KR102810808B1 - Method for monitoring content activity by reconstructing content based on network packets and device performing thereof - Google Patents

Abstract

A method for restoring content by a device for monitoring content activity according to one embodiment of the present application is characterized by including the steps of collecting packet data from data traffic transmitted and received through a network, storing an original of the packet data on a disk, indexing the packet data to create a high-speed search DB, searching for a packet corresponding to a condition value in the high-speed search DB and confirming session information of the packet, searching for original data of packets related to the session information from the disk, and restoring the content by combining the searched original data.

Description

METHOD FOR MONITORING CONTENT ACTIVITY BY RECONSTRUCTING CONTENT BASED ON NETWORK PACKETS AND DEVICE PERFORMING THEREOF

The present application relates to a method for monitoring content activity by restoring content based on network packets and a device for performing the same.

NDLP (Network Data Loss Prevention) products are a group of products that analyze user content activities. Specifically, existing NDLP technology collects all packets sent and received through the network and analyzes patterns in advance for specific user services such as mail (e.g. SMTP, IMAP, POP3), webmail services (Naver, Kakao, Gmail, etc.), bulletin board post creation, comments, messengers, and query contents such as ChatGPT. Then, it monitors patterned packets and decodes and displays encoded contents.

Since the existing NDLP technology can only extract pre-patterned services, there is a problem that the patterns of recently created diverse services or service communication methods change and are therefore not extracted. In addition, packets are not extracted until the pattern for the changed service is updated, and even if the pattern is updated later and extraction is possible again, there is a problem that leakage incidents that occurred during the update cannot be confirmed. For example, since the communication methods of ChatGPT 3.0 and ChatGPT 4.0 are different, even if the pattern for ChatGPT 3.0 is known, packets using ChatGPT 4.0 cannot be extracted. In addition, ChatGPT 4.0 can be extracted after the pattern is updated by patterning ChatGPT 4.0, but if a data leakage occurs using ChatGPT 4.0 before the update, it cannot be confirmed.

Therefore, there is a need for a method that can continuously analyze packets without data loss.

The problem to be solved by the present invention is to provide a method for monitoring content activity by restoring content based on packets and a device for performing the same.

The problems to be solved by the present invention are not limited to the problems described above, and problems not mentioned can be clearly understood by a person having ordinary skill in the art to which the present invention belongs from this specification and the attached drawings.

A method for restoring content by a device for monitoring content activity according to one embodiment of the present invention may include the steps of collecting packet data from data traffic transmitted and received through a network, storing an original of the packet data on a disk, indexing the packet data to create a high-speed search DB, searching for a packet corresponding to a condition value in the high-speed search DB and confirming session information of the packet, searching for original data of packets related to the session information from the disk, and restoring the content by combining the searched original data.

According to one embodiment of the present invention, a device for monitoring content activity by restoring content based on network packets includes a communication unit for transmitting and receiving packets, a storage unit including a memory and a disk, and a processor, wherein the processor collects packet data from data traffic transmitted and received through a network, stores an original of the packet data in the disk, indexes the packet data to create a high-speed search DB, searches for packets corresponding to a condition value in the high-speed search DB, confirms session information of the packet, searches for original data of packets related to the session information in the disk, and restores the content by combining the original data of the packets.

The solutions to the problems of the present invention are not limited to the solutions described above, and solutions that are not mentioned can be clearly understood by a person having ordinary skill in the art to which the present invention pertains from this specification and the attached drawings.

According to one embodiment of the present invention, content can be restored using packets collected during a period that has already elapsed.

In addition, according to one embodiment of the present invention, continuous data restoration and analysis can be possible by rebuilding data without loss even when a service is changed using stored packets.

Figure 1 is a block diagram briefly illustrating the configuration of a device according to one embodiment of the present application.
FIG. 2 is a block diagram briefly illustrating the configuration of a processor according to one embodiment of the present application.
FIG. 3 is a drawing for explaining a method for creating a high-speed search DB according to one embodiment of the present application.
FIG. 4 is a diagram for explaining a method for searching original data of packets corresponding to condition values according to one embodiment of the present application.
FIG. 5 is a diagram illustrating original data of content according to one embodiment of the present application.
FIG. 6 is a diagram for explaining a method of restoring content by combining retrieved original data according to one embodiment of the present application.
FIG. 7 is a drawing illustrating a screen displaying restored content according to one embodiment of the present application.
FIG. 8 is a flowchart illustrating a method for monitoring content activity by restoring content based on network packets according to one embodiment of the present application.
FIG. 9 is a diagram for explaining a method for monitoring content activity by restoring content based on network packets according to one embodiment of the present application.

The above-described objects, features and advantages of the present application will become more apparent through the following detailed description with reference to the attached drawings. However, since the present application may have various modifications and various embodiments, specific embodiments will be illustrated in the drawings and described in detail below.

Throughout the specification, the same reference numerals, in principle, represent the same components. In addition, components that have the same function within the scope of the same idea shown in the drawings of each embodiment are described using the same reference numerals, and redundant descriptions thereof are omitted.

If it is determined that a detailed description of a known function or configuration related to the present application may unnecessarily obscure the gist of the present application, the detailed description will be omitted. In addition, the numbers (e.g., first, second, etc.) used in the description of this specification are merely identifiers to distinguish one component from another.

In addition, the suffixes “module” and “part” for components used in the following examples are given or used interchangeably only for the convenience of writing the specification, and do not have distinct meanings or roles in themselves.

In the examples below, singular expressions include plural expressions unless the context clearly indicates otherwise.

In the examples below, terms such as “include” or “have” mean that a feature or component described in the specification is present, and do not exclude in advance the possibility that one or more other features or components may be added.

In the drawings, the sizes of components may be exaggerated or reduced for convenience of explanation. For example, the sizes and thicknesses of each component shown in the drawings are arbitrarily shown for convenience of explanation, and the present invention is not necessarily limited to what is shown.

In some embodiments, where the implementation is otherwise feasible, the order of specific processes may be performed differently from the order described. For example, two processes described in succession may be performed substantially simultaneously, or may be performed in an order opposite to the order described.

In the examples below, when components are said to be connected, this includes not only cases where the components are directly connected, but also cases where components are interposed between the components and are indirectly connected.

For example, when it is said in this specification that components, etc. are electrically connected, it includes not only cases where the components, etc. are directly electrically connected, but also cases where components, etc. are interposed and indirectly electrically connected.

Meanwhile, in this specification, content refers to various information or contents provided through networks such as mail, messenger, translator, and posting, and may be various information or contents processed and distributed digitally such as letters, codes, voices, sounds, images, and videos.

Hereinafter, with reference to FIGS. 1 to 9, a method for monitoring content activity by restoring content based on network packets of the present application and a device for performing the same are described.

FIG. 1 is a block diagram briefly illustrating the configuration of a device according to one embodiment of the present application. Referring to FIG. 1, the device (100) may include a communication unit (110), a processor (120), and a storage unit (130). (130) may include a memory and a disk.

The communication unit (110) may support establishment of a direct (wired) communication channel or a wireless communication channel between the device (100) and an external device (e.g., a server), and performance of communication through the established communication channel. The communication unit (110) may include one or more communication processors that operate independently from the processor (120) (e.g., an application processor) and support direct (e.g., wired) communication or wireless communication. According to one embodiment, the communication unit (110) may include a wireless communication module (e.g., a cellular communication module, a short-range wireless communication module, or a GNSS (global navigation satellite system) communication module) or a wired communication module (e.g., a local area network (LAN) communication module, or a power line communication module).

The communication unit (110) can send and receive packets over a network. For example, when accessing a website, the communication unit (110) can connect a session and send and receive packets.

The processor (120) may execute software to control at least one other component (e.g., a hardware or software component) of the device (100) connected to the processor (120), and may perform various data processing operations. According to one embodiment, as at least a part of the data processing or operation, the processor (120) may store a command or data received from another component (e.g., a communication unit (110)) in a volatile memory, process the command or data stored in the volatile memory, and store result data in a non-volatile memory. According to one embodiment, the processor (120) may include a main processor (e.g., a central processing unit or an application processor) or an auxiliary processor (e.g., a graphics processing unit, a neural processing unit (NPU), an image signal processor, a sensor hub processor, or a communication processor) that can operate independently of or together with the main processor. For example, when the electronic device (100) includes a main processor and an auxiliary processor, the auxiliary processor may be configured to use lower power than the main processor or to be specialized for a given function. The auxiliary processor may be implemented separately from the main processor, or as a part of the main processor. The auxiliary processor may control at least a portion of the functions or states associated with at least one of the components of the electronic device (100), for example, on behalf of the main processor while the main processor is in an inactive (e.g., sleep) state, or together with the main processor while the main processor is in an active (e.g., application execution) state.

The processor (120) can collect packet data from data traffic transmitted and received through a network and store the original packet data on a disk.

The processor (120) can index information such as the departure IPs, arrival IPs, applications, upload data, download data, and communication protocols of packet data using metadata of packet data stored on a disk at preset intervals, and create a high-speed search DB.

The processor (120) can search for a packet corresponding to a condition value in a high-speed search DB and check the session information of the packet. Specifically, the processor (120) can search for a packet in which some of the information, such as the packet's departure IP, arrival IP, or application, corresponds to a specified condition. Or, if a search period for a period that has already elapsed is input, the processor (120) can search for a packet corresponding to the condition value among packet data collected during the search period in the high-speed search DB. In addition, the processor (120) can check the IP, Port, Timestamp, etc. and session information.

The processor (120) can search for original data of packets related to session information from the disk. Specifically, the processor (120) can search for original data of all packets transmitted and received in the session. At this time, packets related to session information may be packets that share information about the same content.

The processor (120) can restore content by combining original data of packets. Specifically, the processor (120) can sequentially combine original data of packets retrieved from a disk to generate content original data. In addition, the processor (120) can distinguish the type of content original data among a plurality of parsers, and parse and decode the content original data using a parser corresponding to the type of content original data. In addition, the processor (120) can display the restored content on the screen.

The storage (130) can store various data used by at least one component (e.g., processor (120)) of the device (100). The data can include, for example, input data or output data for software and commands related thereto. The storage (130) can include volatile memory or nonvolatile memory, and can include memory and a disk.

The storage unit (130) can store a high-speed search DB. In addition, the original of the collected packet data can be stored in the storage unit (130) (e.g., a disk).

The display (140) can visually present information to an external party (e.g., a user) of the device (100). For example, the display (140) can include a display, a holographic device, or a projector and control circuitry for controlling the device.

The display (140) can display a restored content screen.

FIG. 2 is a block diagram briefly illustrating a configuration of a processor according to one embodiment of the present application. FIG. 2 will be described in more detail with reference to FIGS. 3 to 7. FIG. 3 is a diagram illustrating a method for generating a high-speed search DB according to one embodiment of the present application. FIG. 4 is a diagram illustrating a method for searching original data of packets corresponding to condition values according to one embodiment of the present application. FIG. 5 is a diagram illustrating original data of content according to one embodiment of the present application. FIG. 6 is a diagram illustrating a method for restoring content by combining searched original data according to one embodiment of the present application. FIG. 7 is a diagram illustrating a screen displaying restored content according to one embodiment of the present application.

Referring to FIG. 2, the processor (120) may include a high-speed search DB generation unit (121), a content original data generation unit (123), and a content restoration unit (125).

The high-speed search DB generation unit (121) can collect packet data from data traffic transmitted and received through a network. In addition, the high-speed search DB generation unit (121) can store the original of the collected packet data in a disk at once. In addition, the high-speed search DB generation unit (121) can analyze the stored packet data at each interval (for example, 1 minute). Specifically, the high-speed search DB generation unit (121) can index information such as the departure IPs, arrival IPs, applications, upload data, download data, and communication protocols of the packet data using metadata of the packet data stored for 1 minute. In addition, the high-speed search DB generation unit (121) can generate a high-speed search DB based on the indexed information.

For example, referring to FIG. 3, when a packet source is generated (S1) through a network, a high-speed search DB generation unit (121) can collect (S2) the generated packet source using a sensor. Then, the high-speed search DB generation unit (121) can store (S4) the collected packets in bulk on a disk (packet source storage). Then, the high-speed search DB generation unit (121) can analyze (S5) the packets stored in bulk once every minute using a parser. Then, the high-speed search DB generation unit (121) can create (S6) a high-speed search DB based on the analyzed information using qsearch.

The content original data generation unit (123) can search for packets corresponding to condition values in the high-speed search DB and check session information of the searched packets. For example, the session information can be information such as IP, Port, Timestamp, etc., and the condition value can be at least one of the packet's source IP, destination IP, or application. For example, a user can set conditions for posting articles on a specific website, conditions for sending emails, and cases of writing comments on a specific bulletin board as condition values. In addition, the content original data generation unit (123) can search for original data of packets related to the confirmed session information. For example, the original data of all packets transmitted and received in the confirmed session can be searched for. In addition, the content original data generation unit (123) can generate content original data by sequentially combining the searched original packets. The generated content original data can be stored in a specific directory.

Meanwhile, the content original data generation unit (123) can search for packets corresponding to condition values in the high-speed search DB in real time. At this time, the condition value may be a pattern of a packet that has been patterned in advance. For example, the content original data generation unit (123) can patternize the characteristics of a specific application and determine which application or service a newly generated packet is based on this. In this case, if a packet that has been patterned in advance is generated in real time, the original data can be searched.

In addition, the content original data generation unit (123) can search for packets corresponding to condition values in the high-speed search DB at a time specified by the user. For example, the content original data generation unit (123) can receive an input for setting a search period for an already elapsed period, and search for packets corresponding to the condition values among packet data collected during the search period. In the present invention, packets for an elapsed period can be searched by storing the original packet data on a disk rather than a memory.

For example, referring to FIG. 4, the content original data generation unit (123) can check whether there is data traffic that occurred in a specified time zone using a condition value in a high-speed search DB in real time or at a time specified by a user (S11). At this time, the condition value may be a temporary storage in a webmail, and packets stored in the high-speed search DB are indexed by departure IP, arrival IP, application information, etc., so that packet search is possible at high speed. In addition, the content original data generation unit (123) can check session information (e.g., IP, Port, Timestamp, etc.) corresponding to the condition value (S12). In addition, the content original data generation unit (123) can check the original data of all packets related to the session corresponding to the condition value among the original data of packets stored in the disk (S13). In addition, the content original data generation unit (123) can sequentially combine the original data of the confirmed packets to generate content original data (S14) and store it in a specific directory (S15). As shown in Fig. 5, since the content original data is data in an encoded state, the user cannot check the content with the content original data.

The content restoration unit (125) can restore the content by combining the searched original data. Specifically, the content restoration unit (125) can distinguish the type of the original data by using a plurality of parsers. Then, the content restoration unit (125) can decode the content original data so that it can be displayed on the screen by using a parser corresponding to the type of the content original data among the plurality of parsers. For example, the content restoration unit (125) can extract metadata by parsing the contents such as the title and contents from the content original data. At this time, the extracted metadata can be stored in a high-speed search DB and used for packet search later. Then, the content restoration unit (125) can restore and display the screen that was previously displayed on the screen by decoding it according to the format of the title, contents, etc.

For example, referring to FIG. 6, if we look at an example of restoring content that a user previously temporarily saved as a webmail, the content restoration unit (125) can extract metadata (S21) by parsing contents such as recipient, sender, reference, subject, file name, token ID, and body from the temporarily saved webmail original data using a parser corresponding to the type of original data among a plurality of parsers. Then, the content restoration unit (125) can store the extracted metadata in a high-speed search DB (S22). Then, the content restoration unit (125) can restore the previously displayed webmail screen as it is by decoding it according to the body format, and display the restored webmail screen (S23). In most cases, the body and attached files in webmail can be generated as different sessions. When composing an email, the body of the email is automatically saved every cycle, and the attached file can be uploaded only when it is moved to the browser. And, by executing mail transmission later, a single mail can be completed by using the token ID value that confirms that the completed mail body and the uploaded attachment file have the same content. Therefore, the content restoration unit (125) can perform parsing on the mail body and check whether there was an attachment file using the token ID (S24). And, the content restoration unit (125) can map the body and the attachment file, and display the restored webmail screen while also displaying the attachment file. For example, as shown in FIG. 7, the content restoration unit (125) can display the previously displayed webmail screen and the attachment file together.

FIG. 8 is a flowchart illustrating a method for monitoring content activity by restoring content based on network packets according to one embodiment of the present application. The operations in FIG. 8 are not limited in order, and other operations may be performed between two adjacent operations. In addition, at least some of the operations in FIG. 8 may be omitted. In the present invention, the expression that the electronic device (100) performs a specific operation may mean that the processor (120) of the electronic device (100) performs a specific operation, or that the processor (120) controls other hardware to perform a specific operation.

Referring to FIG. 8, the device (100) can collect packet data (S100). Specifically, the device (100) can collect packet data from data traffic transmitted and received through a network.

The device (100) can store the original of packet data on a disk (S200). Specifically, the device (100) can store the original of collected packet data in bulk on the disk.

The device (100) can create a high-speed search DB by indexing packet data (S300). Specifically, the device (100) can create a high-speed search DB by indexing information such as the departure IPs, arrival IPs, applications, upload data, download data, and communication protocols of packet data using metadata of the stored packet data at preset intervals.

The device (100) can search for a packet corresponding to a condition value in a high-speed search DB and check the session information of the packet (S400). Specifically, the device (100) can search for a packet in which some of the information, such as the packet's departure IP, arrival IP, or application, corresponds to a specified condition. Or, if a search period for a period that has already elapsed is input, the device (100) can search for a packet corresponding to the condition value among packet data collected during the search period in the high-speed search DB. In addition, the device (100) can check the IP, Port, Timestamp, etc. and session information.

The device (100) can search for original data of packets related to session information on the disk (S500). Specifically, the device (100) can search for original data of all packets transmitted and received in the session. At this time, packets related to session information may be packets that share information about the same content.

The device (100) can restore content by combining original data of packets (S600). Specifically, the device (100) can sequentially combine original data of packets retrieved from a disk to generate content original data. At this time, since the content original data is in an encoded state, the user cannot check the content. Therefore, the device (100) can distinguish the type of content original data among a plurality of parsers, and parse and decode the content original data using a parser corresponding to the type of content original data. Then, the device (100) can display the restored content on the screen.

FIG. 9 is a diagram for explaining a method for monitoring content activity by restoring content based on network packets according to one embodiment of the present application. The content extraction engine and the content restoration engine of FIG. 9 are components included in the processor (120) of FIG. 1. Referring to FIG. 9, the content analysis service can restore the user's content by using the content extraction engine and the content restoration engine based on the extraction (search) pattern defined by the user. The content extraction engine and the content restoration engine can extract the data desired by the user by receiving the time value for defining the extraction range and the patterns of the extraction target service as condition values. In the case of rebuilding, the content can be restored by extracting the desired time and pattern from the user as condition values and re-extracting them once. In this case, the desired content can be extracted from all packets without any packets being lost due to the service method, etc.

The content extraction engine can extract and combine packets that have exchanged data among packets for a specific service from among the original packets stored using IP, URL, and various metadata in a user-defined extraction pattern to create original content data. In addition, the content extraction engine can also compress, encrypt, and decrypt the original content data.

The content restoration engine can restore the extracted content original data to be identical to the content displayed on the screen. The extracted content original data can be composed of various types. Therefore, the content restoration engine can distinguish the data using Multi-Part, Json, Split, MIME, XML, File, Json Multi-Part, Text, HTML parsers, etc. for processing various types of data, and can additionally parse the detailed contents by specifying a specific key and value in the contents. In addition, the content restoration engine can decode the encoded contents of the content original data into human-readable contents (content that can be displayed on the screen) and display them on the screen.

According to a method for monitoring content activity by restoring content according to one embodiment of the present invention and a device for performing the same, there is an advantage in that content provided to a user can be restored by using previously transmitted and received packets.

The features, structures, effects, etc. described in the embodiments above are included in at least one embodiment of the present invention, and are not necessarily limited to only one embodiment. Furthermore, the features, structures, effects, etc. exemplified in each embodiment can be combined or modified and implemented in other embodiments by a person having ordinary knowledge in the field to which the embodiments belong. Therefore, the contents related to such combinations and modifications should be interpreted as being included in the scope of the present invention.

In addition, although the above has been described focusing on the embodiments, this is only an example and does not limit the present invention, and those with ordinary knowledge in the field to which the present invention pertains will know that various modifications and applications not exemplified above are possible without departing from the essential characteristics of the present embodiment. In other words, each component specifically shown in the embodiments can be modified and implemented. And the differences related to such modifications and applications should be interpreted as being included in the scope of the present invention defined in the appended claims.

100: Device
110: Communications Department
120: Processor
130: Storage
140: Display

Claims (10)

In a method for restoring content by a device that monitors content activity,
A step of collecting packet data from data traffic transmitted and received over a network;
A step of saving the original data of the above packet data to a disk;
A step of creating a high-speed search DB by indexing the above packet data;
A step of searching for a packet corresponding to a condition value in the high-speed search DB and confirming session information of the session in which the packet was transmitted and received;
A step of searching for original data of packets transmitted and received through the session based on the session information confirmed on the disk;
A step of sequentially combining the above searched original data to create content original data;
A step of determining a parser corresponding to the type of the original content data among multiple parsers;
A step of decoding the content original data so that it can be displayed on the screen using the above-determined parser; and
a step of displaying the restored content;
How to restore content.
In the first paragraph,
The step of creating a high-speed search DB by indexing the above packet data is:
A step of analyzing the original packet data stored on the disk at preset intervals; and
A step of indexing the packet's origin IP, destination IP, and application information based on the above analysis;
How to restore content.
In the first paragraph,
The above condition value includes at least one of the packet's source IP, destination IP, or application.
How to restore content.
In the first paragraph,
The step of searching for a packet corresponding to a condition value in the above high-speed search DB and checking the session information of the packet is as follows.
A step for receiving an input setting a search period for a period that has already elapsed; and
A step of searching for a packet corresponding to the condition value among packet data collected during the search period;
How to restore content.
In the first paragraph,
The step of retrieving the original data of packets related to the session information from the above disk is:
A step of distinguishing the type of the original data using multiple parsers; including;
How to restore content.
delete delete A computer-readable recording medium having recorded thereon a program for causing a computer to execute a method according to any one of claims 1 to 5.
In a device that monitors content activity by restoring content based on network packets,
A communication unit that sends and receives packets;
Storage unit including memory and disk;
A display that displays content; and
a processor; including;
The above processor,
Collect packet data from data traffic transmitted and received over the network,
Save the original data of the above packet data to the above disk,
Create a high-speed search DB by indexing the above packet data,
Search for a packet corresponding to a condition value in the above high-speed search DB, and check the session information of the session in which the packet was transmitted and received.
Based on the session information confirmed on the above disk, the original data of packets transmitted and received through the above session is retrieved,
The above searched original data is sequentially combined to create content original data,
Among multiple parsers, determine the parser that corresponds to the type of the original content data,
Using the above judged parser, restore the original content data so that it can be displayed on the screen,
Displaying the restored content above,
device.
delete