1. Technical Field
The present invention relates generally to a method and system for extracting an access control list and, more particularly, to a method and system for extracting an access control list between systems from network traffic without requiring flag information.
2. Description of the Related Art
Access control is technology necessary for network resource management, security management, and fault management.
Network Access Control (NAC), which is the representative access control technology, denotes technology for inspecting the security status of devices that access a network and permitting the access of only secure nodes. However, when a separate agent cannot be installed due to the characteristics of a host, the use of NAC is impossible. Further, there is a problem in that, when an Access Control List (ACL) for network equipment is used, all lists must be manually generated and maintained in real time. Due to this problem, it is realistically very difficult to implement a method of extracting an ACL for all hosts in a given network. Further, access control is generally implemented such that separate equipment monitors network traffic and restricts traffic violating an ACL when necessary. Furthermore, it is difficult to precisely extract the connection status and the relation between a client and a server, which are the most important elements of the ACL.
In order to solve those problems, technology for automating an ACL is required.
In order to automatically generate an ACL, a conventional scheme is implemented such that, in the case of the Transmission Control Protocol (TCP), flag information in the network traffic exchanged between systems is analyzed, a server-client relation is detected, the server-side port is assumed to be a static port (fixed port), and then an ACL such as “server IP-server port-protocol-client IP” is generated. In other words, conventional TCP is configured such that, when a client sends a synchronization (syn) signal to a server in TCP 3-way handshaking, the server sends syn+acknowledgement (ack) to the client. Then, by utilizing the ack sent from the client, the flag information is analyzed, and thus the server-client relation is detected. Thereafter, on the assumption that the server port is a static port, an ACL such as “server IP-server port-protocol-client IP” is generated. In addition, on the assumption that well-known server ports (e.g., port #80 is a HyperText Transfer Protocol (HTTP) server port) are used as server ports, an ACL is extracted.
Such a conventional scheme is advantageous in that it is most accurate when TCP is used. However, the conventional scheme has the following problems:
1) When packets having the specific flags required to extract a server-client relation, such as syn, finish (fin), and syn+ack, are missing, such a scheme cannot be applied. It is impossible to detect the server-client relation when a traffic analysis tool or security equipment cannot analyze or log flag information from all traffic, or when a given packet is dropped.
2) Such a scheme cannot be applied to a protocol having no flag information, such as a User Datagram Protocol (UDP).
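The conventional flag-based extraction described above, together with the two failure modes just listed, is illustrated by the following Python code. It is an added example written for this description and is not part of the patent text or of any referenced work. It assumes packets have already been parsed into (source IP, source port, destination IP, destination port, protocol, flag set) tuples; the packet records, the IP addresses and the hypothetical `well_known_ports` parameter are all constructed for the illustration. A server-client relation is detected when a syn from one side is answered by syn+ack from the other; flows whose handshake packets are missing, and UDP flows, cannot be classified by flags and are only resolved if the optional well-known-port assumption is enabled.

```python
from typing import FrozenSet, Iterable, List, Set, Tuple

# Packet record: (src_ip, src_port, dst_ip, dst_port, protocol, tcp_flags)
Packet = Tuple[str, int, str, int, str, Set[str]]
# ACL entry in the conventional "server IP-server port-protocol-client IP" form
AclEntry = Tuple[str, int, str, str]

# Constructed sample traffic (not captured data): two complete HTTP handshakes,
# one SSH flow whose handshake was not captured, and one UDP DNS exchange.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 51000, "10.0.0.10", 80, "tcp", {"syn"}),
    ("10.0.0.10", 80, "10.0.0.5", 51000, "tcp", {"syn", "ack"}),
    ("10.0.0.5", 51000, "10.0.0.10", 80, "tcp", {"ack"}),
    ("10.0.0.6", 51001, "10.0.0.10", 80, "tcp", {"syn"}),
    ("10.0.0.10", 80, "10.0.0.6", 51001, "tcp", {"syn", "ack"}),
    ("10.0.0.6", 51001, "10.0.0.10", 80, "tcp", {"ack"}),
    # Failure mode 1: syn / syn+ack were dropped or not logged; only mid-stream packets remain
    ("10.0.0.7", 52000, "10.0.0.11", 22, "tcp", {"ack", "psh"}),
    ("10.0.0.11", 22, "10.0.0.7", 52000, "tcp", {"ack", "psh"}),
    # Failure mode 2: UDP carries no flag information at all
    ("10.0.0.5", 40000, "10.0.0.53", 53, "udp", set()),
    ("10.0.0.53", 53, "10.0.0.5", 40000, "udp", set()),
]


def _flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-agnostic key so both halves of a conversation map to one flow."""
    endpoints = tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))
    return (endpoints, proto)


def extract_acl_from_flags(packets: Iterable[Packet],
                           well_known_ports: FrozenSet[Tuple[int, str]] = frozenset()):
    """Conventional flag-based ACL extraction.

    Returns (acl, undetermined): acl is the set of AclEntry tuples that could be
    derived, undetermined is the sorted list of flow keys for which no
    server-client relation could be established.
    well_known_ports is a hypothetical parameter: a set of (port, protocol) pairs
    assumed to be server ports, used only as a fallback for flows without flags.
    """
    pending_syn = set()          # (client_ip, client_port, server_ip, server_port)
    acl: Set[AclEntry] = set()
    seen, resolved = set(), set()

    for src_ip, src_port, dst_ip, dst_port, proto, flags in packets:
        key = _flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        seen.add(key)
        if proto != "tcp":
            continue                      # no flags to analyze for UDP and similar protocols
        if "syn" in flags and "ack" not in flags:
            pending_syn.add((src_ip, src_port, dst_ip, dst_port))   # client opened the connection
        elif "syn" in flags and "ack" in flags:
            # syn+ack answering a recorded syn: sender is the server, receiver the client
            if (dst_ip, dst_port, src_ip, src_port) in pending_syn:
                acl.add((src_ip, src_port, proto, dst_ip))
                resolved.add(key)

    # Fallback assumption: a well-known port identifies the server side of the flow.
    for key in sorted(seen - resolved):
        (ep_a, ep_b), proto = key
        for server, client in ((ep_a, ep_b), (ep_b, ep_a)):
            if (server[1], proto) in well_known_ports and (client[1], proto) not in well_known_ports:
                acl.add((server[0], server[1], proto, client[0]))
                resolved.add(key)
                break

    return acl, sorted(seen - resolved)


if __name__ == "__main__":
    entries, unknown = extract_acl_from_flags(SAMPLE_PACKETS)
    print("ACL from flags only:", sorted(entries))
    print("Flows left undetermined:", unknown)
    entries, unknown = extract_acl_from_flags(
        SAMPLE_PACKETS, well_known_ports=frozenset({(80, "tcp"), (53, "udp")}))
    print("ACL with well-known-port assumption:", sorted(entries))
    print("Flows still undetermined:", unknown)
```

Run on the constructed sample, flag analysis alone yields the two HTTP entries and leaves the SSH and DNS flows undetermined; enabling the well-known-port assumption recovers the DNS entry but still cannot classify the SSH flow, since port 22 is not in the assumed set and its handshake was never observed.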
Meanwhile, as prior art related to the present invention, there is the paper entitled “Flow Whitelisting in SCADA Networks” (written by Rafael Ramos Regis Barbosa, Ramin Sadre, and Aiko Pras), published at the International Conference of Critical Infrastructure Protection, 2013.