CN106203187B - USB storage device limiting method and system driven by file filtering - Google Patents


Info

Publication number
CN106203187B
Authority
CN
China
Prior art keywords
usb storage
storage device
record
serial number
application layer
Legal status
Active
Application number
CN201610475994.1A
Other languages
Chinese (zh)
Other versions
CN106203187A (en)
Inventor
高毅龙
涂高元
邱志斌
陈雅贤
Current Assignee
XIAMEN TIPRAY TECHNOLOGY CO LTD
Original Assignee
XIAMEN TIPRAY TECHNOLOGY CO LTD

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices; interconnection devices, e.g. bus-connected or in-line devices

Abstract

The invention relates to a method for restricting USB storage devices by means of a file filter driver, comprising the following steps: saving the policy configuration and, when a USB storage device is inserted into the computer, detecting the serial number of the currently mounted USB storage device; obtaining the stored policy configuration information; judging, according to the policy configuration, whether the serial number of the USB storage device is authorized for use, and granting the USB storage device a use permission. The system comprises an engine server connected to both the console and the data acquisition server, with the data acquisition server connected to the client. The file filter driver module restricts the use of USB storage devices in a universal and flexible way; it takes effect only on USB storage devices and does not affect other types of USB devices.

Description

USB storage device limiting method and system driven by file filtering
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for restricting USB storage devices by means of a file filter driver.
Background
With the widespread use of computer technology in office work, securing office data is becoming more and more important. For confidential data in particular, a leak may have serious consequences. USB (Universal Serial Bus) storage devices are now widely used; they are highly versatile, easy to carry and use, large in capacity and long-lived, have replaced the early 3.5-inch and 5.25-inch floppy disks, and play an important role in data exchange and data backup.
However, while providing convenience to the user, these mass storage mobile devices also pose a significant security hazard. An employee leaving the company can easily copy confidential company documents onto a USB storage device; if that data reaches a competitor, the loss to the enterprise is incalculable. Mixed use of computers inside and outside the unit easily turns the USB storage device into a transmission vector: sensitive or confidential internal information leaks outside the unit, or harmful content such as viruses and trojans is carried from outside into the unit, damaging or destroying data on internal computers. In recent years, disclosure incidents via USB storage media have occurred repeatedly, causing great trouble to users.
In the prior art, two methods are generally adopted to monitor and manage USB storage devices effectively: first, sealing the USB interface with solid glue; if the sealing is not thorough, the glue seal is easily opened and USB storage devices can continue to be inserted into the interface and used; second, removing the USB interface of the computer; once the USB interface is disabled, no USB device is available at all, and the convenience of USB storage devices cannot be exploited flexibly.
In view of the above, the present inventors have devised a method and system for restricting a USB storage device driven by file filtering.
Disclosure of Invention
The invention aims to provide a method and a system for restricting USB storage devices by means of a file filter driver, so that a file filter driver module can restrict the use of USB storage devices flexibly and universally, take effect on USB storage devices, and leave other types of USB devices unrestricted.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
a file filter driven USB storage device restriction method comprising the following steps:
S01: saving the policy configuration and, when a USB storage device is inserted into the computer, detecting the serial number of the currently mounted USB storage device;
S02: obtaining the stored policy configuration information;
S03: judging, according to the policy configuration, whether the serial number of the USB storage device is authorized for use, and granting the USB storage device a use permission.
The policy configuration comprises the serial numbers of authenticated USB storage devices and the corresponding permissions.
The use permission comprises read-only, read-write or forbidden.
In step S01, saving the policy configuration specifically includes the following steps:
A01: inserting the USB storage device to be authorized into a computer;
A02: scanning the unique serial number of the USB storage device, storing it as the unique authentication mark of the USB storage device, and configuring the corresponding permission.
In step S01, after detecting the serial number of the currently mounted USB storage device, the insertion event of the USB storage device is encapsulated into a record and sent to the application layer process, which then transmits and stores the record.
If the user operates on files in the current USB storage device, the user's operation log on all files in the USB storage device is recorded, encapsulated into a single record and sent to the application layer process, which then transmits and stores the record.
The operation log includes file creation, copy, deletion, editing and renaming operations.
A file filter driven USB storage device restriction system, comprising:
an engine server for storing the policy configuration;
a console for providing a management interface for the administrator and performing policy configuration on the engine server;
a data acquisition server for relaying the policy configuration sent by the engine server and storing the audit log;
a client for receiving the policy configuration sent by the data acquisition server, applying the policy configuration and submitting an audit log to the data acquisition server;
the client is provided with a file filter driver module for acquiring the serial number of the currently mounted USB storage device and detecting whether that serial number is an authorized serial number;
the engine server is connected to both the console and the data acquisition server, and the data acquisition server is connected to the client.
After detecting the serial number of the currently mounted USB storage device, the file filter driver module is further configured to encapsulate the insertion event of the USB storage device into a record and send it to the application layer process, which then transmits and stores the record.
If the user operates on files in the current USB storage device, the file filter driver module records the user's operation log on all files in the USB storage device, encapsulates the operation log into a single record and sends it to the application layer process, which then transmits and stores the record.
After adopting this scheme, the conventional approach of sealing or removing the USB interface is replaced by restricting USB storage devices in software: the USB storage device is identified by acquiring its unique serial number, and different use permissions are granted to it by means of the file filter driver module. The scheme is more universal, flexible and operable, takes effect only on USB storage devices, is independent of the USB interface version, does not interfere with or restrict other types of USB devices, and is safe and reliable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram of the system architecture of the present invention;
FIG. 2 is a flow chart illustrating the process of registering and authenticating a USB storage device according to the present invention;
FIG. 3 is a schematic diagram of the limited use of the USB storage device and the log recording process thereof according to the present invention.
Detailed Description
In order to make the technical problems to be solved, the technical solutions and the advantageous effects of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it.
As shown in FIG. 1 to FIG. 3, the present invention provides a method for restricting USB storage devices by means of a file filter driver, including the following steps:
S01: saving the policy configuration and, when a USB storage device is inserted into the computer, detecting the serial number of the currently mounted USB storage device;
S02: obtaining the stored policy configuration information;
S03: judging, according to the policy configuration, whether the serial number of the USB storage device is authorized for use, and granting the USB storage device a use permission.
The policy configuration may take various forms; specifically, it may include the serial numbers of authenticated USB storage devices and the corresponding permissions, so as to restrict the use of USB storage devices accordingly.
The use permission in this embodiment comprises read-only, read-write or forbidden, so that USB storage devices can be given finer-grained permissions, further enhancing universality, flexibility and operability.
In step S01, saving the policy configuration specifically includes the following steps:
A01: inserting the USB storage device to be authorized into a computer;
A02: scanning the unique serial number of the USB storage device, storing it as the unique authentication mark of the USB storage device, and configuring the corresponding permission.
In this embodiment, in step S01, after detecting the serial number of the currently mounted USB storage device, the insertion event of the USB storage device is encapsulated into a record and sent to the application layer process, which then transmits and stores the record.
Furthermore, if the user operates on files in the current USB storage device, the user's operation log on all files in the USB storage device is recorded, encapsulated into a single record and sent to the application layer process, which then transmits and stores the record.
The operation log comprises file creation, copy, deletion, editing and renaming operations, which strengthens monitoring of the use of the USB storage device.
The invention also provides a file filter driven USB storage device restriction system, comprising:
an engine server, which is the core control center of the system and is used for storing the policy configuration;
a console, which is used for providing a management interface for the administrator and performing policy configuration on the engine server; in use, when the administrator logs in to the console, the console connects to the engine server and performs policy configuration on it, and the engine server then distributes the policy configuration to each client through the data acquisition server;
a data acquisition server, which is used for relaying the policy configuration sent by the engine server and storing the audit log; when auditing the log of a certain client, the administrator logs in to the engine server through the console and then extracts the data from the data acquisition server via the engine server;
a client, which is used for receiving the policy configuration sent by the data acquisition server, applying the policy configuration and submitting an audit log to the data acquisition server;
the client is provided with a file filter driver module for acquiring the serial number of the currently mounted USB storage device and detecting whether that serial number is an authorized serial number;
the engine server is connected to both the console and the data acquisition server, and the data acquisition server is connected to the client.
After detecting the serial number of the currently mounted USB storage device, the file filter driver module is further configured to encapsulate the insertion event of the USB storage device into a record and send it to the application layer process, which then transmits and stores the record.
Further, if the user operates on files in the current USB storage device, the file filter driver module records the operation log on all files in the USB storage device, encapsulates the operation log into a single record and sends it to the application layer process, which then transmits and stores the record.
The specific workflow is as follows:
1. Registration and authentication of the USB storage device, as shown in FIG. 2:
a. insert the USB storage device to be authorized into a computer on which the console is installed;
b. the console scans the unique serial number of the USB storage device and stores it in a database as the unique authentication mark of the USB storage device;
c. the console sends the serial number to the computers permitted to use the USB storage device;
d. a computer that has received the authorization has permission to use the USB storage device, and a computer that has not received the authorization cannot use it.
2. Restricted use of the USB storage device and its logging, as shown in FIG. 3:
a. the computer starts up and automatically obtains the policy configuration from the engine server; the serial numbers of the USB storage devices usable on this computer are passed to the file filter driver module through the policy configuration;
b. a user inserts a USB storage device;
c. the file filter driver module receives the insertion event of the USB storage device, acquires the serial number of the current USB storage device, encapsulates the insertion event into a record and sends it to the application layer process, which then transmits the record to the data acquisition server for later examination;
d. the file filter driver module judges, according to the current policy configuration, whether the serial number of the USB storage device is authorized for use, and then grants the current USB storage device read-only permission or forbids its use;
e. if the user operates on files in the current USB storage device, the file filter driver module records the user's operation log on all files in the USB storage device, including file creation, copy, deletion, editing, renaming and other operations, encapsulates the operation log into a single record and sends it to the application layer process, which then sends the record to the data acquisition server for later examination.
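The registration and authorization procedure (A01/A02, S01 to S03) and the read-only enforcement and audit record of workflow step 2 can be illustrated with a user-mode C model of the filter driver's decision logic. This is an added example, not the patent's or Xiamen Tipray's code: the policy entries, serial numbers and file paths are constructed; the Windows access-mask and create-disposition constants are reproduced locally so the logic runs outside the kernel; and the helper names (policy_lookup, filter_decide, make_record) are assumptions. As on the page, a serial number that is not in the policy is treated as forbidden.

```c
/* Added example: user-mode model of the file filter driver's decision
 * logic for USB storage devices identified by serial number. Not the
 * patent's code; all serials, paths and policy entries are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef enum { PERM_FORBID = 0, PERM_READ_ONLY = 1, PERM_READ_WRITE = 2 } Permission;

/* One policy entry: an authenticated device serial and its permission
 * (step A02: the scanned serial becomes the device's authentication mark). */
typedef struct { const char *serial; Permission perm; } PolicyEntry;

/* Constructed policy configuration, as pushed to the client by the engine
 * server via the data acquisition server (workflow step 2a). */
static const PolicyEntry g_policy[] = {
    { "SNCORP-0001A", PERM_READ_WRITE },
    { "SNCORP-0002B", PERM_READ_ONLY  },
};
#define POLICY_COUNT (sizeof g_policy / sizeof g_policy[0])

/* Access-mask bits (Windows values) that a minifilter sees on IRP_MJ_CREATE. */
#define FILE_READ_DATA         0x00000001u
#define FILE_WRITE_DATA        0x00000002u
#define FILE_APPEND_DATA       0x00000004u
#define FILE_WRITE_EA          0x00000010u
#define FILE_WRITE_ATTRIBUTES  0x00000100u
#define DELETE                 0x00010000u
#define GENERIC_WRITE          0x40000000u
#define GENERIC_READ           0x80000000u
/* Any of these means the open can modify the volume. */
#define WRITE_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
                    FILE_WRITE_ATTRIBUTES | DELETE | GENERIC_WRITE)

/* IRP_MJ_CREATE create dispositions (Windows values). */
enum { FILE_SUPERSEDE = 0, FILE_OPEN = 1, FILE_CREATE = 2,
       FILE_OPEN_IF = 3, FILE_OVERWRITE = 4, FILE_OVERWRITE_IF = 5 };

/* Operations the filter intercepts; rename/delete arrive as set-information. */
typedef enum { OP_CREATE, OP_RENAME, OP_DELETE } FilterOp;
typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } Verdict;

/* Steps S02/S03: resolve the mounted device's serial against the stored
 * policy. A serial that was never registered is forbidden (default deny). */
Permission policy_lookup(const char *serial)
{
    for (size_t i = 0; i < POLICY_COUNT; i++)
        if (strcmp(g_policy[i].serial, serial) == 0)
            return g_policy[i].perm;
    return PERM_FORBID;
}

/* A CREATE modifies the device if it asks for write access or uses any
 * disposition other than plain FILE_OPEN (those may create or truncate). */
static int create_is_write(uint32_t desired_access, uint32_t disposition)
{
    if (desired_access & WRITE_MASK) return 1;
    return disposition != FILE_OPEN;
}

/* Pre-operation decision for a file on the device with this serial
 * (workflow step 2d): forbidden devices are blocked outright, read-write
 * devices pass, read-only devices pass only non-modifying opens. */
Verdict filter_decide(const char *serial, FilterOp op,
                      uint32_t desired_access, uint32_t disposition)
{
    Permission p = policy_lookup(serial);
    if (p == PERM_FORBID)     return VERDICT_DENY;
    if (p == PERM_READ_WRITE) return VERDICT_ALLOW;
    if (op != OP_CREATE)      return VERDICT_DENY;   /* rename/delete change the volume */
    return create_is_write(desired_access, disposition) ? VERDICT_DENY : VERDICT_ALLOW;
}

/* Workflow step 2c/2e: encapsulate one event into a single audit record for
 * the application-layer process to forward. Returns the record length. */
int make_record(char *out, size_t cap, const char *serial, const char *op_name,
                const char *path, Verdict v)
{
    return snprintf(out, cap, "serial=%s op=%s path=\"%s\" verdict=%s",
                    serial, op_name, path, v == VERDICT_ALLOW ? "allow" : "deny");
}

int main(void)
{
    char rec[256];
    /* A write open on the read-only device: denied and recorded. */
    Verdict v = filter_decide("SNCORP-0002B", OP_CREATE, FILE_WRITE_DATA, FILE_OPEN);
    make_record(rec, sizeof rec, "SNCORP-0002B", "create", "\\report.docx", v);
    puts(rec);
    return 0;
}
```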
The invention collects the unique serial numbers of the USB storage devices permitted within the company, configures each as read-only, read-write or forbidden, and then distributes the serial numbers to the computers that need them. When a USB storage device is inserted into a computer on which the client is installed, the file filter driver module detects whether the serial number of the currently mounted USB storage device is an authorized serial number; if it is, the configured authorization is followed and read-only or read-write permission is granted, otherwise the USB storage device is forbidden.
At the same time, the invention uses the file filter driver module to capture all of the user's operations on files in the USB storage device and the insertion and removal records of all USB storage devices on the computer, forms them into records and uploads them to the data acquisition server for later audit.
The invention can restrict company computers to designated USB storage devices only, preventing users from using arbitrary USB storage devices that could spread viruses to company computers; it can also prevent users from copying important company files onto their own USB storage devices at will, and records the insertion and removal of every USB storage device on the computer. If a user connects an unauthorized USB storage device, the administrator can see it at a glance in the operation log on the data acquisition server; the operation log records every file operation on the USB storage device in detail, so if company files are leaked through a USB storage device, the data can be traced afterwards.
Restricting USB storage devices in software replaces the conventional approach of sealing or removing the USB interface: the USB storage device is identified by acquiring its unique serial number, and different use permissions are granted to it by means of the file filter driver module, so the scheme is more universal, flexible and operable, takes effect only on USB storage devices, is independent of the USB interface version, does not interfere with or restrict other types of USB devices, and is safe and reliable.
While the foregoing description shows and describes the preferred embodiments of the present invention, it is to be understood that the invention is not limited to the forms disclosed herein, is not to be construed as excluding other embodiments, and is capable of use in various other combinations, modifications and environments and of changes within the scope of the inventive concept described herein, commensurate with the above teachings or with the skill and knowledge of the relevant art. Modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (2)

1. A restriction method of a restriction system for a file filter driven USB storage device, characterized in that
the restriction system comprises:
an engine server for storing the policy configuration;
a console for providing a management interface for the administrator and performing policy configuration on the engine server;
a data acquisition server for relaying the policy configuration sent by the engine server and storing the audit log;
a client for receiving the policy configuration sent by the data acquisition server, applying the policy configuration and submitting an audit log to the data acquisition server;
the client is provided with a file filter driver module for acquiring the serial number of the currently mounted USB storage device and detecting whether that serial number is an authorized serial number; after detecting the serial number of the currently mounted USB storage device, the file filter driver module is further used for encapsulating the insertion event of the USB storage device into a record and sending the record to the application layer process, which then transmits the record to be stored in the data acquisition server; if the user operates on files in the current USB storage device, the file filter driver module records the operation log on all files in the USB storage device, encapsulates the operation log into a single record and sends it to the application layer process, which transmits the record to be stored in the data acquisition server;
the engine server is connected to both the console and the data acquisition server, and the data acquisition server is connected to the client;
the restriction method comprises the following steps:
S011: inserting the USB storage device to be authorized into a computer on which the console is installed;
S012: the console scans the unique serial number of the USB storage device and stores it in a database as the unique authentication mark of the USB storage device;
S013: the console sends the serial number to the computers permitted to use the USB storage device;
S014: a computer that has received the authorization has permission to use the USB storage device, and a computer that has not received the authorization cannot use it;
S01: after the policy configuration has been saved, when a USB storage device is inserted into a computer, the serial number of the currently mounted USB storage device is detected; the policy configuration comprises the serial numbers of authenticated USB storage devices and the corresponding permissions;
S02: obtaining the stored policy configuration information;
S03: judging, according to the policy configuration, whether the serial number of the USB storage device is authorized for use, and granting the USB storage device a use permission;
in step S01, after detecting the serial number of the currently mounted USB storage device, the insertion event of the USB storage device is encapsulated into a record and sent to the application layer process, which then transmits and stores the record;
if the user operates on files in the current USB storage device, the user's operation log on all files in the USB storage device is recorded, encapsulated into a single record and sent to the application layer process, which transmits and stores the record, wherein the operation log comprises file creation, copy, deletion, editing and renaming operations.
2. The restriction method of the restriction system for a file filter driven USB storage device according to claim 1, characterized in that the use permission comprises read-only, read-write or forbidden.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610475994.1A CN106203187B (en) 2016-06-26 2016-06-26 USB storage device limiting method and system driven by file filtering

Publications (2)

Publication Number Publication Date
CN106203187A CN106203187A (en) 2016-12-07
CN106203187B true CN106203187B (en) 2020-05-05

Family

ID=57461275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610475994.1A Active CN106203187B (en) 2016-06-26 2016-06-26 USB storage device limiting method and system driven by file filtering

Country Status (1)

Country Link
CN (1) CN106203187B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106951789B (en) * 2016-12-09 2019-07-16 中国电子科技集团公司第三十研究所 A kind of USB Anti-ferry method based on safety label
CN107483434A (en) * 2017-08-10 2017-12-15 郑州云海信息技术有限公司 The management system and method for a kind of movable storage device
CN107483462B (en) * 2017-08-30 2020-02-14 厦门天锐科技股份有限公司 Operation authority management system and method of outgoing USB flash disk
CN108418802A (en) * 2018-02-02 2018-08-17 大势至(北京)软件工程有限公司 A kind of access control method and system of shared file
CN109246112A (en) * 2018-09-20 2019-01-18 郑州云海信息技术有限公司 A kind of management system and method for mobile memory medium that supporting two kinds of examination & approval modes
CN109491878A (en) * 2018-09-26 2019-03-19 深圳市吉祥腾达科技有限公司 A method of equipment of serial Log is acquired by USB flash disk
CN109254735A (en) * 2018-10-11 2019-01-22 北京明朝万达科技股份有限公司 The access control method and device of movable storage device
CN111027046A (en) * 2019-10-30 2020-04-17 厦门天锐科技股份有限公司 Access control method and device for USB network equipment
CN113485895A (en) * 2021-07-22 2021-10-08 北京天空卫士网络安全技术有限公司 Method and device for determining IO device type
CN113810366A (en) * 2021-08-02 2021-12-17 厦门天锐科技股份有限公司 Website uploaded file safety identification system and method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102109986A (en) * 2009-12-23 2011-06-29 阿里巴巴集团控股有限公司 Method, system and device for providing connection serial numbers and connecting plugins
CN103973646A (en) * 2013-01-31 2014-08-06 中国电信股份有限公司 Method, client device and system for storing services by aid of public cloud
CN105069383A (en) * 2015-05-21 2015-11-18 中国科学院计算技术研究所 Virtual desktop USB (Universal Serial Bus) storage peripheral management and control method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100458808C (en) * 2006-04-26 2009-02-04 南京大学 Read-write access control method for plug-in memory device

Also Published As

Publication number Publication date
CN106203187A (en) 2016-12-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant