KR102621657B1 - File copy leakage prevention method - Google Patents

Abstract

The present invention relates to a method for preventing file copy leakage, and more specifically, to a method for preventing file copy leakage, which minimizes the processing load on client computers while blocking unauthorized copying and/or movement of confidential files to protect confidential files. It's about.
According to an embodiment of the present invention, detecting whether a copy or move event for a file occurs in a user device; calculating a hash value of the file when the copy or move event is detected; generating a random string as a symmetric key for the file; encrypting the file with the symmetric key; transmitting the hash value and symmetric key of the file to a server; Receiving whether or not a confidential file is confidential from the server; If the file is a confidential file: deleting the file; and if the file is a normal file: decrypting the file.

Description

File copy leakage prevention method}

The present invention relates to a method for preventing file copy leakage, and more specifically, to a method for preventing file copy leakage, which minimizes the processing load on client computers while blocking unauthorized copying and/or movement of confidential files to protect confidential files. It's about.

Confidential technologies of companies are protected by related laws such as the Trade Secret Protection Act and the Industrial Technology Leakage Prevention Act. However, despite being protected by law, corporate confidential information leaks are increasing every year. According to a survey by the Korea Industrial Technology Protection Association, the average annual economic damage to industrial secrets is 50 trillion won, which is similar to the annual sales of thousands of small and medium-sized businesses.

Leakage of industrial secrets can cause serious damage not only to the competitiveness of countries and companies, but also to the economy. Most companies find it difficult to respond to confidential leaks because they lack separate organizations, manpower, and budget to prevent confidential leaks. In particular, it is necessary to thoroughly block external exposure of military secrets because even a single leak of military secrets can affect not only national defense security but also national security.

EDLP, a technology to prevent such confidential leaks, consists of: Detect Agent, Server, and Database. The Detect Agent function detects and blocks user event activity according to policy and transmits event activity information to the server. The server function stores event activity information detected by the Detect Agent in the database. The function of the database stores information about the event activities of the Detect Agent and transmits the results of the Detect Agent information to the server. The configuration diagram of EDLP is shown in Figure 19.

Shin Gyu-jin, “Internal information leak prevention system through Hadoop-based user behavior analysis”, Daejeon University, (2018).

The problem that the present invention aims to solve is to minimize system load and improve accuracy by analyzing and determining signatures rather than classifying files only by extension, in order to solve the limitations of conventional confidentiality leak prevention technology as described above. It provides a method to prevent file copy leaks.

In order to solve the limitations of the conventional confidentiality leak prevention technology as described above, the present invention includes the steps of detecting whether a copy or move event for a file occurs on a user device; calculating a hash value of the file when the copy or move event is detected; generating a random string as a symmetric key for the file; encrypting the file with the symmetric key; transmitting the hash value and symmetric key of the file to a server; Receiving whether or not a confidential file is confidential from the server; If the file is a confidential file: deleting the file; and if the file is a normal file: decrypting the file.

Additionally, the step of transmitting the hash value and symmetric key of the file to the server includes: converting the hash value and symmetric key of the file into JSON format; Encrypting [the hash value and symmetric key of the JSON format file] with the public key of the server; and transmitting [the hash value and symmetric key of the encrypted JSON format file] to the server.

And, upon initial setup of the server, generating the server's public key and private key; Waiting for a client to connect; transmitting a public key to the client; Receiving a hash value and a symmetric key of a file from the client; querying a database for the hash value and symmetric key of the file; and transmitting to the client whether or not the file is confidential according to the results of the database query. It provides a server control method for preventing file copy leakage.

In addition, the step of waiting for the client to connect includes: dynamically creating a thread when the client connects to the server, and the step of querying the database for the hash value and symmetric key of the file includes: the client Decrypting [the hash value and symmetric key of the encrypted JSON format file] received from with the private key of the server; and parsing the hash value and symmetric key of the decrypted JSON format file and querying the database. The step of transmitting to the client whether the file is confidential according to the database query result is: Result of whether the file is confidential. It may include encrypting with the client's public key and transmitting it to the client.

Additionally, a file copy leak prevention system comprising a client, a server, a management module, and a database: a file copy leak prevention system using the file copy leak prevention client control method and/or the file copy leak prevention server control method as described above; provides.

According to an embodiment of the present invention, the processing load on a user device (PC, etc.) on which a confidential file leak prevention program is installed can be minimized.

In addition, the accuracy of document security can be improved by analyzing and determining the signature rather than classifying the file only by extension.

In addition, confidentiality can be improved by pre-registering and comparing the hash value of the file itself, rather than by extracting strings from a string or image within a file presumed to be a confidential document file.

1 is a configuration diagram of a file copy leak prevention system (FCLPS) according to an embodiment of the present invention.
Figure 2 is a data flow diagram of a file copy leak prevention system according to an embodiment of the present invention.
Figure 3 is an operation flowchart of a file copy leak prevention system management module according to an embodiment of the present invention.
Figure 4 is pseudocode of a file copy leak prevention system management module according to an embodiment of the present invention.
Figure 5 is a file hash registration screen for the file copy leak prevention system management module according to an embodiment of the present invention.
Figure 6 is a file hash deletion screen of the file copy leak prevention system management module according to an embodiment of the present invention.
Figure 7 is an operation flowchart of the file copy leak prevention system client module according to an embodiment of the present invention.
Figure 8 is a structural diagram of a file copy leak prevention system client module according to an embodiment of the present invention.
Figure 9 is pseudocode of a file copy leak prevention system client module according to an embodiment of the present invention.
Figure 10 is a screen showing the event results of the file copy leak prevention system client module according to an embodiment of the present invention.
Figure 11 is an operation flowchart of a file copy leak prevention system server according to an embodiment of the present invention.
Figure 12 is a structural diagram of a file copy leak prevention system server according to an embodiment of the present invention.
Figure 13 is a pseudocode of a file copy leak prevention system server according to an embodiment of the present invention.
Figure 14 is a screen showing the transmission and reception results of the file copy leak prevention system server according to an embodiment of the present invention.
Figure 15 is SQL Info of the file copy leak prevention system database according to an embodiment of the present invention.
Figure 16 is a screen showing database contents (stored data values) of a file copy leak prevention system according to an embodiment of the present invention.
Figures 17 and 18 show the results of measuring bottlenecks that occur when encrypting large files in a file copy leak prevention system according to an embodiment of the present invention.
Figure 19 is a configuration diagram of EDLP, a conventional confidentiality leak prevention technology.

Hereinafter, various embodiments of this document are described with reference to the attached drawings. However, this is not intended to limit the technology described in this document to specific embodiments, and should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of this document. . In connection with the description of the drawings, similar reference numbers may be used for similar components.

In this document, expressions such as "comprises" or "may include" refer to the presence of the corresponding feature (e.g., a numerical value, function, operation, or component, etc.) and do not exclude the presence of additional features. No.

In this document, expressions such as “A or B,” “at least one of A or/and B,” or “one or more of A or/and B” may include all possible combinations of the items listed together. . For example, “A or B,” “at least one of A and B,” or “at least one of A or B” includes (1) at least one A, (2) at least one B, or (3) it may refer to all cases including both at least one A and at least one B.

Terms used in this document are merely used to describe specific embodiments and may not be intended to limit the scope of other embodiments. Singular expressions may include plural expressions, unless the context clearly indicates otherwise. Terms used herein, including technical or scientific terms, may have the same meaning as commonly understood by a person of ordinary skill in the technical field described in this document. Among the terms used in this document, terms defined in general dictionaries may be interpreted to have the same or similar meaning as the meaning they have in the context of related technology, and unless clearly defined in this document, have an ideal or excessively formal meaning. It is not interpreted as In some cases, even terms defined in this document cannot be interpreted to exclude embodiments of this document.

Of course, various modifications can be made by those skilled in the art without departing from the gist of the present invention as claimed in the claims of the present invention, and these modifications do not reflect the technical idea or the technical spirit of the present invention. It should not be understood in isolation from the perspective.

Additionally, the method according to the present invention can be implemented as computer-readable code (program) on a computer-readable recording medium. Computer-readable recording media may include all types of recording devices that store data that can be read by a computer system. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage devices, and can also be implemented in the form of a carrier wave (e.g., transmitted via the Internet). Includes. Additionally, the computer-readable recording medium may store computer-readable code that can be executed in a distributed manner by a distributed computer system connected to a network.

The “module” described in the description of the present invention may be composed of a combination of software or/and hardware for information processing or/and control.

“User” and/or “administrator” described in the description of the present invention may mean “user device” and “administrator device,” respectively.

According to an embodiment of the present invention, a file copy leak prevention system (FCLPS: File Copy Leakage Prevention System) that can detect events of a central control server and a target control PC in real time to prevent leakage of confidential document files can be configured. .

In the description of the present invention, in cases where English notation is more common for those skilled in the art, such as variable names and class names, the words are written as they are in English.

In an embodiment of the present invention, for testing to implement the technical idea of the present invention, the CPU is Octa Core of 3.60GHz, RAM is 16GB, the network environment is 1000Mbps, and the OS (Operation System) is Microsoft's Windows 10 Pro 20H2, Dev. The language was Microsoft's C# .Net Framework 4.7.2, and the database was MySQL 8.0.24.

1. File copy leak prevention system (FCLPS) configuration diagram

FCLPS is composed of a client, server, management module, and database as shown in Figure 1.

The FCLPS management module is a module provided for administrators to register confidential document files in the database. After logging in to the management module, the administrator designates a confidential file and registers the hash value for that file in the database.

The FCLPS client module detects events related to copying and/or moving files on the controlled PC, calculates the hash value of the file, verifies the hash value for the confidential document file through the central control server, and files the corresponding file according to the results. Proceed with deletion or decryption.

The FCLPS server verifies whether a confidential document file exists through the database based on the hash value of the file received from the FCLPS client module (FCLPP).

The database stores hash values of confidential document files and administrator account information.

The procedures of the File Copy Leakage Prevention System (FCLPS) are as follows.

① The administrator logs in to the FCLPS management module and registers the hash value of the confidential document file in the database.

② The FCLPS client module detects in real time when users generate copy or/and move events for confidential document files.

③ The FCLPS client module detects the event and automatically calculates the hash value of the file (file where the event occurred). Then, a random 16-character string is created as a symmetric key and the file is encrypted using the symmetric key.

④ The FCLPS client module converts the hash value and symmetric key of the file into JSON format to send the hash value and symmetric key of the file to the FCLPS server.

⑤ The FCLPS client module encrypts data in JSON format with the public key of the FCLPS server and then sends it to the FCLPS server.

⑥ The FCLPS server, which receives the encrypted data from the FCLPS client module, decrypts the encrypted data with the private key.

⑦ The FCLPS server stores the hash value and symmetric key of the file successfully decrypted with the private key in variables, respectively.

⑧ Check whether the file is confidential by querying the database for the hash value of the file among the variable values stored in the FCLPS server.

⑨ The FCLPS server receives the query results from the database.

⑩ The result of whether the FCLPS server has a confidential document file (symmetric key for a regular file, delete command for a confidential document file) is encrypted with the public key of the FCLPS client module and sent to the FCLPS client module.

⑪ The FCLPS client module decrypts the result of the confidential document file from the FCLPS server using the private key and proceeds with deletion or decryption.

2. FCLPS data flow diagram

Hash values for all confidential document files are stored in FCLPS' database.

When a new confidential document file is created, the administrator stores the confidential document file hash value in the database through the FCLPS management module. As shown in Figure 2, the file copy leak prevention method is carried out by the user, OS (Operation System), FCLPS client module, FCLPS server, and database.

A user may be an authorized user (general user) or an unauthorized user (malicious user), and may issue copy or/and move commands for files using a computer, etc.

At this time, the operating system executes the command received from the user, verifies permissions for the file, and generates a file copy or file move event.

The FCLPS client module continuously monitors the system, and when a copy or/and move event occurs for a file, it calculates the hash value for the original file and generates a symmetric key of a random 16-character string to encrypt the file. Then, the hash value and encryption key of the file are encrypted with the public key of the FCLPS server and sent to the FCLPS server.

The FCLPS server queries the database for the hash value of the file received from the FCLPS client module to determine whether it is a confidential document file. Afterwards, depending on whether the file is a confidential document, the FCLPS server transmits a symmetric key to the FCLPS client module if it is a regular file, and a delete command to the FCLPS client module if it is a confidential document file.

3. FCLPS implementation

The FCLPS client module detects leaks of confidential document files, calculates hash values, encrypts files with symmetric keys, and performs deletion or decryption functions depending on the results.

The FCLPS server generates a key pair of public and private keys, waits for client connection, creates a client socket, and performs database request and response functions.

3.1 FCLPS Management Module

Hereinafter, the operation method of the FCLPS management module will be described with reference to FIG. 3.

① The administrator enters the ID and password.

② Verify the entered IP address and password from the database.

③ Execute ④ according to the administrator’s command to delete document files or add document files.

④ In case of a delete command: Delete the hash value of the document file from the database and exit (⑦). In case of additional command: Calculate the hash value of the selected file.

⑤ Add the calculated hash value of the document file to the database.

⑥ The hash value of the document file added to the database is displayed in a list view.

⑦ End.

The variable Admin ID and variable Admin Password are string variables provided by .Net. The administrator ID is entered in the variable Admin ID and the administrator password is entered in the variable Admin Password.

Afterwards, the variable Admin ID and variable Admin Password are compared with the administrator ID and administrator password saved in the database. If login is successful, the hash value of the document file saved in the database is displayed in the list view. If login is not successful, a message to confirm the administrator ID and administrator password is displayed. Print out.

In the management program, the document file addition event is the File Hash Value Add Event, and the document file deletion event is the File Hash Value Delete Event. In the File Hash Value Add Event, the file path is entered into the variable FileInfo when the administrator selects the document file, and the variable FileHash stores the hash value of the document file using the Calculate function that calculates the hash value of the document file.

Afterwards, the hash value of the document file is stored in the database through the Insert database function. And in the File Hash Value Delete Event, the variable ListView stores the path of the document file when the administrator selects the hash value of the document file displayed in the list view, and the variable FileHash stores the hash value of the document file selected by the administrator. And the hash value of the document file stored in the variable FileHash is deleted through the Delete database function.

The pseudocode of the FCLPS management module is shown in Figure 4.

The case of registering the hash value of a file is as follows. When the administrator accesses the FCLPS management module, the hash value and path of the file stored in the database are displayed in the list view. If the administrator needs it, the hash value stored in the database can be updated and confirmed in the list view through the "Refresh" button.

Among the FCLPS server management functions, the "Select File" button specifies the file to be registered in the database and allows you to check the file number, file path, and file hash value through the list view. In the list view, the file number is the sequential number of the file, and the file path is the absolute path of the file to be registered, including the file location, file name, and file extension. And the hash value of the file is automatically calculated and displayed in the list view. The File hash registration screen of FCLPS server management is shown in Figure 5.

Cases for deleting the hash value of a file are as follows. The administrator connects to FCLPS server management. Based on the file information output in the list view, double-click the hash value of the file you want to delete to execute the delete event. The event for double-clicking the list view is an event specified in the list view in advance and occurs when the administrator double-clicks the corresponding list view list.

When the hash value deletion event requested by the administrator from the database is completed successfully, the hash value is deleted from the list view list. The Delete File Hash of FCLPS server management is shown in Figure 6.

3.2 FCLPS client module

Hereinafter, the operating method of the FCLPS client module will be described with reference to FIG. 7.

① In order to detect users or malicious users copying and/or moving confidential document files, the FCLPS client module continuously detects file copying and/or moving events using FileSystemWatch, a system function of .NET.

② The File Copy Event module detects file copy and/or movement events.

③ When a file copy or/and move event is detected, the FCLPS client module calculates the hash value for the confidential document file.

④ The FCLPS client module generates a symmetric key of a random 16-character string and then encrypts the file using Rijndael Managed's encryption function.

⑤ The FCLPS client module converts the hash value and encryption key of the file into JSON format and encrypts it with the public key of the FCLPS server.

⑥ The FCLPS client module transmits the result encrypted with the public key to the FCLPS server.

⑦ The FCLPS server decrypts the value received from the FCLPS client module with the private key. And the result is sent to the FCLPS client module.

⑧ The FCLPS client module deletes or decrypts confidential document files according to the verification results. The FCLPS client module terminates.

The FCLPS client module requires a Network Module, Files Module, Encryption & Decryption Module, and Watcher Module, as shown in Figure 8.

The Network Module is implemented as a network class for reliability-based TCP communication with the FCLPS server.

The Files Module is a system module that consists of the presence or absence of a specific file, hash calculation for the file, and a random function for generating an encryption key for a symmetric password.

The Encryption & Decryption Module is a public key encryption and decryption module that encrypts and decrypts using public key encryption to prevent man-in-the-middle attacks in communication with the FCLPS server.

The Watcher Module is a system event detection function that detects when a file copy or/and move event occurs on the PC where the agent is installed and prevents leakage of confidential document files.

The pseudocode of the FCLPS client module is shown in Figure 9.

When a user or a malicious user causes a file copy or/and move event, the leaked file is encrypted with a symmetric key encryption. At this time, the encryption key for symmetric key encryption consists of a 16-digit random string. Afterwards, the hash value and encryption key of the file are sent to the FCLPS server. Depending on the presence or absence of confidential document files, general files are decrypted and confidential document files are deleted. The event results of the FCLPS client module are shown in Figure 10.

3.3 FCLPS Server

The FCLPS server proceeds in five steps: RSAPrivateKeyGen, RSAPublic -KeyGen, TCP Listener, Dynamic Thread Create, and database Query Request & Response. And the pseudocode of the FCLPS server is written by applying two essential modules: Network Module and Encryption & Decryption Module.

Hereinafter, the operating method of the FCLPS server will be described with reference to FIG. 11.

① When the FCLPS server is first run, it automatically generates a key pair of public key and private key. Here, RSAPrivateKeyGen is a function that generates a private key and RSAPublicKeyGen is a function that generates a public key.

② On the FCLPS server, the TCP Listener waits for the FCLPS client module to connect to verify the hash value of the confidential document file.

③ When the FCLPS client module connects to the FCLPS server, the FCLPS server dynamically creates Threads to manage multiple network connections. And the FCLPS server transmits the public key to the FCLPS client module (FCLPP).

④ The FCLPS server parses the hash value and encryption key of the file received from the FCLPS client module into JSON and queries the database.

⑤ The FCLPS server sends the verification result of the confidential document file to the FCLPS client module according to the database query result.

As shown in Figure 12, the FCLPS server requires four essential modules: Network Module, Encryption & Decryption Module, Database Module, and TCP Listener Module.

The Network Module is implemented as a network class for TCP communication with the FCLPS client module.

The Encryption & Decrytion Module is an encryption/decryption module for public key encryption and is used for encryption/decryption communication with the FCLPS client module.

The TCP Listener Module is a module that manages network sockets accessed by the FCLPS client module and maintains a continuous TCP network.

The database module is a module that interfaces with the database based on data received from the FCLPS client module.

The variable RSAPrivateKeyCreate creates and stores the private key of the public key encryption using the algorithm function of the public key encryption provided by the Cryptographic Service Provider. And the variable RSAPublicKeyCreate creates and stores a public key using the RSAParameters function based on the generated private key.

Afterwards, it waits for the connection of the FCLPS client module through TcpListener. When connecting from the FCLPS client module, transmit the generated public key and wait for a response.

The pseudocode of the FCLPS server is shown in Figure 13.

When a file copy or/and movement event occurs by a malicious user or a normal user, the FCLPS client module transmits and receives the hash value for the file and the encryption key of the symmetric key encryption to the FCLPS server. The FCLPS server uses the received information to make a query request to the database and sends the results of verifying the presence of confidential document files to the FCLPS client module.

The public key and private key of the FCLPS server's public key encryption generate a 1,024-bit encryption and decryption key to prevent man-in-the-middle attacks in communication with the FCLPS client module (FCLPP). When the FCLPS client module (FCLPP) first connects to the FCLPS server, it automatically transmits and receives the public key of the FCLPS server and encrypts and decrypts the data of the FCLPS client module with the private key of the FCLPS server.

The hash value information for the file sent from the FCLPS client module to the FCLPS server is set as the variable value of FileHash, and the key value used to encrypt the file is set as the variable value of FileKey. The transmission and reception results of the FCLPS server are shown in Figure 14.

3.4 Database

The database used MySQL v8.0.24 to store hash values and paths of FCLPS' confidential files.

The database name of FCLPS is "fclps_db" and the table name is "file_info". The column names of "file_info" are No, File_Path, File_Hash, and File_Date, and the string format is utf-8 unicode.

And among the elements of the columns, No is an AUTO_INCREMENT attribute whose value automatically increases each time a row in the table is added, specifying the sequence number of the confidential file. File_Path and File_Hash are the path to the file and the hash value of the file, supporting up to 255 strings. do.

And File_date stores the current date and time to check when the administrator registered the confidential document file when the administrator stores the hash value of the confidential file in the database. The SQL Info of the database is shown in Figure 15.

The database results of FCLPS are shown in Figure 16. When a confidential file is selected in FCLPS server management and a registration request is made to the database, No, File_Path, File_Hash, and File_date are saved.

No is the sequential number of the confidential file, and File_Path is the absolute path to the confidential file.

And File_Hash is the hash value of the confidential file, and File_date is the storage date of the confidential file. Column elements of the table support Unicode and can be stored in the database as various characters.

4. Analysis

General companies use EDLP to prevent confidential file leaks.

EDLP consumes a lot of resources because it detects and tracks events for every file.

On the other hand, in an embodiment of the present invention to reduce resource consumption, hash values for pre-designated confidential files are stored on the server, and when an event occurs, hash values are compared and determined, and then encryption and decryption operations and deletion are performed.

At this time, since a bottleneck occurs in the CPU during the encryption process, the time required for the encryption process is measured and the error range of the bottleneck is analyzed.

4.1. Qualitative comparison with prior art

We compare the efficiency of the proposed FCLPS with several EDLPs used by companies to prevent confidential file leaks.

EDLP in use at home and abroad includes Secure genie's Gradius DLP, Symantec's Symantec DLP, WaterWall's WaterWall DLP, NicsTech's SafePC Enterprise, and Comtrue Technologies' Sherlock Holmes PC Information Security.

Among these, detection methods based on keywords within files are WaterWall DLP and Gradius DLP, and detection methods based on content within files are SafePC Enterprise, Symantec DLP, and Sherlock Holmes PC Information Security.

The keyword-based detection method for files is that when an agent is installed on the target PC, the system automatically scans at certain times through system scheduling, and keywords important to the company, such as "core", "confidential", "internal", and "confidential", are used to detect data inside the file. If included, the event is blocked.

And the content-based detection method installs an agent on the controlled PC, automatically scans the system, analyzes the data inside the file for specific keywords or words in the image, and blocks the event if it contains a confidential string.

When running a DLP agent according to the prior art to prevent leakage of confidential files, system load occurs due to excessive resource use.

The DLP system scans all files within a company at regular intervals and blocks events if they contain keywords in the file or in the image. However, since it is inefficient to analyze and block all files within a company, it is more efficient for administrators to pre-screen and manage confidential document files. Additionally, due to the nature of confidential document files, only authorized users can access them, so the same applies to DLP agents.

The detection method according to an embodiment of the present invention does not extract keywords or phrases from the file, but verifies and determines them through the server based on the hash value of the file itself. The detection method according to an embodiment of the present invention is a hash value-based detection method using selective events.

In an embodiment of the present invention, in order to minimize the system load, only specific events are monitored in real time and verified on the server, rather than scanning the entire system.

FCLPS minimizes system load by selectively monitoring events, and improves accuracy by determining files by specific signatures rather than classifying them only by extension.

In addition, confidentiality was improved by comparing the hash value of the confidential document file itself with the pre-registered hash value, rather than by extracting strings from strings or images within files presumed to be confidential document files.

4.2. Encryption time taken

When encrypting document files in the Encryption & Decryption Module within the FCLPS client to prevent leakage of confidential document files, a bottleneck occurs due to high CPU usage and the CPU speed and voltage are forcibly lowered to minimize system damage, thereby reducing performance. This deteriorates. Therefore, the time required for encryption is analyzed depending on the file type and size.

4.2.1 Encryption time by file type

Since the signature is different for each type of file and the size of all confidential document files is different, the time required for encryption was measured by type and size of file. Calculate the time required to encrypt each file type using FCLPS. Since most confidential documents are document files, the PDF, HWP, DOC, PPT, and XLS extensions were measured to analyze the time required for encryption of document files.

Confidential document files are encrypted using the Encryption & Decryption Module, a module within the FCLPS client module.

To encrypt document files, a 16-character random string symmetric key is generated. Then, using a symmetric key, 100 PDF, HWP, DOC, PPT, and XLS document files are encrypted in a total of 10 rounds, and the same process is repeated in each round. Here, 1 round is the time required to encrypt 100 files once.

When encrypting PDF, HWP, DOC, PPT, and XLS document files for each round, the time required is calculated by using the Start and Reset methods in the Stopwatch function, a time measurement class in .Net, and calculating the result in milliseconds. The stopwatch function is used to calculate the time required for encryption for each round.

, 라운드 횟수를

, 전체 라운드의 평균 시간을

이라 한다. 전체 라운드의 평균 시간을 초 단위로 표현하기 위해서 천장함수를 사용한다. 이와 같은 계산은 수학식 1과 같다.Time required to encrypt 100 PDF, HWP, DOC, PPT, and XLS document files each.

, the number of rounds

, the average time of the entire round is

It is said. The ceiling function is used to express the average time of the entire round in seconds. Such calculation is as shown in Equation 1.

As a result of calculating the average time required when encrypting document files of PDF, HWP, DOC, PPT, and XLS according to Equation 1, the result was 5 minutes 23 seconds for PDF, 5 minutes 40 seconds for HWP, and 5 minutes 29 seconds for DOC. seconds, PPT was measured at 5 minutes 22 seconds, and XLS was measured at 5 minutes 43 seconds. When encrypting a document file 10 rounds, the difference between the minimum and maximum time required is 21 seconds on average.

The types of document files are PDF, HWP, DOC, PPT, and XLS, and the results of measuring the time required to encrypt document files with sizes of 1MB, 3MB, 5MB, 10MB, and 15MB are shown in Table 1.

Type
Size PDF HWP DOC ppt XLS 1MB 69 67 66 68 64 3MB 138 140 142 142 139 5MB 212 212 212 221 250 10MB 430 515 491 414 431 15 MB 762 761 733 764 827 Average 323 340 329 322 343

(Unit: seconds)

4.2.2 Encryption time by file size

, 라운드 횟수를

, 전체 라운드의 평균 시간을

라 한다. 이와 같은 계산은 수학식 2와 같다.The time required for encryption in each round is calculated using the same method as for each file type.

, the number of rounds

, the average time of the entire round is

It is said that Such calculation is as shown in Equation 2.

According to Equation 2, the average result for the time taken when encrypting document files of PDF, HWP, DOC, PPT, XLS is 1 minute and 7 seconds for 1MB, 2 minutes and 21 seconds for 3MB, 3 minutes and 42 seconds for 5MB, and 10MB is 1 minute and 7 seconds. 7 minutes 37 seconds, 15MB is 12 minutes 50 seconds. When encrypting a document file 10 rounds, the minimum and maximum difference in time required is 5 seconds for 1MB, 4 seconds for 3MB, 38 seconds for 5MB, 101 seconds for 10MB, and 94 seconds for 15MB.

Table 2 shows the results of measuring the time required to encrypt document files when the sizes of document files PDF, HWP, DOC, PPT, and XLS are 1MB, 3MB, 5MB, 10MB, and 15MB, respectively.

Size
Type 1MB 3MB 5MB 10MB 15 MB PDF 69 138 212 430 762 HWP 67 140 212 515 761 DOC 66 142 212 491 733 ppt 68 142 221 414 764 XLS 64 139 250 431 827 Average 67 141 222 457 770

(Unit: seconds)

4.2.3 Bottleneck phenomenon

When encrypting large document files in the Encryption & Decryption Module within the FCLPS client to prevent leakage of confidential document files, a bottleneck occurred in which the file encryption time was longer than the average encryption time due to high CPU usage.

Therefore, the number of encryption repetitions to measure the encryption time is changed to 100 and the section where bottlenecks occur is analyzed for large files of 10MB and 15MB.

first. The analysis of the bottleneck phenomenon of the 10MB document file is as follows.

, 라운드 횟수를

, 전체 라운드의 평균 시간을

라 한다. 전체 라운드의 평균 시간을 초 단위로 표현하기 위해서 천장함수를 사용한다.The time required for encryption in each round is calculated in the same way as for each file type.

, the number of rounds

, the average time of the entire round is

It is said that The ceiling function is used to express the average time of the entire round in seconds.

Such calculation is as shown in Equation 3.

) 10번을 100번으로 변경하여 전체 라운드의 평균 시간(

)을 계산하는 수식이다.Equation 3 is the number of rounds in Equation 1 (

) Change 10 times to 100 times to get the average time for the entire round (

) is the formula for calculating.

As a result of measuring the bottleneck phenomenon of a 10MB document file, HWP with the lowest average value is constant at 4,000 seconds from round 1 to round 7 and 4,000 seconds from round 9 to round 10, except for 4,300 seconds in round 8, and DOC with the highest average value is 6. Except for 5,800 seconds of the first round and 5,800 seconds of the 7th round, a bottleneck occurs in the remaining rounds, so the time required to encrypt the document file is not constant.

The results of measuring the bottleneck phenomenon of a 10MB document file are shown in Figure 17.

second. The analysis of the bottleneck of the 15MB document file is as follows.

Using the same method as Equation 3, a 15MB document file is encrypted 100 times and the bottleneck section is analyzed.

As a result of the bottleneck of the 15MB document file, the PDF with the lowest average value is constant at 5,800 seconds for the remaining rounds, except for 5,810 seconds in round 1, 5,790 seconds in round 3, and 5,810 seconds in round 6. In addition, XLS, which has the highest average value, has a bottleneck in the remaining rounds except for 7,200 seconds in the 5th round and 7,200 seconds in the 9th round, so the time required to encrypt the document file is not constant.

The results of measuring the bottleneck phenomenon of a 15MB document file are shown in Figure 18.

Claims (5)

(a) continuously detecting file copy or move events in the File Copy Event module to detect copying or moving confidential document files on the user device;
(b) calculating a hash value for the confidential document file when a copy or move event of the file is detected;
(c) generating a symmetric key of a random 16-character string and then encrypting the file using an encryption function;
(d) converting the hash value and encryption key of the file into JSON format and then encrypting it with the server's public key;
(e) transmitting the result of encryption with a public key to the server;
(f) the server decrypts the received value with a private key and transmits the result;
(g) deleting or decrypting the confidential document file according to the verification result; a file copy leak prevention client control method comprising: delete (A) automatically generating a key pair of a public key and a private key when first executed;
(B) TCP Listener waiting for the client module to connect to verify the hash value of the confidential document file;
(C) when the client module connects, dynamically creating a Thread to manage multiple network connections and transmitting a public key to the client module;
(D) parsing the hash value and encryption key of the file received from the client module into JSON and querying the database;
(E) transmitting a verification result of a confidential document file to the client module according to the database query result. A file copy leak prevention server control method comprising a. delete In a file copy leak prevention system including a client module, server, management module, and database,
When the hash value of a confidential document file is registered in the database,
The client module detects in real time when a user generates a copy or move event for a confidential document file, detects the event, automatically calculates the hash value of the file, and uses a random 16-character string as a symmetric key. Create and encrypt the file with a symmetric key, convert the hash value and symmetric key of the file into JSON format to transmit the hash value and symmetric key of the file to the server, and encrypt the data in JSON format with the public key of the server. Sent to the server,
The server receives encrypted data from the client, decrypts the encrypted data with a private key, stores the hash value and the symmetric key of the file successfully decrypted with the private key in variables, and hashes of the file among the variable values stored in the server. Query the value to the database to check whether it is a confidential file, and receive the result of the query from the database,
Encrypt the result of whether the server has a confidential document file (symmetric key for a normal file, delete command for a confidential document file) with the public key of the client module and transmit it to the client module,
The client module is a file copy leak prevention system, characterized in that the client module decrypts a result of whether a confidential document file exists from the server using a private key and performs a deletion or decryption operation.