KR101637912B1 - Method and apparatus for detecting wireless router with altered domain name system ip - Google Patents

Abstract

The present invention relates to a method and apparatus for detecting a router whose DNS IP is modulated, and an embodiment of the present invention includes a step of receiving a DNS IP (Domain Name System Internet Protocol) from a terminal connected to the router, , Determining whether the DNS IP is modulated, generating a determination result according to whether the DNS IP is modulated, and transmitting the determination result to the terminal. Can be provided.

Description

METHOD AND APPARATUS FOR DETECTING WIRELESS ROUTER WITH ALTERED DOMAIN NAME SYSTEM IP FIELD OF THE INVENTION [0001]

Field of the Invention [0002] The present invention relates to a method and apparatus for preventing pharming, and more particularly, to a method and apparatus for detecting a router whose DNS IP is modulated.

Recently, the value of information assets is increasing rapidly due to the rapid development and diffusion of the Internet. There are also various attempts to protect the value of such information assets. Technologically, technology has been developed to diagnose or remove vulnerabilities to various threats such as hacking, viruses, worms, trojans, phishing, pharming, and others.

A phishing attack means using a fraudulent e-mail or Web site to allow the recipient to enter and transmit personal or financial information such as credit card numbers, account names, passwords, social security numbers, and so on.

The pharming attack illegally modifies the host file by referring to the host file when performing a DNS (Domain Name Server) query on the terminal, so that even if the user correctly inputs the name of the site to which the user intends to visit, ) Address to trick the terminal user to input important information.

In the case of a phishing attack, an email sent from a website such as a financial institution is disguised to induce a link to extract an individual's authentication number, credit card number, account information, etc., and a pharming attack steals a domain of a user legally owned Or DNS name fraudulent people to mislead as a real site that means the Internet fraud technique means that the site itself was officially operating in the middle of the domain itself, ID), a password, and an account number.

On the other hand, a pharming attack can be more easily deceived than a phishing attack on the user side by modifying the address of the DNS or proxy server directly or indirectly. There are various methods that can be used as a pharming attack, such as modifying the DNS address, changing the client host file, changing the client DNS server address, changing the registered domain information, and using the proxy server.

In this way, the basic foundation of pharming attack is centered on address change so that users can easily connect without any doubt, and the modulation of DNS information is a common form. This DNS has the function of changing the domain address that is often input when connecting to a site to an IP address or vice versa. The reason for this is that the communication on the real network is done through the IP address, and since it can not remember all of the IP addresses, it is used to easily memorize and retrieve the desired place by using the DNS.

Phishing attacks have led to fraudulent phishing sites using similar domain names, redirects through normal sites, and sophisticated counterfeit pages, but there are areas where users can be aware of phishing sites if they look carefully, , The change of DNS information makes it more difficult for users to judge and it is more likely to believe that they are not forgery.

Korean Patent Laid-Open No. 10-2009-0120343 (entitled "Pharming Detection System and Control Method Therefor") discloses a pharming method for changing a host file in a terminal to move to an unexpected web site, The modulated DNS information of the wired and wireless router connected to the terminal is not limited to the DNS information of the terminal connected to the terminal, Can not confirm. In addition, since the DNS server is directly inquired of whether or not the DNS information is altered, there is a problem that the detection speed is very low.

Published Korean patent: 10-2009-0120343

A problem to be solved by an embodiment of the present invention is to provide a router with a DNS IP-modulated router that can quickly detect a modulated router or router and prevent a security incident by blocking important personal information of a user terminal from being leaked And to provide a method and an apparatus for detecting the same.

According to another aspect of the present invention, there is provided a method for controlling a DNS server, the method comprising: receiving a DNS (Domain Name System Protocol) from a terminal connected to a router; determining whether the DNS IP is modulated; Generating a result of the determination according to the result of the determination, and transmitting the determination result to the terminal.

In one embodiment, the step of determining whether to modulate the DNS IP may include determining whether the DNS IP includes a whitelist and a blacklist, wherein the whitelist includes an authorized DNS IP, And determining whether the DNS IP has been tampered with.

In another embodiment, the determination result indicates that the DNS IP is included in the whitelist, the result that the DNS IP is included in the blacklist, and the DNS IP is not included in either the whitelist or the blacklist The result may be included.

In yet another embodiment, the step of generating a determination result according to whether the DNS IP is modulated may include the step of the sensing device generating a message according to the determination result.

Another embodiment according to the present invention is a method for accessing a router, comprising: transmitting a connection request to a router, receiving DNS information including a DNS IP from the router, extracting the DNS IP from the DNS information, To the sensing device, and receiving a determination result depending on whether the DNS IP is modulated from the sensing device.

In one embodiment, the terminal may further include displaying the determination result.

In another embodiment, when the DNS IP is included in the black list, the terminal may further include a step of blocking connection with the router.

Another embodiment according to the present invention is a DNS IP receiver for receiving a DNS IP from a terminal, a whitelist and a blacklist for the DNS IP, wherein the whitelist comprises an authorized DNS IP, And a DNS IP, the method comprising: determining whether the DNS IP is modulated; determining whether the DNS IP is modulated; comparing the whitelist with a whitelist; storing a blacklist; A message generator for generating a message according to a determination result of the determination unit, and a message transmission unit for transmitting the message to the terminal.

If the DNS IP is included in the whitelist, the modulation / deciding unit determines that the DNS IP is not modulated. If the DNS IP is included in the black list, And if the DNS IP is not included in either the whitelist or the blacklist, the DNS IP can determine that there is a possibility of modulation.

In another embodiment, the whitelist storage unit updates and stores the whitelist based on data received from the DNS IP management unit managing the DNS IP, and the blacklist storage unit receives the black list from the DNS IP management unit The black list can be updated and stored based on one data.

In another embodiment, the message further comprises a message that the DNS IP is included in the whitelist and that the DNS IP is not tampered, a warning message indicating that the DNS IP is included in the blacklist and the DNS IP is tampered, And a modulated suspect message that the IP is not included in either the whitelist or the blacklist.

According to another aspect of the present invention, there is provided an IP network system including a connection unit for requesting a connection to a router and initiating connection, a DNS IP extracting unit for extracting DNS IP from DNS information received from the router, a DNS And a message display unit for receiving a result of the determination of whether or not the DNS IP is modulated from the sensing device and a message display unit for displaying the message.

In one embodiment, the terminal further includes an access blocking unit for blocking access to the currently connected router when the terminal receives the determination result that the DNS IP is included in the black list and is a modulated DNS IP .

Another embodiment of the present invention is a computer program for causing a computer to perform the following steps stored in a computer-readable medium, the method comprising: receiving a Domain Name System Internet Protocol (DNS) Protocol), wherein the DNS IP is whitelisted and blacklisted, wherein the whitelist includes an authorized DNS IP, and the blacklist includes a modulated DNS IP, Determining whether the IP is modulated, generating a determination result according to whether the DNS IP is modulated, and transmitting the determination result to the terminal.

The method and apparatus for detecting a DNS router-modulated router according to an exemplary embodiment of the present invention quickly detects a wired or wireless router whose DNS information is modulated and blocks important personal information of a user terminal from being leaked, Can be prevented.

Various aspects are now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following examples, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It will be apparent, however, that such aspect (s) may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more aspects.
FIG. 1 shows a system for detecting a router whose DNS IP is modulated according to an embodiment of the present invention. Referring to FIG.
FIG. 2 is a flowchart illustrating a method of detecting a router whose DNS IP is modulated according to an exemplary embodiment of the present invention. Referring to FIG.
FIG. 3 illustrates a process of determining whether or not a DNS IP is modulated by a sensing apparatus according to an exemplary embodiment of the present invention.
FIG. 4 is an internal configuration diagram illustrating a sensing apparatus for detecting a router whose DNS IP is modulated according to an exemplary embodiment of the present invention. Referring to FIG.
5 illustrates a white list storage unit and a black list storage unit according to an embodiment of the present invention.
6 illustrates a terminal for detecting a router whose DNS IP is modulated according to an embodiment of the present invention.
FIG. 7 illustrates a block diagram of a computer that is operative to execute a computer program that performs a method of detecting a router with DNS IP according to an embodiment of the present invention.
Figure 8 shows a schematic block diagram of an exemplary computing environment for executing a computer program that performs a method for DNS IP to detect modulated routers in accordance with an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The above and other objects, features and advantages of the present invention will become more apparent from the following detailed description of the present invention when taken in conjunction with the accompanying drawings. It is to be understood that the following specific structure or functional description is illustrative only for the purpose of describing an embodiment in accordance with the concepts of the present invention and that embodiments in accordance with the concepts of the present invention may be embodied in various forms, It should not be construed as limited to the embodiments.

The embodiments according to the concept of the present invention can make various changes and have various forms, so that specific embodiments are illustrated in the drawings and described in detail in this specification or application. It should be understood, however, that the embodiments according to the concept of the present invention are not intended to be limited to any particular mode of disclosure, but include all modifications, equivalents, and alternatives falling within the spirit and scope of the present invention.

The terms first and / or second etc. may be used to describe various components, but the components are not limited to these terms. The terms may be named for the purpose of distinguishing one element from another, for example, without departing from the scope of the right according to the concept of the present invention, the first element being referred to as the second element, The second component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when it is mentioned that an element is "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Other expressions for describing the relationship between components, such as "between" and "between" or "adjacent to" and "directly adjacent to" should also be interpreted.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. It is to be understood that the terms such as " comprises "or" having "in this specification are intended to specify the presence of stated features, integers, But do not preclude the presence or addition of steps, operations, elements, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

FIG. 1 shows a system for detecting a router whose DNS IP is modulated according to an embodiment of the present invention. Referring to FIG.

Referring to FIG. 1, a system for detecting a DNS router-modulated router according to an exemplary embodiment of the present invention may include a terminal 100, a router 200, and a sensing device 300.

The terminal 100 may be connected to the router 200 through a communication network 400. The terminal 100 can access a specific web site using the connection information provided by the router 200. [ Here, the connection information may include DNS information. For example, the DNS information may include an IP (Internet Protocol) address given to the terminal 100 by the router 200 and DNS information necessary for the terminal 100 to access a specific web site. In particular, the DNS information may include information that allows a user to change a domain name input through the terminal 100 to an IP address. For example, when the user inputs www.abcdef.com into the terminal 100, the terminal 100 can connect to the IP address of 123.456.789.10 using the DNS information received from the router 200.

If the DNS information provided by the router 200 is tampered (for example, 123.456.789.10 corresponding to www.abcdef.com is modulated to 123.456.789.20), the user can access www.abcdef.com It can be linked to a website with an IP address of 123.456.789.20 which is intended, but not related to the user's intent. In order to solve such a problem, a system for detecting a router 200 modulated with DNS IP according to an embodiment of the present invention includes a DNS (Domain Name System Internet Protocol And determines whether or not the DNS IP is modulated and transmits the determination result to the terminal 100 so that the DNS detects the modulated wireless router 200 quickly and the important personal information of the terminal 100 is leaked You can prevent security incidents by blocking in advance.

The terminal 100 according to an exemplary embodiment of the present invention may include a portable terminal 100, a mobile terminal, a telematics terminal, a notebook computer, a digital broadcasting terminal, An AVN (Audio Video Navigation) terminal, a PMP (Portable Multimedia Player), a navigation terminal (a car navigation device), a navigation terminal (a navigation terminal) And the like.

In addition, the communication network 400 according to an exemplary embodiment of the present invention may include a wireless LAN (WLAN), a Wi-Fi, a wireless broadband (Wibro), a wimax (World Interoperability for Microwave Access) , HSDPA (High Speed Downlink Packet Access), IEEE 802.16, Long Term Evolution (LTE), and a Wireless Mobile Broadband Service (WMBS). The local area communication technology may be Bluetooth, Radio Frequency Identification (RFID), Infrared Data Association (IrDA), Ultra Wide Band (UWB), ZigBee, Near Field Communication ), And the like.

FIG. 2 is a flowchart illustrating a method of detecting a router whose DNS IP is modulated according to an exemplary embodiment of the present invention. Referring to FIG.

Referring to FIG. 2, in step S201, the terminal 100 may request a connection to the router 200. FIG.

In step S202, the router 200 can receive the connection request and transmit the connection information corresponding thereto to the terminal 100. [ Here, the connection information may include an IP address assigned to the terminal 100 by the router 200 and DNS information required when the terminal 100 accesses a specific web site.

In step S203, the terminal 100 can extract the DNS IP from the received DNS information. Here, the DNS IP may include an IP address corresponding to a domain name of a specific web site input by the user.

In step S204, the terminal 100 may transmit the DNS IP to the sensing apparatus 300. [ At this time, the terminal 100 can transmit the DNS IP to the sensing device 300 through the same communication network 400 as the communication network 400 connected to the router 200, The DNS IP can be transmitted to the sensing device 300 through the communication network 400. [ For example, when the terminal 100 is connected to the router 200 via the WiFi, the terminal 100 can transmit the DNS IP to the sensing device 300 through the Wi-Fi network, DNS IP to the sensing device 300.

In step S205, the sensing apparatus 300 can determine whether the DNS IP has been tampered with using the received DNS IP.

In step S206, the sensing device 300 may generate a determination result of modulation or not, and may transmit the determination result to the terminal 100. [

In step S207, the terminal 100 can display the determination result. Here, the determination result may include a message that the DNS IP provided by the router 200 to which the terminal 100 is currently connected has been tampered with. The user can confirm the message that the DNS IP has been tampered and can disconnect or disconnect the connection with the currently connected router 200. [

If the user is blocked or disconnected from the router 200 that is currently connected to the suspicious alert message, information about the router 200 that blocked or released the connection is transmitted to the sensing device 300 for updating It is possible.

In another embodiment, when the terminal 100 receives a message indicating that the DNS IP provided by the currently connected router 200 has been tampered as in step S208, the terminal 100 may automatically block the connection with the currently connected router 200. [

FIG. 3 illustrates a process of determining whether or not a DNS IP is modulated by a sensing apparatus according to an exemplary embodiment of the present invention.

Referring to FIG. 3, in step S301, the sensing apparatus 300 according to an embodiment of the present invention may receive a DNS IP from the terminal 100. FIG. The terminal 100 can extract the DNS IP from the DNS information as described above. The terminal 100 may transmit the extracted DNS IP to the sensing device 300. [

In step S302, the sensing apparatus 300 according to an exemplary embodiment of the present invention can search whether the received DNS IP is in the whitelist. Here, the whitelist is a list of authorized DNS IPs, and the whitelist can be provided by Korea Internet & Security Agency (http://www.kisa.or.kr/). In addition, the data provided by KISA can be updated as needed. However, the scope of the present invention is not limited thereto, but it suffices to manage the whitelist using data provided by an organization providing services similar to the Korea Internet Promotion Agency. If the received DNS IP is in the whitelist, the DNS IP provided by the router 200 can be determined as an unmodified DNS IP. The router 200 to which the terminal 100 is currently connected provides the unmodified DNS IP, so that the current connection state can be maintained. In another embodiment, the router 200 to which the terminal 100 is currently connected may generate and send a message to the terminal 100 that the router 200 provides an unmodified DNS IP.

In step S303, if the received DNS IP is not in the whitelist, it can be checked whether the received DNS IP is in the black list. Here, the blacklist may include information about the DNS IP that has been tampered with. As described above, the blacklist can be provided by KISA, but not limited thereto, and the data can be provided and updated from an organization providing similar services.

If the received DNS IP is in the black list in step S304, it is determined that the received DNS IP has been modulated and a modulation alert message can be generated.

In step S305, the sensing apparatus 300 may transmit the generated modulation alert message to the terminal 100. [ After that, the terminal 100 provides the DNS IP that is currently connected to the router 200, thereby blocking the connection. The terminal 100 may block the connection at a time, but may inform the user of the method of displaying a modulation warning message to the user. Thereafter, the user may maintain a connection with the sharing router 200 which is currently connected, or may block the connection, if necessary.

If the received DNS IP is not in the black list in step S303, it can not be sure that the received DNS IP is a modulated DNS IP, so that a suspicious warning message can be generated in step S306. Although the whitelist and the blacklist described above store data regarding the modulated DNS IP and the unmodified DNS IP, it is not easy to actually update the DNS IP provided in the router 200 in real time. Therefore, there is a certain time interval while the whitelist and the blacklist are updated. Therefore, when the received DNS IP is not included in either the white list or the black list, the suspicious alert message can be transmitted to the terminal 100 . If the terminal 100 receives the suspicious warning message, the terminal 100 may display a suspicious warning message to give the user a choice of whether to maintain the connection. The suspicious alert message generated in step S306 may be transmitted to the terminal 100 in step S305.

FIG. 4 is an internal configuration diagram illustrating a sensing apparatus for detecting a router whose DNS IP is modulated according to an exemplary embodiment of the present invention. Referring to FIG.

4, the sensing apparatus 300 for sensing the router 200 modulated by DNS IP according to an embodiment of the present invention includes a DNS IP receiving unit 310, a modulation determining unit 320, A black list storage unit 340, a message generation unit 350, and a message transmission unit 360. The black list storage unit 340 may include a black list storage unit 340, a black list storage unit 340, a message generation unit 350,

The DNS IP receiving unit 310 may receive the DNS IP from the terminal 100. [ The terminal 100 may extract the DNS IP from the DNS information received from the router 200 and transmit the extracted DNS IP to the sensing apparatus 300 according to an embodiment of the present invention.

The tampering determination unit 320 receives the DNS IP from the DNS IP receiving unit 310 and compares the received DNS IP with the whitelist or the black list to determine whether or not the DNS IP has been tampered with. Here, the whitelist includes an authorized DNS IP, and the blacklist can include a DNS IP that has been tampered with.

If the DNS IP is in the whitelist, the received DNS IP can be determined as the authorized DNS IP, and the tampering determination unit 320 determines that the DNS 200 is not tampered with in the router 200 providing the DNS IP .

If the DNS IP is in the black list, the received DNS IP can be judged as a modulated DNS IP. The modulator 320 determines whether the DNS IP is modulated . That is, it can be determined that the router is likely to be hacked. If the DNS IP is not whitelisted or blacklisted, the received DNS IP is not an authorized DNS IP, but it can not be concluded that it is a modulated DNS IP. At this time, first, DNS IP can judge that the modulation is suspected.

The sensing apparatus 300 according to an exemplary embodiment of the present invention generates a determination result according to whether the received DNS IP is included in the whitelist and the blacklist, It can be determined that the DNS IP is suspecting the modulation.

5 illustrates a white list storage unit and a black list storage unit according to an embodiment of the present invention.

Referring to FIG. 5, the white list storage unit 330 may store a white list. In addition, the blacklist storage unit 340 may store the blacklist. The whitelist storage unit 330 and the blacklist storage unit 340 may be connected to the server 500 or the like that provides information on the DNS IP to the communication network 400. At this time, the server 500 providing the information about the DNS IP may be a server capable of managing and updating the authorized DNS IP and the modulated DNS IP. For example, the server 500 providing information on the DNS IP may be a server operated by the Korea Internet Development Agency (http://www.kisa.or.kr/), but the present invention is not limited thereto. A server operating on an organization that provides similar services is sufficient.

Referring again to FIG. 4, the white list storage unit 330 and the black list storage unit 340 according to an embodiment of the present invention may be provided inside the sensing apparatus 300. The white list storage unit 330 and the black list storage unit 340 may be a flash memory type, a hard disk type, a multimedia card micro type, a card type (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read only memory (PROM) (Programmable Read-Only Memory) magnetic memory, a magnetic disk, or an optical disk.

4, the white list storage unit 330 and the black list storage unit 340 are provided inside the sensing device 300. However, the present invention is not limited to the white list storage unit 330 and the blacklist storage unit 340, The unit 340 may be disposed to be physically separated from the sensing device 300.

The message generation unit 350 may generate a message according to the determination result of the modulation state determination unit 320. The message generated by the message generating unit 350 may include a message according to a result of the determination that the DNS IP provided by the currently connected router 200 has not been tampered with, a determination result that the DNS IP provided by the currently connected router 200 is tampered And the DNS IP provided by the router 200 that is currently connected may include a message according to a result of the determination that the modulation is suspected.

The message transmission unit 360 may transmit the message generated by the message generation unit 350 to the terminal 100 through the communication network 400.

6 illustrates a terminal for detecting a router whose DNS IP is modulated according to an embodiment of the present invention.

Referring to FIG. 6, a terminal 100 for detecting a router 200 modulated by DNS IP according to an embodiment of the present invention includes a connection unit 110, a DNS IP extracting unit 120, a DNS IP transmitting unit 130, A message receiving unit 140, and a message display unit 150. [

The connection unit 110 can request the connection to the router 200 and start the connection. The connection unit 110 may initiate a connection at the request of the user, or may recognize the signal of the connectable router and automatically initiate the connection.

The DNS IP extracting unit 120 can extract the DNS IP from the DNS information received from the router 200. Extracting the DNS IP from the received DNS information corresponds to a known technology and will not be described in detail here.

The DNS IP transmission unit 130 can transmit the DNS IP to the sensing apparatus 300. [ The DNS IP transmitting unit 130 can transmit the DNS IP to the sensing device 300 through the communication network 400 described above.

The message receiving unit 140 may receive a result of the determination of whether or not the DNS IP is modulated from the sensing device 300. [

The message display unit 150 may display a message so that the user can confirm the message.

The connection blocking unit (not shown) may block the connection with the router 200 according to the message. Also, the connection blocking unit may determine whether or not to block according to a user's request.

One embodiment according to the present invention is a computer program for causing a computer to perform the following steps, the computer being stored in a computer-readable medium, the method comprising: receiving, from a terminal (100) connected to the router (200) Receiving a Domain Name System Internet Protocol (IP), wherein the DNS IP is whitelisted and blacklisted, wherein the whitelist includes an authorized DNS IP, and the blacklist includes a modulated DNS IP Determining whether the DNS IP is modulated, generating a determination result according to whether the DNS IP is modulated, and transmitting the determination result to the terminal 100 .

FIG. 7 illustrates a block diagram of a computer that is operative to execute a computer program that performs a method of detecting a router with DNS IP according to an embodiment of the present invention.

Referring to FIG. 7, a brief general description of a suitable computing environment in which various aspects of an embodiment of the invention may be implemented may be provided.

Although the present invention has been described above generally in terms of computer-executable instructions that can be executed on one or more computers, those skilled in the art will appreciate that the present invention may be implemented in combination with other program modules and / will be.

Generally, program modules include routines, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the inventive methods may be practiced with other computer systems, such as single-processor or multi-processor computer systems, minicomputers, mainframe computers, as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronics, And may operate in conjunction with one or more associated devices).

Illustrative aspects of the invention may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer readable media. Any medium accessible by a computer can be a computer-readable medium, which includes both volatile and non-volatile media, both removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, Or any other medium which can be accessed by a computer and used to store the desired information.

Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal, such as a carrier wave or other transport mechanism, Media. The term modulated data signal refers to a signal that has one or more of its characteristics set or changed to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, or other wireless media. Combinations of any of the above described media are also intended to be included within the scope of computer readable media.

There is shown an exemplary environment 1100 that implements various aspects of the present invention including a computer 1102 and includes a processing unit 1104, a system memory 1106 and a system bus 1108 do. The system bus 1108 couples system components, including but not limited to, system memory 1106 to the processing unit 1104. The processing unit 1104 may be any of a variety of commercially available processors. Dual processors and other multiprocessor architectures may also be used as the processing unit 1104.

The system bus 1108 may be any of several types of bus structures that may additionally be interconnected to a local bus using any of the memory bus, peripheral bus, and various commercial bus architectures. The system memory 1106 includes read only memory (ROM) 1110 and random access memory (RAM) The basic input / output system (BIOS) is stored in a non-volatile memory 1110, such as a ROM, EPROM, EEPROM or the like, which is a basic (non-volatile) memory device that aids in transferring information between components within the computer 1102 Routine. The RAM 1112 may also include a high speed RAM such as static RAM for caching data.

The computer 1102 may also be an internal hard disk drive (HDD) 1114 (e.g., EIDE, SATA) - this internal hard disk drive 1114 may also be configured for external use within a suitable chassis , A magnetic floppy disk drive (FDD) 1116 (e.g., for reading from or writing to a removable diskette 1118), and an optical disk drive 1120 (e.g., a CD-ROM For reading disc 1122 or reading from or writing to other high capacity optical media such as DVD). The hard disk drive 1114, magnetic disk drive 1116 and optical disk drive 1120 are connected to the system bus 1108 by a hard disk drive interface 1124, a magnetic disk drive interface 1126 and an optical drive interface 1128, respectively. . The interface 1124 for external drive implementation includes at least one or both of USB (Universal Serial Bus) and IEEE 1394 interface technologies.

These drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions, and the like. In the case of computer 1102, the drives and media correspond to storing any data in a suitable digital format. While the above description of computer readable media refers to HDDs, removable magnetic disks, and removable optical media such as CDs or DVDs, those skilled in the art will appreciate that other types of storage devices, such as zip drives, magnetic cassettes, flash memory cards, Or the like may also be used in the exemplary operating environment and any such medium may include computer-executable instructions for carrying out the methods of the present invention.

A number of program modules may be stored in the drive and RAM 1112, including an operating system 1130, one or more application programs 1132, other program modules 1134, and program data 1136. All or a portion of the operating system, applications, modules, and / or data may also be cached in the RAM 1112. It will be appreciated that the present invention may be implemented in a variety of commercially available operating systems or combinations of operating systems.

A user may enter commands and information into the computer 1102 via one or more wired / wireless input devices, such as a keyboard 1138 and a pointing device such as a mouse 1140. [ Other input devices (not shown) may include a microphone, an IR remote control, a joystick, a game pad, a stylus pen, a touch screen, and so on. These and other input devices are often connected to the processing unit 1104 via an input device interface 1142 that is coupled to the system bus 1108, but may be a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, ≪ / RTI > and so forth.

A monitor 1144 or other type of display device is also connected to the system bus 1108 via an interface, such as a video adapter 1146, In addition to the monitor 1144, the computer typically includes other peripheral output devices (not shown) such as speakers, printers,

Computer 1102 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer (s) 1148, via wired and / or wireless communication. The remote computer (s) 1148 can be a workstation, a server computer, a router, a personal computer, a portable computer, a microprocessor-based entertainment device, a peer device or other conventional network node, Includes a number of or all of the described elements, but for simplicity, only memory storage device 1150 is shown. The logical connections depicted include a wired / wireless connection to a local area network (LAN) 1152 and / or a larger network, e.g., a wide area network (WAN) These LAN and WAN networking environments are commonplace in offices and corporations and facilitate enterprise-wide computer networks such as intranets, all of which can be connected to computer networks worldwide, for example the Internet.

When used in a LAN networking environment, the computer 1102 is connected to the local network 1152 via a wired and / or wireless communication network interface or adapter 1156. [ The adapter 1156 may facilitate wired or wireless communication to the LAN 1152 and the LAN 1152 also includes a wireless access point installed therein to communicate with the wireless adapter 1156. [ When used in a WAN networking environment, the computer 1102 may include a modem 1158, or may be coupled to a communications server on the WAN 1154, or to other devices that establish communications over the WAN 1154, such as via the Internet. . A modem 1158, which may be an internal or external and a wired or wireless device, is coupled to the system bus 1108 via a serial port interface 1142. In a networked environment, program modules described for the computer 1102, or portions thereof, may be stored in the remote memory / storage device 1150. It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used.

The computer 1102 may be any wireless device or entity that is deployed and operable in wireless communication, such as a printer, a scanner, a desktop and / or portable computer, a portable data assistant (PDA) (E.g., a kiosk, a newsstand, a toilet), and a telephone. This includes at least Wi-Fi and Bluetooth ™ wireless technology. Thus, the communication may be a predefined structure, such as in a conventional network, or simply an ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) allows you to connect to the Internet from a home sofa, a bed in a hotel room, or a meeting room in your workplace without wires. Wi-Fi is a wireless technology such as a cell phone that allows such devices, e.g., computers, to transmit and receive data indoors and outdoors, i. E. Anywhere within the coverage area of a base station. Wi-Fi networks use a wireless technology called IEEE 802.11 (a, b, g, etc.) to provide a secure, reliable, and high-speed wireless connection. Wi-Fi can be used to connect computers to each other, the Internet, and a wired network (using IEEE 802.3 or Ethernet). The Wi-Fi network operates in unlicensed 2.4 and 5 GHz wireless bands, for example, at 11 Mbps (802.11a) or 54 Mbps (802.11b) data rates, or in products containing both bands (dual band) Thus, this network can provide real-world performance similar to the basic 10BaseT wired Ethernet network used in many offices.

Figure 8 shows a schematic block diagram of an exemplary computing environment for executing a computer program that performs a method for detecting a router with DNS IP according to an embodiment of the present invention.

Referring to FIG. 8, system 1200 includes one or more client (s) 1202. The client (s) 1202 may be hardware and / or software (e.g., threads, processes, computing devices). The client (s) 1202 may store cookie (s) and / or associated contextual information, for example, by using the present invention.

System 1200 also includes one or more server (s) 1204. The server (s) 1204 may also be hardware and / or software (e.g., threads, processes, computing devices). The server 1204 may, for example, store a thread that performs the transformation by using the present invention. One possible communication between client 1202 and server 1204 may be in the form of a data packet that is configured to be transmitted between two or more computer processes. The data packet may include, for example, a cookie and / or associated contextual information. System 1200 includes a communications framework 1206 (e.g., a worldwide communications network such as the Internet) that can be utilized to facilitate communications between client (s) 1202 and server (s) .

Communications may be facilitated via wireline (including optical fibers) and / or wireless technology. The client (s) 1202 may include one or more client data stores (e. G., Client 1202) that may be used to store information (e.g., cookie (s) and / ) 1208, respectively. Similarly, server (s) 1204 operate in conjunction with one or more server data store (s) 1210 that may be utilized to store information local to servers 1204.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the appended claims. It will be understood that the invention may be varied and varied without departing from the scope of the invention.

100: terminal
110:
120: DNS IP extracting unit
130: DNS IP sender
140:
150:
200: Router
300: sensing device
310: DNS IP receiver
320:
330: Whitelist storage unit
340: Blacklist storage unit
350:
360:
400: communication network
500: Server providing information about DNS IP

Claims (14)

CLAIMS 1. A method for detecting a modulated router by a DNS IP performed by a sensing device,
Receiving a DNS IP (Domain Name System Internet Protocol) from a terminal connected to the router;
Wherein the DNS IP is whitelisted and blacklisted, wherein the whitelist includes an authorized DNS IP, the blacklist includes a modulated DNS IP, and determines whether the DNS IP is modulated ;
Generating a determination result according to whether the DNS IP is modulated; And
Transmitting the determination result to the terminal;
Lt; / RTI >
As a result of the determination,
As a result that the DNS IP is included in the whitelist,
The result that the DNS IP is included in the blacklist and
The result that the DNS IP is not included in either the white list or the black list
/ RTI >
The step of generating a determination result according to whether or not the DNS IP is modulated includes:
Generating a message that the DNS IP is included in the whitelist to notify the DNS IP that the DNS IP is unmodified, generating a warning message that the DNS IP is included in the blacklist and that the DNS IP has been tampered, And generating a suspicion warning message if it is not included in either the list or the blacklist. ≪ RTI ID = 0.0 >
How DNS IP detects modulated routers.



delete delete The method according to claim 1,
Generating a determination result according to whether or not the DNS IP is modulated;
Generating a message according to the determination result;
/ RTI >
How DNS IP detects modulated routers.
CLAIMS 1. A method for detecting a modulated router by a DNS IP performed by a terminal,
Transmitting a connection request to the router;
Receiving DNS information including a DNS IP from the router;
Extracting the DNS IP from the DNS information;
Sending the DNS IP to a sensing device; And
Wherein the DNS IP from the sensing device is whitelisted and blacklisted, wherein the whitelist includes an authorized DNS IP, and wherein the blacklist includes a modulated DNS IP, Receiving a determination result according to whether or not the IP is modulated;
/ RTI >
Wherein the step of receiving the determination result comprises:
Receiving the message that the DNS IP is not modulated if the sensing device determines that the DNS IP is included in the whitelist and the DNS IP is not modulated;
Receiving a warning message indicating that the DNS IP has been tampered when the sensing device determines that the DNS IP is included in the blacklist and the DNS IP has been tampered with; And
Receiving, by the sensing device, a suspicious warning message if the DNS IP is not included in either the whitelist or the blacklist;
/ RTI >
How DNS IP detects modulated routers.

6. The method of claim 5,
The terminal displaying the determination result;
≪ / RTI >
How DNS IP detects modulated routers.
6. The method of claim 5,
If the DNS IP is included in the blacklist,
Blocking the connection with the router by the terminal;
≪ / RTI >
How DNS IP detects modulated routers.
A DNS IP receiver for receiving a DNS IP from the terminal;
If the DNS IP is included in the whitelist, judges that the DNS IP is not modulated; if the DNS IP is included in the blacklist, it judges that the DNS IP is modulated; A modulation / non-conformance determining unit determining that the DNS IP is modifiable if any of the black lists is not included in the black list;
A white list storage unit for storing the white list;
A black list storage unit for storing the black list;
A message generating unit for generating a message according to a result of the determination by the modulation / deciding unit; And
A message transmission unit for transmitting the message to the terminal;
Lt; / RTI >
The message comprises:
The DNS IP is included in the whitelist, the message indicating that the DNS IP has not been tampered with,
A warning message indicating that the DNS IP is included in the blacklist and that the DNS IP has been tampered with and
Wherein the DNS IP is not included in either the whitelist or the blacklist,
/ RTI >
DNS A sensing device that detects IP routers that are modulated.


delete 9. The method of claim 8,
The whitelist storage unit updates and stores the whitelist based on data received from the DNS IP management unit managing the DNS IP,
Wherein the black list storage unit updates and stores the black list based on data received from the DNS IP management unit,
DNS A sensing device that detects IP routers that are modulated.
delete A connection unit for requesting connection to the router, and initiating connection;
A DNS IP extracting unit for extracting a DNS IP from DNS information received from the router;
A DNS IP transmitter for transmitting the DNS IP to a sensing device;
Wherein if the sensing device determines that the DNS IP is included in the whitelist and that the DNS IP is not modulated, the sensing device receives the message that the DNS IP is not modulated and the sensing device determines that the DNS IP is included in the blacklist And receiving a warning message indicating that the DNS IP has been tampered when it is determined that the DNS IP has been tampered with, and if the detecting device does not include the DNS IP in either the whitelist or the blacklist, Receiving a message; And
A message display unit displaying the message;
Lt; / RTI >
Terminal where the DNS IP detects the modulated router.

13. The method of claim 12,
When the DNS IP is included in the black list and the terminal receives the determination result that the DNS IP is a modulated DNS IP,
An access blocking unit for blocking connection with a currently connected router;
≪ / RTI >
Terminal where the DNS IP detects the modulated router.
A computer program for causing a computer to perform the following steps, the computer program being stored on a readable medium,
Wherein the step
Receiving a DNS IP (Domain Name System Internet Protocol) from a terminal connected to the router;
Wherein the DNS IP is whitelisted and blacklisted, wherein the whitelist includes an authorized DNS IP, the blacklist includes a modulated DNS IP, and determines whether the DNS IP is modulated ;
Generating a determination result according to whether the DNS IP is modulated; And
Transmitting the determination result to the terminal;
Lt; / RTI >
As a result of the determination,
As a result that the DNS IP is included in the whitelist,
The result that the DNS IP is included in the blacklist and
The result that the DNS IP is not included in either the white list or the black list
/ RTI >
The step of generating a determination result according to whether or not the DNS IP is modulated includes:
Generating a message that the DNS IP is included in the whitelist to notify the DNS IP that the DNS IP is unmodified, generating a warning message that the DNS IP is included in the blacklist and that the DNS IP has been tampered, And generating a suspicion warning message if it is not included in either the list or the blacklist. ≪ RTI ID = 0.0 >
Computer program.

Images