CN101430752B - Sensitive data switching control module and method for computer and movable memory device - Google Patents
Sensitive data switching control module and method for computer and movable memory device Download PDFInfo
- Publication number
- CN101430752B CN101430752B CN2008102097538A CN200810209753A CN101430752B CN 101430752 B CN101430752 B CN 101430752B CN 2008102097538 A CN2008102097538 A CN 2008102097538A CN 200810209753 A CN200810209753 A CN 200810209753A CN 101430752 B CN101430752 B CN 101430752B
- Authority
- CN
- China
- Prior art keywords
- content
- module
- control module
- file
- connection object
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a control module for sensitive data interchange between a computer and a mobile storage device and a method thereof, and relates to the control module for data interchange between the computer and the mobile storage device and the method thereof, thereby solving the problems of poorer security, and flexibility and practicality lack existing in the existing mobile storage security system. An operation monitoring module transmits a transmission object to a content filtering module, and carries out control of write operation; the content filtering module analyzes an attribute from the transmission object, determines whether the content of the transmission object contains sensitive information or not according to a sensitive data information base, and transmits a determination result to the operation monitoring module. By analyzing each attribute of the transmission object, the method extracts transmission content, determines whether the transmission content contains sensitive information or not, and controls the transmission object according to the determination result. The determination of invention to the sensitive information not only depends on a traditional key word way, but also can use a method based on text semanteme or multimedia aware content abstract.
Description
Technical field
The present invention relates to exchanges data control module and method between a kind of computing machine and the memory device, belong to the movable storage device security fields, and this method also can be applicable to the control and the management of exchanges data between the computer and network.
Background technology
Current, the exchange between computing machine and movable storage device for sensitivity or confidential data lacks safety management scheme system, practical.Existing technology generally adopts the usable range (is the patent of invention of CN1845136 as publication number) of software control movable storage device, perhaps direct limiting computer is to the visit (as the restricted mobile memory medium management system of USEC) of mobile device, to reduce the possibility that sensitive information leaks.Though these methods can reach secret purpose, also limited the exchange of general information simultaneously, for normal work has brought inconvenience.
Existing various data safety management technology generally all is conceived to some specific levels and considers safety problem, for example LAN system, whole computing machine, disk, file or file etc., can not filter inspection at the transmission content, can't solve the problem that prevents that sensitive information from leaking from content, influence the convenience of movable storage device practicality on the contrary.
Existing operation of generally all formulating level of security and permission based on the safety management system of file by the method for user's enactment document security attribute, though the control to exchange files improves, but still there are two problems: the one, file content is understood under deficiency or the situation the user in misoperation, set security attribute easily mistakenly, cause potential safety management to be lost efficacy, reduced the reliability of system; The 2nd, that the operation of these systems control often is confined to is read-only, restriction printing times, restricted part editting function etc., lacks dirigibility and practicality.
Summary of the invention
The present invention solves the problem that the security of existing mobile storage security system existence is relatively poor, lack dirigibility and practicality, and the sensitive data switching control module and the method for a kind of computing machine and movable storage device is provided.The sensitive data switching control module of computing machine of the present invention and movable storage device comprises with lower unit:
The operation supervise and control module is used for the data transfer operation between supervisory control comuter and the movable storage device, and connection object is sent to the information filtering module, and connection object is carried out the control of write operation according to the judged result of information filtering module feedback;
The information filtering module, be used to analyze each attribute: file type, file layout, content etc. from the connection object of operation supervise and control module, whether the content of judging connection object according to the sensitive data information bank comprises sensitive information, and judged result is sent to the operation supervise and control module.
The kernel state filter Driver on FSD is adopted in the file operation monitoring, the kernel state filter Driver on FSD is used for not changing underlying device driving or user program and increases the new function of I/O equipment, allow not need to rewrite the bottom layer driving code and change the characteristic that there has been the I/O device drives in this, can reach specified file, file or whole Logical Disk are protected, tackle the read-write requests of all users it;
Described information filtering module (2) comprises with lower unit:
Connection object analysis module (2-1) is used for the connection object that operation supervise and control module (1) provides is analyzed, and obtains its file type, file layout, reaches the transmission content, and the content of extracting is sent to transmission content discrimination module (2-2);
Transmission content discrimination module (2-2) is used for judging whether the transmission content is sensitive content, and judged result is sent to operation supervise and control module (1).But contents processing mainly contains two big class, i.e. text content and image content of multimedia;
Transmission content discrimination module (2-2) is judged the transmission content according to the sensitive information database, is obtaining transmitting under the situation of content, and matching process based on key word is adopted in the differentiation of content of text; To the differentiation of content of multimedia such as image, then adopt recognition methods based on the perception summary; When making up the sensitive information database, calculate and store the perception summary of responsive content of multimedia;
It also comprises with lower unit:
Encrypt filtration drive module (3), be used for connection object being carried out based on the real-time encrypted of filtering enciphered driving or deciphering according to the judged result of information filtering module (2);
1., receive the request of operation supervise and control module 1 and the target susceptibility connection object encrypted and store on the movable storage device function of encrypting filtration drive module (3) comprising:; When receiving the request that operation supervise and control module 1 is sent, before being saved to movable storage device, these data encrypt this document.2., tackle all users to the read request of encrypt file and before returning to validated user, decipher.
The sensitive data switching control method of computing machine of the present invention and movable storage device may further comprise the steps:
The write request from the user is tackled and resolved to step 1, operation supervise and control module, and analysis result is sent to the information filtering module;
Step 5, the operation supervise and control module is encrypted connection object according to the write operation or the startup encryption filtration drive module of judged result control transmission object; The process, user, filename, time etc. that to carry out current operation simultaneously record in the syslog file.
Step 6, the connection object of encrypting after the filtration drive module will be encrypted sends to down one deck device object.
Beneficial effect: monitoring granularity of the present invention is less, and the monitoring granularity is a connection object, and connection object may be " file " or " part of file "; The present invention can monitor the connection object of multiple file layout; The present invention not only is applicable to text, also can prevent the leakage of multimedia sensitive documents such as image, Voice ﹠ Video simultaneously, and practicality is stronger; The present invention mainly carries out file monitor in operating system nucleus attitude and user's attitude, is transparent to the application program of user's attitude; The present invention not only can be applied between computing machine and the movable storage device, also can be applied in the expansion environment such as message exchange between computing machine and the local network.
Description of drawings
Fig. 1 is the structural representation of the sensitive data switching control module of computing machine of the present invention and movable storage device; Fig. 2 is the composition structural representation of the sensitive data exchange control system of computing machine of the present invention and movable storage device; Fig. 3 is the process flow diagram of the sensitive data switching control method of computing machine of the present invention and movable storage device.
Embodiment
Embodiment one: referring to Fig. 1 and Fig. 2, the control module of present embodiment is by forming with lower unit:
Operation supervise and control module 1, be used for the data transfer operation between supervisory control comuter and the movable storage device, connection object (connection object may be the part of file or file) is sent to information filtering module 2, and connection object is carried out the control of write operation according to the judged result of information filtering module 2 feedbacks;
Present embodiment is an exchanges data management system between a kind of computing machine and the movable storage device, from function, mainly comprises supervision and control two parts.Its purpose is to prevent that the data form computer that comprises sensitive information from leaking into other unsafe occasion by movable storage device, be used for when movable storage device inserts the computing machine copies data, this system monitors operation, and by whether can carry out the write operation toward movable storage device to the analysis and judgement of connection object.The system of present embodiment forms as shown in Figure 2: the corresponding software of present embodiment is installed in the protected computer; data exchange between protected computer and movable storage device; therefore the prerequisite of present embodiment supposition is: protected computer is to trust, and movable storage device is fly-by-night.In protected computer inside, the function of present embodiment is carried out respectively at user's attitude and kernel state, cooperatively interacts and finishes different functions.
The kernel state filter Driver on FSD is adopted in the file operation monitoring; the kernel state filter Driver on FSD is used for not changing underlying device driving or user program and increases the new function of I/O equipment; allow not need to rewrite the bottom layer driving code and change the characteristic that there has been the I/O device drives in this; can reach specified file, file or whole Logical Disk are protected, tackle the read-write requests of all users it.
Embodiment two: referring to Fig. 1, present embodiment further defines described information filtering module 2 and comprises with lower unit on the basis of embodiment one:
Connection object analysis module 2-1 is used for the connection object that operation supervise and control module 1 provides is analyzed, and obtains its file type, file layout, reaches the transmission content, and the content of extracting is sent to transmission content discrimination module 2-2;
Transmission content discrimination module 2-2 is used for judging whether the transmission content is sensitive content, and judged result is sent to operation supervise and control module 1.But contents processing mainly contains two big class, i.e. content of multimedia such as text content and image.
Transmission content discrimination module 2-2 judges the transmission content according to the sensitive information database, data in the sensitive information database can be provided with according to concrete applied environment, as obtaining by training to known sensitive document, content of text key word among the present invention is simultaneously stored with the ciphertext form, content of multimedia such as image have guaranteed the safety of sensitive data with the form storage of perception summary.
Obtaining transmitting under the situation of content, matching process based on key word is being adopted in the differentiation of content of text.To the differentiation of content of multimedia such as image, then adopt recognition methods based on the perception summary.When making up the sensitive information database, calculate and store the perception summary of responsive content of multimedia, the perception summary has characteristics such as perception robustness, security, summary.Even wherein robustness be meant content of multimedia keep through content operation (as, compression, format conversion, rotation etc.) after, still can utilize the perception summary in the database to determine this content.This characteristic can satisfy demand of the present invention well.
Aspect the content differentiation, present embodiment not only can be monitored traditional text content, can also based on the synopsis (rather than traditional binary data stream) of multimedia Perception Features the susceptibility of file content be adjudicated by content of text (rather than traditional keyword) based on the character arrangement based on semanteme.
Embodiment three: referring to Fig. 1, present embodiment has increased on the basis of embodiment one with lower unit:
Encrypt filtration drive module 3, be used for connection object being carried out based on the real-time encrypted of filtration drive or deciphering according to the judged result of information filtering module 2.
Encrypting filtration drive is in operating system nucleus, the data encryption technology on the file system.It is to utilize the exploitation filtration drive to realize the technology of file system function expansion, belongs to operating system nucleus program and file system and combines closely, for the user provides the enciphering/deciphering service.Utilize filtration drive to realize that file encryption-decryption has safety guarantee, because filtration drive belongs to the operating system nucleus program, kernel mechanism provides strong safety assurance, is difficult under attack.Concerning validated user, this module can provide transparent file encryption-decryption service.The advantage that the integrated file system filtration drive is encrypted and the demand for security of this patent are carried out safe and reliable encryption to the specified file in the movable storage device, and it is rational adopting this technology.
1., receive the request of operation supervise and control module 1 and the target susceptibility connection object encrypted and store on the movable storage device function of encrypting filtration drive module 3 comprises:.When receiving the request that operation supervise and control module 1 is sent, before being saved to movable storage device, these data encrypt this document.2., tackle all users to the read request of encrypt file and before returning to validated user, decipher.This module realizes encipherment protection to the sensitive data in the protected computing machine, during write data data is encrypted, and during read data data is decrypted, and enciphering/deciphering is transparent to validated user.Even the disabled user steals the sensitive data on the movable storage device, can not decipher it.
Present embodiment adopts the encryption based on filtration drive, can carry out encipherment protection to the various files under the multiple file system, does not influence user's normal running; The seamless Embedded Operating System kernel of the encryption filtration drive that present embodiment adopted carries out high strength encrypting or deciphering to the I/O data, and is safe.
Embodiment four: referring to Fig. 1, present embodiment has increased on embodiment one or three basis with lower unit:
Daily record audit module 4 is used for recording operation monitoring module 1 or encrypts the operation of filtration drive module 3 to each transfer files, and operation note is offered user inquiring and output.
The user can according to daily record audit content that module 4 provides to the security of total system and system whether normally operation detect, and system is adjusted according to testing result.
Embodiment five: referring to Fig. 3, the control method of present embodiment is made up of following steps:
Step 5, operation supervise and control module 1 is encrypted 3 pairs of connection objects encryptions of filtration drive module according to the write operation or the startup of judged result control transmission object; The process, user, filename, time etc. that to carry out current operation simultaneously record in the syslog file.
Step 6, the connection object of encrypting after filtration drive module 3 will be encrypted sends to down one deck device object.
The control of the write operation of step 5 is meant if transmits data packets contains sensitive information in the present embodiment, then forbids current write operation or start encrypting the filtration drive module according to user's the wish or the needs of application scenario; If the transmission data do not comprise sensitive information, then allow current write operation to finish.
Claims (4)
1. the sensitive data switching control module of computing machine and movable storage device is characterized in that it comprises with lower unit:
Operation supervise and control module (1), be used for the data transfer operation between supervisory control comuter and the movable storage device, connection object is sent to information filtering module (2), and connection object is carried out the control of write operation according to the judged result of information filtering module (2) feedback;
Information filtering module (2), be used for analyzing each attribute: file type, file layout, content from the connection object of operation supervise and control module (1), whether the content of judging connection object according to the sensitive data information bank comprises sensitive information, and judged result is sent to operation supervise and control module (1);
The kernel state filter Driver on FSD is adopted in the file operation monitoring, the kernel state filter Driver on FSD is used for not changing underlying device driving or user program and increases the new function of I/O equipment, allow not need to rewrite the bottom layer driving code and change the characteristic that there has been the I/O device drives in this, can reach specified file, file or whole Logical Disk are protected, tackle the read-write requests of all users it;
Described information filtering module (2) comprises with lower unit:
Connection object analysis module (2-1) is used for the connection object that operation supervise and control module (1) provides is analyzed, and obtains its file type, file layout, reaches the transmission content, and the content of extracting is sent to transmission content discrimination module (2-2);
Transmission content discrimination module (2-2) is used for judging whether the transmission content is sensitive content, and judged result is sent to operation supervise and control module (1); But contents processing has two big class, i.e. text content and image content of multimedia;
Transmission content discrimination module (2-2) is judged the transmission content according to the sensitive information database, is obtaining transmitting under the situation of content, and matching process based on key word is adopted in the differentiation of content of text; To the differentiation of image content of multimedia, then adopt recognition methods based on the perception summary; When making up the sensitive information database, calculate and store the perception summary of responsive content of multimedia;
It also comprises with lower unit:
Encrypt filtration drive module (3), be used for connection object being carried out based on the real-time encrypted of filtering enciphered driving or deciphering according to the judged result of information filtering module (2);
1., receive the request of operation supervise and control module (1) and the target susceptibility connection object encrypted and store on the movable storage device function of encrypting filtration drive module (3) comprising:; When receiving the request that operation supervise and control module (1) is sent, before being saved to movable storage device, these data encrypt this document; 2., tackle all users to the read request of encrypt file and before returning to validated user, decipher.
2. the sensitive data switching control module of computing machine according to claim 1 and movable storage device is characterized in that it also comprises with lower unit:
Daily record audit module (4) is used for log file operation supervise and control module (1) or encrypts the operation of filtration drive module (3) to each transfer files, and operation note is offered user inquiring and output.
3. based on the control method of the sensitive data switching control module of described computing machine of claim 1 and movable storage device, it is characterized in that it may further comprise the steps:
The write request from the user is tackled and resolved to step 1, operation supervise and control module (1), and analysis result is sent to information filtering module (2);
Step 2, information filtering module (2) is analyzed file type, the file layout of connection object according to the analysis result from operation supervise and control module (1), obtains the content of text or the image content of multimedia of connection object;
Step 3, information filtering module (2) is filtered the result who analyzes according to the sensitive information database, judges whether the content of transmission is sensitive information.
Step 4, information filtering module (2) feeds back to operation supervise and control module (1) with judged result;
Step 5, operation supervise and control module (1) is encrypted connection object according to the write operation or the startup encryption filtration drive module (3) of judged result control transmission object; To carry out current process of operating, user, filename, time keeping simultaneously in syslog file.
Step 6, the connection object of encrypting after filtration drive module (3) will be encrypted sends to down one deck device object.
4. the sensitive data switching control method of computing machine according to claim 3 and movable storage device, the write operation that it is characterized in that the control transmission object described in the step 5 is meant the sensitive information that contains for transmits data packets, forbids write operation or start encryption filtration drive module (3) encrypting according to user's the wish or the needs of application scenario.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008102097538A CN101430752B (en) | 2008-12-22 | 2008-12-22 | Sensitive data switching control module and method for computer and movable memory device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008102097538A CN101430752B (en) | 2008-12-22 | 2008-12-22 | Sensitive data switching control module and method for computer and movable memory device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101430752A CN101430752A (en) | 2009-05-13 |
| CN101430752B true CN101430752B (en) | 2010-09-15 |
Family
ID=40646139
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008102097538A Expired - Fee Related CN101430752B (en) | 2008-12-22 | 2008-12-22 | Sensitive data switching control module and method for computer and movable memory device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101430752B (en) |
Families Citing this family (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101847190A (en) * | 2010-05-31 | 2010-09-29 | 北京测腾信息技术有限公司 | Method and system for ferrying data safely |
| US8578486B2 (en) * | 2010-06-18 | 2013-11-05 | Microsoft Corporation | Encrypted network traffic interception and inspection |
| CN101980237A (en) * | 2010-10-13 | 2011-02-23 | 中兴通讯股份有限公司 | Data encryption method and mobile terminal |
| CN101980240A (en) * | 2010-11-19 | 2011-02-23 | 北京巨网汇通信息技术有限公司 | Method and equipment for preventing data from being stolen |
| CN102185836A (en) * | 2011-04-15 | 2011-09-14 | 哈尔滨工业大学 | Standalone electronic document protection system based on information stream model |
| CN102867148B (en) * | 2011-07-08 | 2015-03-25 | 北京金山安全软件有限公司 | Safety protection method and device for electronic equipment |
| CN103186733B (en) * | 2011-12-30 | 2016-01-27 | 中国移动通信集团广东有限公司 | Database user behavior management system and database user behavior management method |
| CN102737190B (en) * | 2012-07-04 | 2015-08-26 | 复旦大学 | Based on the detection method of leakage of information hidden danger in the Android application daily record of static analysis |
| CN102968600B (en) * | 2012-10-30 | 2017-02-15 | 国网电力科学研究院 | Full life-cycle management method for sensitive data file based on fingerprint information implantation |
| CN103327363B (en) * | 2013-05-27 | 2016-06-15 | 公安部第三研究所 | Realize the system and the method thereof that carry out video information control extension based on semantic granularity |
| CN103684997A (en) * | 2013-12-31 | 2014-03-26 | 厦门市美亚柏科信息股份有限公司 | One-way instantaneous transmission method of complete physical isolation data and system for achieving same |
| CN104410532A (en) * | 2014-12-12 | 2015-03-11 | 携程计算机技术(上海)有限公司 | Server and log filtering method thereof |
| CN105205415B (en) * | 2015-10-28 | 2018-03-02 | 广东欧珀移动通信有限公司 | The processing method and processing system of file |
| CN105430195A (en) * | 2015-12-31 | 2016-03-23 | 中科创达软件股份有限公司 | Data transmission method |
| CN107733773A (en) * | 2016-08-10 | 2018-02-23 | 中兴通讯股份有限公司 | Information protecting method, protection information dispensing device and protection information reception device |
| CN106330958B (en) * | 2016-09-29 | 2020-07-07 | 上海创功通讯技术有限公司 | Secure access method and device |
| CN107506660A (en) * | 2017-08-09 | 2017-12-22 | 浪潮金融信息技术有限公司 | A kind of daily record sensitive information processing method and system applied to financial self-service equipment |
| CN108345803B (en) * | 2018-03-22 | 2021-01-08 | 北京可信华泰科技有限公司 | Data access method and device of trusted storage equipment |
| CN108449753B (en) * | 2018-03-22 | 2022-08-30 | 北京可信华泰科技有限公司 | Method for reading data in trusted computing environment by mobile phone device |
| CN108345804B (en) * | 2018-03-22 | 2021-01-08 | 北京可信华泰信息技术有限公司 | Storage method and device in trusted computing environment |
| US10754998B2 (en) * | 2018-10-17 | 2020-08-25 | Bank Of America Corporation | Data loss prevention using machine learning |
| CN109815729A (en) * | 2018-12-28 | 2019-05-28 | 北京奇安信科技有限公司 | A kind of storage processing method and device of source file of auditing |
| CN112580116A (en) * | 2019-09-30 | 2021-03-30 | 北京国双科技有限公司 | Data protection method and device |
-
2008
- 2008-12-22 CN CN2008102097538A patent/CN101430752B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN101430752A (en) | 2009-05-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101430752B (en) | Sensitive data switching control module and method for computer and movable memory device | |
| US9348984B2 (en) | Method and system for protecting confidential information | |
| CN101512490B (en) | Securing data in a networked environment | |
| EP2510442B1 (en) | System and method for secured backup of data | |
| US8566934B2 (en) | Apparatus and method for enhancing security of data on a host computing device and a peripheral device | |
| CN102999732B (en) | Multi-stage domain protection method and system based on information security level identifiers | |
| CN105740725B (en) | A kind of document protection method and system | |
| CN101079882A (en) | Posture-based data protection | |
| CN103488954B (en) | A kind of file encryption system | |
| TWI493950B (en) | Conditional electric document right management system and method | |
| CN102110201B (en) | System for monitoring and auditing compact disc burning | |
| CN102609667A (en) | Automatic file encryption and decryption system and automatic file encryption and decryption method based on filter drive program | |
| CN100535876C (en) | Smart card and USB combined equipment and method of self-destroy forillegal access and try to pass valve value | |
| KR20010078840A (en) | Security System detecting the leak of information using computer storage device | |
| CN103218575A (en) | Host file security monitoring method | |
| CN101237353A (en) | A method and system for monitoring mobile storage device based on USBKEY | |
| CN104778954B (en) | A kind of CD subregion encryption method and system | |
| KR20150128328A (en) | Method of providing digital evidence collecting tools, apparatus and method of collecting digital evidence of mobile devices based on domain isolation | |
| CN106682521B (en) | File transparent encryption and decryption system and method based on driver layer | |
| CN100399304C (en) | Method for automatic protecting magnetic disk data utilizing filter driving program combined with intelligent key device | |
| CN111046405B (en) | Data processing method, device, equipment and storage medium | |
| JP3831990B2 (en) | Communication data audit method and apparatus | |
| CN106650492B (en) | A kind of multiple device file guard method and device based on security catalog | |
| CN106952659B (en) | CD multistage imprinting encryption method based on XTS encryption mode | |
| CN116028953A (en) | Data encryption method based on privacy calculation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100915 Termination date: 20111222 |