KR20130124885A - A apparatus and method of providing security to cloud data to prevent unauthorized access - Google Patents

Abstract

An electronic device and a security providing method thereof are provided. The security providing method of the electronic device comprises: checking a client environment for receiving a cloud service from a cloud; executing a cloud process by determining at least one between an address size and a range of a virtual memory to acquire the cloud service; determining and storing a state of the cloud process in response to a cloud process execution of the virtual memory; monitoring the cloud process for making the cloud service access the cloud; and protecting the cloud service from unauthenticated accesses as a result of the monitoring. Thereby, a user can protect cloud data from unauthenticated accesses. [Reference numerals] (305) Start;(310) Checking a client environment for receiving a cloud service;(315) Checking an address size and a range of a memory;(320) Storing a state of the cloud process in response to a cloud process execution of the memory;(325) Monitoring whether a cloud process can make an access to a cloud to transmit a cloud service to a client;(330) Protecting the cloud service from unauthenticated accesses;(335) End

Description

A APPARATUS AND METHOD OF PROVIDING SECURITY TO CLOUD DATA TO PREVENT UNAUTHORIZED ACCESS} To Provide Security to Cloud Data to Prevent Unauthorized Access

The present invention relates to the field of cloud computing, and more particularly to the field of cloud computing that can provide a security function while providing a cloud service.

Recently, cloud-based computing has been widely used and various services have been provided. Examples of such services include IPTV services, virtual web stores, media outlets, e-stores, internet shops, web shops, and other online sites. It is not limited. In the past, cloud-based architectures used resources hosted by cloud service providers. Examples of such resources include, but are not limited to, at least one processor, operating system, display device, at least one storage device, and the like. Resources are connected to each other to form a virtual machine.

The user requests a virtual machine from a cloud service provider to obtain a service. The user may also request a virtual machine to perform at least one intended task. The virtual machine is controlled by a central server in the cloud to provide resources for performing at least one intended task requested by the user. The cloud-based architecture also includes several virtual machines that can be scaled by request. In addition, the virtual machines included in the cloud-based architecture connect to users using an Internet Protocol (IP) network. However, data security to prevent unauthorized access, such as hacking data from the cloud, is an important issue.

The conventional method provides security at the central server side. This method provides a variety of approaches to providing security functions to prevent unauthorized access on the central server side. Such approaches may include network filter security, virtual machine security, operating system security, file security, file resource management security, endpoint security, virtual account security, process security, and application security. The central server can control one access or multiple accesses to provide security functions. However, this approach provides a security function if a service containing an application or data is delivered to a user's electronic device (eg, personal computer, TV, mobile phone, etc.). In other words, when delivering an application, the user provides the application to other clients, whether intended or unintentional. In particular, this method does not monitor unauthorized access when an application is delivered.

In addition, other security functions (eg, anti-virus, firewalls, etc.) can also provide data to unauthorized users. This security function may be applied to provide a security function when a user follows a security license provided by a cloud service provider to prevent unauthorized access.

For example, the first user may access a cloud application provided by a cloud service provider. However, the second user can access the cloud application at the same time by executing at least one process. In such a scenario, the second user can perform unauthorized access to the cloud application. In this case, the first user may not be aware of the unauthorized access performed by the second user. In other cases, the first user may intentionally share the cloud application with the second user. In both cases, however, the cloud service provider may lose money by losing revenue. In addition, unauthorized access can pose a threat to the cloud business.

Thus, there is a need for an efficient method and apparatus for monitoring and preventing unauthorized access of cloud services.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-described problem, and an object of the present invention is to provide an electronic device and method for providing security to cloud data to prevent unauthorized access.

According to one embodiment of the invention, a method for providing security to cloud data to prevent unauthorized access checks the environment of the client to provide cloud services obtained from the cloud. The method then includes determining at least one of an address size and an address range of the virtual memory, where the virtual memory is used by a client to execute a cloud process to obtain a cloud service. The method then includes storing the process state of the cloud process in response to the execution of the cloud process of the virtual memory, where the process state may be stored in a cloud client management system database associated with the client. In addition, the method includes monitoring the cloud process to ensure that the cloud process is guaranteed access to the cloud to deliver the cloud service to the client. The method then includes protecting the cloud service from unauthorized access.

According to one embodiment of the invention, an apparatus for providing security to cloud data to prevent unauthorized access includes a communication interface for performing communication. The device also includes a memory for storing instructions. In addition, the device checks the environment of the client to provide the cloud service, and determines at least one of an address size and an address range of the virtual memory, wherein the virtual memory is used by the client to execute the cloud process to obtain the cloud service. It is used to store the process state of the cloud process in response to the execution of the cloud process in virtual memory, monitor the cloud process to ensure that the cloud process's access is corrected to the cloud to deliver the cloud service to the client, and to gain unauthorized access. And responding to instructions for protecting the cloud service from.

On the other hand, according to an embodiment of the present invention for achieving the above object, a security providing method of an electronic device, comprising: checking the environment of the client to receive the cloud service from the cloud; Determining at least one of an address size and a range of a virtual memory to execute the cloud process to obtain the cloud service; Determining and storing a process state of the cloud process in response to executing the cloud process of the virtual memory; Monitoring the cloud process for the cloud process to access the cloud; And protecting the cloud service from unauthorized access as a result of the monitoring.

Determining a plurality of processes running in an environment of the client; Monitoring the plurality of processes for each of the plurality of processes to access the cloud to deliver the cloud service to the client; And blocking at least one process denied access to the cloud among the plurality of processes.

The method may further include storing system specific information and software specific information to monitor the plurality of cloud processes.

The method may further include updating the system specific information and the software specific information in real time.

The monitoring may include determining whether access of the cloud process is unauthorized access; And if determined to be unauthorized access, determining the type of unauthorized access, wherein the protecting comprises: blocking the unauthorized access; And reporting the information about the unauthorized access to the cloud.

And, the type of unauthenticated access may include access made by a user whose access has been breached for a period and a condition and by another user who is not allowed to be shared.

In addition, when the information on the unauthorized access is reported, the cloud service provider may further include updating a security function based on the information about the unauthorized access.

And stopping monitoring of the plurality of processes in real time; And resuming monitoring of the plurality of suspended processes in real time.

On the other hand, an electronic device according to an embodiment of the present invention for achieving the above object, the communication unit for performing communication with the external cloud; A storage unit; And verifying an environment of a client to receive a cloud service from the cloud, and determining at least one of an address size and a range of a virtual memory to obtain a cloud service, and executing a cloud process, wherein the cloud process of the virtual memory is executed. In response to the execution, the process state of the cloud process is determined and stored in the storage unit, the cloud process is monitored for the cloud process to access the cloud, and as a result of the monitoring, the cloud service is received from unauthorized access. It includes; a processor to protect.

The processor is further configured to determine a plurality of processes running in an environment of the client, and to monitor the plurality of processes for each of the plurality of processes to access the cloud to deliver the cloud service to the client. At least one process of accessing the cloud may be blocked among the plurality of processes.

The storage unit may store system specific information and software specific information for monitoring a plurality of cloud processes.

The processor may update the system specific information and the software specific information in real time.

Further, the processor determines whether the access of the cloud process is unauthorized access, and if the access of the cloud processor is determined to be unauthorized access, determines the type of unauthorized access, and the authentication And control the communication interface to block unauthorized access and report information about the unauthorized access to the cloud.

And, the type of unauthenticated access may include access made by a user whose access has been breached for a period and a condition and by another user who is not allowed to be shared.

In addition, when the information on the unauthorized access is reported, the cloud service provider may update the security function based on the information on the unauthorized access.

The processor may stop monitoring the plurality of processes in real time and resume monitoring the plurality of suspended processes in real time.

1 is a block diagram of a cloud environment, in accordance with an embodiment of the invention;
2 is a block diagram of an electronic device providing security to cloud data to prevent unauthorized access according to an embodiment of the present invention.
3 is a flow chart illustrating a method for providing security to cloud data to prevent unauthorized access in accordance with one embodiment of the present invention;
4A to 4B are flowcharts illustrating a method of delivering a cloud service to a user according to an embodiment of the present invention;
5A through 5D are flowcharts illustrating a method of monitoring a cloud process to ensure access of the cloud process to the cloud before providing the cloud service to a user, according to an embodiment of the present invention;
6A to 6B are flowcharts for explaining a method for providing security of cloud data according to an embodiment of the present invention, and
7A-7D are flow diagrams illustrating a method for monitoring and protecting cloud applications from unauthorized access, according to one embodiment of the invention.

Hereinafter, the present invention will be described in more detail with reference to the drawings. In particular, a specific embodiment for providing a method and apparatus for providing security to cloud data to prevent unauthorized access will be described.

1 is a block diagram of a cloud environment 100 according to an embodiment of the present invention. The cloud environment 100 includes various electronic devices such as digital TV 105a, computer 105b, mobile device 105c, PDA 105d, laptop 105e, and the like. The electronic devices may obtain various cloud services from the cloud 110.

Examples of cloud services may include IPTV services, various cloud applications, computing services, virtual web stores, media outlets, e-stores, internet shops, web shops, and other online sites provided by the cloud 110. It is not limited to this. A user of the electronic device may subscribe to a cloud service provider to obtain a cloud service. The user of the electronic device subscribed to the cloud service provider may be referred to as a client. The user may generate a request to obtain a cloud service. When a request is generated by the user, the cloud service provider starts the process in response to the request. Processing includes preparation of the virtual machine. During the preparation operation, the virtual machine is assigned to a user. At least one cloud process associated with the cloud service requested by the user is executed in the virtual machine to provide the cloud service to the user.

According to an embodiment, the electronic device may operate to provide a security function at a user side. The security function may be provided before providing the cloud service to the user. Security features can protect users from performing unauthorized access to the cloud. In addition, security features enable cloud service providers to monitor unauthorized access to the cloud by violation of users, terms and conditions associated with the cloud service. In addition, the security feature allows the cloud service provider to provide feedback to the user when the user violates a term or condition or the user performs unauthorized access to the cloud.

For example, a TV channel service provider provides a plurality of TV channels to a user. However, the TV channels provided may be limited. In addition, the TV channel service provider cannot provide foreign channels (eg, German channels, etc.) that the user wants to watch. In this case, the user can use the IPTV service to acquire a foreign channel together with the TV channel from the cloud. The cloud service provider makes it possible to provide an IPTV service from the cloud 110 provided to the user. The cloud service provider provides a license that defines the terms and conditions for accessing the IPTV service. In addition, a security function provided according to an embodiment of the present invention can prevent a user from violating a license. In addition, security features can prevent users from breaching security and also prevent hacking of IPTV services to share the cloud with other users in an unauthorized manner.

According to an embodiment of the present invention, the electronic device operates to check the user's environment. The environment is identified to determine the functionality of the cloud service. Judgments on functionality may include the determination of the status of the Cloud Service, the determination of the type of unauthorized access (e.g., access by other users directly to the Cloud Service), and the determination of the duration or condition violation by the user. For example, but is not limited thereto.

While checking the user's environment, the address size and address range of the memory (eg, virtual memory, flash memory, random access memory (RAM), etc.) are determined. For example, the memory may include a video random access memory (VRAM). Memory is used to execute various cloud processes to support cloud services. In addition, the state of the cloud service is determined and stored. For example, the number of cloud services in the activated state is determined. The state of the cloud services is stored in a database such as a cloud client management system database. Each user is then associated with a cloud client management system database. In addition, the database includes a list of processes running in the environment of the authenticated user for accessing the cloud 110. The database may be updated in real time to add the process to the list of processes authorized to access the cloud 110.

In addition, the electronic device may monitor the list of processes to prevent unauthorized access to the client. In an embodiment of the present invention, the list of processes authorized to access the cloud 110 may be used to identify violations of the terms and conditions provided for the cloud service (eg, other users dedicated to the cloud data). Can be monitored.

In an embodiment of the present invention, when an unauthorized access to the cloud 110 is attempted by a processor, the process included in the list of processes is blocked. In addition, processes that violate terms and conditions may not be able to access the cloud 110.

An electronic device including various configurations for protecting cloud data from unauthorized access will be described in detail with reference to FIG. 2.

2 is a block diagram of an electronic device providing security to cloud data to prevent unauthorized access according to an embodiment of the present invention. As shown in FIG. 2, the electronic device includes a bus 205, a processor 210, a memory 215, a ROM 220, a storage unit 225, a display 230, an input device 235, and a cursor control. 240, a communication interface 245.

The electronic device includes a bus 205 or other communication mechanism for transmitting and receiving information, and a process 210 coupled with the bus 205 for processing information. The electronic device includes a memory 215, such as a RAM or other dynamic storage device, coupled with the bus 205 to store information or instructions executed by the process 210. Memory 215 may be used to store temporary changes or other intermediate information while instructions are being executed by processor 210. The electronic device may also include a read only memory (ROM) or other static storage device coupled to the bus 205 for storing static information and instructions for the process. The storage unit 225 (e.g., magnetic disk or optical disk) is authorized to access the cloud 110 and stores a bus 205 for storing various information such as information related to various processors that drive the user's electronic devices. Is provided in connection with

The electronic device is connected to the display 230 (eg, cathode ray tube (CRT), Liquid Crystal Display (LCD), etc.) via the bus 205 to display the cloud content requested by the user. In order to send and receive information and command selections to the process 210, an input device 235 comprising numeric keys, text keys and other keys is coupled to the bus 205. A cursor controller 240, such as a mouse, trackball, or cursor movement key, is provided to send and receive direction information and selected commands to the process 210 and to control the movement of the cursor displayed on the display 230.

Various embodiments relate to the use of electronic devices to implement the techniques described below. In one embodiment, the technique is performed by the electronic device in response to the processor 210 executing instructions contained in the memory 215. Such instructions may be read into memory 215 from another machine-readable medium, such as storage unit 225. Execution of instructions contained in memory 215 operates process 210 to perform the process steps described below.

In one embodiment, the processor 210 includes at least one processing unit to perform at least one function of the processor 210. The processing unit may be implemented in hardware circuitry to perform a particular function or in a combination of software instructions.

The term " machine-removable media " as used below refers to a medium capable of providing data to a machine for performing a particular function. In embodiments implemented using an electronic device, various machine-readable media may provide instructions to the processor 210 that is executed. Machine-readable media may be implemented as volatile or nonvolatile wet media. Volatile storage media includes memory 215, such as dynamic memory and the like. The nonvolatile storage medium includes a storage unit 225, such as an optical disk or magnetic disk. All of these media are tangible to deliver instructions to media that can be sensed by physical mechanisms so that instructions can be read to a machine.

Common forms of machine-readable media include floppy disks, flexible disks, hard disks, magnetic tapes, or other magnetic media, CD-ROM, or other optical media. , Punchcards, paper tape, or other physical media having a pattern of holes, RAM, PROM, EPROM, FLASH-EPROM, other memory chips or cartridges, and the like. have.

In other embodiments, the machine-leadable media may be transmission media including optical axis cables, copper wire or fiber optic cables, etc., using wires comprising bus 205. The transmission media may be in the form of acoustic or light waves that may be generated during radio wave and infrared data communications. Examples of machine-ready media, such as carrier waves or other media that may be read by an electronic device, described below. It may include, but is not limited thereto. For example, the command may be first delivered by the magnetic disk of the remote computer. The remote computer can load commands from the dynamic memory and send commands over a telephone line using a modem. The modem connected to the electronic device uses an infrared communication unit to receive a command through a telephone line and convert data into an infrared signal. The infrared detector receives the data carried by the infrared signal, and appropriate circuitry can locate the data on the bus 205. The bus 205 delivers data to the memory 215 so that the processor 210 can execute instructions. The instructions received by the memory 215 may optionally be stored in the storage unit 225 before or after being executed by the processor 210. All of these media are tangible to deliver instructions to media that can be sensed by physical mechanisms so that instructions can be read to a machine.

The electronic device also includes a communication interface 245 connected to the bus 205. The communication interface 245 is connected to the cloud 110 to provide bidirectional data communication. For example, communication interface 245 may be a modem that provides a data communication connection to an integrated services digital network (ISDN) card or a corresponding type of telephone line. As another example, communication interface 245 may be a local area network (LAN) card capable of providing a data communication connection to a compatible LAN. In such implementations, communication interface 245 may transmit and receive electrical, electromagnetic or optical signals that transmit digital data streams representing various types of information.

The process 210 of the electronic device may operate to identify the environment of the client to provide cloud services from the cloud 110. Process 210 may operate to determine the address size and address range of the virtual memory. The virtual memory may be used to run a cloud processor for obtaining cloud services by the user. In addition, the processor 210 may operate to store the process state of the cloud process in response to the execution of the cloud processor of the virtual memory. In one embodiment, processor 210 may include a cloud client management system database for storing process state. In addition, the cloud client management system database included in the processor 210 may store a list of processes authorized to access the cloud 110. In addition, the processor 210 may monitor the cloud processor as to whether the cloud processor can access the cloud to deliver the cloud service to the client. In addition, the processor 210 may operate to protect the cloud service from unauthorized access.

In one embodiment, the processor 210 may be operable to determine the execution of various processes in a user's electronic transfer. In addition, the processor 210 may operate to monitor the processor as to whether each processor is accessible to the cloud 110. In addition, the processor 210 may block or block at least one processor for which access to the cloud 110 is denied. In addition, the processor 210 may stop or resume monitoring of the processor in real time.

In one embodiment, processor 210 may be part of a standalone operating system, a cloud operating system, or a browser (eg, Firefox, Internet Explorer, Chrome, etc.). The processor 210 that provides security for cloud data may be provided by a cloud service provider and delivered as a cloud service obtained from the cloud 110.

Hereinafter, a method of providing security of cloud data for preventing unauthorized access will be described with reference to FIG. 3.

3 is a flowchart illustrating a method for providing security of cloud data for preventing unauthorized access according to an embodiment of the present invention. The method begins at step 305. In step 310, the environment of the client is checked to provide a cloud service. Examples of cloud services include, but are not limited to, IPTV services, mail services, computation services, storage services, and the like. Examples of environments include, but are not limited to, browsers, cloud operating systems associated with users, and the like. In addition, the status of the cloud service is confirmed. The environment is identified to provide a secure function of cloud data while the user is accessing the cloud 110.

In step 315, an address size and an address range of a memory (eg, virtual memory, flash memory, RAM, etc.) are determined. The memory is used to execute cloud processes so that clients can acquire cloud services. As an example, the address range and address size of the VRAM are determined. In one embodiment, metadata supporting the cloud service may also be determined. Memory and metadata are used to identify the client to protect the cloud service from unauthorized access. In addition, the memory and metadata are used to verify that a user maliciously accesses the cloud service in an unauthenticated manner. Various mechanisms such as calling graph mechanism and access control mechanism can be used to identify malicious users.

In step 320, the process state of the cloud process is stored in response to the execution of the cloud process in the memory. In one embodiment, the cloud process may be active. Here, the activation state of the cloud process is determined and stored. In other embodiments, the cloud process may be inactive. The deactivation state of the cloud process is also determined and stored.

Process status is stored in a cloud client management system database associated with the client. Here, each user is associated with a corresponding cloud client management system database to store a corresponding process state. In one embodiment, the cloud client management system database stores a list of processes authorized to access the cloud 110 that drives the client's electronic device. When at least one process included in the process list invokes a cloud service, the at least one process is monitored to determine whether the processor is authorized to access the cloud 110. In addition, the process is monitored to determine whether the processor has violated the terms and conditions provided by the cloud service provider to access the cloud service.

In step 325, the cloud process is monitored whether the cloud process is accessible to the cloud to deliver the cloud service to the client. As an example, a client runs a remote sharing application to share cloud services with other users. In this case, the client violates the terms and conditions. Here, the cloud process is monitored to confirm activation of the remote shared application, and the remote shared application is blocked so that other users cannot access the cloud service. The cloud process is monitored in real time to prevent unauthorized access to the cloud 110. In addition, cloud processes are monitored to determine violations of terms and conditions.

In step 330, the cloud service is protected from unauthorized access by another user. Protection is performed by blocking at least one process that attempts to perform unauthorized access to the cloud 110. The cloud service is also protected by informing the cloud service provider of violations of terms and conditions by the client. In operation 330, the method may include providing feedback to a cloud service provider including various cloud services used by a client. Feedback also includes violations of terms and conditions by the client.

In one embodiment, the client is capable of at least one new process. In this case, before accessing the cloud 110, the new process is monitored to determine whether the new process is authorized to access the cloud. During monitoring, any of the new processes that block access to the cloud are blocked.

In one embodiment, system specific information and soft specific information associated with a client are stored. System specific information and software specific information are used to monitor various processes and to prevent at least one process from performing unauthorized access to the cloud 110. System specific information and software specific information are also stored in the cloud client management system database. System-specific information and software-specific information are updated in real time before being stored in the cloud client management system database. In addition, at least one modification to the system specific information and the software specific information is updated in real time and stored in the cloud client management system database.

In one embodiment, monitoring of cloud processes is stopped and resumed in real time. In addition, the method described above defines the level of security functions in accordance with the requirements specified in the client. The level of security function may be defined by a license or the like provided to the client.

In one embodiment, if an unauthorized entry into the address space is confirmed, it is reported by the cloud service provider to prevent unauthorized access to the cloud 110.

In one embodiment, the method determines whether the VRAM driver associated with the cloud process follows defined security functions prior to accessing the cloud 110. The method ends at 335.

4A to 4B are flowcharts illustrating a method for delivering cloud services to a user according to an embodiment of the present invention. The method begins at step 405.

In step 410, a request for a cloud service is received from a user. Examples of cloud services include, but are not limited to, IPTV services, mail services, computing services, storage services, and the like. The request may be performed by the user's electronic device.

At 415, the request is parsed to obtain system specific information. The request is also analyzed to obtain software specific information. Various parsing techniques are used to parse the request. System specific information and software specific information are used to determine various processes authorized to access the cloud 110. In addition, system specific information and software specific information are used to determine the process that needs to be blocked for accessing the cloud 110.

In step 420, the mode of the service included in the request is checked. Examples of the mode of the service include, but are not limited to, a cloud IPTV service, a data manipulation service, a main service, a calculation service, and the like. The mode of service is determined to process the request.

In step 425, the virtual machine is prepared based on the mode of the service identified in step 420. The virtual machine is used to execute at least one process to deliver cloud services to the user.

In step 430, a license is prepared for monitoring the cloud service. The license includes terms and conditions for a list of processes that are authorized to access the cloud 110. The license prevents unauthorized access to at least one process that is preventing access to the cloud 110.

In step 435, it is determined whether a new license is required. If it is determined that a new license is needed, the method continues to step 440. However, if it is determined that no new license is required, the method continues to step 450. A new license is required if you run a new process.

In step 440, a new license is prepared for monitoring the cloud service. The new process is monitored to determine whether the new process is authorized to access the cloud 110. The new license is prepared based on the access of a new process to the cloud 110.

In step 445, a new license is sent to the user. As an example, if a new process is authorized to access the cloud 110, the new license is updated so that the new license can be added to the list of authorized processes to access the cloud 110.

In step 450, the system specific information is updated. The system specific information is updated to determine a list of processes authorized to access the cloud 110 and a list of processes for which access to the cloud 110 is prevented.

In step 445, the cloud service is delivered to the user. The method then ends at step 460.

5A through 5D are flowcharts illustrating a method of monitoring a cloud process to ensure accessibility of the cloud process to the cloud before delivering the cloud service to the user according to an embodiment of the present invention.

The method begins at step 502. In step 504, a request for a cloud service is received from a user. For example, the request may include an IPTV service.

In step 506, the security function may be configured to monitor the cloud service. The configuration includes determining address sizes and address ranges of memory (eg, virtual memory, flash memory, RAM) used to execute cloud processes for delivering cloud services to users. The configuration also includes determining a process state of the cloud process in response to the cloud process execution of the virtual memory.

In step 508, system specific information and software specific information are collected. Examples of system-specific information and software-specific information include various processes running on a user's electronic device, address ranges associated with each of the various processes, maps, VRAM driver details, user-specific information, and at least one user first process, and the like. It may be, but is not limited thereto. System specific information and software specific information are used to monitor various processes and to prevent at least one process from performing unauthorized access to the cloud 110. System specific information and software specific information include a list of processes associated with a user authorized to access the cloud 110. Further, in step 508, system specific information and software information are stored.

In step 510, various processes for which monitoring is required are identified. Various processes may be running on the user's electronic device. Various processes that require monitoring are stored in storage.

At 514, various processes are monitored. The monitoring includes confirming whether the various processes are authorized to access the cloud 110. Monitoring includes identifying at least one process that is preventing access to the cloud 110. Monitoring may be performed by comparing the list of process identifiers authorized to access the cloud 110 with process identifiers associated with each of the various processes.

In step 516, it is determined whether unauthorized access to the storage device has been performed. If so, the method continues to step 518. Otherwise, the method continues to step 520.

In step 518, information related to the various processes is extracted. The information is used to determine whether various processes are allowed to access the cloud 110.

In step 520, it is determined whether unauthorized access has been performed to the cloud application providing the cloud service. If so, the method continues to step 522. Otherwise, the method continues to step 544.

In step 522, the type of unauthorized access is determined. An example of the type of unauthenticated access may include, but is not limited to, access in which a term and condition are violated by a user, unauthorized access made by another user such as a hacker, and the like.

In step 524, it is determined whether the cloud content is shared by the user. The cloud content includes a cloud service such as an image included in cloud TV. If the cloud content is determined to be shared, the method continues to step 526. Otherwise, the method continues to step 534.

In step 526, it is determined whether a user's license is allowed to share cloud content with other users. Licenses are provided by cloud service providers. If it is determined that the user is allowed to share with other users, the method proceeds to step 532. Otherwise, the method continues to step 528.

In step 528, the cloud content is blocked to prevent sharing. Cloud content is blocked because your license prevents you from sharing cloud content with other users. In addition, blocks of cloud content ensure the user from violating licenses.

In step 530, feedback is sent to the user. The feedback informs the user about the violation of the license. The feedback also informs the user about discontinuing sharing of cloud content.

At 532, the cloud content is dedicated to be shared. Sharing of cloud content is possible because the user's license allows sharing. The license may define the number of users allowed to access the cloud client to prevent unauthorized unauthorized access.

In step 534, it is determined whether access is performed that is not authenticated by another user, such as a hacker. If so, the method continues to step 536. Otherwise, the method continues to step 540.

In step 536, the cloud content is blocked to prevent unauthorized access. At least one algorithm is used to allow cloud content to be blocked from unauthorized access.

In step 538, the user is notified about unauthorized access performed by another user. The notification is performed to allow the user to recognize unauthorized access. The notification also allows the user to take precautions to prevent unauthorized access.

In step 540, the cloud service provider is updated for unauthorized access performed by another user.

In step 542, the security function is updated to prevent unauthorized access. Security features are updated by the cloud service provider.

In step 544, the cloud service is delivered to the user. The method ends at 546.

6A and 6B are flowcharts illustrating a method for providing security of cloud data according to an embodiment of the present invention. The method begins at step 605.

In step 610, the user's cloud service is activated on the user side. Activation includes preparing the terms and conditions by the cloud service provider to access the cloud 110.

In step 615, a security function for the VRAM associated with the cloud service is provided. For example, the security function for the VRAM is performed by checking the process ID of the VRAM. If the process ID of the VRAM is included in the list of processes authorized to access the cloud 110, the cloud service may be accessed by the user.

In step 620, backtrace security is enabled. Backtrace security allows users to collect a comprehensive and diverse collection of security-related tools, such as port scanners and password hackers.

In step 625, the address space associated with the user's cloud service is protected. The address space is used to execute a process for providing cloud services to the user. Protection is provided by monitoring unauthorized access to the cloud 110. In addition, protection is provided by ensuring that users do not violate the terms and conditions provided by the cloud service provider to access the cloud.

In step 630, a request for a cloud service is received from a user. The user may transmit a request using an accessible electronic device of the cloud 110.

In step 635, it is determined whether unauthorized access to the cloud 110 has been performed by the user. Examples of unauthorized access include, but are not limited to, sharing user of the cloud service with other users, remote user hacking contents included in the cloud service, unauthorized content included in the VRAM, and the like. It doesn't happen. Unauthenticated access is determined by identifying a process identifier (ID) associated with various processes authorized to access the cloud 110. If unauthorized access was performed by the user, the method continues to step 640. Otherwise, the method continues to step 650.

In step 640, the type of unauthorized access is determined. An example of unauthorized access may include, but is not limited to, unauthorized access performed by another user such as a violation of a period and a condition by a user, a hacker, and the like.

In step 645, action is taken against unauthorized access. Examples of actions may include, but are not limited to, blocking cloud processes that violate terms and conditions, and informing a user about unauthorized access performed by another user. The action includes storing a cloud process that performs unauthorized access to prevent further recurring analysis. The method ends at 650.

7A-7D are flowcharts illustrating a method for monitoring and protecting cloud applications from unauthorized access, according to one embodiment of the invention. The method begins at step 702.

In step 704, the request to provide the cloud service is approved to the user. The request may be authorized for the user to subscribe to the cloud service provider to access the cloud 110. Cloud applications run to deliver cloud services to users.

In step 706, the VRAM driver is updated to support the security function. The VRAM driver enables access to VRAM that stores cloud content for providing cloud services.

At 708, system specific information, software specific information and metadata associated with the user are sent to the VRAM driver. In addition, a process ID associated with each of the at least one process is also sent to the VRAM driver. At least one processor may be running on the user's electronic device.

At 710, at least one processor is identified to determine the acceptability of at least one process as to whether VRAM is accessible. The VRAM driver generates a list of at least one process that is required to run to deliver the cloud service to the user. The acceptance of at least one process as to whether VRAM can be accessed is determined by comparing the process ID of each process with the list of process IDs authorized to access the cloud 110. The list of process IDs authorized to access the cloud 110 may be stored in a database associated with the user.

In step 712, a status associated with a cloud application for delivering cloud services to a user is checked.

In step 714, it is determined whether a state associated with the cloud application is activated. If activated, the method continues to step 716. Otherwise, the method continues to step 726.

In step 716, it is determined whether a window associated with the cloud application is hidden on the user's electronic device. If the window is hidden, the method continues to step 718. Otherwise, the method continues to step 722.

In operation 718, it is determined whether unauthorized access is performed to the cloud application. If unauthorized access was performed, the method continues to 720. Otherwise, the method continues to step 742. At least one process running on the user's electronic device may perform unauthorized access to the cloud application. Unauthenticated access can include invoking a read function on the VRAM by at least one process running on the user's electronic device. Unauthenticated access can also include invoking a write function on the VRAM by at least one process running on the user's electronic device.

In operation 720, a process of performing unauthorized access to a cloud application is confirmed. In addition, at 720, the process is blocked from accessing the cloud application.

At 722, the cloud service is delivered to the user, and the method ends at 724.

In step 726, it is determined whether at least one cloud service is available. The determination is performed when the state associated with the cloud application is inactive or the window associated with the cloud application is not hidden on the user's electronic device. If at least one cloud service is available, the method continues to step 728. Otherwise, the method continues to step 740. Examples of at least one cloud service may include, but are not limited to, a mail service and a calculation service.

In step 728, it is determined whether the state associated with the cloud application is activated. If the state associated with the cloud application is active, the method returns to step 718; otherwise, to step 730.

At 730, the cloud service is delivered to the user, and the method ends at 740.

In operation 742, it is determined whether at least one process running on the user's electronic device is allowed to access the cloud application. If at least one process is allowed to access the cloud application, the method continues to step 744. Otherwise, the method continues to step 748. Determining whether at least one process running on the user's electronic device is allowed to access the cloud application is performed if no unauthorized access is found to the cloud application.

At 744, at least one processor is allowed to access the cloud service.

At 746, the cloud service is delivered to the user and the method ends at 750.

In step 748, the at least one process is blocked from accessing the cloud service because at least one process is not allowed to access the cloud application, and the method ends at 750.

According to various embodiments of the present invention as described above, it is possible to protect the cloud data on the client side. In addition, by providing a security function on the client side, cloud content can be protected from unauthorized access prior to providing cloud services to users. At this time, the client, the cloud service provider, and the third participant are guaranteed secure access to the cloud content. In addition, it is possible to prevent sharing of cloud data with other users in a manner not authenticated by the above-described method. In addition, the method described above enables the cloud service provider to protect content replication of the third participant.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is clearly understood that the same is by way of illustration and example only and is not to be construed as limiting the scope of the invention as defined by the appended claims. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

110: cloud 105: electronic device
205: bus 210: processor
215: memory 220: ROM
225: storage unit 230: display
235: input device 240: cursor controller
245: communication interface

Claims (16)

In the method for providing security of an electronic device,
Confirming an environment of a client to receive a cloud service from a cloud;
Determining at least one of an address size and a range of a virtual memory to execute the cloud process to obtain the cloud service;
Determining and storing a process state of the cloud process in response to executing the cloud process of the virtual memory;
Monitoring the cloud process for the cloud process to access the cloud; And
As a result of the monitoring, protecting the cloud service from unauthorized access. The method of claim 1,
Determining a plurality of processes running in an environment of the client;
Monitoring the plurality of processes for each of the plurality of processes to access the cloud to deliver the cloud service to the client; And
Blocking at least one process of the plurality of processes that is denied access to the cloud. The method of claim 1,
Storing system-specific information and software-specific information to monitor the plurality of cloud processes. The method of claim 3,
Updating the system specific information and the software specific information in real time. The method of claim 1,
Wherein the monitoring comprises:
Determining whether access of the cloud process is unauthorized access; And
Determining the type of unauthorized access, if it is determined that the user is not authenticated;
The protecting step,
Blocking the unauthorized access; And
Reporting the information about the unauthorized access to the cloud. The method of claim 5,
The type of unauthorized access is
A method of providing security, comprising access by a user in violation of terms and conditions, and access by other users who are not allowed to be shared. The method of claim 5,
If the information on the unauthorized access is reported, a cloud service provider updating a security function based on the information on the unauthorized access. The method of claim 1,
Stopping monitoring of the plurality of processes in real time; And
Resuming monitoring of the plurality of suspended processes in real time. In an electronic device,
Communication unit for performing communication with the external cloud;
A storage unit; And
In order to receive a cloud service from the cloud, a client environment is checked, and a cloud process is executed by determining at least one of an address size and a range of a virtual memory to obtain the cloud service, and the cloud process is executed. In response to determine the process status of the cloud process and store in the storage unit, monitor the cloud process for the cloud process to access the cloud, and as a result of the monitoring, protect the cloud service from unauthorized access And a processor. 10. The method of claim 9,
The processor
Determine a plurality of processes running in an environment of the client, monitor each of the plurality of processes to access the cloud to deliver the cloud service to the client, and among the plurality of processes And block at least one process denied access to the cloud. 10. The method of claim 9,
Wherein,
And store the system specific information and the software specific information for monitoring the plurality of cloud processes. 12. The method of claim 11,
The processor comprising:
And update the system peculiar information and the software peculiar information in real time. 10. The method of claim 9,
The processor comprising:
Determine whether the access of the cloud process is unauthorized access, and if the access of the cloud processor is determined to be unauthorized access, determine the type of unauthorized access,
Block the unauthorized access and control the communication interface to report information about the unauthorized access to the cloud. The method of claim 13,
The type of unauthorized access is
An access made by another user who is not allowed to be shared and whose access has been breached for a period and condition by the user. The method of claim 13,
And when the information on the unauthorized access is reported, the cloud service provider updates a security function based on the information on the unauthorized access. 10. The method of claim 9,
The processor comprising:
Stop monitoring the plurality of processes in real time and resume monitoring the plurality of suspended processes in real time.

Images