US-12627666-B2 - Controller-based network access control system, and method therefor
Abstract
A node according to an embodiment disclosed in the present document may store instructions which cause the node to: detect a network access event through an access control application; transmit a domain name system (DNS) query request packet to a first external server through the access control application; receive a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; and transmit a domain validation request or a network access request including the domain information to a second external server on the basis of whether a data flow corresponding to the IP information exists, through the access control application.
Inventors
- Young Rang Kim
Assignees
- Pribit Technology, Inc.
Dates
- Publication Date
- 20260512
- Application Date
- 20221110
- Priority Date
- 20211118
Claims (14)
- 1 . A node, comprising: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and configured to store a database, a target application, and an access control application, wherein the memory stores instructions causing, when executed by the processor, the node to: detect a network access event through the access control application; transmit a domain name system (DNS) query request packet to a first external server through the access control application; receive a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; and perform a domain validity check request or a network access request including the domain information to a second external server based on whether there exists a data flow corresponding to the IP information, through the access control application, and when there exists the data flow corresponding to the IP information through the access control application: perform the domain validity check request to the second external server, where the domain validity check request includes the data flow identification information and the domain information; and receive a domain validity check result including a data flow whose domain validity check state is updated, from the second external server through the access control application.
- 2 . The node of claim 1 , wherein the instructions cause the node to: identify whether a data flow corresponding to identification information of a destination network of the data packet, port information, and identification information of the target application and authorized from the second external server exists, through the access control application; when the authorized data flow exists, transmit the data packet; when the authorized data flow does not exist, identify whether domain information corresponding to the identification information of the destination network exists; request a network access from the second external server through the access control application, wherein the network access request includes the identification information of the target application, the identification information of the destination network, and the port information; and receive a data flow generated from the second external server through the access control application.
- 3 . The node of claim 2 , wherein, when domain information corresponding to the identification information of the destination network exists, the network access request includes the domain information.
- 4 . The node of claim 2 , wherein the instructions cause the node to: identify whether domain information corresponding to the identification information of the destination network is present in the database, through the access control application; and identify existence of the domain information through a DNS reverse query function based on the identification information of the destination network of an operating system, through the access control application.
- 5 . The node of claim 1 , wherein the instructions cause the node to: request a controller access from the second external server through the access control application; receive a first response to the controller access request from the second external server through the access control application, wherein the first response includes an accessible application list and identification information of a control flow generated between the access control application and the second external server; check the target application based on the application list, through the access control application; transmit the target application check result to the external server, through the access control application; and receive a data flow into which the domain information is inserted from the external server, through the access control application.
- 6 . The node of claim 1 , wherein the instructions cause the node to: request a user authentication from the second external server through the access control application; receive a second response to the user authentication request from the second external server through the access control application, wherein the second response includes an accessible application list and identification information of a control flow generated between the access control application and the second external server; check the target application based on the application list, through the access control application; transmit the target application check result to the external server, through the access control application; and receive a data flow into which the domain information is inserted from the external server, through the access control application.
- 7 . The node of claim 1 , wherein the instructions cause the node to: identify whether the network access event is a request for a DNS query, through the access control application; when the network access event is the request for the DNS query, transmit the DNS query request packet to the first external server through the access control application; and when the network access event is not the request for the DNS query, request a network access from the second external server through the access control application.
- 8 . The node of claim 1 , wherein the instructions cause the node to: identify whether there is a need to check domain validity of the data flow through the access control application; when there is a need to check the domain validity, request the second external server to check the domain validity; and when there is no need to check the domain validity, transmit a data packet based on the data flow.
- 9 . A server, comprising: a communication circuit; a memory configured to store a database; and a processor operatively connected to the communication circuit and the memory, wherein the processor is configured to: receive a network access request for a destination network of a target application from an access control application of a node; identify whether an access of the target application is possible, based on identification information and domain information of the target application, and identification information and a port of the destination network; identify whether there exists a data flow corresponding to the identification information of the target application, the identification information of the destination network, a port, and the domain information; perform a domain validity check based on the identification information of the destination network, a port, and the domain information; transmit whether a network access is possible to the access control application based on whether the data flow exists and a result of the domain validity check; when the domain validity check fails, transmit validity check failure information to the access control application; and when the domain validity check is successful, generate a data flow and transmit the generated data flow to the access control application.
- 10 . The server of claim 9 , wherein the processor is configured to: when the domain information differs from the domain information included in the data flow, transmit a network access-impossible result to the access control application.
- 11 . The server of claim 9 , wherein, when the domain validity check is performed based on the domain information, the processor is configured to: identify whether the domain information is present in the database; when the domain information is absent from the database, query a third external server based on the domain information and update the database with the result of the query; and compare whether the domain information matches the identification information of the destination network and perform access success processing based on the comparison result.
- 12 . The server of claim 11 , wherein the processor is configured to: determine whether the destination is a harmful site based on the domain information, the identification information of the destination network, and the database, or query a fourth external server as to whether the destination is a harmful site based on the domain information and the identification information of the destination network and receive a response to the query; and perform access success processing based on the response to the query or on the harmful-site determination thus made.
- 13 . The server of claim 9 , wherein, when the domain validity check is performed based on the destination network domain information, the processor is configured to: identify whether the destination network identification information is present in the database; when the destination network identification information is present in the database, compare whether the domain information and the destination network identification information match; and when the destination network identification information is absent from the database, perform access success processing.
- 14 . An operating method of an access control application stored in a node, the method comprising: detecting a network access event; identifying whether a data packet of a target application is a DNS query request packet; transmitting the DNS query request packet to a first external server; receiving a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; identifying whether a data flow corresponding to the IP information exists and whether there is a need to check domain validity of the data flow; requesting a domain validity check from a second external server, wherein the domain validity check request includes identification information of the data flow, the domain information, and the IP information; and receiving a domain validity check result including a data flow whose domain validity check state is updated from the second external server.
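The node/controller exchange described in claims 1 to 4 and 8 to 11, modelled as an added example (not the patent's or the assignee's code). The `Controller` plays the second external server, a callable stands in for the third external server of claim 11, and the domain database, flow identifiers and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class DataFlow:
    flow_id: str
    app_id: str
    dest_ip: str
    port: int
    domain: Optional[str] = None         # inserted by the controller once known
    domain_valid: Optional[bool] = None  # None: validity not checked yet

class Controller:
    """Stand-in for the 'second external server': grants flows and checks domain validity."""
    def __init__(self, domain_db, third_server):
        self.domain_db = {d: set(ips) for d, ips in domain_db.items()}  # domain -> known IPs
        self.third_server = third_server  # queried when a domain is absent from the DB (claim 11)
        self.flows = {}
    def _domain_matches(self, domain, dest_ip):
        if domain not in self.domain_db:  # unknown domain: ask the third server, cache the answer
            self.domain_db[domain] = set(self.third_server(domain))
        return dest_ip in self.domain_db[domain]
    def request_access(self, app_id, dest_ip, port, domain):
        if domain is not None and not self._domain_matches(domain, dest_ip):
            return None  # validity check failed: no data flow is generated (claim 9)
        flow = DataFlow(f"flow-{len(self.flows) + 1}", app_id, dest_ip, port, domain, True if domain else None)
        self.flows[flow.flow_id] = flow
        return flow
    def check_domain(self, flow_id, domain):
        flow = self.flows[flow_id]
        if flow.domain not in (None, domain):  # claim 10: domain differs from the flow's domain
            flow.domain_valid = False
        else:
            flow.domain, flow.domain_valid = domain, self._domain_matches(domain, flow.dest_ip)
        return flow  # the node receives the flow with its validity state updated

class Node:
    def __init__(self, controller):
        self.controller, self.flows, self.ip_to_domain = controller, {}, {}
    def on_dns_result(self, domain, ip):
        self.ip_to_domain[ip] = domain  # local database of domain information (claim 4)
        for flow in self.flows.values():
            if flow.dest_ip == ip:  # a flow for this IP exists: request a domain validity check
                self.controller.check_domain(flow.flow_id, domain)
    def send(self, app_id, dest_ip, port):
        """True when a data packet may be transmitted (claims 2, 3 and 8)."""
        flow = self.flows.get((app_id, dest_ip, port))
        if flow is None:  # no authorized flow: network access request carrying the domain, if known
            flow = self.controller.request_access(app_id, dest_ip, port, self.ip_to_domain.get(dest_ip))
            if flow is None:
                return False
            self.flows[(app_id, dest_ip, port)] = flow
        return flow.domain_valid is not False
```

The node and controller share the `DataFlow` object here for brevity; in the claimed system the controller returns the updated flow over the control flow and the node stores that copy.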
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)
The present disclosure claims the benefit of Korean Patent Application No. 10-2021-0159715 filed on Nov. 18, 2021 with the Korean Intellectual Property Office, the disclosure of which is incorporated herein by reference in its entirety.
BACKGROUND
Technical Field
Embodiments of the present disclosure relate to a system for controlling a network access based on a controller and a method thereof.
Description of the Related Art
A plurality of devices may communicate data over a network. For example, a smartphone may transmit or receive data to or from a server over the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.
BRIEF SUMMARY
Technical Problem
A technology for restricting access to the network based on transmission control protocol (TCP)/Internet protocol (IP) is being applied to control indiscriminate access to the network. For example, when an authorized terminal is provided with an authorized IP address, a network access controller (NAC) allows the authorized terminal to access the network; when an unauthorized terminal uses an unauthorized IP address, the NAC blocks the unauthorized terminal by using address resolution protocol (ARP) spoofing. A firewall refers to a method of determining whether to permit the transmission of a data packet based on a policy and on the source IP, destination IP, and port information included in the IP header. A virtual private network (VPN) refers to a method which guarantees the integrity and confidentiality of data packets by using an encrypted tunnel over the TCP/IP protocol. However, ARP spoofing may place a load on the network, and technologies for bypassing ARP spoofing are being developed.
Because the firewall is used to control the flow of data packets, the firewall may not directly take part in the process of establishing a connection between two nodes. Also, the VPN is weak at managing the flow of data packets after the tunnel is established. In addition, because the above technologies are based on TCP/IP, they may be vulnerable at other layers (e.g., the application layer) of the open systems interconnection (OSI) model. Various embodiments of the present disclosure provide a system for addressing the above-mentioned problems in a network environment and a method thereof.
Technical Solution
A node according to an embodiment of the present disclosure may include a communication circuit, a processor that is operatively connected to the communication circuit, and a memory that is operatively connected to the processor and stores a database, a target application, and an access control application. The memory stores instructions causing, when executed by the processor, the node to detect a network access event through the access control application, to transmit a domain name system (DNS) query request packet to a first external server through the access control application, to receive a DNS query result from the first external server, the DNS query result including domain information and IP information, and to perform a domain validity check request or a network access request including the domain information to a second external server based on whether there exists a data flow corresponding to the IP information, through the access control application. A server according to an embodiment of the present disclosure may include a communication circuit, a memory that stores a database, and a processor that is operatively connected to the communication circuit and the memory.
The processor may receive a network access request for a destination network of a target application from an access control application of a node, may identify whether an access of the target application is possible, based on identification information and domain information of the target application, and identification information and a port of the destination network, may identify whether there exists a data flow corresponding to the identification information of the target application, the identification information of the destination network, a port, and the domain information, may perform a domain validity check based on the identification information of the destination network, a port, and the domain information, and may transmit whether a network access is possible to the access control application based on whether the data flow exists and a result of the domain validity check. An operating method of an access control application stored in a node, according to an embodiment of the present disclosure, may include detecting a network access event, identifying whether a data packet of a target application is a DNS query request packet, transmitting the DNS query request packet to a first external server, receiving a DNS query result from the firs