[go: up one dir, main page]

TWI871153B - Security managing module and security managing method for endpoint device - Google Patents

Security managing module and security managing method for endpoint device Download PDF

Info

Publication number
TWI871153B
TWI871153B TW112151046A TW112151046A TWI871153B TW I871153 B TWI871153 B TW I871153B TW 112151046 A TW112151046 A TW 112151046A TW 112151046 A TW112151046 A TW 112151046A TW I871153 B TWI871153 B TW I871153B
Authority
TW
Taiwan
Prior art keywords
program
communication
whitelist
features
data packet
Prior art date
Application number
TW112151046A
Other languages
Chinese (zh)
Other versions
TW202527511A (en
Inventor
卓傳育
林育生
賴佳宏
楊惠國
Original Assignee
財團法人工業技術研究院
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 財團法人工業技術研究院 filed Critical 財團法人工業技術研究院
Priority to TW112151046A priority Critical patent/TWI871153B/en
Application granted granted Critical
Publication of TWI871153B publication Critical patent/TWI871153B/en
Publication of TW202527511A publication Critical patent/TW202527511A/en

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A security managing module, includes the following elements. A capturing unit, for capturing a plurality of first program features of an application program, and capturing a plurality of first communication features of a data packet. An analyzing unit, for analyzing the first program features to generate a plurality of second program features, filtering the data packet based on a communication operation of the data packet, and analyzing the first communication features of the filtered data packet to generate a plurality of second communication features. A rule establishing unit, for establishing a candidate rule based on the first program features and the first communication features. A rule filtering unit, for filtering the candidate rule based on a trust interval to generate a allow list. A security control unit, for executing a security control based on the allow list.

Description

用於端點裝置之安全管理模組與安全管理方法 Security management module and security management method for endpoint devices

本揭示關於一種資料處理模組與其處理方法,特別有關於一種提供端點裝置之資訊安全的安全管理模組與安全管理方法。 This disclosure relates to a data processing module and a processing method thereof, and in particular to a security management module and a security management method for providing information security for an endpoint device.

隨著資料中心之分布式應用程式之數量大幅增加,通訊網路之資訊安全日漸重要,以防止惡意程式與入侵行為。通訊網路與主機裝置的管理員多以手動方式設定應用程式行為白名單及網路通訊白名單。然而,當資料中心的伺服器主機之數量較多時,管理員手動設定白名單將成為沉重負擔。 As the number of distributed applications in data centers increases dramatically, information security of communication networks becomes increasingly important to prevent malicious programs and intrusions. Administrators of communication networks and host devices often manually set up application behavior whitelists and network communication whitelists. However, when the number of server hosts in a data center is large, it will become a heavy burden for administrators to manually set up whitelists.

針對於上述議題,需要提供自動化的安全管理模組,能夠自動化地建立白名單並動態地更新白名單,且能夠自動化地針對惡意程式及不合法訪問執行安全控制。 To address the above issues, an automated security management module is needed that can automatically create and dynamically update whitelists, and automatically perform security controls against malicious programs and illegal access.

根據本揭示之一方面,提供一種安全管理模組,包括以下元件。擷取單元,用於擷取應用程式的複數個第一程式特徵,並且擷取資料封包的複數個第一通訊特徵。分析單元,用於 分析第一程式特徵以產生複數個第二程式特徵,依據資料封包的一通訊運作篩選資料封包,並且分析篩選後的資料封包的第一通訊特徵以產生複數個第二通訊特徵。規則建立單元,用於依據第一程式特徵與第一通訊特徵建立候選規則。規則篩選單元,用於依據信賴區間篩選候選規則以產生白名單。安全控制單元,用於依據白名單執行安全控制。 According to one aspect of the present disclosure, a security management module is provided, comprising the following elements. An acquisition unit for acquiring a plurality of first program features of an application and a plurality of first communication features of a data packet. An analysis unit for analyzing the first program features to generate a plurality of second program features, filtering the data packet according to a communication operation of the data packet, and analyzing the first communication features of the filtered data packet to generate a plurality of second communication features. A rule establishment unit for establishing candidate rules according to the first program features and the first communication features. A rule screening unit for screening the candidate rules according to the trust interval to generate a whitelist. A security control unit for performing security control according to the whitelist.

根據本揭示之另一方面,提供一種安全管理方法,包括以下步驟。擷取應用程式的複數個第一程式特徵。擷取資料封包的複數個第一通訊特徵。分析第一程式特徵以產生複數個第二程式特徵。依據資料封包的一通訊運作篩選資料封包。分析篩選後的資料封包的第一通訊特徵以產生複數個第二通訊特徵。依據第一程式特徵與第一通訊特徵建立候選規則。依據信賴區間篩選候選規則以產生白名單。依據白名單執行安全控制。 According to another aspect of the present disclosure, a security management method is provided, comprising the following steps. Capturing a plurality of first program features of an application. Capturing a plurality of first communication features of a data packet. Analyzing the first program features to generate a plurality of second program features. Filtering the data packet according to a communication operation of the data packet. Analyzing the first communication features of the filtered data packet to generate a plurality of second communication features. Establishing candidate rules according to the first program features and the first communication features. Filtering the candidate rules according to the trust interval to generate a whitelist. Performing security control according to the whitelist.

根據本揭示之又一方面,提供一種非暫態電腦可讀取媒體,當被包括處理器與儲存裝置的主機裝置所讀取時,主機裝置執行安全管理方法。 According to another aspect of the present disclosure, a non-transitory computer-readable medium is provided, and when read by a host device including a processor and a storage device, the host device executes a security management method.

透過閱讀以下圖式、詳細說明以及申請專利範圍,可見本揭示之其它方面以及優點。 Other aspects and advantages of the present disclosure may be seen by reading the following drawings, detailed descriptions and claims.

1000,1000a,1000b:安全管理模組 1000,1000a,1000b: Security management module

2000:主機裝置 2000: Host device

2000a,2000b:虛擬機 2000a,2000b:Virtual machines

3000:通訊網路 3000: Communication network

100,100a,100b:擷取單元 100,100a,100b: Capture unit

110:程式特徵擷取單元 110: Program feature extraction unit

120:通訊特徵擷取單元 120: Communication feature acquisition unit

200,200a,200b:分析單元 200,200a,200b:Analysis unit

210:程式特徵分析單元 210: Program feature analysis unit

220:通訊特徵分析單元 220: Communication feature analysis unit

300,300a,300b:規則建立單元 300,300a,300b: Rule creation unit

400,400a,400b:規則篩選單元 400,400a,400b: Rule filtering unit

500,500a,500b:安全控制單元 500,500a,500b: Safety control unit

600:防火牆機制 600: Firewall mechanism

PF1:第一程式特徵 PF1: First Program Feature

PF2:第二程式特徵 PF2: Second Program Features

CF1:第一通訊特徵 CF1: First Communication Feature

CF2:第二通訊特徵 CF2: Second communication feature

RL:候選規則 RL: Candidate rules

WL:白名單 WL: Whitelist

P_WL:程式白名單 P_WL: Program Whitelist

C_WL:通訊白名單 C_WL: Communication whitelist

AP(1):應用程式 AP(1):Application

PK(1):資料封包 PK(1):Data packet

PK(2),PK(3):待測資料封包 PK(2),PK(3): Data packets to be tested

E(1):事件 E(1): Event

S302~S314:步驟 S302~S314: Steps

4010:醫療環境 4010: Medical environment

10:遙控裝置 10: Remote control device

20:達文西手臂 20:Da Vinci Arm

30:惡意第三方 30: Malicious third party

FF_L:前饋連結 FF_L: Feedback link

FB_L:反饋連結 FB_L: Feedback link

4020:工業控制系統 4020: Industrial Control Systems

41,43:生產機台 41,43: Production machines

42:控制主機 42: Control host

44:周邊設施 44: Peripheral facilities

第1圖,其繪示本揭示一實施例的安全管理模組的方塊圖,並繪示安全管理模組的運作。 Figure 1 shows a block diagram of a security management module of an embodiment of the present disclosure and illustrates the operation of the security management module.

第2圖繪示本揭示另一實施例的安全管理模組1000a與1000b的示意圖。 FIG. 2 is a schematic diagram of the security management modules 1000a and 1000b of another embodiment of the present disclosure.

第3圖繪示本揭示一實施例的安全管理方法的流程圖。 Figure 3 shows a flow chart of a security management method according to an embodiment of the present disclosure.

第4圖繪示安全管理模組應用於醫療環境的實施例之示意圖。 Figure 4 shows a schematic diagram of an implementation example of the safety management module being applied in a medical environment.

第5圖繪示安全管理模組應用於工業控制系統的實施例之示意圖。 Figure 5 shows a schematic diagram of an implementation example of the safety management module being applied to an industrial control system.

本說明書的技術用語係參照本技術領域之習慣用語,如本說明書對部分用語有加以說明或定義,該部分用語之解釋係以本說明書之說明或定義為準。本揭示之各個實施例分別具有一或多個技術特徵。在可能實施的前提下,本技術領域具有通常知識者可選擇性地實施任一實施例中部分或全部的技術特徵,或者選擇性地將這些實施例中部分或全部的技術特徵加以組合。 The technical terms in this specification refer to the customary terms in this technical field. If this specification explains or defines some terms, the interpretation of these terms shall be based on the explanation or definition in this specification. Each embodiment disclosed in this disclosure has one or more technical features. Under the premise of possible implementation, a person with ordinary knowledge in this technical field can selectively implement some or all of the technical features in any embodiment, or selectively combine some or all of the technical features in these embodiments.

請參見第1圖,其繪示本揭示一實施例的安全管理模組1000的方塊圖,並繪示安全管理模組1000的運作。安全管理模組1000可以是一套軟體程式,其安裝並執行於主機裝置2000。主機裝置2000包括處理器與儲存裝置(圖中未顯示),儲存裝置具有非暫態的電腦可讀取媒體,例如是非揮發性的記憶體或硬碟。安全管理模組1000的程式碼儲存於主機裝置2000的儲存裝置的非暫態的電腦可讀取媒體之中,當安全管理模組1000 的程式碼被主機裝置2000讀取時,主機裝置2000執行安全管理模組1000的程式碼,據以實施安全管理模組1000的各項運作。 Please refer to FIG. 1, which shows a block diagram of a security management module 1000 according to an embodiment of the present disclosure, and illustrates the operation of the security management module 1000. The security management module 1000 may be a set of software programs installed and executed on a host device 2000. The host device 2000 includes a processor and a storage device (not shown in the figure), and the storage device has a non-transient computer-readable medium, such as a non-volatile memory or a hard disk. The program code of the security management module 1000 is stored in a non-transitory computer-readable medium of the storage device of the host device 2000. When the program code of the security management module 1000 is read by the host device 2000, the host device 2000 executes the program code of the security management module 1000 to implement various operations of the security management module 1000.

在另一種示例中,安全管理模組1000可以是一個獨立的硬體元件(例如是微控制器(micro-processor)或特殊應用積體電路(ASIC)),可協同於主機裝置2000而執行。 In another example, the security management module 1000 may be an independent hardware component (such as a micro-processor or an application-specific integrated circuit (ASIC)) that can be executed in conjunction with the host device 2000.

安全管理模組1000是應用於主機裝置2000與通訊網路3000。主機裝置2000是一個端點裝置(即,終端節點),通訊網路3000安裝於主機裝置2000。安全管理模組1000對於主機裝置2000與通訊網路3000之中的事件E(1)進行分析。事件E(1)包括應用程式AP(1)以及資料封包PK(1)。應用程式AP(1)是相關於主機裝置2000,應用程式AP(1)是執行於主機裝置2000的作業平台。並且,資料封包PK(1)是相關於通訊網路3000,資料封包PK(1)是經由通訊網路3000進行傳遞而傳送至主機裝置2000。 The security management module 1000 is applied to the host device 2000 and the communication network 3000. The host device 2000 is an endpoint device (i.e., a terminal node), and the communication network 3000 is installed on the host device 2000. The security management module 1000 analyzes the event E(1) between the host device 2000 and the communication network 3000. The event E(1) includes an application AP(1) and a data packet PK(1). The application AP(1) is related to the host device 2000, and the application AP(1) is an operating platform executed on the host device 2000. Furthermore, the data packet PK(1) is related to the communication network 3000, and the data packet PK(1) is transmitted via the communication network 3000 and sent to the host device 2000.

安全管理模組1000包括擷取單元100、分析單元200、規則建立單元300、規則篩選單元400與安全控制單元500。上述單元分別是安全管理模組1000之中的子程式模組。其中,擷取單元100更包括程式特徵擷取單元110與通訊特徵擷取單元120。並且,分析單元200更包括程式特徵分析單元210與通訊特徵分析單元220。 The security management module 1000 includes a capture unit 100, an analysis unit 200, a rule creation unit 300, a rule screening unit 400 and a security control unit 500. The above units are sub-program modules in the security management module 1000. Among them, the capture unit 100 further includes a program feature capture unit 110 and a communication feature capture unit 120. In addition, the analysis unit 200 further includes a program feature analysis unit 210 and a communication feature analysis unit 220.

應用程式AP(1)與資料封包PK(1)是安全管理模組1000所監測的待測目標。擷取單元100從通訊網路3000與主機 裝置2000擷取應用程式AP(1)與資料封包PK(1)各自的特徵。更具體而言,擷取單元100的程式特徵擷取單元110從主機裝置2000擷取應用程式AP(1)的第一程式特徵PF1。並且,擷取單元100的通訊特徵擷取單元120從通訊網路3000擷取資料封包PK(1)的第一通訊特徵CF1。 The application AP(1) and the data packet PK(1) are the targets to be tested monitored by the security management module 1000. The capture unit 100 captures the respective features of the application AP(1) and the data packet PK(1) from the communication network 3000 and the host device 2000. More specifically, the program feature capture unit 110 of the capture unit 100 captures the first program feature PF1 of the application AP(1) from the host device 2000. Furthermore, the communication feature capture unit 120 of the capture unit 100 captures the first communication feature CF1 of the data packet PK(1) from the communication network 3000.

分析單元200耦接於擷取單元100以接收應用程式AP(1)的第一程式特徵PF1與資料封包PK(1)的第一通訊特徵CF1。其中,分析單元200的程式特徵分析單元210耦接於程式特徵擷取單元110以接收第一程式特徵PF1,並且程式特徵分析單元210對於第一程式特徵PF1進行分析以產生第二程式特徵PF2。類似地,分析單元200的通訊特徵分析單元220耦接於通訊特徵擷取單元120以接收第一通訊特徵CF1,並且通訊特徵分析單元220對於第一通訊特徵CF1進行分析以產生第二通訊特徵CF2。 The analysis unit 200 is coupled to the capture unit 100 to receive the first program feature PF1 of the application program AP(1) and the first communication feature CF1 of the data packet PK(1). The program feature analysis unit 210 of the analysis unit 200 is coupled to the program feature capture unit 110 to receive the first program feature PF1, and the program feature analysis unit 210 analyzes the first program feature PF1 to generate the second program feature PF2. Similarly, the communication feature analysis unit 220 of the analysis unit 200 is coupled to the communication feature capture unit 120 to receive the first communication feature CF1, and the communication feature analysis unit 220 analyzes the first communication feature CF1 to generate the second communication feature CF2.

規則建立單元300耦接於擷取單元100以接收第一程式特徵PF1及第一通訊特徵CF1,並耦接於分析單元200以接收第二程式特徵PF2及第二通訊特徵CF2。規則建立單元300依據應用程式AP(1)的第一程式特徵PF1以及資料封包PK(1)的第一通訊特徵CF1歸納出正常行為模式下的程式特徵與通訊特徵,據以建立候選規則RL。例如,在正常行為模式下的通訊特徵之中,資料封包PK(1)之通訊傳輸的單位流量變化是「1GB」。並且,可選擇地,規則建立單元300更可進一步依據應用程式AP(1)的 第二程式特徵PF2與資料封包PK(1)的第二通訊特徵CF2來建立候選規則RL。換言之,當建立候選規則RL時,規則建立單元300必須藉由分析第一程式特徵PF1及第一通訊特徵CF1,然而第二程式特徵PF2及第二通訊特徵CF2是非必要的(僅作為輔助)。 The rule establishment unit 300 is coupled to the capture unit 100 to receive the first program feature PF1 and the first communication feature CF1, and is coupled to the analysis unit 200 to receive the second program feature PF2 and the second communication feature CF2. The rule establishment unit 300 summarizes the program features and communication features under the normal behavior mode according to the first program feature PF1 of the application program AP(1) and the first communication feature CF1 of the data packet PK(1), and establishes the candidate rule RL accordingly. For example, among the communication features under the normal behavior mode, the unit flow change of the communication transmission of the data packet PK(1) is "1GB". Furthermore, optionally, the rule establishment unit 300 may further establish the candidate rule RL according to the second program feature PF2 of the application program AP(1) and the second communication feature CF2 of the data packet PK(1). In other words, when establishing the candidate rule RL, the rule establishment unit 300 must analyze the first program feature PF1 and the first communication feature CF1, but the second program feature PF2 and the second communication feature CF2 are not necessary (only as an auxiliary).

規則篩選單元400耦接於規則建立單元300以接收候選規則RL。並且,規則篩選單元400依據信賴區間篩選候選規則RL以產生白名單WL。白名單WL包括程式白名單P_WL與通訊白名單C_WL。 The rule screening unit 400 is coupled to the rule creation unit 300 to receive the candidate rule RL. Furthermore, the rule screening unit 400 screens the candidate rule RL according to the trust interval to generate a whitelist WL. The whitelist WL includes a program whitelist P_WL and a communication whitelist C_WL.

安全控制單元500耦接於規則篩選單元400以接收白名單WL,並根據白名單WL的程式白名單P_WL與通訊白名單C_WL執行安全控制。例如,安全控制單元500將程式白名單P_WL與通訊白名單C_WL分別套用於主機裝置2000的程式防火牆機制與通訊防火牆機制。並且,安全控制單元500依據程式白名單P_WL與通訊白名單C_WL對於後續的待測應用程式與待測資料封包進行監測,以判斷其是否符合程式白名單P_WL與通訊白名單C_WL。 The security control unit 500 is coupled to the rule screening unit 400 to receive the whitelist WL, and performs security control according to the program whitelist P_WL and the communication whitelist C_WL of the whitelist WL. For example, the security control unit 500 applies the program whitelist P_WL and the communication whitelist C_WL to the program firewall mechanism and the communication firewall mechanism of the host device 2000 respectively. In addition, the security control unit 500 monitors the subsequent application programs to be tested and the data packets to be tested according to the program whitelist P_WL and the communication whitelist C_WL to determine whether they comply with the program whitelist P_WL and the communication whitelist C_WL.

下文係說明擷取單元100、分析單元200、規則建立單元300、規則篩選單元400與安全控制單元500的詳細運作。擷取單元100的程式特徵擷取單元110與通訊特徵擷取單元120是自動化地擷取應用程式AP(1)的第一程式特徵PF1與資料封包PK(1)的第一通訊特徵CF1。在一種示例中,程式特徵擷取單元110依據應用程式AP(1)在主機裝置2000(即端點裝置)的程式運 作以擷取第一程式特徵PF1。例如,主機裝置2000的作業平台是「linux」,程式特徵擷取單元110執行「linux」之指令「ps-ef」以存取主機裝置2000的日誌檔(log),據以擷取應用程式AP(1)的第一程式特徵PF1。所擷取得到的第一程式特徵PF1例如包括應用程式AP(1)的程式名稱(app name)與程式校驗碼,並且可選擇性地包括:路徑名稱、處理程序識別碼(process ID,PID)、母項處理程序識別碼(parent process ID,PPID)、CPU使用率、程式開始時間、程式結束時間、系統呼叫順序,等等。表1列出部分的第一程式特徵PF1。 The following is a description of the detailed operation of the capture unit 100, the analysis unit 200, the rule establishment unit 300, the rule screening unit 400 and the security control unit 500. The program feature capture unit 110 and the communication feature capture unit 120 of the capture unit 100 automatically capture the first program feature PF1 of the application AP(1) and the first communication feature CF1 of the data packet PK(1). In one example, the program feature capture unit 110 captures the first program feature PF1 according to the program operation of the application AP(1) on the host device 2000 (i.e., the endpoint device). For example, the operating platform of the host device 2000 is "linux", and the program feature capture unit 110 executes the "linux" command "ps-ef" to access the log file (log) of the host device 2000, thereby capturing the first program feature PF1 of the application AP (1). The captured first program feature PF1 includes, for example, the program name (app name) and the program verification code of the application AP (1), and may optionally include: path name, process ID (PID), parent process ID (PPID), CPU usage, program start time, program end time, system call sequence, etc. Table 1 lists part of the first program feature PF1.

Figure 112151046-A0305-12-0007-1
Figure 112151046-A0305-12-0007-1

通訊特徵擷取單元120可同步或非同步於程式特徵擷取單元110而運作。通訊特徵擷取單元120依據資料封包PK(1)在通訊網路3000的通訊運作以擷取資料封包PK(1)的第一通訊特 徵CF1。例如,通訊特徵擷取單元120對於資料封包PK(1)執行開源程式「tcpdump」以擷取第一通訊特徵CF1,例如包括網路協定來源位址(source IP address,src IP)與網路協定目的位址(destination IP address,dst IP),並且可選擇性地包括:通訊協定(例如傳輸控制協定(Transmission Control Protocol,TCP))、媒體存取控制位址(MAC address)、來源埠(src port)、目的埠(dst port)、封包尺寸,等等。 The communication feature acquisition unit 120 can operate synchronously or asynchronously with the program feature acquisition unit 110. The communication feature acquisition unit 120 operates according to the communication of the data packet PK(1) in the communication network 3000 to acquire the first communication feature CF1 of the data packet PK(1). For example, the communication feature capture unit 120 executes the open source program "tcpdump" for the data packet PK(1) to capture the first communication feature CF1, such as the source IP address (src IP) and the destination IP address (dst IP), and optionally includes: communication protocol (such as Transmission Control Protocol (TCP)), media access control address (MAC address), source port (src port), destination port (dst port), packet size, etc.

程式特徵分析單元210依據應用程式AP(1)在主機裝置2000的程式運作對於第一程式特徵PF1進行分析,以產生第二程式特徵PF2。第二程式特徵PF2例如包括應用程式AP(1)的執行頻率、執行總時間與啟動間隔時間。例如,程式特徵分析單元210依據應用程式AP(1)每次的程式開始時間(第一程式特徵PF1)來計算應用程式AP(1)的執行頻率與啟動間隔時間(第二程式特徵PF2)。並且,程式特徵分析單元210依據應用程式AP(1)的程式開始時間與程式結束時間(第一程式特徵PF1)來計算應用程式AP(1)的執行總時間(第二程式特徵PF2)。 The program feature analysis unit 210 analyzes the first program feature PF1 according to the program operation of the application program AP(1) in the host device 2000 to generate the second program feature PF2. The second program feature PF2 includes, for example, the execution frequency, the total execution time, and the startup interval time of the application program AP(1). For example, the program feature analysis unit 210 calculates the execution frequency and the startup interval time (the second program feature PF2) of the application program AP(1) according to each program start time (the first program feature PF1) of the application program AP(1). Furthermore, the program feature analysis unit 210 calculates the total execution time (second program feature PF2) of the application AP(1) based on the program start time and program end time (first program feature PF1) of the application AP(1).

通訊特徵分析單元220可同步或非同步於程式特徵分析單元210而運作。通訊特徵分析單元220依據資料封包PK(1)在通訊網路3000的通訊運作對於第一通訊特徵CF1進行分析,以產生第二通訊特徵CF2。第二通訊特徵CF2例如包括資料封包PK(1)的通訊傳輸的連線次數與單位流量變化。例如,通訊特徵分析單元220以統計方法分析資料封包PK(1)的網路協定來源位址 與網路協定目的位址(第一通訊特徵CF1)以計算出連線次數(第二通訊特徵CF2)。在一種示例中,通訊特徵分析單元220可依據通訊運作篩選資料封包PK(1),當資料封包PK(1)不屬於分析對象時,則濾除資料封包PK(1)。例如,安全管理模組1000是針對作為端點裝置的主機裝置2000執行安全控制,因此,無關於端點裝置角色的資料封包PK(1)不屬於分析對象而被濾除。當資料封包PK(1)在通訊網路3000的通訊運作是「廣播運作」或「轉發運作」時無關於端點裝置角色,通訊特徵分析單元220濾除資料封包PK(1)而不進行分析。 The communication feature analysis unit 220 can operate synchronously or asynchronously with the program feature analysis unit 210. The communication feature analysis unit 220 analyzes the first communication feature CF1 according to the communication operation of the data packet PK(1) in the communication network 3000 to generate the second communication feature CF2. The second communication feature CF2 includes, for example, the number of connections and unit flow changes of the communication transmission of the data packet PK(1). For example, the communication feature analysis unit 220 analyzes the network protocol source address and the network protocol destination address (first communication feature CF1) of the data packet PK(1) by a statistical method to calculate the number of connections (second communication feature CF2). In one example, the communication feature analysis unit 220 can filter the data packet PK(1) according to the communication operation. When the data packet PK(1) does not belong to the analysis object, the data packet PK(1) is filtered out. For example, the security management module 1000 performs security control on the host device 2000 as an endpoint device. Therefore, the data packet PK(1) that is not related to the role of the endpoint device is not an analysis object and is filtered out. When the communication operation of the data packet PK(1) in the communication network 3000 is "broadcast operation" or "forwarding operation", it is not related to the role of the endpoint device. The communication feature analysis unit 220 filters the data packet PK(1) without analyzing it.

規則建立單元300依據第一程式特徵PF1與第一通訊特徵CF1自動化地建立候選規則RL,無須藉由使用者以人工方式建立。並且,當建立候選規則RL時,規則建立單元300更可選擇性地參考第二程式特徵PF2與第二通訊特徵CF2。在一種示例中,規則建立單元300可對於歷史資料集HS進行統計分析以建立候選規則RL。在另一種示例中,規則建立單元300可利用運算模型MDL進行深度學習以建立候選規則RL,運算模型MDL例如是卷積神經網路(CNN)。 The rule establishment unit 300 automatically establishes the candidate rule RL according to the first program feature PF1 and the first communication feature CF1, without the need for the user to manually establish it. Moreover, when establishing the candidate rule RL, the rule establishment unit 300 can selectively refer to the second program feature PF2 and the second communication feature CF2. In one example, the rule establishment unit 300 can perform statistical analysis on the historical data set HS to establish the candidate rule RL. In another example, the rule establishment unit 300 can use the computational model MDL to perform deep learning to establish the candidate rule RL, and the computational model MDL is, for example, a convolutional neural network (CNN).

在利用運算模型MDL建立候選規則RL的示例中,規則建立單元300先產生訓練資料集TR以訓練運算模型MDL。規則建立單元300可從第一程式特徵PF1、第二程式特徵PF2、第一通訊特徵CF1與第二通訊特徵CF2歸納出正常行為模式下的程式特徵與通訊特徵,並對其進行預資料處理以產生訓練資料集 TR。訓練資料集TR的預資料處理例如是編碼處理與分類標籤處理,使得預資料處理之後的訓練資料集TR的資料型態能夠符合運算模型MDL。例如,對於第一通訊特徵CF1之中的TCP通訊協定與UDP通訊協定進行「One-Hot encoding」之編碼處理,以將TCP通訊協定編碼成為「00001」,並將UDP通訊協定編碼成為「00010」。並且,對於規則「iptables-A INPUT-s 11.22.33/24-j ACCEPT」進行分類標籤處理而定義為標籤「6」。或者,將正常行為模式下的單位流量變化「1GB」定義為標籤「1」,將非正常的單位流量變化「5GB」定義為標籤「0」。 In the example of using the computational model MDL to establish the candidate rule RL, the rule establishment unit 300 first generates a training data set TR to train the computational model MDL. The rule establishment unit 300 can summarize the program features and communication features under the normal behavior mode from the first program feature PF1, the second program feature PF2, the first communication feature CF1, and the second communication feature CF2, and perform pre-data processing on them to generate the training data set TR. The pre-data processing of the training data set TR is, for example, encoding processing and classification label processing, so that the data type of the training data set TR after the pre-data processing can conform to the computational model MDL. For example, the TCP protocol and the UDP protocol in the first communication feature CF1 are encoded by "One-Hot encoding" to encode the TCP protocol as "00001" and the UDP protocol as "00010". In addition, the rule "iptables-A INPUT-s 11.22.33/24-j ACCEPT" is classified and labeled as "6". Alternatively, the unit traffic change "1GB" in the normal behavior mode is defined as label "1", and the abnormal unit traffic change "5GB" is defined as label "0".

並且,規則建立單元300可依據測試資料集TST測試運算模型MDL,據以評估運算模型MDL產生的候選規則RL的精確度。此外,規則建立單元300可依據後續發生事件之新的程式特徵(即,第一程式特徵及/或第二程式特徵)與新的通訊特徵(即,第一通訊特徵及/或第二通訊特徵)動態地更新程式白名單P_WL與通訊白名單C_WL。 Furthermore, the rule creation unit 300 can test the computation model MDL according to the test data set TST to evaluate the accuracy of the candidate rule RL generated by the computation model MDL. In addition, the rule creation unit 300 can dynamically update the program whitelist P_WL and the communication whitelist C_WL according to the new program features (i.e., the first program features and/or the second program features) and the new communication features (i.e., the first communication features and/or the second communication features) of subsequent events.

規則篩選單元400依據預定數量及預訂比例設定信賴區間。例如,信賴區間設定為小於或等於100個項目、或設定為「80/20」的比例、或設定為採用常態分布時的三倍標準差(即,99.7%的區間)。規則篩選單元400依據信賴區間的比例或數量從候選規則RL篩選白名單WL,可防止白名單WL的項目過多,以節省安全控制單元500的運算時間。 The rule filtering unit 400 sets the trust interval according to the predetermined quantity and the predetermined ratio. For example, the trust interval is set to be less than or equal to 100 items, or set to the ratio of "80/20", or set to three times the standard deviation when a normal distribution is adopted (i.e., the interval of 99.7%). The rule filtering unit 400 filters the white list WL from the candidate rules RL according to the ratio or quantity of the trust interval, which can prevent the white list WL from having too many items, thereby saving the calculation time of the security control unit 500.

安全控制單元500依據白名單WL之中的程式白名單P_WL與通訊白名單C_WL實施安全控制。主機裝置2000具有防火牆機制600,防火牆機制600包括程式防火牆機制與通訊防火牆機制。安全控制單元500將程式白名單P_WL與通訊白名單C_WL分別套用於程式防火牆機制與通訊防火牆機制。安全控制單元500具有監測模式與阻擋模式,程式防火牆機制與通訊防火牆機制可依據不同模式而選擇性地啟用程式白名單P_WL與通訊白名單C_WL。在監測模式中,程式防火牆機制與通訊防火牆機制並未實際啟用程式白名單P_WL與通訊白名單C_WL,安全控制單元500僅依據程式白名單P_WL與通訊白名單C_WL對於待測應用程式與待測資料封包進行監測;當監測出異常時,安全控制單元500僅發出警示。在阻擋模式中,程式防火牆機制與通訊防火牆機制可實際啟用程式白名單P_WL與通訊白名單C_WL;當監測出異常時,安全控制單元500控制程式防火牆機制與通訊防火牆機制對異常的應用程式或資料封包進行阻擋。 The security control unit 500 implements security control based on the program whitelist P_WL and the communication whitelist C_WL in the whitelist WL. The host device 2000 has a firewall mechanism 600, and the firewall mechanism 600 includes a program firewall mechanism and a communication firewall mechanism. The security control unit 500 applies the program whitelist P_WL and the communication whitelist C_WL to the program firewall mechanism and the communication firewall mechanism respectively. The security control unit 500 has a monitoring mode and a blocking mode, and the program firewall mechanism and the communication firewall mechanism can selectively enable the program whitelist P_WL and the communication whitelist C_WL according to different modes. In the monitoring mode, the program firewall mechanism and the communication firewall mechanism do not actually activate the program whitelist P_WL and the communication whitelist C_WL. The security control unit 500 only monitors the application to be tested and the data packet to be tested according to the program whitelist P_WL and the communication whitelist C_WL. When an abnormality is detected, the security control unit 500 only issues a warning. In blocking mode, the program firewall mechanism and the communication firewall mechanism can actually enable the program whitelist P_WL and the communication whitelist C_WL; when an abnormality is detected, the security control unit 500 controls the program firewall mechanism and the communication firewall mechanism to block abnormal applications or data packets.

在表2的示例中,程式白名單P_WL之中的正常行為模式的程式特徵包括:執行總時間為「20分鐘」。若待測應用程式的執行總時間為「20分鐘」而符合程式白名單P_WL,則判斷該應用程式為正常,可允許該應用程式運作於主機裝置2000。另一方面,若另一個待測應用程式的執行總時間為「120分鐘」而不符合程式白名單P_WL,則判斷其具有異常行為(可能是惡意程 式),安全控制單元500阻擋或停止該應用程式的運作(即,阻擋模式)或僅發出警示(即,監測模式)。 In the example of Table 2, the program characteristics of the normal behavior mode in the program whitelist P_WL include: the total execution time is "20 minutes". If the total execution time of the application to be tested is "20 minutes" and meets the program whitelist P_WL, the application is judged to be normal and the application can be allowed to run on the host device 2000. On the other hand, if the total execution time of another application to be tested is "120 minutes" and does not meet the program whitelist P_WL, it is judged to have abnormal behavior (possibly a malicious program), and the security control unit 500 blocks or stops the operation of the application (i.e., blocking mode) or only issues a warning (i.e., monitoring mode).

Figure 112151046-A0305-12-0012-2
Figure 112151046-A0305-12-0012-2

類似地,安全控制單元500對於待測資料封包進行監測,如表3所示,待測資料封包的幾個通訊特徵例如包括通訊協定、來源位址、來源埠、目的位址與目的埠。安全控制單元500依據待測資料封包是否符合通訊白名單C_WL而判斷其是否異常。 Similarly, the security control unit 500 monitors the data packet to be tested. As shown in Table 3, several communication characteristics of the data packet to be tested include, for example, the communication protocol, source address, source port, destination address and destination port. The security control unit 500 determines whether the data packet to be tested is abnormal based on whether it complies with the communication whitelist C_WL.

Figure 112151046-A0305-12-0012-3
Figure 112151046-A0305-12-0012-3
Figure 112151046-A0305-12-0013-4
Figure 112151046-A0305-12-0013-4

在表4的示例中,通訊白名單C_WL之中的正常行為模式的目的埠是「600」。若待測資料封包之目的埠是「600」而符合通訊白名單C_WL,則判斷該資料封包是合法的訪問。另一方面,若另一個待測資料封包之目的埠是「650」而不符合通訊白名單C_WL,則判斷其具有異常行為,是不合法的訪問。安全控制單元500可阻擋不合法訪問的資料封包(即,阻擋模式)或僅發出警示(即,監測模式)。 In the example of Table 4, the destination port of the normal behavior mode in the communication whitelist C_WL is "600". If the destination port of the data packet to be tested is "600" and meets the communication whitelist C_WL, the data packet is judged to be a legal access. On the other hand, if the destination port of another data packet to be tested is "650" and does not meet the communication whitelist C_WL, it is judged to have abnormal behavior and is an illegal access. The security control unit 500 can block data packets with illegal access (i.e., blocking mode) or just issue a warning (i.e., monitoring mode).

Figure 112151046-A0305-12-0013-5
Figure 112151046-A0305-12-0013-5

又如表5的示例,通訊白名單C_WL之中的正常行為模式的連線次數是「50」。若待測資料封包的連線次數是「50」而符合通訊白名單C_WL,則判斷該資料封包是合法的訪問。另一方面,若另一個待測資料封包的連線次數是「500」而不符合通訊白名單C_WL,則判斷該資料封包是不合法的訪問。 As another example in Table 5, the number of connections in the normal behavior mode in the communication whitelist C_WL is "50". If the number of connections of the data packet to be tested is "50" and meets the communication whitelist C_WL, the data packet is judged to have legal access. On the other hand, if the number of connections of another data packet to be tested is "500" and does not meet the communication whitelist C_WL, the data packet is judged to have illegal access.

Figure 112151046-A0305-12-0014-6
Figure 112151046-A0305-12-0014-6

通訊防火牆機制可分別處理(允許或阻擋)輸入類型、輸出類型與轉發(forward)類型之通訊連線的資料封包。其中,輸入類型是外部裝置(例如遠端的SSH)經由通訊網路3000對於本地的主機裝置2000的通訊連線。輸出類型是本地的主機裝置2000經由通訊網路3000對於外部裝置的通訊連線。轉發類型是來自外部裝置的通訊連線且轉發到其他裝置,其目的地並非主機裝置2000。 The communication firewall mechanism can process (allow or block) data packets of input type, output type and forward type communication connections respectively. Among them, the input type is the communication connection from the external device (such as remote SSH) to the local host device 2000 via the communication network 3000. The output type is the communication connection from the local host device 2000 to the external device via the communication network 3000. The forwarding type is the communication connection from the external device and forwarded to other devices, and its destination is not the host device 2000.

綜上所述,安全控制單元500是自動化地將程式白名單P_WL與通訊白名單C_WL套用於主機裝置2000的程式防火牆機制與通訊防火牆機制,使用者無須以人工方式改變程式防火牆機制與通訊防火牆機制的安全管理規則、安全控制策略(policy)與參數設定。並且,程式防火牆機制與通訊防火牆機制可選擇性地啟用程式白名單P_WL與通訊白名單C_WL,安全控制單元500可自動化地阻擋惡意程式或不合法訪問、或對其發出警 示,使用者亦可選擇人工介入下命令阻擋惡意程式或不合法訪問。 In summary, the security control unit 500 automatically applies the program whitelist P_WL and the communication whitelist C_WL to the program firewall mechanism and the communication firewall mechanism of the host device 2000, and the user does not need to manually change the security management rules, security control policies and parameter settings of the program firewall mechanism and the communication firewall mechanism. In addition, the program firewall mechanism and the communication firewall mechanism can selectively enable the program whitelist P_WL and the communication whitelist C_WL, and the security control unit 500 can automatically block malicious programs or illegal access, or issue warnings to them. The user can also choose to manually intervene and issue commands to block malicious programs or illegal access.

請參見第2圖,其繪示本揭示另一實施例的安全管理模組1000a與1000b的示意圖。對於欲保護之主機裝置2000,可在主機裝置2000關聯之容器(container)或虛擬機(virtual machine)內安裝安全管理模組1000a與1000b,據以收集程式特徵或通訊特徵資訊且建立及更新白名單WL而執行安全控制。例如,安全管理模組1000a可安裝於主機裝置2000關聯之虛擬機2000a,安全管理模組1000b可安裝於主機裝置2000關聯之虛擬機2000b。 Please refer to Figure 2, which shows a schematic diagram of security management modules 1000a and 1000b of another embodiment of the present disclosure. For the host device 2000 to be protected, the security management modules 1000a and 1000b can be installed in the container or virtual machine associated with the host device 2000 to collect program characteristics or communication characteristics information and establish and update the white list WL to perform security control. For example, the security management module 1000a can be installed in the virtual machine 2000a associated with the host device 2000, and the security management module 1000b can be installed in the virtual machine 2000b associated with the host device 2000.

類似於第1圖的實施例之安全管理模組1000,本實施例之安全管理模組1000a包括擷取單元100a、分析單元200a、規則建立單元300a、規則篩選單元400a與安全控制單元500a。上述單元分別是安全管理模組1000a之中的子程式模組。同樣地,安全管理模組1000b亦包括擷取單元100b、分析單元200b、規則建立單元300b、規則篩選單元400b與安全控制單元500b。 Similar to the security management module 1000 of the embodiment of FIG. 1, the security management module 1000a of this embodiment includes a capture unit 100a, an analysis unit 200a, a rule establishment unit 300a, a rule screening unit 400a, and a security control unit 500a. The above units are subroutine modules in the security management module 1000a. Similarly, the security management module 1000b also includes a capture unit 100b, an analysis unit 200b, a rule establishment unit 300b, a rule screening unit 400b, and a security control unit 500b.

第2圖僅示出對於資料封包進行處理(不包括處理應用程式)的示例:安全管理模組1000a與1000b監測來自通訊網路3000的待測資料封包PK(2)與PK(3),據以保護主機裝置2000免於非法訪問及惡意程式的攻擊。在運作上,擷取單元100a從通訊網路3000擷取待測資料封包PK(2)的第一通訊特徵CF1。分析單元200a對於第一通訊特徵CF1進行分析以產生資料封包 PK(2)的第二通訊特徵CF2。規則建立單元300a依據第一通訊特徵CF1(或選擇性地參考第二通訊特徵CF2)建立候選規則RL。規則篩選單元400a依據信賴區間篩選候選規則RL以產生通訊白名單C_WL。安全控制單元500a依據通訊白名單C_WL執行安全控制,據以保護主機裝置2000。類似地,安全管理模組1000b的擷取單元100b、分析單元200b、規則建立單元300b、規則篩選單元400b與安全控制單元500b具有相同之運作方式,於此不再贅述。 FIG. 2 only shows an example of processing a data packet (excluding processing applications): the security management modules 1000a and 1000b monitor the test data packets PK(2) and PK(3) from the communication network 3000 to protect the host device 2000 from illegal access and attacks by malicious programs. In operation, the capture unit 100a captures the first communication feature CF1 of the test data packet PK(2) from the communication network 3000. The analysis unit 200a analyzes the first communication feature CF1 to generate the second communication feature CF2 of the data packet PK(2). The rule establishment unit 300a establishes the candidate rule RL based on the first communication feature CF1 (or optionally with reference to the second communication feature CF2). The rule screening unit 400a screens the candidate rules RL according to the trust interval to generate the communication whitelist C_WL. The security control unit 500a performs security control according to the communication whitelist C_WL to protect the host device 2000. Similarly, the capture unit 100b, analysis unit 200b, rule establishment unit 300b, rule screening unit 400b and security control unit 500b of the security management module 1000b have the same operation mode, which will not be repeated here.

請參見第3圖,其繪示本揭示一實施例的安全管理方法的流程圖。安全管理方法可藉由第1圖的安全管理模組1000來實施。例如前文所述,當安全管理模組1000的程式碼被主機裝置2000讀取時,主機裝置2000執行安全管理模組1000的程式碼,據以實施安全管理方法。 Please refer to FIG. 3, which shows a flow chart of a security management method of an embodiment of the present disclosure. The security management method can be implemented by the security management module 1000 of FIG. 1. For example, as described above, when the program code of the security management module 1000 is read by the host device 2000, the host device 2000 executes the program code of the security management module 1000 to implement the security management method accordingly.

首先,執行步驟S302:藉由程式特徵擷取單元110依據應用程式AP(1)在主機裝置2000的程式運作擷取第一程式特徵PF1。例如,程式特徵擷取單元110執行「linux」之指令「ps-ef」以存取主機裝置2000的日誌檔(log),據以擷取應用程式AP(1)的第一程式特徵PF1。接著,執行步驟S304:藉由程式特徵分析單元210對於第一程式特徵PF1進行分析以產生第二程式特徵PF2。 First, execute step S302: the program feature capture unit 110 captures the first program feature PF1 according to the program operation of the application AP(1) in the host device 2000. For example, the program feature capture unit 110 executes the "linux" command "ps-ef" to access the log file (log) of the host device 2000, thereby capturing the first program feature PF1 of the application AP(1). Then, execute step S304: the program feature analysis unit 210 analyzes the first program feature PF1 to generate the second program feature PF2.

並且,執行步驟S306與步驟S308(可同步或非同步於步驟S302與步驟S304而執行)。在步驟S306之中,藉由通 訊特徵擷取單元120依據資料封包PK(1)在通訊網路3000的通訊運作以擷取第一通訊特徵CF1。例如,通訊特徵擷取單元120執行開源程式「tcpdump」以擷取第一通訊特徵CF1。接著,執行步驟S308:藉由通訊特徵分析單元220對於第一通訊特徵CF1進行分析以產生第二通訊特徵CF2。 Furthermore, step S306 and step S308 are executed (which can be executed synchronously or asynchronously with step S302 and step S304). In step S306, the communication feature acquisition unit 120 acquires the first communication feature CF1 according to the communication operation of the data packet PK(1) in the communication network 3000. For example, the communication feature acquisition unit 120 executes the open source program "tcpdump" to acquire the first communication feature CF1. Then, step S308 is executed: the communication feature analysis unit 220 analyzes the first communication feature CF1 to generate the second communication feature CF2.

在步驟S304與步驟S308之後,接著執行步驟S310:藉由規則建立單元300依據第一程式特徵PF1及第一通訊特徵CF1建立候選規則RL。可選擇地,規則建立單元300更可參考第二程式特徵PF2與第二通訊特徵CF2來建立候選規則RL(即,當建立候選規則RL時,規則建立單元300必須依據第一程式特徵PF1及第一通訊特徵CF1;另一方面,第二程式特徵PF2與第二通訊特徵CF2僅作為選擇性的輔助)。在一種示例中,規則建立單元300可利用運算模型MDL的深度學習而建立候選規則RL。在另一種示例中,規則建立單元300可利用歷史資料集HS建立候選規則RL。 After step S304 and step S308, step S310 is then executed: the rule establishment unit 300 establishes the candidate rule RL according to the first program feature PF1 and the first communication feature CF1. Optionally, the rule establishment unit 300 may further refer to the second program feature PF2 and the second communication feature CF2 to establish the candidate rule RL (i.e., when establishing the candidate rule RL, the rule establishment unit 300 must be based on the first program feature PF1 and the first communication feature CF1; on the other hand, the second program feature PF2 and the second communication feature CF2 are only optional auxiliary). In one example, the rule establishment unit 300 may establish the candidate rule RL using deep learning of the computational model MDL. In another example, the rule establishment unit 300 may establish the candidate rule RL using the historical data set HS.

接著,執行步驟S312:規則篩選單元400依據預定數量及預訂比例設定信賴區間,並依據信賴區間篩選候選規則RL以產生白名單WL。白名單WL包括程式白名單P_WL與通訊白名單C_WL。 Next, execute step S312: the rule screening unit 400 sets the trust interval according to the predetermined quantity and the predetermined ratio, and screens the candidate rules RL according to the trust interval to generate a whitelist WL. The whitelist WL includes the program whitelist P_WL and the communication whitelist C_WL.

接著,執行步驟S314:藉由安全控制單元500依據程式白名單P_WL與通訊白名單C_WL實施安全控制。安全控制單元500將程式白名單P_WL與通訊白名單C_WL分別套用於主 機裝置2000的程式防火牆機制與通訊防火牆機制。安全控制單元500可將主機裝置2000的程式防火牆機制與通訊防火牆機制設定為不同模式。在監測模式中,主機裝置2000的程式防火牆機制與通訊防火牆機制並不真正啟用程式白名單P_WL與通訊白名單C_WL。安全控制單元500僅是依據程式白名單P_WL與通訊白名單C_WL對於待測應用程式與待測資料封包進行監測;當監測出異常時,安全控制單元500發出警示。在阻擋模式中,主機裝置2000的程式防火牆機制與通訊防火牆機制實際啟用程式白名單P_WL與通訊白名單C_WL;當監測出異常時,安全控制單元500控制程式防火牆機制與通訊防火牆機制對異常的應用程式或資料封包進行阻擋。 Then, step S314 is executed: the security control unit 500 implements security control according to the program whitelist P_WL and the communication whitelist C_WL. The security control unit 500 applies the program whitelist P_WL and the communication whitelist C_WL to the program firewall mechanism and the communication firewall mechanism of the host device 2000 respectively. The security control unit 500 can set the program firewall mechanism and the communication firewall mechanism of the host device 2000 to different modes. In the monitoring mode, the program firewall mechanism and the communication firewall mechanism of the host device 2000 do not actually activate the program whitelist P_WL and the communication whitelist C_WL. The security control unit 500 only monitors the application to be tested and the data packet to be tested based on the program whitelist P_WL and the communication whitelist C_WL; when an abnormality is detected, the security control unit 500 issues an alarm. In the blocking mode, the program firewall mechanism and the communication firewall mechanism of the host device 2000 actually activate the program whitelist P_WL and the communication whitelist C_WL; when an abnormality is detected, the security control unit 500 controls the program firewall mechanism and the communication firewall mechanism to block the abnormal application or data packet.

第1~3圖的各實施例的安全管理模組1000與安全管理方法可使用於不同的環境及用途,包括工業控制(例如無人車)、金融(例如自動櫃員機ATM)、軍事(例如無人機)及醫療(例如達文西手臂手術),等等。請參見第4圖,其繪示安全管理模組1000應用於醫療環境4010的實施例之示意圖。在醫療環境4010中,外科醫師藉由遙控裝置10操作達文西手臂20以進行外科手術。遙控裝置10經由前饋(feed-forward)連結FF_L傳送控制命令至達文西手臂20。達文西手臂20經由反饋(feedback)連結FB_L傳送狀態訊號至遙控裝置10。安全管理模組1000可安裝於達文西手臂20的驅動主機之中,以防止惡意程式侵入遙控裝置10與達文西手臂20。安全管理模組1000的運作如表6所示。 The security management module 1000 and the security management method of each embodiment of Figures 1 to 3 can be used in different environments and purposes, including industrial control (such as unmanned vehicles), finance (such as automated teller machines ATMs), military (such as drones), and medical (such as Da Vinci arm surgery), etc. Please refer to Figure 4, which shows a schematic diagram of an embodiment of the security management module 1000 applied to a medical environment 4010. In the medical environment 4010, a surgeon operates the Da Vinci arm 20 through a remote control device 10 to perform a surgical operation. The remote control device 10 transmits control commands to the Da Vinci arm 20 via a feed-forward connection FF_L. The Da Vinci arm 20 transmits status signals to the remote control device 10 via a feedback connection FB_L. The security management module 1000 can be installed in the driving host of the Da Vinci arm 20 to prevent malicious programs from invading the remote control device 10 and the Da Vinci arm 20. The operation of the security management module 1000 is shown in Table 6.

Figure 112151046-A0305-12-0019-7
Figure 112151046-A0305-12-0019-7

在表6中,程式白名單P_WL之中的正常行為模式的程式特徵包括:核對和(checksum)結果為「0xcd」。若待測應用程式的核對和結果是「0xcd」,其符合程式白名單P_WL,則判斷該應用程式為正常。另一方面,若另一個待測應用程式的核對和結果是「0xcf」,其不符合程式白名單P_WL,則判斷該應用程式具有異常行為,其可能為惡意第三方30的惡意程式。因此,安全控制單元500拒絕該應用程式執行於達文西手臂20的驅動主機。 In Table 6, the program characteristics of the normal behavior mode in the program whitelist P_WL include: the checksum result is "0xcd". If the checksum result of the application to be tested is "0xcd", which conforms to the program whitelist P_WL, the application is judged to be normal. On the other hand, if the checksum result of another application to be tested is "0xcf", which does not conform to the program whitelist P_WL, the application is judged to have abnormal behavior, which may be a malicious program of a malicious third party 30. Therefore, the security control unit 500 refuses to execute the application on the driving host of the Da Vinci arm 20.

請參見第5圖,其繪示安全管理模組1000應用於工業控制系統4020的實施例之示意圖。在工業控制系統4020中設置了生產機台41與43及控制主機42。並且,工業控制系統4020更包括周邊設施44。安全管理模組1000可安裝於控制主機42之中,以防止惡意程式侵入生產機台41與43、控制主機42與周邊設施44。安全管理模組1000的運作如表7所示。 Please refer to Figure 5, which shows a schematic diagram of an implementation example of the security management module 1000 applied to the industrial control system 4020. The industrial control system 4020 is provided with production machines 41 and 43 and a control host 42. In addition, the industrial control system 4020 further includes peripheral facilities 44. The security management module 1000 can be installed in the control host 42 to prevent malicious programs from invading the production machines 41 and 43, the control host 42 and the peripheral facilities 44. The operation of the security management module 1000 is shown in Table 7.

Figure 112151046-A0305-12-0020-8
Figure 112151046-A0305-12-0020-8

在表7中,程式白名單P_WL之中的正常行為模式的程式特徵包括:核對和結果「0xcd」與程式名稱「platform」。待測應用程式的核對和結果「0xca」不符合程式白名單P_WL的「0xcd」、且其程式名稱「machine」不符合程式白名單P_WL的「platform」,則判斷該應用程式可能為惡意第三方30的惡意程式。因此,安全控制單元500拒絕該應用程式執行於生產機台41與43、控制主機42或周邊設施44之中。 In Table 7, the program features of the normal behavior mode in the program whitelist P_WL include: the checksum result "0xcd" and the program name "platform". If the checksum result "0xca" of the application to be tested does not match "0xcd" of the program whitelist P_WL, and its program name "machine" does not match "platform" of the program whitelist P_WL, it is determined that the application may be a malicious program of a malicious third party 30. Therefore, the security control unit 500 refuses to execute the application in the production machines 41 and 43, the control host 42 or the peripheral equipment 44.

綜上所述,本揭示的安全管理模組1000對於主機裝置2000(主機裝置2000作為端點裝置角色)提供自動化資安強固(cyber security self-hardening)機制。在一般的應用程式白名單及網路通訊白名單之安全控制中,多由系統管理員以手動方式設定規則且缺乏動態更新機制,因此容易發生錯誤或保護不周全。相對地,本揭示的安全管理模組1000可收集待保護的主機裝置2000的程式日誌檔及網路通訊日誌,據以自動化地學習、生成、 並動態更新產生白名單WL,可節省使用者之人工介入的時間成本。 In summary, the security management module 1000 disclosed herein provides an automated cyber security self-hardening mechanism for the host device 2000 (host device 2000 as an endpoint device). In the general security control of application whitelists and network communication whitelists, the system administrators usually set the rules manually and lack a dynamic update mechanism, which makes it easy for errors to occur or the protection is incomplete. In contrast, the security management module 1000 disclosed herein can collect the program log files and network communication logs of the host device 2000 to be protected, and automatically learn, generate, and dynamically update the generated whitelist WL, which can save the time cost of manual intervention by users.

雖然本揭示已以較佳實施例及範例詳細揭示如上,可理解的是,此些範例意指說明而非限制之意義。可預期的是,所屬技術領域中具有通常知識者可想到多種修改及組合,其多種修改及組合落在本揭示之精神以及後附之申請專利範圍之範圍內。 Although the present disclosure has been disclosed in detail with preferred embodiments and examples, it is understood that these examples are intended to be illustrative rather than restrictive. It is expected that a person with ordinary knowledge in the relevant technical field can think of various modifications and combinations, and the various modifications and combinations fall within the spirit of the present disclosure and the scope of the attached patent application.

1000:安全管理模組 1000: Security management module

2000:主機裝置 2000: Host device

3000:通訊網路 3000: Communication network

100:擷取單元 100: Capture unit

110:程式特徵擷取單元 110: Program feature extraction unit

120:通訊特徵擷取單元 120: Communication feature acquisition unit

200:分析單元 200:Analysis unit

210:程式特徵分析單元 210: Program feature analysis unit

220:通訊特徵分析單元 220: Communication feature analysis unit

300:規則建立單元 300: Rule creation unit

400:規則篩選單元 400: Rule filtering unit

500:安全控制單元 500: Safety control unit

600:防火牆機制 600: Firewall mechanism

PF1:第一程式特徵 PF1: First Program Feature

PF2:第二程式特徵 PF2: Second Program Features

CF1:第一通訊特徵 CF1: First Communication Feature

CF2:第二通訊特徵 CF2: Second communication feature

RL:候選規則 RL: Candidate rules

WL:白名單 WL: Whitelist

P_WL:程式白名單 P_WL: Program Whitelist

C_WL:通訊白名單 C_WL: Communication whitelist

AP(1):應用程式 AP(1):Application

PK(1):資料封包 PK(1):Data packet

E(1):事件 E(1): Event

Claims (20)

一種安全管理模組,包括:一擷取單元,用於擷取一應用程式的複數個第一程式特徵、並且同步於該些第一程式特徵之擷取而同步地擷取一資料封包的複數個第一通訊特徵;一分析單元,用於分析該些第一程式特徵以產生複數個第二程式特徵,依據該資料封包的一通訊運作篩選該資料封包,並且分析篩選後的該資料封包的該些第一通訊特徵以產生複數個第二通訊特徵;一規則建立單元,用於依據該些第一程式特徵與該些第一通訊特徵建立一候選規則;一規則篩選單元,用於依據一信賴區間篩選該候選規則以產生一白名單;以及一安全控制單元,用於依據該白名單執行一安全控制。 A security management module includes: a capture unit for capturing a plurality of first program features of an application and synchronously capturing a plurality of first communication features of a data packet in synchronization with the capture of the first program features; an analysis unit for analyzing the first program features to generate a plurality of second program features, filtering the data packet according to a communication operation of the data packet, and The first communication features of the filtered data packet are analyzed to generate a plurality of second communication features; a rule establishment unit is used to establish a candidate rule based on the first program features and the first communication features; a rule screening unit is used to screen the candidate rule based on a trust interval to generate a whitelist; and a security control unit is used to perform a security control based on the whitelist. 如請求項1所述之安全管理模組,其中當該資料封包的該通訊運作是一廣播運作或一轉發運作時,該分析單元濾除該資料封包。 The security management module as described in claim 1, wherein when the communication operation of the data packet is a broadcast operation or a forwarding operation, the analysis unit filters the data packet. 如請求項1所述之安全管理模組,其中該白名單包括一程式白名單與一通訊白名單,該規則建立單元更選擇性地依據該些第二程式特徵及該些第二通訊特徵建立該候選規則,並 且依據該些第一程式特徵及/或該些第二程式特徵更新該程式白名單,並且依據該些第一通訊特徵及/或該些第二通訊特徵更新該通訊白名單。 The security management module as described in claim 1, wherein the whitelist includes a program whitelist and a communication whitelist, and the rule creation unit selectively creates the candidate rule based on the second program characteristics and the second communication characteristics, and updates the program whitelist based on the first program characteristics and/or the second program characteristics, and updates the communication whitelist based on the first communication characteristics and/or the second communication characteristics. 如請求項3所述之安全管理模組,其中該安全控制單元將該程式白名單與該通訊白名單分別套用於一主機裝置的一程式防火牆機制與一通訊防火牆機制。 The security management module as described in claim 3, wherein the security control unit applies the program whitelist and the communication whitelist to a program firewall mechanism and a communication firewall mechanism of a host device respectively. 如請求項4所述之安全管理模組,其中該安全控制單元判斷一待測應用程式是否符合該程式白名單,並且判斷一待測資料封包是否符合該通訊白名單。 The security management module as described in claim 4, wherein the security control unit determines whether a tested application complies with the program whitelist, and determines whether a tested data packet complies with the communication whitelist. 如請求項5所述之安全管理模組,其中在一阻擋模式之中,當該待測應用程式不符合該程式白名單時,該程式防火牆機制停止該待測應用程式,當該待測資料封包不符合該通訊白名單時,該通訊防火牆機制阻擋該待測資料封包。 The security management module as described in claim 5, wherein in a blocking mode, when the application to be tested does not conform to the program whitelist, the program firewall mechanism stops the application to be tested, and when the data packet to be tested does not conform to the communication whitelist, the communication firewall mechanism blocks the data packet to be tested. 如請求項5所述之安全管理模組,其中在一監測模式之中,當該待測應用程式不符合該程式白名單、或該待測資料封包不符合該通訊白名單時,該安全控制單元發出一警示。 The security management module as described in claim 5, wherein in a monitoring mode, when the application to be tested does not comply with the program whitelist, or the data packet to be tested does not comply with the communication whitelist, the security control unit issues a warning. 如請求項1所述之安全管理模組,其中該些第一程式特徵至少包括一程式名稱與一程式校驗碼,該些第二程式特徵可以是一執行頻率或一啟動間隔時間。 The security management module as described in claim 1, wherein the first program characteristics at least include a program name and a program verification code, and the second program characteristics may be an execution frequency or a startup interval. 如請求項1所述之安全管理模組,其中該些第一通訊特徵至少包括一網路協定來源位址與一網路協定目的位址,該些第二通訊特徵可以是一通訊連線次數或一單位流量變化。 The security management module as described in claim 1, wherein the first communication characteristics include at least a network protocol source address and a network protocol destination address, and the second communication characteristics can be a number of communication connections or a unit traffic change. 如請求項1所述之安全管理模組,其中該規則建立單元對於該些第一程式特徵、該些第二程式特徵、該些第一通訊特徵以及該些第二通訊特徵進行一預資料處理以產生一訓練資料集,並且使用該訓練資料集訓練一運算模型以建立該候選規則,該預資料處理至少包括一編碼處理或一分類標籤處理。 The security management module as described in claim 1, wherein the rule establishment unit performs a pre-data processing on the first program features, the second program features, the first communication features, and the second communication features to generate a training data set, and uses the training data set to train an operation model to establish the candidate rule, and the pre-data processing at least includes a coding process or a classification label process. 一種安全管理方法,包括以下步驟:擷取一應用程式的複數個第一程式特徵、並且同步於該些第一程式特徵之擷取而同步地擷取一資料封包的複數個第一通訊特徵;分析該些第一程式特徵以產生複數個第二程式特徵;依據該資料封包的一通訊運作篩選該資料封包;分析篩選後的該資料封包的該些第一通訊特徵以產生複數個第二通訊特徵; 依據該些第一程式特徵與該些第一通訊特徵建立一候選規則;依據一信賴區間篩選該候選規則以產生一白名單;以及依據該白名單執行一安全控制。 A security management method includes the following steps: capturing a plurality of first program features of an application, and synchronously capturing a plurality of first communication features of a data packet in synchronization with the capturing of the first program features; analyzing the first program features to generate a plurality of second program features; filtering the data packet according to a communication operation of the data packet; analyzing the first communication features of the filtered data packet to generate a plurality of second communication features; establishing a candidate rule according to the first program features and the first communication features; filtering the candidate rule according to a trust interval to generate a whitelist; and executing a security control according to the whitelist. 如請求項11所述之安全管理方法,其中篩選該資料封包之步驟包括:當該資料封包的該通訊運作是一廣播運作或一轉發運作時,濾除該資料封包。 The security management method as described in claim 11, wherein the step of filtering the data packet includes: filtering the data packet when the communication operation of the data packet is a broadcast operation or a forwarding operation. 如請求項11所述之安全管理方法,其中該白名單包括一程式白名單與一通訊白名單,該安全管理方法更包括:選擇性地依據該些第二程式特徵及該些第二通訊特徵建立該候選規則,依據該些第一程式特徵及/或該些第二程式特徵更新該程式白名單;以及依據該些第一通訊特徵及/或該些第二通訊特徵更新該通訊白名單。 The security management method as described in claim 11, wherein the whitelist includes a program whitelist and a communication whitelist, and the security management method further includes: selectively establishing the candidate rule based on the second program characteristics and the second communication characteristics, updating the program whitelist based on the first program characteristics and/or the second program characteristics; and updating the communication whitelist based on the first communication characteristics and/or the second communication characteristics. 如請求項13所述之安全管理方法,其中依據該白名單執行該安全控制之步驟更包括: 將該程式白名單與該通訊白名單分別套用於一主機裝置的一程式防火牆機制與一通訊防火牆機制。 The security management method as described in claim 13, wherein the step of executing the security control according to the whitelist further includes: Applying the program whitelist and the communication whitelist to a program firewall mechanism and a communication firewall mechanism of a host device respectively. 如請求項14所述之安全管理方法,其中依據該白名單執行該安全控制之步驟包括:判斷一待測應用程式是否符合該程式白名單;以及判斷一待測資料封包是否符合該通訊白名單。 The security management method as described in claim 14, wherein the step of executing the security control according to the whitelist includes: determining whether a tested application complies with the program whitelist; and determining whether a tested data packet complies with the communication whitelist. 如請求項15所述之安全管理方法,其中在一阻擋模式之中,當該待測應用程式不符合該程式白名單、或當該待測資料封包不符合該通訊白名單時,執行該安全控制之步驟包括:藉由該程式防火牆機制停止該待測應用程式;或者藉由該通訊防火牆機制阻擋該待測資料封包。 The security management method as described in claim 15, wherein in a blocking mode, when the application to be tested does not conform to the program whitelist, or when the data packet to be tested does not conform to the communication whitelist, the step of executing the security control includes: stopping the application to be tested by the program firewall mechanism; or blocking the data packet to be tested by the communication firewall mechanism. 如請求項15所述之安全管理方法,其中在一監測模式之中,當該待測應用程式不符合該程式白名單、或當該待測資料封包不符合該通訊白名單時,執行該安全控制之步驟包括:發出一警示。 As described in claim 15, the security management method, wherein in a monitoring mode, when the application to be tested does not comply with the program whitelist, or when the data packet to be tested does not comply with the communication whitelist, the step of executing the security control includes: issuing a warning. 如請求項11所述之安全管理方法,其中該些第一程式特徵至少包括一程式名稱與一程式校驗碼,該些第二程式特徵可以是一執行頻率與一啟動間隔時間。 The security management method as described in claim 11, wherein the first program characteristics include at least a program name and a program verification code, and the second program characteristics may be an execution frequency and a startup interval. 如請求項11所述之安全管理方法,其中該些第一通訊特徵至少包括一網路協定來源位址與一網路協定目的位址,該些第二通訊特徵可以是一通訊連線次數與一單位流量變化。 The security management method as described in claim 11, wherein the first communication characteristics include at least a network protocol source address and a network protocol destination address, and the second communication characteristics can be a communication connection number and a unit traffic change. 如請求項11所述之安全管理方法,其中建立該候選規則之步驟包括:對於該些第一程式特徵、該些第二程式特徵、該些第一通訊特徵以及該些第二通訊特徵進行一預資料處理以產生一訓練資料集;以及使用該訓練資料集訓練一運算模型以建立該候選規則,其中,該預資料處理至少包括一編碼處理或一分類標籤處理。 The security management method as described in claim 11, wherein the step of establishing the candidate rule includes: performing a pre-data processing on the first program features, the second program features, the first communication features, and the second communication features to generate a training data set; and using the training data set to train a computational model to establish the candidate rule, wherein the pre-data processing includes at least a coding process or a classification label process.
TW112151046A 2023-12-27 2023-12-27 Security managing module and security managing method for endpoint device TWI871153B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112151046A TWI871153B (en) 2023-12-27 2023-12-27 Security managing module and security managing method for endpoint device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW112151046A TWI871153B (en) 2023-12-27 2023-12-27 Security managing module and security managing method for endpoint device

Publications (2)

Publication Number Publication Date
TWI871153B true TWI871153B (en) 2025-01-21
TW202527511A TW202527511A (en) 2025-07-01

Family

ID=95151936

Family Applications (1)

Application Number Title Priority Date Filing Date
TW112151046A TWI871153B (en) 2023-12-27 2023-12-27 Security managing module and security managing method for endpoint device

Country Status (1)

Country Link
TW (1) TWI871153B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI741698B (en) * 2020-07-28 2021-10-01 中華電信股份有限公司 Method for detecting malicious attacks and network security management device
US20230074151A1 (en) * 2020-01-31 2023-03-09 Palo Alto Networks, Inc. Multi-representational learning models for static analysis of source code

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230074151A1 (en) * 2020-01-31 2023-03-09 Palo Alto Networks, Inc. Multi-representational learning models for static analysis of source code
TWI741698B (en) * 2020-07-28 2021-10-01 中華電信股份有限公司 Method for detecting malicious attacks and network security management device

Also Published As

Publication number Publication date
TW202527511A (en) 2025-07-01

Similar Documents

Publication Publication Date Title
US11595396B2 (en) Enhanced smart process control switch port lockdown
CN113660296B (en) Method and device for detecting anti-attack performance of industrial control system and computer equipment
US8737398B2 (en) Communication module with network isolation and communication filter
CN107544470B (en) A controller protection method based on white list
JP2011100443A (en) Integrated unified threat management for process control system
CN102413127A (en) Database generalization safety protection method
WO2020132949A1 (en) Industrial control system monitoring method, device and system, and computer-readable medium
Salfati et al. Digital forensics and incident response (dfir) framework for operational technology (ot)
CN113240116A (en) Wisdom fire prevention cloud system based on class brain platform
US9559908B2 (en) Lockout prevention system
CN116318934A (en) Security early warning method and system based on behavior modeling of Internet of things equipment
CN110505212B (en) Internet of things virtual safety equipment based on Middlebox
EP3726309A1 (en) Method and system for monitoring the current integrity of a distributed automation system
TWI871153B (en) Security managing module and security managing method for endpoint device
CN112383417B (en) Terminal security external connection detection method, system, equipment and readable storage medium
US20250219998A1 (en) Security managing module and security managing method for endpoint device
CN109688142B (en) Threat management method and system in an industrial control system network
CN118694567A (en) Internet of Things security monitoring system and method based on situational awareness
CN113454956A (en) Communication terminal device, communication control method, and communication control program
CN111343193B (en) Cloud network port security protection method and device, electronic equipment and storage medium
CN111261271B (en) Service availability diagnosis method and device for video monitoring environment
TWI878858B (en) Network management device and method
CN109075979B (en) Electrical arrangement and DC powered device for monitoring unallowable operation data
KR20250155995A (en) Generative AI-based method, apparatus and computer program for responding network incident
CN120263636A (en) Network orchestration method and computing-network integration device