L2 INTRUSION PREVENTION SYSTEM AND METHOD CAPABLE OF BLOCKING L2 PACKET

摘要

Disclosed are an intrusion prevention system capable of blocking an L2 packet and a method thereof, wherein the system comprises: a packet input module receiving a packet; a packet checking module checking whether the packet received in the packet input module is an L2 packet; and an L2 packet filtering module which parses the L2 packet checked by the packet checking module, and blocks or passes the L2 packet corresponding to the parsing result. Therefore, the intrusion prevention system capable of blocking an L2 packet and the method thereof are configured to detect intrusion with respect to the L2 packet which is mainly used under the environment of an industry control system by using a whitelist composed of a MAC address of devices of the industry control system, thereby enabling detection and prevention of the intrusion of the L2 packet, which were not possible according to known technology. Furthermore, the present invention is configured to detect intrusion based on a payload of the packet, and to perform machine learning based on the payload of a non-standard protocol packet which is mainly used under the environment of the industry control system, to automatically generate the whitelist in real time. Therefore, the present invention can detect an unannounced abnormal operation and determine the abnormality thereof in real time.