CN112187699B - Method and system for sensing file theft - Google Patents


Info

Publication number
CN112187699B
Authority
CN
China
Prior art keywords
folder
file
desktop
server
sensing
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910587125.1A
Other languages
Chinese (zh)
Other versions
CN112187699A (en
Inventor
刘潮歌
尹捷
崔翔
冯云
刘奇旭
王晓茜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201910587125.1A
Publication of CN112187699A
Application granted
Publication of CN112187699B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance

Abstract

The invention discloses a method and a system for sensing file theft. The method comprises the following steps: 1) placing a folder configuration file, desktop.ini, in each peer or superior folder that stores the designated sensitive data files; 2) writing into each configuration file a network location from which to obtain the folder icon of the folder in which that configuration file is located, the network location being described in Windows UNC format; 3) making each folder into a file package; 4) deploying a name server on the public network as a sensing server; 5) when the file package is accessed on a host, the configuration file causes a domain name resolution request to be sent to the sensing server; 6) from the request, the sensing server obtains the IP address of the host that initiated the access, the user name logged in to the system, and the folder number identification; 7) the sensing server judges whether a theft or leak event has occurred according to the extracted information and a preset access rule.

Description

Method and system for sensing file theft
Technical Field
The invention relates to the field of computer network security, in particular to an anomaly sensing and tracking system, and more particularly to a method and a system for sensing and tracking file theft.
Background
With the advent of the big data era, data leakage incidents occur one after another, and their scale and scope are expanding rapidly. Data leakage exposes enterprises to property loss and reputational risk, and it also poses a serious challenge to the protection of personal privacy.
Government agencies and enterprises face a serious risk of data and file theft: in the last half of 2017 alone, 1.9 billion records were leaked or stolen around the world. Deploying security products such as firewalls, intrusion detection, antivirus, information encryption and vulnerability scanning can reduce the risk of theft to some extent, but these measures are not very effective against Advanced Persistent Threats (APT). In addition, some existing technical means cannot withstand theft and leakage from inside the organization. Because internal authorized users are familiar with the system's permission settings and business processes, they can steal information directly through legitimate operations, using their own permissions and known system vulnerabilities. Verizon's 2018 data breach investigation report shows that 25% of the year's attacks were caused by insiders, mainly in pursuit of money or intelligence, or through negligence or misoperation.
Most existing defenses against data leakage build a protection mechanism around the needs of one particular stage of the data life cycle, which comprises data creation, storage, use, sharing, archiving and destruction. Once a problem occurs at any one stage, the whole leakage protection fails. In addition, the protection strategy for the period after data has been stolen is often overlooked. Sensing and tracking after a data loss or leakage event should, however, be the last line of defense in data protection: if the event is sensed in time and tracked effectively, the loss caused by the leak can be reduced and the thief can be traced.
The current mainstream network tracing technique adds marker data (such as a digital watermark) to a message or data packet and then detects and follows that marker to trace attacks and intrusions. This clearly increases the overhead on routers or other tracing equipment and the traffic on the network, and it is costly to implement and operate. A content monitoring strategy is adopted instead, adding a layer of security directly to the data, so that the data can be sensed and tracked in time even after an attacker has stolen it. This gives a good defensive effect against data leakage caused by increasingly sophisticated APTs and by active theft by insiders.
Disclosure of Invention
In view of these problems, the invention adopts a strategy of active marking and tracking, with the aim of sensing in time whether a file has been stolen, including by unknown theft threats. The implementation of the method and the deployment of the system are independent of the attacker's attack method; the method is suitable for data protection across multiple operating systems such as Windows, Linux and macOS, and can effectively sense and track data theft events.
To achieve this purpose, the invention adopts the following technical scheme:
An anomaly sensing method comprising the following steps:
1) Additionally place a folder configuration file (a desktop.ini file) in the peer folder or superior folder that stores the sensitive data files, and set the system and hidden attributes on the desktop.ini file.
2) Write into each desktop.ini file the network location of the folder icon, identified by a network path in Windows UNC (Universal Naming Convention) format. Every Windows folder has an icon, which is essentially a picture, and the location from which that picture is obtained can be specified by a desktop.ini file. The specified location may be a location on a network; UNC is the format used to describe such a network location.
The domain name and sub-domain names that make up the UNC path include, but are not limited to, the following: a system command used to obtain the logged-in system user name, and a number identification (ID) in one-to-one correspondence with the folder in which the file is located. The system command is a variable in the UNC path; after the command is executed, its result replaces the command and, together with the other content, forms the addressable UNC path.
3) Make each folder as a whole into a file package. The package retains the original directory hierarchy and the files at every level; the directory structure and file contents may be compressed losslessly, and both can be restored to disk by an unpacking operation. A typical approach is to make each folder into a compressed package file in a format such as RAR or ZIP.
4) Deploy a name server on the public network as the sensing server; it must be able to resolve all the domain names and sub-domain names involved in the UNC paths.
5) When a file package has been stolen or leaked, if it is unpacked on a Windows host and the unpacked directory is accessed, the desktop.ini folder function in the package is triggered, so that a domain name resolution request is sent to the sensing server to resolve the domain name in the file's UNC path. Unpacking the file package produces a directory that contains a desktop.ini file. 1. The command in the UNC path written in the desktop.ini file is executed to obtain the current login user name and form the actually addressable UNC path; 2. a domain name resolution request is sent to the sensing server to resolve the domain name in the UNC path.
6) The sensing server receives the domain name resolution request, from which it can obtain the IP address of the host that initiated the access, and it further extracts information such as the logged-in system user name and the folder number identification from the domain name and sub-domain names.
7) Compare the information extracted in step 6), such as the IP address, user name, folder number and timestamp (the timestamp of the resolution request and the time recorded after the sensing server receives the resolution request), with the preset access rules. If the information was not produced by compliant access behavior, a leak event has occurred, and the sensing server sends an access warning to the system administrator and the user.
An anomaly sensing system comprising:
- a perception file generation module
- a database module
- a request processing module
- an analysis control module
- an exception notification module
1. Perception file generation module. It is installed on the protected hosts and servers, and its core function is to generate, under a specific folder, a desktop.ini configuration file containing a UNC-format address. desktop.ini is a file automatically recognized by the system and used to store a user's personal settings for a folder (such as the folder icon); the hidden and system attributes are set on it. The core of the desktop.ini file is a specially constructed UNC path. The domain name in the path contains the user name currently logged in on the host, obtained dynamically through Windows system variables; the domain name in the path also contains a string ID that uniquely identifies the folder to which it belongs. The module also makes the protected folder, together with all directory structures and files beneath it, into a file package. Once the generated file package is stolen and unpacked, and the unpacked folder is accessed on another Windows host, the code in desktop.ini can be run by the system. When requesting the resource, the host first initiates domain name resolution, and the IP of the accessing host, together with the login user name and ID described above, is thereby sent to the sensing server.
When the desktop.ini file is generated, the module also sends the marking information (the IP of the host to which the folder belongs, the user name, the generated ID, the folder name and so on) to the database module for storage. This information serves as a whitelist rule indicating that access to the folder from that host is legitimate and access from other hosts is illegitimate.
2. Database module. Installed on the sensing server, it records the marking information returned by the perception file generation module, including the folder ID, the IP of the host to which it belongs, the name and so on. It also records information such as the DNS request source IP and the time when a protected folder is triggered. In addition, it provides a statistical query and configuration interface to the analysis control module, automatically generating and returning the relevant query results according to the query conditions.
3. Request processing module. Installed on the sensing server. When a protected folder is accessed, the desktop.ini file is triggered to send a domain name resolution request (that is, a request to resolve the domain name of the UNC path constructed above) to the sensing server. The request processing module responds to the domain name resolution request and at the same time parses it to obtain information such as the request source IP, time, ID and login user name.
4. Analysis control module. Installed on the sensing server, it receives the information obtained by the request processing module and queries and matches it against the preset access rules stored in the database. If the information is inconsistent with the preset access rules, the access is regarded as abnormal and an anomaly warning is sent to the exception notification module. The access rules can be set as: 1) the IP address and user name of the request differ from the recorded whitelist; 2) the time of the request is not within a specified time period; 3) the folder is triggered several times in succession within a period of time.
5. Exception notification module. Installed on the sensing server, it sends the anomaly information passed on by the analysis control module to the specified users by SMS notification, e-mail notification and the like. The anomaly information includes the source IP of the domain name resolution request, the time, the user name, the detailed folder location and so on.
Compared with existing anomaly sensing and tracking systems, the invention has the following advantages:
1. Anomaly sensing does not depend on the attack type or on rule matching. Whenever an attacker steals and accesses a protected folder, the analysis control module monitors it in real time, automatically judges whether the activity is abnormal according to the anomaly sensing rules, and automatically issues a real-time warning notification if it is. The false alarm rate of the system is zero.
2. The method is decoupled from the data life cycle; it adds a final lock to data protection and can sense theft in time and track it effectively.
3. Compared with existing anomaly detection and tracking systems, the system is convenient and efficient to deploy: only a domain name resolution server needs to be deployed, with no additional hardware such as routers, firewalls or IPS (intrusion detection system), which saves cost and improves the efficiency of anomaly sensing.
4. The method also supports the mainstream WinZIP and WinRAR compressed file formats: the desktop.ini files inside a compressed folder remain valid, and the anomaly is still triggered once the compressed folder is opened.
The invention aims to protect the hosts and data in a designated network and to sense and track file theft. Its beneficial effects are as follows: by adopting a content monitoring strategy, an alarm is triggered whenever an attacker browses a protected folder from a different location, so file theft can be sensed and tracked efficiently and at low cost, adding a last line of defense for the security of the target network's hosts and data.
Drawings
FIG. 1 is a schematic diagram of the overall system configuration according to an embodiment of the present invention
Fig. 2 is a schematic diagram of a system module according to an embodiment of the present invention.
Fig. 3 is a flow chart of set-up and summary in an embodiment of the invention.
Fig. 4 is a schematic diagram of a perception file generation module according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of the workflow of each module of the awareness server according to an embodiment of the present invention.
FIG. 6 is a flow chart illustrating the process of sensing and tracking a hacking attack in accordance with an embodiment of the present invention.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the objects, features, and advantages of the present invention more comprehensible, the technical core of the present invention is described in further detail below with reference to the accompanying drawings and examples.
In the invention, a strategy of active marking and tracking is adopted, a set of sensing and tracking system aiming at file theft is designed, and the existing problems can be effectively solved.
Fig. 1 is a schematic diagram of the file theft sensing and tracking system. Physically it comprises two parts: a number of perception file generation clients embedded in the target host systems, and a master anomaly sensing and tracking server that exercises overall control.
Fig. 2 is a schematic diagram of the module structure of the file theft sensing and tracking system. The system comprises a perception file generation module, a database module, a request processing module, an analysis control module and an exception notification module.
As shown in Fig. 3, the flow for setting up and operating the file theft sensing and tracking system as a whole includes:
step 100, a perception file generation module is deployed, a perception file generation client is installed locally, a desktop. As shown in particular in fig. 4.
Step 200: deploy all modules of the sensing server, receive the marking information of the protected folders generated by the perception file generation module, and store it in the database. At the same time, deploy the request processing module and the analysis control module, and configure the conditions for determining an anomaly, the anomaly notification information and the anomaly notification address book, as shown in Fig. 5.
Step 300: anomaly sensing and tracking. The sensing server receives the request information triggered by a protected folder, matches and associates it with the information stored in the database, determines whether the situation is abnormal according to the system configuration, automatically discovers and locates the anomaly, and notifies the specified users of it, as shown in Fig. 6.
As shown in Fig. 4, the perception file generation module has two functions: ID generation and construction of the special UNC address. Specifically:
Step 110: the perception file generation module generates a unique string as the ID, based on some rule or on a random number. Each protected folder has a unique ID corresponding to it.
Step 120: construct a UNC address that requests a folder icon resource from the sensing server. For example, if the domain of the hosting server is my123.com and the locally generated unique string is 7342dbebfc236b8d, the UNC address can be constructed as \\%USERNAME%.%USERDOMAIN%.7342dbebfc236b8d.my123.com\myresource.dll. Here %USERNAME% is a Windows system variable holding the current login user name, %USERDOMAIN% is a Windows system variable holding the user account name, and myresource. The code in the final desktop.ini is, for example:
[.ShellClassInfo]
IconResource=\\%USERNAME%.%USERDOMAIN%.zxcvbnm.123.com\myresource.dll
The desktop.ini file is placed in the protected folder and given the hidden file attribute. Protected folders may also be compressed into WinZIP and WinRAR files.
Step 130: generate the file package. The protected folder, together with all directory structures and files beneath it, is made into a file package and stored on disk. A typical approach is to use software to pack the folder into a compressed package file in a format such as RAR or ZIP.
As shown in Fig. 5, the workflow of the modules of the sensing server includes:
Step 210: request processing module. The module receives and processes the request sent after a folder is triggered. By parsing the request it can obtain information such as the IP of the device on which the triggered protected folder is located, the user name, the time and the ID, and it passes this information to the analysis control module for data query, association and anomaly analysis.
Step 220: database module. It stores the ID of each protected folder, the IP of the host, the user name, the trigger warning prompt information and so on. In addition, the database module provides a query interface that the background analysis control module uses for anomaly judgment and anomaly alarms.
Step 230: the analysis control module receives the host-related information of the protected folder passed on by the request processing module and sends the data to the database for storage. At the same time it reads the database and compares the ID with the rules stored there. It compares the original host IP recorded when the protected folder was generated with the host IP of the request, and judges according to the configured anomaly conditions whether the request should raise an anomaly warning. If there is an anomaly, the abnormal host information, the warning information, the mailbox or SMS address and so on are sent to the exception notification module for real-time anomaly notification.
Step 240: the exception notification module delivers the anomaly notification information passed on by the analysis control module in real time, by SMS, e-mail and the like.
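The request processing and analysis control steps above (steps 210 to 230, with the three access rules listed earlier for the analysis control module) can be sketched as follows. This is an added example, not code from the patent: it assumes the query-name layout of the step 120 example (user name, user domain, folder ID, then the zone my123.com), and the class and function names, time window, burst threshold and sample whitelist entry are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional

ZONE = "my123.com"  # zone served by the sensing server (the page's example domain)

# Reason strings returned by the analysis step (hypothetical names).
R_WHITELIST = "source IP or user name differs from the whitelist"
R_TIME = "request outside the permitted time period"
R_BURST = "triggered repeatedly within the burst window"
R_UNKNOWN = "folder ID not registered"  # extra check, not one of the page's three rules


@dataclass(frozen=True)
class Trigger:
    username: str
    userdomain: str
    folder_id: str


@dataclass
class FolderRule:
    """Whitelist entry stored when the desktop.ini file was generated."""
    folder_name: str
    host_ip: str
    username: str
    allowed_from: time = time(8, 0)   # assumed permitted window
    allowed_to: time = time(20, 0)


def parse_qname(qname: str, zone: str = ZONE) -> Optional[Trigger]:
    """Split <username>.<userdomain>.<folder-id>.<zone> into its fields.

    DNS names are case-insensitive and resolvers may randomise case, so the
    name is lower-cased. Labels are read from the right, so a user name that
    itself contains dots ("j.smith") does not shift the folder ID.
    """
    name = qname.rstrip(".").lower()
    suffix = "." + zone.lower()
    if not name.endswith(suffix):
        return None                       # not a name in our zone
    labels = name[: -len(suffix)].split(".")
    if len(labels) < 3 or not all(labels):
        return None                       # a field is missing or empty
    *user, userdomain, folder_id = labels
    return Trigger(".".join(user), userdomain, folder_id)


class AnalysisControl:
    def __init__(self, rules: Dict[str, FolderRule], burst_limit: int = 3,
                 burst_window: timedelta = timedelta(minutes=10)):
        self.rules = rules
        self.burst_limit = burst_limit
        self.burst_window = burst_window
        self.history: Dict[str, List[datetime]] = {}  # folder ID -> trigger times

    def evaluate(self, qname: str, src_ip: str, when: datetime) -> List[str]:
        """Return the list of violated rules; an empty list means compliant.

        src_ip is the address the name server saw for the query. Behind a
        recursive resolver that is the resolver's address, not the
        workstation's, so whitelist entries must be recorded accordingly.
        """
        trig = parse_qname(qname)
        if trig is None:
            return []                     # unrelated query, nothing to judge
        rule = self.rules.get(trig.folder_id)
        if rule is None:
            return [R_UNKNOWN]
        reasons = []
        # Rule 1: either field differing from the record counts (assumption).
        if src_ip != rule.host_ip or trig.username != rule.username.lower():
            reasons.append(R_WHITELIST)
        # Rule 2: request time outside the specified period.
        if not (rule.allowed_from <= when.time() <= rule.allowed_to):
            reasons.append(R_TIME)
        # Rule 3: several triggers in succession within a period of time.
        recent = [t for t in self.history.get(trig.folder_id, [])
                  if when - t <= self.burst_window]
        recent.append(when)
        self.history[trig.folder_id] = recent
        if len(recent) >= self.burst_limit:
            reasons.append(R_BURST)
        return reasons


# Constructed sample whitelist entry (not from the patent).
SAMPLE_RULES = {"7342dbebfc236b8d": FolderRule("contracts", "10.0.0.5", "alice")}

if __name__ == "__main__":
    ac = AnalysisControl(SAMPLE_RULES)
    print(ac.evaluate("bob.LAPTOP7.7342dbebfc236b8d.my123.com.",
                      "203.0.113.7", datetime(2019, 7, 1, 2, 30)))
```
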
As shown in Fig. 6, the process of discovering and tracing a theft attack in the embodiment of the invention includes:
Step 310: deployment of the anomaly sensing and tracking system is complete, as described above.
Step 320: the attacker opens the protected folder on the host, triggering the UNC address request in desktop.ini. A non-specified host user name is used, the folder is browsed in a non-specified time period, and the folder is opened several times in succession within a period of time. An anomaly warning and notification is therefore generated as described in step 340, and the defender can quickly discover the anomaly.
Step 330: the attacker steals the protected folder from the host, and a request is triggered when the folder is accessed on any device other than the original host. Because the protected folder has left the original host, when the request is triggered the anomaly sensing and tracking system raises an anomaly alert as shown in step 340. The request processing module can also obtain information such as the attacker's host IP, user name and trigger time, so that the attacker can be tracked.
Step 340: the anomaly information is displayed visually and notified in real time by SMS and e-mail.
Step 350: information such as the IP of the host on which the protected folder is located when it is accessed from a different location, the user name and the trigger time is obtained and used for tracing.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail by using examples, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered in the claims of the present invention.

Claims (8)

1. A method for the perception of theft of a document, comprising the steps of:
1) placing a folder configuration file desktop.ini in each peer or superior folder for storing the set sensitive data files, and setting the desktop.ini files as system and hidden attributes;
2) writing a network position for acquiring a folder icon of a folder where the desktop.ini file is located in each desktop.ini file, wherein the description format of the network position meets the Windows UNC format; the description information of the network location includes but is not limited to the following: the system command is used for obtaining the logged-in system user name, and the serial number identification corresponding to the folder is located; the system command is a variable in the UNC path, after the command is executed, the execution result replaces the command, and the addressable UNC path is formed by the execution result and other contents;
3) making each folder containing a folder configuration file desktop.ini as a file package, and reserving directory levels and files in directories of each level in the file package;
4) signing a name server on a public network as a perception server;
5) when the file packet is accessed on a Windows host, the function of the desktop. ini file is triggered, so that a domain name resolution request is sent to a sensing server;
6) the sensing server obtains an IP address for initiating an access host and a user name and a folder number identification of a logged-in system according to the received domain name resolution request;
7) and the sensing server judges whether the theft or the divulgence event occurs according to the information extracted in the step 6) and a preset access rule.
2. The method of claim 1, wherein the preset access rule is at least one of the following rules: 1) the IP address and the user name of the initiating request are different from the recorded white list; 2) the time of the request is not within a specified time period; 3) and continuously triggering for multiple times within a set time length.
3. The method according to claim 1, wherein in step 3), each of said folders containing the folder profile. In step 5), when the compressed file package is unpacked on a Windows host and the unpacked directory is accessed, the function of the desktop. ini file is triggered.
4. The method of claim 1, wherein when the aware server determines that a theft or compromise event has occurred, sending an access warning message to the designated party.
5. The system for sensing the file theft is characterized by comprising a sensing server and a sensing file generation module, wherein the sensing server comprises a database module, a request processing module and an analysis control module; wherein the content of the first and second substances,
the system comprises a perception file generation module, a protected host or a server and a plurality of servers, wherein the perception file generation module is positioned on the protected host or the server and is used for putting a folder configuration file desktop.ini into each peer or superior folder for storing a set sensitive data file, setting the desktop.ini file as a system and a hiding attribute, and writing a network position for acquiring a folder icon of the folder where the desktop.ini file is located into each desktop.ini file, wherein the description format of the network position meets the Windows UNC format; each folder containing a folder configuration file desktop.ini is made into a file package, and directory hierarchies and files in the directories of each hierarchy are reserved in the file package; sending the IP, the user name, the generated ID identification and the folder name of the host to which the folder belongs to a database module; wherein the description information of the network location includes but is not limited to the following: the system command is used for obtaining the logged-in system user name, and the serial number identification corresponding to the folder is located; the system command is a variable in the UNC path, after the command is executed, the execution result replaces the command, and the addressable UNC path is formed by the execution result and other contents;
the database module is used for recording the marking information returned by the sensing file generation module, and recording a DNS request source IP and timestamp information when the protected folder is triggered;
the request processing module is used for receiving that the function of a desktop. ini file is triggered to send a domain name resolution request to the sensing server, and obtaining an IP address for sending an access host and a user name and a folder number identification of a logged-in system from the domain name resolution request;
and the analysis control module is used for judging whether a theft or a secret leakage event occurs according to the information extracted by the request processing module and a preset access rule.
6. The system of claim 5, wherein the sensing server further comprises an anomaly notification module for sending an access warning message to the designated party when the sensing server determines that a theft or a secret leakage event has occurred.
7. The system of claim 5, wherein the preset access rule is at least one of the following rules: 1) the IP address and the user name initiating the request differ from the recorded whitelist; 2) the time of the request is not within a specified time period; 3) the folder is triggered multiple times in succession within a set time length.
8. The system of claim 5, wherein the sensing file generation module makes each folder containing a folder configuration file desktop.ini into a file package and compresses it; when the compressed file package is unpacked on a Windows host and the unpacked directory is accessed, the function of the desktop.ini file is triggered and a domain name resolution request is sent to the sensing server.
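The following sketch, added here as an illustration and not taken from the patent, shows how the request processing and analysis control modules of claims 5 and 7 could evaluate a triggered domain name resolution request. The query layout `<user>.<folder_id>.<zone>`, the zone name, the thresholds and all sample records are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

SENSOR_ZONE = "sense.example"              # assumed domain served by the sensing server
REGISTERED_IDS = {"f0001"}                 # constructed: folder IDs held by the database module
WHITELIST = {("10.0.0.5", "alice")}        # constructed: allowed (source IP, user name) pairs
ALLOWED_HOURS = (time(8, 0), time(18, 0))  # constructed: permitted access period
BURST_COUNT = 3                            # triggers inside BURST_WINDOW that count as repeated
BURST_WINDOW = timedelta(minutes=5)


def parse_qname(qname):
    """Return (user, folder_id) from '<user>.<folder_id>.<zone>', or None."""
    name = qname.rstrip(".").lower()
    suffix = "." + SENSOR_ZONE
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 2 or not all(labels):
        return None
    return labels[0], labels[1]


class Analyzer:
    """Applies the three preset access rules of claim 7 to each request."""

    def __init__(self):
        self.recent = defaultdict(deque)   # folder_id -> timestamps of recent triggers

    def evaluate(self, src_ip, qname, ts):
        parsed = parse_qname(qname)
        if parsed is None:
            return None                    # not a sensing-file request
        user, folder_id = parsed
        if folder_id not in REGISTERED_IDS:
            return ["unregistered-folder-id"]  # added sanity check, not a claimed rule
        reasons = []
        if (src_ip, user) not in WHITELIST:                        # rule 1
            reasons.append("not-whitelisted")
        if not ALLOWED_HOURS[0] <= ts.time() <= ALLOWED_HOURS[1]:  # rule 2
            reasons.append("outside-allowed-hours")
        hits = self.recent[folder_id]                              # rule 3
        hits.append(ts)
        while ts - hits[0] > BURST_WINDOW:
            hits.popleft()
        if len(hits) >= BURST_COUNT:
            reasons.append("repeated-trigger")
        return reasons                     # empty list: no rule violated
```

An authoritative DNS server normally sees the address of the recursive resolver rather than of the accessing host, so the whitelist in rule 1 has to hold resolver addresses unless hosts query the sensing server directly.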
CN201910587125.1A 2019-07-01 2019-07-01 Method and system for sensing file theft Active CN112187699B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910587125.1A CN112187699B (en) 2019-07-01 2019-07-01 Method and system for sensing file theft

Publications (2)

Publication Number Publication Date
CN112187699A CN112187699A (en) 2021-01-05
CN112187699B CN112187699B (en) 2021-12-28

Family

ID=73914789

Country Status (1)

Country Link
CN (1) CN112187699B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113949555B (en) * 2021-10-13 2023-01-31 中国商用飞机有限责任公司 Online network defense method and system based on time mark and data comparison module

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104657637A (en) * 2015-01-29 2015-05-27 深信服网络科技(深圳)有限公司 Document information embedding and tracking methods and systems and proxy service equipment
CN107046535A (en) * 2017-03-24 2017-08-15 中国科学院信息工程研究所 A kind of abnormality sensing and method for tracing and system
CN108121914A (en) * 2018-01-17 2018-06-05 四川神琥科技有限公司 A kind of document, which is divulged a secret, protects tracing system
US10097538B1 (en) * 2017-08-12 2018-10-09 Growpath, Inc. User authentication systems and methods

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8489637B2 (en) * 2009-11-19 2013-07-16 International Business Machines Corporation User-based DNS server access control

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"渗透技巧-利用图标文件获取连接文件服务器的NTLMv2 Hash";wilsonlee1;《https://xz.aliyun.com/t/1977?page=5》;20180123;全文 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant