CN116305250A - Printing control method and device based on data leakage prevention, electronic equipment and medium - Google Patents


Info

Publication number
CN116305250A
Authority
CN
China
Prior art keywords
printing
print
content
virtual
sensitive information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310093398.7A
Other languages
Chinese (zh)
Inventor
谢少飞
龚升俊
喻波
王志海
安鹏
王志华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Application filed by Beijing Wondersoft Technology Co Ltd filed Critical Beijing Wondersoft Technology Co Ltd
Priority to CN202310093398.7A priority Critical patent/CN116305250A/en
Publication of CN116305250A publication Critical patent/CN116305250A/en
Pending legal-status Critical Current

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F3/1238 Secure printing, e.g. user identification, user rights for device usage, unallowed content, blanking portions or fields of a page, releasing held jobs
    • G06F3/1285 Remote printer device, e.g. being remote from client or server
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Human Computer Interaction (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Accessory Devices And Overall Control Thereof (AREA)

Abstract

The embodiments of the application disclose a print management and control method, device, electronic equipment and medium based on data leakage prevention. The method comprises the following steps: when a print job is detected, intercepting the print job and extracting the virtual print content in the print job; matching the virtual print content against a sensitive information base to obtain a matching result; determining a control mode for the virtual print content according to the matching result; and controlling the target printer to print the virtual print content according to the control mode. The method effectively prevents confidential information from being printed carelessly: it determines whether the print content contains sensitive information, applies effective control to that information, and finally prevents the sensitive information from leaking by controlling the target printer.

Description

Printing control method and device based on data leakage prevention, electronic equipment and medium
Technical Field
The invention relates to the field of information security, in particular to a printing management and control method, a device, electronic equipment and a medium based on data leakage prevention.
Background
With the spread and development of computers and the internet in China, they have reached every corner of society, and every field depends increasingly on computers and networks. Printers are an indispensable and commonplace office tool, yet this commonplace tool has become an important channel for data leakage.
At present, network information security risks are increasingly prominent, information leaks occur from time to time, endpoint leakage channels keep multiplying, and protecting confidential information is increasingly challenging. Many enterprises place no direct limits on staff printing and have no corresponding management mechanism for the printing of confidential documents and data, so confidential documents and data are leaked without anyone noticing.
Disclosure of Invention
In order to solve the above problems, embodiments of the present application provide a print control method, device, electronic apparatus, and medium based on data leakage prevention.
Some embodiments of the application disclose a print management and control method based on data leakage prevention, the method comprising:
when a print job is detected, intercepting the print job and extracting virtual print content in the print job;
performing sensitive information matching on the virtual printing content in a sensitive information base to obtain a matching result;
determining a control mode of the virtual printing content according to the matching result;
and controlling the target printer to print the virtual printing content according to the control mode.
Optionally, before the sensitive information matching is performed on the virtual printing content in the sensitive information base to obtain a matching result, the method includes:
establishing a sensitive information base by loading preset sensitive information rules, wherein the sensitive information base at least comprises: sensitive information keywords, data, file names, user IDs.
Optionally, the determining a control manner of the virtual print content according to the matching result includes:
when the matching result comprises a sensitive transaction, determining a control mode of the virtual printing content as watermark printing; wherein the watermark printing comprises: at least one of plaintext watermarking, two-dimensional code watermarking, picture watermarking and vector watermarking, wherein the sensitive transaction comprises: at least one of policy content, copyright content and confidential content.
Optionally, after determining the control mode of the virtual print content as watermark printing when the matching result includes a sensitive transaction, the method further comprises:
adding a plurality of watermark information to the virtual print content; the watermark information at least comprises an IP address, a MAC address, administrator definition information and content ciphertext.
Optionally, before controlling the target printer to print the virtual print content according to the control mode, the method includes:
identity authentication and authority authorization are carried out on the printing users in the virtual printing content; wherein the identity authentication comprises at least one of user name and password authentication, fingerprint identification and face recognition, and the authority authorization comprises at least one of role authority and access control list so as to ensure that only authorized users can execute printing operation.
Optionally, after controlling the target printer to print the virtual print content according to the control mode, the method further includes:
performing security audit on the virtual printing content;
and after the auditing is finished, the virtual printing content, the control mode and the user information are recorded in an auditing log.
Optionally, after the determining the control mode for the virtual print content according to the matching result, the method includes:
when the control mode is determined to be approval printing, the virtual printing content is sent to an approval client;
after the approval client finishes approval, if the approval passes, printing continues, and if the approval is refused, a corresponding refused-print flow is generated; wherein the refused-print flow includes at least one of resubmitting for review and print failure.
Some embodiments of the present application provide a print management and control apparatus based on data leakage prevention, the apparatus including:
the detection module is used for intercepting the print task and extracting virtual print content in the print task when the print task is detected;
the processing module is used for carrying out sensitive information matching on the virtual printing content in the sensitive information base to obtain a matching result; determining a control mode of the virtual printing content according to the matching result;
and the printing module is used for controlling the target printer to print the virtual printing content according to the control mode.
Optionally, the processing module is further configured to:
establishing a sensitive information base by loading preset sensitive information rules, wherein the sensitive information base at least comprises: sensitive information keywords, data, file names, user IDs.
Optionally, the processing module is further configured to:
when the matching result comprises a sensitive transaction, determining a control mode of the virtual printing content as watermark printing; wherein the watermark printing comprises: at least one of plaintext watermarking, two-dimensional code watermarking, picture watermarking and vector watermarking, wherein the sensitive transaction comprises: at least one of policy content, copyright content and confidential content.
Optionally, the processing module is further configured to:
adding a plurality of watermark information to the virtual print content; the watermark information at least comprises an IP address, a MAC address, administrator definition information and content ciphertext.
Optionally, the printing module is further configured to:
identity authentication and authority authorization are carried out on the printing users in the virtual printing content; wherein the identity authentication comprises at least one of user name and password authentication, fingerprint identification and face recognition, and the authority authorization comprises at least one of role authority and access control list so as to ensure that only authorized users can execute printing operation.
Optionally, the printing module is further configured to:
performing security audit on the virtual printing content;
and after the auditing is finished, the virtual printing content, the control mode and the user information are recorded in an auditing log.
Optionally, the processing module is further configured to:
when the control mode is determined to be approval printing, the virtual printing content is sent to an approval client;
after the approval client finishes approval, if the approval passes, printing continues, and if the approval is refused, a corresponding refused-print flow is generated; wherein the refused-print flow includes at least one of resubmitting for review and print failure.
The embodiment of the application also provides electronic equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the steps of the printing management and control method based on data leakage prevention according to any one of the above steps when executing the program.
The embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the print management and control method based on data leakage prevention as described in any one of the above.
According to the print control method, system, electronic equipment and medium based on data leakage prevention, confidential information can be effectively prevented from being printed carelessly: whether the print content contains sensitive information can be determined, the sensitive information is effectively controlled, and finally the target printer is controlled to prevent the sensitive information from being leaked. The method addresses document-printing leakage comprehensively, without blind spots, and effectively improves the information security level of enterprises.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the present application can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present application are more apparent, a detailed description of the present application is given below.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, a brief description will be given below of the drawings that are needed in the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 schematically illustrates a flow chart of a print management and control method based on data leakage prevention according to some embodiments of the present application;
FIG. 2 schematically illustrates a system diagram of another print management and control method based on data leakage prevention provided by some embodiments of the present application;
FIG. 3 schematically illustrates the first use case schematic of another print management and control method based on data leakage prevention provided by some embodiments of the present application;
FIG. 4 schematically illustrates a print interception implementation flow chart of another print control method based on data leakage prevention according to some embodiments of the present application;
FIG. 5 schematically illustrates an output print flow diagram of another print management and control method based on data leakage prevention provided by some embodiments of the present application;
FIG. 6 schematically illustrates a print control flow diagram of another print control method based on data leakage prevention provided by some embodiments of the present application;
FIG. 7 schematically illustrates a schematic diagram of a control action of another print control method based on data leakage prevention provided by some embodiments of the present application;
FIG. 8 schematically illustrates the second use case schematic of another print control method based on data leakage prevention according to some embodiments of the present application;
FIG. 9 schematically illustrates a schematic structural diagram of a print management and control apparatus based on data leakage prevention according to some embodiments of the present application;
FIG. 10 schematically illustrates a block diagram of a computing processing device for performing methods according to some embodiments of the present application;
FIG. 11 schematically illustrates a storage unit for holding or carrying program code for implementing methods according to some embodiments of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 1 schematically illustrates a flow chart of a print management method based on data leakage prevention according to some embodiments of the present application, where the method includes:
Step 101: when a print job is detected, intercept the print job and extract the virtual print content in the print job.
In the embodiment of the application, the system checks every print job: before printing occurs, it intercepts the print job and extracts the content in it. The extracted content is referred to as virtual print content. The aim is to ensure that the printed content does not contain sensitive information, to prevent confidential information from being printed out carelessly, and to protect information security.
In this embodiment, for example, an employee in an enterprise needs to print a financial statement. After the employee clicks the "print" button, the system intercepts the print job and extracts the virtual print content of the financial statement. If sensitive information exists in the content, the system can keep it from being printed out through corresponding control measures (such as prohibiting printing).
Step 102: perform sensitive information matching on the virtual printing content in a sensitive information base to obtain a matching result.
In the embodiment of the application, the extracted virtual printing content is matched against the sensitive information in the sensitive information base to obtain a matching result. The purpose of this step is to determine whether the printed content contains sensitive information. The sensitive information base is established in advance by an enterprise or organization administrator and stores keywords or patterns of sensitive information, for example: financial statements, secret plans, employee personal information, and the like. When matching, the system compares the virtual printed content with the information in the sensitive information base; if the same keywords or patterns are present, the system treats the content as sensitive information and obtains a matching result.
In the embodiment of the application, for example, an enterprise stores the keyword 'financial statement' in its sensitive information base. When an employee prints a financial statement, the system matches the virtual printing content of the statement against the keyword 'financial statement' in the sensitive information base. If the match succeeds, the system obtains a matching result and applies corresponding management and control measures to protect information security.
Step 103: determine a control mode of the virtual printing content according to the matching result.
In the embodiment of the application, a control mode for the virtual printing content is determined according to the obtained matching result. Based on the matching result, the system decides whether to apply control measures such as restricting printing, adding watermarks, or requiring a print application (approval request) to protect information security. Illustratively, assume the matching result is that the financial statement contains sensitive information. The system determines how to control the financial statement based on this result. The system may provide that only staff in the finance department can print financial statements and that each financial statement be watermarked to prevent sensitive information from being revealed.
Step 104: control the target printer to print the virtual printing content according to the control mode.
In the embodiment of the application, the printer is controlled to print the virtual printing content according to the determined control mode. That is, the control mode is enforced to ensure information security. Illustratively, the financial statement contains sensitive information, and the control mode is that only staff in the finance department can print financial statements and that a watermark is added to each financial statement. The system controls the target printer so that only finance department staff can print the financial statement, and adds the watermark to the financial statement before printing.
According to the embodiment of the application, the method effectively prevents confidential information from being printed carelessly: it determines whether the print content contains sensitive information, applies effective control to that information, and finally controls the target printer to prevent the sensitive information from being revealed. The method addresses document-printing leakage comprehensively, without blind spots, and effectively improves the information security level of enterprises.
Optionally, before step 102, the method includes:
establishing a sensitive information base by loading preset sensitive information rules, wherein the sensitive information base at least comprises: sensitive information keywords, data, file names, user IDs.
In the embodiment of the present application, the purpose of this part is to create a sensitive information base that stores the rules relating to sensitive information. The base is established by loading preset sensitive information rules, which an enterprise or organization administrator defines before the system is set up. The rules may include sensitive information keywords, data, file names, user IDs, etc., and are loaded into the sensitive information base.
In the embodiment of the application, for example, the enterprise ABC has an anti-disclosure system for which an administrator has preset some sensitive information rules, including: sensitive information keywords: "secret", "confidential"; data: financial statement; file name: financial statement; user name: "administrator". When an employee attempts to print a document named "financial statement", the system detects the print job. The system queries the sensitive information base for file name or data rules that include "financial statement". If such rules exist, it checks whether the employee has authority to print the document and whether the document contains the sensitive information keywords "secret" or "confidential". If the employee does not have permission to print the file, or the file contains sensitive information keywords, the system intercepts the print task and notifies an administrator to review it; if the employee has authority to print the file and the file does not contain sensitive information keywords, the system allows the printing and records the printing operation. In addition, depending on the matching result, the system may perform other operations on the printed content, such as watermarking, print application (approval request), recording statistics, etc. These operations all serve to better protect sensitive information and prevent data leakage.
In the embodiment of the application, the sensitive information can be better detected and managed by matching the sensitive information in the sensitive information base, and the safety of the system is improved.
Optionally, step 103 includes:
step 103A, determining the control mode of the virtual printing content as watermark printing when the matching result comprises a sensitive transaction; wherein the watermark printing comprises: at least one of plaintext watermarking, two-dimensional code watermarking, picture watermarking and vector watermarking, wherein the sensitive transaction comprises: at least one of policy content, copyright content and confidential content.
In the embodiment of the application, when the system matches a sensitive transaction in the sensitive information base, it sets the control mode of the printing content to watermark printing. Watermark printing refers to adding a watermark to a print file. Watermark printing may comprise: plaintext watermark printing, i.e. adding a text watermark to the printed file, such as "confidential file, external transmission prohibited"; two-dimensional code watermark printing, i.e. adding a two-dimensional code watermark to the printed file, such as a number; picture watermark printing, i.e. adding a picture watermark to the printed file, such as the company LOGO; and vector watermark printing, i.e. adding a vector watermark to the printed file, such as lines. The sensitive transaction may include at least one of policy content, copyrighted content and confidential content. Policy content refers to information related to national security and politics, copyright content refers to information related to copyright, and confidential content refers to information related to confidentiality.
In the embodiment of the application, for example, the enterprise ABC has a document "confidential report". When an employee tries to print the document, the system adds the plaintext watermark "confidential document, export prohibited" to the printed document and records this printing operation so that the administrator can review it. Thus, the confidential report can be effectively prevented from being accidentally leaked. In addition, if the system matches copyrighted content in the sensitive information base, it may add a picture watermark, such as the corporate LOGO, to prevent the file from being stolen. If the system matches confidential content in the sensitive information base, it may add a two-dimensional code watermark, such as a file number, to prevent the file from being stolen.
In the embodiment of the application, the watermark printing function is added into the system, so that sensitive information can be effectively prevented from being leaked, and enterprise data security is protected.
Optionally, after step 103A, it includes:
adding a plurality of watermark information to the virtual print content; the watermark information at least comprises an IP address, a MAC address, administrator definition information and content ciphertext.
In the embodiment of the application, the system adds a plurality of watermark information so that enterprise data security can be better protected. The watermark information may include: IP address, MAC address, administrator definition information, content ciphertext. IP address: the source IP address of the print file, e.g., the IP address of the printer, so that the source of the print file can be known. MAC address: the source MAC address of the print file, e.g., the MAC address of the printer, so that the source of the print file can be known. Administrator definition information: information manually set by the administrator, such as the name of the administrator, the department to which the administrator belongs, the date, etc., so that it is known by whom the document was printed. Content ciphertext: a ciphertext version of the file content, which may prevent the file from being stolen.
In the embodiment of the application, when the system detects that a confidential report needs to be printed, it adds a plurality of watermark information, such as the IP address of the printer, the name of the administrator, the content ciphertext of the file, and the like. In this way, even if the file is stolen, the source of the file can be determined and tracked through the watermark information.
In the embodiment of the application, the sensitive information can be effectively prevented from being leaked by adding a plurality of watermark information, and the enterprise data security is protected.
Optionally, before step 104, the method includes:
identity authentication and authority authorization are carried out on the printing users in the virtual printing content; wherein the identity authentication comprises at least one of user name and password authentication, fingerprint identification and face recognition, and the authority authorization comprises at least one of role authority and access control list so as to ensure that only authorized users can execute printing operation.
In the embodiment of the application, when a print task is detected, the identity and the authority of the print user are verified. Only authenticated users can print files. Illustratively, when the system detects that a user is attempting to print a confidential report, the system first verifies whether the user has authority to print the document. If the user is not authenticated or has no print authority, the system will reject the print request. Thus, unauthorized users can be restricted from printing confidential files, and enterprise data security is effectively protected.
Optionally, after step 104, it includes:
Step A1, performing a security audit on the virtual printing content.
In embodiments of the present application, the virtual printed content will be securely audited to ensure that no inappropriate or harmful information is contained therein. The audit may include manual audit and automatic audit. Manual review may involve a manual inspection of the printed content by an administrator or security specialist to ensure that it meets the security policies and standards of the company or organization. Automatic auditing may include the system evaluating the security of the printed content using preset rules and algorithms. Illustratively, in a company, the system automatically scans the print to ensure that keywords or sensitive information associated with the company's confidential information are not contained therein. If the system discovers these keywords or sensitive information, the printing will be disabled and the administrator will be notified for further review.
Step A2, after the auditing is completed, the virtual printing content, the control mode and the user information are recorded in an audit log.
In the embodiment of the application, the recording is performed after the security audit is completed, and the purpose of the recording is to record information in the audit process for subsequent audit and analysis. Specifically, in this step, the system records virtual print content, management and user information in an audit log. This information can be used to assist a system administrator or security specialist in further analysis to identify and resolve security issues that may exist. Illustratively, assume that an employee attempts to print a document containing sensitive information. During the auditing process, the system will detect that this document contains sensitive information and mark it as requiring watermark printing. After the audit is completed, the system records the information of the file (including file name, user name, printing time, etc.), the control mode (i.e. watermark printing) and the user information (such as IP address and MAC address) in the audit log. This information can be used in subsequent reviews to identify and resolve security issues.
In the embodiment of the application, the virtual printing content, the control mode and the user information are recorded in the audit log, so that subsequent audit and analysis can be conveniently carried out on the printing content to find and prevent the occurrence of sensitive information leakage events. Meanwhile, the printer monitoring system can help an administrator to monitor the use condition of the printer, discover abnormal behaviors in time and take measures.
Optionally, step 103 includes:
Step S1, when the control mode is determined to be approval printing, the virtual printing content is sent to an approval client.
In this embodiment of the present application, when it is determined that the control manner is approval printing, the system sends the virtual printing content to the approval client. An approval client refers to a specific system or application for approving a document to be printed. This may be performed by security or management personnel in the company. In this way, the administrator can view the file and determine whether printing is allowed, and the user can only print approved files. This helps to prevent confidential documents from being accidentally printed out, protecting the company's sensitive information from leakage. Illustratively, when an employee needs to print a confidential document, the system will send the document to the approval client of the security group, the administrator of the security group will look at the document and decide whether to allow printing, if so, the document will be printed out, otherwise the print request will be denied.
Step S2, after the approval client finishes approval, if the approval passes, printing is continued, and if the approval is refused, a corresponding refused printing flow is generated; wherein the refusal to print process includes at least one of resubmitting an audit and failing to print.
In the embodiment of the application, when the control mode is determined to be approval printing, the system sends the file to an approval client, and the client may be operated by an administrator of the security group. These administrators will look at the file and decide whether to allow printing. If the approval passes, printing will continue, and if rejected, there will be a corresponding reject print flow. These flows may include resubmitting audits and inability to print. For example, when an employee needs to print a confidential document, the system may send the document to the approval client of the security group, and the security group's administrator may view the document and decide whether to allow printing, and if rejected, the document may need to be resubmitted for approval or not be able to be printed.
In the embodiment of the application, the security of the printing content is ensured through the approval process. When the system detects sensitive information, approval is performed by sending virtual print content to an approval client. And determining whether printing is allowed or not through the approval result of the approval client, so that leakage of sensitive information is avoided. If the approval is denied, security may be ensured by resubmitting the approval or not printing.
As shown in fig. 2, in the embodiment of the present application, a data leakage-proof terminal management system implements management and control of printing activities of a PC end by connecting between the PC end and a server end. At the PC end, the data leakage-proof terminal intercepts the detected print task, extracts virtual print content and matches the virtual print content in a sensitive information base of the server end. And determining a management and control mode of the virtual printing content according to the matching result, and if the virtual printing content is matched with the sensitive information, performing watermark printing, authority authentication, security verification and the like by the system.
Specifically, first, by remote injection and hooking of the Windows process print interfaces, the print job is redirected to the virtual printer when the user prints. This allows for monitoring of print events and acquisition of print content. Second, the server side can configure sensitive information, authority content and other information and issue it to the terminal, so that dynamic analysis of the printing content is realized. The terminal generates a printing management and control action after analyzing the printing content according to the strategy. Finally, the terminal sends information such as the printing content, the printing action and the sensitive information snapshot to the server, where it is recorded. Therefore, the traceability of printing events, printing contents and printing control actions can be realized, and the paper watermark content can also be traced. Illustratively, a company has a document about the company's secrets that can only be printed by an administrator. The administrator can set "company secret" as a sensitive information keyword at the server side and install a data leakage-proof terminal on the terminal. When an employee prints the file on their own computer, the terminal intercepts the print task and redirects it to the virtual printer; the terminal detects that the file contains the sensitive information keyword "company secret" and sends the file to an approval client for approval according to the strategy of the server. After approval is completed, if the approval is passed, the file will be printed out, and if the approval is refused, the corresponding refused printing flow follows, such as resubmitting for approval or failing to print. Thus, the confidential document can be effectively prevented from being leaked.
Further, the system includes dynamic management actions: according to the strategy and the analysis result of the printing content, various control actions can be dynamically applied to the printing action, including normal printing, watermark printing, approval printing, prohibition printing, printing records, etc. Dynamically adding watermarks: when a user prints a file on an office or production computer, the watermark content can be defined as IP, MAC, administrator user-defined content, corresponding content ciphertext and the like, and the individual who printed the file can be directly identified through the watermark information, so that responsibility can be traced and determined for a leaked file. Printing approval: when a user prints a document of the relevant sensitivity level, the printing operation of the document is performed under human supervision. Printing log audit: the related information such as the printing log, the watermark content, the printing user name and the like is uploaded to the server for recording, which avoids the situation in which only the person printing knows that confidential material was printed and no one supervises that person.
As shown in fig. 3, in the embodiment of the present application, at the user end the user may select a general printer to print. The process-level hook on the print API intercepts the job and redirects it to a virtual print driver, and content analysis and filtering are performed on the print content. In this step the server end may provide print content analysis parameters, including sensitive keyword to sensitivity level configuration, sensitivity level to print management type configuration, print management type to watermark type configuration, and sensitive file configuration; the server end may further provide terminal parameter configuration, including user authority configuration and printer blacklist and whitelist configuration. Print management type analysis and filtering are then performed, and normal printing, prohibited printing, watermark printing or approval printing is carried out based on the analysis result. An audit log is recorded and stored in a print record database; it includes records such as print tasks, management and control, and watermark content, for querying, statistics, and tracing. Watermark printing adds the corresponding watermarks. Approval printing submits the file for approval; the approval business for printed files includes an approver completing approval through Web and PC, and the approval results are then available for query. Finally, the print content is sent to the target physical printer for printing.
As shown in FIG. 4, in an embodiment of the present application, print interception refers to monitoring print operations in a computer system by a technique called Hook and redirecting print jobs to a virtual printer. Specifically, print redirection may be accomplished by first hooking (Hook) the interfaces associated with the printer handle and printer attributes (the data required to ensure that a file is printed from a given printer are the printer handle and printer attributes, and these are intercepted using Hook), and then replacing the returned print handle and printer attributes with those of the virtual printer. These interfaces include, but are not limited to, OpenPrinter, DocumentProperties, GetDefaultPrinter, etc. In this way, when the user prints, the print job is redirected to the virtual printer instead of the actual printer, thereby achieving the purposes of print event monitoring and print content acquisition.
As shown in FIG. 5, in an embodiment of the present application, when a user selects a general printer, the system intercepts the print operation using the Hook API and redirects it to the virtual printer. Specifically, the system saves the original printer name and jobId (print job number) and returns a virtual driver handle. The system can record and analyze parameters such as printing content, double-sided printing, number of copies and the like, and apply control to them. Finally, the system looks up the original target printer name by jobId and outputs the managed print content to the target printer. In this way, the printing operation can be effectively monitored and managed.
As shown in fig. 6, in the embodiment of the present application, the print content parsing dynamic management is implemented by analyzing the print content. When the user selects printing, the system analyzes the printing content and analyzes the printing content according to a preset strategy. These policies may include sensitive keywords, user configuration, document type, rights management, printer configuration, and watermark configuration. According to the analysis result, the system performs corresponding control actions, such as normal printing, watermark printing, printing prohibition and the like. Thus, the security of the print content can be ensured.
As shown in fig. 7, in the embodiment of the present application, print control is based on the policy and the print content analysis result: the terminal generates the corresponding print control action, which may be normal printing, watermark printing, approval printing, or prohibition printing. For normal printing, the corresponding printing content is output again to the target printer for printing. For approval printing, the corresponding printing content is sent for approval and is printed after the approval passes. Watermark printing comprises a plaintext watermark, a ciphertext watermark, a two-dimensional code watermark, a dot matrix watermark and the like. Meanwhile, the terminal can send the printing content, the action record and the sensitive information snapshot to the server, so that traceability of printing events, printing content and printing management and control actions is realized. In this way, the company can better manage the print content and ensure data security.
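The configuration chain of fig. 3 (keyword to sensitivity level, level to control mode, mode to watermark type, plus user authority and printer blacklist) and the control actions of fig. 7 can be exercised as a small decision engine. This is an added example, not code from the patent: every policy value, name and sample job is constructed, and the HMAC-based content tag is an assumed stand-in for the "content ciphertext" watermark field.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample policy, shaped like the server-side configuration the description lists.
KEYWORD_LEVEL = {"internal use": 1, "company secret": 2, "top secret": 3}   # keyword -> level
LEVEL_MODE = {0: "normal", 1: "watermark", 2: "approval", 3: "prohibit"}    # level -> control mode
MODE_WATERMARK = {"watermark": "plaintext", "approval": "two-dimensional code"}  # mode -> watermark type
AUTHORIZED_USERS = {"alice", "bob"}       # user authority configuration (hypothetical users)
PRINTER_BLACKLIST = {"lobby-printer"}     # printer blacklist (hypothetical printer name)
WATERMARK_KEY = b"constructed-demo-key"   # assumption: a secret issued by the server


@dataclass
class PrintJob:
    job_id: int
    user: str
    src_ip: str
    src_mac: str
    target_printer: str
    file_name: str
    text: str  # content extracted by the virtual printer


def _normalize(s):
    # Collapse whitespace and case so a keyword split across lines still matches.
    return re.sub(r"\s+", " ", s).strip().lower()


def match_sensitive(job):
    """Return sorted (keyword, level) pairs found in the file name or content."""
    haystack = _normalize(job.file_name + " " + job.text)
    return sorted((kw, lvl) for kw, lvl in KEYWORD_LEVEL.items() if kw in haystack)


def decide(job):
    """Return (control mode, reason, keyword hits); authority checks come first."""
    if job.user not in AUTHORIZED_USERS:
        return "prohibit", "user not authorized", []
    if job.target_printer in PRINTER_BLACKLIST:
        return "prohibit", "printer blacklisted", []
    hits = match_sensitive(job)
    level = max((lvl for _, lvl in hits), default=0)
    mode = LEVEL_MODE.get(level, "prohibit")  # unknown level fails closed
    return mode, f"sensitivity level {level}", hits


def watermark_fields(job, admin_info):
    """Traceability fields named in the description: IP, MAC, admin info, content tag."""
    tag = hmac.new(WATERMARK_KEY, job.text.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return {"ip": job.src_ip, "mac": job.src_mac, "admin": admin_info, "content_tag": tag}


def handle(job, audit_log, approver=None, admin_info="Security Dept"):
    """Apply the control mode and append one audit record, whatever the outcome."""
    mode, reason, hits = decide(job)
    if mode == "approval":
        # No approver available counts as not approved.
        outcome = "printed" if (approver is not None and approver(job)) else "rejected"
    elif mode == "prohibit":
        outcome = "blocked"
    else:
        outcome = "printed"
    watermark = None
    if outcome == "printed" and mode in MODE_WATERMARK:
        watermark = {"type": MODE_WATERMARK[mode], **watermark_fields(job, admin_info)}
    record = {
        "job_id": job.job_id, "user": job.user, "file_name": job.file_name,
        "printer": job.target_printer, "src_ip": job.src_ip, "src_mac": job.src_mac,
        "mode": mode, "reason": reason, "outcome": outcome,
        "hits": [kw for kw, _ in hits], "watermark": watermark,
    }
    audit_log.append(record)
    return record


if __name__ == "__main__":
    log = []
    job = PrintJob(7, "alice", "10.0.0.5", "00:11:22:33:44:55",
                   "floor2-printer", "q3-plan.docx", "Company   Secret\nroadmap")
    print(handle(job, log, approver=lambda j: True))
```

Blocked and rejected jobs are logged as well as printed ones, which is what makes the audit trail useful for tracing attempts rather than only successful prints.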
As shown in fig. 8, the basic process flow of the client is as follows: each PC end monitors local printing events by means of remote injection, API Hook and the like; a print job is detected, and the relevant print parameters of the user operation (the number of copies, whether double-sided, the number of boards and the like) are acquired; the print job is redirected to a virtual print driver; the virtual driver obtains the print content; sensitivity matching is performed on the print content against information such as file name, file id, user name, user id and sensitive information keywords, and further print management and control is applied. For example, if a user, Wang, is a core leader, Wang's user name or user id is placed in the database with confidentiality level 1, and on a match encryption printing or other special control measures are applied. The control actions comprise normal printing, watermark printing (plaintext, two-dimensional code, picture, vector (invisible watermark)), printing prohibition, file approval and the like; the service module can send the relevant management and control actions, sensitive information snapshots and other information to the server side, which facilitates tracing and querying; and the print content is output to the target printer for printing according to the related parameters of the user operation (the number of copies, whether double-sided, the number of boards and the like).
As shown in fig. 9, some embodiments of the present application provide a print-management apparatus 30 based on data leakage prevention, the apparatus 30 including:
the detection module 301 is used for intercepting a print job and extracting virtual print content in the print job when the print job is detected;
the processing module 302 is configured to match the sensitive information of the virtual print content in a sensitive information base, so as to obtain a matching result; determining a control mode of the virtual printing content according to the matching result;
the printing module 303 is used for controlling the target printer to print the virtual printing content according to the control mode.
Optionally, the processing module 302 is further configured to:
establishing a sensitive information base by loading preset sensitive information rules, wherein the sensitive information base at least comprises: sensitive information key, data, file name, user ID.
Optionally, the processing module 302 is further configured to:
when the matching result comprises a sensitive transaction, determining a control mode of the virtual printing content as watermark printing; wherein the watermark printing comprises: at least one of plaintext watermarking, two-dimensional code watermarking, picture watermarking and vector watermarking, wherein the sensitive transaction comprises: at least one of policy content, copyright content and confidential content.
Optionally, the processing module 302 is further configured to:
adding a plurality of watermark information to the virtual print content; the watermark information at least comprises an IP address, a MAC address, administrator definition information and content ciphertext.
Optionally, the printing module 303 is further configured to:
identity authentication and authority authorization are carried out on the printing users in the virtual printing content; wherein the identity authentication comprises at least one of user name and password authentication, fingerprint identification and face recognition, and the authority authorization comprises at least one of role authority and access control list so as to ensure that only authorized users can execute printing operation.
Optionally, the printing module 303 is further configured to:
performing security audit on the virtual printing content;
and after the auditing is finished, the virtual printing content, the control mode and the user information are recorded in an auditing log.
Optionally, the processing module 302 is further configured to:
when the control mode is determined to be approval printing, the virtual printing content is sent to an approval client;
after the approval client finishes approval, if the approval passes, printing is continued, and if the approval is refused, a corresponding refused printing flow is generated; wherein the refusal to print process includes at least one of resubmitting an audit and failing to print.
According to the method, confidential information can be effectively prevented from being printed carelessly: whether the printing content contains sensitive information can be determined, the sensitive information is effectively managed and controlled, and finally the target printer is controlled so that the sensitive information is not revealed. The problem of leakage through document printing can be solved comprehensively and without blind spots, and the information security level of enterprises is effectively improved.
The above described embodiments of the apparatus are only illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Various component embodiments of the present application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in a computing processing device according to embodiments of the present application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application may also be embodied as an apparatus or device program (e.g., computer program and computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a non-transitory computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 10 illustrates a computing processing device that may implement methods according to the present application. The computing processing device conventionally includes a processor 410 and a computer program product in the form of a memory 420 or a non-transitory computer readable medium. The memory 420 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. Memory 420 has storage space 430 for program code 431 for performing any of the method steps described above. For example, the memory space 430 for the program code may include individual program code 431 for implementing the various steps in the above method, respectively. The program code can be read from or written to one or more computer program products. These computer program products comprise a program code carrier such as a hard disk, a Compact Disc (CD), a memory card or a floppy disk. Such a computer program product is typically a portable or fixed storage unit as described with reference to fig. 11. The storage unit may have memory segments, memory spaces, etc. arranged similarly to the memory 420 in the computing processing device of fig. 10. The program code may be compressed, for example, in a suitable form. Typically, the storage unit comprises computer readable code 431', i.e. code that can be read by a processor, such as 410, for example, which when run by a computing processing device causes the computing processing device to perform the steps in the method described above.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
Reference herein to "one embodiment," "an embodiment," or "one or more embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Furthermore, it is noted that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A print management and control method based on data leakage prevention, the method comprising:
when a print job is detected, intercepting the print job and extracting virtual print content in the print job;
performing sensitive information matching on the virtual printing content in a sensitive information base to obtain a matching result;
determining a control mode of the virtual printing content according to the matching result;
and controlling the target printer to print the virtual printing content according to the control mode.
2. The method of claim 1, wherein before the matching of the sensitive information to the virtual printed content in the sensitive information repository results in a matching result, the method further comprises:
establishing a sensitive information base by loading preset sensitive information rules, wherein the sensitive information base at least comprises: sensitive information key, data, file name, user ID.
3. The method according to claim 1, wherein determining a manner of controlling the virtual print content according to the matching result comprises:
when the matching result comprises a sensitive transaction, determining a control mode of the virtual printing content as watermark printing; wherein the watermark printing comprises: at least one of plaintext watermarking, two-dimensional code watermarking, picture watermarking and vector watermarking, wherein the sensitive transaction comprises: at least one of policy content, copyright content and confidential content.
4. A method according to claim 3, wherein after determining the controlled manner of the virtual print content as watermark printing when the matching result comprises a sensitive transaction, the method further comprises:
adding a plurality of watermark information to the virtual print content; the watermark information at least comprises an IP address, a MAC address, administrator definition information and content ciphertext.
5. The method according to claim 1, wherein before the control-target printer prints the virtual print content in the managed manner, the method includes:
identity authentication and authority authorization are carried out on the printing users in the virtual printing content; the identity authentication comprises at least one of user name and password authentication, fingerprint identification and face recognition, and the authority authorization comprises at least one of role authority and an access control list.
6. The method according to claim 1, wherein after the control-target printer prints the virtual print content in the controlled manner, the method further comprises:
Performing security audit on the virtual printing content;
and after the auditing is finished, the virtual printing content, the control mode and the user information are recorded in an auditing log.
7. The method according to claim 1, comprising, after said determining a control mode for said virtual print content based on said matching result:
when the control mode is determined to be approval printing, the virtual printing content is sent to an approval client;
after the approval client finishes approval, if the approval passes, printing is continued, and if the approval is refused, a corresponding refused printing flow is generated; wherein the refusal to print process includes at least one of resubmitting an audit and failing to print.
8. A print management and control apparatus based on data leakage prevention, the apparatus comprising:
the detection module is used for intercepting the print task and extracting virtual print content in the print task when the print task is detected;
the processing module is used for carrying out sensitive information matching on the virtual printing content in the sensitive information base to obtain a matching result; determining a control mode of the virtual printing content according to the matching result;
and the printing module is used for controlling the target printer to print the virtual printing content according to the control mode.
9. An electronic device, the device comprising a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to execute the data leakage-proof print management method according to any one of claims 1 to 7 according to the computer program.
10. A computer-readable storage medium storing a computer program for executing the data leakage-proof print managing method according to any one of claims 1 to 7.
CN202310093398.7A 2023-01-19 2023-01-19 Printing control method and device based on data leakage prevention, electronic equipment and medium Pending CN116305250A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310093398.7A CN116305250A (en) 2023-01-19 2023-01-19 Printing control method and device based on data leakage prevention, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN116305250A true CN116305250A (en) 2023-06-23

Family

ID=86815900

Country Status (1)

Country Link
CN (1) CN116305250A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination