CN114006776A - Sensitive information leakage detection method and device - Google Patents

Info

Publication number
CN114006776A
Authority
CN
China
Prior art keywords
sensitive information
information
leakage
response data
sensitive
Prior art date
Legal status
Granted
Application number
CN202111658014.9A
Other languages
Chinese (zh)
Other versions
CN114006776B (en)
Inventor
王卫新
赵林林
童兆丰
薛锋
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN202111658014.9A
Publication of CN114006776A
Application granted
Publication of CN114006776B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2455 Query execution
    • G06F 16/24564 Applying rules; Deductive queries

Abstract

The embodiment of the application provides a sensitive information leakage detection method and device, relating to the technical field of data security. The sensitive information leakage detection method comprises the following steps: intercepting all response data by monitoring the network traffic outlet of a target organization; judging whether the response data match a preset feature database; if yes, extracting the sensitive information and the access condition information associated with it from the response data; judging whether the access condition information matches a preset cloud information library; if yes, obtaining the leakage path of the sensitive information and outputting alarm prompt information comprising the leakage path to prompt that the sensitive information has been maliciously accessed. Sensitive information leakage detection can thus be carried out rapidly and accurately, with high flexibility and comprehensive coverage; the whole traffic outlet of the target organization can be monitored, path tracking analysis can be carried out on the leakage of sensitive information, and data security is maintained in time.

Description

Sensitive information leakage detection method and device
Technical Field
The application relates to the technical field of data security, in particular to a sensitive information leakage detection method and device.
Background
With the development of internet technology, accessing and storing user information on the internet has become commonplace. While a user browses a web page, the client sends requests to the server and receives the content the server returns, and sensitive information that concerns user privacy or must be kept secret is easily leaked when that content is handled improperly. In the existing sensitive information leakage detection method, after the client initiates a request and the server returns data, a back-end module judges by keyword matching whether sensitive information exists in the returned data, and when a keyword is hit an alarm is raised according to the matching information.
Other sensitive information leakage detection methods exist. Comparison document 1 (CN201710452471.X, a method and system for detecting data leakage) uses a probe to collect the data flowing from a database towards the Internet and performs sensitive data fingerprint feature matching on the collected data; if the match succeeds, the sensitive data has leaked to the Internet. Under the condition that data leakage cannot be completely avoided, the method detects data leakage with a smaller amount of modification and in a more comprehensive and intuitive way. Comparison document 2 first defines the sensitive information and determines the equipment in which it is stored; then formulates and manages a sensitive information access / external access strategy according to the defined sensitive data; then acquires and preprocesses the network traffic of the equipment storing the sensitive data; and finally performs sensitive information leakage responsibility confirmation on the illegal access / receiving program obtained, determining the illegal access account and the related personnel information. By analyzing the access traffic of the sensitive data, active analysis and control are carried out during the process that may cause data leakage, achieving identification, control and responsibility confirmation of client sensitive information leakage caused by any unknown attack.
In practice, however, the simple keyword matching mechanism and language differences make the detection accuracy and flexibility low, and the sensitive information leakage situation cannot be tracked and analyzed. Likewise, when comparison document 1 detects whether sensitive data has leaked by fingerprint feature matching, the leakage path of the sensitive data cannot be tracked and analyzed and an accurate alarm prompt cannot be given; comparison document 2 can only determine the program that initiates the abnormal access and the external program that receives it, that is, only the source of the abnormal access, and cannot track and analyze the leakage path of the sensitive information, so data security cannot be maintained in time. It can be seen that the prior art has low flexibility and low accuracy and cannot track and analyze sensitive information leakage paths, so that data security cannot be maintained in time.
Disclosure of Invention
The embodiment of the application aims to provide a sensitive information leakage detection method and device, which can be used for quickly and accurately detecting sensitive information leakage, are high in flexibility and comprehensive in coverage, can monitor the whole flow outlet of a target organization, can also be used for carrying out path tracking analysis on the sensitive information leakage condition and maintaining data safety in time.
A first aspect of an embodiment of the present application provides a sensitive information leakage detection method, including:
intercepting all response data by monitoring a network flow outlet of a target organization;
judging whether all the response data are matched with a preset feature database;
if yes, sensitive information and access condition information associated with the sensitive information are extracted from the response data;
judging whether the access condition information is matched with a preset cloud information library or not;
if yes, obtaining a leakage path of the sensitive information, and outputting alarm prompt information comprising the leakage path to prompt that the sensitive information is maliciously accessed.
In the implementation process, all response data are intercepted by monitoring the network traffic outlet of a target organization; whether the response data match a preset feature database is judged; if yes, the sensitive information and the access condition information associated with it are extracted from the response data; whether the access condition information matches a preset cloud information library is judged; if yes, the leakage path of the sensitive information is obtained and alarm prompt information comprising the leakage path is output to prompt that the sensitive information has been maliciously accessed. Sensitive information leakage detection can thus be carried out rapidly and accurately, with high flexibility and comprehensive coverage; the whole traffic outlet of the target organization can be monitored, path tracking analysis can be carried out on the leakage of sensitive information, and data security is maintained in time.
Further, intercepting all the response data by monitoring the network traffic outlet of the target organization includes:
monitoring the network traffic outlet of the target organization and intercepting all egress traffic of that outlet;
parsing and restoring all the egress traffic to obtain parsed and restored data;
and acquiring all response data from the parsed and restored data.
Further, the determining whether all the response data are matched with a preset feature database includes:
judging whether a preset matching rule can be acquired or not;
if yes, acquiring the preset matching rule and a preset feature database to perform multi-mode matching on all the response data to obtain a matching result;
judging whether all the response data are matched with the matching rules and/or the feature database according to the matching result;
and if so, executing the extraction of the sensitive information and the access condition information associated with the sensitive information from the response data.
Further, the access condition information includes exposure point information of the sensitive information, a leakage manner of the sensitive information, a user identifier for accessing the sensitive information, and a specific access condition of the sensitive information;
wherein the exposure point information comprises one or more of a communication interface, a communication service, and a host address that exposes the sensitive information;
the leakage mode comprises one or more of static resource leakage and data content leakage;
the user identification comprises one or more of address information and geographical position information;
the specific access condition comprises one or more of access time, access frequency and access statistic.
Further, the obtaining of the leakage path of the sensitive information includes:
performing data integration on the sensitive information, the exposure point information, the leakage mode, the user identification and the specific access condition to obtain leakage content, a leakage source and a leakage destination of the sensitive information;
generating a leakage path according to the leakage content, the leakage source and the leakage destination.
Further, the method further comprises:
and when the access condition information is judged not to be matched with the cloud information base, outputting risk prompt information that the sensitive information has a leakage risk.
A second aspect of the embodiments of the present application provides a sensitive information leakage detection apparatus, including:
the intercepting unit is used for intercepting all response data by monitoring a network flow outlet of a target organization;
the first judging unit is used for judging whether all the response data are matched with a preset feature database or not;
the extraction unit is used for extracting sensitive information and access condition information associated with the sensitive information from the response data when all the response data are judged to be matched with the feature database;
the second judgment unit is used for judging whether the access condition information is matched with a preset cloud information library or not;
the path acquisition unit is used for acquiring a leakage path of the sensitive information when the access condition information is judged to be matched with the cloud information base;
and the alarm output unit is used for outputting alarm prompt information comprising the leakage path so as to prompt that the sensitive information is maliciously accessed.
In the implementation process, the intercepting unit intercepts all response data by monitoring the network traffic outlet of a target organization; the first judging unit then judges whether the response data match a preset feature database; if yes, the extraction unit extracts the sensitive information and the access condition information associated with it from the response data; the second judging unit judges whether the access condition information matches a preset cloud information library; if yes, the path acquisition unit acquires the leakage path of the sensitive information and the alarm output unit outputs alarm prompt information including the leakage path to prompt that the sensitive information has been maliciously accessed. Sensitive information leakage detection can thus be carried out rapidly and accurately, with high flexibility and comprehensive coverage; the whole traffic outlet of the target organization can be monitored, path tracking analysis can be carried out on the leakage of sensitive information, and data security is maintained in time.
Further, the intercepting unit includes:
a first subunit, used for monitoring the network traffic outlet of the target organization and intercepting all egress traffic of that outlet;
a second subunit, used for parsing and restoring all the egress traffic to obtain parsed and restored data;
and a third subunit, used for acquiring all the response data from the parsed and restored data.
A third aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the sensitive information leakage detection method according to any one of the first aspect of the embodiments of the present application.
A fourth aspect of the present embodiment provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions, when read and executed by a processor, perform the sensitive information leakage detection method according to any one of the first aspect of the present embodiment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a sensitive information leakage detection method according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a sensitive information leakage detection apparatus according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating an access behavior matching result according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a sensitive information leakage detection method according to an embodiment of the present application. The sensitive information leakage detection method comprises the following steps:
s101, intercepting all response data by monitoring a network flow outlet of a target organization.
In this embodiment, an execution subject of the method may be a sensitive information leakage detection device, specifically, the sensitive information leakage detection device may specifically be a computer, a server, or other equipment, and may also be a software device running on the client, and the like, which is not limited in this embodiment.
In the embodiment of the application, all intercepted response data are response data returned to all clients in the target organization by the server. Specifically, the target organization may be a company, a corporation, a school, etc., and this embodiment of the present application is not limited thereto.
In the embodiment of the present application, the number of clients in the target organization may be one or more, and the embodiment of the present application is not limited thereto.
As an alternative embodiment, intercepting all the response data by monitoring the network traffic outlet of the target organization includes:
monitoring the network traffic outlet of the target organization and intercepting all egress traffic of that outlet;
parsing and restoring all egress traffic to obtain parsed and restored data;
and acquiring all response data from the parsed and restored data.
In the above embodiment, the network traffic outlet of the target organization is monitored and all egress traffic returned by the server to the clients in the target organization is intercepted, so as to facilitate subsequent matching with the preset feature database. In this way, sensitive information leakage from the various clients and systems in the target organization can be detected.
In the above embodiment, a Sensor (traffic probe) may be used to parse all egress traffic and restore it into request data and response data; the parsed and restored data therefore includes both the request data and the response data.
In the above embodiment, when the client and the server communicate with each other based on the HTTP protocol, the request data is an HTTP request, and the response data is an HTTP response. Among them, HTTP (hypertext transfer protocol) is an application layer protocol for distributed, collaborative, and hypermedia information systems.
S102, judging whether a preset matching rule can be acquired or not, and if so, executing S103 and S105; if not, executing the steps S104 to S105.
In this embodiment of the present application, the preconfigured matching rule may include a matching rule configured by a user in a customized manner in advance, and specifically, the matching rule may specifically be a keyword matching rule, and the like, which is not limited in this embodiment of the present application.
S103, acquiring a preset matching rule and a preset feature database, performing multi-mode matching on all response data to obtain a matching result, and executing the step S105.
As an optional implementation manner, when it is detected that a preconfigured matching rule exists, multi-pattern matching is performed on all response data according to the preconfigured matching rule and the preset feature database, which includes:
matching all the response data with a preset matching rule to obtain a first result;
simultaneously, matching all the response data with a preset feature database to obtain a second result;
and summarizing the first result and the second result to obtain a matching result.
In the above embodiment, the matching rule may also be customized: for example, keywords are extracted from confidential company content and content matching is then performed on them. By obtaining the preconfigured matching rule, customized, personalized privacy information matching can be realized and the matching precision improved.
In the embodiment of the present application, a preset feature database is used in the matching process. The feature database contains a large number of features; the number may reach about 50W (i.e. 500,000), and the features include user privacy features, organization secret features and the like, which is not limited in the embodiment of the present application.
In the embodiment of the application, the user privacy features include an identity card number feature, a mobile phone number feature, a mail feature, a bank card account number feature and the like. The identity card number feature is exemplified as follows:
\b(1[1-5]|2[1-3]|3[1-7]|4[1-6]|5[0-4]|6[1-5]|71|81|82)[0-9]{4}(19|20)[1-9]{2}((0[1-9])|(1[0-2]))(([0-2][1-9])|10|20|30|31)\d{3}[0-9Xx]\b
The mail feature is exemplified as follows (case-insensitive PCRE; the inline flag and the escaped dot before net were garbled in the extraction and are restored here):
(?i)\b[A-Z0-9+_.-]+@[A-Z0-9.-]+((\.com)|(\.com\.cn)|(\.net)|(\.net\.cn)|(\.org)|(\.gov\.cn)|(\.cn)|(\.org\.cn))\b
The mobile phone number feature is exemplified as follows:
!pcre: \b130\d{8}\b
the above description shows only one of the characteristics of the identification number, the mobile phone number, and the mail, and in practical applications, the method for representing the characteristics is not limited in any way in the embodiment of the present application.
After step S103, the following steps are also included:
and S104, acquiring a preset feature database, performing multi-mode matching on all response data to obtain a matching result, and executing the step S105.
In the embodiment of the present application, step S103 and step S104 are implemented, and rapid matching can be performed on the response data, wherein a matching method based on an Aho-Corasick automaton can be adopted for matching.
In the embodiment of the application, the matching algorithm may use the AC (Aho-Corasick) automaton to perform multi-pattern matching. The AC automaton is built on a trie (dictionary tree) of the target strings with failure links between its nodes, so it matches efficiently and accurately even when the text is large and the target strings are numerous.
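As an added example (not code from the patent), the following Python implements steps S102 to S105 in miniature: a custom keyword rule set is matched with a small Aho-Corasick automaton (first result), the response body is matched against a regex feature database modelled on the patterns above (second result), and the two are summarised into one matching result. The feature patterns, keyword rules and JSON response body are constructed for the example; the year digits of the identity-card pattern are written as \d{2} rather than the page's [1-9]{2}, and the mobile pattern is widened beyond the 130 prefix, both assumptions made so that the sample is hit.

```python
import re
from collections import deque

# Constructed feature database modelled on the page's example patterns
# (assumptions: year digits written as \d{2}, mobile prefix widened to 13x-19x).
FEATURE_DB = {
    "identity_card": re.compile(
        r"\b(1[1-5]|2[1-3]|3[1-7]|4[1-6]|5[0-4]|6[1-5]|71|81|82)[0-9]{4}"
        r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])\d{3}[0-9Xx]\b"),
    "mobile": re.compile(r"\b1[3-9]\d{9}\b"),
    "email": re.compile(
        r"\b[A-Z0-9+_.-]+@[A-Z0-9.-]+\.(com\.cn|net\.cn|org\.cn|gov\.cn|com|net|org|cn)\b",
        re.IGNORECASE),
}


class AhoCorasick:
    """Minimal Aho-Corasick automaton: a trie over the keywords plus failure
    links, so a single pass over the text finds every keyword occurrence."""

    def __init__(self, keywords):
        self.goto = [{}]      # node -> {char: child}
        self.fail = [0]       # node -> longest proper suffix that is a trie node
        self.out = [[]]       # node -> keywords that end at this node
        for kw in keywords:
            node = 0
            for ch in kw:
                if ch not in self.goto[node]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].append(kw)
        queue = deque(self.goto[0].values())   # depth-1 nodes fail to the root
        while queue:                           # BFS: parents before children
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                # keywords ending at the suffix node also end here
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]

    def search(self, text):
        """Return (start_offset, keyword) for every occurrence, in text order."""
        node, hits = 0, []
        for i, ch in enumerate(text):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            for kw in self.out[node]:
                hits.append((i - len(kw) + 1, kw))
        return hits


def match_response(body, rules=None, feature_db=FEATURE_DB):
    """Steps S102-S105: if custom keyword rules are configured, match them
    (first result); always match the feature database (second result); the
    two are summarised into {sensitive type: sorted unique values}.  An empty
    dict means the response carries nothing that matched."""
    summary = {}
    if rules:
        for _, kw in AhoCorasick(rules).search(body):
            summary.setdefault("custom_keyword", set()).add(kw)
    for name, pattern in feature_db.items():
        for m in pattern.finditer(body):
            summary.setdefault(name, set()).add(m.group(0))
    return {k: sorted(v) for k, v in summary.items()}


# Constructed response body (synthetic values, not real identifiers).
SAMPLE_RESPONSE = (
    '{"name": "test user", "certnumber": "110101199003071234", '
    '"mobile": "13800138000", "email": "ops@example.com", '
    '"note": "Project Falcon budget, internal only"}'
)
CUSTOM_RULES = ["Project Falcon", "internal only"]

if __name__ == "__main__":
    print(match_response(SAMPLE_RESPONSE, CUSTOM_RULES))
    print(match_response('{"status": "ok"}', CUSTOM_RULES))
```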
S105, judging whether all response data are matched with the matching rules and/or the feature database according to the matching result, and if so, executing the step S106-step S107; if not, the flow is ended.
And S106, extracting the sensitive information and the access condition information associated with the sensitive information from the response data.
In the embodiment of the present application, by implementing the steps S102 to S106, it can be determined whether all the response data are matched with the preset feature database.
In the embodiment of the present application, when matching is successful, access condition information of the sensitive information is extracted from the response data with respect to the matching result, where the access condition information includes, but is not limited to, exposure point information of the sensitive information, a leakage manner of the sensitive information, a user identifier for accessing the sensitive information, a specific access condition of the sensitive information, and the like, and the embodiment of the present application is not limited thereto.
In this embodiment, the exposure point information includes one or more of a communication interface, a communication service, a host address, and the like, which exposes the sensitive information, and this embodiment of the present application is not limited thereto.
In the embodiment of the present application, the leakage manner includes one or more of static resource leakage and data content leakage, and the embodiment of the present application is not limited thereto.
In the embodiment of the present application, the user identifier includes one or more of address information and geographic location information, which is not limited in the embodiment of the present application.
In the embodiment of the present application, the specific access condition includes one or more of an access time, an access frequency, and an access statistic (such as a QPM value, etc.), where the QPM value includes, but is not limited to, a query rate per minute, a number of query requests processed per minute, and the like, and the embodiment of the present application is not limited thereto.
In the embodiment of the application, the matching rules can be configured in advance according to requirements, the mass feature library is matched, the matching algorithm is optimized, accurate matching is carried out, and the matching flexibility and accuracy are improved.
S107, judging whether the access condition information is matched with a preset cloud information base, and if so, executing the step S108-the step S110; if not, step S111 is performed.
In the embodiment of the application, when the access condition information is judged to be matched with the cloud information base, the sensitive information is shown to be maliciously accessed, and when the access condition information is judged not to be matched with the cloud information base, the sensitive information is shown not to be maliciously accessed, but leakage risks exist.
And S108, performing data integration on the sensitive information, the exposure point information, the leakage mode, the user identification and the specific access condition to obtain the leakage content, the leakage source and the leakage destination of the sensitive information.
And S109, generating a leakage path according to the leakage content, the leakage source and the leakage destination.
In the embodiment of the present application, the leakage path of the sensitive information can be obtained by implementing the steps S108 to S109.
And S110, outputting alarm prompt information comprising the leakage path to prompt that the sensitive information is maliciously accessed, and ending the process.
In the embodiment of the application, the access condition information of the sensitive information is extracted and matched with the cloud information base. And when the matching is successful, determining that the sensitive information is maliciously accessed, integrating the leaked content, the leaked source and the leaked destination into a leakage path, generating an alarm and sending the alarm to an information owner.
In the embodiment of the application, the information owner of the sensitive information can be determined, and the warning prompt information is sent to the information owner, so that warning is timely given.
And S111, outputting risk prompt information of the sensitive information with leakage risk.
In the embodiment of the application, when the access condition information is judged not to be matched with the cloud information base, leakage risk exists in the information, and risk prompt information of the leakage risk of the sensitive information is output to remind an information owner of processing.
In the embodiment of the application, the information owner of the sensitive information can be determined, and the risk prompt information is sent to the information owner, so that prompt is timely given, and sensitive information leakage is avoided.
In the embodiment of the application, when it is determined that the sensitive information is leaked, the corresponding access condition information can be acquired for recording, the access condition of the specific sensitive information can be determined, and the leakage condition and the leakage path of the complete sensitive information, such as which interface, which host, and what information is leaked in which mode, can be acquired.
In the embodiment of the present application, the method performs sensitive information monitoring based on a traffic reduction request and feature matching, for example, as follows:
In the first step, a request interface is simulated at the client. The access address is set to http://www.xxxxxxxxxxx.cn/xxxxx.html, and the access IP is an internal access address and an external access address.
And secondly, simulating the flow returned by the data at the server (the following contents are all test generation data):
{"bizfamiyinfos": [{"id": 1234123, "familyumberber": "h80ysqtjlir4W3vsqkGk", "name": "test user", "certificationumber": "123412341234123232", "mobile": "12312341234", "ensuremod": "applytype_001", "appprovestate": "family_application", "datavalid": "check_003", "regstreet": "110100000", "biznum": "FEkux32VEka8gd0aKMZp", "biztype": "BIZ001", "regnum": "GX010000000", "resultnum": "GX010000000", "belongarea": "110107", "sysnumber": "b2Vr5gJnnb3nkibbz3N9m4N3P8cklgmtlgtanbhfh", "BIZNODE": "biznode003", "IBIZTYPE": "biztype003", "CCSTATE": null, "PDFSTATE": null, "BANKPDFFILE": null, "WARNINGFLAG": null, "CCREPORT": "no"}, {"id": 1234123, "familyumberber": "Oh804Sb8TB0rppkhzYr7", "name": "test user 2", "certificationumber": "123121233333000", "mobile": "12311222233"}]}
And thirdly, restoring the flow into request data and response data through a Sensor.
Fourthly, matching the response data: performing feature library matching through the AC automaton; extracting the matched content, acquiring the access condition information and giving an alarm.
Fifthly, matching results obtained according to the flow examples include matching results of sensitive content and matching results of corresponding access behaviors, the sensitive content examples are shown in the following table one, and the matching results of the access behaviors are shown in fig. 3.
Table 1
Sensitive content type    Sensitive content
Identity card             123412341234123232
Mobile phone              12312341234, 12311222233
Bank card                 123121233333000
And sixthly, performing cloud matching, namely extracting the access condition information of the sensitive information, and matching the extracted access condition information with a cloud information library. If the matching is successful, the information is judged to be maliciously accessed, the leaked content, the leaked source and the destination are integrated into a leakage path, and an alarm is generated and sent to the information owner. If the information is not matched, the information has a leakage risk and an information owner needs to be reminded to process the information.
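As an added example (not the patent's code) covering steps S106 to S111 and the cloud matching of the sixth step above: from restored request/response pairs that already carry a feature-matching result, it builds the access condition information (exposure point, leakage manner, user identifier, access time, count and QPM), checks the client address against a cloud information library, and either emits an alarm with the integrated leakage path or a leakage-risk notice. The Exchange record, the address set standing in for the cloud information library, the content-type heuristic for leakage manner and all addresses (documentation and private ranges) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for the cloud information library: client addresses
# known to be malicious (documentation-range placeholders, not real intel).
CLOUD_INFO_LIBRARY = {"203.0.113.45", "198.51.100.7"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Exchange:
    """One restored request/response pair (output of S101) that has already
    been through feature matching (S105); `matched` is {type: [values]}."""
    client_ip: str
    host: str
    interface: str       # request path: the exposed communication interface
    content_type: str    # response Content-Type
    time: datetime
    matched: dict


def leakage_manner(content_type):
    # Assumption: a served file is static resource leakage, an API payload
    # is data content leakage.
    static = ("text/html", "application/pdf", "application/octet-stream")
    return "static_resource" if content_type.startswith(static) else "data_content"


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def access_condition(exchanges, window_minutes=1.0):
    """S106: group hits per (client, host, interface) and derive exposure point,
    leakage manner, user identifier and access statistics (time, count, QPM)."""
    records = {}
    for ex in exchanges:
        if not ex.matched:           # nothing sensitive in this response
            continue
        rec = records.setdefault((ex.client_ip, ex.host, ex.interface), {
            "exposure_point": {"host": ex.host, "interface": ex.interface, "service": "http"},
            "leakage_manner": leakage_manner(ex.content_type),
            "user_identifier": {"address": ex.client_ip, "internal": is_internal(ex.client_ip)},
            "times": [], "content": {}})
        rec["times"].append(ex.time)
        for kind, values in ex.matched.items():
            rec["content"].setdefault(kind, set()).update(values)
    for rec in records.values():
        times = sorted(rec.pop("times"))
        # QPM over the observed span, but never over less than one window
        span = max((times[-1] - times[0]).total_seconds() / 60, window_minutes)
        rec["access"] = {"first": times[0].isoformat(), "count": len(times),
                         "qpm": round(len(times) / span, 2)}
    return list(records.values())


def assess(rec):
    """S107-S111: a cloud-library hit means malicious access, so integrate the
    leakage path and alarm; otherwise report a leakage risk to the owner."""
    addr = rec["user_identifier"]["address"]
    content = {k: sorted(v) for k, v in rec["content"].items()}
    source = rec["exposure_point"]["host"] + rec["exposure_point"]["interface"]
    if addr in CLOUD_INFO_LIBRARY:
        return {"client": addr, "level": "alarm",
                "message": "sensitive information maliciously accessed",
                "leakage_path": {"leakage_content": content, "leakage_source": source,
                                 "leakage_destination": addr,
                                 "leakage_manner": rec["leakage_manner"],
                                 "access": rec["access"]}}
    return {"client": addr, "level": "risk",
            "message": "sensitive information has a leakage risk",
            "exposure_point": rec["exposure_point"], "leakage_content": content,
            "internal_client": rec["user_identifier"]["internal"]}


def detect(exchanges):
    return [assess(rec) for rec in access_condition(exchanges)]


def _at(second):
    return datetime(2024, 1, 1, 12, 0, second)


# Constructed traffic: three rapid pulls by a known-bad external address, one
# by an internal client, and one response with nothing sensitive in it.
SAMPLE_EXCHANGES = [
    Exchange("203.0.113.45", "api.example.internal", "/api/family/info",
             "application/json", _at(0), {"mobile": ["13800138000"]}),
    Exchange("203.0.113.45", "api.example.internal", "/api/family/info",
             "application/json", _at(20),
             {"mobile": ["13800138000"], "identity_card": ["110101199003071234"]}),
    Exchange("203.0.113.45", "api.example.internal", "/api/family/info",
             "application/json", _at(40), {"mobile": ["13900139000"]}),
    Exchange("10.1.2.3", "api.example.internal", "/api/family/info",
             "application/json", _at(5), {"mobile": ["13800138000"]}),
    Exchange("192.0.2.9", "www.example.internal", "/index.html", "text/html", _at(7), {}),
]

if __name__ == "__main__":
    for verdict in detect(SAMPLE_EXCHANGES):
        print(verdict)
```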
In the embodiment of the application, the method can monitor the sensitive information of different platforms in a more flexible way, without manually accessing the service code.
In the embodiment of the application, by parsing and restoring the traffic and matching the response data efficiently, the method can effectively match the display of sensitive information such as identity card numbers, bank card numbers, mobile phone numbers, mailboxes and customer-defined items. The access records of different environments and hosts to this information can be extracted, so that whether the sensitive information has leaked to the public network and is being used by non-internal personnel can be analysed effectively, and whether the sensitive information has been accessed maliciously can be judged. The owner is then informed of the leakage in time so that it can be handled.
Therefore, the sensitive information leakage detection method described in this embodiment can perform sensitive information leakage detection quickly and accurately, has high flexibility and comprehensive coverage, can monitor the whole traffic outlet of the target organization, can perform path tracking analysis on the sensitive information leakage, and maintains data security in time.
Example 2
Referring to fig. 2, fig. 2 is a schematic structural diagram of a sensitive information leakage detection apparatus according to an embodiment of the present application. As shown in fig. 2, the sensitive information leakage detecting apparatus includes:
the intercepting unit 210 is configured to intercept all response data by monitoring a network traffic outlet of a target organization;
a first judging unit 220, configured to judge whether all the response data match a preset feature database;
an extracting unit 230, configured to extract the sensitive information and the access condition information associated with the sensitive information from the response data when it is determined that all the response data match the feature database;
a second determining unit 240, configured to determine whether the access information matches a preset cloud information base;
a path obtaining unit 250, configured to obtain a leakage path of the sensitive information when it is determined that the access condition information matches the cloud information base;
and an alarm output unit 260 for outputting alarm prompt information including the leakage path to prompt that the sensitive information has been accessed maliciously.
As an alternative embodiment, the intercepting unit 210 includes:
a first subunit 211, configured to monitor a network traffic outlet of a target organization, and intercept all outlet traffic of the network traffic outlet;
a second subunit 212, configured to perform parsing and restoration processing on all the outlet traffic to obtain parsed and restored data;
and a third subunit 213, configured to obtain all response data from the parsed and restored data.
As an alternative implementation, the first determining unit 220 includes:
a fourth subunit 221, configured to determine whether a preconfigured matching rule can be obtained; if yes, acquiring a preset matching rule and a preset feature database to perform multi-mode matching on all response data to obtain a matching result;
a fifth subunit 222, configured to determine, according to the matching result, whether all the response data match the matching rule and/or the feature database; if so, extracting the sensitive information and the access condition information associated with the sensitive information from the response data is executed.
In this embodiment of the present application, the access condition information includes, but is not limited to, exposure point information of the sensitive information, a leakage manner of the sensitive information, a user identifier for accessing the sensitive information, a specific access condition of the sensitive information, and the like, and this is not limited in this embodiment of the present application.
In this embodiment, the exposure point information includes one or more of a communication interface, a communication service, a host address, and the like, which exposes the sensitive information, and this embodiment of the present application is not limited thereto.
In the embodiment of the present application, the leakage manner includes one or more of static resource leakage and data content leakage, and the embodiment of the present application is not limited thereto.
In the embodiment of the present application, the user identifier includes one or more of address information and geographic location information, which is not limited in the embodiment of the present application.
In the embodiment of the present application, the specific access condition includes one or more of an access time, an access frequency, and an access statistic (such as a QPM value, etc.), where the QPM value includes, but is not limited to, a query rate per minute, a number of query requests processed per minute, and the like, and the embodiment of the present application is not limited thereto.
As an alternative embodiment, the path obtaining unit 250 includes:
a sixth subunit 251, configured to, when it is determined that the access condition information matches the cloud information base, perform data integration on the sensitive information, the exposure point information, the leakage manner, the user identifier and the specific access condition to obtain the leakage content, the leakage source and the leakage destination of the sensitive information;
and a seventh subunit 251, configured to generate the leakage path according to the leakage content, the leakage source and the leakage destination.
As an optional implementation manner, the alarm output unit 260 is further configured to output risk prompt information that the sensitive information has a leakage risk when it is determined that the access condition information is not matched with the cloud information base.
In the embodiment of the present application, for the explanation of the sensitive information leakage detection apparatus, reference may be made to the description in embodiment 1, and details are not repeated in this embodiment.
It can be seen that, the sensitive information leakage detection device described in this embodiment can perform sensitive information leakage detection quickly and accurately, has high flexibility and comprehensive coverage, can monitor the whole flow outlet of the target organization, and can perform path tracking analysis on the sensitive information leakage condition and maintain data security in time.
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the sensitive information leakage detection method in embodiment 1 of the present application.
The embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the method for detecting sensitive information leakage in embodiment 1 of the present application is executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A sensitive information leakage detection method, comprising:
intercepting all response data by monitoring a network traffic outlet of a target organization;
judging whether all the response data are matched with a preset feature database;
if yes, sensitive information and access condition information associated with the sensitive information are extracted from the response data;
judging whether the access condition information is matched with a preset cloud information library or not;
if yes, obtaining a leakage path of the sensitive information, and outputting alarm prompt information comprising the leakage path to prompt that the sensitive information is maliciously accessed.
2. The sensitive information leakage detection method according to claim 1, wherein intercepting all the response data by monitoring a network traffic outlet of the target organization comprises:
monitoring a network traffic outlet of a target organization, and intercepting all outlet traffic of the network traffic outlet;
parsing and restoring all the outlet traffic to obtain parsed and restored data;
and acquiring all response data from the parsed and restored data.
3. The sensitive information leakage detection method according to claim 1, wherein the determining whether all the response data match a preset feature database includes:
judging whether a preset matching rule can be acquired or not;
if yes, acquiring the preset matching rule and a preset feature database to perform multi-mode matching on all the response data to obtain a matching result;
judging whether all the response data are matched with the matching rules and/or the feature database according to the matching result;
and if so, executing the extraction of the sensitive information and the access condition information associated with the sensitive information from the response data.
4. The sensitive information leakage detection method according to claim 1, wherein the access condition information includes exposure point information of the sensitive information, a leakage manner of the sensitive information, a user identifier for accessing the sensitive information, and a specific access condition of the sensitive information;
wherein the exposure point information comprises one or more of a communication interface, a communication service, and a host address that exposes the sensitive information;
the leakage mode comprises one or more of static resource leakage and data content leakage;
the user identification comprises one or more of address information and geographical position information;
the specific access condition comprises one or more of access time, access frequency and access statistic.
5. The sensitive information leakage detection method according to claim 4, wherein the obtaining of the leakage path of the sensitive information includes:
performing data integration on the sensitive information, the exposure point information, the leakage mode, the user identification and the specific access condition to obtain leakage content, a leakage source and a leakage destination of the sensitive information;
generating a leakage path according to the leakage content, the leakage source and the leakage destination.
6. The sensitive information leakage detection method according to claim 1, further comprising:
and when the access condition information is judged not to be matched with the cloud information base, outputting risk prompt information that the sensitive information has a leakage risk.
7. A sensitive information leakage detecting apparatus, characterized by comprising:
the intercepting unit is used for intercepting all response data by monitoring a network traffic outlet of a target organization;
the first judging unit is used for judging whether all the response data are matched with a preset feature database or not;
the extraction unit is used for extracting sensitive information and access condition information associated with the sensitive information from the response data when all the response data are judged to be matched with the feature database;
the second judgment unit is used for judging whether the access condition information is matched with a preset cloud information library or not;
the path acquisition unit is used for acquiring a leakage path of the sensitive information when the access condition information is judged to be matched with the cloud information base;
and the alarm output unit is used for outputting alarm prompt information comprising the leakage path so as to prompt that the sensitive information is maliciously accessed.
8. The sensitive information leakage detecting apparatus according to claim 7, wherein the intercepting unit includes:
the first subunit is used for monitoring a network traffic outlet of a target organization and intercepting all outlet traffic of the network traffic outlet;
the second subunit is used for parsing and restoring all the outlet traffic to obtain parsed and restored data;
and the third subunit is used for acquiring all the response data from the parsed and restored data.
9. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to execute the sensitive information leakage detection method of any one of claims 1 to 6.
10. A readable storage medium storing computer program instructions which, when read and executed by a processor, perform the sensitive information leakage detection method according to any one of claims 1 to 6.
CN202111658014.9A 2021-12-31 2021-12-31 Sensitive information leakage detection method and device Active CN114006776B (en)
Publications (2)

Publication Number Publication Date
CN114006776A true CN114006776A (en) 2022-02-01
CN114006776B CN114006776B (en) 2022-03-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant