LNS) 80 and the user to form a virtual tunnel with the edge router 40 A tab (TAB) (not shown) is further provided for copying packets transmitted and received to and from the terminal 20.

The internet network 10 is a set of networks in which a communication network and a communication network are interworked. The internet network 10 is not only a form of interconnecting a small communication network such as a LAN, but also an aggregation of a huge communication network covering the entire world. In the present invention, the Internet network 10 logically refers to the role of the interconnection path through which the signal flow between each component including the content providing server 50 and the user terminal 20, etc., and physically includes a number of cables It means a network formed by wired or wireless.

The user terminal 20 is a terminal that accesses the content providing server 50 and uses various services provided by the content providing server 50. Such a user terminal 20 refers to not only a personal computer but also all terminals using IP (Internet Protocol), such as a mobile notebook and a portable terminal. The user terminal 20 includes an ATM series and an IP series according to characteristics of a line connected to the Internet network 10. On the other hand, the user terminal 20, the user subscribed to the online content access control service to create the setting of the use time, the amount of time and the complex control criteria according to the content, based on the control information set by the user for each protocol of the content It works in conjunction with selective control.

The authentication system 30 checks whether the user terminal 20 connected to the Internet network 10 is registered to use the content access control service provided by the present invention, and the user information of the user terminal 20. For example, the IP address value is checked, and an authentication ID corresponding to the IP address value is assigned. In general, the authentication system 30 may be a system that a communication service provider (Internet Service Provider) such as KT, PowerComm, etc., establishes to authenticate the user terminal 20 subscribed to its Internet service. When the user terminal 20 wants to access the Internet network 10, the authentication system 30 transmits the user terminal network access information to the control server 70 via the access control system 60.

The edge router 40 establishes a communication line with the content providing server 50 to which a specific user terminal 20 of the plurality of user terminals 20 is to be connected at the terminal end of the network, which is a physical configuration of the Internet network 10. Manage the required address settings. That is, the edge router 40 receives the address value of the content providing server 50 to which the user terminal 20 wants to connect from another router constituting the Internet network 10, and the user terminal 20 and the content providing server. A communication line for data communication between 50 is established. The edge router 40 is a service edge router (SER) for routing the user terminal 20 of the IP series, a network access server (NAS) or an L2TP access concentrator (LAC) for routing the user terminal 20 of the ATM series. Etc. At this time, a General Routing Encapsulation (GRE) tunnel is formed between the SER and the network server 80 corresponding to the virtual IP address value assigned by the authentication system 30, and L2TP (Layer 2) between the NAS and the network server 80. Tunneling Protocol) A tunnel is formed.

The content providing server 50 provides various contents to the user terminal 20 when the user terminal 20 is connected, manages the setting information set by the user terminal 20, and changes the user terminal 20 to the change. It delivers to the control server 70 in real time.

The access control system 60 selectively controls the supply of the content transmitted to the user terminal 20 under the control of the control server 70. That is, the access control system 60 performs the role of selectively controlling the content access of the user terminal 20, for this purpose, the access control system 60 is the TCP, UDP, RTP and Access to the content transmitted to the user terminal 20 is controlled by controlling a protocol such as IP. The access control system 60 is already established by the above-mentioned communication service provider, and it is preferable to perform content access control of each user terminal 20 through linkage of the communication service provider.

The control server 70 checks whether the content providing server 50 and the content provided by the content providing server 50 to which the user terminal 20 is to be connected are on the access control list. The control signal for controlling the approach of 20 is transmitted to the connection control system 60. The control server 70 analyzes the user packet transmitted from the tap, and in the case of access information that meets the blocking condition, delivers a raw packet to the user through the edge router 40 to block TCP packets for each protocol. Or, it requests a block to the access control system 60 to block the UDP packet. This control server 70 will be described in detail with reference to FIG. 2.

2 is a diagram showing in detail each process configuration of the control server 70 according to an embodiment of the present invention.

2, the control server 70 of the present invention is a capture process 71, session management process 72, log processing process 73, control process 74, authentication information interworking process 75, content And a classification process 76, an external process 77, and an access control process 78.

The capture process 71 is a process of receiving a user packet copied by the TAB equipment, which distributes the user packet to the session management process 72.

The session management process 72 analyzes the user packet, extracts source IP / PORT, destination IP / PORT, and protocol information, and delivers it to the log processing process 73 and the control process 74.

The log processing process 73 generates and stores a log of user access information according to a user packet.

The control process 74 compares the user control condition predetermined by the user terminal 20 with the user packet information, and determines whether or not to block the processing. In detail, the control process 74 manages the content IP, the predetermined content list information, the network access information, and the connection time for each session to compare the session information for each packet and to block the TCP session blocking of the user who meets the blocking condition. In order to generate a raw packet and transmit it to a user, a request is made to block the UDP packet from the access control system 60 for UDP packet control. When the change of the blocking condition occurs, the control process 74 requests the connection control system 60 to release the blocked UDP PORT. For this purpose, the control process 74 calls the access control process 78 and a process related to the communication block.

The content list information includes a control target list classified for each control service, for example, a game server list for a game access permission or use time control service, white list information and black list information defined for each user group. Here, the white list information represents list information included in the control target list but excluded from the control target for each user group. In case of a site or content provided by a site that is not accessible to teenagers under 18, the user terminal ( The control service is selectively blocked according to the group of 20). The black list information may be a site list that blocks access of the user terminal 20 at source, and may be a site that is tracked by a cyber investigation unit, for example, a suicide site or a bomb making site. The blocking condition of the content list information and the control condition of the user terminal 20 may be individually adjusted according to the white list information and the black list information. That is, the blocking condition and the control condition are specified by the user terminal 20 according to the user's preferences. It can be adjusted appropriately according to the circumstances and circumstances.

The authentication information interworking process 75 receives a network access information generated by the authentication system 30 in association with the authentication system 30 when the user terminal 20 attempts to access the Internet network 10. 74).

The content classification process 76 generates a control process 74 by generating user terminal setting information set by the user terminal 20 in the content providing server 50 and information related to classification of various contents provided by the content providing server 50. To provide. The content classification process 76 includes a classification according to access permission criteria of the content to be classified, for example, an age group that can be accessed and a time that can be accessed. In detail, the content classification process 76 classifies users by rating according to a specific criterion in order to apply a selection criterion, that is, a blocking condition of the selective control function, and hierarchies the contents corresponding to each user rating to white list information and The black list information is created and provided to the control process 74.

The external process 77 includes a web-based process 77a and an information building process 77b. The web-based process 77a provides an interface for receiving information from the authentication system 30 in connection with the authentication system 30 of the telecommunication service provider providing the information necessary for the control process of the present invention, and provides a content providing server ( It manages user's configuration change of 50). The information building process 77b collects / manages management target URL information and may provide the content classification process 76 for site and content classification.

The access control process 78 instructs the access control system 60 to control the actual content connection of the user terminal 20 when the access control determination is determined by the control process 74. That is, the access control process 78 instructs the connection control system 60 to control the content connection by controlling protocols such as TCP, UDP, RTP, and IP.

In the above, each configuration of the online content access control system of the present invention has been described. Hereinafter, a content access control method using the online content access control system of the present invention will be described with reference to FIG. 4.

3 is a flowchart illustrating an online content access control method according to an embodiment of the present invention.

3, the online content access control method of the present invention first collects network access information of the user terminal 20 (S100).

In the step S100, as shown in FIG. 4, the method for collecting network access information includes an IP address, an authentication ID pair, and network access / release information received by the user terminal 20 during network access in the authentication system 30 of the communication service provider. Receiving step (S111), reading the setting information including the user's current control method according to the authentication ID in the storage medium of the carrier (S112), the authentication ID, IP Address and the user additional information control process 74 It can be collected, including the step (S113) to deliver.

On the other hand, in step S100, when the user terminal 20 establishes an access control service and attempts to access, as shown in FIG. 5, the MAC address collected from the user packet transmitted and received from the user terminal 20 as shown in FIG. Determining whether to register by comparing with a list stored in a storage medium of the storage medium (S121), and in the case of an unregistered MAC address, collecting user information by interworking with a user management system of a communication service provider providing a service to the user terminal 20 ( S122), storing the collected MAC address, IP address pair and additional information in a storage medium of a communication service provider (S123), and reading setting information including a user ID and a current control method according to the MAC address from the storage medium. In operation S124, the user ID, the IP address, and the user additional information may be transmitted to the control process 74.

Next, collect user traffic transmitted and received to the user terminal 20 (S200).

In the step S200, the method for collecting user traffic is to install the TAB equipment between the carrier edge router 40 and the Internet network 10 to copy the user packet as shown in Figure 6 (S211), load distribution If necessary (S212) in the switch (L4 Switch) step of distributing the packet by the hash key value according to the user IP (S213), the packet is read in the capture process through the LAN card installed in the control server 70 May include step S214.

On the other hand, in step S200, another method for collecting user traffic is a step of mirroring the user packet through a mirroring port (Mirroring Port) of the switch equipment connected to the carrier's uplink (UPLINK) as shown in FIG. S221), when load distribution is required (S222) in the switch (L4 Switch) equipment to distribute the packet by the hash key value according to the user IP (S223), the packet capture process through the LAN card installed in the control server 70 ( And reading step S224).

On the other hand, in step S200, another method of collecting user traffic is MAC address and session information (IP address pair and port pair) and L4 (OSI layer 4 layer) through protocol head analysis as shown in FIG. Collecting the protocol classification and the additional information (S231), calculating the number of sessions per session and the session maintenance time (S232), recording the session information and the additional information on the storage medium, and transmitting the information to the control process (S233). It may include.

Next, the traffic information collected in steps S100 and S200 is processed according to network access information (S300).

In step S300, as shown in FIG. 9, the method for processing traffic information is transmitted according to network access / release classification of user network access information transmitted to the control process 74 (S311). Loading the information into the memory of the control server 70 (S312), in the case of network disconnection after storing the user additional information in the storage medium (S313), and then removing it from the memory (S314), the control process 74 In step S315, the user information is classified from the transmitted traffic analysis information and compared with the corresponding network access information.

Next, classified content and blocking conditions are compared with the traffic information (S400).

In step S400, the method of classifying content and determining a blocking condition may include classifying the content list for each user group based on the white list information / black list information list for each user group (S411), and as shown in FIG. 10. Applying the blocking condition determination rule to the user IP, the destination IP / PORT delivered to the server 70, the list of use time and content grouped by the user group, and the control method specified by the user (S412), accordingly Determining whether the traffic is blocked or accumulated time (S413), Accumulating the usage time for each user / content according to the step S413 (S414), L4 (OSI layer 4 layer) protocol (TCP) for the traffic control target Call the access control process 78 according to UDP) (S415).

If a change in the control method of the user occurs in the step for determining the control method specified by the user terminal 20, providing an input tool for the user and reading the input before calling the access control process 78, setting The method may further include recording the information on the storage medium and transmitting the information to the control process, and determining a change of the control method currently applied to the network access user.

According to the result of step S400, the selective access control of the user terminal 20 is performed (S500).

In operation S500, the selective access control method may control session information including the user IP / PORT, the destination IP / PORT, and the protocol generated by the collection / analysis of the above-described traffic as illustrated in FIG. 11. (S511) storing the retrievable memory in the memory of (), transferring the session information to the control process 74 (S512), reading the blocking condition determination result of the control process 74 and recording it in the session information ( S513), when traffic classified into the same session occurs and a blocking according to the blocking condition is required, the method may include classifying by protocol and invoking a process for blocking communication described later (S514).

Finally, the communication block of the user terminal 20 according to the selective access control is performed (S600).

In step S600, the communication blocking method includes an IP communication blocking, a TCP communication blocking, a UDP communication blocking, and each blocking method will be described in detail below. First, as shown in FIG. 12, the method for blocking IP communication reads and stores an IP header and a TCP or UDP header of a packet for blocking communication through OSI layer 3 layer (IP) protocol control as illustrated in FIG. 12, and ICMP ( Internet control message protocol) generating a destination unreachable (ICMP UNREACH) packet (S612), mapping the header information stored in the data portion of the ICMP and generating an IP packet (S613), the packet to the source IP of the stored IP header And transmitting (S614). Here, the transmitted packet is interpreted by the terminal of the source IP and compares the packet transmitted by itself with the packet of the data part of the ICMP and recognizes the packet as a transmission error, thereby controlling the higher protocol based on the IP protocol including the IP protocol. can do.

On the other hand, in the step S600, another method of blocking TCP communication is TCP session information and sequence number in the user packet for the communication blocking through the OSI layer 4 layer (TCP) protocol control as shown in FIG. Reading and storing (S621), generating a TCP control RST (Reset) packet (S622), transmitting to the user terminal 20 and the server providing the content service, that is, the content providing server 50 (S623). It includes. Here, the transmitted packet may be interpreted by the terminal of the source IP to recognize that the TCP session is reset due to a problem of an application program or a terminal of the communication counterpart, thereby inducing communication termination and controlling the TCP session.

On the other hand, in step S600, another method of blocking TCP communication is to read the TCP session information and the sequence number from the user packet to block the communication through the OSI layer 4 layer (TCP) protocol control as shown in FIG. Storing (S631), generating a TCP control FIN (Finish) packet (S632), and transmitting to a user terminal and a server providing content service (S633). In this case, the transmitted packet may be interpreted by the terminal of the source IP to recognize the end of the corresponding TCP session by the application program of the communication counterpart to control the TCP session by inducing termination of the communication.

Finally, in the step S600, the UDP communication blocking method reads and stores IP / PORT information from a user packet for communication blocking through SI layer 4 layer (UDP) protocol control as shown in FIG. 15 (S641). In step S642, a UDP packet is sent by the access control system 60 to the connection control system 60 of the communication service provider. Blocking step S643 is included.

16 is a flowchart illustrating in detail each procedure corresponding to an online content access control method according to an embodiment of the present invention.

Referring to FIG. 16, the online content access control method according to the present invention is as follows.

Ⓐ Collects packets delivered by the service provider through tunneling technology.

Ⓑ When accessing the user network, the service provider's authentication system and access information (user ID, IP address) are interlocked.

Ⓒ Copy user packet with TAB and L4 Switch device and analyze the copied packet.

Ⓓ Configure user session information (Source IP / PORT, Target IP / PORT, Protocol) with the analyzed information.

Ⓔ It builds the current user's current configuration information in the process area of the daemon.

Ⓕ If the user configuration information is changed through the web, ⓖ save the changes in the DB or modify the process area information of the daemon after the DB change.

Ⓙ Check the block setting and if it is not the target of blocking, repeat logging and repeat.

If the destination information is included in the white list information, repeat after logging.

Ⓛⓟ If the destination information is not blocked and not included in the black list information, repeat after logging.

Ⓜ If the destination information is a blocking target, check the available set time.

Ⓝ If the available time is before the setting time, check the message notification and repeat after logging.

If the message is notified, notify the user terminal of the remaining time available for content such as games.

O The protocol is checked if the available time has timed out or if the destination information is included in the blacklist information.

Ⓡ If the checked protocol is TCP, create raw packet and send it to the user.

If the checked protocol is UDP, it requests the user's UDP packet blocking in conjunction with the router control system of the service provider.

Ⓣ Router drops UDP packet by applying filter rule to LC (Logical Circuit) of user.

Ends the content service such as a game by the blocking process.

Ⓥ Logs the processing results and repeats.

Meanwhile, hereinafter, as a result of the content access control, a packet combining process for controlling a protocol in each layer when the communication is blocked will be described in detail with reference to FIGS. 17 to 19.

17 illustrates a TCP packet combining process for controlling an OSI layer 3 layer (IP) protocol of an embodiment of a communication blocking method according to the present invention.

In detail, in the TCP control packet for IP protocol control, S311 and S312 refer to a TCP-based packet generated by a user, and for combination of ICMP packets for blocking control, S313-data refers to IP and TCP (S311, S312) protocols. Map the header to the ICMP data part without modification. In addition, S313-type is set to not reach destination (ICMP_UNREACH: 3), and S313-code is set to protocol not reached or port not reached (ICMP_UNREACH_PROTOCOL: 2 or ICMP_UNREACH_PORT: 3). And, S314 represents a combined IP header for blocking control, S314-Source IP is mapped to S311-Destination IP, S314-Destination IP is set to change to S311-Source IP to map.

18 illustrates a UDP packet combining process for controlling an OSI layer 3 layer (IP) protocol according to an embodiment of a communication blocking method according to the present invention.

In detail, in the UDP control packet, S321 and S322 denote UDP-based packets generated by the user, and for the combination of ICMP packets for blocking control, S323-data can change IP and UDP (S321, S322) protocol headers without changing them. Map to ICMP data part, S323-type is set to not reach destination (ICMP_UNREACH: 3), and S323-code is set to protocol not reached or port not reached (ICMP_UNREACH_PROTOCOL: 2 or ICMP_UNREACH_PORT: 3). S324 represents a combined IP header, S324-Source IP is set to S321-Destination IP, and 324-Destination IP is changed to S311-Source IP.

The TCP and UDP communication blocking method by the OSI layer 3 layer (IP) protocol control described above is an application for the active control of online content using the ICMP protocol, and the blocking by the FIN control packet in the TCP session control method is performed before the RST control. It can be applied more efficiently in signal transmission and reception and blocking than packet blocking.

19 illustrates a packet combining process for TCP protocol control in the OSI layer 4 layer of the embodiment of the communication blocking method according to the present invention.

In detail, S411 and S412 refer to a TCP-based packet generated by a user, and S422-F (Flags) for a packet in which an ACK field of S412-F (Flags) is set based on S411 and S412 for blocking control. Set RST or FIN field of S324, S324-Sequence number is same as S412-Acknowledgment number, S421-Source IP is mapped to S411-Destination IP and S421-Destination IP is changed to S411-Source IP. Set the mapping. The S422-Source Port is mapped to the S412-Destination Port, and the S422-Destination Port is changed to the S412-Source Port.

Such an online content access control system and method according to an embodiment of the present invention relates to a telecommunications provider's high-speed Internet edge-based online content control for wired communication subscribers, and provides a content service according to a condition set by a user. By controlling communication protocols such as UDP, RTP, etc., it has more advanced effect than TCP-based URL blocking or IP-based communication.

In addition, the present invention provides a method for interworking the authentication system of the service provider and traffic analysis / management for each user, a method of dividing the user by artificial groups to control the content access, and real-time according to the available time specified by the user or guardian Various methods of reflection and control, various control methods for blocking / release of TCP, UDP, RTP communication regardless of contents based protocol, copy user traffic based on network edge of service provider, and router filtering function by user By describing a method of interworking between systems for application, users can actively control their own services for additional services of high-speed Internet service providers in the existing control method by the service provider's settings.

In addition, the present invention collects / manages user network access information through interworking service provider authentication system, collects / analyzes user traffic at the service provider edge router, and determines the blocking condition for each user in the control server 70 to determine the content of the content. OSI Layer 3 layer (IP), 4 layer (TCP, UDP) protocols are controlled, and the user's access control system is requested to apply the router filtering function for each user. Do.

Meanwhile, in the detailed description of the present invention, specific embodiments have been described, but various modifications may be made without departing from the scope of the present invention, and an input may be processed to generate an output by processing a part of the function described in the present invention. Of course, it can be implemented as a mechanical device. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be defined not only by the claims below, but also by the equivalents of the claims.

As described above, the online content access control system and method according to an embodiment of the present invention may collect / analyze / process user network access information and traffic through linkage with a telecommunication service provider contact system.

The online content access control system and method according to another embodiment of the present invention may classify content according to a control condition specified by a user, determine a blocking condition, and perform user-specific selective control of the online content.

The online content access control system and method according to another embodiment of the present invention enables selective access control of online content regardless of a communication protocol applied to the online content requested by a user.

Finally, the online content access control system and method according to another embodiment of the present invention, in the transmission and reception of data using the IP layer and the TCP / UDP layer, it is possible to selectively access control of content through the protocol control. .

Claims (22)

Internet network; A user terminal connected to the internet network; An authentication system for authenticating network access information when the user terminal accesses the Internet network; An edge router controlling packets transmitted and received from the internet network to the user terminal; A content providing server providing content to the user terminal; An access control system controlling the content providing server or the internet network access of the user terminal; And The user terminal acquires network access information for accessing the Internet network, compares the contents included in the network access information with a preset blocking condition, and selects the supply of the packet to supply the content. Control server for controlling for each protocol provided; including the control server, A capture process for receiving the user packet transmitted to and received from the user terminal, and  A session management process for extracting source IP / PORT, destination IP / PORT and protocol information by analyzing the user packet; and An authentication information interworking process for receiving network access information provided from the authentication system; and A content classification process of classifying a list of contents to be blocked among contents provided by the contents providing server; and An access control process for controlling content access according to access control determination; and And a control process for instructing a content blocking command by using the network access information, the analyzed user packet information, and the content lists. The method of claim 1, An L2TP network server forming a virtual tunnel with the edge router; And And a tab for copying and transmitting the packet transmitted and received to the user terminal to the control server. The method according to claim 1 or 2, The protocol is Online content access control system, characterized in that at least one of TCP, UDP, RTP, IP. The method of claim 3, wherein The control server, When controlling the TCP protocol A FIN packet for supplying the user terminal or the content providing server; And An RST packet for supplying the user terminal or the content providing server; Generating at least one of the online contents access control system. The method of claim 3, wherein The control server, When controlling the UDP protocol, And generating a message requesting the access control system to block the packet. The method according to claim 1 or 2, The control server, A log processing process of generating and storing a user access information log according to the network access information; A web-based process for providing an interface for transmitting and receiving information with the authentication system; An online content access control system comprising an information construction process of collecting and managing management target URL information. The method according to claim 1 or 2, The blocking condition is, The age of the user; Contents classified according to the user age; A hierarchical list of the contents according to the classification; Access time according to the user; And Access time according to the user; online content access control system comprising a. Receiving an IP address, an authentication ID pair, and network connection / disconnection information, which are assigned when the user terminal accesses the network, from a communication service provider's authentication system; Reading setting information including a current control method of a user according to the authentication ID from a storage medium of a communication service provider; Transmitting the authentication ID, the IP address, and user additional information to a control process; Collecting network access information through each of the above steps and collecting user traffic transmitted and received to the user terminal; Comparing the network access information with user information included in the user traffic; Comparing the classified information and the preset blocking condition with the traffic information; Classifying the content by protocol according to the blocking condition and the comparison result of the traffic information, and performing access control of the user terminal by each classified protocol; And And blocking network access of the user terminal according to the access control. delete The method of claim 8, When the user terminal establishes an access control service and attempts to access in the network access information collection method, Determining whether to register the service by comparing a MAC address collected in a user packet transmitted and received to the user terminal with a list stored in a storage medium of a communication service provider; Collecting user information in association with a user management system of a communication service provider providing the service to the user terminal when the MAC address is an unregistered MAC address; Storing the collected MAC address, IP address pair and additional information in a storage medium of a communication service provider; Reading setting information including a user ID according to the MAC address and a current control method from a storage medium; And And forwarding the user ID, the IP address, and the user additional information to a control process. The method of claim 8, The method of collecting the user traffic, Copying user packets to and from the user terminal using tap equipment; Distributing the packet by a hash key value according to a user IP in a switch device when load balancing of the user packet is required; And Reading the packet; online content access control method comprising a. The method of claim 8, Another method of collecting the user traffic is Mirroring user packets transmitted to and received from the user terminal through a mirroring port of a switch device to which a carrier's uplink is connected; Distributing the packet by a hash key value according to a user IP in a switch device when load balancing of the user packet is required; And Reading the packet; online content access control method comprising a. The method of claim 8, Another method of collecting the user traffic is Collecting MAC address, session information, OSI layer 4 layer protocol classification and additional information through the protocol head analysis; Calculating the number of sessions per session and the session duration; And And recording the session information and the additional information in a storage medium and passing the same to the control process. The method of claim 8, The method for processing the traffic information, Distinguishing network access and release of the user network access information passed to a control process; In the network access and disconnection step, loading the transferred information into a memory of a control server in the case of network access information; In the network access and disconnection step, in the case of network access release, storing the user additional information on a storage medium and removing the memory from the memory; And And classifying user information from the traffic analysis information transmitted to the control process and comparing the user information with corresponding network access information. The method of claim 8, The method of classifying the content and determining the blocking condition may include: Classifying a content list for each user terminal group; Applying a blocking condition determination rule to an IP of the user terminal, a destination IP / PORT delivered to a control server, a usage time of contents, a list classified by the user terminal group, and a control scheme specified by the user; Determining whether the corresponding traffic is blocked or accumulated in time according to the application step; Accumulating the usage time for each user / content in the case of the determination of the accumulation; And And if the blocking traffic is the target, calling an access control process according to an OSI layer 4 layer protocol. The method of claim 15, If a change of the control method of the user occurs in the step for determining the control method specified by the user terminal, Providing an input tool for the user and reading the input prior to invoking the access control process; Recording setting information according to the user input to a storage medium and transferring the setting information to a control process; And And determining a change of a control scheme currently being applied to the network access user. The method of claim 8, The access control method, Storing session information including a user IP / PORT, a destination IP / PORT, and a protocol generated by the collection / analysis of the traffic to be searchable in a memory of a control server; Passing the session information to a control process; Reading the blocking condition determination result of the control process and recording the result in the session information; And And classifying the protocols and invoking a process for blocking the communication when the traffic classified into the same session is generated and the blocking according to the blocking condition is required. The method of claim 8, The network connection blocking method, On-line content access control method comprising the IP communication blocking, TCP communication blocking and UDP communication blocking. The method of claim 18, The IP communication blocking method, Reading and storing an IP header and a TCP or UDP header of a packet transmitted and received to the user terminal; Generating an internet control message protocol destination dead packet; Generating an IP packet after mapping the header information stored in the data portion of the Internet control message protocol; And Transmitting the generated packet to a source IP of the stored IP header. The method of claim 18, Another method of blocking the TCP communication, Reading and storing TCP session information and a sequence number from a user packet transmitted and received to the user terminal; Generating a TCP control RST packet; And And transmitting to the server providing the user terminal and the content service. The method of claim 18, Another method of blocking the TCP communication, Reading and storing TCP session information and a sequence number from a user packet transmitted and received to the user terminal; Generating a TCP control FIN packet; And And transmitting to the server providing the user terminal and the content service. The method of claim 18, The UDP communication blocking method, Reading and storing IP / PORT information from user packets transmitted and received to the user terminal; Transmitting, by a filtering function of a router of a blocking target UDP port for each user, a request for release of a blocking state and a blocking state to an access control system of a communication operator; And And blocking the UDP packet by the access control system.

Images