The Internet is a network that uses Transmission Control Protocol/Internet Protocol (TCP/IP). As Internet technology has developed, the range of uses of the Internet has expanded, so that individuals and enterprises in general access the Internet, acquire various types of information, and use the acquired information for their business. However, alongside the advantage of easy access to information, a variety of hacking programs, such as computer viruses, spread across the Internet, and such programs intrude into networks connected to the Internet, so that systems using the Internet are attacked.
As a security technology for preventing illegal intrusion into a system, Microsoft Corporation has provided, beginning with its Windows XP operating system, an Internet Connection Firewall (ICF) for protecting a computer or a network from intrusion.
An ICF is a security technology that prevents traffic not desired by a computer user from entering a computer from the outside or exiting from a computer to the outside. For this purpose, the ICF constructs a communication-allowed list in the form of a table, tracks an inbound packet (a packet entering a computer from the outside) and an outbound packet (a packet exiting from a computer to the outside) using network filtering technology, and compares those packets with the communication-allowed list. The ICF allows the traffic of a corresponding packet if the corresponding packet is included in the communication-allowed list, and blocks the traffic of the corresponding packet if the corresponding packet is not included in the communication-allowed list. In this case, the process ID and path of a process for which communication has been allowed by a user are stored in the communication-allowed list.
FIG. 1 is an operation flowchart illustrating a conventional method of blocking network access in an ICF.
The ICF analyzes the process information (the process ID and path) of a process that transmits or receives a network packet at step S11. If the corresponding process ID and path are included in a communication-allowed list at step S12, the traffic of the corresponding packet is allowed at step S13. However, if the corresponding process ID and path are not included in the communication-allowed list at step S12, a user is requested to verify whether to allow a packet that is transmitted or received by the corresponding process at step S14. If the user allows the transmission of the packet at step S15, the process ID and path of the corresponding process are included in a communication-allowed list at step S16, and the traffic of the corresponding packet is allowed at step S13. Meanwhile, if the user does not allow the transmission of the packet at step S15, the traffic of the corresponding packet is blocked at step S17.
This conventional method of blocking network access in an ICF cannot block packet traffic when a hacker inserts malware into a process for which communication has already been allowed and the malware then runs and generates packet traffic, because the conventional method selectively allows and blocks packet traffic based solely on the process ID.
This will now be described in greater detail.
In general, Internet Explorer (iexplore.exe) is a Web browser program that is widely used under the Windows operating system (OS). Internet Explorer frequently generates traffic, such as an outbound packet or an inbound packet. Accordingly, if the verification of the transmission of a packet generated by Internet Explorer is requested, a user would allow the transmission without particular doubt. In this case, both an outbound packet that Internet Explorer sends to the outside and an inbound packet that is sent from the outside to Internet Explorer are allowed without the additional verification of the user.
Meanwhile, a program such as a Trojan or Zeus injects malicious code into a process through code injection and enables the malicious code to generate a thread. Recently, a financial incident occurred in which malicious code inserted into a user computer by a Zeus program divulged financial information, such as bank accounts and passwords, stored in the computer to a hacker; the hacker then accessed the bank accounts of small- and medium-sized enterprises and local government entities using the financial information and withdrew money from them.
For example, it is assumed that, as illustrated in FIG. 2, malicious code is inserted into Internet Explorer, a thread is generated from that malicious code, and the malicious thread Thread 3 attempts to divulge information. In this case, an ICF searches the communication-allowed list using the process ID (that is, the ID of the Internet Explorer process, iexplore.exe) and then controls the network access of Internet Explorer as a whole. That is, if Internet Explorer has been included in the communication-allowed list, the divulgence of information via the malicious thread is allowed. In contrast, if Internet Explorer has not been included in the communication-allowed list, the divulgence of information via the malicious thread is blocked. It will be apparent that the ICF likewise controls the network access of normal packets from the other, normal threads of Internet Explorer based on the same process ID.
Accordingly, if the user allows Internet Explorer to perform network access, the user can access the Internet without inconvenience because normal packet transmission via other normal threads is smoothly performed, but security becomes vulnerable because the network access of a malicious thread included in Internet Explorer is also allowed.
In contrast, if the user does not allow the network access of Internet Explorer, the malicious divulgence of information via a malicious thread can be prevented, but the user has serious trouble using the Internet because normal packet transmission via other normal threads is also blocked.
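As an added example (not part of the original document), the following Python model implements the FIG. 1 decision flow with a lookup keyed only on the (process ID, path) pair and then replays the FIG. 2 scenario; the process ID, image path, thread numbers and packet descriptions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    pid: int          # process ID of the sending/receiving process
    path: str         # image path of that process
    thread_id: int    # thread that generated the packet (never consulted by this ICF model)
    direction: str    # "out" (outbound) or "in" (inbound)
    summary: str      # constructed description of the packet content


@dataclass
class ConventionalICF:
    """Models the FIG. 1 flow: every verdict is keyed on (process ID, path) alone."""
    ask_user: Callable[[Packet], bool]                                  # steps S14/S15 prompt
    allowed: Dict[Tuple[int, str], str] = field(default_factory=dict)   # communication-allowed list
    log: List[str] = field(default_factory=list)

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.pid, pkt.path)                  # step S11: only process information is inspected
        if key in self.allowed:                    # step S12 -> S13
            verdict = True
        elif self.ask_user(pkt):                   # step S14 -> S15 (user allows) -> S16
            self.allowed[key] = "allowed by user"
            verdict = True
        else:                                      # step S15 (user denies) -> S17
            verdict = False
        self.log.append(f"{'ALLOW' if verdict else 'BLOCK'} tid={pkt.thread_id} {pkt.direction} {pkt.summary}")
        return verdict


IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"   # assumed path, for illustration only


def run_fig2_scenario(user_allows_iexplore: bool) -> Tuple[Dict[int, bool], int]:
    """Replay FIG. 2: threads 1 and 2 are normal browser traffic, thread 3 was injected.
    Returns the per-thread verdicts and how many times the user was prompted."""
    prompts: List[int] = []
    icf = ConventionalICF(ask_user=lambda pkt: prompts.append(pkt.thread_id) or user_allows_iexplore)
    traffic = [                                   # constructed sample traffic; pid 1234 = iexplore.exe
        Packet(1234, IEXPLORE, 1, "out", "normal page request"),
        Packet(1234, IEXPLORE, 2, "in", "normal page response"),
        Packet(1234, IEXPLORE, 3, "out", "stored credentials leaving the machine"),
    ]
    verdicts = {p.thread_id: icf.filter(p) for p in traffic}
    return verdicts, len(prompts)
```

After the user answers the single prompt raised by Thread 1, the injected thread's packet passes with no further verification, while denying that prompt blocks the normal threads as well; the model carries the thread ID only to show that the conventional lookup never reads it.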