CN117992994A - Data protection method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN117992994A
Application number: CN202211329976.4A
Authority: CN (China)
Prior art keywords: data, protection, target, equipment, rule
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202211329976.4A
Publication of CN117992994A


Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/445 Program loading or initiating > G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files


Abstract

The embodiment of the application discloses a data protection method, a data protection device, computer equipment and a storage medium. The embodiment of the application can acquire the device data of the computer device and a data protection configuration file, wherein the data protection configuration file indicates the data to be protected; identify the device data based on the data protection configuration file to obtain target device data to be protected; detect changes to the target device data to obtain data change history information for the target device data; perform data leakage detection on the target device data according to at least one data leakage detection rule to obtain a detection result; and, when the detection result indicates that the target device data has a data leakage risk, perform anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so that the target device data in the computer device is protected and the flexibility of protecting the target device data is improved.

Description

Data protection method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data protection method, apparatus, computer device, and storage medium.
Background
With the rapid development of computer and network technologies, more and more enterprise data is stored as electronic data on personal computer devices and on computer devices configured by the enterprise. In a networked environment, electronic data can be conveniently transferred and forwarded over the network, so device data on computer devices is easily leaked. Leakage of enterprise data from computer devices can cause significant losses to individuals and businesses, and data security issues are becoming increasingly important. In the prior art, the device data in a computer device is generally protected by encrypting and decrypting it at the disk level or the file level. However, such prior-art schemes for protecting device data have a narrow application range and are inflexible and inconvenient.
Disclosure of Invention
The embodiment of the application provides a data protection method, a data protection device, computer equipment and a storage medium, which can improve the flexibility of protecting target equipment data.
The embodiment of the application provides a data protection method, which comprises the following steps:
acquiring device data of a computer device and a data protection configuration file, wherein the data protection configuration file indicates data to be protected;
identifying the device data based on the data protection configuration file to obtain target device data to be protected;
detecting changes to the target device data to obtain data change history information for the target device data, wherein the data change history information comprises at least one piece of history change operation information;
determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information;
performing data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result; and
when the detection result indicates that the target device data has a data leakage risk, performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device.
Correspondingly, the embodiment of the application also provides a data protection device, which comprises:
an acquisition unit, used for acquiring device data of a computer device and a data protection configuration file, wherein the data protection configuration file indicates data to be protected;
the identification unit is used for carrying out identification processing on the equipment data based on the data protection configuration file to obtain target equipment data to be protected;
a change detection unit, configured to perform change detection on the target device data and obtain data change history information for the target device data, where the data change history information includes at least one piece of history change operation information;
a rule determining unit, configured to determine at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information;
The data leakage detection unit is used for carrying out data leakage detection on the target equipment data according to the at least one data leakage detection rule to obtain a detection result;
And the anti-leakage unit is used for carrying out anti-leakage processing on the target equipment data based on the data protection rule corresponding to the data leakage detection rule when the detection result represents that the target equipment data has the data leakage risk so as to realize the protection of the target equipment data in the computer equipment.
In an embodiment, the identifying unit may include:
The file analysis subunit is used for analyzing the data protection configuration file to obtain at least one piece of protection data characteristic information;
the identification processing subunit is used for carrying out identification processing on the equipment data according to the at least one piece of protection data characteristic information to obtain the equipment data to be protected;
the process detection subunit is used for detecting an application process for triggering the equipment data to be protected;
and the expansion subunit is used for carrying out expansion processing on the equipment data to be protected based on the application process to obtain target equipment data to be protected.
In an embodiment, the identification processing subunit may include:
The request detection module is used for detecting the access request of the equipment data based on the protection data characteristic information;
the verification module is used for carrying out verification processing on the access request when the access request aiming at the equipment data is detected;
the range detection module is used for detecting the equipment data access range corresponding to the access request when the verification of the access request is passed;
And the data determining module is used for determining the equipment data to be protected according to the equipment data access range corresponding to the access request.
In an embodiment, the expansion subunit may include:
the detection module is used for detecting the application process to obtain the equipment data associated with the application process;
The denoising module is used for denoising the associated equipment data to obtain denoised equipment data;
and the integration module is used for integrating the denoised equipment data and the equipment data to be protected to obtain the target equipment data to be protected.
In an embodiment, the data leakage detecting unit may include:
a calling subunit, configured to call a plurality of environment detection components to detect environmental assessment values of the history change operation information in a plurality of different dimensions based on the data leakage detection rule;
a score calculating unit, configured to calculate a first security assessment score of the history change operation information according to its environmental assessment values in the plurality of different dimensions;
The score updating unit is used for updating the first security assessment score to obtain a second security assessment score when the first security assessment score does not accord with a preset security threshold;
And the first result generating unit is used for generating a detection result of the risk of data leakage of the target equipment data when the second security assessment score does not accord with a preset security threshold value.
In an embodiment, the data leakage detecting unit may include:
an information detection subunit, configured to detect access description information of the target device data in at least one dimension based on the data leakage detection rule;
The condition detection subunit is used for determining the data leakage boundary condition corresponding to the access description information of each dimension according to the data leakage detection rule;
And the second result generating unit is used for generating a detection result of the risk of data leakage of the target equipment data when the access description information accords with the data leakage boundary condition.
In an embodiment, the leakage preventing unit may include:
The reading subunit is used for reading a storage linked list corresponding to the data change history information based on the data protection rule when the detection result represents that the target equipment data has a data leakage risk;
a file acquisition subunit, configured to acquire a full path file corresponding to the target device data in the storage linked list;
And the permission modification unit is used for performing permission modification processing on the full-path file and controlling the operation on the target equipment data based on the data protection rule so as to realize the protection of the target equipment data in the computer equipment.
In an embodiment, the leakage preventing unit may include:
An encryption data determining subunit, configured to determine, when the detection result characterizes that the target device data has a data leakage risk, device data to be encrypted in the target device data;
A key generation subunit, configured to generate an encryption key based on the data protection rule;
And the encryption processing subunit is used for carrying out encryption processing on the equipment data to be encrypted based on the encryption key to obtain encrypted equipment data so as to realize the protection of target equipment data in the computer equipment.
In an embodiment, the leakage preventing unit may further include:
the data leakage detection subunit is used for carrying out data leakage detection on the encrypted equipment data to obtain a detection result;
And the decryption subunit is used for decrypting the encrypted equipment data when the detection result represents that the encrypted equipment data has no data leakage risk, so as to restore the encrypted equipment data to the target equipment data.
In an embodiment, the variation detecting unit may include:
A change detection subunit, configured to perform change detection on the target device data;
The association processing subunit is used for carrying out association processing on the change operation corresponding to the application process and the data identifier corresponding to the target equipment data when the application process is detected to operate on the target equipment data, so as to obtain history change operation information corresponding to the target equipment data;
and a writing subunit, configured to write the history change operation information into the storage linked list corresponding to the target device data to obtain the data change history information.
In an embodiment, the rule determining unit may include:
the first mapping subunit is used for mapping each piece of history change operation information based on preset rule mapping logic to obtain a data leakage detection rule corresponding to each piece of history change operation information;
and the second mapping subunit is used for mapping each data leakage detection rule based on preset association rule mapping logic to obtain a data protection rule corresponding to each data leakage detection rule.
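The following worked example is added here for illustration and is not code from the application or from its assignee. It shows the change detection, rule determining, data leakage detection and anti-leakage units above working together: history change operation information is written to a storage linked list, each operation is mapped to a data leakage detection rule and a data protection rule, environment detection components score the operation in several dimensions, a first security assessment score that fails the threshold is updated to a second score, and a file still judged at risk is planned for permission modification. The rule tables, the dimension components with their 0 to 100 values, the threshold of 60, the update step (adding a zero-trust verification dimension) and the sample history are all assumptions.

```python
"""Illustrative example (added; not the application's own code): history change
operations go into a storage linked list, map to detection and protection rules,
are scored per dimension by environment detection components, and a file at
risk is planned for permission modification."""
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeOperation:          # one piece of history change operation information
    process: str            # application process that operated on the data
    operation: str          # kind of change operation
    data_id: str            # data identifier of the target device data
    full_path: str          # full-path file holding the data
    destination: str = ""   # where the data went, if the operation moved it
    verified: bool = False  # whether the access passed zero-trust verification

class StorageLinkedList:
    """Singly linked storage list holding the data change history information."""
    def __init__(self):
        self._head = self._tail = None
    def write(self, op):
        node = [op, None]                  # [operation, next]
        if self._tail is None:
            self._head = self._tail = node
        else:
            self._tail[1] = node
            self._tail = node
    def __iter__(self):
        node = self._head
        while node is not None:
            yield node[0]
            node = node[1]

# Rule mapping logic and association rule mapping logic (assumed tables).
DETECTION_RULE_BY_OPERATION = {"upload": "network_egress", "copy_out": "removable_media",
                               "edit": "local_modification"}
PROTECTION_RULE_BY_DETECTION = {"network_egress": "encrypt", "removable_media": "read_only",
                                "local_modification": "read_only"}

# Environment detection components: each scores one dimension from 0 (unsafe) to
# 100 (safe). The components, their values and the threshold are assumptions.
TRUSTED_PROCESSES = {"office.exe", "zta-client"}
SECURITY_THRESHOLD = 60

def network_dimension(op):
    return 100 if op.destination == "" or op.destination.endswith(".corp.example") else 20

def process_dimension(op):
    return 100 if op.process in TRUSTED_PROCESSES else 30

def destination_dimension(op):
    return 10 if op.destination.startswith("usb:") else 90

def verification_dimension(op):
    return 100 if op.verified else 0

COMPONENTS = [network_dimension, process_dimension, destination_dimension]

def first_security_score(op):
    return sum(c(op) for c in COMPONENTS) / len(COMPONENTS)

def second_security_score(op):
    """Update step (assumed): re-score with the zero-trust verification dimension added."""
    comps = COMPONENTS + [verification_dimension]
    return sum(c(op) for c in comps) / len(comps)

def detect(op):
    """Data leakage detection for one history change operation; returns the detection result."""
    rule = DETECTION_RULE_BY_OPERATION.get(op.operation)
    if rule is None:                       # no detection rule maps to this operation
        return {"data_id": op.data_id, "risk": False, "rule": None, "protection": None, "score": 100.0}
    score = first_security_score(op)
    if score < SECURITY_THRESHOLD:         # first score fails the threshold: update it
        score = second_security_score(op)
    risk = score < SECURITY_THRESHOLD      # second score fails as well: leakage risk
    return {"data_id": op.data_id, "risk": risk, "rule": rule,
            "protection": PROTECTION_RULE_BY_DETECTION[rule] if risk else None, "score": score}

def plan_protection(result, history, current_mode=0o644):
    """Anti-leakage processing: find the full-path file in the storage linked list and
    apply the protection rule. Returns (path, action, new_mode); the key generation
    and encryption behind the "encrypt" rule are not shown here."""
    if not result["risk"]:
        return None
    path = next(op.full_path for op in history if op.data_id == result["data_id"])
    if result["protection"] == "read_only":   # permission modification: clear all write bits
        return (path, "read_only", current_mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return (path, result["protection"], None)

def sample_history():
    """Constructed data change history for two protected files."""
    h = StorageLinkedList()
    doc = "/home/alice/enterprise/q3.docx"
    h.write(ChangeOperation("office.exe", "edit", "doc-1", doc, verified=True))
    h.write(ChangeOperation("browser", "upload", "doc-1", doc, "share.example", verified=True))
    h.write(ChangeOperation("explorer.exe", "copy_out", "doc-1", doc, "usb:E:/q3.docx"))
    h.write(ChangeOperation("browser", "upload", "doc-2",
                            "/home/alice/enterprise/budget.xlsx", "paste.example"))
    return h
```

In the sample history the second operation fails the first score but is rescued by the updated second score, while the USB copy and the unverified upload remain at risk and receive the read-only and encrypt rules respectively.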
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, cause the computer device to perform the methods provided in the various alternatives of the above aspect.
Correspondingly, the embodiment of the application also provides a storage medium, wherein the storage medium stores instructions which are executed by a processor to realize the data protection method provided by any one of the embodiments of the application.
The embodiment of the application can acquire the device data of the computer device and a data protection configuration file, wherein the data protection configuration file indicates the data to be protected; identify the device data based on the data protection configuration file to obtain target device data to be protected; detect changes to the target device data to obtain data change history information for the target device data, wherein the data change history information comprises at least one piece of history change operation information; determine at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information; perform data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result; and, when the detection result indicates that the target device data has a data leakage risk, perform anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so that the target device data in the computer device is protected and the flexibility of protecting the target device data is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic view of a scenario of a data protection method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a data protection method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of another scenario of a data protection method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of another scenario of a data protection method according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of a data protection method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a data protection device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following describes the embodiments of the present application clearly and fully with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by those skilled in the art based on the embodiments of the application without inventive effort fall within the scope of the application.
The embodiment of the application provides a data protection method which can be executed by a data protection device, and the data protection device can be integrated in computer equipment. The computer device may include at least one of a terminal, a server, and the like. That is, the data protection method provided by the embodiment of the present application may be executed by a terminal, a server, or both a terminal and a server capable of communicating with each other.
The terminals may include, but are not limited to, smart phones, tablet computers, notebook computers, personal computers (Personal Computer, PCs), smart appliances, wearable computer devices, VR/AR devices, vehicle terminals, smart voice interaction devices, and the like.
The server may be an interworking server or a background server among a plurality of heterogeneous systems, may be an independent physical server, may be a server cluster or a distributed system formed by a plurality of physical servers, and may be a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, basic cloud computing services such as big data and an artificial intelligence platform, and the like.
It should be noted that the embodiments of the present application may be applied to various scenarios, including, but not limited to, cloud technology, artificial intelligence, intelligent transportation, driving assistance, and the like.
In an embodiment, as shown in fig. 1, the data protection device may be integrated on a computer device such as a terminal or a server, so as to implement the data protection method according to the embodiment of the present application. Specifically, the server 11 may acquire device data of the terminal 10, and a data protection profile indicating data to be protected; identifying the equipment data based on the data protection configuration file to obtain target equipment data to be protected; detecting the change of the target equipment data to obtain data change history information aiming at the target equipment data, wherein the data change history information comprises at least one history change operation information; determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to at least one historical variation operation information; performing data leakage detection on the target equipment data according to at least one data leakage detection rule to obtain a detection result; when the detection result indicates that the target device data has the data leakage risk, anti-leakage processing is performed on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to realize protection of the target device data in the terminal 10.
The following detailed description is given, respectively, of the embodiments, and the description sequence of the following embodiments is not to be taken as a limitation of the preferred sequence of the embodiments.
The embodiment of the application will be described from the perspective of a data protection device, which may be integrated in a computer device, and the computer device may be a server, a terminal, or other devices.
As shown in fig. 2, a data protection method is provided, and the specific flow includes:
101. Device data of the computer device is obtained, and a data protection configuration file is obtained, wherein the data protection configuration file indicates data needing protection.
In an embodiment, the method provided by the embodiment of the application can be applied to a zero-trust network architecture.
Where "zero trust" may refer to narrowing the boundaries of network defenses in a computer device to a single or smaller set of resources, the central idea is that the data access system of the computer device should not automatically trust anyone/thing inside or outside, should not grant fully trusted rights to the system based on physical or network location, should verify any person/thing attempting to access the data access system prior to authorization, and grant access to a data resource only when the resource is needed.
For example, for an enterprise, a zero-trust enterprise system should not automatically trust anyone/thing inside or outside, should not grant fully trusted rights to the system based on physical or network location, should verify any person/thing attempting to access the enterprise system before authorization, and grant access to data resources only when the resources are needed.
In one embodiment, the prior art generally encrypts and decrypts device data at the disk level or the file level to protect the data in a computer device that needs protection. Compared with the prior art, the scheme provided by the present application adopts a holistic protection approach to protect the data that needs protection in the computer device: the data to be protected is defined dynamically and flexibly based on a zero-trust network architecture, and is distinguished from the data in the device that does not need protection.
For example, more and more data in an enterprise is stored in the form of electronic data in personal computer devices and enterprise-configured computer devices. By the data protection method, enterprises can dynamically and flexibly define enterprise data based on a zero trust network architecture, so that sensitive enterprise data in computer equipment are distinguished from personal data of operators.
In an embodiment, the present application provides a zero trust security management system by which a user can configure data protection profiles, data protection rules, data leakage detection rules, resource allocation, and so on.
For example, as shown in fig. 3, a schematic configuration diagram of the data leak detection rule may be provided. As shown in fig. 3, a user may configure data leakage detection rules through a visual interface. For example, the user may configure the name of the rule as well as the specific content of the rule, and so on. For another example, as shown in FIG. 4, a configuration diagram of the resource addition may be displayed when the user clicks on the "Add resource" control in FIG. 3. For example, as shown in FIG. 4, a user may configure a resource name, a resource category, a domain name, and a grouping of resources, among others.
In one embodiment, device data for a computer device may be obtained along with a data protection profile.
Wherein the device data of the computer device may include all data stored locally on the computer. For example, when the computer device is a device that is enterprise-configured to employees, the device data on the computer device may include personal data of the employees in addition to enterprise data. As another example, the device data may include various documents, pictures, videos, and data stored in file form in a computer device.
Wherein the data protection profile may be used to indicate data in the computer device that needs to be protected. For example, the data protection profile may indicate that enterprise data in the device data needs to be protected. For another example, the data protection profile may be used to indicate protection of private data in the device data, and so on.
In one embodiment, since the data protection configuration file is configured manually, the user can generate it by configuring the range of data he or she wants to protect. The data protection device can then protect the data in the computer device according to the data protection configuration file. Because the data protection configuration file can be flexibly configured and modified, it ensures the flexibility of data protection.
102. Identification processing is performed on the device data based on the data protection configuration file to obtain the target device data to be protected.
In an embodiment, the data protection device may perform identification processing on the device data based on the data protection configuration file to obtain the target device data to be protected.
The identifying the device data based on the data protection configuration file may refer to determining the device data to be protected from the device data of the computer device, so as to obtain the target device data to be protected.
The target device data to be protected may include the data that meets the protection requirement indicated in the data protection configuration file. For example, when the data protection configuration file indicates that enterprise data in the computer device needs to be protected, the target device data to be protected may be the enterprise data in the computer device.
In an embodiment, since a large amount of data is stored in the computer device, in order to improve the efficiency of identifying the target device data to be protected, the user may define the feature information of the data to be protected in the data protection configuration file. Then, the data protection device may determine the target device data to be protected according to the protection data characteristic information.
Specifically, the step of identifying the device data based on the data protection configuration file to obtain the target device data to be protected may include:
analyzing the data protection configuration file to obtain at least one piece of protection data characteristic information;
performing identification processing on the device data according to the at least one piece of protection data characteristic information to obtain the device data to be protected;
detecting an application process that triggers an operation on the device data to be protected; and
performing expansion processing on the device data to be protected based on the application process to obtain the target device data to be protected.
In an embodiment, the data protection configuration file may be parsed to obtain at least one protection data feature information.
Wherein the protection data characteristic information may be used to describe characteristics of the device data that need to be protected. For example, because of the large amount of data stored in a computer device, different device data may have a variety of different characteristics. When a user needs to protect a wide range of device data, multiple pieces of protection data feature information may be included in the data protection profile. And when the user needs to protect a smaller range of device data, only one piece of protection data characteristic information may be included in the data protection configuration file.
For example, the protection data characteristic information may include the file type or directory path of the device data to be protected. For example, device data of a particular file type may be the device data to be protected. For another example, when the storage path of the device data is a specific target path, the device data may be the device data to be protected.
For another example, the protection data characteristic information may include an access manner of the device data to be protected. For example, the protection data characteristic information may be "successfully accessed through a zero trust network". For example, when the device data is data that is successfully accessed through a zero trust network, the device data may be the device data to be protected.
For another example, the protection data characteristic information of the device data to be protected may include a manner of obtaining the device data to be protected. For example, the protection data feature information may be "obtained through a screen capturing or screen recording operation". For example, when the device data is data obtained by a screen capturing or screen recording operation, the device data may be device data to be protected.
For another example, the protection data characteristic information may include keywords of the device data to be protected. For example, the protection data feature information may be a keyword of a file name or content of the device data to be protected. When the file name or content of the device data matches the keyword in the protection data feature information, the device data may be the device data to be protected.
In an embodiment, the protection data characteristic information may be presented in the form of a white list or a black list, so that the data protection configuration file can be flexibly adjusted. For example, a white list or a black list may be used to store the file types or directory paths of the device data to be protected. A white list defines the file types, or the range of directories, of the data to be protected, and data outside the white list is not protected. A black list lists the file types and directories of device data that do not need to be protected, and data outside the black list is the data that needs to be protected.
In an embodiment, the device data may be identified according to at least one protection data feature information, so as to obtain the device data to be protected.
For different protection data feature information, different identification modes may be provided to identify the device data, so as to obtain the device data to be protected.
For example, when the protection data feature information is "obtained through a screen capture or screen recording operation", the screen capture or screen recording operation on the computer device may be continuously detected. The picture and audio/video files generated by the screen capturing or recording operation may be the device data to be protected.
For another example, when the protection data feature information is a keyword of the file name or content of the device data to be protected, the device data in the computer device may be scanned. When the scanned file name or content hits a keyword in the protection data feature information, that device data may be the device data to be protected.
For another example, when the protection data characteristic information is a file type or directory path of the device data to be protected, the device data in the computer device may be scanned. When the file type or storage path of the scanned device data hits the file type or directory path in the protection data feature information, that device data may be the device data to be protected.
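The identification modes just described (white list or black list of file types and directory paths, and keyword hits on file name or content) can be written as a small set of rules evaluated over the device data. The following is an added example written for this page, not code from the patent; the profile layout, the sample paths and the file contents are constructed, and each piece of protection data characteristic information is modelled as one rule whose hits are combined by union.

```python
"""Identify device data to protect from a data protection configuration file.

Added example (not the patent's code). Each piece of protection data
characteristic information is one rule; the device data to be protected is
the union of the data hit by any rule.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field


@dataclass
class DeviceFile:
    path: str          # absolute path of the file on the device (constructed)
    content: str = ""  # text content, used only for keyword matching


@dataclass
class ListRule:
    """File types / directory paths stored as a white list or a black list."""
    mode: str                                        # "whitelist" or "blacklist"
    types: set[str] = field(default_factory=set)     # e.g. {".docx"}
    dirs: set[str] = field(default_factory=set)      # e.g. {"/home/u/work"}

    def _listed(self, f: DeviceFile) -> bool:
        ext = os.path.splitext(f.path)[1].lower()
        in_dir = any(f.path.startswith(d.rstrip("/") + "/") for d in self.dirs)
        return ext in self.types or in_dir

    def protects(self, f: DeviceFile) -> bool:
        listed = self._listed(f)
        # white list: only listed data is protected;
        # black list: everything except listed data is protected.
        return listed if self.mode == "whitelist" else not listed


@dataclass
class KeywordRule:
    """Keyword of the file name or content of the device data to be protected."""
    keywords: set[str]

    def protects(self, f: DeviceFile) -> bool:
        name = os.path.basename(f.path).lower()
        body = f.content.lower()
        return any(k.lower() in name or k.lower() in body for k in self.keywords)


def identify_protected(files, rules) -> set[str]:
    """Return the paths of the device data hit by at least one rule."""
    return {f.path for f in files if any(r.protects(f) for r in rules)}


# Constructed sample device data (hypothetical paths and contents).
SAMPLE_FILES = [
    DeviceFile("/home/u/work/plan.docx", "Q3 roadmap"),
    DeviceFile("/home/u/music/song.mp3"),
    DeviceFile("/tmp/notes.txt", "CONFIDENTIAL: salary table"),
    DeviceFile("/home/u/pictures/cat.png"),
]

if __name__ == "__main__":
    rules = [
        ListRule("whitelist", types={".docx"}, dirs={"/home/u/work"}),
        KeywordRule({"confidential"}),
    ]
    print(sorted(identify_protected(SAMPLE_FILES, rules)))
```

A white-list rule narrows protection to the listed data, a black-list rule widens it to everything not listed, and a keyword rule adds data regardless of type or location; a profile may carry several rules of either kind.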
For another example, when the protection data feature information is an access manner of the device data to be protected, the step of "identifying the device data according to at least one protection data feature information to obtain the device data to be protected" may include:
Based on the protection data characteristic information, detecting an access request for the device data;
When an access request for the device data is detected, performing verification processing on the access request;
When the verification of the access request is passed, detecting the device data access range corresponding to the access request;
and determining the device data to be protected according to the device data access range corresponding to the access request.
In an embodiment, access request detection may be performed on the device data based on the protection data characteristic information, that is, it may be detected whether there is a request to access the device data in the computer device. For example, it may be detected whether there is a request to access device data through the zero trust network.
When an access request for device data is detected, the access request may be subjected to a verification process that determines whether the access request qualifies for access to the device data. For example, the access request may be validated based on a zero trust network. For example, account information in the access request may be identified through a zero trust network. And carrying out verification processing on account information in the access request. For example, it may be determined whether the account information has authority to access data, whether the account information is an abnormal account, and the like.
In one embodiment, when the verification of the access request is passed, the device data access range corresponding to the access request may be detected. Then, the device data to be protected can be determined according to the device data access range corresponding to the access request. For example, after verification of an access request is passed, it may be checked which device data in the computer device the access request has accessed. The data requested for access may then all be determined to be the device data to be protected.
In an embodiment, after obtaining the device data to be protected, the range of data to be protected may be further enlarged based on the device data to be protected. This is because the device data in the computer device is dynamically changed, and new data may be continuously generated, so that the device data to be protected needs to be detected, thereby expanding the data range to be protected and improving the accuracy and reliability of data protection.
Therefore, an application process that performs a trigger operation on the device data to be protected can be detected. And then, carrying out expansion processing on the device data to be protected based on the application process to obtain the target device data to be protected.
Specifically, the step of performing expansion processing on the device data to be protected based on the application process to obtain the target device data to be protected may include:
Detecting the application process to obtain the device data associated with the application process;
denoising the associated device data to obtain denoised device data;
and integrating the denoised device data with the device data to be protected to obtain the target device data to be protected.
A process is one running activity of a program in a computer on a certain data set; it is the basic unit for which the system allocates and schedules resources, and is the basis of the operating system structure. The application process may include a process that performs a trigger operation on the device data to be protected. The trigger operation may include operations such as reading and writing.
In an embodiment, detecting an application process that performs a trigger operation on the device data to be protected indicates that a person, or the system, is operating on the device data to be protected. For example, the read and write operations of application processes on the device data to be protected may be detected through a file system minifilter driver (File System Minifilter Drivers).
In an embodiment, in order to reduce the amount of data to be detected, detection may focus mainly on application processes that perform a trigger operation on the device data to be protected through ReadFile. ReadFile is an application programming interface (Application Program Interface, API) that reads the contents or attributes of a file.
Then, it may be detected that the application process has just started its first operation of reading the device data. For example, it may be detected that an application process has just started to read the first content block of a file: the parameter of type FLT_IO_PARAMETER_BLOCK may be inspected to select read operations whose Offset is equal to 0.
Because there may be a large number of ReadFile operations when an application process reads device data (each time a content block of the file is read, a pointer identifies the read position), this method effectively reduces the amount of data to be detected and improves the performance of detecting application processes that touch the device data. Similarly, if the application process performs an operation of writing the target file, the application process is also placed in the detection range.
In one embodiment, the device data associated with the application process is obtained by performing detection processing on the application process. The device data associated with the application process may include device data encountered by the application process. Then, denoising the associated data to obtain denoised device data. For example, device data of a particular file format and a particular installation directory may be excluded from device data encountered by an application process. For example, portable executable (Portable Executable, PE) files may be filtered out. And then, integrating the denoised equipment data with the equipment data to be protected to obtain the target equipment data to be protected.
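The expansion step (detect the processes that first-read or write protected data, collect the other files those processes touch, drop PE files and installation directories, and merge with the set already identified) is shown below as an added example written for this page; it is not the patent's code and no minifilter driver is involved. The I/O events, paths and process ids are constructed stand-ins for what a minifilter would report, and the installation directories and PE extensions are assumed values.

```python
"""Expand the protected data set via the application processes that touch it.

Added example (not the patent's code). The events below are constructed to
stand in for ReadFile/WriteFile callbacks seen by a minifilter: a read with
offset 0 is the first block of a file, so it is the only read that counts.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class IoEvent:
    pid: int       # application process id (constructed)
    op: str        # "read" or "write"
    path: str      # full path of the file touched
    offset: int    # byte offset of the read; 0 for the first content block


PE_EXTENSIONS = {".exe", ".dll", ".sys"}                   # assumed PE file types
INSTALL_DIRS = (r"C:\Program Files", r"C:\Windows")        # assumed installation dirs


def is_trigger(ev: IoEvent, protected: set) -> bool:
    """A first-block read (Offset == 0) or any write of protected data counts."""
    if ev.path not in protected:
        return False
    return ev.op == "write" or (ev.op == "read" and ev.offset == 0)


def detect_processes(events, protected) -> set:
    """Processes that performed a trigger operation on the data to be protected."""
    return {ev.pid for ev in events if is_trigger(ev, protected)}


def associated_data(events, pids) -> set:
    """All device data touched by the detected processes."""
    return {ev.path for ev in events if ev.pid in pids}


def is_noise(path: str) -> bool:
    """Denoising: PE files and files under installation directories are excluded."""
    if ntpath.splitext(path)[1].lower() in PE_EXTENSIONS:
        return True
    return any(path.lower().startswith(d.lower() + "\\") for d in INSTALL_DIRS)


def denoise(paths) -> set:
    return {p for p in paths if not is_noise(p)}


def expand_protected(events, protected) -> set:
    """Target device data = identified data ∪ denoised data of the touching processes."""
    pids = detect_processes(events, protected)
    return set(protected) | denoise(associated_data(events, pids))


# Constructed I/O events; the second event is a later block of the same file.
SAMPLE_EVENTS = [
    IoEvent(100, "read", r"C:\Users\u\work\plan.docx", 0),
    IoEvent(100, "read", r"C:\Users\u\work\plan.docx", 4096),
    IoEvent(100, "read", r"C:\Program Files\Office\winword.exe", 0),
    IoEvent(100, "write", r"C:\Users\u\work\plan_copy.docx", 0),
    IoEvent(200, "read", r"C:\Users\u\work\plan.docx", 8192),   # not a first read
    IoEvent(200, "read", r"C:\Users\u\music\song.mp3", 0),
    IoEvent(300, "write", r"C:\Users\u\work\notes.txt", 0),
    IoEvent(300, "read", r"C:\Windows\System32\kernel32.dll", 0),
]
PROTECTED = {r"C:\Users\u\work\plan.docx", r"C:\Users\u\work\notes.txt"}

if __name__ == "__main__":
    print(sorted(expand_protected(SAMPLE_EVENTS, PROTECTED)))
```

Process 200 only reads a later block of a protected file, so it never enters the detection range and the unrelated song.mp3 it reads is not pulled in; process 100's copy of the plan is added, while the executables both processes load are filtered out as noise.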
103. Detecting changes to the target device data to obtain data change history information for the target device data, where the data change history information includes at least one piece of history change operation information.
In an embodiment, the data protection device may continuously perform change detection on the target device data, that is, detect whether a person performs a change operation on the target device data. The change operation may include create, copy, move, rename, write and delete operations. The history change operation information describes a change operation: what operation the user performed on the target device data at a certain point in time. For example, the history change operation information may describe what the change operation is and which target device data the change operation is aimed at. The data change history information indicates what operations the user performed on the target device data within a certain period of time; accordingly, it includes at least one piece of history change operation information. In addition, the data change history information may include other information related to the target device data, for example characteristic information such as the absolute path, modification time and hash value of the file corresponding to the target device data.
For example, for device data in a certain target file F1, the target file F1 is read by the process P1, renamed as F2 by the process P2, and finally deleted by the process P1. Then, the data change history information may be F1 (source file) - > P1 (modification type: read) - > P2-F2 (modification action: rename) - > P1 (modification action: delete). Wherein F1 (source file) - > P1 (modification type: read) may be history change operation information. P1 (modification type: read) - > P2-F2 (modification action: rename) may be historical change operation information.
In one embodiment, the step of "detecting the change of the target device data to obtain the data change history information for the target device data" may include:
detecting changes to the target device data;
When it is detected that an application process operates on the target device data, associating the change operation corresponding to the application process with the data identifier corresponding to the target device data to obtain history change operation information corresponding to the target device data;
and writing the history change operation information into a storage linked list corresponding to the target device data to obtain the data change history information.
In one embodiment, change detection may be performed on the target device data. For example, whether a user is operating on target device data may be continuously detected by a security service of the zero trust network. When the application process is detected to operate on the target device data, the user can be stated to operate on the target device data.
In an embodiment, when the application process is detected to operate on the target device data, the change operation corresponding to the application process and the data identifier corresponding to the target device data may be associated and processed, so as to obtain change operation information corresponding to the target device data. The data identifier corresponding to the target device data may be a unique identifier of the target device data, so that the currently operated target device data is distinguished from other device data. For example, for device data in a certain target file F1, if the target file F1 is read by the process P1, the data identifier corresponding to the target file may be F1. And then, carrying out association processing on the change operation corresponding to the application process and the data identifier corresponding to the target equipment data to obtain change operation information corresponding to the target equipment data. For example, F1 (source file) - > P1 (modification type: read) may be history change operation information.
In one embodiment, the history change operation information may be persisted.
For example, the history change operation information may be stored in the form of a linked list, so that the history change operation information forms the data change history information. In addition to storing the history change information through the linked list, other information of the target device data may be stored in the corresponding nodes of the linked list.
For example, after detecting that the target device data is read by the application process, the feature information of the application process is written into the next node of the target file, the modification type is marked as read, and the modification type is stored in a linked list form. Similarly, when it is detected that other application processes rename, write, move or delete the target device data, the feature information of the target device data is written into a new node after the last node of the linked list, and the corresponding modification type is marked.
The record stored in the persistent library is a change record of all target device data, and is composed of a plurality of storage structures similar to linked lists, and each linked list structure represents a change history record of the target device data. The last node of each linked list structure represents the current up-to-date state of the target device data.
In one embodiment, it should be noted that some scenarios generate new data. For example, the target terminal data is copied or moved as a file to another directory and then compressed together with other files into a new file. Because the original file is only read or moved, its change history in the persistent library contains only the records of it being read and moved, and does not contain a record for the newly generated file. However, based on step 102, because the application process touched the target device data, the files touched by that application process (excluding device data of a specific file format and a specific installation directory) are regarded as target device data and are objects to be managed. The newly generated file is therefore stored as a new record in the persistent library.
In one embodiment, the server may issue a specific rule to control deletion of historical modification operation information of the target device data in the persistent library. For example, when the process modification type corresponding to the last node of a link list structure is deletion, the data protection device may automatically delete the history change operation information in the link list after exceeding N time periods based on the rule of the server.
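The per-file storage linked list and the server-issued retention rule can be exercised on the page's own example (F1 read by P1, renamed to F2 by P2, deleted by P1). The block below is an added example written for this page, not the patent's code: the node fields, the integer clock, and the shape of the server rule (a list whose tail is a delete older than N periods is dropped) are assumptions.

```python
"""Storage linked list of change history per target file.

Added example (not the patent's code). One list per target file; the tail
node is the current state of the file; the persistent library holds all
lists, keyed by the source file path.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    path: str                    # full path of the file at this point in its history
    process: Optional[str]       # feature info of the operating process (None for the source)
    op: str                      # "source", read, rename, write, move, copy, delete, ...
    ts: int                      # time of the operation (constructed integer clock)
    nxt: Optional[Node] = None   # next node in the storage linked list


class ChangeHistory:
    """Linked list for one target file; the tail node is its current state."""

    def __init__(self, source_path: str, ts: int = 0):
        self.head = Node(source_path, None, "source", ts)
        self.tail = self.head

    def record(self, process: str, op: str, ts: int, new_path: Optional[str] = None) -> Node:
        """Append a history change operation after the last node."""
        node = Node(new_path or self.tail.path, process, op, ts)
        self.tail.nxt = node
        self.tail = node
        return node

    def current_path(self) -> str:
        return self.tail.path

    def chain(self) -> str:
        """Render in the page's notation: F1(source) -> P1(read) -> P2-F2(rename) ..."""
        parts, prev, n = [f"{self.head.path}(source)"], self.head, self.head.nxt
        while n:
            label = f"{n.process}-{n.path}" if n.path != prev.path else n.process
            parts.append(f"{label}({n.op})")
            prev, n = n, n.nxt
        return " -> ".join(parts)


class PersistentStore:
    """The persistent library: all change records, one linked list per file."""

    def __init__(self):
        self.lists: dict[str, ChangeHistory] = {}

    def record(self, path: str, process: str, op: str, ts: int,
               new_path: Optional[str] = None) -> ChangeHistory:
        """Append to the list whose tail currently names `path`, or open a new list."""
        hist = next((h for h in self.lists.values() if h.current_path() == path), None)
        if hist is None:
            hist = ChangeHistory(path, ts)
            self.lists[path] = hist
        hist.record(process, op, ts, new_path)
        return hist

    def apply_retention(self, now: int, n_periods: int) -> list:
        """Assumed server rule: drop lists whose tail is a delete older than N periods."""
        expired = [k for k, h in self.lists.items()
                   if h.tail.op == "delete" and now - h.tail.ts > n_periods]
        for k in expired:
            del self.lists[k]
        return expired


if __name__ == "__main__":
    store = PersistentStore()
    store.record("F1", "P1", "read", 1)
    store.record("F1", "P2", "rename", 2, new_path="F2")
    store.record("F2", "P1", "delete", 3)
    print(store.lists["F1"].chain())
```

Because a rename changes the path stored in the new node, later operations are looked up by the tail's current path, which is why the delete is recorded against F2 yet lands on F1's list.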
104. Determining at least one data leakage detection rule, and a data protection rule corresponding to the data leakage detection rule, according to the at least one piece of history change operation information.
The data leakage detection rule may specify a flow to be relied upon when performing data leakage detection on the target device data. Through the data leakage detection rule, the data protection device can know how to perform data leakage detection on the target device data, and under what scene, the target device data may have the risk of data leakage.
The data protection rule may specify a flow to be relied upon when the target device data is detected to have a data leakage risk. Through the data protection rule, the data protection device can know how to protect the target device data with the risk of data leakage.
In an embodiment, the data change history information may include at least one history change operation information, where data leak detection rules corresponding to different history change operation information may be different, and therefore, at least one data leak detection rule and a data protection rule corresponding to the data leak detection rule may be determined according to the at least one history change operation information.
Specifically, the step of determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one historical variation operation information may include:
mapping each piece of history change operation information based on preset rule mapping logic to obtain the data leakage detection rule corresponding to that history change operation information;
and mapping each data leakage detection rule based on preset association rule mapping logic to obtain the data protection rule corresponding to that data leakage detection rule.
The preset rule mapping logic may be preset logic for mapping the historical variation operation information to the corresponding data leakage detection rule. The mapping relation between the history change operation information and the data leakage detection rule is recorded in the preset rule mapping logic. When the history change operation information is mapped to the corresponding data leakage detection rule based on the preset rule mapping logic, the data leakage detection rule corresponding to the history change operation information can be determined according to the mapping relation in the preset rule mapping logic.
The preset association rule mapping logic may be preset logic for mapping the data leakage detection rule to a corresponding data protection rule. Similarly, the mapping relation between the leakage detection rule and the data protection rule is recorded in the preset association rule mapping logic. Therefore, the data protection rule corresponding to the leak detection rule can be determined from the mapping relation.
105. Performing data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result.
In an embodiment, the data leakage detection rule may specify the flow to be followed when performing data leakage detection on the target device data. The data leakage detection rule may include a rule condition for data leakage risk; using the rule condition, it may be determined whether there is a risk of data leakage when a user or an application process operates on a file related to the target device data. A data leakage risk does not require that data leakage has actually occurred: the risk exists as long as the operation of a user or an application process on the target device data may cause data leakage.
In one embodiment, the change operations on the target device data are varied and different history change operation information is not the same, so different history change operation information may correspond to different data leakage detection rules.
For example, the data leakage boundary condition of the data leakage detection rule may be: if a user accessing the target device data switches, there may be a risk of data leakage. For example, a user logging into a zero trust network is switched from user a to user B, and there may be a risk of data leakage.
For another example, the data leakage boundary condition of the data leakage detection rule may be: if the security assessment threshold of the subject accessing the target device data is lower than the preset security threshold, there may be a risk of data leakage. For example, if the security assessment threshold of the subject accessing the target device data is below a preset security threshold, the accessing subject may no longer be able to access the target device data and files associated with the target device data.
For another example, the data leakage boundary condition of the data leakage detection rule may be: if the network environment, access time and other data access factors of the subject of the access target device data are not satisfactory, there may be a risk of data leakage. For example, when a data access factor such as a network environment and an access time in which a subject accessing target device data is located hits a condition for prohibiting access to target device data in a data leakage detection rule, the access subject cannot access the target device data and a file related to the target device data.
For another example, the data leakage boundary condition of the data leakage detection rule may be: the risk that the data is sent to external systems including a third-party cloud disk, a business system and the like exists, and the risk of data leakage exists when the data is copied to mobile storage equipment or when sensitive operations such as audio and video type files are opened and recording is started.
In an embodiment, the data leakage detection flow in the data leakage rule may be different for different rule conditions.
For example, when the data leakage boundary condition of the data leakage detection rule is that the user accessing the target device data switches, the process of performing data leakage detection on the target device data may include: detecting the login account of the access subject, and when a change in the login account of the access subject is detected, indicating that there may be a risk of data leakage. For example, the zero trust network access service requires the terminal user to complete multi-factor identity authentication, including token (Token) login, short message authentication, biometric identification, etc., before access takes effect; if the authenticated user on the same terminal device changes from user A to user B, user B cannot access the enterprise data of user A.
For another example, if the data leakage boundary condition of the data leakage detection rule is that there may be a risk of data leakage when the security assessment score of the subject accessing the target device data is lower than the preset security threshold, the step of performing data leakage detection on the target device data according to at least one data leakage detection rule to obtain a detection result may include:
invoking a plurality of environment detection components to detect environment assessment scores of the historical variation operation information in a plurality of different dimensions based on the data leakage detection rules;
calculating a first security assessment score of the historical change operation information according to the environmental assessment scores of the historical change operation information in a plurality of different dimensions;
When the first security assessment score does not accord with a preset security threshold value, updating the first security assessment score to obtain a second security assessment score;
And when the second security assessment score does not accord with the preset security threshold value, generating a detection result of the risk of data leakage of the target equipment data.
In one embodiment, a plurality of environment detection components may be invoked, based on the data leakage detection rule, to detect environmental assessment scores of the history change operation information in a plurality of different dimensions.
The environment detection components may include, among others, a compliance security detection service component and a User and Entity Behavior Analytics (UEBA) component.
For example, the environment detection component may detect the environmental state in which the access subject or application process is located when operating on the target device data, such as the state of the network environment and the provisioning state of network resources of the access subject or application process. Environmental assessment scores may then be generated in a plurality of different dimensions. In general, the better the environmental state of the access subject or application process, the higher the corresponding environmental assessment score.
In one embodiment, a first security assessment score for the historical modification operation information may be calculated based on environmental assessment scores for the historical modification operation information over a plurality of different dimensions. For example, the environmental assessment score in each dimension may be weighted according to a certain weight, to obtain a plurality of weighted environmental assessment scores. And then, adding the weighted environmental assessment scores to obtain a first safety assessment score.
The first security assessment score may then be compared with the preset security threshold. When the first security assessment score does not meet the preset security threshold, the target device data may be at risk of data leakage. At this time, in order to improve the accuracy of data leakage detection, anti-leakage processing is not performed on the data immediately; instead, the first security assessment score may be updated to obtain a second security assessment score. For example, the data protection apparatus may acquire the latest history change operation information of the target device data and then calculate the second security assessment score based on it. When the second security assessment score does not meet the preset security threshold either, the target device data is at risk of data leakage, and a detection result indicating that the target device data has a data leakage risk can be generated.
In one embodiment, after the first security assessment score fails to meet the preset security threshold, the security assessment score may also be recomputed a limited number of times. When none of the security assessment scores meets the preset security threshold, a detection result indicating that the target device data has a data leakage risk can be generated.
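The weighted scoring and the re-evaluation before a leak verdict are shown below as an added example written for this page; it is not the patent's code. The three environment detection components are constructed stand-ins (a compliance check, a resource-provisioning check and a UEBA-style anomaly count), and the dimension weights, the threshold of 60 and the retry count are assumed values.

```python
"""Security assessment score from several environment detection components.

Added example (not the patent's code). A first score below the threshold does
not trigger protection by itself: the score is recomputed from the latest
history change operation information a limited number of times first.
"""
from typing import Callable, Dict, List, Tuple

WEIGHTS = {"network": 0.5, "resource": 0.3, "behavior": 0.2}  # assumed dimension weights
SECURITY_THRESHOLD = 60.0                                    # assumed preset threshold


def weighted_score(dim_scores: Dict[str, float], weights: Dict[str, float] = WEIGHTS) -> float:
    """Each dimension's environmental score times its weight, summed."""
    return round(sum(dim_scores[d] * w for d, w in weights.items()), 4)


def detect_environment(history_op: dict,
                       components: Dict[str, Callable[[dict], float]]) -> Dict[str, float]:
    """Invoke every environment detection component on one history change operation."""
    return {dim: comp(history_op) for dim, comp in components.items()}


def assess(history_ops: List[dict], components: Dict[str, Callable[[dict], float]],
           threshold: float = SECURITY_THRESHOLD, max_retries: int = 1) -> Tuple[bool, List[float]]:
    """Return (leak_risk, scores). history_ops[i] is the latest information at attempt i."""
    scores: List[float] = []
    for attempt in range(max_retries + 1):
        op = history_ops[min(attempt, len(history_ops) - 1)]
        score = weighted_score(detect_environment(op, components))
        scores.append(score)
        if score >= threshold:          # meets the preset security threshold: no risk
            return False, scores
    return True, scores                 # every attempt failed: leak risk detected


# Constructed environment detection components (stand-ins, not real services).
def compliance_component(op: dict) -> float:
    return 90.0 if op["network"] == "corporate" else 30.0


def resource_component(op: dict) -> float:
    return 80.0 if op["resources_provisioned"] else 40.0


def ueba_component(op: dict) -> float:
    return max(0.0, 100.0 - 10.0 * op["anomalies"])


COMPONENTS = {"network": compliance_component,
              "resource": resource_component,
              "behavior": ueba_component}

# Constructed history change operation information for two successive checks.
OP_WEAK = {"network": "public", "resources_provisioned": True, "anomalies": 5}
OP_STRONG = {"network": "corporate", "resources_provisioned": True, "anomalies": 0}

if __name__ == "__main__":
    print(assess([OP_WEAK, OP_STRONG], COMPONENTS))   # first 49.0, then 89.0
```

With the assumed weights the weak environment scores 49 and the strong one 89; the first failure alone does not produce a leak verdict, the second computation decides.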
For another example, the data leakage boundary condition of the data leakage detection rule may be: if the data access factors such as the network environment and the access time where the main body accessing the target device data is located do not meet the requirements, the step of performing data leakage detection on the target device data according to at least one data leakage detection rule to obtain a detection result may include:
detecting access description information of the target device data in at least one dimension based on the data leakage detection rule;
determining data leakage boundary conditions corresponding to the access description information of each dimension according to the data leakage detection rules;
and when the access description information accords with the data leakage boundary condition, generating a detection result of the risk of data leakage of the target equipment data.
The access description information of the target device data in at least one dimension may include access description information in an address dimension, a time dimension, a port dimension, and so on. For example, access description information in the time dimension may describe the time at which the access subject accessed the target device data. Access description information in the address dimension may describe the address from which the access subject accessed the target device data, for example whether the access subject accessed the target device data from China, from Canada, etc.; the address may also refer to the host address used when accessing the target device data, and so on.
In an embodiment, according to the data leakage detection rule, a data leakage boundary condition corresponding to the access description information of each dimension may be determined.
For example, for access description information in the time dimension, the data leakage boundary condition may be: when the access subject accesses the target device data during the non-working time, there is a risk of data leakage; and when the access subject accesses the target device data at working time, the risk of data leakage does not exist.
For another example, for access description information of the address dimension, the data leakage boundary condition may be that when the access subject accesses the target device data abroad, there is a risk of data leakage; and when the access subject accesses the target device data in China, the risk of data leakage does not exist.
In one embodiment, the access profile for each dimension may be compared to a corresponding data leakage boundary condition. When the access description information in a certain dimension accords with the data leakage boundary condition, the risk of data leakage is indicated, and a detection result of the risk of data leakage of the target equipment data is generated.
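The comparison of each dimension's access description information against its data leakage boundary condition is shown below as an added example written for this page, not the patent's code. The working-time window, the home country and the permitted port are assumed values, and the access records are constructed.

```python
"""Data leakage boundary conditions over access description information.

Added example (not the patent's code). One boundary condition per dimension;
a hit in any dimension yields a detection result of data leakage risk.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

WORK_HOURS = (9, 18)        # assumed working time, local hours [9, 18) on weekdays
HOME_COUNTRY = "CN"         # assumed: domestic access carries no leakage risk
ALLOWED_PORTS = {443}       # assumed permitted access port


@dataclass
class AccessDescription:
    time: datetime     # when the access subject accessed the target device data
    country: str       # country the access address resolves to (constructed)
    port: int          # port used for the access (constructed)


def outside_working_time(a: AccessDescription) -> bool:
    weekend = a.time.weekday() >= 5
    return weekend or not (WORK_HOURS[0] <= a.time.hour < WORK_HOURS[1])


def abroad(a: AccessDescription) -> bool:
    return a.country != HOME_COUNTRY


def unexpected_port(a: AccessDescription) -> bool:
    return a.port not in ALLOWED_PORTS


# Boundary condition per dimension: True means the condition is met (risk).
BOUNDARY_CONDITIONS: Dict[str, Callable[[AccessDescription], bool]] = {
    "time": outside_working_time,
    "address": abroad,
    "port": unexpected_port,
}


def risky_dimensions(access: AccessDescription,
                     conditions=BOUNDARY_CONDITIONS) -> List[str]:
    """Dimensions whose access description meets the data leakage boundary condition."""
    return [dim for dim, cond in conditions.items() if cond(access)]


def detection_result(access: AccessDescription) -> dict:
    hits = risky_dimensions(access)
    return {"leak_risk": bool(hits), "dimensions": hits}


# Constructed access records (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
NORMAL = AccessDescription(datetime(2024, 3, 12, 10, 0), "CN", 443)
NIGHT_ABROAD = AccessDescription(datetime(2024, 3, 12, 23, 0), "CA", 443)
WEEKEND_PORT = AccessDescription(datetime(2024, 3, 16, 10, 0), "CN", 8080)

if __name__ == "__main__":
    for a in (NORMAL, NIGHT_ABROAD, WEEKEND_PORT):
        print(detection_result(a))
```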
For another example, the data leakage boundary condition of the data leakage detection rule may be: the risk that the data is sent to external systems including a third-party cloud disk, a business system and the like exists, and the risk of data leakage exists when the data is copied to mobile storage equipment or when sensitive operations such as audio and video type files are opened and recording is started. For the data leakage detection rule, the rule is sent out in a violation mode, the data is copied to the mobile storage device, and enterprise resources are obtained through sensitive screen capturing operation. In a zero trust network access scenario, there are a large number of scenarios in which local data is transferred to an enterprise business system. Such as ticket applications by zero trust access agents, and traffic forwarding awareness by access agents and gateways. If the identification is to send the file to the enterprise business system, then a determination is made that a normal network access is being made. If the data is sent to an external system, determining that the data is illegal and sent out.
In an embodiment, for the above several data leakage detection rules, the data protection device has a corresponding weight setting, and the rule handling rule with higher weight limits the data operation more. For example, rule 4 has the highest weight, and when data is likely to be sent out to an external site or copied to a mobile storage device, the most severe measure is taken to interrupt the operation of the user, and the box prompts the user to report alarm data to the server.
106. When the detection result indicates that the target device data has a data leakage risk, performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device.
In an embodiment, the data protection rules corresponding to different data leakage detection rules may be different. For example, for the first to third data leakage detection rules in step 105, the same data protection rule may be used to perform anti-leakage processing on the target device data, so as to implement protection on the target device data in the computer device. And for the fourth data leakage detection rule in step 105, another data protection rule may be used to perform anti-leakage processing on the target device data to implement protection on the target device data in the computer device.
In one embodiment, the flow of data protection rules to be adopted is substantially the same for the first through third data leak detection rules in step 105, and fine-tuning may be made in terms of parameters. The purpose is to limit the access rights of the user to the target device data. Specifically, the step of performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule when the detection result indicates that the target device data has a data leakage risk, so as to realize protection of the target device data in the computer device, may include:
When the detection result represents that the target equipment data has data leakage risk, reading a storage linked list corresponding to the data change history information based on a data protection rule;
acquiring a full path file corresponding to target equipment data in a storage chain table;
and carrying out authority modification processing on the full-path file, and controlling the operation aiming at the target equipment data based on the data protection rule so as to realize the protection of the target equipment data in the computer equipment.
For example, the tail node of each linked list structure storing the history change operation information in the persistent library can be read, and the read, write and delete rights of the target device data are controlled according to the content of the data protection rule by modifying the operation rights of the full path file corresponding to the target device data. If the process in the device has illegal operation on the file or the file directory of the target device data, the data protection device can prevent the operation so as to realize the protection of the target device data.
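The handling flow for rules 1 to 3 reads the tail node of the storage linked list, resolves the full-path file and changes its operation rights. The following added example (not the patent's code) models that flow; the node layout, the in-memory stand-in for the persistent library, the rule parameters and the sample file history are assumptions. It uses the tail node because a rename recorded later in the list changes the full path, so only the newest node names the file that must be protected; read and write rights are applied as POSIX mode bits, and delete is withheld by the operation check that a file-system interception layer would consult.

```python
"""Permission-based anti-leakage handling for detection rules 1-3 (added illustration).

Constructed example: node layout, the in-memory persistent library and the
protection-rule parameters are assumptions, not the patent's own design."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ChangeNode:
    """One history change operation; nodes are chained oldest -> newest."""
    process: str
    operation: str          # "create", "write", "rename", ...
    full_path: str          # full path of the file after this operation
    next: Optional["ChangeNode"] = None


class PersistentLibrary:
    """Storage linked lists keyed by data identifier (in-memory stand-in)."""
    def __init__(self) -> None:
        self.heads: Dict[str, ChangeNode] = {}

    def append(self, data_id: str, node: ChangeNode) -> None:
        head = self.heads.get(data_id)
        if head is None:
            self.heads[data_id] = node
            return
        while head.next is not None:
            head = head.next
        head.next = node

    def tail(self, data_id: str) -> ChangeNode:
        """Newest history change operation information for the data identifier."""
        node = self.heads[data_id]
        while node.next is not None:
            node = node.next
        return node


# Protection rule parameters: which rights stay granted (assumed values).
PROTECTION_RULE = {"read": True, "write": False, "delete": False}


def apply_protection(lib: PersistentLibrary, data_id: str, rule=PROTECTION_RULE) -> str:
    """Read the tail node, resolve the full-path file and modify its mode bits so
    the owner keeps only the read/write rights the rule grants. Returns the path."""
    path = lib.tail(data_id).full_path
    mode = 0
    if rule["read"]:
        mode |= stat.S_IRUSR
    if rule["write"]:
        mode |= stat.S_IWUSR
    os.chmod(path, mode)
    return path


def check_operation(lib: PersistentLibrary, data_id: str, operation: str,
                    rule=PROTECTION_RULE) -> bool:
    """Decision for an operation a process attempts on the protected file;
    False means the data protection device blocks it (delete included)."""
    lib.tail(data_id)              # the file must have a recorded history
    return rule.get(operation, False)


def demo() -> dict:
    """Self-contained run over a constructed history for one file in a temp dir."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "report.docx")
        with open(path, "w") as f:
            f.write("constructed enterprise document")
        lib = PersistentLibrary()
        # The file was created under one name and renamed later: the tail node
        # is the only node that carries the current full path.
        lib.append("doc-001", ChangeNode("winword.exe", "create", os.path.join(tmp, "draft.docx")))
        lib.append("doc-001", ChangeNode("winword.exe", "rename", path))
        protected = apply_protection(lib, "doc-001")
        mode = stat.S_IMODE(os.stat(protected).st_mode)
        decisions = {op: check_operation(lib, "doc-001", op) for op in ("read", "write", "delete")}
        os.chmod(protected, 0o600)   # restore so the temp dir can be removed
        return {"path": protected, "mode": mode, "decisions": decisions}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```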
In one embodiment, for the fourth data leakage detection rule in step 105, dynamic encryption operations may be performed on the target device data in addition to limiting the user's execution access rights to the target device data. Specifically, the step of performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule when the detection result indicates that the target device data has a data leakage risk, so as to realize protection of the target device data in the computer device, may include:
When the detection result represents that the target equipment data has a data leakage risk, determining the equipment data to be encrypted in the target equipment data;
generating an encryption key based on the data protection rule;
and encrypting the device data to be encrypted based on the encryption key to obtain encrypted device data so as to protect target device data in the computer device.
The encryption algorithm and the key are agreed between the terminal and the server in advance. Instead of dynamically encrypting all target device data, only the target device data that may be at risk of data leakage is dynamically encrypted at file level. Therefore, when the detection result indicates that the target device data has a data leakage risk, the device data to be encrypted can be determined within the target device data. The encryption key may then be generated according to the data protection rule. The data protection rule may include the encryption algorithm agreed by the terminal and the server, so that an encryption key may be generated based on that algorithm. Then, the device data to be encrypted can be encrypted based on the encryption key to obtain encrypted device data, so that the target device data in the computer device is protected.
In an embodiment, the encryption operation is recorded in the persistent library, and when the encrypted device data returns to a normal state (that is, the state crosses back from the leakage-risk side of the boundary to the data-security side; for example, after logged-in user A switches to another user and later switches back to user A), a dynamic decryption operation can be performed automatically on the encrypted device data so as to restore it to the target device data. Specifically, the embodiment of the application may further include:
performing data leakage detection on the encrypted equipment data to obtain a detection result;
and when the detection result indicates that the encrypted equipment data does not have the risk of data leakage, decrypting the encrypted equipment data so as to restore the encrypted equipment data to the target equipment data.
The step of performing data leakage detection on the encrypted device data may refer to step 105, and will not be described in detail herein. And then, when the detection result represents that the encrypted device data has no data leakage risk, decrypting the encrypted device data so as to restore the encrypted device data to the target device data.
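The rule 4 handling path (encrypt only the at-risk data with a key derived under the rule's agreed algorithm, record the operation in the persistent library, decrypt automatically once detection reports no risk) is shown end to end in the added example below. It is not the patent's code: the patent states only that the algorithm and key are agreed between terminal and server, so the shared secret, the key-derivation labels and the HMAC-SHA256 keystream with an encrypt-then-MAC tag are constructed for the example, chosen so that it runs with the Python standard library alone; a deployment would use an authenticated cipher such as AES-GCM in the same role. The file contents are held in a dictionary standing in for the file system.

```python
"""Dynamic file-level encryption for detection rule 4 and automatic decryption
when the risk clears (added illustration, not the patent's code).

Constructed example: the shared secret, key-derivation labels and the
HMAC-based keystream are assumptions made so the code runs offline."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

SHARED_SECRET = b"constructed-terminal-server-secret"   # assumed agreed out of band


def generate_key(rule: Dict[str, str], data_id: str, nonce: bytes) -> bytes:
    """Per-file key derived from the rule's agreed algorithm and the shared secret."""
    if rule.get("algorithm") != "hmac-sha256-stream":   # assumed algorithm name
        raise ValueError("encryption algorithm not agreed with the server")
    return hmac.new(SHARED_SECRET, b"file-key|" + data_id.encode() + b"|" + nonce,
                    hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Returns (ciphertext, tag); the tag binds nonce and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("encrypted device data was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class DynamicProtector:
    """Encrypts only at-risk target device data and records each operation in
    the persistent library so it can be undone once the risk clears."""

    def __init__(self, rule: Dict[str, str]) -> None:
        self.rule = rule
        self.library: Dict[str, dict] = {}   # data_id -> recorded encryption operation
        self.files: Dict[str, bytes] = {}    # data_id -> current bytes (file-system stand-in)

    def store(self, data_id: str, content: bytes) -> None:
        self.files[data_id] = content

    def on_detection(self, data_id: str, at_risk: bool) -> str:
        """Apply the detection result for one item of target device data."""
        if at_risk and data_id not in self.library:
            nonce = os.urandom(16)
            key = generate_key(self.rule, data_id, nonce)
            ct, tag = encrypt(key, nonce, self.files[data_id])
            self.files[data_id] = ct
            self.library[data_id] = {"nonce": nonce, "tag": tag}
            return "encrypted"
        if not at_risk and data_id in self.library:
            rec = self.library.pop(data_id)
            key = generate_key(self.rule, data_id, rec["nonce"])
            self.files[data_id] = decrypt(key, rec["nonce"], self.files[data_id], rec["tag"])
            return "decrypted"
        return "unchanged"


if __name__ == "__main__":
    p = DynamicProtector({"algorithm": "hmac-sha256-stream"})
    p.store("doc-001", b"constructed enterprise document")
    print(p.on_detection("doc-001", True))    # user switched: encrypted
    print(p.on_detection("doc-001", False))   # user switched back: decrypted
```

Only the data flagged by detection is ever touched, so a file that stays on the safe side of the boundary is never encrypted or decrypted at all, which is the point the patent makes about reducing the damage rate compared with continuous encryption and decryption.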
In one embodiment, it should be noted that the data protection rule for data leakage changes dynamically: the weight of the data protection rule, its parameters (limiting the read, write and delete rights of the target file, etc.), and the matching relationship between the parameters and the corresponding data leakage detection rule may all change dynamically. For an enterprise system, an administrator can flexibly and efficiently adjust or eliminate the influence of handling measures on the original data by adjusting the handling strategy, so that the huge risk that the business and resource systems of the enterprise are held hostage by a document- and disk-level encryption and decryption system can be avoided, and the cost of adjusting the data protection strategy is reduced for the enterprise while the degree of data security is ensured.
In the embodiment of the application, the device data of the computer device and the data protection configuration file can be obtained, where the data protection configuration file indicates the data to be protected; the device data is identified based on the data protection configuration file to obtain target device data to be protected; change detection is performed on the target device data to obtain data change history information for the target device data, where the data change history information includes at least one history change operation information; at least one data leakage detection rule and the data protection rule corresponding to it are determined according to the at least one history change operation information; data leakage detection is performed on the target device data according to the at least one data leakage detection rule to obtain a detection result; and when the detection result indicates that the target device data has a data leakage risk, anti-leakage processing is performed on the target device data based on the data protection rule corresponding to the data leakage detection rule. Compared with the prior art, the disk encryption mode has coarse granularity and poor flexibility, while file-level dynamic encryption and decryption does not greatly influence or change the usage habits of an operator. However, frequent encryption and decryption of the target device data results in a high damage rate of the target device data. The scheme of the application operates at the boundary between data security and leakage risk. The data leakage detection rule can also raise the degree of leakage detection for the target device data that is prone to leakage, so the probability of encrypting and decrypting the target device data is greatly reduced, and compared with the prior art the data damage rate is greatly reduced.
On the other hand, the scheme provided by the invention comprises a dynamic data leakage detection rule for defining the boundary between data security and the risk of data leakage. When the data leakage detection rule is adjusted or the data is offline, an administrator can flexibly and efficiently adjust or eliminate the influence of the data protection measures on the data of the target equipment by adjusting the data protection logic, the offline risk is extremely low, and the flexibility of data protection is improved. In addition, for the enterprise system, the invention can avoid the huge risk that the business and resource system of the enterprise is hijacked by the document and disk-level encryption and decryption system, and reduce the cost of adjusting the data protection strategy of the enterprise while ensuring the data security degree.
According to the method described in the above embodiments, examples are described in further detail below.
The embodiment of the application will be described by taking the example of integrating the data protection method on the terminal.
In one embodiment, as shown in fig. 5, a data protection method specifically includes the following steps:
201. The terminal acquires device data of the terminal and a data protection configuration file, wherein the data protection configuration file indicates data to be protected.
For example, the terminal may be a personal terminal or an enterprise configured terminal having enterprise data stored thereon.
202. And the terminal performs identification processing on the device data based on the data protection configuration file to obtain target device data to be protected.
For example, for an enterprise, it is necessary to identify and protect enterprise data in a terminal.
For example, screen shots or screen recordings on the terminal may be continuously detected. The pictures and audio-video files generated by the screen capturing or recording operation may be enterprise data.
As another example, device data in the terminal may be scanned. When the file name or content of the device data hits the protected data feature information during scanning, the device data may be enterprise data.
As another example, device data in the terminal may be scanned. When the file type or storage path of the device data hits a file type or directory path in the protected data feature information, the device data may be enterprise data.
For another example, directories and files operated by trusted applications that can successfully access enterprise resources through a zero trust network are enterprise data.
An application that successfully accesses the enterprise business system through the zero trust network is listed as a key detection object. The files read and written (touched) by the application process and its derived sub-processes are regarded as enterprise data.
The above four methods are configured in combination by the management end; any one of them, or all of them, may be enabled, and various combinations can be executed flexibly according to the extent to which the enterprise wants to manage its data. If none of the four items is configured, the enterprise may be considered to have turned off the data protection function.
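The four identification methods and their combined configuration can be exercised with a small classifier. The added example below is not the patent's code: the configuration keys, the feature values, the constructed file records and the process tree used to follow a trusted application's derived sub-processes are all assumptions. It returns, for each scanned file, the list of methods that matched, and an empty configuration switches identification off entirely, as the text describes.

```python
"""Configuration-driven identification of enterprise data, step 202 (added illustration).

Constructed example: configuration keys, feature values, file records and the
process tree are assumptions; the patent names the four methods, not a format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FileRecord:
    path: str
    content: str = ""
    origin: str = ""                                   # "screen_capture", "screen_record" or ""
    touched_by: Set[str] = field(default_factory=set)  # processes that read or wrote the file


# Management-end configuration (assumed keys); an empty dict turns protection off.
CONFIG = {
    "screen_capture": True,                 # method 1: screenshots / screen recordings
    "keywords": ["confidential", "payroll"],  # method 2: protected data feature information
    "file_types": [".docx", ".xlsx"],       # method 3: file types ...
    "paths": ["/home/u/enterprise/"],       # ... and directory paths
    "trusted_apps": {"zt-browser"},         # method 4: applications admitted by zero trust
}

# child process -> parent process (constructed); None marks a root process
PROCESS_TREE: Dict[str, Optional[str]] = {"zt-browser": None, "helper.exe": "zt-browser", "notepad": None}


def protection_enabled(config: dict) -> bool:
    """False when none of the four items is configured."""
    return any(bool(v) for v in config.values())


def trusted_lineage(process: Optional[str], trusted_apps: Set[str],
                    tree: Dict[str, Optional[str]] = PROCESS_TREE) -> bool:
    """True if the process or any ancestor is a trusted zero-trust application."""
    seen: Set[str] = set()
    while process is not None and process not in seen:
        if process in trusted_apps:
            return True
        seen.add(process)
        process = tree.get(process)
    return False


def identify(records: List[FileRecord], config: dict) -> Dict[str, List[str]]:
    """path -> methods that flagged the file as enterprise data (empty = not flagged)."""
    result: Dict[str, List[str]] = {}
    for r in records:
        hits: List[str] = []
        if config.get("screen_capture") and r.origin in ("screen_capture", "screen_record"):
            hits.append("screen_capture")
        text = (r.path.rsplit("/", 1)[-1] + " " + r.content).lower()
        if any(k.lower() in text for k in config.get("keywords", [])):
            hits.append("feature_keyword")
        if any(r.path.endswith(ext) for ext in config.get("file_types", [])) or \
                any(r.path.startswith(p) for p in config.get("paths", [])):
            hits.append("type_or_path")
        trusted = config.get("trusted_apps", set())
        if any(trusted_lineage(p, trusted) for p in r.touched_by):
            hits.append("trusted_app")
        result[r.path] = hits
    return result


def protected_files(result: Dict[str, List[str]]) -> List[str]:
    """Target device data to be protected: every path flagged by at least one method."""
    return sorted(path for path, hits in result.items() if hits)


# Constructed sample records, one per method plus one ordinary file.
SAMPLE_RECORDS = [
    FileRecord("/home/u/Pictures/shot1.png", origin="screen_capture"),
    FileRecord("/tmp/notes.txt", content="quarterly payroll figures"),
    FileRecord("/home/u/enterprise/plan.docx"),
    FileRecord("/tmp/export.csv", touched_by={"helper.exe"}),   # child of zt-browser
    FileRecord("/tmp/readme.txt", content="hello", touched_by={"notepad"}),
]


if __name__ == "__main__":
    for path, hits in identify(SAMPLE_RECORDS, CONFIG).items():
        print(path, hits)
```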
203. The terminal performs change detection on the target device data to obtain data change history information aiming at the target device data, wherein the data change history information comprises at least one history change operation information.
204. And the terminal determines at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one historical variation operation information.
205. And the terminal performs data leakage detection on the target equipment data according to at least one data leakage detection rule to obtain a detection result.
For example, the data leakage boundary condition of the data leakage detection rule may be: if a user accessing enterprise data switches, there may be a risk of data leakage. For example, a user logging into a zero trust network is switched from user a to user B, and there may be a risk of data leakage.
For another example, the data leakage boundary condition of the data leakage detection rule may be: if the security assessment score of the principal accessing the enterprise data is below a preset security threshold, there may be a risk of data leakage. For example, if the security assessment score of the principal accessing the enterprise data is below the preset security threshold, the accessing principal can no longer access the enterprise data and the files related to the enterprise data.
For another example, the data leakage boundary condition of the data leakage detection rule may be: if the network environment, access time and other data access factors of the principal accessing the enterprise data do not meet the requirements, there may be a risk of data leakage. For example, when a data access factor such as the network environment or access time of the principal accessing the enterprise data hits a condition in the data leakage detection rule that prohibits access to enterprise data, the accessing principal cannot access the enterprise data and the files related to the enterprise data.
For another example, the data leakage boundary condition of the data leakage detection rule may be: there is a risk that the enterprise data is sent to external systems including a third-party cloud disk, a business system and the like, and there is a risk of data leakage when the enterprise data is copied to a mobile storage device or when sensitive operations such as opening audio and video files and starting screen recording are performed.
206. When the detection result represents that the target equipment data has the data leakage risk, the terminal performs anti-leakage processing on the target equipment data based on the data protection rule corresponding to the data leakage detection rule so as to realize protection of the target equipment data in the computer equipment.
For example, the tail node of each linked list structure storing the history change operation information in the persistent library can be read, and the read, write and delete rights of the enterprise data are controlled according to the content of the data protection rule by modifying the operation rights of the full path file corresponding to the enterprise data. If the process in the device has illegal operation on the file or the file directory of the target device data, the data protection device can prevent the operation so as to realize the protection of the enterprise data.
In the embodiment of the application, a terminal acquires equipment data of the terminal and a data protection configuration file, wherein the data protection configuration file indicates data to be protected; the terminal performs identification processing on the equipment data based on the data protection configuration file to obtain target equipment data to be protected; the terminal performs change detection on the target equipment data to obtain data change history information aiming at the target equipment data, wherein the data change history information comprises at least one history change operation information; the terminal determines at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to at least one historical variation operation information; the terminal performs data leakage detection on the target equipment data according to at least one data leakage detection rule to obtain a detection result; when the detection result represents that the target equipment data has the data leakage risk, the terminal performs anti-leakage processing on the target equipment data based on the data protection rule corresponding to the data leakage detection rule, so that the target equipment data in the computer equipment is protected, and the flexibility of data protection can be improved.
In order to better implement the data protection method provided by the embodiment of the application, in an embodiment, a data protection device is also provided, and the data protection device can be integrated in computer equipment. Where nouns have the same meaning as in the data protection method described above, specific implementation details may be referred to in the description of the method embodiments.
In one embodiment, a data protection device is provided, which may be integrated in a computer apparatus, as shown in fig. 6, and includes: an acquisition unit 301, an identification unit 302, a change detection unit 303, a rule determination unit 304, a data leakage detection unit 305, and a leakage prevention unit 306, specifically as follows:
an obtaining unit 301, configured to obtain device data of a computer device, and a data protection configuration file, where the data protection configuration file indicates data that needs to be protected;
the identifying unit 302 is configured to identify the device data based on the data protection configuration file, so as to obtain target device data to be protected;
A change detection unit 303, configured to perform change detection on the target device data, and obtain data change history information for the target device data, where the data change history information includes at least one history change operation information;
A rule determining unit 304, configured to determine at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one historical variation operation information;
A data leakage detection unit 305, configured to perform data leakage detection on the target device data according to the at least one data leakage detection rule, so as to obtain a detection result;
And the anti-leakage unit 306 is configured to perform anti-leakage processing on the target device data based on a data protection rule corresponding to the data leakage detection rule when the detection result indicates that the target device data has a data leakage risk, so as to realize protection of the target device data in the computer device.
In an embodiment, the identifying unit 302 may include:
The file analysis subunit is used for analyzing the data protection configuration file to obtain at least one piece of protection data characteristic information;
the identification processing subunit is used for carrying out identification processing on the equipment data according to the at least one piece of protection data characteristic information to obtain the equipment data to be protected;
the process detection subunit is used for detecting an application process for triggering the equipment data to be protected;
and the expansion subunit is used for carrying out expansion processing on the equipment data to be protected based on the application process to obtain target equipment data to be protected.
In an embodiment, the identification processing subunit may include:
The request detection module is used for detecting the access request of the equipment data based on the protection data characteristic information;
the verification module is used for carrying out verification processing on the access request when the access request aiming at the equipment data is detected;
the range detection module is used for detecting the equipment data access range corresponding to the access request when the verification of the access request is passed;
And the data determining module is used for determining the equipment data to be protected according to the equipment data access range corresponding to the access request.
In an embodiment, the expansion subunit may include:
the detection module is used for detecting the application process to obtain the equipment data associated with the application process;
The denoising module is used for denoising the associated equipment data to obtain denoised equipment data;
and the integration module is used for integrating the denoised equipment data and the equipment data to be protected to obtain the target equipment data to be protected.
In an embodiment, the data leakage detecting unit 305 may include:
a calling subunit, configured to call a plurality of environment detection components to detect environmental assessment values of the history variation operation information in a plurality of different dimensions based on the data leakage detection rule;
a score calculating unit for calculating a first security assessment score of the history change operation information according to the environmental assessment scores of the history change operation information in the plurality of different dimensions;
The score updating unit is used for updating the first security assessment score to obtain a second security assessment score when the first security assessment score does not accord with a preset security threshold;
And the first result generating unit is used for generating a detection result of the risk of data leakage of the target equipment data when the second security assessment score does not accord with a preset security threshold value.
In an embodiment, the data leakage detecting unit 305 may include:
an information detection subunit, configured to detect access description information of the target device data in at least one dimension based on the data leakage detection rule;
The condition detection subunit is used for determining the data leakage boundary condition corresponding to the access description information of each dimension according to the data leakage detection rule;
And the second result generating unit is used for generating a detection result of the risk of data leakage of the target equipment data when the access description information accords with the data leakage boundary condition.
In an embodiment, the leakage preventing unit 306 may include:
The reading subunit is used for reading a storage linked list corresponding to the data change history information based on the data protection rule when the detection result represents that the target equipment data has a data leakage risk;
a file acquisition subunit, configured to acquire a full path file corresponding to the target device data in the storage linked list;
And the permission modification unit is used for performing permission modification processing on the full-path file and controlling the operation on the target equipment data based on the data protection rule so as to realize the protection of the target equipment data in the computer equipment.
In an embodiment, the leakage preventing unit 306 may include:
An encryption data determining subunit, configured to determine, when the detection result characterizes that the target device data has a data leakage risk, device data to be encrypted in the target device data;
A key generation subunit, configured to generate an encryption key based on the data protection rule;
And the encryption processing subunit is used for carrying out encryption processing on the equipment data to be encrypted based on the encryption key to obtain encrypted equipment data so as to realize the protection of target equipment data in the computer equipment.
In an embodiment, the leakage preventing unit 306 may further include:
the data leakage detection subunit is used for carrying out data leakage detection on the encrypted equipment data to obtain a detection result;
And the decryption subunit is used for decrypting the encrypted equipment data when the detection result represents that the encrypted equipment data has no data leakage risk, so as to restore the encrypted equipment data to the target equipment data.
In an embodiment, the change detection unit 303 may include:
A change detection subunit, configured to perform change detection on the target device data;
The association processing subunit is used for carrying out association processing on the change operation corresponding to the application process and the data identifier corresponding to the target equipment data when the application process is detected to operate on the target equipment data, so as to obtain history change operation information corresponding to the target equipment data;
And the writing subunit is used for writing the history change operation information into a storage chain table corresponding to the target equipment data to obtain the data change history information.
In an embodiment, the rule determining unit 304 may include:
the first mapping subunit is used for mapping each piece of history change operation information based on preset rule mapping logic to obtain a data leakage detection rule corresponding to each piece of history change operation information;
and the second mapping subunit is used for mapping each data leakage detection rule based on preset association rule mapping logic to obtain a data protection rule corresponding to each data leakage detection rule.
In the implementation, each unit may be implemented as an independent entity, or may be implemented as the same entity or several entities in any combination, and the implementation of each unit may be referred to the foregoing method embodiment, which is not described herein again.
The data protection device can improve the flexibility of data protection.
The embodiment of the application also provides a computer device, which can comprise a terminal or a server, for example, the computer device can be used as a data protection terminal, and the terminal can be a mobile phone, a tablet computer and the like; for another example, the computer device may be a server, such as a data protection server, or the like. As shown in fig. 7, a schematic structural diagram of a terminal according to an embodiment of the present application is shown, specifically:
the computer device may include one or more processors 401 of a processing core, memory 402 of one or more computer readable storage media, a power supply 403, and an input unit 404, among other components. Those skilled in the art will appreciate that the computer device structure shown in FIG. 7 is not limiting of the computer device and may include more or fewer components than shown, or may be combined with certain components, or a different arrangement of components. Wherein:
The processor 401 is the control center of the computer device, connects the various parts of the entire computer device using various interfaces and lines, and performs the various functions of the computer device and processes data by running or executing software programs and/or modules stored in the memory 402 and calling data stored in the memory 402. Optionally, the processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and the like, and the modem processor mainly handles wireless communication. It will be appreciated that the modem processor described above may also not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by executing the software programs and modules stored in the memory 402. The memory 402 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the computer device, etc. In addition, memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.
The computer device further comprises a power supply 403 for supplying power to the various components, preferably the power supply 403 may be logically connected to the processor 401 by a power management system, so that functions of charge, discharge, and power consumption management may be performed by the power management system. The power supply 403 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The computer device may also include an input unit 404, which input unit 404 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the computer device may further include a display unit or the like, which is not described herein. In particular, in this embodiment, the processor 401 in the computer device loads executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and the processor 401 executes the application programs stored in the memory 402, so as to implement various functions as follows:
Acquiring equipment data of computer equipment and a data protection configuration file, wherein the data protection configuration file indicates data to be protected;
Identifying the equipment data based on the data protection configuration file to obtain target equipment data to be protected;
Detecting the change of the target equipment data to obtain data change history information aiming at the target equipment data, wherein the data change history information comprises at least one history change operation information;
determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one historical variation operation information;
performing data leakage detection on the target equipment data according to the at least one data leakage detection rule to obtain a detection result;
When the detection result represents that the target equipment data has the data leakage risk, performing anti-leakage processing on the target equipment data based on the data protection rule corresponding to the data leakage detection rule so as to realize protection of the target equipment data in the computer equipment.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the methods provided in the various alternative implementations of the above embodiments.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods of the above embodiments may be performed by a computer program, or by related hardware under the control of a computer program, where the computer program may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present application further provides a storage medium storing a computer program that can be loaded by a processor to perform the steps of any of the data protection methods provided by the embodiments of the present application. For example, the computer program may perform the following steps:
acquiring device data of a computer device and a data protection configuration file, wherein the data protection configuration file indicates data to be protected;
identifying the device data based on the data protection configuration file to obtain target device data to be protected;
detecting changes to the target device data to obtain data change history information for the target device data, wherein the data change history information comprises at least one piece of history change operation information;
determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information;
performing data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result; and
when the detection result indicates that the target device data is at risk of data leakage, performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device.
For the specific implementation of each of the above operations, refer to the previous embodiments; it is not repeated here.
Since the computer program stored in the storage medium can execute the steps of any data protection method provided by the embodiments of the present application, it achieves the beneficial effects of any such method; see the detailed description of the previous embodiments, which is not repeated here.
The foregoing has described in detail a data protection method, apparatus, computer device and storage medium provided by embodiments of the present application. Specific examples have been used to illustrate the principles and embodiments of the present application, and are provided only to assist in understanding the method and core idea of the application. Since those skilled in the art will vary the specific embodiments and the scope of application in light of the ideas of the present application, this description should not be construed as limiting the application.

Claims (15)

1. A method of protecting data, comprising:
acquiring device data of a computer device and a data protection configuration file, wherein the data protection configuration file indicates data to be protected;
identifying the device data based on the data protection configuration file to obtain target device data to be protected;
detecting changes to the target device data to obtain data change history information for the target device data, wherein the data change history information comprises at least one piece of history change operation information;
determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information;
performing data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result; and
when the detection result indicates that the target device data is at risk of data leakage, performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device.
2. The method according to claim 1, wherein identifying the device data based on the data protection configuration file to obtain the target device data to be protected comprises:
parsing the data protection configuration file to obtain at least one piece of protection data feature information;
identifying the device data according to the at least one piece of protection data feature information to obtain device data to be protected;
detecting an application process that triggers the device data to be protected; and
expanding the device data to be protected based on the application process to obtain the target device data to be protected.
3. The method according to claim 2, wherein identifying the device data according to the at least one piece of protection data feature information to obtain the device data to be protected comprises:
detecting an access request for the device data based on the protection data feature information;
when an access request for the device data is detected, verifying the access request;
when the access request passes verification, detecting the device data access range corresponding to the access request; and
determining the device data to be protected according to the device data access range corresponding to the access request.
4. The method according to claim 2, wherein expanding the device data to be protected based on the application process to obtain the target device data to be protected comprises:
detecting the application process to obtain device data associated with the application process;
denoising the associated device data to obtain denoised device data; and
integrating the denoised device data with the device data to be protected to obtain the target device data to be protected.
5. The method according to claim 1, wherein performing data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result comprises:
invoking a plurality of environment detection components to detect, based on the data leakage detection rule, environment assessment values of the history change operation information in a plurality of different dimensions;
calculating a first security assessment score for the history change operation information from its environment assessment values in the plurality of different dimensions;
when the first security assessment score does not meet a preset security threshold, updating the first security assessment score to obtain a second security assessment score; and
when the second security assessment score does not meet the preset security threshold, generating a detection result indicating that the target device data is at risk of data leakage.
6. The method according to claim 1, wherein performing data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result comprises:
detecting access description information of the target device data in at least one dimension based on the data leakage detection rule;
determining, according to the data leakage detection rule, a data leakage boundary condition corresponding to the access description information of each dimension; and
when the access description information meets the data leakage boundary condition, generating a detection result indicating that the target device data is at risk of data leakage.
7. The method according to claim 1, wherein when the detection result indicates that the target device data is at risk of data leakage, performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device, comprises:
when the detection result indicates that the target device data is at risk of data leakage, reading a storage linked list corresponding to the data change history information based on the data protection rule;
obtaining, from the storage linked list, the full-path file corresponding to the target device data; and
modifying the permissions of the full-path file, and controlling operations on the target device data based on the data protection rule, so as to protect the target device data in the computer device.
8. The method according to claim 1, wherein when the detection result indicates that the target device data is at risk of data leakage, performing anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device, comprises:
when the detection result indicates that the target device data is at risk of data leakage, determining the device data to be encrypted within the target device data;
generating an encryption key based on the data protection rule; and
encrypting the device data to be encrypted with the encryption key to obtain encrypted device data, so as to protect the target device data in the computer device.
9. The method according to claim 8, further comprising:
performing data leakage detection on the encrypted device data to obtain a detection result; and
when the detection result indicates that the encrypted device data is not at risk of data leakage, decrypting the encrypted device data so as to restore it to the target device data.
10. The method according to claim 1, wherein detecting changes to the target device data to obtain the data change history information for the target device data comprises:
detecting changes to the target device data;
when an application process is detected operating on the target device data, associating the change operation corresponding to the application process with the data identifier corresponding to the target device data to obtain history change operation information corresponding to the target device data; and
writing the history change operation information into a storage linked list corresponding to the target device data to obtain the data change history information.
11. The method according to claim 1, wherein determining at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information comprises:
mapping each piece of history change operation information based on preset rule mapping logic to obtain the data leakage detection rule corresponding to that piece of history change operation information; and
mapping each data leakage detection rule based on preset association rule mapping logic to obtain the data protection rule corresponding to that data leakage detection rule.
12. A data protection apparatus, comprising:
an acquisition unit configured to acquire device data of a computer device and a data protection configuration file, wherein the data protection configuration file indicates data to be protected;
an identification unit configured to identify the device data based on the data protection configuration file to obtain target device data to be protected;
a change detection unit configured to detect changes to the target device data and obtain data change history information for the target device data, wherein the data change history information comprises at least one piece of history change operation information;
a rule determining unit configured to determine at least one data leakage detection rule and a data protection rule corresponding to the data leakage detection rule according to the at least one piece of history change operation information;
a data leakage detection unit configured to perform data leakage detection on the target device data according to the at least one data leakage detection rule to obtain a detection result; and
an anti-leakage unit configured to, when the detection result indicates that the target device data is at risk of data leakage, perform anti-leakage processing on the target device data based on the data protection rule corresponding to the data leakage detection rule, so as to protect the target device data in the computer device.
13. A computer device comprising a memory and a processor; the memory stores an application program, and the processor is configured to execute the application program in the memory to perform the operations in the data protection method according to any one of claims 1 to 11.
14. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the steps in the data protection method of any one of claims 1 to 11.
15. A computer program product comprising a computer program or instructions which, when executed by a processor, carries out the steps of the data protection method of any one of claims 1 to 11.
CN202211329976.4A 2022-10-27 2022-10-27 Data protection method, device, computer equipment and storage medium Pending CN117992994A (en)

Publications (1)

Publication Number Publication Date
CN117992994A true CN117992994A (en) 2024-05-07

Family

ID=90899790
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination