CN1838587A - Document transmission monitoring method based on course association - Google Patents
- Publication number: CN1838587A (application CN200610039898.9A)
- Authority: CN (China)
- Prior art keywords: file, packet, network, document transmission, monitoring method
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention relates to a file transmission monitoring method based on process association. A file access monitoring point is set in the file system driver, and a network check point is set in the NDIS intermediate layer to capture all outbound IP packets. When the packet that initiates a connection passes the network check point, the current process information is obtained and immediately passed to the file access monitoring driver, which begins capturing information on all files accessed by that process. When each packet of the connection passes the network check point, protocol analysis is applied to it to judge whether it may send file information outward. When a packet that may carry file information appears, the process association check is applied: the files that the associated process is accessing, or has accessed, at the time the packet is sent are used to determine which file is being transmitted.
Description
Technical field
The present invention relates to a technique for preventing the leakage of a computer user's file information, and in particular to a document transmission monitoring method based on process association. It belongs to the field of computer network security.
Background technology
Under the NT 5.0 (Windows 2000 and Windows XP) operating system kernel, the file system and the network system are two separate component modules with no direct relation between them. Therefore, when a file is transmitted over the network, the full path of the file involved cannot be obtained directly, and the transfer cannot be controlled effectively. Combining the file system and the network system each with the operating system's process control module, and then associating the two through the common process, is undoubtedly a good solution.
Summary of the invention
The object of the invention is a document transmission monitoring method based on process association that combines the file system and the network system each with the process control module of the operating system, so as to monitor and control the outflow of file data from a single computer (or the unauthorized transfer of files out of a LAN), in order to prevent confidential information in the computer system from being distributed maliciously by insiders.
The object of the invention is achieved as follows: the document transmission monitoring method based on process association is characterized in that document transmission monitoring comprises at least the following steps:
Step 1: set a file access control point in the file system driver by means of a file system filter driver module;
Step 2: set a network check point in the NDIS intermediate layer by hooking the network system kernel interfaces SendHandler and SendPacketsHandler, so as to capture all outbound IP packets;
Step 3: when the packet that initiates a connection passes the network check point, obtain the current process information and immediately pass it to the file access monitoring driver, which begins capturing information on all files accessed by that process;
Step 4: when each packet of this connection passes the network check point, perform protocol analysis on the packet and judge whether it may send file information outward, based on the following:
A) whether the format of the packet matches the POST method of the HTTP protocol,
B) whether the format of the packet matches the PUT method of the FTP protocol,
C) whether the format of the packet matches the SMTP protocol, and protocol analysis finds that it carries an attachment;
Step 5: when a packet that may send file information appears, use the process association check to find the files that the associated process is accessing, or has accessed, at the time the packet is sent;
Step 6: in the situation described in step 5, search the list of files that the associated process is accessing or has accessed for entries that match the characteristics of the file being sent, and record that file's information.
The characteristics of the invention are: the document transmission monitoring method based on process association combines the file system and the network system each with the operating system's process control module and associates the two through the common process, which solves the above problem well. First, when the packet initiating a connection passes the network check point, the current process information is obtained; at the same time, the filter driver in the file system is notified to begin capturing the full paths of all files accessed by this process. Second, when each packet of the connection passes the network check point, protocol analysis is applied to judge whether the connection may send file information outward. Finally, when a packet that may send file information appears, the process association check determines which files the associated process is accessing or has accessed at the time the packet is sent, and identifies among them the file being transmitted.
Description of drawings
Fig. 1 is the system module structure diagram of one implementation of the invention.
Fig. 2 is the flow chart of the comprehensive analysis module.
Embodiment
The invention is further described below with reference to the drawings and specific embodiments.
Referring to Fig. 1, the monitoring system we implemented consists of four modules: the file system filter driver and the network monitoring driver run in the kernel layer, while the kernel communication module and the comprehensive analysis module run in the application layer.
The network monitoring driver is implemented by hooking the network system core API; the specific interfaces hooked are SendHandler and SendPacketsHandler, and the driver is loaded by installing a kernel-level service. It is responsible for monitoring the system's use of the network: when a process begins to use the network, the network monitoring driver intercepts the request and notifies the comprehensive analysis module in the application layer through kernel communication; the comprehensive analysis module in turn notifies the file system filter module, through kernel communication, to begin monitoring that process's file system usage. When a monitored connection begins a known file transfer behavior, the network monitoring driver passes the file's characteristics to the comprehensive analysis module, which uses the process association to determine the physical location of the specific file being transmitted.
The file system filter driver module is part of the I/O subsystem; its main task is to monitor processes' file access operations. It records the file accesses of a process within a certain period and delivers them to the application-layer comprehensive analysis module through kernel communication.
The kernel communication module, in the application layer, opens the control devices created by the file system filter driver and the network monitoring driver respectively, obtains the device handles, and communicates between the kernel and the application layer through those handles using DeviceIoControl, passing data between the comprehensive analysis module and the file system filter driver and network monitoring driver.
Referring to Fig. 2, the comprehensive analysis module compares the information collected from the file system monitoring driver and the network monitoring driver on the basis of identical process information, then analyzes it in conjunction with the time of file access and the time of packet transmission, and finally obtains and records the physical location of the file that the system sends out over the network.
Claims (4)
1. A document transmission monitoring method based on process association, characterized in that it comprises at least the following steps:
Step 1: set a file access control point in the file system driver;
Step 2: set a network check point in the NDIS intermediate layer to capture all outbound IP packets;
Step 3: when the packet that initiates a connection passes the network check point, obtain the current process information and immediately pass it to the file access monitoring driver, which begins capturing information on all files accessed by that process;
Step 4: when each packet of this connection passes the network check point, perform protocol analysis on the packet and judge whether it may send file information outward;
Step 5: when a packet that may send file information appears, use the process association check to find the files that the associated process is accessing, or has accessed, at the time the packet is sent;
Step 6: in the situation described in step 5, compare the data transmitted on the network with the list of files accessed by the associated process, determine the information of the file being transmitted, and record it.
2. The document transmission monitoring method based on process association according to claim 1, characterized in that the file access control point is set by means of a file system filter driver.
3. The document transmission monitoring method based on process association according to claim 1, characterized in that the network check point is set by hooking the network system core API, the specific interfaces hooked being SendHandler and SendPacketsHandler.
4. The document transmission monitoring method based on process association according to claim 1, characterized in that the judgement of whether a packet may send file information outward is based on analysis of the application-layer protocol:
A) whether the format of the packet matches the POST method of the HTTP protocol;
B) whether the format of the packet matches the PUT method of the FTP protocol;
C) whether the format of the packet matches the SMTP protocol, and protocol analysis finds that it carries an attachment.
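The following is an added example, not code from the patent, illustrating in user-mode Python the pipeline described by steps 3 to 6 of the summary, the comprehensive analysis module of the embodiment, and claims 1 and 4. The two kernel components (the file system filter driver and the NDIS intermediate-layer hook on SendHandler/SendPacketsHandler) are stood in for by constructed event records, and the outbound data of a connection is assumed to be already reassembled. The protocol analysis matches the three patterns the claims name; since an FTP client's "put" is carried on the wire as the STOR command, the FTP check looks for STOR. The association check searches the associated process's recent file list for an entry whose file name matches the name claimed on the wire; the time window, the pid value and the file paths are constructed assumptions.

```python
"""Added example (not the patent's own code): user-mode simulation of the
process-association check. Kernel drivers are replaced by constructed
FileAccess and SendData records sharing one constructed clock."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class FileAccess:
    pid: int
    path: str
    t: float  # seconds on the constructed clock


@dataclass
class SendData:
    pid: int
    data: bytes  # outbound bytes of one connection, as seen at the network check point
    t: float


# Step 4 / claim 4: application-layer analysis of outbound data.
HTTP_POST = re.compile(rb"^POST [^\r\n]+ HTTP/1\.[01]\r\n")
HTTP_FILENAME = re.compile(rb'filename="([^"\r\n]+)"')
FTP_STOR = re.compile(rb"^STOR ([^\r\n]+)\r\n")  # FTP "put" is sent as STOR
SMTP_MESSAGE = re.compile(rb"^(?:[A-Za-z-]+:[^\r\n]*\r\n)+\r\n")  # header block after DATA
MIME_ATTACHMENT = re.compile(
    rb'Content-Disposition:\s*attachment;[^\r\n]*filename="?([^"\r\n]+)"?', re.I)


def classify(data):
    """Return (kind, file name claimed on the wire or None) when the data may
    carry a file outward; None when none of the three patterns applies."""
    if HTTP_POST.match(data):
        m = HTTP_FILENAME.search(data)
        return "http-post", (m.group(1).decode(errors="replace") if m else None)
    m = FTP_STOR.match(data)
    if m:
        return "ftp-stor", m.group(1).decode(errors="replace")
    if SMTP_MESSAGE.match(data):
        m = MIME_ATTACHMENT.search(data)
        if m:  # SMTP counts only when an attachment is present
            return "smtp-attachment", m.group(1).decode(errors="replace")
    return None


class ProcessAssociationMonitor:
    """Correlates file accesses and outbound sends of the same process."""

    def __init__(self, window_seconds=30.0):
        self.window = window_seconds  # assumption: how far back "has accessed" reaches
        self.files = {}  # pid -> list of FileAccess (filled once the process used the network)
        self.reports = []

    def on_connect(self, pid):
        # Step 3: the connection-initiating packet starts file capture for this process.
        self.files.setdefault(pid, [])

    def on_file_access(self, access):
        # Filter-driver report; processes that never used the network are ignored.
        if access.pid in self.files:
            self.files[access.pid].append(access)

    def on_send(self, send):
        # Steps 4 to 6: protocol analysis, then the process-association check.
        verdict = classify(send.data)
        if verdict is None:
            return None
        kind, claimed = verdict
        # Step 5: files the associated process accessed at or shortly before the send.
        recent = [f for f in self.files.get(send.pid, [])
                  if send.t - self.window <= f.t <= send.t]
        # Step 6: entries whose characteristic (here the file name) matches what is sent.
        matched = sorted({f.path for f in recent
                          if claimed and ntpath.basename(f.path).lower() == claimed.lower()})
        report = {"pid": send.pid, "kind": kind, "claimed": claimed, "files": matched}
        self.reports.append(report)
        return report


def demo():
    """Constructed scenario: one process, two file accesses, three sends."""
    mon = ProcessAssociationMonitor(window_seconds=30.0)
    pid = 4120  # constructed pid
    mon.on_connect(pid)
    mon.on_file_access(FileAccess(pid, r"C:\Users\alice\Documents\budget.xlsx", 2.0))
    mon.on_file_access(FileAccess(pid, r"C:\Windows\Fonts\arial.ttf", 2.5))
    upload = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
              b"Content-Type: multipart/form-data; boundary=X\r\n\r\n--X\r\n"
              b'Content-Disposition: form-data; name="f"; filename="budget.xlsx"\r\n\r\n')
    r_http = mon.on_send(SendData(pid, upload, 5.0))  # name matches an accessed file
    r_ftp = mon.on_send(SendData(pid, b"STOR notes.txt\r\n", 6.0))  # no matching access
    r_get = mon.on_send(SendData(pid, b"GET / HTTP/1.1\r\nHost: h\r\n\r\n", 7.0))  # not a file send
    return r_http, r_ftp, r_get


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The matching key is deliberately the file name only, which is what the three protocol patterns expose on the wire; a production implementation would add size or content fingerprints, since a renamed file produces a flagged send with an empty `files` list (as the STOR case above shows) rather than a located file.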
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610039898.9A CN1838587A (en) | 2006-04-26 | 2006-04-26 | Document transmission monitoring method based on course association |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1838587A true CN1838587A (en) | 2006-09-27 |
Family
ID=37015857
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200610039898.9A Pending CN1838587A (en) | 2006-04-26 | 2006-04-26 | Document transmission monitoring method based on course association |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1838587A (en) |
Application events
- 2006-04-26: application CN200610039898.9A filed in CN, published as CN1838587A, status Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101986602A (en) * | 2010-08-11 | 2011-03-16 | 山东大学 | Method for setting checkpoints and recovering failure process based on message number checking and non-blocking |
CN101986602B (en) * | 2010-08-11 | 2012-08-15 | 山东大学 | Method for setting checkpoints and recovering failure process based on message number checking and non-blocking |
CN104156661A (en) * | 2014-07-26 | 2014-11-19 | 珠海市君天电子科技有限公司 | Device and method for preventing account passwords from being tampered |
CN114465922A (en) * | 2021-12-21 | 2022-05-10 | 中孚安全技术有限公司 | Visual monitoring method, system and device for user access baseline |
Similar Documents
Publication | Title |
---|---|
CN102771088B (en) | Using aggregated DNS information originating from multiple sources to detect anomalous DNS name resolutions |
CN102387038B (en) | Network video fault positioning system and method based on video detection and comprehensive network management |
CN108494672A (en) | A kind of industrial communication gateway, industrial data security isolation system and method |
CN102624706B (en) | Method for detecting DNS (domain name system) covert channels |
CN100534096C (en) | System and method for reverse network fishing |
US20070234425A1 (en) | Multistep integrated security management system and method using intrusion detection log collection engine and traffic statistic generation engine |
JP6794553B2 (en) | Door controller with integrated data collection and transmission equipment, network chain, and data processing and transmission method |
CN103746992B (en) | Based on reverse intruding detection system and method thereof |
CN103200230A (en) | Vulnerability scanning method based on movable agent |
CN106101130A (en) | A kind of network malicious data detection method, Apparatus and system |
CN1799912A (en) | Method and apparatus for online test control of operation status of hydraulic switch machine turnout |
CN113507436A (en) | Power grid embedded terminal fuzzy test method aiming at GOOSE protocol |
CN106209902A (en) | A kind of network safety system being applied to intellectual property operation platform and detection method |
CN100493065C (en) | Method for using immediate information software by data detection network address switching equipment |
CN102035895A (en) | Web site supervision method based on HTTP (hypertext transfer protocol) analysis |
CN1832417A (en) | Data collecting method and system |
CN103796343B (en) | M2M gateway devices and its application process |
CN1838587A (en) | Document transmission monitoring method based on course association |
CN1551570A (en) | Remote-support system for an analysing apparatus |
CN101728871A (en) | Remote control system for chromatographic data of transformer |
CN206023812U (en) | The gating device of integrated data collecting transmitter |
CN1141659C (en) | Remote user operation process recording and restoring method |
CN102469098A (en) | Information safety protection host machine |
CN102299958A (en) | Method for monitoring video through IE (Internet Explorer) client side and system |
CN109600395A (en) | A kind of device and implementation method of terminal network access control system |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C12 | Rejection of a patent application after its publication | |
RJ01 | Rejection of invention patent application after publication | Open date: 20060927 |