JP2005130214A - Document leakage detection management system, its method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a document leakage detection management system, a method and a program which makes a user unaware of embedded encryption. <P>SOLUTION: The document leakage detection management system 200 comprises an encryption embedding means 210, an excluding means 230, a decryption means 240, and a determining means 250. The encryption embedding means 210 embeds encryption in image information contained in document data, using the steganography. The excluding means 230 decides whether target image information is contained in the document data based on a start tag contained in the image information, and excludes those data not containing the target image information from the decoding. The decoding means 240 decodes the encryption contained in the document data, before sending the document data to an external network from a user terminal. The determining means 250 determines a process for the document data based on the decoded encryption, and executes the determined process (send stop, report to a manager, etc.). <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a document leakage detection management system and method, and more particularly to a document leakage detection management system and method related to document data including image data.

In today's information society, it has become natural for companies to connect to the Internet. Accordingly, leakage of internal confidential information and customer information has become a serious problem. As a conventional technique, a countermeasure system for such information leakage has also been developed. However, the countermeasure system that has been developed so far requires dedicated equipment, or it is recognized that the user is under control to install a dedicated application, giving a feeling of psychological pressure, etc. There are drawbacks.
In addition, as a countermeasure against information leakage, there is a method of encrypting all information on the server, but it takes time and effort to decrypt when browsing, and the user is conscious of encryption. There is a drawback. In addition, when the content of the document data itself is encrypted, there is a disadvantage that the content impairs the user's accessibility and is inconvenient for the user.

Several information leakage prevention systems have been developed as prior art. There are roughly two methods for preventing the leakage of internal confidential documents in the conventional system.
(1) Encrypt the entire database.
(2) Full text search for prohibited characters.
The method (1) is encrypted even if the document is leaked due to unauthorized access, etc., so that the contents need not be known. However, in general, a dedicated application for decrypting is required. In addition, there is a problem that it takes time to decrypt and is not efficient, and the presence of decryption makes the user aware of document encryption.
In the method (2), a specific keyword included in the internal document is searched from the entire document. However, there is a possibility that false detection may occur depending on the keyword selection. Further, when no keyword is registered, it may be detected. That is, it is not possible to cope with a case where the method of expressing the secret information is changed (for example, replacement of a word related to the confidential information with a similar word).
In addition, a systematic management method of information leakage and related devices (refer to Patent Document 1) are disclosed. However, when this technology is used, it is possible to recognize that each user is under the control of some system, and there is a drawback in that the morale of employees may be adversely affected. Alternatively, recognizing that the document is under management also gives an opportunity to take document take-out means other than via the network. This technique is also one of the above-described full text search techniques (2) and has the same drawbacks.
As for steganography and digital watermarking, various known techniques are described in “Basics of Digital Watermarking” by Matsui (see Non-Patent Document 1). An object of the present invention is to provide a document leakage detection management technique using these known steganography techniques.
Japanese Patent Laid-Open No. 2002-232451 (FIG. 1, paragraphs 0005-0007) Kokoo Matsui, “Basics of Digital Watermarking” (issued August 21, 1998)

  An object of the present invention is to provide a document leakage detection management system, method and program that solve the above-mentioned problems of the prior art.

Therefore, the present invention uses a known steganographic technique to add signature information to a document without being conscious of the user, and to create a monitor for detecting the signature, thereby creating a dedicated device, server application, or client application. Provide a system and method for detecting document leaks without using.
A document leakage detection management system according to the present invention includes:
A document leakage detection management system connected to a LAN accommodating a plurality of user terminals and an external network (for example, WAN or Internet),
Encryption embedding means for embedding encryption using steganography in image information included in document data;
Storage means (storage device) for storing the document data;
Decryption means for decrypting the cipher included in the document data when transmitting the document data with the cipher embedded in the external network from the user terminal via the LAN;
Processing for the document data based on the decrypted encryption (for example, determining whether or not to transmit, simply recording information related to transmission of the document data, and notifying the network administrator, document data administrator, or senior document administrator) Decision means to decide),
It is characterized by including.
According to the present invention, it is possible to perform appropriate management such as detecting a leakage of a document and preventing the leakage without making the user aware of being monitored by using steganography. .

In addition, the document leakage detection management system according to the present invention includes:
The encryption embedding unit inserts predetermined image information (for example, a company logo) embedded with encryption using steganography into the document data.
It is characterized by that.
According to the present invention, for example, when a company logo is used as image information for insertion, it is possible to detect and manage document leakage without noticing that the user is under monitoring. It is also possible to deal with text-only documents.

In addition, the document leakage detection management system according to the present invention includes:
The encryption included in the document data is defined according to a desired hierarchical level for each of the document data,
The determining means determines the processing with reference to a predetermined standard that includes several hierarchical levels and that defines processing for the document data for each hierarchical level.
It is characterized by that.
According to the present invention, it is possible to hierarchically manage the outflow / leakage of documents according to the hierarchical level (document management level) preset for each document.

Furthermore, the document leakage detection management system according to the present invention includes:
The cipher embedding means selectively embeds the cipher only in image information having a specific file type (ie, including a specific start tag),
The system further comprises:
Excluding means for determining whether or not target image information is included in the document data based on a start tag included in the image information and excluding those not including target image information from the decoding Including
A system characterized by that.
According to the present invention, for example, by embedding encryption only in image data of a specific format such as JPEG, GIF, TIFF, etc., only the image data of this specific format can be targeted for decryption processing, and image data that is not the target Can be appropriately excluded, so that the processing can be made more efficient and faster.

Furthermore, the document leakage detection management system according to the present invention includes:
A router connected to a LAN accommodating the plurality of user terminals and an external network, or a packet capture function for capturing information transmitted from the LAN to the external network at a packet level;
It is characterized by that.
According to the present invention, since information transmitted to the outside can be monitored at the packet level, it is possible to almost completely prevent information embedded with the encryption of this system from leaking to the outside.

As described above, the solving means of the present invention has been described as a system (apparatus). However, the present invention can also be realized as a method, a program, and a storage medium storing the program. It should be understood that these are included in the scope of the invention.
For example, the document leakage detection management method according to the present invention is:
A document leakage detection management method for detecting and managing document leakage in a LAN accommodating a plurality of user terminals,
A cipher embedding step of embedding a cipher using a computing means (CPU) using steganography for image information included in document data;
Storing the document data in a storage device;
A decrypting step of decrypting a cipher included in the document data using the arithmetic means when transmitting the document data from the user terminal to the external network via the LAN;
A determination step of determining processing for the document data based on the decrypted encryption;
It is a method including.

In addition, the document leakage detection management method according to the present invention includes:
The encryption embedding step inserts predetermined image information embedded with encryption using steganography into the document data.
It is characterized by that.

Furthermore, the document leakage detection management method according to the present invention includes:
The encryption included in the document data is defined according to a desired hierarchical level for each of the document data,
The determining step determines the processing with reference to a predetermined standard that includes several hierarchical levels and that defines processing for the document data for each hierarchical level.
It is characterized by that.

Furthermore, the document leakage detection management method according to the present invention includes:
The cipher embedding step selectively embeds the cipher using the arithmetic means only in image information having a specific file type,
The method further comprises:
An exclusion step of determining whether or not target image information is included in the document data based on a start tag included in the image information, and excluding those that do not include target image information from the decoding Including
It is characterized by that.

Furthermore, the document leakage detection management method according to the present invention includes:
A step of routing packet data between a LAN accommodating the user terminal and an external network, and / or a packet capture step of capturing information transmitted from the LAN to the external network at a packet level Including,
It is characterized by that.

In addition, the document leakage detection management program according to the present invention includes:
A program for causing a computer to execute a document leakage detection management method for detecting and managing document leakage in a LAN accommodating a plurality of user terminals,
An encryption embedding step of embedding encryption using steganography in image information included in document data;
A decrypting step of decrypting a cipher included in the document data when transmitting the document data from the user terminal to the external network via the LAN;
A determination step of determining processing for the document data based on the decrypted encryption;
It is characterized by including.

  FIG. 1 is a network configuration diagram showing an embodiment of a document leakage detection management system according to the present invention. As shown in the figure, a document leakage detection management system 100 according to the present invention includes a router 105 and is connected to a plurality of user terminals 120 and a document manager terminal 130 via a hub 110. The user accesses and uses the document database 140 in which confidential documents are stored in the LAN 150 configured by the hub 110. The system 100 is connected to an external network 160 (such as the Internet), and a user can transmit a file such as a document to the external server 170 via the network 160. In this configuration, when the user transmits document data to the outside, the system 100 monitors whether or not the encryption is embedded in the document data. If the encryption is embedded, the system 100 decrypts the encryption. Then, based on the decrypted content, subsequent processing (document transmission stoppage, notification to the administrator, etc.) is determined, and the determined processing is executed, or a control signal instructing execution of the processing is output.

FIG. 2 is a block diagram showing the basic configuration of the document leakage detection management system according to the present invention. As shown in the figure, the document leakage detection management system 200 according to the present invention includes an encryption embedding unit 210, a storage unit 220, an exclusion unit 230, a decryption unit 240, and a determination unit 250. The document leakage detection management system 200 also includes a router function (not shown) and a packet capture function (not shown).
The encryption embedding unit 210 embeds encryption in the image information included in the document data using steganography, and the storage unit 220 stores the document data in which the encryption is embedded in the document database. The excluding unit 230 determines whether or not the target image information is included in the document data based on a start tag included in the image information. exclude.
The decrypting means 240 decrypts the cipher included in the document data before transmitting the document data from the user terminal to the external network.
The determination unit 250 determines a process for the document data based on the decrypted encryption, and performs the determined process.

As an example, a series of systems for capturing packets for transfer using FTP, detecting leakage of a document, and a program for concealing a JPEG image using steganography, which is the preparation, were actually created. This system is composed of a server that stores internal confidential documents and a monitor machine that monitors the transfer.
In many documents stored in the server, a company logo image concealed using steganography is inserted as an in-house standardized document standard. This cipher is a character string indicating the importance (hierarchical level for document management) of the document such as “top secret”, “classified”, “leak detect”, and the like. The cipher can be not only a direct expression whose security level can be easily understood as described above, but also, for example, a character string including arbitrary alphanumeric characters (ABC, 123, zyz, etc.). Considering the possibility of decryption, it is preferable to use a character string consisting of any appropriate alphanumeric characters. In this system, the subsequent correspondence can be changed according to the importance (hierarchy level) of the encryption. This time, JPEG images were used for logo images because of their ease of detection.
The monitor machine (document leakage detection management device) is connected to a location where the server's packets can be monitored using a shared hub (repeater hub), and always transfers data from the server to the outside using the packet capture function for transfers using FTP. Monitor at the packet level. Alternatively, server data can be monitored even if two NICs are installed on one machine and NAT is constructed. When a confidential document is going to be transmitted from the server to the outside, an attempt is made to extract a cipher from the JPEG image of the document, and when a cipher is detected, a response corresponding to the cipher level is taken. In this embodiment, a Microsoft Word document was used as an in-house standardized document standard.

About Embedding Signature (Encryption) in Logo Image In this embodiment, a JPEG image is selected as information data in which signature information (that is, encryption) is concealed by a known steganographic technique. JPEG compression includes lossless compression, but most of it is converted by lossy compression. That is, since the lower bit plane is compressed and information is lost, it is difficult to conceal the pixel replacement type like a BMP image. There are the following methods for embedding some information in a JPEG image.
(1) Embed information (encryption) in the comment part of JPEG
(2) Embed cryptography by using quantization error in the plane area
(3) Embed encryption using quantization error in frequency domain
The method (1) uses a comment tag prepared for JPEG compression, and even if you look at the image, you cannot tell that the information is hidden, but it is not applicable to steganography. Moreover, since a comment is displayed depending on software, the presence or absence of information will be recognized by the user.
In the method (3), the length of the zero run of the AC component is represented by 4 bits at the time of Huffman coding, and 0 or 1 is embedded in the least significant bit. This may cause the spatial frequency of the AC component to be +1 or −1, but if it is adjusted in subsequent runs, the image is hardly affected.

In this embodiment, encryption concealment in the quantization table is adopted as one of the methods of using the quantization error in the pixel area (2). This method is harder to analyze than (1) and can be extracted using only a quantization table.
Although the method (3) is the least difficult to analyze, it is difficult to extract because it is hidden in the image portion of the JPEG image. By the way, (2) is the longest time for cipher concealment, but since the cipher embedding in the document is not performed in real time, there is no practical problem.

  FIG. 3 is a flowchart for explaining the flow of encryption concealment in the embodiment of the document leakage detection management system of the present invention. First, create the original logo image in JPEG. As shown in the figure, this is subjected to Huffman decoding, and then inverse quantization is performed on the original quantization table to convert it into DCT data. Thereafter, the cipher is concealed using steganography in the quantization table. The DCT data is quantized using the concealed quantization table, and a JPEG image is created by Huffman coding. A typical 24-bit full-color JPEG image has two 8 × 8 quantization tables. In order to conceal the encryption bit by bit in each value of the table, 64 × 2 ÷ 8 = 16 bytes can be concealed in one JPEG image.

Extraction of JPEG images from Word documents
In a Word document, text and images are compressed and saved. However, JPEG images that were originally highly compressed are stored without further compression. This system searches for the start tag of JPEG using this property. Although the start tag is FFD8, since the next 1 byte has FF indicating the start of another tag, a packet including the data string of FFD8FF combined therewith is detected in real time. Note that the probability that an FFD8FF data string will appear in the packet is 224 = 1/16216216, and that the system understands the JPEG tag, so there is almost no possibility of misrecognizing the JPEG header.

  This monitor machine has a packet analysis function (for details, see W. Richard Stevens (authored). Yasuo Tachibana (translated) Naoji Inoue (supervised): Detailed TCP / IP Vol.1 (new edition) protocol, Pearson (Refer to Education (2000)), a function to extract a JPEG image from a document file, and a function to analyze a JPEG image and extract a cipher. In order to support FTP transfer, the monitor machine is equipped with an FTP command and FTP response analysis function. At the time of monitoring, only packets whose transmission source or transmission destination ports are 20 and 21 are acquired using a filter of the Windows (registered trademark) packet capture driver “WinPcap”.

FIG. 4 is a flowchart for explaining the flow of cipher detection by this system.
The FTP control port (port-21) is monitored, and when the start of FTP transfer is detected, the transfer is continuously monitored until the connection is released. The monitor acquires the file name to be transferred by monitoring the FTP command and response. If it is determined from the extension that the file is a document file, a JPEG image is searched in real time from the data port (port-21). When a JPEG image is detected, the quantization table is searched from the header and the cipher is extracted. The extracted cipher is compared with a keyword registered in advance, and if it matches, it is determined that the internal document is about to be leaked, and processing corresponding to the cipher is instructed.

By placing a JPEG image with the encryption hidden at the beginning of the document as an in-house standardized document standard, it is possible to determine whether it is a confidential document by analyzing only the first JPEG image. If the cipher cannot be extracted, it is determined that the document is not an internal confidential document and the analysis of the document is terminated.
The following processing, which is specified in advance according to the comics that detect leaks, keywords (“top secret”, “classified”, “leak detect”), that is, the hierarchical level, is performed.
・ Level 1 (leak detect): Notify the administrator by e-mail or an instant message (ICQ, etc.) ・ Level 2 (classified): Notify the administrator or officer by e-mail or an instant message ・ Level 3 (top secret): Blocks transmission to the outside, and notifies the administrator and officers by e-mail or an instant message. The contents to be transmitted include login time, user name, IP address, local IP address, MAC address, document name, and transfer. The document data and information on the sender such as a file name and a document confidential level can be included.

  For the performance test of this system, the experiment was conducted under the following conditions.

Test environment / server machine
OS: Red Hat Linux 7.0.1J
・ Monitor machine
OS: Microsoft Windows (registered trademark) XP Professional SP1
CPU: Athlon XP 1500+ (1.34GHz)
RAM: 256 MB
・ LAN: 100 base T
・ Microsoft Word 2002 SP2

For the experiment result measurement, the experiment from which the logo image (that is, with encryption) is inserted (Experiment 1 and 2) is the time from the data port connection request to the encryption extraction, the experiment without the logo image is inserted (no encryption) For (Experiments 3 and 4), the data port was measured until it was opened. All analysis times are the average of the results of 10 trials.

Experiment 1 (with logo image, text only)
FIG. 5 is a graph showing the relationship between the analysis time and the file size in Experiment 1. Insert a 2.24 Kbyte logo image concealed with encryption at the top of the first page of a standard document, and adjust the file size by inserting appropriate characters below.
Characteristic of Microsoft Word document is that the text is saved first and the image is on the back side. That is, as the number of characters increases, the time until the image is traced increases, and the analysis time increases accordingly.

Experiment 2 (with logo image, text and image)
FIG. 6 is a graph showing the relationship between the analysis time of Experiment 2 and the number of images. A dummy JPEG image of 200 Kbytes of encryption that is not concealed is inserted into a document file of size 1 Mbyte in Experiment 1 at regular intervals. For example, when the number of images is 4, one 2.24K logo image and three 200K dummy images are inserted. In all files, the logo image position is adjusted so that it starts around 827100 bytes.
In this system, when a cipher is detected from a JPEG image, the analysis ends at that point. In this experiment, since the logo image is analyzed first among a plurality of JPEG images, the analysis ends there. Therefore, the remaining images are not analyzed, and the analysis time is the same regardless of the number of images.

Experiment 3 (no logo image, text only)
FIG. 7 is a graph showing the relationship between the analysis time of Experiment 3 and the number of images. The logo image was deleted from the document of Experiment 1, and the file size was adjusted by filling the deleted text with appropriate characters. If the logo image is not inserted as in this experiment, the analysis is performed to the end of the file without completing the analysis. Therefore, the analysis time is proportional to the file size.

Experiment 4 (no logo image, text and image)
FIG. 8 is a graph showing the relationship between the analysis time of Experiment 4 and the number of images. The logo image was deleted from the document of Experiment 2, and the file size was adjusted by filling the deletion text with appropriate characters.
As in Experiment 3, no logo image is inserted, so the analysis is completed and the file is read to the end. Therefore, the analysis time is proportional to the file size.

  Using the system according to the present invention, it was possible to conceal signature information in a JPEG image using steganography and to detect leakage of an internal confidential document by FTP. As a result, it was confirmed that document leakage was detected using steganography and packet capture. The file with 15 images in FIG. 8 is about 4 Mbytes, but the analysis time is not much different from the 4 Mbyte results in Experiment 3 (FIG. 7). Therefore, it can be said that the analysis of the JPEG header is sufficiently fast.

In the case of the system and method of the present invention, the encryption for preventing leakage is hidden in an image file such as a company logo using steganography, and the presence of the encryption is not noticed by the user during browsing. There are advantages. Further, if only keywords determined in advance are used and if they are present at a specific location in the document, the encryption can be detected almost certainly.
Further, as in the above-described embodiment, the system according to the present invention can sufficiently perform real-time processing.
Above all, the use of steganography has the advantage that the user is not aware that it is being monitored. The data collected by the system of the present invention can also be used for personnel management.

In the present specification, the principle of the present invention has been described in various embodiments. However, the present invention is not limited to the above-described embodiments, and many variations and modifications can be made by those skilled in the art. It should be understood that these variations and modifications are also included in the present invention. For example, in the above-described embodiment, FTP transfer is used, but the present invention can also be applied to other known protocols such as SMTP and HTTP.
In the embodiment, the information included in the embedded cipher is 16 bytes. However, if other known steganography techniques are used, a cipher including more information can be embedded.

The document data described in this specification is not only a normal document file created by a word processor, but also any data file containing information (for example, a file by presentation software such as PowerPoint, a file by spreadsheet software such as Excel). Should be understood to include Such a document file by presentation software often includes a moving image, but the present invention can also embed encryption in moving image data using a steganography technique.
For example, in a moving image format such as MPEG2, a plurality of still images, that is, frames are continuously reproduced. Therefore, a method of embedding encryption embedding by a quantization error as described in the embodiment in each frame. It can be used as it is. In other words, it is possible to embed a cipher in a document including a moving image using the “cryptographic embedding technique using redundancy in the spatial axis direction”. Alternatively, in the case of moving image data, encryption is embedded using a technique using motion that is a difference between frames “encryption embedding technique using redundancy in the time axis direction (for example, encryption embedding by a motion vector)”. It is possible. Or, in the moving image format such as MPEG, several layers (six layers in the case of MPEG) are used, but a technique of embedding a cipher in each of these layers “a cipher embedding technique using a hierarchical structure” should be used. Is also possible.

It is a network block diagram which shows the embodiment of the document leakage detection management system by this invention. It is a block diagram which shows the basic composition of the document leakage detection management system by this invention. It is a flowchart explaining the flow of the encryption concealment in the embodiment of the document leakage detection management system of this invention. It is a flowchart explaining the flow of the encryption detection by this system. It is a graph which shows the relationship between the analysis time of Experiment 1, and a file size. It is a graph which shows the relationship between the analysis time of Experiment 2, and the number of images. It is a graph which shows the relationship between the analysis time of Experiment 3, and the number of images. It is a graph which shows the relationship between the analysis time of Experiment 4, and the number of images.

Explanation of symbols

100 Document Leakage Detection Management System 105 Router 110 Hub 120 User Terminal 130 Document Manager Terminal 140 Document Database 150 LAN
160 External network 170 External server 200 Document leakage detection management system 210 Encryption embedding means 220 Storage means 230 Exclusion means 240 Decoding means 250 Determination means

Claims (11)

A document leakage detection management system connected to a LAN accommodating a plurality of user terminals,
Encryption embedding means for embedding encryption using steganography in image information included in document data;
Decryption means for decrypting encryption included in the document data when the document data is transmitted from the user terminal to the external network via the LAN;
Determining means for determining processing for the document data based on the decrypted encryption;
Including system. The system of claim 1, wherein
The encryption embedding unit inserts predetermined image information in which encryption is embedded using steganography into the document data.
A system characterized by that. The system according to claim 1 or 2,
The encryption included in the document data is defined according to a desired hierarchical level for each of the document data,
The determining means determines the processing with reference to a predetermined standard that includes several hierarchical levels and that defines processing for the document data for each hierarchical level.
A system characterized by that. The system according to any one of claims 1 to 3,
The encryption embedding means selectively embeds the encryption only in image information having a specific file type,
The system further comprises:
Excluding means for determining whether or not target image information is included in the document data based on a start tag included in the image information and excluding those not including target image information from the decoding Including
A system characterized by that. The system according to any one of claims 1 to 4,
A router connected to the LAN accommodating the plurality of user terminals and the external network, and / or a packet capture function for capturing information transmitted from the LAN to the external network at a packet level,
A system characterized by that. A document leakage detection management method,
A document leakage detection management method for detecting and managing document leakage in a LAN accommodating a plurality of user terminals,
An encryption embedding step of embedding encryption using steganography in image information included in document data;
A decrypting step of decrypting a cipher included in the document data when transmitting the document data from the user terminal to the external network via the LAN;
A determination step of determining processing for the document data based on the decrypted encryption;
Including methods. The method of claim 6, wherein
The encryption embedding step inserts predetermined image information embedded with encryption using steganography into the document data.
A method characterized by that. The method according to claim 6 or 7, wherein
The encryption included in the document data is defined according to a desired hierarchical level for each of the document data,
The determining step determines the processing with reference to a predetermined standard that includes several hierarchical levels and that defines processing for the document data for each hierarchical level.
A method characterized by that. The method according to any one of claims 6 to 8, wherein
The encryption embedding step selectively embeds the encryption only in image information having a specific file type,
The method further comprises:
An exclusion step of determining whether or not target image information is included in the document data based on a start tag included in the image information, and excluding those that do not include target image information from the decoding Including
A method characterized by that. The method according to any one of claims 6 to 9, wherein
A packet capture step for capturing information transmitted from the LAN to the external network at a packet level;
A method characterized by that. A program for causing a computer to execute a document leakage detection management method for detecting and managing document leakage in a LAN accommodating a plurality of user terminals,
An encryption embedding step of embedding encryption using steganography in image information included in document data;
A decrypting step of decrypting a cipher included in the document data when transmitting the document data from the user terminal to the external network via the LAN;
A determination step of determining processing for the document data based on the decrypted encryption;
Including programs.

Images