KR101264305B1 - File securing apparatus, file securing method, and computer readable medium recorded thereon a program for file securing method - Google Patents

Abstract

The present invention relates to a file protection device, a file protection method, and a program recording medium, which replace a pattern of important data of a file with another pattern so that it can be shared even by an unauthorized application program.
By using the file protection device, the file protection method, and the program recording medium of the present invention, there is an effect of allowing users to share files including important data patterns without the user having to know or permit the application program.

Description

FILE SECURING APPARATUS, FILE SECURING METHOD, AND COMPUTER READABLE MEDIUM RECORDED THEREON A PROGRAM FOR FILE SECURING METHOD}

The present invention relates to a file protection apparatus, a file protection method, and a program recording medium, and specifically, a file which replaces a pattern of important data of a file with another pattern so that the file can be shared even for an unauthorized application program. A protection device, a file protection method, and a program recording medium.

As the credit society evolves and the credit society integrates with information technology, users can easily purchase various products through credit cards or giro conveniently online, withdraw cash from bank account or transfer to another account online. I can do it.

These advances in technology provide convenience to the user on the one hand, but on the other hand require and remember to correctly enter the information or account information of multiple credit cards owned by the user.

The card number or account number of the credit card is composed of a series of numbers, which makes it difficult for the user to remember. Accordingly, the information and account information of the credit card, which are easily lost or forgotten, are written and stored in the form of a file. It can be replaced.

The file stored in this way contains important information that should not be exposed to the user, but a method for protecting the file must be properly provided.

To protect this, there are several well known methods.

The first solution may be a method of encrypting a specific file designated by a user.

The second approach may be to block an unauthorized processor if it wants to access a particular file specified by the user.

However, these two solutions have some problems.

With the development of information technology, information technology is developing in various forms. For example, advances in information technology provide a variety of devices for one user, so that there is a need to share information between these various devices. For example, a user may have a personal computer (PC) or laptop and need to share files containing important data between them with a mobile phone or smart phone, a personal multimedia player (PMP), an interactive TV (iTV), etc. have. The user also needs to be shared between files that contain sensitive data or files that contain such sensitive data, either through cloud services or through peer-to-peer services.

When encrypting a file containing sensitive data, each device needs to have the high performance necessary for encryption and decryption, but it is not easy depending on the development purpose of each device. There is a problem of sharing, or a high performance load required for encryption and decryption, and a complicated process for sharing, storing, and processing encryption and decryption keys according to encryption and decryption.

On the other hand, a way to block unauthorized processes is not easy for the user to first determine which processor should or should not be authorized, that is, by looking at the name of the processor and the access path of a particular processor. It is not easy for the user to decide whether or not to grant the permission, so that certain files need to be protected even in the licensed processor.

For example, even if you use a PtoP service or a cloud service, some of the information that will be shared on the remote server (for example, account information or credit card information discussed above) should not be disclosed and only available to that user. It will be necessary for information security.

Therefore, in the information technology environment that has changed with the development of information technology, there is a way for the user to preserve important data stored in a file regardless of whether the user recognizes or installs a new process or external network environment. need.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems. The present invention provides a file protection apparatus, a file protection method, and a program recording, which allow a file to be shared with an application or an external device by substituting an important data pattern with another pattern. The purpose is to provide the medium.

It is also an object of the present invention to provide a file protection device, a file protection method, and a program recording medium, which enable to restore a file having another pattern substituted by authentication at a remote external device.

The present invention also provides a file protection device, a file protection method, and a method for providing an original file or a replacement file to an external device or an application by using a replacement file having a pattern different from the original file having an important data pattern, and The purpose is to provide a program recording medium.

In addition, the present invention allows a file to be shared regardless of whether the user recognizes or permits the application program, and among the files having important data patterns are shared in the form of replaced files, network connectivity to the file It is an object of the present invention to provide a file protection device, a file protection method, and a program recording medium, which can be raised.

It is also an object of the present invention to provide a file protection apparatus, a file protection method, and a program recording medium, which replace only some important data patterns so that they can be executed in real time on a device having low performance.

In order to achieve the above object, a file protection device for protecting a file having a specific pattern is provided to an application program received from an access monitoring module and an access monitoring module for monitoring the access of the first file from any application. A service that determines whether an application is a licensed application for the first file based on the associated identification information, and if the application is not authorized, provides a second file which is a file changed from the first file having the first pattern. And a service module, wherein the service module replaces the first pattern identified from the first file with a corresponding second pattern in the second file.

In addition, to achieve the above object, a file protection method for protecting a file having a specific pattern, comprising the steps of identifying a first file having a first pattern in one or more files and the first pattern of the first file; Converting to the second pattern, storing the converted file to the second pattern, monitoring access of the first file from any application, and determining whether to allow access to the first file of the application; If the application is not allowed access to the first file, then allowing the application to access the file with the second pattern.

Also, in order to achieve the above object, a program recording medium having recorded a program includes: identifying a first file having a first pattern in one or more files and converting the first pattern of the first file into a second pattern. Storing the converted file in the second pattern; monitoring access of the first file from any application; determining whether to allow access to the first file of the application; And if the access is not allowed, allowing the application program access to the file with the second pattern.

Such a file protection device, a file protection method, and a program recording medium allow a file to be accessed by an application or an external device whose user does not know whether to allow access, but does not expose important data of the file. It works.

In addition, such a file protection device, a file protection method, and a program recording medium may restore, through authentication, a substitute file having a substituted or different pattern transmitted to an application or an external device whose user does not know whether to allow access. It has the effect of making it possible.

In addition, the file protection device, the file protection method, and the program recording medium as described above have an effect of allowing the file to be securely shared among a plurality of devices having a user by using the device identifier together with the safe protection of the file.

In addition, the file protection device, the file protection method, and the program recording medium as described above, by increasing the network expandability of the file stored in the user's device to an external device, the user can easily utilize a file having an important data pattern on multiple devices It has the effect of making it possible.

In addition, such a file protection device, a file protection method, and a program recording medium replace only some important data patterns, so that they can be executed in real time on low performance devices or can be executed at low load.

The effects obtained by the present invention are not limited to the above-mentioned effects, and other effects not mentioned can be clearly understood by those skilled in the art from the following description will be.

1 is a diagram showing an embodiment of a hardware block diagram of a file protection device according to the present invention.
2 is a diagram illustrating an embodiment of a functional block diagram of a file protection device that may be performed in a control processor.
3 is a diagram illustrating an embodiment of a detailed functional block diagram of a service module.
4 is a diagram illustrating an embodiment of a flowchart for protecting a file that may be performed by a control processor of a file protection device.
5 is a diagram illustrating a file protection system including a file protection device connected to a network.

The above objects, features, and advantages will become more apparent from the detailed description given hereinafter with reference to the accompanying drawings, and accordingly, those skilled in the art to which the present invention pertains may share the technical idea of the present invention. It will be easy to implement. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram showing an embodiment of a hardware block diagram of the file protection device 100 of the present invention.

According to FIG. 1, the file protection device 100 may include a volatile memory 101, a nonvolatile memory 103, a mass storage unit 105, a network interface 107, an input unit 109, an output unit 111, Control processor 113 and system bus / control bus 115.

Some of the blocks may be omitted according to the implementation example, or a block not included in FIG. 1 may be further included in the file protection device 100. For example, the mass storage unit 105 may be omitted depending on the form of the file protection device 100 and may be configured to store files necessary for the nonvolatile memory 103.

The file protection device 100 may store a file such as a personal computer (PC), a notebook, a mobile phone, a smartphone, a portable multimedia player (PMP), a personal digital assistant (PDA), an iTV, a set-top box, and the like. It is a device with.

Hereinafter, each hardware block of the file protection device 100 will be described. The volatile memory 101 is a memory in which data stored in the memory is erased when power such as SDRAM and DDR-DRAM is stopped.

The volatile memory 101 temporarily stores a program that can be executed by the control processor 113 and data such as a file to be transmitted and received by the control processor 113.

The nonvolatile memory 103 is a memory in which data stored in the memory is stored regardless of power supply interruption such as Nor Flash.

The nonvolatile memory 103 can store a bootloader or other important setting data necessary for booting the file protection device 100. In addition, the nonvolatile memory 103 may further store data such as a file.

The mass storage unit 105 is a device capable of storing a large number of files and programs such as a hard disk, a DVD / CD loader, a USB memory, an SD memory, and the like.

The mass storage unit 105 stores various programs that can be executed by the control processor 113 and stores files for use in various programs.

Here, the various programs include one or more programs of an editor type for reading and / or modifying a specific file, the editor type programs being designated, for example, PDF, Word, HWP, EXCEL, PowerPoint, etc. You can read, modify, and save types of files.

Here, these files can be read, modified and stored according to the type of the file (for example, by identifying an extension of a file name or identifying a format in the file) using a designated application program.

In addition, these types of files have a feature that can be read and modified when the same designated application exists not only in the file protection device 100 but also on other devices, and thus manages the distribution of these types of files, It is necessary to protect important data in the contents stored in files to prevent unauthorized disclosure.

The network interface 107 connects an external network to enable transmission and reception of files, applications, and the like from and / or to an external network.

For example, the network interface 107 may have a personal or home network interface such as Universal Serial Bus (USB), Bluetooth, IEEE 1394, or the like, and / or a cellular network such as CDMA, WCDMA, GSM, or the like. It may have a network interface for wireless / wired LAN.

The type of network to be included in the network interface 107 may vary depending on the type of the file protection device 100. For example, if the file protection device 100 is a smart phone, the network interface 107 may have a USB or Bluetooth interface along with a specific type of cellular network.

The input unit 109 receives an input from a user. The input unit 109 may include, for example, a keyboard, a mouse, a touch panel, and the like. By using the input unit 109, a user may set configuration information related to an application or an external device that is performed by the control processor 113 to access a specific type of file.

The output unit 111 outputs a variety of information such as a result performed in an application program to the user. The output unit 111 includes, for example, a display device such as an LCD, a PDP, and / or a speaker.

By using the output unit 111, the user can input the setting information, etc. to be used in the application program to check it.

The control processor 113 controls each block of the file protection device 100.

For example, the control processor 113 may perform various setting programs and applications stored in the volatile memory 101, the nonvolatile memory 103, and / or the mass storage unit 105, and perform the volatile memory 101, A file stored in the nonvolatile memory 103 and / or the mass storage unit 105 or a file to be stored may be transmitted and received through the network interface 107.

Alternatively, the control processor 113 can set various setting data from the user by using the output unit 111 and the input unit 109.

The control processor 113 may include one processor core or a plurality of processor cores.

The system bus / control bus 115 is a bus for transmitting / receiving control signals and / or data between blocks of the file protection device 100, for example, a PCI bus, a PCI Express bus, an IDE bus, or the like. It includes a bus for communication between chipsets within a data bus and a data bus provided to a processor, such as an Intel type bus or a Motorola type bus, and can transfer data and control data through a serial bus such as I2C, SPI, or UART. Including the bus which there is.

The above-described system bus / control bus 115 is configured to transfer data or control signals between blocks in the file protection device 100.

FIG. 2 is a diagram illustrating an embodiment of a functional block diagram of the file protection device 100 that may be performed by the control processor 113.

According to the functional block diagram of FIG. 2, the file protection device 100 includes an access monitoring module 150 and a service module 160, and the access monitoring module 150 includes a file filter module 151 and a network filter. Module 152. Some of these blocks may be omitted according to the implementation and other functional block modules may be further included.

The service module 160, in order to protect access of a file having a specific pattern (critical data) from an unauthorized application, identifies information and / or external information of an application to be accessed in conjunction with the access monitoring module 150. Receives identification information (identifier) of the device, and determines whether to allow the application to access based on the received identification information.

If it is determined that access is not permitted, the access monitoring module 150 provides identification information of a substitute file different from the file to be accessed, so that the application accesses a file different from the original intention. To lose.

To this end, the service module 160 receives various control data from the user in order to set the type information of the file to be monitored, and uses the same to access the access monitoring module 150 from an unauthorized application program. When access to a specific file of a file type to be monitored occurs, the access monitoring module 150 provides identification information on the replaced file of the specific file.

In addition, the service module 160 scans data of all files of the file type to be monitored in the volatile memory 101, the nonvolatile memory 103, and / or the mass storage unit 105, so that a specific pattern is applied to the file. If a file with a specific pattern is found, the specific pattern is converted into another pattern designated by the service module 160, and the converted file is converted into a different pattern in the volatile memory 101 and the nonvolatile memory 103. And / or stored in the mass storage unit 105 and stored therein.

Here, the specific pattern may include, for example, a string including 14 digits such as a social security number (of course, '-' or '' may be considered) or a number such as 12 to 16 digits, such as an account number. A string of characters, a 16-digit credit card number, or any other contiguous string of characters that represents the individual's private password, such as "Password" or "PW", "pw", or "Passwd". After a string indicating a number or a string in a certain area at a position below).

Or a string adjacent to a string of company names representing banks or credit card companies.

Scanning may occur at various points in time. For example, scanning can be done for all files when the file protection device 100 of the present invention is first installed. Alternatively, when a specified application program is executed to modify a file of a file type to be monitored, and the specified application program modifies a specific file, it may be performed only for the specific file. Or, when the specified application is executed, it can be configured to monitor only the modified part of a specific file and scan only the modified part.

In this way, scanning for a specific file or only a modified part can be configured to reduce a load that may occur.

Another pattern to be replaced may be, for example, a predetermined pattern (eg, a string including characters such as '*', 'X', 'x', etc.) in the service module 160 or an encrypted encryption code.

The encrypted code may be a code generated using an encryption key based on the characteristic information of the file. The encryption key may be an encryption key generated from a creation date (which may also include a time) or a modification date (which may also include a time) of the corresponding file.

Alternatively, the encryption key may be an encryption key generated by using characters in a plurality of specific locations designated by the service module 160 in the string (text) of the file including the specific pattern. Or it may be an encryption key generated based on the size (size) of the file. If an encryption key is generated using characters in a number of specific locations or an encryption key is generated using the size of a file, it will be apparent that the encryption key can be modified each time the file is changed. .

It is also possible to generate an encryption key from a combination of such characteristic information in a file.

More details about the service module 160 will be described with reference to FIG. 3.

The access monitoring module 150 monitors the access of the application program to the file system and / or the external network, and the file according to the identification information of the file provided from the service module 160 or the identification information from the application program. Access to the system

To this end, the access monitoring module 150 may include a file filter module 151 for monitoring access of a file system from an arbitrary application program and a network filter module for monitoring access of an external network from the arbitrary application program. 152).

The file filter module 151 monitors reading and / or writing to files in any number of application programs. The file filter module 151 may be implemented by hooking a function call or a message of an OS level file driver stage.

For example, the file filter module 151 may control data (or control signals), such as function calls, signals, or messages, from any application to access the file system. Intercepts information about the application such as identification information (e.g., process id, and / or process name, etc.) and read or write information of the application that can be known from or from this control data, Extract identification information (e.g., file directory, file name, etc.) of the access file.

The file filter module 151 extracting such control data accesses a specific file of a file type (such information may be received from the service module 160 in advance) to be monitored by the service module 160 in any application program. In the case of identifying, the service module further includes identification information (process id and / or process name, etc.) of the application, identification information of the access file, and an access method (for example, read or write). Forward to 160.

The file filter module 151 receives, from the service module 160, identification information necessary for access to a file in a file system, and the file filter module 151 accesses the file in the file system. Allow it.

For example, the file filter module 151 may make a function call to a file driver that can access the file system using the identification information (ie, alternative identification information) of the file received from the service module 160. .

Also, for example, when there is a specific pattern (resident registration number, etc.) that is important data in a specific file, and when any application program is not permitted in the service module 160, the identification of the file received from the service module 160 is identified. The information may be identification information about a file in which a specific pattern of a specific file is replaced with another pattern.

 Accordingly, the file filter module 151 allows any application to access the file in which the important data is replaced.

By taking this configuration, it is possible to protect important data even though any application program loaded and executed on the file protection device 100 allows access to the file system.

The network filter module 152 monitors access to external networks of any application program. Such external networks may be, for example, USB, Bluetooth, IEEE1394, cell phone networks, and / or wired or wireless LAN networks.

Here, the network filter module 152 intercepts control data (or control signals), such as function calls, signals, or messages, for accessing the network from any application program. and extracts an identifier (identification information) for the external device 200 to which the application program wants to access the network from the control data.

The network filter module 152 may be implemented by hooking a function call or a message of an OS level network driver.

Such a network filter module 152 hooks an identifier of a device to be connected to the external network and transmits the device identifier to the service module 160 when any application program accesses the external network.

The device identifier is for identifying the external device 200, and may be, for example, a phone number, a MAC address, an id (for example, PID, VID), etc. that may be used in Bluetooth or USB.

This device identifier may be further used by the service module 160 to determine whether to deny access to a particular file.

As described above, unlike the existing technology, the file filter module 151 and the network filter module 152 transmit the replaced file without blocking the access of the specific file when there is an access to the specific file. This is to increase network access to various devices while protecting sensitive data.

On the other hand, the application program, according to the implementation of the file protection device 100 may be set whether to allow access to the network or file system in advance. Even in this case, it will be necessary to block access to unauthorized external networks or external devices.

3 is a diagram illustrating an embodiment of a detailed functional block diagram of the service module 160.

According to FIG. 3, the service module 160 may include a setting interface unit 161, a setting information storage unit 162, a designated application program interface unit 163, a scanning unit 164, a pattern conversion unit 165, and a replacement. A file information storage unit 166 and an access monitoring module interface unit 167. Some of these functional blocks may be omitted depending on the design, and other functional blocks may be further added.

The setting interface unit 161 provides a user interface to the user of the file protection device 100 through the output unit 111 and receives various setting information to be set by the user through the input unit 109 through the user interface. . Alternatively, the setting interface unit 161 may receive such information through the management server 300 connected through an external network.

Such various setting information includes a file type having a specific pattern, a type of a specific pattern, a user identifier (id) and a password required to access the management server 300 or to use the file protection device 100, and an external device. It includes identifiers of devices that can be connected to the network, allowable applications, alternative policy information, and so on. All of these various setting information need not necessarily be included and some of them may be omitted.

For example, the type of the file having a specific pattern may be a file type such as Word, Excel, PDF, HWP, PowerPoint, or the like. By setting the file type, the service module 160 may automatically designate a designated application (Word application, Excel application, Adobe application, Korean application, etc.) that can be used for each file type. .

The selection of a file type having a specific pattern may be performed in a format for selecting an extension or for selecting an application.

Specific types of patterns may be social security numbers, social security numbers, individual credit card numbers, individual account numbers, etc., that allow each individual to be identified with another individual by an accredited agency (such as a government). This particular type of pattern may be selected by the user or by default automatically selected within the service module 160.

The user identifier (id) and the password are information for identifying the user in the file protection device 100 or the management server 300 connected via a network. Such information may be encrypted in the service module 160 or in the management server 300, to identify with others in the file protection device 100 or in the management server 300, and to provide a specialized service for a specific individual. Can be used to

The identifier of the devices is an identifier for the external device 200 that can be connected via the network interface 107. Such an identifier may be input by the user through the input unit 109 (eg, a telephone number) or may be configured to extract identification information through communication with an external device while connecting such a device through the network interface 107. Can be set.

Accordingly, the setting interface unit 161 may automatically recognize and store an identifier of a device that is automatically connected through the network interface 107.

The identifiers of these devices can also be received via the connected management server 300 (by user identifier and password login).

Acceptable applications include a program that can be loaded into the file protection device 100 together with an image icon to be predefined by the user, or when a new application is loaded from the external network or from the file protection device 100. You can let the user choose whether to allow or not.

When an application that is not selected for this allowable application accesses a file with a specific pattern, it can be provided as a replaced file.

The replacement policy information determines which application or which external device 200 provides the original or replacement of a file having a specific pattern in the service module 160. Such alternative policy information may, for example, provide an original or alternative based solely on whether the application is allowed or not, and also provides the original to the authorized external device 200 (identifier of the device) connected through the network for the authorized application. It may be provided to provide a substitute for the unauthorized external device 200.

Such alternative policy information is set according to the user's selection or, if there is no selection, according to the default setting.

The setting information storage unit 162 stores the various setting information described above.

The setting information storage unit 162 may encrypt and store such various setting information in the nonvolatile memory 103 and / or the mass storage unit 105. For example, the user identification information or the file protection device 100 may be encrypted. Can be encrypted based on the identification information (e.g., serial number).

The designated application program interface unit 163 interfaces with the designated application program to be used for each file type stored in the setting information storage unit 162.

The designated application program interface unit 163 may use a publicly available application programming interface (API) of the designated application program, and may monitor the case where the designated application program accesses or modifies a file of a corresponding type. .

In addition, the designated application program interface unit 163 may include a pattern converting unit 165 for file identification information that can identify the modified file when a specific type of file is modified, and information indicating the modified portion of the file. In this case, the pattern conversion unit 165 may induce a pattern conversion of the modified file.

The scanning unit 164 extracts identification information of each type of file stored in the volatile memory 101, the nonvolatile memory 103, and / or the mass storage unit 105, and replaces the identification information of the file with the replacement file information storage unit ( 166).

The scanning unit 164 may include a volatile memory 101, a nonvolatile memory 103, and / or a mass storage unit at boot time or when the present invention is installed or according to a scanning command of a user through the input unit 109. All files stored in 105 are scanned to find a particular type of file stored in the setting information storage unit 162. Identification information of the found files may be stored in the replacement file information storage unit 166.

The identification information of these files includes information such as the file type, the directory in which the file is located, the name of the file, and the like.

The replacement file information storage unit 166 may store the volatile memory 101, the nonvolatile memory 103, and / or the mass storage unit 105 having a specific file type stored in the configuration information storage unit 162. Stores identification information of files.

In addition, the replacement file information storage unit 166 may include identification information of files having a specific type of pattern, identification information of replaced files for a file having a specific type of pattern, in files having a specific file type, In files with a specific type of pattern, one or more location information (for example, offset from the beginning of the file and size information from that offset) with the specific type of pattern and the specific type of pattern of that file before being replaced (required Case, i.e., in case of substitution with a character, and may further store information such as substitution type (substitution with a specified character, or encryption (encryption information in any manner)).

In this case, the information stored in the replacement file information storage unit 166 may take the form of a data structure or a database, and thus, may directly identify identification information of files having a specific type of pattern and identification information of the corresponding replaced files. Allow extraction.

The identification information of the files replaced here may be the same as or different from the identification information of the files having a specific type of pattern.

That is, the identification information may include, for example, a directory and a file name as information that can identify the file on the file system. If the two identification information is the same, the replaced files may have a specific type of pattern. This means replacing files, while in other cases, creating and storing a different file (alternative) separately from files with a specific type of pattern (original).

In any case, information indicating such a relationship should be stored in the replacement file information storage unit 166.

For example, if the two pieces of identification information are the same, the replacement file information storage unit 166 stores the original character string or data of the replaced portion, so that the designated application program or the authorized application program and / or the authorized external device 200 may be used. ), The original file shall be recovered from the replaced file.

On the other hand, if the two pieces of identification information are different, the original file should be configured to provide an alternative file if the designated application program or the authorized application program and / or the authorized external device 200 access. .

Information stored in the replacement file information storage unit 166 may also be encrypted and stored.

In addition, the replacement file information storage unit 166 may further record an access log of an application program for files having a specific type of pattern. Therefore, together with the identification information of each file, the identification information or time of the application program accessed for each file, and the identification information of the connected external device can be recorded in this log according to the time zone. Can be used to track a file with

As described above, the replacement file information storage unit 166 may have a list of files having a specific type of pattern, and each entry of the list includes identification information of the file and identification information of the replaced file. (If necessary), access log information, one or more location information of a specific type that has been replaced, a replacement type, and a pattern of a specific type of the file (if necessary) before being replaced, as fields, from the file's identification information You can easily identify replaced files or replacement types.

The pattern converting unit 165 may include a specific type of pattern for all files having a specific file type stored in the substitute file information storage unit 166 or for a file monitored through the designated application program interface unit 163. Identify whether the file is present, convert the specific type of the pattern of the file with the specific type into another pattern, store the same file in a separate file, and store this information in the substitute file information storage unit 166. .

To this end, the pattern converting unit 165 reads a string from a specific type of file using an API provided through the designated application program interface unit 163, and identifies whether there is a specific pattern.

For example, the pattern conversion unit 165 may use a pattern search algorithm, which searches whether a specific pattern is on a string read from a file, and if the specific pattern is identified, the specific pattern. Is replaced with a predefined character or encrypted code.

The replaced location information and the size information are connected to the identification information of the corresponding file (for example, using a data structure or a pointer) and stored in the replacement file information storage unit 166, and a specific pattern is identified or When a specific pattern is not found, the replacement file information storage unit 166 stores the search result indicator along with the search date and time with respect to the file.

In addition, when the pattern conversion unit 165 searches for a pattern for a file monitored through the designated application program interface unit 163, the pattern conversion unit 165 executes only the search area received through the designated application program interface unit 163. FIG. Can be. For example, such a search area may be a search area including a modified portion.

By adopting such a structure, even if a specific file is modified, the pattern can be searched for only a part of the data, and the speed can be improved considerably.

The access monitoring module interface unit 167 interfaces with the access monitoring module 150 (file filter module 151) and replaces the file information based on the identification information associated with the application program received from the access monitoring module 150. The identification information of the original file or the identification information of the replacement file stored in the storage unit 166 is provided to the access monitoring module 150 (file filter module 151).

To this end, the access monitoring module interface unit 167 receives identification information from the access monitoring module 150 (file filter module 151 and network filter module 152).

This identification information includes identification information of the application that accessed the file filter module 151 or the network filter module 152 (for example, an application ID or an application name), and in addition, the application wants to access. Includes identification information of the file, and includes the identifier of the external device 200 when the application program accesses the network.

From this identification information, the access monitoring module interface unit 167 determines whether the corresponding application program is authorized to access the file identified from the identification information of the received file.

To this end, the access monitoring module interface unit 167 determines the type of the file from the identification information of the file, and determines whether the type of the determined file is the type of the stored file that is set in the configuration information storage unit 162 (of course, this part). May be directly determined by the access monitoring module 150 and may be omitted accordingly). The replacement file information storage unit 166 determines whether the corresponding file is set as the replaced file.

If the file is not set as a replaced file, the access monitoring module 150 transmits a signal indicating permission or transmits identification information about the original file so that the access monitoring module 150 is executed by the application program. Access the file identification information to access.

If the corresponding file is set as the replaced file, if the identification information of the application program is stored as the authorized application program in the setting information storage unit 162, the original file of the file to the access monitoring module 150 It transmits a signal to allow access to the network (also, at this time, the identification information of the original file can be transmitted).

In this case, the application program may include a designated application program that may be used to modify a specific type of file, and the designated application program may be automatically set as an authorized application program even if there is no user setting.

If not, the identification information of the replacement file of the file is transmitted to the access monitoring module 150 to allow access to the replacement file.

In this case, the replacement file may further include identification information of the user (for example, a user ID).

This structure allows file sharing even for unauthorized applications that the user may not intend to use, while preserving important data.

In this case, the replacement file may be stored as an overwrite of the original file. In this case, the original file may be provided by extracting a portion of the original stored in the replacement file information storage unit 166 from the replacement file. In this case, the original file may be configured to generate and provide an arbitrary file in real time, or to be provided by the replacement file information storage unit 166 at the request of the replaced part of the original.

On the other hand, when the application can move the file over the network, or when the application is loaded via the network, the access monitoring module interface unit 167 is an identifier of a device connected to the network from the access monitoring module 150 Receive more.

When the identifier of such a device is stored as an authorized device in the setting information storage unit 162, the original file may be provided to the access monitoring module 150 regardless of whether the application program is permitted.

This is because an authorized device is a device that has already been authenticated to a user, and therefore it must be able to be utilized in the device regardless of which application.

Alternatively, you can configure the device to allow access to the original file only if the identifier of the device is allowed and the application is authorized.

2 and 3 have been described in terms of the functional aspects of the file protection device 100 of the present invention. This functional block diagram may be produced as a program that may be executed on the control processor 113 or in the form of a program including a plurality of processes or threads, such a program being a CD or a DVD. It can be recorded in a USB memory or the like and distributed to a user or the like as a recording medium.

4 is a diagram illustrating an embodiment of a flowchart for protecting a file that may be performed by the control processor 113 of the file protection device 100. Hereinafter, overlapping contents among the contents disclosed for describing FIG. 2 and FIG. 3 will be omitted as briefly as possible.

The flowchart for protecting the file starts at step S100. In the step S100, when the file protection method of the present invention is first installed, when a request is made through a user input unit 109, or when there is a state change (write or the like) with respect to a file stored in the file protection device 100. Can be started.

In step S110, the file protection device 100 selects files of a specified specific type or selected files stored in the volatile memory 101, the nonvolatile memory 103, and / or the mass storage unit 105 of the file protection device 100. Identifies if there is a specific pattern in the file.

The specific type and specific pattern may be extracted from the setting information storage unit 162 and used.

In step S120, for a specific type of identified file having a specific pattern, the specific pattern is converted into a pattern different from this pattern. This different pattern can be any designated string or encrypted code.

In operation S130, a file having a string or a code converted into a different pattern is stored.

Here, the stored file may be replaced with identification information (file name, directory, etc.) of the same file as the identified file, or may be stored as a file having different identification information from the identified file.

Therefore, when replacing with the same file, it is necessary to store the position information of the different pattern and the character string of the specific pattern to be replaced in the replacement file.

Such step S110 to step S130 may be performed independently from the step S140 and below, and step S110 to step S130 may be performed after the designated application program is executed. It can be performed as a separate processor or program.

In step S140, access to a specific file of the application is monitored. This particular file can be a specific type of file with a specific pattern.

In step S150, it is determined whether the application has permission to access a specific file.

If the file is not a file of a type to be monitored by the file protection device 100, the file may be regarded as having authority regardless of whether the application is authorized or not, and the process may proceed to step S160.

Otherwise, in the case of the file of the type to be monitored, it is determined whether the specific file has a specific pattern. If there is no specific pattern, the application program is regarded as authorized and the process proceeds to step S160.

On the other hand, if there is a specific pattern, it is determined whether the application program is an authorized program. Or, in addition, when an application program accesses an external network or transmits a file to an external network, it is determined whether a specific file is accessible from an identifier of a device connected to the external network.

Therefore, according to the setting method, even if the application program is registered as an authorized program, if the identifier of the external device 200 is an unauthorized identifier, the process may proceed to step S170.

Step S160 is a case in which the specific file does not have a specific pattern or an application can access the specific file, so that the original file (that is, a file not replaced) of the specific file is provided to the application. Provides file identification (or data or strings from the original file).

On the other hand, in step S170, the identification information of the replacement file is provided to the application program so as to access the file having the replaced pattern different from the specific pattern (that is, the replaced file).

Through step S160 and step S170, it is possible to prevent the exposure of important data while allowing free access of various applications.

In step S180, this flowchart is terminated by termination by a user, interruption of power supply, or the like.

The file protection apparatus 100 or the file protection method described with reference to FIGS. 2 to 4 may be recorded and distributed on a medium on which a program is recorded.

5 is a diagram illustrating a file protection system including a file protection device 100 connected to a network. In FIG. 5, a network connecting a laptop, a mobile phone, and a server is disclosed for understanding, but this is for understanding and the file protection device 100, the external device 200, and the management server 300 are not limited thereto.

The file protection system may include one or more file protection devices 100 and one or more external devices 200, and may include a remotely accessible management server 300.

Here, the external device 200 may be, for example, a portable terminal such as a mobile phone, a smart phone, a PDA, a PMP, a stationary terminal such as a set-top box or an iTV. Alternatively, the external device 200 may be an execution server (eg, a cloud server on a cloud system) capable of executing a program and transmitting a result of executing the program.

The external device 200 is directly connected through the network interface 107 of the file protection device 100 or through a network interface 107 to a public communication network (for example, a mobile phone network, a wired LAN, a wireless LAN, etc.). Can be connected.

The file protection apparatus 100 may receive various contents from the connected external device 200, and may transmit files including the content stored in the file protection apparatus 100 to the external device 200.

Here, some of the files transmitted from the file protection device 100 to the external device 200 may be transmitted in the form of a file replaced according to the technology of the present invention. Therefore, when the external device 200 is registered as an allowable device in the file protection device 100, the external device 200 is transmitted in the form of an original including important data. Will be sent.

Accordingly, the external device 200 may share information of most files in the file protection device 100. However, for a file containing important data, the external device 200 receives the replacement file so that the important data is not exposed while the file is shared. The replaced file may then be sent with user identification information (e.g., user ID) for the owner of the file.

Meanwhile, the management server 300 including a processor, a network interface, a hard disk, and the like may authenticate the replaced file shared by the external device 200 and provide the original file according to the authentication. .

To this end, the management server 300 receives the replaced file from the external device 200 having the replaced file. The external device 200 is authenticated from the user ID in the received replaced file. Accordingly, the process of authenticating that the user can use the replaced file including the user ID and the password is performed through the external device 200.

Accordingly, in the case of a user who can use the replaced file, the original file is received from the file protection device 100 and transferred to the external device 200 according to a request from the external device 200 or the user's authentication is performed. Accordingly, the identifier of the external device 200 may be transferred to the file protection device 100, and the identifier of the external device 200 may be registered as an authorized device.

By going through this process, even if the external device 200 receiving the replaced file is registered in the file protection device 100 so that the original file can be easily accessed. Of course, if the external device 200 is already registered in the file protection device 100 may receive the original file.

Files (or data) transmitted and received between the external device 200 and the file protection device 100 may be encrypted through an arbitrary encryption process.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. The present invention is not limited to the drawings.

100: file protection device 101: volatile memory
103: non-volatile memory 105: mass storage unit
107: network interface 109: input unit
111: output 113: control processor
115: system bus / control bus 150: access monitoring module
151: File Filter Module 152: Network Filter Module
160: service module 161: setting interface unit
162: setting information storage unit 163: designated application program interface unit
164: scanning unit 165: pattern conversion unit
166: alternate file information storage unit 167: access monitoring module interface unit
200: external device 300: management server

Claims (11)

As a file protection device to protect files,
An access monitoring module for monitoring access of the first file from any application program; And
Determines whether the application is an authorized application program for the first file based on identification information related to the application program received from the access monitoring module, and, if the application program is not authorized, designated by the file protection device. A service module for providing a second file which is a file changed from the first file including a string;
The service module is configured to replace the designated string identified from the first file with a string corresponding in the second file and different from the designated string,
File protection device. The method of claim 1,
The designated string includes a string including a specified number of numbers or a string specified by the file protection device and immediately following the string, which is included in the first file and is different from the designated string,
The replaced string is for a string containing the character designated by the service module for replacing the string of numbers or the subsequent string or for the first file recorded upon storage in accordance with the storage of the first file. Characterized in that it comprises an encryption code, encrypted on the basis of the file information,
File protection device. The method of claim 2,
The file information may include at least one of a character at a designated location that is different from a location in the first file with respect to the specified character string in a creation date, a modification date, and all character strings included in the first file. Characterized in that it comprises one or more,
File protection device. The method of claim 1,
The access monitoring module includes a network filter module for monitoring network access of the application program.
Wherein the service module determines whether the application program is an authorized application program based on a device identifier for an external device received from the network filter module.
File protection device. 5. The method of claim 4,
The service module,
A setting interface unit for receiving type information of a file to be monitored;
A designated application program interface unit for interfacing with a designated application program capable of modifying the file of the type information;
A pattern converting unit for identifying the designated character string in the file of the type information and converting the designated character string to the replaced character string using the designated application program interface unit; And
Receive identification information of the application and identification information of the first file from the access monitoring module, and if the application program is an unauthorized application program, identification information of the second file converted by the pattern conversion unit. It characterized in that it comprises an access monitoring module interface, provided to the access monitoring module,
File protection device. The method of claim 5,
The pattern converting unit identifies the specified string with respect to the recording string of the recording operation for the first file of the designated application program connected through the designated application program interface unit, and replaces the designated string in the recording string of the identified designated string. Characterized in that it converts to a string,
File protection device. The method of claim 5,
The setting interface unit further receives a device identifier for an external device connected to the file protection device to access the first file.
Wherein the device identifier is received via a connected network interface of the file protection device,
File protection device. The method of claim 5,
The service module may further include a configuration information storage unit configured to store configuration information including type information of a file to be monitored by the file protection device, authorized application program identification information, and authorized device identification information.
The access monitoring module interface unit, using the setting information stored in the setting information storage unit, determines whether the application program is an authorized program,
File protection device. As a file protection method to protect files,
Identifying a first file in at least one file comprising a string designated by the file protection method;
Converting the designated string of the first file into a string different from the designated string;
Storing the file converted to the different character string;
Monitoring access of the first file from any application;
Determining whether to allow access to the first file of the application; And
If the application is not allowed access to the first file, allowing the application to access the file converted to the different strings;
How to protect your files. 10. The method of claim 9,
Storing the file converted to the different string includes storing the first file including the specified string as a second file converted to the different string,
The identification information of the second file has identification information different from the identification information of the first file to be stored in the same or different file as the identification information of the first file to be stored in the same file. ,
How to protect your files. A computer readable recording medium having recorded thereon a program,
The program carries out the method according to claim 9.

Images