CN116186764B - Data security inspection method and system - Google Patents

Abstract

The invention relates to the technical field of data security inspection, and discloses a data security inspection method, which comprises the steps of creating task items in a task database through a processing module, writing various information of a new task, including a file storage path to be scanned, then scanning data through a scanning module, generating a scanning result to an inspection report file to store a designated path after scanning is completed, inquiring the task items in the database through an inquiring module by a user, reading the scanning result from a file system according to the designated path if the task state is completed, realizing scanning of the data, quickly obtaining the scanning result, and facilitating the user to quickly take corresponding measures.

Description

Data security inspection method and system

Technical Field

The invention relates to the technical field of data security inspection, in particular to a data security inspection method and system.

Background

With popularization and application of internet technology, the problem of data security is not ignored, and computer system security is the security protection of technology and management established and adopted for a data processing system, and computer hardware, software and data are protected from being destroyed, altered and leaked due to accidental and malicious reasons; the network system is enabled to normally operate by adopting various technologies and management measures, so that the availability, the integrity and the confidentiality of network data are ensured; ensuring that data transmitted and exchanged over the network does not increase, modify, lose and leak.

In the present information age, enterprises store more and more technical achievements, production records, market statistics and other information in the form of data, more and more data information is stored in the form of electronic documents, chinese patent CN108133148B discloses a data security inspection method and system, trusted authentication is carried out on an acquisition terminal, data are safely acquired, transmitted and stored, security and reliability of the data to be inspected are ensured, and the data security inspection result is true and effective.

Although the above patent may call the security inspection sub-module matched with the preset inspection mode through the data security inspection module, and perform security inspection on the data to be inspected according to the called security inspection sub-module to obtain a security inspection result, there is no specific method for inspecting various data files of different types, and an lawbreaker may mix the sensitive data in a normal file, thereby bringing the sensitive data.

Disclosure of Invention

The invention aims to provide a data security inspection method and system, which solve the technical problems.

The aim of the invention can be achieved by the following technical scheme:

a data security inspection method, the method comprising the steps of:

step 1, uploading data needing to be safely scanned by a user through a communication module, and submitting tasks through a processing module;

step 2, the system receives a task request and attached data to be scanned, saves the data to be scanned to a file system, creates task items in a task database through a processing module, writes various information of a new task, including a file saving path to be scanned, and then performs data inspection through a scanning module;

step 3, the scanning module polls the database regularly through a scanning program, if a new task is found, the task attribute is read to obtain a data path to be scanned, the data is scanned according to the path, a scanning result is generated and an inspection report file is stored to a designated path after the scanning is finished, and meanwhile, the state of the current task item is updated to be finished in the task database;

and 4, when the user requests the task state next time, the system queries task items in the database through the query module, and if the task state is completed, the scanning result is read from the file system according to the designated path.

According to the technical scheme, when the data security needs to be checked, task items can be created in the task database through the processing module, various information of a new task including a file storage path to be scanned is written, then the scanning module is used for scanning data, a scanning result is generated into a checking report file to store a specified path after the scanning is completed, a user can inquire the task items in the database through the inquiring module, and if the task state is completed, the scanning result is read from the file system according to the specified path.

As a further description of the scheme of the present invention, the specific working method of the step 3 includes the following steps:

step 31, firstly, a scanning program obtains a scanning path, and starts to traverse all files under the path and all sub paths;

step 32, carrying out file type filtering, file type verification and file encryption checking on the file, if the checking is not passed, directly reporting the file as a suspicious file, and if the checking is normal, entering the next checking;

step 33, sequentially performing Office document structure inspection and text keyword inspection on the Office document, reporting to be a suspicious file if the inspection is not passed, and entering the next inspection if the inspection is normal;

step 34, performing image noise adding and transformation on the image file;

step 35, decompressing the compressed package files, returning to the step one again, and scanning all files in the compressed package;

step 36, after the file enumeration has been completed for all files in the scan path, the scan is completed, the report generator collects all inspection results, sorts the results into report files, and stores the report files in the designated path, so that the task execution is completed.

Through the technical scheme, the scanning program carries out file type filtering, file type verification and file encryption checking on the file, if the checking is not passed, the file is directly reported as a suspicious file, image noise and conversion are carried out on the image file, the file in the file is decompressed by compressing the file, then the file is checked, if the checking is not passed, the file is directly reported as the suspicious file, and if the checking is normal, the next checking is carried out.

As a further description of the solution of the present invention, the scanning program will continuously poll the task database, retrieve the tasks to be executed therein and execute the tasks sequentially, and if all the tasks are executed, the polling will continue to wait for a new task to appear.

As a further description of the solution of the present invention, the specific method of step 32 includes:

the file type filtering method comprises the following steps:

firstly, scanning the suffix name of a file;

secondly, comparing the scanned suffix name with a white list which is set in advance;

finally, the file types in the white list can pass through, and other types are reported as suspicious files;

the method for verifying the file type comprises the following steps:

firstly, scanning the suffix name of a file;

secondly, checking the file structure according to the format stated by the file suffix name;

finally, reporting as suspicious if it does not conform to the format identified by the suffix;

the file encryption checking method comprises the following steps: the system reports all files protected by the password as suspicious files, scans file types supporting encryption, checks whether the files are encrypted or not, and reports the encrypted files as suspicious.

Through the technical scheme, file type filtering, file type verification and file encryption checking are carried out on the files, hidden means for changing the suffix names of the files are prevented, the files which do not accord with the format marked by the suffix are scanned out through scanning the suffix names, meanwhile, all files protected by passwords are reported as suspicious files, and the suspicious files are scanned out and reported as suspicious.

As a further description of the solution of the present invention, the specific method of step 33 includes:

the Office document structure checking method comprises the following steps: checking the file structure of Office documents according to the definition of Microsoft on various Office documents, checking some common data hiding methods and reporting files of hidden data;

the text keyword checking method comprises the following steps:

first, each byte of the file is scanned;

then, comparing the scanned bytes with the contrast keywords defined in advance;

and finally, if the comparison keywords appear, reporting as suspicious text.

As a further description of the scheme of the present invention, the definition method of the comparison keyword is as follows:

firstly, randomly selecting a plurality of sensitive documents as an experimental data set, processing the experimental data set by using an algorithm tool, selecting candidate keywords, and forming the obtained keywords into a keyword vocabulary;

then, calculating weights for each candidate keyword in the keyword vocabulary, and ranking according to the weights to screen out the first five candidate keywords with the maximum weights;

and finally, deleting other candidate keywords, wherein the five screened candidate keywords are comparison keywords.

By the technical scheme, office document structure inspection and text keyword inspection are sequentially carried out on Office documents, office texts are inspected through keywords defined in advance, and out-of-line suspicious texts are prevented.

As a further description of the solution of the present invention, the specific method of step 34 includes: methods of using active attacks on image files destroy hidden data that may be present in them: noise is added to the image file to destroy the possible LSB steganographic data, and then a fine rotation and scaling is performed to destroy the possible DCT steganographic data.

Through the technical scheme, hidden data possibly existing in the image file is destroyed through active attack, and the original image file is not influenced.

As a further description of the solution of the present invention, in the step 35: the present system uses the Zlib development package to compress and decompress the Zip file, uses the rar.exe to compress the RAR document, and uses the un.dll to decompress the RAR file.

By the technical scheme, after the compressed file is decompressed, scanning is performed, and the phenomenon that suspicious files are mixed in the compressed file is avoided.

A data security inspection system comprising: the device comprises a communication module, a processing module and a scanning module;

and a communication module: the system is used for uploading files needing to be safely scanned and sending task demands to the system;

the processing module is used for: the method comprises the steps of creating a scanning task item and writing various information of a new task;

the scanning module is responsible for scanning detection data and is a core module of the system.

The invention has the beneficial effects that:

1. the invention creates task items in the task database through the processing module, writes various information of new tasks including the file storage path to be scanned, then scans data through the scanning module, generates the scanning result to check the report file to store the appointed path after the scanning is completed, and a user can inquire the task items in the database through the inquiring module, if the task state is completed, reads the scanning result from the file system according to the appointed path, thereby realizing the scanning of the data, rapidly obtaining the scanning result and being convenient for the user to rapidly make corresponding measures.

2. The invention carries out file type filtering, file type verification and file encryption checking on the file through a scanning program, if the checking is not passed, the file is directly reported as a suspicious file, image noise adding and conversion are carried out on the image file, the compressed package file is decompressed, then the file is checked, and the file name and the file format are checked to prevent the embedding of additional files.

3. According to the invention, office document structure inspection and text keyword inspection are sequentially carried out on Office documents, and Office texts are inspected through the keywords which are defined in advance, so that additional information is prevented from being embedded into the texts.

4. The invention damages hidden data possibly existing in the image file through active attack, does not influence the original image file, and places additional information embedded in the image file.

5. The invention prevents suspicious files from being mixed in the compressed files by decompressing the compressed files and then scanning and checking the compressed files.

Drawings

The invention is further described below with reference to the accompanying drawings.

Fig. 1 is a schematic flow chart of a part of a data security checking method provided by the invention.

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

A data security inspection method, the method comprising the steps of:

step 1, uploading data needing to be safely scanned by a user through a communication module, and submitting tasks through a processing module;

step 2, the system receives a task request and attached data to be scanned, saves the data to be scanned to a file system, creates task items in a task database through a processing module, writes various information of a new task, including a file saving path to be scanned, and then performs data inspection through a scanning module;

step 3, the scanning module polls the database regularly through a scanning program, if a new task is found, the task attribute is read to obtain a data path to be scanned, the data is scanned according to the path, a scanning result is generated and an inspection report file is stored to a designated path after the scanning is finished, and meanwhile, the state of the current task item is updated to be finished in the task database;

the specific working method of the step 3 comprises the following steps:

step 31, firstly, a scanning program obtains a scanning path, and starts to traverse all files under the path and all sub paths;

step 32, carrying out file type filtering, file type verification and file encryption checking on the file, if the checking is not passed, directly reporting the file as a suspicious file, and if the checking is normal, entering the next checking;

the specific method of the step 32 includes:

the file type filtering method comprises the following steps:

firstly, scanning the suffix name of a file;

secondly, comparing the scanned suffix name with a white list which is set in advance;

finally, the file types in the white list can pass, and other types are reported as suspicious files.

The method for verifying the file type comprises the following steps:

firstly, scanning the suffix name of a file;

secondly, checking the file structure according to the format stated by the file suffix name;

finally, it is reported as suspicious if it does not conform to the format identified by the suffix.

The file encryption checking method comprises the following steps: the system reports all files protected by the password as suspicious files, scans file types supporting encryption, checks whether the files are encrypted or not, and reports the encrypted files as suspicious.

Through the technical scheme, the scanning program carries out file type filtering, file type verification and file encryption checking on the file, if the checking is not passed, the file is directly reported as a suspicious file, image noise and conversion are carried out on the image file, the file in the file is decompressed by compressing the file, then the file is checked, if the checking is not passed, the file is directly reported as the suspicious file, and if the checking is normal, the next checking is carried out.

Step 33, sequentially performing Office document structure inspection and text keyword inspection on the Office document, reporting to be a suspicious file if the inspection is not passed, and entering the next inspection if the inspection is normal;

the specific method of step 33 includes:

the Office document structure checking method comprises the following steps: checking the file structure of Office documents according to the definition of Microsoft on various Office documents, checking some common data hiding methods and reporting files of hidden data;

the text keyword checking method comprises the following steps:

first, each byte of the file is scanned;

then, comparing the scanned bytes with the contrast keywords defined in advance;

the definition method of the comparison keywords comprises the following steps:

firstly, randomly selecting a plurality of sensitive documents as an experimental data set, processing the experimental data set by using an algorithm tool, selecting candidate keywords, and forming the obtained keywords into a keyword vocabulary;

then, calculating weights for each candidate keyword in the keyword vocabulary, and ranking according to the weights to screen out the first five candidate keywords with the maximum weights;

and finally, deleting other candidate keywords, wherein the five screened candidate keywords are comparison keywords.

And finally, if the comparison keywords appear, reporting as suspicious text.

By the technical scheme, office document structure inspection and text keyword inspection are sequentially carried out on Office documents, office texts are inspected through keywords defined in advance, and out-of-line suspicious texts are prevented.

Step 34, performing image noise adding and transformation on the image file;

methods of using active attacks on image files destroy hidden data that may be present in them: noise is added to the image file to destroy possible LSB steganography data, and then fine rotation and scaling transformation are carried out to destroy possible DCT steganography data, wherein the step is a cleaning operation, a suspicious examination result is not generated, and the original image file is not influenced.

Through the technical scheme, hidden data possibly existing in the image file is destroyed through active attack, and the original image file is not influenced.

Step 35, decompressing the compressed package files, returning to the step one again, and scanning all files in the compressed package;

the present system uses the Zlib development package to compress and decompress the Zip file, uses the rar.exe to compress the RAR document, and uses the un.dll to decompress the RAR file.

By the technical scheme, after the compressed file is decompressed, scanning is performed, and the phenomenon that suspicious files are mixed in the compressed file is avoided.

Step 36, after the file enumeration has been completed for all files in the scan path, the scan is completed, the report generator collects all inspection results, sorts the results into report files, and stores the report files in the designated path, so that the task execution is completed.

And 4, when the user requests the task state next time, the system queries task items in the database through the query module, and if the task state is completed, the scanning result is read from the file system according to the designated path.

The scanning program can continuously poll the task database, search the tasks to be executed in the task database and execute the tasks in sequence, and if all the tasks are executed, the polling can still be continued to wait for new tasks to appear.

Through the technical scheme, when the data security needs to be checked, task items can be created in the task database through the processing module, various information of a new task including a file storage path to be scanned is written, then the scanning module is used for scanning data, a scanning result is generated into a checking report file to store a specified path after the scanning is completed, a user can inquire the task items in the database through the inquiring module, and if the task state is completed, the scanning result is read from the file system according to the specified path.

A data acquisition security inspection system, comprising: the device comprises a communication module, a processing module and a scanning module;

and a communication module: the system is used for uploading files needing to be safely scanned and sending task demands to the system;

the processing module is used for: the method comprises the steps of creating a scanning task item and writing various information of a new task;

the scanning module is responsible for scanning the detection file and is a core module of the system.

The foregoing describes one embodiment of the present invention in detail, but the description is only a preferred embodiment of the present invention and should not be construed as limiting the scope of the invention. All equivalent changes and modifications within the scope of the present invention are intended to be covered by the present invention.

Claims (8)

1. A method of data security inspection, the method comprising the steps of:

step 1, uploading data needing to be safely scanned by a user through a communication module, and submitting tasks through a processing module;

step 2, the system receives a task request and attached data to be scanned, saves the data to be scanned to a file system, creates task items in a task database through a processing module, writes various information of a new task, including a file saving path to be scanned, and then performs data inspection through a scanning module;

step 3, the scanning module polls the database regularly through a scanning program, if a new task is found, the task attribute is read to obtain a data path to be scanned, the data is scanned according to the path, a scanning result is generated and an inspection report file is stored to a designated path after the scanning is finished, and meanwhile, the state of the current task item is updated to be finished in the task database;

step 4, when the user requests the task state next time, the system inquires task items in the database through the inquiry module, and if the task state is completed, the scanning result is read from the file system according to the designated path;

the specific working method of the step 3 comprises the following steps:

step 31, firstly, a scanning program obtains a scanning path, and starts to traverse all files under the path and all sub paths;

step 32, carrying out file type filtering, file type verification and file encryption checking on the file, if the checking is not passed, directly reporting the file as a suspicious file, and if the checking is normal, entering the next checking;

step 33, sequentially performing Office document structure inspection and text keyword inspection on the Office document, reporting to be a suspicious file if the inspection is not passed, and entering the next inspection if the inspection is normal;

step 34, image noise adding and transformation are carried out on the image file;

step 35, decompressing the compressed package files, returning to the step one again, and scanning all files in the compressed package;

step 36, after the file enumeration has been completed for all files in the scan path, the scan is completed, the report generator collects all inspection results, sorts the results into report files, and stores the report files in the designated path, so that the task execution is completed.

2. The data security inspection method of claim 1, wherein the scanning program continuously polls the task database, retrieves the tasks to be executed therein and sequentially executes them, and if all tasks are executed, the polling continues to wait for new tasks to appear.

3. The data security inspection method according to claim 1, wherein the specific method of step 32 comprises:

the file type filtering method comprises the following steps:

firstly, scanning the suffix name of a file;

secondly, comparing the scanned suffix name with a white list which is set in advance;

finally, the file types in the white list can pass through, and other types are reported as suspicious files;

the method for verifying the file type comprises the following steps:

firstly, scanning the suffix name of a file;

secondly, checking the file structure according to the format stated by the file suffix name;

finally, reporting as suspicious if it does not conform to the format identified by the suffix;

the file encryption checking method comprises the following steps: the system reports all files protected by the password as suspicious files, scans file types supporting encryption, checks whether the files are encrypted or not, and reports the encrypted files as suspicious.

4. The method for data security inspection according to claim 1, wherein,

the specific method of step 33 includes:

the Office document structure checking method comprises the following steps: checking the file structure of Office documents according to the definition of Microsoft on various Office documents, checking some common data hiding methods and reporting files of hidden data;

the text keyword checking method comprises the following steps:

first, each byte of the file is scanned;

then, comparing the scanned bytes with the contrast keywords defined in advance;

and finally, if the comparison keywords appear, reporting as suspicious text.

5. The method for data security inspection according to claim 4, wherein,

the definition method of the comparison keywords comprises the following steps:

firstly, randomly selecting a plurality of sensitive documents as an experimental data set, processing the experimental data set by using an algorithm tool, selecting candidate keywords, and forming the obtained keywords into a keyword vocabulary;

then, calculating weights for each candidate keyword in the keyword vocabulary, and ranking according to the weights to screen out the first five candidate keywords with the maximum weights;

and finally, deleting other candidate keywords, wherein the five screened candidate keywords are comparison keywords.

6. The data security inspection method according to claim 1, wherein the specific method of step 34 comprises: methods of using active attacks on image files destroy hidden data that may be present in them: noise is added to the image file to destroy the possible LSB steganographic data, and then a fine rotation and scaling is performed to destroy the possible DCT steganographic data.

7. The data security inspection method according to claim 1, wherein in the step 35: the present system uses the Zlib development package to compress and decompress the Zip file, uses the rar.exe to compress the RAR document, and uses the un.dll to decompress the RAR file.

8. A data security inspection system employing the method of any one of claims 1-7, comprising: the device comprises a communication module, a processing module and a scanning module;

and a communication module: the system is used for uploading files needing to be safely scanned and sending task demands to the system;

the processing module is used for: the method comprises the steps of creating a scanning task item and writing various information of a new task;

the scanning module is responsible for scanning detection data and is a core module of the system.