KR102785106B1 - Method for detecting cyber threat over network using virtual host, and access switch and network controller using the same - Google Patents

Abstract

The present invention relates to a method for detecting a cyber threat to a network using a virtual host, comprising: (a) a step of: when a host scan packet is received from a specific active host among active hosts, the active hosts being hosts connected to switching ports of the access switches, by a specific access switch which is one of the access switches that allows hosts to communicate with each other in the network, the step of: checking whether a destination IP (Internet Protocol) address of the host scan packet corresponds to at least one preset virtual host IP address; and, if the destination IP address of the host scan packet is checked to correspond to a specific virtual host IP address, transmitting the host scan packet to a specific virtual host corresponding to the specific virtual host MAC address by referencing a specific virtual host MAC address matched to the specific virtual host IP address, the specific virtual host being generated in a security engine installed inside the specific access switch, thereby causing the security engine corresponding to the specific virtual host to generate a response packet corresponding to a specific host scan method used in the host scan packet and including the specific virtual host MAC address, and transmitting the response packet generated by the security engine to the specific active host; And (b) when a data packet having a destination IP address of the specific virtual host IP address and a destination MAC address of the specific virtual host MAC address is received from the specific active host, the specific access switch transmits the data packet to the specific virtual host, thereby causing the security engine corresponding to the specific virtual host to determine that the data packet is malware and block the specific active host from the network through at least one of the access switches;

Description

METHOD FOR DETECTING CYBER THREAT OVER NETWORK USING VIRTUAL HOST, AND ACCESS SWITCH AND NETWORK CONTROLLER USING THE SAME

The present invention relates to a method for detecting cyber threats to a network, and more particularly, to a method for detecting cyber threats to a network by creating a virtual host in an access switch to which hosts of the network are connected and inducing a network attack to be attempted on the virtual host.

A cyber threat is a malicious and deliberate attempt by a specific individual or organization to compromise the security of another individual or organization's information systems, usually with the intention of disrupting the victim's network for some kind of gain.

These cyber threats come in many forms, including malware, phishing, man-in-the-middle (MitM) attacks, denial of service (DoS) attacks, and zero-day exploits.

To prevent these cyber threats, network-based security devices such as firewalls, IPS, UTM, and web firewalls separate the external network and the internal network, and analyze and protect traffic flowing from the external network to the internal network or from the internal network to the outside, thereby protecting the entire network.

Meanwhile, interest in security switches that analyze traffic generated in the internal network and block traffic at the switch level if it is determined to be malicious traffic or a cyber threat is increasing in order to secure the reliability of network communication by blocking malicious traffic that causes performance degradation and failure of network infrastructure equipment due to infection of internal network hosts with viruses, etc., and to prevent secondary infection from spreading to other hosts.

In these security switches, cyber threats are typically detected by detecting one host searching multiple hosts or multiple hosts sending a large amount of traffic to one host.

However, there are clear limitations to applying these security switches to network environments where various devices and operating environments are intricately intertwined.

In addition, responses to cyber threats using these security switches have limitations in that they must distinguish between reconnaissance and situations actually detected as threats, and they cannot respond to changes in various forms of cyber attacks.

In addition, there are limitations in monitoring all traffic occurring on the network due to low CPU performance and insufficient memory.

Therefore, the present applicant proposes a method to overcome low CPU performance and memory shortage and to detect various types of threatening behavior occurring in a network, thereby reducing the probability of false detection and increasing the detection rate.

The purpose of the present invention is to solve all of the problems of the above-mentioned prior art.

In addition, another purpose of the present invention is to overcome low CPU performance and memory shortage of an access switch and to effectively detect cyber threats occurring in a network.

In addition, another purpose of the present invention is to enable detection of cyber threats by creating a virtual host in an access switch.

In addition, another purpose of the present invention is to block a host that poses a cyber threat from a network by allowing the host to pose a cyber threat through a virtual host created in an access switch.

In addition, another purpose of the present invention is to enable efficient response to changes in cyber attack types by using a virtual host.

A representative configuration of the present invention to achieve the above purpose is as follows.

According to one embodiment of the present invention, a method for detecting a cyber threat to a network using a virtual host comprises the steps of: (a) a specific access switch, which is one of access switches that allows hosts to communicate with each other within a network, when a host scan packet is received from a specific active host among active hosts, the active hosts being hosts connected to switching ports of the access switches, confirming whether a destination IP (Internet Protocol) address of the host scan packet corresponds to at least one preset virtual host IP address, and if it is confirmed that the destination IP address of the host scan packet corresponds to a specific virtual host IP address, transmitting the host scan packet to a specific virtual host corresponding to the specific virtual host MAC address by referencing a specific virtual host MAC address matched to the specific virtual host IP address, thereby causing the security engine corresponding to the specific virtual host to generate a response packet corresponding to a specific host scan method used in the host scan packet and including the specific virtual host MAC address, and transmitting the response packet generated by the security engine to the specific active host; And (b) when a data packet having a destination IP address of the specific virtual host IP address and a destination MAC address of the specific virtual host MAC address is received from the specific active host, the specific access switch transmits the data packet to the specific virtual host, thereby causing the security engine corresponding to the specific virtual host to determine that the data packet is malware and to block the specific active host from the network through at least one of the access switches; a method is provided.

In the above embodiment, in the step (b), the specific access switch transmits the data packet to the specific virtual host, causes the security engine corresponding to the specific virtual host to analyze the data code of the data packet and identify an analysis operation pattern that analyzes the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among registered operation patterns corresponding to each of the pre-registered malware profiles, determines that the data code is specific malware corresponding to the specific registered operation pattern, and blocks the specific active host from the network through at least one of the access switches, (ii) if the analysis operation pattern does not match each of the registered operation patterns, determines that the data code is unidentified malware, and (ii-1) blocks the specific active host from the network through at least one of the access switches and then sends an alarm to a network controller managing the network, and (ii-2) sends the alarm to the network controller without blocking the specific active host from the network, so that the network controller detects the specific active host from the network. Any one of the processes that assist in determining whether to block a host may be performed.

In the above embodiment, the specific access switch causes the security engine corresponding to the specific virtual host to transmit the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller updates a malware database stored in the network controller with reference to the result of analyzing the unidentified malware, and when a profile corresponding to the unidentified malware including a behavior pattern for the unidentified malware is received from the network controller, the pre-registered malware profiles can be updated.

In the above embodiment, the specific access switch can cause the security engine to transmit the host scan packet and the data packet corresponding to the specific malware or the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller can distinguish the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and store and manage the data as back data for subsequent analysis.

In the above embodiment, in the step (a), the specific access switch may verify the destination IP address of the host scan packet, and (i) if the destination IP address of the host scan packet is the specific virtual host IP address, transmit the host scan packet to the specific virtual host, and (ii) if the destination IP address of the host scan packet is a broadcast IP address, perform a process of broadcasting the host scan packet to the active hosts on the network through a network stack and a process of duplicating the host scan packet and transmitting it to the specific virtual host.

In the above embodiment, the specific virtual host IP address and the specific virtual host MAC address are set by a network controller managing the network, and the network controller can generate the specific virtual host IP address by using unused host addresses that are not used by the active hosts among all host addresses of the network, and generate the specific virtual host MAC address that matches the virtual host IP address and corresponds to the security engine.

In the above embodiment, in the step (a), the specific access switch transmits the host scan packet to the specific virtual host to cause the security engine corresponding to the specific virtual host to identify the specific host scan method used in the host scan packet among preset host scan methods and generate the response packet, wherein the preset host scan methods may include scan methods used in general networks and scan methods of confirmed malware.

According to another embodiment of the present invention, a method for detecting a cyber threat to a network using a virtual host comprises the steps of: (a) a network controller managing a network generating at least one first virtual host IP address to at least one nth virtual host IP address using unused host addresses not used by active hosts, which are hosts connected to switching ports of a first access switch to an nth access switch, wherein n is an integer greater than or equal to 1, that allow hosts to communicate with each other within the network, from among all host addresses of the network, and generating at least one first virtual host MAC address corresponding to the first virtual host IP address to at least one nth virtual host MAC address corresponding to the nth virtual host IP address; And (b) the network controller transmits the first virtual host IP address and the first virtual host MAC address to the nth virtual host IP address and the nth virtual host MAC address, respectively, to the first access switch to the nth access switch, respectively, so that the first access switch to the nth access switch, respectively, (i) causes the first security engine installed in the first access switch to the nth security engine installed in the nth access switch to generate at least one first virtual host referencing the first virtual host IP address and the first virtual host MAC address, or at least one nth virtual host referencing the nth virtual host IP address and the nth virtual host MAC address, and (ii) scans at least one of the first virtual host to the nth virtual host using at least one of the first virtual host IP address to the nth virtual host IP address, and then determines a specific active host transmitting a data packet to at least one of the first virtual host to the nth virtual host through at least one of the first security engine to the nth security engine, and blocks the specific active host from the network. A method including:

In the other embodiment, the network controller generates malware profiles including the operation patterns of the identified malware from a malware database storing operation patterns of the already identified malware, transmits the malware profiles for the identified malware to each of the first security engine to the nth security engine so that each of the first security engine to the nth security engine registers the malware profiles for the identified malware, and in the step (b), the network controller causes a specific security engine corresponding to a specific virtual host that has received the data packet to analyze the data code of the data packet and identify an analysis operation pattern obtained by analyzing the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among the registered operation patterns corresponding to each of the previously registered malware profiles, it is determined that the data code is a specific malware corresponding to the specific registered operation pattern, and blocks the specific active host from the network through at least one of the first access switch to the nth access switch, and (ii) if the analysis operation pattern does not match each of the registered operation patterns, Otherwise, the process may be performed to determine that the data code is unidentified malware, (ii-1) a process of blocking the specific active host from the network through at least one of the first access switch to the nth access switch and then sending an alarm to the network controller, and (ii-2) a process of sending the alarm to the network controller without blocking the specific active host from the network, thereby supporting the network controller to determine whether to block the specific active host from the network.

In the other embodiment, in the step (b), when the host scan packet and the data packet corresponding to the unidentified malware are received from the specific security engine, the network controller updates the malware database with reference to the result of analyzing the unidentified malware, generates an unidentified malware profile for the unidentified malware including an operation pattern for the unidentified malware, and transmits the unidentified malware profile to each of the first to nth security engines to cause each of the first to nth security engines to update the pre-registered malware profiles.

In the other embodiment, in the step (b), when the network controller receives a host scan packet and a data packet corresponding to the specific malware or a host scan packet and a data packet corresponding to the unidentified malware from the specific security engine, the network controller may distinguish the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and store and manage the data as back data for subsequent analysis.

In the other embodiment, in the step (a), the network controller may group the unused host addresses into a 1_1 group to a 1_n group, and generate the first virtual host IP address referencing the unused host addresses of the 1_1 group to the n-th virtual host IP address referencing the unused host addresses of the 1_n group.

In the other embodiment, in the step (a), the network controller may group the entire host addresses into the 2_1 group to the 2_n group, and generate the first virtual host IP address referencing unused host addresses among the entire host addresses of the 2_1 group to the n-th virtual host IP address referencing unused host addresses among the entire host addresses of the 2_n group.

In the other embodiment, in the step (a), if the number of virtual hosts to be created on the network is m - wherein m is an integer greater than or equal to n -, the network controller groups all host addresses into a 3_1-th group to a 3_m-th group, generates a 3_1-th virtual host IP address referencing an unused host address in the 3_1-th group to a 3_m-th virtual host IP address referencing an unused host address in the 3_m-th group, and groups the 3_1-th virtual host IP address to the 3_m-th virtual host IP address into n to generate the first virtual host IP address to the n-th virtual host IP address.

According to another embodiment of the present invention, an access switch for detecting cyber threats to a network using a virtual host comprises: a memory storing instructions for detecting cyber threats to a network using a virtual host; and a processor performing an operation for detecting cyber threats to the network using the virtual host according to the instructions stored in the memory; , wherein the processor comprises: (I) a process for checking whether a destination IP (Internet Protocol) address of a host scan packet corresponds to at least one virtual host IP address set in advance when a host scan packet is received from a specific active host among active hosts connected to switching ports of access switches that enable hosts to communicate with each other within the network, and if it is confirmed that the destination IP address of the host scan packet corresponds to a specific virtual host IP address, transmitting the host scan packet to a specific virtual host corresponding to the specific virtual host MAC address by referencing a specific virtual host MAC address matched to the specific virtual host IP address, whereby the specific virtual host is generated in a security engine installed inside the specific access switch, thereby causing the security engine corresponding to the specific virtual host to generate a response packet corresponding to a specific host scan method used in the host scan packet and including the specific virtual host MAC address, and transmitting the response packet generated by the security engine to the specific active host, and (II) data from the specific active host, whose destination IP address is the specific virtual host IP address and whose destination MAC address is the specific virtual host MAC address. An access switch is provided which, when a packet is received, performs a process of transmitting said data packet to said specific virtual host, thereby causing said security engine corresponding to said specific virtual host to determine that said data packet is malware and block said specific active host from said network via at least one of said access switches.

In another embodiment, the processor, in the (II) process, transmits the data packet to the specific virtual host, causes the security engine corresponding to the specific virtual host to analyze the data code of the data packet and identify an analysis operation pattern obtained by analyzing the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among registered operation patterns corresponding to each of the pre-registered malware profiles, determines that the data code is specific malware corresponding to the specific registered operation pattern, and blocks the specific active host from the network through at least one of the access switches, (ii) if the analysis operation pattern does not match each of the registered operation patterns, determines that the data code is unidentified malware, and (ii-1) blocks the specific active host from the network through at least one of the access switches and then sends an alarm to a network controller managing the network, and (ii-2) sends the alarm to the network controller without blocking the specific active host from the network, so that the network controller detects the specific active host from the network. Any one of the processes that assist in determining whether to block a host may be performed.

In another embodiment, the processor causes the security engine corresponding to the specific virtual host to transmit the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller updates a malware database stored in the network controller with reference to the result of analyzing the unidentified malware, and when a profile corresponding to the unidentified malware including a behavior pattern for the unidentified malware is received from the network controller, the pre-registered malware profiles can be updated.

In another embodiment, the processor may cause the security engine to transmit the host scan packet and the data packet corresponding to the specific malware or the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller may distinguish the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and store and manage the data as back data for subsequent analysis.

In another embodiment, the processor may perform, in the process (I), a process of checking a destination IP address of the host scan packet, and (i) if the destination IP address of the host scan packet is the specific virtual host IP address, transmitting the host scan packet to the specific virtual host, and (ii) if the destination IP address of the host scan packet is a broadcast IP address, performing a process of broadcasting the host scan packet to the active hosts on the network through a network stack and a process of duplicating the host scan packet and transmitting it to the specific virtual host.

In the above still another embodiment, the specific virtual host IP address and the specific virtual host MAC address are set by a network controller managing the network, and the network controller can generate the specific virtual host IP address by using unused host addresses that are not used by the active hosts among all host addresses of the network, and generate the specific virtual host MAC address that matches the specific virtual host IP address and corresponds to the security engine.

In another embodiment, the processor, in the (I) process, transmits the host scan packet to the specific virtual host to cause the security engine corresponding to the specific virtual host to identify the specific host scan method used in the host scan packet among preset host scan methods and generate the response packet, wherein the preset host scan methods may include scan methods used in general networks and scan methods of confirmed malware.

According to another embodiment of the present invention, a network controller for detecting cyber threats to a network using a virtual host comprises: a memory storing instructions for detecting cyber threats to a network using a virtual host; and a processor performing an operation for detecting cyber threats to the network using the virtual host according to the instructions stored in the memory; , wherein the processor comprises: (I) a process for generating at least one first virtual host IP address to at least one nth virtual host IP address by using unused host addresses that are not used by active hosts, which are hosts connected to switching ports of a first access switch to an nth access switch, wherein n is an integer greater than or equal to 1, that enable hosts to communicate with each other within the network, among all host addresses of the network, and generating at least one first virtual host MAC address corresponding to the first virtual host IP address to at least one nth virtual host MAC address corresponding to the nth virtual host IP address, and (II) transmitting the first virtual host IP address and the first virtual host MAC address to the nth virtual host IP address and the nth virtual host MAC address, respectively, to the first access switch to the nth access switch, respectively, so that the first access switch to the nth access switch, respectively, (i) causes the first security engine installed inside the first access switch to the nth security engine installed inside the first access switch, respectively, to transmit the first virtual host IP address and the first virtual host MAC address. A network controller is provided that performs a process of generating at least one first virtual host referencing an address, at least one nth virtual host referencing an IP address of the nth virtual host and a MAC address of the nth virtual host, and (ii) scanning at least one of the first virtual host IP address to the nth virtual host IP address, and then determining, through at least one of the first security engine to the nth security engine, a specific active host transmitting a data packet to at least one of the first virtual host to the nth virtual host, and blocking the active host from the network.

In another embodiment, the processor generates malware profiles including the operation patterns of the identified malware from a malware database storing operation patterns of the already identified malware, transmits the malware profiles for the identified malware to each of the first security engine to the nth security engine so that each of the first security engine to the nth security engine registers the malware profiles for the identified malware, and in the (II) process, causes a specific security engine corresponding to a specific virtual host that has received the data packet to analyze the data code of the data packet to identify an analysis operation pattern obtained by analyzing the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among the registered operation patterns corresponding to each of the previously registered malware profiles, it is determined that the data code is a specific malware corresponding to the specific registered operation pattern, and blocks the specific active host from the network through at least one of the first access switch to the nth access switch, and (ii) if the analysis operation pattern does not match each of the registered operation patterns, the data The method may be configured to perform one of the following processes: (ii-1) a process for determining that the code is unidentified malware, and (ii-2) a process for sending the alarm to the network controller while not blocking the specific active host from the network, thereby supporting the network controller to decide whether to block the specific active host from the network.

In another embodiment, the processor, in the process (II), when a host scan packet and the data packet corresponding to the unidentified malware are received from the specific security engine, updates the malware database with reference to the result of analyzing the unidentified malware, generates an unidentified malware profile for the unidentified malware including a behavioral pattern for the unidentified malware, and transmits the unidentified malware profile to each of the first to nth security engines to cause each of the first to nth security engines to update the pre-registered malware profiles.

In another embodiment, in the process (II), when the processor receives a host scan packet and a data packet corresponding to the specific malware or a host scan packet and a data packet corresponding to the unidentified malware from the specific security engine, the processor may distinguish the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and store and manage the data as back data for subsequent analysis.

According to another embodiment of the present invention, in the process (I), the processor may group the unused host addresses into a 1_1 group to a 1_n group, and generate the first virtual host IP address referencing the unused host addresses of the 1_1 group to the n-th virtual host IP address referencing the unused host addresses of the 1_n group.

According to another embodiment of the present invention, the processor may, in the process (I), group the entire host addresses into the 2_1 group to the 2_n group, and generate the first virtual host IP address referencing unused host addresses among the entire host addresses of the 2_1 group to the n-th virtual host IP address referencing unused host addresses among the entire host addresses of the 2_n group.

According to another embodiment of the present invention, when the number of virtual hosts to be created on the network in the (I) process is m, where m is an integer greater than or equal to n, the processor groups all host addresses into a 3_1-th group to a 3_m-th group, generates a 3_1-th virtual host IP address referencing an unused host address in the 3_1-th group to a 3_m-th virtual host IP address referencing an unused host address in the 3_m-th group, and groups the 3_1-th virtual host IP address to the 3_m-th virtual host IP address into n to generate the first virtual host IP address to the n-th virtual host IP address.

In addition, a computer-readable recording medium for recording a computer program for executing the method of the present invention is further provided.

According to the present invention, it is possible to overcome low CPU performance and memory shortage of an access switch and effectively detect cyber threats occurring in a network.

In addition, according to the present invention, it is possible to detect cyber threats by creating a virtual host in an access switch.

In addition, according to the present invention, it is possible to block a host that poses a cyber threat from the network by making the host pose a cyber threat through a virtual host created in an access switch.

In addition, according to the present invention, it is possible to efficiently respond to changes in cyber attack types by using a virtual host.

The drawings attached below for use in explaining embodiments of the present invention are only some of the embodiments of the present invention, and a person having ordinary knowledge in the technical field to which the present invention belongs (hereinafter, “ordinary skilled in the art”) can obtain other drawings based on these drawings without making an inventive work.
FIG. 1 schematically illustrates a cyber threat detection system that detects cyber threats to a network using a virtual host according to one embodiment of the present invention.
FIG. 2 schematically illustrates an access switch that detects cyber threats to a network using a virtual host according to one embodiment of the present invention.
FIG. 3 schematically illustrates a process of detecting cyber threats to a network using a virtual host according to one embodiment of the present invention.
FIG. 4 schematically illustrates a state of updating malware profiles in access switches according to one embodiment of the present invention.

The detailed description of the invention set forth below refers to the accompanying drawings which illustrate specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the invention, while different from each other, are not necessarily mutually exclusive. For example, specific shapes, structures, and characteristics described herein may be modified and implemented from one embodiment to another without departing from the spirit and scope of the invention. It should also be understood that the positions or arrangements of individual components within each embodiment may be changed without departing from the spirit and scope of the invention. Accordingly, the detailed description set forth below is not intended to be limiting, and the scope of the invention is to be construed to include the scope of the claims and all equivalents thereof. Like reference numerals in the drawings represent the same or similar elements throughout the several aspects.

Hereinafter, various preferred embodiments of the present invention will be described in detail with reference to the attached drawings so that a person having ordinary skill in the art to which the present invention pertains can easily practice the present invention.

FIG. 1 schematically illustrates a cyber threat detection system that detects cyber threats to a network using a virtual host according to one embodiment of the present invention. The cyber threat detection system (1000) may include a network controller (100) and at least one access switch (200_1 to 200_n).

First, the network controller (100) sets up network security for network management, and may include a memory storing instructions for detecting cyber threats to the network using a virtual host, and a processor performing operations for detecting cyber threats to the network using a virtual host according to the instructions stored in the memory.

Specifically, the network controller (100) may typically, but is not limited to, utilize a combination of computing devices (e.g., devices that may include computer processors, memory, storage, input devices and output devices, and other components of conventional computing devices; electronic communication devices such as routers, switches, and the like; electronic information storage systems such as network attached storage (NAS) and storage area networks (SAN)) and computer software (i.e., instructions that cause the computing devices to function in a particular manner) to achieve desired system performance.

In addition, the processor of the network controller (100) may include hardware configurations such as a Micro Processing Unit (MPU) or a Central Processing Unit (CPU), a cache memory, and a data bus. In addition, the network controller (100) may further include a software configuration of an operating system and an application performing a specific purpose.

However, this does not exclude the case where the network controller (100) includes an integrated processor in which a medium, processor, and memory for implementing the present invention are integrated.

Meanwhile, the processor of the network controller (100) may perform a process of generating at least one first virtual host IP (Internet Protocol) address to at least one nth virtual host IP address by using unused host addresses that are not used by active hosts (AH_*_*), which are hosts connected to switching ports of at least one first access switch (200_1) to an nth access switch (200_n) that allow hosts to communicate with each other within the network, according to instructions stored in the memory, among all host addresses of the network, and generating at least one first virtual host MAC address corresponding to the first virtual host IP address to at least one nth virtual host MAC address corresponding to the nth virtual host IP address. And, the processor of the network controller (100) transmits the first virtual host IP address and the first virtual host MAC address to the nth virtual host IP address and the nth virtual host MAC address, respectively, to the first access switch (200_1) to the nth access switch (200_n), so that the first access switch (200_1) to the nth access switch (200_n) generates at least one first virtual host (VH_1_*) referencing the first virtual host IP address and the first virtual host MAC address to at least one nth virtual host (VH_n_*) referencing the nth virtual host IP address and the nth virtual host MAC address, using at least one of the first virtual host IP address to the nth virtual host IP address. A process can be performed to determine, through at least one of the first security engine to the nth security engine, that a specific active host that scans one and then transmits a data packet to at least one of the first virtual host (VH_1_*) to the nth virtual host (VH_n_*) is blocked from the network.

Next, each of the first access switch (200_1) to the nth access switch (200_n) may include a memory storing instructions for detecting cyber threats to the network using the virtual host, and a processor performing an operation for detecting cyber threats to the network using the virtual host according to the instructions stored in the memory, so that active hosts and virtual hosts can communicate with each other within the network.

Specifically, each of the first access switch (200_1) to the nth access switch (200_n) may typically achieve desired system performance using a combination of computing devices (e.g., devices that may include computer processors, memory, storage, input devices and output devices, and other components of conventional computing devices; electronic communication devices such as routers, switches, and the like; electronic information storage systems such as network attached storage (NAS) and storage area networks (SAN)) and computer software (i.e., instructions that cause the computing devices to function in a particular manner) but are not limited thereto.

In addition, each of the processors of the first access switch (200_1) to the nth access switch (200_n) may include hardware configurations such as a Micro Processing Unit (MPU) or a Central Processing Unit (CPU), a cache memory, and a data bus. In addition, each of the first access switch (200_1) to the nth access switch (200_n) may further include software configurations of an operating system and an application performing a specific purpose.

However, this does not exclude the case where each of the first access switch (200_1) to the nth access switch (200_n) includes an integrated processor in which a medium, processor, and memory for implementing the present invention are integrated.

In addition, each of the first access location (200_1) to the nth access switch (200_n) may be configured as a logical module, such as a virtual switch that performs an L2 switch function in a cloud environment, such as OVS (Open VSwitch), as well as a physical module that performs an L2 switch function.

Meanwhile, each of the processors of the first access switch (200_1) to the nth access switch (200_n), when a host scan packet is received from a specific active host among the active hosts, verifies whether a destination IP address of the host scan packet corresponds to at least one preset virtual host IP address, and if it is verified that the destination IP address of the host scan packet corresponds to a specific virtual host IP address, transmits the host scan packet to a specific virtual host corresponding to the specific virtual host MAC address by referencing a specific virtual host MAC address matched to the specific virtual host IP address, thereby causing a security engine corresponding to the specific virtual host to generate a response packet corresponding to a specific host scan method used in the host scan packet and including a specific virtual host MAC address, and performs a process of transmitting the response packet generated by the security engine to the specific active host. And, each of the processors of the first access switch (200_1) to the nth access switch (200_n), when a data packet having a destination IP address of a specific virtual host IP address and a destination MAC address of a specific virtual host MAC address is received from a specific active host, may perform a process of transmitting the data packet to a specific virtual host, thereby causing a security engine corresponding to the specific virtual host to determine that the data packet is malware and block the specific active host from the network through at least one of the access switches.

Referring to FIG. 2, the configuration state of an access switch according to one embodiment of the present invention is described as follows.

An access switch (200) according to one embodiment of the present invention may include switch hardware (210), a communication packet processing module (220), a network stack (230), and a security engine (240).

Specifically, the switch hardware (210) performs a switching operation to forward a communication packet received through a network to a destination host, and a virtual host MAC switch for forwarding a communication packet destined for a virtual host can be registered.

And, the communication packet processing module (220) analyzes the communication packet received through the network to determine the destination host, and forwards the communication packet to the destination host through the switch hardware (210) with reference to the determined destination host. If the communication packet is for a virtual host, the communication packet is transmitted to the security engine (240), and if the communication packet is for broadcast, the process of broadcasting the communication packet to other active hosts through the network stack (230) and the process of duplicating the communication packet and transmitting it to the security engine (240) can be performed. In addition, the communication packet processing module (220) can forward the communication packet generated by the virtual host, i.e., the security engine (240), to the destination host through the switch hardware (210).

Additionally, the network stack (230) can forward communication packets destined for a host connected to another access switch to another access switch via the switch hardware (210).

Meanwhile, the security engine (240) analyzes a host scan packet transmitted to a virtual host when at least one virtual host (VH) is created, identifies a specific host scan method used in the host scan packet among preset host scan methods, and generates and transmits a response packet. When a data packet is transmitted to the virtual host in response to the response packet, the security engine determines that the data packet is malware and blocks a specific active host that transmitted the data packet from the network to the virtual host through at least one of the access switches.

In addition, although the above description exemplifies that the access switch (200) is configured as a physical module, the present invention is not limited thereto, and the access switch (200) may also be configured as a logical module that performs an L2 switch function through a virtual switch such as OVS.

A method for detecting cyber threats to a network using a virtual host through a cyber threat detection system and an access switch according to one embodiment of the present invention configured as described above is described with reference to FIGS. 1 and 2.

First, each of the first access switch (200_1) to the nth access switch (200_n) installed in the network can monitor ARP (Address Resolution Protocol) communication of active hosts connected to the network to collect IP addresses and MAC addresses of active hosts (AH_*_*) connected to the network and then transmit them to the network controller (100).

Then, the network controller (100) performs active host management in real time by referencing the IP addresses and MAC addresses of active hosts (AH_*_*) connected to the network.

And, the network controller (100) can check unused IP addresses by referring to the active host list obtained from the first access switch (200_1) to the nth access switch (200_n), and create virtual hosts (VH_*_*) using the unused IP addresses.

That is, the network controller (100) generates at least one first virtual host IP address to at least one nth virtual host IP address by using unused host addresses that are not used by active hosts (AH_*_*) among all host addresses of the network, and generates at least one first virtual host MAC address corresponding to the first virtual host IP address to at least one nth virtual host MAC address corresponding to the nth virtual host IP address. Then, the network controller (100) can transmit the first virtual host IP address and the first virtual host MAC address to the nth virtual host IP address and the nth virtual host MAC address, respectively, to the first access switch (200_1) to the nth access switch (200_n), respectively. Then, each of the first access switch (200_1) to the nth access switch (200_n) can generate at least one first virtual host (VH_1_*) to the nth virtual host IP address and the nth virtual host MAC address, respectively, referencing the first virtual host IP address and the first virtual host MAC address, to the first security engine installed inside the first access switch to the nth security engine installed inside the nth access switch. At this time, each of the first access switch (200_1) to the nth access switch (200_n) can register the first virtual host MAC switch to the nth virtual host MAC switch corresponding to the first virtual host (VH_1_*) to the nth virtual host (VH_n_*), respectively, in the respective switch hardware, so that a communication packet destined for the first virtual host (VH_1_*) to the nth virtual host (VH_n_*), respectively, can be transmitted to the first security engine to the nth security engine, respectively.

For example, the network controller (100) may group unused host addresses into the 1_1 group to the 1_n group, and generate at least one first virtual host IP address referencing the unused host addresses of the 1_1 group to at least one nth virtual host IP address referencing the unused host addresses of the 1_n group. At this time, the network controller (100) may change some of the IP addresses being used by the active hosts (AH_*_*) so that the virtual host IP addresses are uniformly distributed across all host addresses. In addition, the network controller (100) may cause the virtual host IP addresses to be uniformly distributed across all host addresses, but may cause them to be more concentratedly distributed across some of the host addresses of the first half, the middle, and the latter half. Through this, it is possible to detect cyber threats in a short period of time and maintain the network stably against cyber threats in situations where general cyber threats are made from low-address hosts to high-address hosts in sequence, or from high-address hosts to low-address hosts in sequence, or from addresses in a specific location to low-address hosts in sequence, or to high-address hosts in sequence.

As another example, the network controller (100) may group all host addresses into the 2_1 group to the 2_n group, and generate at least one first virtual host IP address referencing unused host addresses among all host addresses of the 2_1 group to at least one nth virtual host IP address referencing unused host addresses among all host addresses of the 2_n group. At this time, the network controller (100) may change some of the IP addresses being used by the active hosts (AH_*_*) so that the virtual host IP addresses are uniformly distributed among all host addresses. In addition, the network controller (100) may cause the virtual host IP addresses to be uniformly distributed among all host addresses, but may cause them to be more concentratedly distributed among some of the host addresses in the first half, the host addresses in the middle, and the host addresses in the second half. Through this, it is possible to detect cyber threats in a short period of time and maintain the network stably against cyber threats in situations where general cyber threats are made from low-address hosts to high-address hosts in sequence, or from high-address hosts to low-address hosts in sequence, or from addresses in a specific location to low-address hosts in sequence, or to high-address hosts in sequence.

As another example, when the number of at least one virtual host to be created on the network is m, the network controller (100) groups all host addresses into the 3_1st group to the 3_mth group, generates the 3_1st virtual host IP address referencing one unused host address in the 3_1st group to the 3_mth virtual host IP address referencing one unused host address in the 3_mth group, and groups the 3_1st virtual host IP address to the 3_mth virtual host IP address into n to generate the 1st virtual host IP address to the nth virtual host IP address.

For example, let's say there are two access switches in a network using class C 192.168.0.255, and 5 virtual hosts are created on the network. The host address is from 0 to 255 in the last octet, and the IP address 192.168.0.0 corresponding to "0" is used as the network address, and the IP address 192.168.0.255 corresponding to "255" is used to broadcast messages to all hosts in the network, so the first IP address and the last IP address cannot be assigned to individual hosts. Therefore, since the IP addresses that can be assigned to actual individual hosts are IP addresses between 192.168.0.1 and 192.168.0.254, they are grouped into five groups: Group 3_1 of “192.168.0.1 to 192.168.0.50”, Group 3_2 of “192.168.0.51 to 192.168.0.100”, Group 3_3 of “192.168.0.101 to 192.168.0.150”, Group 3_4 of “192.168.0.151 to 192.168.0.200”, and Group 3_5 of “192.168.0.201 to 192.168.0.254”, and then Group 3_1 One unused IP address from each of the groups, the 3rd_2nd group, the 3rd_3rd group, the 3rd_4th group, and the 3rd_5th group can be created as the first virtual host IP address to the fifth virtual host IP address. Then, three virtual hosts can be created in the first access switch using three virtual host IP addresses from among the first virtual host IP address to the fifth virtual host IP address, and two virtual hosts can be created in the second access switch using the remaining two virtual host IP addresses.

For reference, in Fig. 1, the first access switch (200_1) is connected to a first_1 active host (AH_1_1) having an IP address of 192.168.0.10 and a first_2 active host (AH_1_2) having an IP address of 192.168.0.11, and a first_1 virtual host (VH_1_1) having a virtual host IP address of 192.168.0.2 is created, and the second access switch (200_2) is connected to a second_1 active host (AH_2_1) having an IP address of 192.168.0.21 and a second_2 active host (AH_2_2) having an IP address of 192.168.0.22, and a second_1 virtual host (VH_2_1) having a virtual host IP address of 192.168.0.50 is created. The following example illustrates a state in which a 2_2 virtual host (VH_2_2) having a virtual host IP address of 192.168.0.100 is created, an n_1 active host (AH_n_1) having an IP address of 192.168.0.32 is connected to an n-th access switch (200_n), and an n_1 virtual host (VH_n_1) having a virtual host IP address of 192.168.0.200 is created.

In a state where virtual hosts (VH_*_*) are created in access switches (200_1 to 200_n) of a network by the method described above, the process of access switches (200_1 to 200_n) detecting cyber threats using the virtual hosts will be described with reference to FIGS. 1 and 3 as follows. For reference, the specific active host causing the cyber threat in FIG. 3 is assumed to be the 1_1-th active host (AH_1_1) in FIG. 1, and the specific access switch (200) in FIG. 3 is any one of the 1st access switch (200_1) to the nth access switch (200_n) in FIG. 1, and it is assumed that one virtual host (VH) is created.

A specific active host (AH_1_1) infected with malware can transmit (S100) a host scan packet to the active hosts and virtual hosts of the network through the first access switch (200_1) to search for hosts connected to the network in order to infect other connected hosts of the network.

Then, a host scan packet transmitted from a specific active host (AH_1_1) can be received by a specific access switch (200) that is one of the first access switches (200_1) to the nth access switch (200_n) installed in the network, and the specific access switch (200) that received the host scan packet can check whether the destination IP address of the host scan packet corresponds to at least one preset virtual host IP address.

And, as a result of checking whether the destination IP address of the host scan packet corresponds to a specific virtual host IP address, if it is confirmed that the destination IP address of the host scan packet corresponds to a specific virtual host IP address, a specific access switch (200) can transmit the host scan packet to a specific virtual host (VH) by referencing a specific virtual host MAC address matched to the specific virtual host IP address.

At this time, the destination IP address of the host scan packet can be a specific IP address for scanning a specific host, or a broadcast IP address for scanning all hosts in the network.

Accordingly, when a specific access switch (200) verifies the destination IP address of a host scan packet received from a specific active host (AH_1_1), if the destination IP address of the host scan packet is a specific virtual host IP address, the specific access switch (200) can transmit the host scan packet to a specific virtual host (VH).

In contrast, when a specific access switch (200) verifies the destination IP address of a host scan packet received from a specific active host (AH_1_1), and if the destination IP address of the host scan packet is a broadcast IP address, the specific access switch (200) can perform a process of broadcasting the host scan packet to active hosts on the network through the network stack and a process of duplicating the host scan packet and transmitting it to a specific virtual host (VH).

When a host scan packet is transmitted to a specific virtual host (VH) by an operation as described above, that is, when a specific access switch (200) transmits the host scan packet to a security engine in which a specific virtual host (VH) is created, the security engine can generate a response packet corresponding to the specific host scan method used in the host scan packet and including a specific virtual host MAC address.

At this time, the security engine may store preset host scan methods for checking a specific host scan method of a host scan packet, and the preset host scan methods may include scan methods used in general networks, such as ICMP (Internet Control Message Protocol) scan, TCP (Transmission Control Protocol) scan, scan methods used in confirmed malware, such as SMB (Server Message Block) scan, NetBIOS scan, NBNS (NetBIOS Name Service) scan, and scan methods used in both general networks and confirmed malware, such as ARP scan.

And, a specific access switch (200) can transmit (S200) a response packet generated by a security engine to a specific active host (AH_1_1). That is, a specific access switch (200) can perform a virtual host response in response to a specific virtual host (VH) scan performed by a specific active host (AH_1_1), thereby allowing a specific active host (AH_1_1) to recognize that a specific virtual host (VH) is an infected host.

Thereafter, a specific active host (AH_1_1) that has received the response packet determines that the virtual host (VH) is an infectable host, and generates a data packet that includes malware for infecting the virtual host (VH), and has a specific virtual host IP address as a destination IP address and a specific virtual host MAC address as a destination MAC address, and then transmits it (S300) to a specific access switch (200) (here, it may be a case of directly transmitting it to a specific access switch (200) or a case of transmitting it to a specific access switch (200) through another access switch). That is, the concept that a specific active host (AH_1_1) generates a data packet and then transmits it to a specific access switch (200) can be understood as an attempt to infect a virtual host (VH).

Then, a specific access switch (200) can transmit a data packet having a destination IP address and a destination MAC address that are a specific virtual host IP address and a specific virtual host MAC address transmitted from a specific active host (AH_1_1) to a specific virtual host (VH).

And, when a data packet is transmitted to a virtual host (VH), that is, when a specific access switch (200) transmits the data packet to a security engine in which a specific virtual host (VH) is created, the security engine determines that the data packet is malware and blocks the specific active host (AH_1_1) from the network through at least one of the access switches (200_1 to 200_n) installed in the network. That is, the specific access switch (200) blocks the specific active host (AH_1_1) attempting to infect the specific virtual host, thereby protecting the network from cyber threats. This is based on the fact that scanning and attempting to access a virtual host, not an actually operating active host, is not a normal operation, and by recognizing a virtual host created at the access switch level as an infectable host and then blocking a specific active host attempting to infect the virtual host from the network, it is possible to effectively block cyber threats before they are attempted to infect other active hosts.

Meanwhile, the security engine of a specific access switch (200) can analyze the data code of the data packet and identify the analysis operation pattern by analyzing the operation pattern of the data code.

And, if the security engine of a specific access switch (200) determines that the data code is a specific malware corresponding to a specific registered operation pattern when the analysis operation pattern for the data packet matches a specific registered operation pattern among the registered operation patterns corresponding to each of the pre-registered malware profiles, the security engine can block a specific active host (AH_1_1) from the network through at least one of the access switches (200_1 to 200_n).

In contrast, if the analysis operation pattern does not match each of the registered operation patterns, the security engine of the specific access switch (200) determines that the data code is unidentified malware, blocks the specific active host (AH_1_1) from the network through at least one of the access switches (200_1 to 200_n), and then sends an alarm to the network controller (100) managing the network, or sends an alarm to the network controller (100) without blocking the specific active host (AH_1_1) from the network, so that the network controller (100) determines whether to block the specific active host (AH_1_1) from the network.

At this time, the network controller (100) stores the operation patterns of already confirmed malware in a malware database, generates malware profiles including the operation patterns of the malware confirmed from the malware database, and transmits the malware profiles for the confirmed malware to each of the first security engine of the first access switch (200_1) to the nth security engine of the nth access switch (200_n), thereby causing each of the first security engine to the nth security engine to register the malware profiles for the confirmed malware.

For example, the malware database may be represented as shown in Table 1 below, and the malware database may store information on the host scan method for confirmed malware and the operation pattern such as the protocol and access method. However, the present invention is not limited thereto, and may include various information for confirming the operation pattern of malware.

Malware Host Scan Mode Movement pattern Protocol Approach WannaCry(2017) 1:1 ARP SMB/TCP BROWSER Crysis(2016) SMB Broadcast SMB/NetBIOS BROWSER Lockbit(2020) NBNS Broadcast SMB/NetBIOS SAMBA Login

Additionally, the security engine of a specific access switch (200) can transmit a host scan packet and a data packet corresponding to unidentified malware to the network controller (100). Then, the network controller (100) can add information about the unidentified malware to the malware database as shown in Table 2 below.

Malware Host Scan Mode Movement pattern Protocol Approach WannaCry(2017) 1:1 ARP SMB/TCP BROWSER Crysis(2016) SMB Broadcast SMB/NetBIOS BROWSER Lockbit(2020) NBNS Broadcast SMB/NetBIOS SAMBA Login Unidentified malware No matching pattern, but scan and infection attempts confirmed

And, the network controller (100) can analyze the operation pattern of the unidentified malware and update the malware database with reference to the result of analyzing the unidentified malware. Thereafter, as shown in FIG. 4, the network controller (100) can create an unidentified malware profile for the unidentified malware including the operation pattern of the unidentified malware updated in the malware database, and transmit the malware profile for the unidentified malware to each of the first security engine of the first access switch (200_1) to the nth security engine of the nth access switch (200_n), thereby causing each of the first security engine to the nth security engine to update the pre-registered malware profiles.

Additionally, the security engine of a specific access switch (200) may transmit a host scan packet and data packet corresponding to a specific malware or a host scan packet and data packet corresponding to an unidentified malware to the network controller (100).

Then, the network controller (100) can distinguish the data packets and host scan packets into either the data packets and host scan packets corresponding to specific malware or the host scan packets and data packets corresponding to unidentified malware, and store and manage them as back data for subsequent analysis.

The embodiments of the present invention described above may be implemented in the form of program commands that can be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may include program commands, data files, data structures, etc., alone or in combination. The program commands recorded on the computer-readable recording medium may be those specially designed and configured for the present invention or may be those known to those skilled in the art of computer software and available for use. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and hardware devices specially configured to store and execute program commands such as ROMs, RAMs, flash memories, etc. Examples of the program commands include not only machine language codes generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter, etc. The hardware devices may be configured to operate as one or more software modules to perform processing according to the present invention, and vice versa.

Although the present invention has been described above with specific details such as specific components and limited examples and drawings, these have been provided only to help a more general understanding of the present invention, and the present invention is not limited to the above examples, and those with common knowledge in the technical field to which the present invention belongs can make various modifications and variations from this description.

Therefore, the idea of the present invention should not be limited to the embodiments described above, and not only the claims described below but also all modifications equivalent to or equivalent to the claims are included in the scope of the idea of the present invention.

1000: Cyber Threat Detection System,
100: Network Controller,
200_1 to 200_n: Access switches,
AH_*_*: Active host,
VH_*_*: Virtual host

Claims (28)

A method for detecting cyber threats to a network using a virtual host,
(a) A specific access switch, which is one of the access switches that allows hosts to communicate with each other within a network, when a host scan packet is received from a specific active host among active hosts - the active hosts are hosts connected to switching ports of the access switches - checks whether a destination IP (Internet Protocol) address of the host scan packet corresponds to at least one virtual host IP address that is preset, and if it is confirmed that the destination IP address of the host scan packet corresponds to a specific virtual host IP address, the host scan packet is transmitted to a specific virtual host corresponding to the specific virtual host MAC address by referencing a specific virtual host MAC address matched to the specific virtual host IP address - the specific virtual host is generated in a security engine installed inside the specific access switch - thereby causing the security engine corresponding to the specific virtual host to generate a response packet corresponding to a specific host scan method used in the host scan packet and including the specific virtual host MAC address, and the response packet generated by the security engine a step of transmitting the above response packet to the specific active host; and
(b) a step of, when a data packet having a destination IP address of the specific virtual host IP address and a destination MAC address of the specific virtual host MAC address is received from the specific active host, the specific access switch transmits the data packet to the specific virtual host, thereby causing the security engine corresponding to the specific virtual host to determine that the data packet is malware and block the specific active host from the network through at least one of the access switches;
A method including: In the first paragraph,
In step (b) above,
The specific access switch transmits the data packet to the specific virtual host, causes the security engine corresponding to the specific virtual host to analyze the data code of the data packet and identify an analysis operation pattern that analyzes the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among registered operation patterns corresponding to each of the pre-registered malware profiles, determines that the data code is specific malware corresponding to the specific registered operation pattern, and blocks the specific active host from the network through at least one of the access switches, (ii) if the analysis operation pattern does not match each of the registered operation patterns, determines that the data code is unidentified malware, and (ii-1) blocks the specific active host from the network through at least one of the access switches and then sends an alarm to a network controller managing the network, and (ii-2) sends the alarm to the network controller without blocking the specific active host from the network, thereby supporting the network controller to determine whether to block the specific active host from the network. How to perform a process. In the second paragraph,
The above specific access switch causes the security engine corresponding to the specific virtual host to transmit the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller updates the malware database stored in the network controller with reference to the result of analyzing the unidentified malware, and when a profile corresponding to the unidentified malware including a behavior pattern for the unidentified malware is received from the network controller, a method for updating the pre-registered malware profiles. In the second paragraph,
A method wherein the specific access switch causes the security engine to transmit a host scan packet and a data packet corresponding to the specific malware or a host scan packet and a data packet corresponding to the unidentified malware to the network controller, so that the network controller distinguishes the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and stores and manages the data as back data for subsequent analysis. In the first paragraph,
In step (a) above,
A method wherein the specific access switch verifies a destination IP address of the host scan packet, and (i) if the destination IP address of the host scan packet is the specific virtual host IP address, transmits the host scan packet to the virtual host, and (ii) if the destination IP address of the host scan packet is a broadcast IP address, broadcasts the host scan packet to the active hosts on the network through a network stack and performs a process of duplicating the host scan packet and transmitting it to the specific virtual host. In the first paragraph,
The specific virtual host IP address and the specific virtual host MAC address are set by a network controller managing the network, and the network controller generates the specific virtual host IP address by using unused host addresses not used by the active hosts among all host addresses of the network, and generates the specific virtual host MAC address that matches the specific virtual host IP address and corresponds to the security engine. In the first paragraph,
In step (a) above,
A method in which the specific access switch transmits the host scan packet to the specific virtual host, causes the security engine corresponding to the specific virtual host to identify the specific host scan method used in the host scan packet among preset host scan methods, and generates the response packet, wherein the preset host scan methods include scan methods used in general networks and scan methods of confirmed malware. A method for detecting cyber threats to a network using a virtual host,
(a) a step in which a network controller managing a network generates at least one first virtual host IP address to at least one nth virtual host IP address by using unused host addresses that are not used by active hosts, which are hosts connected to switching ports of a first access switch to an nth access switch, wherein n is an integer greater than or equal to 1, among all host addresses of the network, and generates at least one first virtual host MAC address corresponding to the first virtual host IP address to at least one nth virtual host MAC address corresponding to the nth virtual host IP address; and
(b) a step for the network controller to transmit the first virtual host IP address and the first virtual host MAC address to the nth virtual host IP address and the nth virtual host MAC address, respectively, to the first access switch to the nth access switch, so as to cause the first access switch to the nth access switch, respectively, to (i) generate, in the first security engine installed in the first access switch to the nth security engine installed in the nth access switch, at least one first virtual host referencing the first virtual host IP address and the first virtual host MAC address, or at least one nth virtual host referencing the nth virtual host IP address and the nth virtual host MAC address, and (ii) scan at least one of the first virtual host to the nth virtual host using at least one of the first virtual host IP address to the nth virtual host IP address, and then determine a specific active host transmitting a data packet to at least one of the first virtual host to the nth virtual host through at least one of the first security engine to the nth security engine, and block the specific active host from the network;
A method including: In Article 8,
Prior to step (b) above,
The above network controller generates malware profiles including operation patterns of already confirmed malware from a malware database storing operation patterns of the already confirmed malware, and transmits the malware profiles for the confirmed malware to each of the first security engine to the nth security engine, thereby causing each of the first security engine to the nth security engine to register malware profiles for the confirmed malware.
In step (b) above,
The network controller causes a specific security engine corresponding to a specific virtual host that has received the data packet to analyze the data code of the data packet to identify an analysis operation pattern that analyzes the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among registered operation patterns corresponding to each of the pre-registered malware profiles, it is determined that the data code is specific malware corresponding to the specific registered operation pattern, and blocks the specific active host from the network through at least one of the first access switch to the nth access switch, (ii) if the analysis operation pattern does not match each of the registered operation patterns, it is determined that the data code is unidentified malware, and (ii-1) a process of blocking the specific active host from the network through at least one of the first access switch to the nth access switch and then sending an alarm to the network controller, and (ii-2) a process of supporting the network controller to determine whether to block the specific active host from the network by sending the alarm to the network controller without blocking the specific active host from the network. A method of performing one of the processes. In Article 9,
In step (b) above,
A method wherein the network controller, when receiving a host scan packet and the data packet corresponding to the unidentified malware from the specific security engine, updates the malware database by referring to the result of analyzing the unidentified malware, creates an unidentified malware profile for the unidentified malware including a behavior pattern for the unidentified malware, and transmits the unidentified malware profile to each of the first to n-th security engines to cause each of the first to n-th security engines to update the pre-registered malware profiles. In Article 9,
In step (b) above,
The above network controller, when receiving a host scan packet and a data packet corresponding to the specific malware or a host scan packet and a data packet corresponding to the unidentified malware from the specific security engine, classifies the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and stores and manages the data as back data for subsequent analysis. In Article 8,
In step (a) above,
A method wherein the network controller groups the unused host addresses into a 1_1 group to a 1_n group, and generates the first virtual host IP address referencing the unused host addresses of the 1_1 group to the n-th virtual host IP address referencing the unused host addresses of the 1_n group. In Article 8,
In step (a) above,
A method wherein the network controller groups the entire host addresses into a 2_1 group to a 2_n group, and generates the first virtual host IP address referencing unused host addresses among the entire host addresses of the 2_1 group to the n-th virtual host IP address referencing unused host addresses among the entire host addresses of the 2_n group. In Article 8,
In step (a) above,
The above network controller, when the number of virtual hosts to be created on the network is m - wherein m is an integer greater than or equal to n -, groups all host addresses into a 3_1-th group to a 3_m-th group, generates a 3_1-th virtual host IP address referencing an unused host address in the 3_1-th group to a 3_m-th virtual host IP address referencing an unused host address in the 3_m-th group, and groups the 3_1-th virtual host IP address to the 3_m-th virtual host IP address into n to generate the first virtual host IP address to the n-th virtual host IP address. In an access switch that detects cyber threats to the network using virtual hosts,
Memory storing instructions for detecting cyber threats to the network using virtual hosts; and
A processor that performs an operation to detect cyber threats to the network using the virtual host according to the instructions stored in the memory;
Including,
The processor comprises: (I) a process for checking whether a destination IP (Internet Protocol) address of a host scan packet corresponds to at least one virtual host IP address set when a host scan packet is received from a specific active host among active hosts connected to switching ports of access switches that enable hosts to communicate with each other within the network, and if it is confirmed that the destination IP address of the host scan packet corresponds to a specific virtual host IP address, transmitting the host scan packet to a specific virtual host corresponding to the specific virtual host MAC address by referencing a specific virtual host MAC address matched to the specific virtual host IP address, thereby causing the security engine corresponding to the specific virtual host to generate a response packet corresponding to a specific host scan method used for the host scan packet and including the specific virtual host MAC address, and transmitting the response packet generated by the security engine to the specific active host, and (II) a process for checking whether a data packet having a destination IP address of the specific virtual host IP address and a destination MAC address of the specific virtual host MAC address is received from the specific active host, An access switch that performs a process of blocking the specific active host from the network through at least one of the access switches by causing the security engine corresponding to the specific virtual host to determine that the data packet is malware by transmitting the packet to the specific virtual host. In Article 15,
The above processor,
In the above (II) process, the data packet is transmitted to the specific virtual host, and the security engine corresponding to the specific virtual host analyzes the data code of the data packet to identify an analysis operation pattern obtained by analyzing the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among registered operation patterns corresponding to each of the pre-registered malware profiles, the data code is determined to be specific malware corresponding to the specific registered operation pattern, and the specific active host is blocked from the network through at least one of the access switches, (ii) if the analysis operation pattern does not match each of the registered operation patterns, the data code is determined to be unidentified malware, and (ii-1) a process of blocking the specific active host from the network through at least one of the access switches and then sending an alarm to a network controller managing the network, and (ii-2) a process of sending the alarm to the network controller without blocking the specific active host from the network, so as to support the network controller in determining whether to block the specific active host from the network. An access switch that performs one of the processes. In Article 16,
The above processor causes the security engine corresponding to the specific virtual host to transmit the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller updates the malware database stored in the network controller with reference to the result of analyzing the unidentified malware, and when a profile corresponding to the unidentified malware including a behavior pattern of the unidentified malware is received from the network controller, the access switch updates the pre-registered malware profiles. In Article 16,
The above processor is an access switch that causes the security engine to transmit the host scan packet and the data packet corresponding to the specific malware or the host scan packet and the data packet corresponding to the unidentified malware to the network controller, so that the network controller distinguishes the data packet and the host scan packet into either the data packet and the host scan packet corresponding to the specific malware or the host scan packet and the data packet corresponding to the unidentified malware, and stores and manages the data as back data for subsequent analysis. In Article 15,
The above processor,
An access switch which performs a process of verifying a destination IP address of the host scan packet in the above process (I), and (i) if the destination IP address of the host scan packet is the specific virtual host IP address, transmitting the host scan packet to the specific virtual host, and (ii) if the destination IP address of the host scan packet is a broadcast IP address, broadcasting the host scan packet to the active hosts on the network through a network stack and performing a process of duplicating the host scan packet and transmitting it to the specific virtual host. In Article 15,
The specific virtual host IP address and the specific virtual host MAC address are set by a network controller managing the network, and the network controller generates the specific virtual host IP address by using unused host addresses not used by the active hosts among all host addresses of the network, and an access switch generating the specific virtual host MAC address that matches the specific virtual host IP address and corresponds to the security engine. In Article 15,
The above processor,
In the above (I) process, an access switch that transmits the host scan packet to the specific virtual host to cause the security engine corresponding to the specific virtual host to identify the specific host scan method used in the host scan packet among preset host scan methods and generate the response packet, wherein the preset host scan methods include scan methods used in general networks and scan methods of confirmed malware. In a network controller that detects cyber threats to the network using virtual hosts,
Memory storing instructions for detecting cyber threats to the network using virtual hosts; and
A processor that performs an operation to detect cyber threats to the network using the virtual host according to the instructions stored in the memory;
Including,
The processor comprises: (I) a process for generating at least one first virtual host IP address to at least one nth virtual host IP address by using unused host addresses that are not used by active hosts, which are hosts connected to switching ports of a first access switch to an nth access switch, wherein n is an integer greater than or equal to 1, among all host addresses of the network, for allowing hosts to communicate with each other within the network, and generating at least one first virtual host MAC address corresponding to the first virtual host IP address to at least one nth virtual host MAC address corresponding to the nth virtual host IP address, and (II) transmitting the first virtual host IP address and the first virtual host MAC address to the first access switch to the nth access switch, respectively, so that the first access switch to the nth access switch, respectively, causes the first access switch to: (i) cause a first security engine installed inside the first access switch to the nth security engine installed inside the nth access switch to, respectively, execute at least one reference to the first virtual host IP address and the first virtual host MAC address. A network controller that performs a process of creating at least one nth virtual host referencing a first virtual host to the nth virtual host IP address and a nth virtual host MAC address, and (ii) scanning at least one of the first virtual host to the nth virtual host using at least one of the first virtual host IP address to the nth virtual host IP address, and then determining, through at least one of the first security engine to the nth security engine, a specific active host transmitting a data packet to at least one of the first virtual host to the nth virtual host and blocking the host from the network. In Article 22,
The processor generates malware profiles including operation patterns of already confirmed malware from a malware database storing operation patterns of the already confirmed malware, and transmits the malware profiles of the confirmed malware to each of the first security engine to the nth security engine, thereby causing each of the first security engine to the nth security engine to register malware profiles of the confirmed malware.
In the above (II) process, a specific security engine corresponding to a specific virtual host that has received the data packet analyzes the data code of the data packet to identify an analysis operation pattern that analyzes the operation pattern of the data code, and (i) if the analysis operation pattern matches a specific registered operation pattern among registered operation patterns corresponding to each of the pre-registered malware profiles, it is determined that the data code is specific malware corresponding to the specific registered operation pattern, and the specific active host is blocked from the network through at least one of the first access switch to the nth access switch, (ii) if the analysis operation pattern does not match each of the registered operation patterns, it is determined that the data code is unidentified malware, and (ii-1) a process of blocking the specific active host from the network through at least one of the first access switch to the nth access switch and then sending an alarm to the network controller, and (ii-2) sending the alarm to the network controller without blocking the specific active host from the network so that the network controller determines whether to block the specific active host from the network. A network controller that causes any one of the processes supporting decision making to be performed. In Article 23,
The above processor,
A network controller for, in the above (II) process, when a host scan packet and the data packet corresponding to the unidentified malware are received from the specific security engine, updating the malware database with reference to the result of analyzing the unidentified malware, generating an unidentified malware profile for the unidentified malware including a behavior pattern for the unidentified malware, and transmitting the unidentified malware profile to each of the first to nth security engines to cause each of the first to nth security engines to update the pre-registered malware profiles. In Article 23,
The above processor,
In the above (II) process, when a host scan packet and a data packet corresponding to the specific malware or a host scan packet and a data packet corresponding to the unidentified malware are received from the specific security engine, a network controller which distinguishes the data packet and the host scan packet into one of the data packet and the host scan packet corresponding to the specific malware and the host scan packet and the data packet corresponding to the unidentified malware, and stores and manages it as data for back data for subsequent analysis. In Article 22,
The above processor,
A network controller for grouping the unused host addresses into a 1_1 group to a 1_n group in the above process, and generating a first virtual host IP address referencing the unused host addresses of the 1_1 group to an n-th virtual host IP address referencing the unused host addresses of the 1_n group. In Article 22,
The above processor,
A network controller for grouping the entire host addresses into the 2_1 group to the 2_n group in the above process, and generating the first virtual host IP address referencing unused host addresses among the entire host addresses of the 2_1 group to the n-th virtual host IP address referencing unused host addresses among the entire host addresses of the 2_n group. In Article 22,
The above processor,
In the above (I) process, when the number of virtual hosts to be created on the network is m - wherein m is an integer greater than or equal to n -, a network controller which groups all host addresses into a 3_1-th group to a 3_m-th group, generates a 3_1-th virtual host IP address referencing an unused host address in the 3_1-th group to a 3_m-th virtual host IP address referencing an unused host address in the 3_m-th group, and groups the 3_1-th virtual host IP address to the 3_m-th virtual host IP address into n to generate the 1st virtual host IP address to the n-th virtual host IP address.