JP2015207140A - Information leakage prevention system and information leakage prevention method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To achieve information leakage prevention causing little error detection and inspection omission.SOLUTION: A first embedding rule table 123A stores a first embedding rule including label information. A second embedding rule table 123B stores a second embedding rule. An inspection rule table 142 stores an inspection rule including label information and inspection processing information. When a file is stored in a storage device 114, a file I/O hook unit 121 of a computer 101 embeds an inspection label specified by the label information in the first embedding rule in the file if a prescribed condition based on the first embedding rule and the second embedding rule is met. An information leakage prevention unit 141 of a gateway 102 extracts a file from communication data, and if an inspection label specified by the label information in the inspection rule stored in the inspection rule table 142 is included in an inspection label embedded in the file, it performs processing specified by inspection processing information in the inspection rule.

Description

  The present invention relates to an information leakage prevention system and an information leakage prevention method that prevent a confidential file on a computer from being transferred to the outside via a network to prevent information leakage.

  There is Data Leakage Protection (DLP) as a technique for detecting and preventing a confidential file on a computer being taken out. In DLP, a gateway inspects a file transmitted using e-mail, file transfer, Web (World Wide Web), or net storage. If the gateway determines that the file contains confidential information, the gateway stops the transmission of the file or warns the sender himself or his superior.

Non-Patent Document 1 describes a technical explanation of DLP products. Non-Patent Document 1 describes a technique for detecting confidential information such as describing, finger printing, and vector machine learning (VML).
Patent Document 1 discloses a document leakage detection management system that embeds document hierarchy information such as leak detect / classified / top secret in an image included in a document using a steganography technique and detects it.
Patent Document 2 discloses a method in which nodes having different security levels on a network and applications having different security levels on a Trusted OS can communicate safely.

JP 2005-130214 A US 2009/0282460 A1

Machine Learning Sets New Standard for Data Loss Prevention: Describe, Fingerprint, Learn, White Paper. [Online]. Symantec, DLP, 2010. [retrieved on 2014-02-24]. Retrieved from the Internet: <http: // eval .symantec.com / mktginfo / enterprise / white_papers / b-dlp_machine_learning.WP_en-us.pdf>.

In the detection by Describing described in Non-Patent Document 1, a keyword, pattern, or file type is specified, and the document to be inspected includes a keyword, a lexical that matches the pattern, or the file type matches. Find out what to do. In Fingerprinting, whether a whole document or a part of the document matches a confidential document is checked using a hash value. In VML, examples of confidential documents are collected, machine-learned and inspected.
However, the technique described in Non-Patent Document 1 has the following problems. Setting keywords and patterns necessary for describing is not easy. If the amount is too small, detection failure occurs. If the amount is too large, false detection increases. If you try to combine multiple keywords and patterns, the number will increase and you will not be able to grasp it manually. Fingerprinting also takes time and effort because it is necessary to collect confidential documents and specify confidential parts in the documents. As for VML, it is necessary to collect a large number of learning documents in order to increase detection accuracy. Even if a detection error or an erroneous detection occurs, the parameter setting is mechanized, so that manual adjustment is not possible.

  In the document leakage detection management system described in Patent Document 1, document hierarchy information necessary for confidential document detection is embedded in an image, and a document that does not include an image is excluded. Further, Patent Document 1 does not describe what means is used to determine the document hierarchy.

  Regardless of whether or not an image is included, a method of inspecting with reference to document attribute information such as creator, title, classification, and keyword is generally conceivable. However, if the document file is encrypted at the time of transmission, these attributes are also encrypted at the same time and cannot be inspected by the gateway.

  On the other hand, information such as the document creator / modifier / viewer, document file name, stored folder, PC (Personal Computer) accessing the document, and its location and time are used for checking whether it is confidential. Useful. However, these pieces of information are information managed by the PC or its OS (Operating System) and are not included in the document file itself, and cannot be used for inspection at the gateway. The file name can be inspected because it is sent separately from the file itself in communication protocols such as e-mail and file transfer, but if the sender changes the file name and sends it, the original file name is inspected It is not possible.

In the method described in Patent Document 2, it is assumed that one node or one application has one security level. However, with PCs, OSs, and applications that are in widespread use, various document hierarchies / security levels such as secret, confidential, and personal information, as well as various categories of documents such as by customer, by business, by group, etc. Are created and edited by a single PC or application, and preparing a plurality of PCs or applications in accordance with the security level is very expensive. Even if an application is modified to handle a plurality of level categories, an interface that does not exist in an existing OS is used, and it is difficult for an engineer who has no special knowledge to modify the application.
In the method described in Patent Document 2, one security label is assigned to one communication packet, and one level / category is obtained in one communication. However, in general offices, it is normal to send documents of a plurality of levels and categories attached to a single e-mail, and it is very troublesome to send e-mail separately for each level or category.

  The present invention can realize DLP (information leakage prevention) with few false detections and inspection omissions, and each user does not need to prepare a plurality of PCs and applications according to the security level and category. An object of the present invention is to provide an information leakage prevention system and an information leakage prevention method that can be introduced in the Internet.

In order to achieve the above object, the information leakage prevention system of the present invention is:
A first embedding rule that includes storage folder designation information that designates a storage folder and label information that designates an inspection label embedded in a file stored in the storage folder designated by the storage folder designation information is stored. A first embedded rule table,
Application specification information for specifying an application, file type specification information for specifying a file type, and embedding processing information for specifying whether or not to perform label processing on a file of a file type specified by the file type specification information A second embedding rule table storing a second embedding rule including:
An inspection rule table storing inspection rules including label information and inspection processing information for specifying processing to be performed when the inspection label specified by the label information is embedded in the file;
When the application closes the file and stores it in the storage device, the application, the file type of the file, and application designation information included in the second embedding rule stored in the second embedding rule table Specifies that the embedding process information included in the second embedding rule corresponding to the specified application and the file type specified in the file type specification information and included in the second embedding rule with the same application and file type performs label processing. A first embedding rule including storage folder designation information for designating a storage folder in which the file is stored is acquired from the first embedding rule table and included in the acquired first embedding rule. The inspection label that embeds the inspection label specified in the label information And Le embedding means,
When storage of data in a communication or portable storage medium is detected, a file is extracted from the communication data or data stored in the portable storage medium and specified by the label information included in the inspection rule stored in the inspection rule table Inspection processing means for performing processing specified by the inspection processing information included in the inspection rule when the inspection label to be included is included in the inspection label embedded in the file;
It is characterized by providing.

Preferably, the information leakage prevention system of the present invention is
When an application opens a file stored in the storage device, the application, the file type of the file, and an application designation included in the second embedding rule stored in the second embedding rule table The embedding processing information included in the second embedding rule in which the application specified by the information and the file type specified by the file type specifying information match, and the application and the file type match, perform the label processing. In the case of designating an inspection label, an inspection label deleting means for deleting an inspection label included in the file is provided.

Preferably, the information leakage prevention system of the present invention is
The first embedding rule stored in the first embedding rule table includes encryption information used for encrypting a file stored in the storage folder designated by the storage folder designation information. Including
When an application closes a file and stores it in the storage device, the application designation information included in the second embedding rule stored in the second embedding rule table and the file type of the application and the file The embedding process information included in the second embedding rule in which the application and file type specified in the file and the file type specified in the file type specifying information match and the application and file type match are encrypted. When the first embedding rule is stored, the first embedding rule including the storing folder designation information for designating the storing folder in which the file is stored is acquired from the first embedding rule table, and the acquired first embedding rule is acquired. Encryption means for encrypting the file based on the encryption information included in
When an application opens a file stored in the storage device, the application, the file type of the file, and an application designation included in the second embedding rule stored in the second embedding rule table The embedding process information included in the second embedding rule in which the application specified in the information and the file type specified in the file type specifying information match and the application and the file type match perform encryption processing. A first embedding including storage folder designation information for designating a storage folder storing the file after the inspection label included in the file is deleted by the inspection label deleting means. A rule is obtained from the first embedded rule table and Decoding means for decoding the encrypted file on the basis of the encryption information included in the first embedded rules and,
With
The inspection label embedding unit embeds an inspection label specified by the label information included in the acquired first embedding rule in the file after the file is encrypted by the encryption unit.
It is characterized by that.

Preferably, the information leakage prevention system of the present invention is
When the application changes the file path name of the file, it is specified by the application specification information included in the second embedding rule stored in the second embedding rule table and the file type of the application and the file. When the application and file type specified by the file type specification information match, and the embedding processing information included in the second embedding rule that matches the application and file type specifies that label processing is to be performed In addition, the inspection label deleting unit deletes the inspection label included in the file, and the inspection label embedding unit includes storage folder designation information for designating a storage folder indicated by the changed file path name. 1 embedding rule from the first embedding rule table Tokushi, the test label specified by the label information included in the first embedded rules the acquired, characterized in that embedded in the file.

In addition, the information leakage prevention method of the present invention includes:
Stored is a first embedding rule including storage folder designation information for designating a storage folder and label information for designating a test label embedded in a file stored in the storage folder designated by the storage folder designation information. Whether to perform label processing on the first embedded rule table, application specification information for specifying an application, file type specification information for specifying a file type, and a file of a file type specified by the file type specification information A second embedding rule table in which a second embedding rule including embedding processing information for designating is stored, and a label for inspection designated by the label information is embedded in the label information and the file. An inspection rule table storing inspection rules including inspection processing information for specifying processing to be performed An information leakage prevention method in the information leakage prevention system comprising,
When the application closes the file and stores it in the storage device, the application, the file type of the file, and application designation information included in the second embedding rule stored in the second embedding rule table Specifies that the embedding process information included in the second embedding rule corresponding to the specified application and the file type specified in the file type specification information and included in the second embedding rule with the same application and file type performs label processing. A first embedding rule including storage folder designation information for designating a storage folder in which the file is stored is acquired from the first embedding rule table and included in the acquired first embedding rule. The inspection label that embeds the inspection label specified in the label information And Le embedding step,
When storage of data in a communication or portable storage medium is detected, a file is extracted from the communication data or data stored in the portable storage medium and specified by the label information included in the inspection rule stored in the inspection rule table An inspection processing step for performing processing specified by the inspection processing information included in the inspection rule when the inspection label to be included is included in the inspection label embedded in the file;
It is characterized by providing.

  According to the present invention, it is possible to realize DLP (information leakage prevention) with few false detections and inspection omissions, and each user does not need to prepare a plurality of PCs and applications according to security levels and categories. It can be introduced at low cost.

It is a figure which shows an example of a structure of the information leakage prevention system which concerns on embodiment of this invention. It is a figure which shows an example of embedding the label for a test | inspection in a structured document file. It is a figure which shows an example of an embedding rule table. FIG. 3A shows an example of the first embedding rule table. FIG. 3B shows an example of the second embedding rule table. It is a figure which shows an example of the flow of a process of the file I / O hook part when an application opens or closes a file. It is a figure which shows an example of the flow of an encryption and label process at the time of file opening. It is a figure which shows an example of the flow of an encryption and label process at the time of a file close. It is a figure which shows an example of the flow of the label process at the time of file opening. It is a figure which shows an example of the flow of the label process at the time of a file close. It is a figure which shows an example of the flow of only the encryption at the time of file opening. It is a figure which shows an example of the flow of a process only of the encryption at the time of a file close. It is a figure which shows an example of the flow of a process of the file I / O hook part when an application changes a file path name. It is a figure which shows an example of the flow of an encryption / label process at the time of file path name change. It is a figure which shows an example of the flow of the label process at the time of file path name change. It is a figure which shows an example of the flow of an encryption only process at the time of file path name change. It is a figure which shows an example of the inspection rule stored in an inspection rule table. It is a figure which shows an example of the flow of the information leakage prevention process in the information leakage prevention part of a gateway.

  Hereinafter, an information leakage prevention system and an information leakage prevention method according to embodiments of the present invention will be described with reference to the drawings. In all the drawings for explaining the embodiments, common constituent elements are denoted by the same reference numerals, and repeated explanation is omitted.

FIG. 1 shows an example of the configuration of an information leakage prevention system 100 according to an embodiment of the present invention.
The information leakage prevention system 100 includes a computer 101 and a gateway 102. The gateway 102 is connected to the Internet 103 and can communicate with other computers (not shown) via the Internet 103. Further, the computer 101 and the gateway 102 are connected to the network 104 and can communicate with each other. The Internet 103 is an example of a network and may be another network.

The computer 101 includes a CPU (Central Processing Unit), a main memory including a RAM (Random Access Memory), a storage device 114 including a hard disk, an input unit including a keyboard, a display, etc. The output part comprised by these.
The storage device 114 of the computer 101 stores various files such as document files, an operating system (OS) 113, and various application programs such as a document creation / editing application program, a mail application program, and a spreadsheet calculation application.
When the CPU of the computer 101 reads the OS 113 from the storage device 114 to the main memory and executes it, the functions of the file I / O hook unit 121 and the storage I / O unit 122 are realized.
The first embedding rule table 123A and the second embedding rule table 123B are included in the OS 113. The first embedding rule table 123 </ b> A and the second embedding rule table 123 </ b> B store processing rules for the inspection label and encryption processing in the file I / O hook unit 121. Details of the first embedding rule table 123A and the second embedding rule table 123B will be described later with reference to FIG.

Further, the CPU of the computer 101 reads out various application programs such as a document creation / editing application program, a mail application program, and a spreadsheet calculation application program from the storage device 114 and executes them, thereby creating a document on the computer 101. Various applications such as an editing application 111, a mail application 112, and a spreadsheet calculation application operate.
The file I / O hook unit 121 monitors access to files on the storage device 114 by various applications such as the document creation / editing application 111, the mail application 112, and the spreadsheet calculation application, and adds / deletes inspection labels. Or encrypt / decrypt and change file data. The file I / O hook unit 121 is an example of the inspection label embedding unit, the inspection label deletion unit, the encryption unit, and the decryption unit of the present invention.
The storage I / O unit 122 performs I / O processing for the storage device 114. The storage I / O unit 122 is also called a driver.

The gateway 102 includes a CPU, a main memory composed of a RAM and the like, and a storage device composed of a hard disk and the like.
The storage device of the gateway 102 stores an information leakage prevention program and an inspection rule table 142. The function of the information leakage prevention unit 141 is realized by the CPU of the gateway 102 reading the information leakage prevention program from the storage device into the main memory and executing it. The inspection rule table 142 stores processing rules of the information leakage prevention unit 141 for inspection labels.
The information leakage prevention unit 141 examines the inspection label embedded in the file, and permits or stops the transmission of the file, or sends it back to the sender or its superior. In this way, the information leakage prevention unit 141 prevents the confidential document from leaking from the computer 101 to an external computer connected to the Internet 103.
Specifically, the information leakage prevention unit 141 monitors the communication to the Internet 103 that passes through the gateway 102, suspends the communication, and extracts a file included in a mail attachment file or file transfer data. Next, the information leakage prevention unit 141 extracts the inspection label from the extracted file, compares the extracted inspection label with the rules stored in the inspection rule table 142, and transmits the inspection label to the Internet 103. Determine permission or rejection. Then, according to the determination, the information leakage prevention unit 141 continues the suspended communication as it is or interrupts the communication.

FIG. 2 shows an example of embedding the inspection label in the structured document file.
The structured document file of FIG. 2 is a single file, but logically has a hierarchical structure consisting of directories (folders) and files. D: indicates a directory, followed by a directory name. F: indicates a file, followed by: is the name of the file.
The directory 201 is a directory that is the root of this structured file, and is named Root.
The directory 202 is a directory named “DataSpaces” and is directly under the Root directory 201.
The file 211 and the file 212 are files named EncryptionInfo and EncryptedPackage, respectively, and are directly under the Root directory 201.
The file 203, the file 204, and the file 210 are files named Version, DataSpaceMap, and DLPTag, respectively, and are directly under the DataSpaces directory 202. DLPTag is an inspection label to be embedded in the present embodiment. The DLPTag file 210 includes data indicating, for example, a storage folder name and a user name.
The directory 205 and the directory 207 are directories named DataSpaceInfo and TransformInfo, and are directly under the DataSpaces directory 202.
The file 206 is a file named StrongEncryptionDataSpace and is directly under the DataSpaceInfo directory 205.
The directory 208 is a directory named StrongEncryptionTransform, and is directly under the TransFormInfo directory 207.
The file 209 is a file named Primary and is directly under the StrongEncryptionTransform directory 208.

FIG. 2 shows an example in which the inspection label is embedded in the structured file. However, the inspection label is embedded at the end of the file, added to the beginning of the file, or a position determined from the beginning or end of the file. A method such as embedding can also be considered.
In addition to the information included in the above-described inspection label, the structured file also provides a digital signature for a document excluding the inspection label (that is, the original document before embedding the inspection label) and the inspection label. May include.

FIG. 3 is a diagram illustrating an example of the embedding rule table. FIG. 3A shows an example of the first embedding rule table 123A. FIG. 3B shows an example of the second embedding rule table 123B.
The first embedding rule table 123A stores the first embedding rule for determining the contents of the inspection label and the encryption password / key, and the second embedding rule table 123B is the process of the file I / O hook unit 121. A second embedding rule that determines the contents is stored.

Each record (first embedding rule) of the first embedding rule table 123A includes a storage folder path 301, label information 302, and an encryption key / password 303.
The storage folder path 301 indicates the path of the storage folder that stores the file. The storage folder path 301 is an example of storage folder designation information according to the present invention.
The label information 302 is information indicating the contents of the inspection label that is newly embedded in the file stored in the storage folder in the storage folder path 301 or added in addition to the inspection label embedded in the file. . The label information 302 is an example of label information of the present invention.
An encryption key / password 303 indicates an encryption key / password when encrypting a file stored in the storage folder in the storage folder path 301. The encryption key / password 303 is an example of the encryption information of the present invention.
In FIG. 3A, for example, the rule stored in the first line is applied to a file stored in the storage folder / customer proposal / Suzuki store, and a label for inspection called customer proposal in the label information 302 is embedded. This indicates that the password for encrypting this file is suzukipasswd.

The label information 302 can include the following information, for example.
・ File name ・ Storage folder name ・ Security level assigned to the storage folder ・ Category ・ User name ・ User security level ・ Computer name ・ Computer location ・ Indicates whether you are in a building or on a business trip Label, creation / edit date / time, creator, title, classification, keyword, etc. included in the document attribute before encryption, information included in the inspection label of the document before editing / saving The name of the editor / viewer / accessed computer and the location of the file not included in the original file can be designated as the inspection label.
In addition, when label information 302 such as a creator, a title, a classification, and a keyword included in the document attribute before encryption is included in the inspection label, after the encryption, it is originally encrypted and inspected. It is possible to inspect by document attributes such as creator, title, classification, and keyword that cannot be used for the.
The file name, computer name, date and time are dynamic information. For example, even if the file name is set as the label information 302, it means that the character string “file name” is not embedded in the label, but the file name is acquired and the file name is embedded in the label. The same applies to other dynamic information.

Further, when the file name or the storage folder is changed, the OS 113 can detect this and add the new file name, the storage folder name, and the security level of the storage folder to the inspection label.
Furthermore, when the document is opened, the OS 113 can add the user name and the user's security level to the inspection label.

FIG. 3B shows an example of the second embedding rule table 123B.
Each record (second embedding rule) of the second embedding rule table 123B includes an execution file name 304, a file type (extension) 305, and embedding processing information 306.
The execution file name 304 indicates the execution file name of the application that accesses the file. The execution file name 304 is an example of application designation information of the present invention.
A file type (extension) 305 indicates the file type of the file to be accessed. The file type is indicated by an extension corresponding thereto, for example. The file type (extension) 305 is an example of file type designation information of the present invention. The file type of the present invention is acquired from, for example, the file extension of the file name or the beginning of the document file.
The embedding processing information 306 indicates the content of processing performed by the file I / O hook unit 121. For example, when the embedding process information 306 is a label, the file I / O hook unit 121 gives an inspection label to the file or deletes the inspection label from the file. For example, when the embedding process information 306 is only encryption, the file I / O hook unit 121 encrypts the file or decrypts the encrypted file. For example, when the embedding process information 306 is encryption / label, the file I / O hook unit 121 encrypts the file and assigns the inspection label, or deletes the inspection label from the encrypted file and decrypts it. To do. The embedding process information 306 is an example of embedding process information of the present invention.
In FIG. 3B, for example, the file of which the execution file name 304 is Word.exe and the extension 305 of the access target file is wbk is applied only to the encryption by applying the rule of the second line. Shows you to do.

FIG. 4 shows an example of the processing flow of the file I / O hook unit 121 when various applications such as the document creation / editing application 111 open or close a file. Note that the processing of the file I / O hook unit 121 at the time of change is the file path name (the file path name is the one in which the name of the file is added to the end of the path of the storage folder storing the file). This will be described later with reference to FIG.
The file I / O hook unit 121 first acquires the file path name and file type of the file to be opened / closed, and the application name for opening / closing the file (S101). As the application name, the name, path name, hash value, etc. of the execution file of the application can be considered. Here, the execution file name that is the name of the execution file is used. The file type can be obtained from the file extension of the file name or the beginning of the document file.
Next, the file I / O hook unit 121 executes the execution file name and file type of the application acquired in step S101, and the execution file name 304 and file of the embedding rule stored in the second embedding rule table 123B. A process (/ label / encryption only / encryption / label) to be applied is determined by comparing with the type (extension) 305 (S102 to S107), and any one of the processes shown in FIGS. 5 to 10 is performed. If the second embedding rule to be applied is not included in the second embedding rule table 123B, the file I / O hook unit 121 does nothing.
As a specific process, the file I / O hook unit 121 performs the process of FIG. 5 if the embedded process information 306 is encrypted / labeled when the file is opened (S102), and the embedded process information is displayed when the file is closed. If 306 is encryption / label, the process shown in FIG. 6 is performed (S103). If the embedded process information 306 is a label when the file is opened, the process shown in FIG. 7 is performed (S104). If the file is a label, the process of FIG. 8 is performed (S105). If the embedded process information 306 is only encrypted when the file is opened, the process of FIG. 9 is performed (S106), and the embedded process information 306 is encrypted when the file is closed. If only, the process of FIG. 10 is performed (S107).

In the encryption (actual decryption) / label processing when the file is opened, as shown in FIG. 5, for example, the file I / O hook unit 121 first deletes the inspection label from the file (S201). Next, the file I / O hook unit 121 retrieves the path of the storage folder that stores the file from the file path name, and the storage folder path 301 from the first embedding rule table 123A most closely matches the retrieved path. And the corresponding encryption key / password 303 is acquired (S202). Here, rules / records for all folders are not set and stored in the first embedding rule table 123A, and a completely matching record is not always found. Then, the storage folder path 301 is compared with the extracted path, and the record that is the closest and the closest match is found. Next, the file I / O hook unit 121 decrypts the encrypted file with the encryption key / password acquired in step S202 (S203). At this time, it is necessary to read the encrypted file from the storage device 114, but this processing is performed by the storage I / O unit 122.
However, for example, when an encrypted file attached to an e-mail is received and stored, it is not possible to know where the original file was, and the process cannot be decrypted as it is in FIG. In such a case, it may be possible to deal with an alternative method such as trying to decrypt with all keys stored in the computer, and if any key cannot be decrypted, querying the user for a password. . If it cannot be decrypted by the alternative method, it remains encrypted.
In the case of opening a new file, it is not necessary to remove the inspection label or decrypt it, and the file I / O hook unit 121 does not perform any particular processing.
Step S201 is executed by an example of the inspection label deleting means of the present invention, and steps SS202 and S203 are executed by an example of the decoding means of the present invention.

In the encryption / label processing at the time of closing the file, as shown in FIG. 6, the file I / O hook unit 121 first extracts the path of the storage folder storing the file from the file path name and performs the first embedding. A record in which the storage folder path 301 and the extracted path most closely match is searched from the rule table 123A, and the corresponding label information 302 and encryption key / password 303 are acquired (S301). Next, the file I / O hook unit 121 encrypts the file with the encryption key / password acquired in step S301 (S302). Then, the file I / O hook unit 121 embeds the inspection label specified by the label information 302 acquired in step S301 in the encrypted file (S303). At this time, it is necessary to write out a file that is encrypted in the storage device 114 and embedded with the inspection label, but this processing is performed by the storage I / O unit 122.
Steps S301 and S302 are executed by an example of the encryption unit of the present invention, and step S303 is executed by an example of the inspection label embedding unit of the present invention.

In the label (actual deletion) process at the time of opening the file, as shown in FIG. 7, the file I / O hook unit 121 deletes the inspection label of the file to be opened (S401). At this time, it is necessary to read a file from the storage device 114, and this processing is performed by the storage I / O unit 122.
In the case of opening a new file, it is not necessary to remove the inspection label, and the file I / O hook unit 121 does not perform any particular processing.
Step S401 is executed by an example of the inspection label deleting means of the present invention.

In the label processing at the time of closing the file, as shown in FIG. 8, the file I / O hook unit 121 first extracts the path of the storage folder storing the file from the file path name, and first embedding rule table 123A. The record folder path 301 and the retrieved path are searched for the most identical record, and the corresponding label information 302 is acquired (S501). Then, the file I / O hook unit 121 embeds the inspection label specified by the label information 302 acquired in step S501 in the file (S502). At this time, it is necessary to write out the file in which the inspection label is embedded in the storage device 114, and this processing is performed by the storage I / O unit 122.
Steps S501 and S502 are executed by an example of the inspection label embedding unit of the present invention.

In the process of only encryption (actual decryption) at the time of opening a file, as shown in FIG. 9, the file I / O hook unit 121 first extracts the path of the storage folder storing the file from the file path name, A record in which the storage folder path 301 and the extracted path most closely match is searched from the embedded rule table 123A, and the corresponding encryption key / password 303 is acquired (S601). Then, the file I / O hook unit 121 decrypts the encrypted file to be opened with the encryption key / password acquired in step S601 (S602). At this time, it is necessary to read the encrypted file from the storage device 114, but this processing is performed by the storage I / O unit 122.
Also in this case, if the original file path name is not known and the key cannot be obtained by the above method, as in the case of an encrypted file attached to an e-mail, an alternative similar to the alternative method described in the processing of FIG. It is conceivable to deal with it by a method.
In the case of opening a new file, the file I / O hook unit 121 does not need to perform decryption and does not perform any processing.
Steps S601 and S602 are executed by an example of the decoding means of the present invention.

In the encryption only process at the time of closing the file, as shown in FIG. 10, the file I / O hook unit 121 first extracts the path of the folder storing the file from the file path name, and the first embedded rule table A record in which the storage folder path 301 matches the acquired path from 123A is searched for, and the corresponding encryption key / password 303 is acquired (S701). Then, the file I / O hook unit 121 encrypts the file to be closed with the encryption key / password acquired in step S701 (S702). At this time, it is necessary to write the encrypted file to the storage device 114, but this processing is performed by the storage I / O unit 122.
Note that steps S701 and S702 are executed by an example of the encryption means of the present invention.

FIG. 11 shows an example of the processing flow of the file I / O hook unit 121 when the application changes the file path name.
The change of the file path name includes a change of the storage folder in which the file is stored (moving or copying between files) and a change of the file name.
In the file path name change process, the file I / O hook unit 121 first performs the same process as the process of opening a file for the file before the file path name change, and then the file after the file path name change. The same processing as that for closing the file is performed. However, in the encryption process, the file before the file path name change is encrypted, and the encryption key / key of the first embedding rule table 123A in the folder before the file path name change and the folder after the file path name change. When the password 303 is the same, decryption / re-encryption is not performed.
First, the file I / O hook unit 121 acquires the changed file path name, the file type of the file, and the application name of the file (S801). As the application name, the name, path name, hash value, etc. of the execution file of the application can be considered. Here, the execution file name that is the name of the execution file is used. The file type is obtained from the file extension of the file name or the beginning of the document file.
Next, the file I / O hook unit 121 executes the execution file name and file type of the application acquired in step S801, and the execution file name of the second embedding rule stored in the second embedding rule table 123B. 304 and file type (extension) 305 are compared and applied (/ label / encryption only / encryption / label) to be applied (S802 to S804), and shown in FIGS. Do one of the processes. If the rule to be applied to the embedding rule 123A is not included, the file I / O hook unit 121 does nothing.

In the encryption / label processing, as shown in FIG. 12, the file I / O hook unit 121 first deletes the inspection label from the file (S901). Next, the file I / O hook unit 121 extracts the path of the folder in which the file is stored from the file path name before the change, and the storage folder path 301 and the acquired path most closely match from the first embedding rule table 123A. The corresponding encryption key / password 303 is acquired (S902). At this time, it is necessary to read the encrypted file from the storage device 114, but this processing is performed by the storage I / O unit 122. Next, the file I / O hook unit 121 extracts the path of the folder in which the file is stored from the changed file path name, and the storage folder path 301 and the acquired path most closely match from the first embedding rule table 123A. The corresponding label information 302 and encryption key / password 303 are acquired (S903).
If the encryption key / password 303 acquired in steps S902 and S903 is different (S904: Yes), the file I / O hook unit 121 is encrypted with the encryption key / password 303 acquired in step S902. The received file is decrypted (S905). Next, the file I / O hook unit 121 encrypts the file with the encryption key / password acquired in step S903 (S906). Then, the file I / O hook unit 121 embeds the inspection label specified by the label information 302 acquired in step S903 in the encrypted file (S907).
Further, when the encryption key / password 303 acquired in steps S902 and S903 are the same (S904: No), the file I / O hook unit 121 does not need to perform further encryption, and the label acquired in step S903. The inspection label specified by the information 302 is embedded in the encrypted file (S907). At this time, it is necessary to write out a file that is encrypted in the storage device 114 and embedded with the inspection label, but this processing is performed by the storage I / O unit 122.
Note that step S901 is executed by an example of the inspection label deletion unit of the present invention, steps S902 and S905 are executed by an example of the decryption unit of the present invention, and steps S903 and S906 are executed by an example of the encryption unit of the present invention. Step S907 is executed by an example of the inspection label embedding means of the present invention.

In the label process, first, as shown in FIG. 13, the file I / O hook unit 121 first deletes the inspection label from the file (S1001). Next, the file I / O hook unit 121 extracts the path of the folder in which the file is stored from the changed file path name, and the storage folder path 301 and the acquired path most closely match from the first embedding rule table 123A. The record to be searched is searched, and the corresponding label information 302 is acquired (S1002). At this time, it is necessary to read the file in which the inspection label is embedded from the storage device 114, and this processing is performed by the storage I / O unit 122. Next, the file I / O hook unit 121 embeds the inspection label specified by the label information 302 acquired in step S1002 in the file (S1003). At this time, it is necessary to write out the file in which the inspection label is embedded in the storage device 114, and this processing is performed by the storage I / O unit 122.
Note that step S1001 is executed by an example of the inspection label deleting means of the present invention, and steps S1002 and S1003 are executed by an example of the inspection label embedding means of the present invention.

In the encryption only process, first, as shown in FIG. 14, the file I / O hook unit 121 extracts the path of the folder in which the file is stored from the file path name before the change, and from the first embedding rule table 123A. The record with the best match between the storage folder path 301 and the acquired path is searched for, and the corresponding encryption key / password 303 is acquired (S1101). At this time, it is necessary to read the encrypted file from the storage device 114, but this processing is performed by the storage I / O unit 122. Next, the file I / O hook unit 121 extracts the path of the folder in which the file is stored from the changed file path name, and the storage folder path 301 and the acquired path most closely match from the first embedding rule table 123A. The corresponding encryption key / password 303 is acquired (S1102).
If the encryption key / password 303 acquired in steps S1101 and S1102 is different (S1103: Yes), the file I / O hook unit 121 is encrypted with the encryption key / password 303 acquired in step S1101. The received file is decrypted (S1104). Next, the file I / O hook unit 121 encrypts the file with the encryption key / password acquired in step S1102 (S1105).
If the encryption key / password 303 acquired in steps S901 and S902 are the same (S1103: No), the file I / O hook unit 121 does not need to be further encrypted and does nothing and ends. . At this time, it is necessary to write the encrypted file to the storage device 114, but this processing is performed by the storage I / O unit 122.
Note that steps S1101 and S1104 are executed by an example of the decrypting means of the present invention, and steps S1102 and S1105 are executed by an example of the encrypting means of the present invention.
In the above processing, according to the second embedding rule 123B, the file can be encrypted or the inspection label can be embedded according to the application (executable file name) and the file type.

For example, when the e-mail application 112 transmits an e-mail with a file attached, the e-mail application 112 copies the attached file from the folder in which the file is located to a folder unique to the attached file. This process can be regarded as a process for changing the file path name. In this case, the path of the folder containing the file is the storage folder path 310 before the file path name is changed, and the path of the folder unique to the attached file is the storage folder path 310 after the file path name is changed.
“Mail application 112”, “doc”, and “encryption / label” are set in the execution file name 304, file type (extension) 305, and embedding process information 306 of the second embedding rule table 123B, respectively. When the mail application 112 transmits an e-mail attached with a file with the extension “doc”, the file I / O hook unit 121 executes the encryption / label processing of FIG. .
If the mail application 112 is not set in the executable file name 304 of the second embedded rule table 123B, the above processing is not performed, and the attached file is attached without being decrypted. As a result, files that are encrypted or have their labels embedded are attached to the email.

FIG. 15 shows an example of inspection rules stored in the inspection rule table 142.
Each record (inspection rule) in the inspection rule table 142 includes label information 401 and inspection processing information 402.
The label information 401 is information for specifying an inspection label embedded in a file. The label information 401 is an example of label information according to the present invention.
The inspection processing information 402 indicates processing to be applied to communication including the file when the inspection label specified by the label information 401 is included in the inspection label embedded in the file. The inspection processing information 402 is an example of inspection processing information according to the present invention.
For example, if "abc.co.jp" is included as a domain name in the inspection label, the domain name of the mail destination is "suzuki@abc.co.jp" or "sato@xyz.abc.co.jp" As described above, transmission is permitted if it corresponds to the domain name included in the inspection label, and it is sent back to the sender if an incompatible destination is included.

FIG. 16 shows an example of the flow of information leakage prevention processing in the information leakage prevention unit 141 of the gateway 102.
The information leakage prevention unit 141 temporarily holds communication from the computer 101 to the Internet 103 and extracts a file from the communication data (S1201). Communication includes mail, Web, file transfer, and the like, and a file is extracted by a method suitable for each protocol. Next, the information leakage prevention unit 141 extracts the inspection label from the extracted file (S1202). Next, the information leakage prevention unit 141 determines how to process the extracted inspection label against the inspection rules stored in the inspection rule table 142 (S1203). For example, if “external secret” is included in the inspection label, it is sent back to the sender. Further, if “customer information” is included in the inspection label, transmission to the Internet 103 is permitted when the superior of the sender is included in the mail address. Such determination is equivalent to existing firewalls, HTTP filtering, mail gateways, etc., except that the inspection label is referred to, and will not be described further. Then, the information leakage prevention unit 141 performs processing according to the determination on the communication data (S1204). At that time, when the document file is sent to the Internet 103, the inspection label included may be removed.
The information leakage prevention unit 141 is an example of an inspection processing unit of the present invention.

In step S1202, if the inspection label is not found, leakage prevention power is enhanced by canceling communication or sending back the file.
If the digital signature is included in the label, this is verified. If the verification fails, the communication is canceled or the file is sent back to increase leakage prevention power.

Further, when the file I / O hook unit 121 deletes the inspection label from the file in the process of step S201 or S401 at the time of opening the file, the file I / O hook unit 121 stores it in the main memory or the like and acquires it in step S301 or S501. In addition to the inspection label specified by the label information, the inspection label stored in step S303 or S502 when the file is closed may be embedded in the file.
When the file I / O hook unit 121 deletes the inspection label from the file in the process of step S901 or S1001 when the file path name is changed, the file I / O hook unit 121 stores this in the main memory or the like, and saves the file in the process of step S907 or S1003. In addition to the inspection label after changing the path name, the inspection label before changing the file path name may be embedded in the file.
By performing such processing, even if the file is accessed or moved between folders, the inspection label before access and before movement is retained, so that stricter inspection can be performed. it can.

In the above-described embodiment, the file I / O hook unit 121 performs processing and encryption processing on the inspection label, but not the file I / O hook unit 121 but the document creation application 111, the mail application 112, or the like. The application has a first embedding rule table 123A and a second embedding rule table 123B, and processes and encryptions for inspection labels for files that are opened or closed or whose file path name is changed Processing may be performed. In this case, each record of the second embedding rule table 123B may not include the execution file name 304, but even in that case, the second embedding rule table 123B substantially includes the execution file name 304. The processing to be applied (/ label / encryption only / encryption / label) is determined based on the execution file name 304, the file type (extension) 305, and the embedding processing information 306.
Some applications have an interface for incorporating additional processing at the time of saving a file, but in such an application, processing for an inspection label and encryption processing can be incorporated using the interface.

  In the above-described embodiments, leakage of confidential documents via a network such as the Internet is targeted, but there is a path for copying and leaking from a computer to a portable storage medium such as a USB memory or a magneto-optical disk. By incorporating the same function as the information leakage prevention unit 141 into the module that monitors the portable medium, it is possible to prevent the confidential document from leaking through the portable storage medium.

  Of course, the present invention can be applied not only to document files but also to audio files, image files, and graphic files.

  As described above, according to the present invention, it is possible to check the file name of the document, the storage folder name, the security level of the storage folder, the name of the creator or the viewer, the security level, and the like at the gateway. These pieces of information can be used to determine whether the information is clearer than the keywords and patterns included in the document, and the determination conditions can be easily set. For this reason, false detection and inspection omission can be reduced.

DESCRIPTION OF SYMBOLS 100 ... Information leakage prevention system, 101 ... Computer, 102 ... Gateway, 103 ... Internet, 104 ... Network, 111 ... Document creation / editing application, 112 ... Mail application, 113 ... Operating system (OS), 114 ... Storage device, 121 ... File I / O hook part, 122 ... Storage I / O part, 123A ... First embedding rule table, 123B ... Second embedding rule table, 141 ... Information leakage prevention part, 142 ... Inspection rule table

Claims (5)

A first embedding rule that includes storage folder designation information that designates a storage folder and label information that designates an inspection label embedded in a file stored in the storage folder designated by the storage folder designation information is stored. A first embedded rule table,
Application specification information for specifying an application, file type specification information for specifying a file type, and embedding processing information for specifying whether or not to perform label processing on a file of a file type specified by the file type specification information A second embedding rule table storing a second embedding rule including:
An inspection rule table storing inspection rules including label information and inspection processing information for specifying processing to be performed when the inspection label specified by the label information is embedded in the file;
When the application closes the file and stores it in the storage device, the application, the file type of the file, and application designation information included in the second embedding rule stored in the second embedding rule table Specifies that the embedding process information included in the second embedding rule corresponding to the specified application and the file type specified in the file type specification information and included in the second embedding rule with the same application and file type performs label processing. A first embedding rule including storage folder designation information for designating a storage folder in which the file is stored is acquired from the first embedding rule table and included in the acquired first embedding rule. The inspection label that embeds the inspection label specified in the label information And Le embedding means,
When storage of data in a communication or portable storage medium is detected, a file is extracted from the communication data or data stored in the portable storage medium and specified by the label information included in the inspection rule stored in the inspection rule table Inspection processing means for performing processing specified by the inspection processing information included in the inspection rule when the inspection label to be included is included in the inspection label embedded in the file;
An information leakage prevention system comprising:   When an application opens a file stored in the storage device, the application, the file type of the file, and an application designation included in the second embedding rule stored in the second embedding rule table The embedding processing information included in the second embedding rule in which the application specified by the information and the file type specified by the file type specifying information match, and the application and the file type match, perform the label processing. 2. The information leakage prevention system according to claim 1, further comprising inspection label deleting means for deleting the inspection label included in the file when designating the file. The first embedding rule stored in the first embedding rule table includes encryption information used for encrypting a file stored in the storage folder designated by the storage folder designation information. Including
When an application closes a file and stores it in the storage device, the application designation information included in the second embedding rule stored in the second embedding rule table and the file type of the application and the file The embedding process information included in the second embedding rule in which the application and file type specified in the file and the file type specified in the file type specifying information match and the application and file type match are encrypted. When the first embedding rule is stored, the first embedding rule including the storing folder designation information for designating the storing folder in which the file is stored is acquired from the first embedding rule table, and the acquired first embedding rule is acquired. Encryption means for encrypting the file based on the encryption information included in
When an application opens a file stored in the storage device, the application, the file type of the file, and an application designation included in the second embedding rule stored in the second embedding rule table The embedding process information included in the second embedding rule in which the application specified in the information and the file type specified in the file type specifying information match and the application and the file type match perform encryption processing. A first embedding including storage folder designation information for designating a storage folder storing the file after the inspection label included in the file is deleted by the inspection label deleting means. A rule is obtained from the first embedded rule table and Decoding means for decoding the encrypted file on the basis of the encryption information included in the first embedded rules and,
With
The inspection label embedding unit embeds an inspection label specified by the label information included in the acquired first embedding rule in the file after the file is encrypted by the encryption unit.
The information leakage prevention system according to claim 2.   When the application changes the file path name of the file, it is specified by the application specification information included in the second embedding rule stored in the second embedding rule table and the file type of the application and the file. When the application and file type specified by the file type specification information match, and the embedding processing information included in the second embedding rule that matches the application and file type specifies that label processing is to be performed In addition, the inspection label deleting unit deletes the inspection label included in the file, and the inspection label embedding unit includes storage folder designation information for designating a storage folder indicated by the changed file path name. 1 embedding rule from the first embedding rule table Tokushi, information leakage prevention system according to claim 2 in which the test label specified by the label information included in the first embedded rules the acquired, characterized in that embedded in the file. Stored is a first embedding rule including storage folder designation information for designating a storage folder and label information for designating a test label embedded in a file stored in the storage folder designated by the storage folder designation information. Whether to perform label processing on the first embedded rule table, application specification information for specifying an application, file type specification information for specifying a file type, and a file of a file type specified by the file type specification information A second embedding rule table in which a second embedding rule including embedding processing information for designating is stored, and a label for inspection designated by the label information is embedded in the label information and the file. An inspection rule table storing inspection rules including inspection processing information for specifying processing to be performed An information leakage prevention method in the information leakage prevention system comprising,
When the application closes the file and stores it in the storage device, the application, the file type of the file, and application designation information included in the second embedding rule stored in the second embedding rule table Specifies that the embedding process information included in the second embedding rule corresponding to the specified application and the file type specified in the file type specification information and included in the second embedding rule with the same application and file type performs label processing. A first embedding rule including storage folder designation information for designating a storage folder in which the file is stored is acquired from the first embedding rule table and included in the acquired first embedding rule. The inspection label that embeds the inspection label specified in the label information And Le embedding step,
When storage of data in a communication or portable storage medium is detected, a file is extracted from the communication data or data stored in the portable storage medium and specified by the label information included in the inspection rule stored in the inspection rule table An inspection processing step for performing processing specified by the inspection processing information included in the inspection rule when the inspection label to be included is included in the inspection label embedded in the file;
An information leakage prevention method comprising:

Images