CN117478423A - Data security communication system and method - Google Patents


Publication number
CN117478423A
Authority
CN
China
Prior art keywords
information data
data packet
client
information
receiving client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311622501.9A
Other languages
Chinese (zh)
Other versions
CN117478423B (en)
Inventor
刘军辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Oriental Wutong Technology Beijing Co ltd
Original Assignee
Oriental Wutong Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oriental Wutong Technology Beijing Co ltd
Priority to CN202311622501.9A (patent CN117478423B)
Priority claimed from CN202311622501.9A (patent CN117478423B)
Publication of CN117478423A
Application granted
Publication of CN117478423B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Abstract

The invention relates to the technical field of data processing, and in particular to a data security communication system and method. The method comprises: acquiring information about the receiving client that is to receive an information data packet, and determining a sending mode and a transmission path of the information data packet based on the receiving client information and the sending client information; determining the importance level of the information data packet; determining, by the sending client, a protection mechanism for the information data packet according to the sending mode and the importance level of the information data packet; recording, by the protection mechanism in response to the receiving client information, a comprehensive access record log of the information data packet according to a prestored identity verification rule, user action rule and access quantity rule; and, based on the comprehensive access record log, starting a vanishing protocol when a vanishing condition is triggered and sending the comprehensive access record log to the sending client of the information data packet. The invention achieves safer and more controllable transmission of information data packets and protects the confidentiality, integrity and availability of data.

Description

Data security communication system and method
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data security communication system and method.
Background
In the digital age, research and development of data security communication systems and methods are a critical part of ensuring confidentiality and integrity of information transmission. Conventional communication methods often have risks of data leakage and tampering, and thus the need for secure communication systems is increasing.
Chinese patent publication No. CN 115514561B discloses a data security communication system and method in which a data communication request is received, a requesting user and a receiving user are determined according to the request, and the corresponding security authority information is matched; a first communication channel is constructed with the requesting user and a second communication channel is constructed with the receiving user; real-time communication data sent by the requesting user is acquired through the first communication channel and subjected to screening and encryption to obtain screened encrypted data; the screened encrypted data is transmitted to the receiving user through a first communication channel; and the data security communication is monitored and recorded to generate monitoring record data. That method and device can match the corresponding security authority information to the identities of the requesting user and the receiving user, and further screen and encrypt the real-time communication data while the two users communicate, so that the data security of communication among different users is comprehensively ensured. It follows that that invention does not contemplate ensuring the security of data packets by placing a protection mechanism on the communication data packets themselves.
Disclosure of Invention
Therefore, the present invention provides a data security communication system and method to overcome the problem that the prior art does not ensure the security of an information data packet by placing a protection mechanism on the packet itself.
To achieve the above object, in one aspect, the present invention provides a data security communication method, including:
generating an information data packet;
acquiring information of a receiving client for receiving an information data packet, and determining a transmission mode and a transmission path of the information data packet based on the information of the receiving client and the information of a transmitting client;
determining the importance level of the information data packet;
the sending client determines a protection mechanism of the information data packet according to the sending mode and the importance level of the information data packet, the protection mechanism being used to maintain the confidentiality of the information data packet and to record information about the receiving clients of the information data packet in a comprehensive access record log, so that it can be analyzed whether a security threat to the information data packet exists;
the protection mechanism responds to the information of the receiving client, and records the comprehensive access record log of the information data packet according to a prestored identity verification rule, a user action rule and an access quantity rule;
starting a vanishing protocol when a vanishing condition is triggered based on the protection mechanism and sending the comprehensive access record log to a sending client;
adjusting the identity verification rule of the protection mechanism according to the information of the receiving client triggering the vanishing condition and the triggering reason in the comprehensive access record;
the receiving client information comprises a receiving client name and a receiving client MAC address;
the comprehensive access record log comprises a downloading audit log, a transmission tracking log and an access control audit log.
Further, the transmission mode includes transmission through a local area network using VPN and transmission through the internet without using VPN.
Further, the transmission path includes direct transmission and indirect transmission;
the direct transmission is that the sending client transmits the information data packet to the receiving client directly;
and the indirect transmission is that the sending client transmits the information data packet to the receiving client indirectly, through other clients that are not the receiving client, intermediate nodes or transfer stations.
Further, the method for determining the importance level of the information data packet comprises the following steps:
determining a content category according to the content of the information data packet;
determining the importance level based on the content category and the number of receiving clients;
wherein the content categories include text, images, and audio.
Further, the authentication rule includes:
presetting the MAC addresses of a plurality of receiving clients to form a white list of MAC addresses;
confirming whether the MAC address of the receiving client matches an address in the white list, and if the MAC address of the receiving client is identical to any one of the addresses in the white list, the protection mechanism judges that the receiving client is allowed to view the information data packet;
when the MAC address of the receiving client is not identical to any address in the white list, the protection mechanism judges that the receiving client is not allowed to view the information data packet; if the receiving client opens the information data packet, the receiving client triggers a vanishing condition and the vanishing protocol is started, and the information related to the information data packet stored by the receiving client is deleted and destroyed.
Further, the user action rules include that the receiving client is not allowed to copy information data packets and is only allowed to cut and/or transmit information data packets.
Further, when the sending client establishes communication with the receiving client using the sending mode in which information data packets are sent through the internet without using VPN, the access quantity rule of the protection mechanism of the sending client is triggered, the access quantity rule being that the number of clients downloading the information data packet is less than or equal to a preset number.
Further, the vanishing condition is triggered when the MAC address of the receiving client that opens the information data packet is not in the white list, and/or the receiving client transmits the information data packet by copying it.
Further, the vanishing protocol includes disabling access rights to the information data packet, data obfuscation, deleting the data associated with the information data packet in the client, and sending the comprehensive access record log to the sending client.
In another aspect, the present invention also provides a processing system, including:
the sending client is used for determining the importance level of the information data packet, determining the sending mode of the information data packet and a protection mechanism corresponding to the sending mode according to the importance level and the information of the receiving client, and sending the information data packet;
the protection mechanism module is connected with the sending client and is used for starting the protection mechanism to ensure that the information data packet can only be opened by a receiving client whose MAC address is in the white list;
and the receiving client is connected with the sending client and is used for receiving the information data packet and viewing the content of the information data packet.
Compared with the prior art, the data security communication system and method have the advantage that safer and more controllable information data packet transmission is achieved, and the confidentiality, integrity and availability of data are protected.
Further, by acquiring the receiving client information and the transmitting client information, an optimal information data packet transmitting mode and an optimal information data packet transmitting path can be determined, the efficiency and the reliability of data transmission can be improved, and delay and tamper risks in the transmission process are reduced to the greatest extent.
Further, determining the importance level of the information data packets helps the sending client to formulate a proper protection mechanism, and the sending client can select proper encryption, authentication and access control measures for each data packet by identifying the data packets with different levels, which means that the protection policy can be adaptively adjusted according to different situations so as to ensure confidentiality and integrity of important data.
Further, according to the receiving client information, the system records comprehensive access record logs of the information data packet, including a download audit log, a transmission tracking log and an access control audit log, to track the access history of the data packet, monitor potential security events and abnormal behavior, and provide trusted audit evidence.
Further, when the comprehensive access record log shows that a vanishing condition has been triggered, the system starts the vanishing protocol to ensure that sensitive data is thoroughly cleared; at the same time, the comprehensive access record log is sent to the sending client of the information data packet, so that the sending client learns the detailed access history of the data packet and is alerted to possible security risks.
Drawings
FIG. 1 is a flow chart of a method of secure communication of data according to an embodiment of the present invention;
FIG. 2 is a flow chart of a data security communication process according to an embodiment of the present invention;
FIG. 3 is a transmission process of an information packet according to an embodiment of the present invention;
FIG. 4 is a connection diagram of a data security communication system according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
It should be noted that, in the description of the present invention, terms such as "upper," "lower," "left," "right," "inner," "outer," and the like indicate directions or positional relationships based on the directions or positional relationships shown in the drawings, which are merely for convenience of description, and do not indicate or imply that the apparatus or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Fig. 1 is a flowchart of a data security communication method according to the present invention. The embodiment of the invention provides a data security communication method, which comprises the following steps:
generating an information data packet;
acquiring information of a receiving client for receiving an information data packet, and determining a transmission mode and a transmission path of the information data packet based on the information of the receiving client and the information of a transmitting client;
determining the importance level of the information data packet;
the sending client determines a protection mechanism of the information data packet according to the sending mode and the importance level of the information data packet, the protection mechanism being used to maintain the confidentiality of the information data packet and to record information about the receiving clients of the information data packet in a comprehensive access record log, so that it can be analyzed whether a security threat to the information data packet exists;
the protection mechanism responds to the information of the receiving client, and records the comprehensive access record log of the information data packet according to a prestored identity verification rule, a user action rule and an access quantity rule;
starting a vanishing protocol when a vanishing condition is triggered based on the protection mechanism and sending the comprehensive access record log to a sending client;
adjusting the identity verification rule of the protection mechanism according to the information of the receiving client triggering the vanishing condition and the triggering reason in the comprehensive access record;
the receiving client information comprises a receiving client name and a receiving client MAC address;
the comprehensive access record log comprises a downloading audit log, a transmission tracking log and an access control audit log.
It will be appreciated that the three logs record the following:
the download audit log includes a download timestamp (recording the specific time at which the information data packet was downloaded), the identity of the downloader (recording the client information of the client that performed the download operation), and the source of the download (recording where the information data packet was downloaded from, e.g., whether it was accessed via the corporate intranet or from outside);
the transmission tracking log includes a transmission timestamp (recording the exact time of transmission of the information data packet), a transmission mode (recording the mode by which the packet was transmitted), a transmission source and destination (recording the origin and destination of the transmission, including IP address, device identification and MAC address), and a transmission status (recording the status of the transmission process, such as whether the transmission was successful, whether the information data packet was successfully opened, and whether a vanishing condition was triggered);
the access control audit log includes an access timestamp (recording the exact time at which the data or resource was accessed), the visitor identity (recording the identity information of the client or system performing the access operation), the type of access (e.g., download, read, etc.), the access object, and the access result (e.g., whether the access succeeded or was denied).
Fig. 2 is a flowchart of a data security communication process according to an embodiment of the invention. The communication process of the data security communication method provided by the embodiment of the invention comprises the following steps:
step S1, packaging information to be transmitted to generate an information data packet;
step S2, acquiring the receiving client information and determining the sending mode and the transmission path of the information data packet:
step S21, acquiring the name and the MAC address of a receiving client;
step S22, analyzing the information of the receiving client and the information of the transmitting client, and determining the transmitting mode and the transmission path of the data packet;
step S3, determining the importance level of the information data packet, and determining the importance level by analyzing the content of the information data packet and the number of receiving clients by utilizing a preset importance standard;
step S4, determining a protection mechanism, and determining a specific protection mechanism before the sending client sends the information data packet based on the sending mode and the importance level;
step S5, recording the comprehensive access record log, which comprises the download audit log, the transmission tracking log and the access control audit log;
step S6, security threat analysis, wherein the protection mechanism uses the comprehensive access record log to detect whether a security threat to the data packet exists (whether a vanishing condition is triggered);
step S7, protection mechanism response: if a security threat exists (a vanishing condition is triggered), the protection mechanism protects the information data packet according to the vanishing protocol preset in the protection mechanism;
step S9, starting the vanishing protocol and sending the record: the vanishing protocol is started immediately when a vanishing condition is triggered, and the comprehensive access record log is sent to the sending client so that the sending client can analyze it and make adjustments;
step S10, adjusting the protection mechanism rules: the identity verification rule of the protection mechanism is adjusted according to the information of the receiving client that triggered the vanishing condition and the triggering reason in the comprehensive access record log, including but not limited to updating the white list of the information data packet.
Specifically, the transmission method includes transmission through a local area network using VPN and transmission through the internet without using VPN.
It will be appreciated that (1) when both endpoints of a communication (the sending client and the receiving client) are in the same internal network, the information data packet may be sent through the internal network; (2) when the sending client and the receiving client are not in the same internal network, the receiving client uses a VPN to connect to the internal local area network and receives the information data packet there; (3) when the internal network does not support VPN connection and the sending client and the receiving client are not in the same internal network, the sending client uploads the information data packet to the Internet, and the receiving client receives the information data packet on the Internet.
In implementation, when the receiving client and the sending client are in the same network, the information data packet is sent directly through the internal network;
when the receiving client and the sending client are not in the same network (e.g., the receiving client is on a business trip):
if the internal network of the company allows VPN access, the receiving client first uses a VPN to connect to the internal network where the sending client is located, and then receives the information data packet by accessing that internal network;
if the internal network of the company does not allow VPN access, communication takes place through the Internet: the sending client uploads the information data packet to the Internet, and the receiving client receives the information data packet on the Internet.
Specifically, the transmission path includes direct transmission and indirect transmission;
the direct transmission is that the sending client transmits the information data packet to the receiving client directly;
and the indirect transmission is that the sending client transmits the information data packet to the receiving client indirectly, through other clients that are not the receiving client, intermediate nodes or transfer stations.
It will be appreciated that, in transmitting information data packets: (1) if the sending client and the receiving client are in the same department or team, direct transmission is usually selected; if the sending client and the receiving client are in different departments or different teams, the sending client generally sends the information data packet to another client, which then sends it on to the receiving client, i.e. indirect transmission. (2) If the size of the information data packet is smaller than the preset file size, direct transmission does not affect communication efficiency, and direct transmission is selected; if the size of the information data packet is greater than or equal to the preset file size, direct transmission is less efficient, and the information data packet needs to be transmitted indirectly through a file transfer station. The preset file size is 0.5G.
In practice, it is first determined whether the sending client and the receiving client are in the same department or team, and then whether the size of the communication file is suitable for direct transmission. For example:
if an employee of the sales department wants to transmit a sales report file to the manager of the sales department or to other employees of the sales department, and the size of the sales report file is less than 0.5G, the file is transmitted directly to the colleague in the same department;
if an employee of the sales department wants to transmit a sales report file to the manager of the sales department or to other employees of the sales department, and the size of the sales report file is greater than or equal to 0.5G, the file is transmitted to the colleague in the same department indirectly through the file transfer station;
if an employee of the sales department wants to transmit a sales report file to a manager or other employee of a department other than the sales department (such as the financial department), and the size of the sales report file is less than 0.5G, the employee needs to transmit the sales report file to an inter-department process, and that process then transmits the file to the receiving client;
if an employee of the sales department wants to transmit a sales report file to a manager or other employee of a department other than the sales department (such as the financial department), and the size of the sales report file is greater than or equal to 0.5G, the employee needs to upload the sales report file to the file transfer station first, and the receiving client then obtains the sales report file from the file transfer station.
Specifically, the method for determining the importance level of the information data packet comprises the following steps:
determining a content category according to the content of the information data packet;
determining the importance level based on the content category and the number of receiving clients;
wherein the content categories include text, images, and audio.
It can be understood that it is first determined which one or more of text, image or audio the content category of the information data packet belongs to; it is then determined whether the content of the information data packet contains sensitive words, key information, identified content or specific elements related to the business inside the company; and the number of receiving clients and the level of each receiving client user inside the company (general manager, department manager, general staff) are then determined.
In practice, the importance levels of information data packets are classified as high, medium and low.
It can be understood that the information data packet is first processed according to its content category to determine its content, topic and keywords: (1) an information data packet that does not contain sensitive words, key information, identified content or specific elements related to the business inside the company has a low importance level; (2) for an information data packet that contains sensitive words, key information, identified content or specific elements related to the business inside the company, the importance level is determined according to the number of receiving clients and the level of the receiving client users inside the company. In the latter case, when the number of receiving clients is greater than or equal to 5, and/or the receiving client users include a general manager or a manager, the importance level of the information data packet is high; when the receiving client users include a department director, the importance level of the information data packet is medium.
In practice, the step of determining the importance level of the information data packet comprises:
step A01, processing information data packets of different content categories to determine the information data packet with the importance level of low level:
low level: the data packet does not contain sensitive words, key information and identification content in the company, and does not relate to specific elements related to the service;
middle level/high level: the data packets contain sensitive words, key information, identifying content, or specific elements related to the business within the company.
Step A02, determining the information data packets with the importance levels of medium and high levels:
high level: the number of receiving clients is greater than or equal to 5, or the receiving client users include a general manager or a manager; when either or both of these conditions are met, the information data packet is marked as high level;
medium level: when the highest receiving client user level is department director, the information data packet is marked as medium level.
In an implementation, a method of processing information packets of different content categories includes: text in the data packet is analyzed using natural language processing techniques, features (including color, shape, text) of images in the data packet are extracted using image processing algorithms, and audio content is converted into analyzable text using speech recognition techniques.
Specifically, the authentication rule includes:
presetting the MAC addresses of a plurality of receiving clients to form a white list of MAC addresses;
confirming whether the MAC address of the actual receiving client matches an address in the white list, and if the MAC address of the actual receiving client is identical to any one of the addresses in the white list, the protection mechanism judges that the receiving client is allowed to view the information data packet;
when the MAC address of the actual receiving client is not the same as any address in the white list, the protection mechanism judges that the receiving client is not allowed to view the information data packet; if the receiving client opens the information data packet, the receiving client triggers the vanishing condition and the vanishing protocol is started to delete and destroy the information related to the information data packet stored by the receiving client.
In implementation, when the same information data packet is sent to n (n is greater than or equal to 1) receiving clients, the MAC addresses of the n receiving clients are added to the protection mechanism of the information data packet to form the white list of the information data packet.
When an information data packet is transmitted, the protection mechanism first performs identity verification to acquire the MAC address of the actual receiving client, and then verifies whether the MAC address matches the white list; if it matches, the client is allowed to view the information data packet; if it does not match, the client, not being in the white list, is not allowed to view the information data packet and is only allowed to transmit the information data packet as one of the other clients.
In particular, the user action rules include that the receiving client is not allowed to copy information data packets and is only allowed to cut and/or transmit information data packets.
In practice, (1) the receiving client is prohibited from copying the information data packet, i.e. the receiving client cannot copy the information data packet to other locations by conventional copying operations; (2) the user is allowed to cut the information data packet, i.e. the receiving client can move the information data packet to other internal storage locations of the receiving client through a cutting operation; (3) when a receiving client transmits an information data packet to another receiving client, the information data packet can only be transmitted by cutting, i.e. after the receiving client transmits the information data packet, the receiving client no longer holds any content related to the information data packet. For example, in indirect transmission, when the intermediate client receives the information data packet from the sending client and transmits it to the receiving client, the intermediate client can only cut the information data packet and transmit it, and no file related to the information data packet remains in the intermediate client.
It will be appreciated that any client, except the sending client, may cut and/or transmit information packets, but cannot save the file content to other locations through copy operations; the information packet can be prevented from being copied on a large scale, and confidentiality during movement of the information packet can be ensured.
Specifically, when the sending client uses a sending mode of sending information data packets through the internet without using VPN to establish communication with the receiving client, the access number rule of the protection mechanism of the sending client is triggered, wherein the access number rule is that the number of clients downloading the information data packets is smaller than or equal to the preset number.
It will be appreciated that the sending client will set the access number rules of the protection mechanism only if the VPN is not used to send information packets over the internet.
In implementation, the preset number = number of receiving clients in the white list; for example, if the white list includes 3 receiving clients, the preset number=6; and after the sending client uploads the information data packet to the Internet, only 3 clients with different MAC addresses are allowed to download, and when the 3rd client applies for downloading, the access quantity rule is triggered. Once the access quantity rule is triggered, the protection mechanism takes corresponding protection measures, including rejecting new connection requests to prevent further communication connections from being established, and sending the comprehensive access record log to the sending client so that it can promptly investigate possible anomalies. The sending client then re-uploads the information data packet once security is confirmed, or sends the information data packet to the receiving clients in the white list in another way, to protect the security of the communication process.
Specifically, the vanishing condition is triggered when the MAC address of the receiving client that opens the information data packet is not in the white list, and/or the receiving client transmits the information data packet by copying.
It will be appreciated that the vanishing condition is triggered when one of the following conditions is met: (1) the MAC address of the receiving client that opened the information data packet is not in the white list; (2) the receiving client copies the information data packet.
In implementation, when the MAC address of the receiving client is not in the white list, the protection mechanism set for the information data packet refuses to display the content of the information data packet to the client, so as to prevent an unauthorized client from accessing the sensitive information; and, if the system detects that the receiving client copies the information data packet, this may indicate a potential risk of data leakage, in which case the protection mechanism triggers the vanishing protocol to handle the potential risk of information leakage in time.
Specifically, the vanishing protocol includes disabling access rights to the information data packet, data obfuscation, deleting data associated with the information data packet in the client, and sending a comprehensive access record log to the sending client.
In practice, disabling the access rights to the information data packet means that the client that triggered the vanishing condition is prohibited from performing any operation on the information data packet it holds, including cutting and transmission; at the same time, when the vanishing condition is triggered, all the content stored in the information data packet is converted into garbled text or an encrypted form so that it cannot be read or analyzed, using an encryption algorithm, compression technology or other obfuscation means; and all data associated with the information data packet is deleted from the client system, including any locally stored caches, configuration files, or metadata. All three processing modes are carried out simultaneously when the vanishing condition is triggered: because the information data packet to be deleted is too large, deletion takes time, and during that time the content of the information data packet needs to be protected by disabling access and data obfuscation.
It can be understood that the sending client receives the comprehensive access record log sent from the client that triggered the vanishing condition, and re-determines the sending mode, the transmission mode and the protection mechanism of the information data packet according to the comprehensive access record log. For example, the protection mechanism is also preset with blacklist rules: a client that triggers the vanishing condition by trying to open an information data packet while its address is not in the white list may be added to the blacklist so that it cannot receive the information data packet later; for a client that triggers the vanishing condition by copying the information data packet, the copy can be considered a misoperation caused by an accidental touch, so the sending client records the client address and resends the information data packet to the client, and if the number of times the client copies the information data packet is greater than or equal to 3, the client is added to the blacklist.
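The authentication, user action, access quantity and blacklist rules described above, gathered into one policy check as an added example (this is not code from the patent). The class `ProtectionMechanism`, the functions `norm`, `update_blacklist` and `demo`, the log field names and the MAC addresses are all constructed for illustration; the preset number is taken as the white list size, following the formula stated in the text, and the access quantity rule is assumed to fire when a download request would exceed it.

```python
from dataclasses import dataclass, field

COPY_LIMIT = 3  # copies >= 3 lead to blacklisting, per the text


def norm(mac):
    """Normalise a MAC so 'aa-bb-..' and 'AA:BB:..' compare equal."""
    return mac.strip().upper().replace("-", ":")


@dataclass
class ProtectionMechanism:
    whitelist: set
    over_internet: bool = False  # True: sent through the internet without VPN
    downloaders: set = field(default_factory=set)
    locked: bool = False         # access quantity rule has fired
    vanished: set = field(default_factory=set)
    log: list = field(default_factory=list)  # stands in for the access record log

    def __post_init__(self):
        self.whitelist = {norm(m) for m in self.whitelist}
        self.preset_number = len(self.whitelist)  # preset number = white list size

    def _record(self, mac, action, decision, reason=""):
        self.log.append(dict(mac=mac, action=action, decision=decision, reason=reason))
        return decision

    def _vanish(self, mac, action, reason):
        # Vanishing protocol (disable access, obfuscate, delete, report), modelled as state.
        self.vanished.add(mac)
        return self._record(mac, action, "vanish", reason)

    def handle(self, mac, action):
        mac = norm(mac)
        if mac in self.vanished:
            return self._record(mac, action, "deny", "access_disabled")
        if action == "download" and self.over_internet:
            new = mac not in self.downloaders
            if self.locked or (new and len(self.downloaders) >= self.preset_number):
                self.locked = True  # reject this and all further requests
                return self._record(mac, action, "deny", "access_number")
            self.downloaders.add(mac)
            return self._record(mac, action, "allow")
        if action == "copy":
            return self._vanish(mac, action, "copy")
        if action == "open" and mac not in self.whitelist:
            return self._vanish(mac, action, "not_in_whitelist")
        if action in ("download", "open", "cut", "transmit"):
            return self._record(mac, action, "allow")
        raise ValueError(f"unknown action: {action}")


def update_blacklist(entries, blacklist=()):
    """Sender-side review of access log entries, following the blacklist rules."""
    blacklist, copies = set(blacklist), {}
    for e in entries:
        if e["decision"] != "vanish":
            continue
        if e["reason"] == "not_in_whitelist":
            blacklist.add(e["mac"])
        else:  # reason == "copy": tolerated as a mis-touch until COPY_LIMIT
            copies[e["mac"]] = copies.get(e["mac"], 0) + 1
            if copies[e["mac"]] >= COPY_LIMIT:
                blacklist.add(e["mac"])
    return blacklist


def demo():
    """Constructed scenario: three white-listed MACs (a, b, c) and one outsider (x)."""
    a, b, c = "AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02", "AA:BB:CC:00:00:03"
    x = "DE:AD:BE:EF:00:09"
    pm = ProtectionMechanism({a, b, c}, over_internet=True)
    events = [(a, "download"), (b, "open"), (x, "transmit"), (x, "open"), (x, "cut"), (c, "copy")]
    return pm, [pm.handle(m, act) for m, act in events]
```

In the constructed scenario the outsider may relay the packet but loses all access once it tries to open it, and a single copy by a white-listed client triggers the vanishing protocol without blacklisting it. Every decision here rests on the MAC address the client reports, so the check is only as reliable as that value.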
Fig. 3 and Fig. 4 show, respectively, the transmission process of an information data packet according to an embodiment of the present invention and a connection diagram of a data security communication system according to an embodiment of the present invention. The embodiment of the invention also provides a data security communication system, which is used for supporting the data security communication method and comprises:
the sending client is used for determining the importance level of the information data packet, determining the sending mode of the information data packet and a protection mechanism corresponding to the sending mode according to the importance level and the information of the receiving client, and sending the information data packet;
the protection mechanism module is connected with the sending client and used for starting the protection mechanism to ensure that the information data packet can only be opened by a receiving client whose MAC address is the same as an address in the white list;
and the receiving client is connected with the sending client and is used for receiving the information data packet and viewing the content of the information data packet.
The data security communication system and the method provided by the invention realize safer and controllable information data packet transmission and protect confidentiality, integrity and availability of data.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the invention and is not intended to limit the invention; various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of secure communication of data, comprising:
generating an information data packet;
acquiring information of a receiving client for receiving an information data packet, and determining a transmission mode and a transmission path of the information data packet based on the information of the receiving client and the information of a transmitting client;
determining the importance level of the information data packet;
the sending client determines a protection mechanism of the information data packet according to the sending mode and the importance level of the information data packet, the protection mechanism being used for maintaining confidentiality of the information data packet, and records information of the receiving client of the information data packet through a comprehensive access record log so as to analyze whether there is a security threat to the information data packet;
the protection mechanism responds to the information of the receiving client, and records the comprehensive access record log of the information data packet according to a prestored identity verification rule, a user action rule and an access quantity rule;
starting a vanishing protocol when a vanishing condition is triggered based on the protection mechanism and sending the comprehensive access record log to a sending client;
adjusting the identity verification rule of the protection mechanism according to the information of the receiving client triggering the vanishing condition and the triggering reason in the comprehensive access record;
the receiving client information comprises a receiving client name and a receiving client mac address;
the comprehensive access record log comprises a downloading audit log, a transmission tracking log and an access control audit log.
2. The data security communication method according to claim 1, wherein the transmission means includes transmission through a local area network using VPN and transmission through the internet without using VPN.
3. The data security communication method according to claim 1, wherein the transmission path includes direct transmission and indirect transmission;
the direct transmission is that the sending client transmits the information data packet to the receiving client directly;
and the indirect transmission is that the sending client indirectly transmits the information data packet to the receiving client through other clients, intermediate nodes or transfer stations of the non-receiving client.
4. The method of claim 1, wherein the step of determining the importance level of the information packet comprises:
determining a content category according to the content of the information data packet;
determining the importance level based on the content category and the number of receiving clients;
wherein the content categories include text, images, and audio.
5. The data security communication method according to claim 1, wherein the authentication rule includes:
presetting mac addresses of a plurality of receiving clients to form a white list of mac addresses;
confirming whether the MAC address of the receiving client matches an address in the white list, and if the MAC address of the receiving client is identical to any one of the addresses in the white list, the protection mechanism judges that the receiving client is allowed to view the information data packet;
when the MAC address of the receiving client is not the same as any address in the white list, the protection mechanism judges that the receiving client is not allowed to view the information data packet; if the receiving client opens the information data packet, the receiving client triggers the vanishing condition and the vanishing protocol is started, and the information related to the information data packet stored by the receiving client is deleted and destroyed.
6. A data security communication method according to claim 1, wherein the user action rules include that the receiving client is not allowed to copy information data packets and is only allowed to cut and/or transmit information data packets.
7. The data security communication method according to claim 2, wherein when the sending client establishes communication with the receiving client by adopting a sending mode of sending information data packets through internet without using VPN, the access number rule of the protection mechanism of the sending client is triggered, and the access number rule is that the number of clients downloading the information data packets is less than or equal to a preset number.
8. The method according to claim 1, wherein the vanishing condition is triggered when the MAC address of the receiving client opening the information data packet is not in the white list and/or the receiving client transmits the information data packet by copying.
9. The data security communication system of claim 8, wherein the vanishing protocol includes disabling access rights for information data packets, data obfuscation, deleting data associated with information data packets in a client, and sending a comprehensive access record log to the sending client.
10. A data security communication system as claimed in any one of claims 1 to 9, comprising:
the sending client is used for determining the importance level of the information data packet, determining the sending mode of the information data packet and a protection mechanism corresponding to the sending mode according to the importance level and the information of the receiving client, and sending the information data packet;
the protection mechanism module is connected with the sending client and used for starting the protection mechanism to ensure that the information data packet can only be opened by a receiving client whose MAC address is the same as an address in the white list;
and the receiving client is connected with the sending client and is used for receiving the information data packet and viewing the content of the information data packet.
CN202311622501.9A 2023-11-30 Data security communication system and method Active CN117478423B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311622501.9A CN117478423B (en) 2023-11-30 Data security communication system and method

Publications (2)

Publication Number Publication Date
CN117478423A true CN117478423A (en) 2024-01-30
CN117478423B CN117478423B (en) 2024-05-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination