KR102656375B1 - System and method for operating digital rights management for enhancing security of shared contents - Google Patents

Abstract

The present invention discloses a digital rights management system and method of operating the same for improving shared content security. A digital rights management system for improving shared content security according to an embodiment includes a user terminal that connects to a server through a wired or wireless network and transmits at least one user command, a shared content database that stores and manages content under the control of the server, and It may include a digital rights management server that receives user commands from the user terminal and manages a shared content database.
At this time, the digital rights management server may include at least one processor and a memory that stores instructions that instruct the at least one processor to perform at least one step.
At least one step is a user authentication step that verifies the identity of the user accessing the digital rights management server using the user terminal and confirms whether the user has legitimate access rights to the digital rights management server, and digital rights management using the user terminal. A user pattern analysis step that analyzes usage patterns for user access, content use, and management based on the access and activity history of the rights management server, and at least one action regarding the user and the content accessed by the user according to the usage pattern analysis results. It may include a security score calculation step of calculating a pattern score, calculating a security score based on the calculated behavior pattern score, and generating warnings and notifications about security threats based on the calculated security score.

Description

Digital rights management system and method of operation for improving shared content security {SYSTEM AND METHOD FOR OPERATING DIGITAL RIGHTS MANAGEMENT FOR ENHANCING SECURITY OF SHARED CONTENTS}

The present invention relates to a digital rights management system for improving the security of shared content and a method of operating the same. More specifically, the present invention relates to a digital rights management system for improving the security of shared content that provides active security control for content selectively shared between users in a cloud space. It relates to a digital rights management system and its operating method.

Conventionally, the general form of office work was centered on direct face-to-face work through the mutual exchange of physical data and printed materials by gathering people performing work in the same space, and with the trend of the times, documents were digitized.

This naturally leads to the natural development of not only work using original documents, but also the use of electronic communication equipment to exchange data in the form of electronic documents that can be created by digitized documents, images, audio and video, and their combinations. did. However, while the nature of business data in the form of electronic documents makes it easy to copy and edit, many security methods have been required to track or prevent this.

In addition, recently, due to the global pandemic, business collaboration not only between members of the same organization but also with third parties, including competitors, has become natural. In this case, in the exchange of business data in the form of electronic documents, We have sought to improve the security of the work environment by providing proof of forgery and alteration and granting or restricting access rights.

Nevertheless, there is still a lack of research to solve the problem of uploading work data in the form of electronic documents to online data storage space and cloud data storage space and securing security for access to data by a specific or unspecified number of people.

Accordingly, research on digital rights management systems to improve the security of shared content, including shared electronic documents handled in shared data spaces, is required.

Domestic Patent Publication No. 10-2063033

The purpose of the present invention to solve the above problems is to provide a digital rights management system and a method of operating the same to improve shared content security.

One aspect of the present invention for achieving the above object provides a user terminal, a digital rights management server, and a content management database. A digital rights management system for improving shared content security according to an embodiment includes a user terminal that connects to a server through a wired or wireless network and transmits at least one user command, a shared content database that stores and manages content under the control of the server, and It may include a digital rights management server that receives user commands from the user terminal and manages a shared content database.

At this time, the digital rights management server may include at least one processor and a memory that stores instructions that instruct the at least one processor to perform at least one step.

At least one step is a user authentication step that verifies the identity of the user accessing the digital rights management server using the user terminal and confirms whether the user has legitimate access rights to the digital rights management server, and digital rights management using the user terminal. A user pattern analysis step that analyzes usage patterns for user access, content use, and management based on the access and activity history of the rights management server, and at least one action regarding the user and the content accessed by the user according to the usage pattern analysis results. It may include a security score calculation step of calculating a pattern score, calculating a security score based on the calculated behavior pattern score, and generating warnings and notifications about security threats based on the calculated security score.

In addition, the user authentication step is a step of verifying the user's identity and the access rights granted to the user through an ID to confirm the user's identity and a user verification identifier corresponding to each ID, and using the user verification identifier for the user's ID. It may include the step of performing primary authentication and then performing secondary authentication using a user verification identifier that was not used in primary authentication to perform user authentication.

At this time, the user verification identifier is a password, PIN number, answer to a preset question, or authentication through confirmation of user information including identification through a photo, and confirmation of the location information of the user terminal, so that the user can be used in the office or at the user's office. This may be either authentication using location information of the user terminal to confirm whether the user is at home, or time authentication based on input of an authentication code using SMS, voice call, OTP password, or email authentication within a predetermined time.

In addition, in the user authentication step, n-th authentication is performed using user verification identifiers that do not overlap with each other, but the process sequence of the n-th authentication is used as the final user verification identifier, and the user is It may further include providing a UI (User Interface) for directly selecting a user verification identifier to be entered.

At this time, the user pattern analysis step tracks the user's location and IP address to track whether the user is accessing from a pre-designated location, the user's key input speed, key input accuracy, and input time of the user's ID and user verification identifier. , tracking the user authentication method, the speed and accuracy of the interaction between the user terminal and the digital rights management server, identifying the device used by the user, tracking whether the device used by the user is the same device, and tracking results. Accordingly, if a deviation in the user's usage pattern exceeds a certain range occurs, at least one of the following methods is used: blocking access based on the user's ID, additional authentication for user verification, or verification of the user's identity by another user related to the user. A step of restricting user access may be further included.

In addition, the security score calculation step multiplies the access control level score for each content by the encryption level score applied to the content, the data usage score for each content, the user behavior pattern deviation conversion score, and the abnormal behavior frequency conversion score. Calculated by dividing by the value, the access control level score is calculated by dividing the number of access control methods applied for each user by the total number of access control methods that can be supported by the digital rights management server, and the data usage score for each content is calculated as the product of the amount of data transmitted and received per unit time, the data transmission frequency per unit time, and the sum of the sensitivity scores preset according to data properties for each content accessed by the user, and the encryption level score applied to the content is the user terminal Alternatively, it is calculated by dividing the number of encryption protocol methods applied to each content by the total number of encryption protocol methods that can be supported by the digital rights management server, and the user behavior pattern deviation conversion score is a predetermined deviation based on the trend line. Excess deviation exceeding predetermined deviation at Contrast excess deviation Weight determined as a ratio of is calculated by multiplying, and the abnormal behavior frequency conversion score is the number of times the user accessed the content during a certain period of time. Average number of content accesses based on the user's previous access history It can be calculated by dividing by .

When using the digital rights management system and its operation method for improving the security of shared content according to the present invention as described above, when a large number of users use shared content and a security vulnerability is discovered, a security warning notification is issued to generate shared content. Security can be strengthened.

In addition, by generating security warning notifications based on user-generated signals generated by the business activities of hosts providing shared content and guests using them, the efficiency of preventing hacking and technology leaks due to security protocol infiltration can be maximized.

The effects that can be obtained from the present invention are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the description below. will be.

The above-described and other aspects, features and benefits of certain preferred embodiments of the present invention will become more apparent from the following description taken in conjunction with the accompanying drawings.
Figure 1 is an exemplary diagram showing the operating environment of a digital rights management system for improving shared content security according to an embodiment of the present invention.
Figure 2 is an example diagram for explaining an example of creating a snapshot of an original file.
Figure 3 is an exemplary diagram showing an example for explaining a digital rights management server.
FIGS. 4A and 4B are exemplary diagrams for explaining user authentication and secondary authentication.
Figure 5 is an example diagram to explain the deviation and frequency of user behavior patterns.
FIG. 6 is a hardware configuration diagram of the digital rights management system for improving shared content security according to FIG. 1.
It should be noted that throughout the drawings, like reference numerals are used to illustrate identical or similar elements, features and structures.

Hereinafter, embodiments of the present invention will be described in detail with reference to the attached drawings.

In describing the embodiments, descriptions of technical content that is well known in the technical field to which the present invention belongs and that are not directly related to the present invention will be omitted. This is to convey the gist of the present invention more clearly without obscuring it by omitting unnecessary explanation.

For the same reason, some components are exaggerated, omitted, or schematically shown in the accompanying drawings. Additionally, the size of each component does not entirely reflect its actual size. In each drawing, identical or corresponding components are assigned the same reference numbers.

The advantages and features of the present invention and methods for achieving them will become clear by referring to the embodiments described in detail below along with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various different forms. The present embodiments are merely provided to ensure that the disclosure of the present invention is complete and to provide common knowledge in the technical field to which the present invention pertains. It is provided to fully inform those who have the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

At this time, it will be understood that each block of the processing flow diagrams and combinations of the flow diagram diagrams can be performed by computer program instructions. These computer program instructions can be mounted on a processor of a general-purpose computer, special-purpose computer, or other programmable data processing equipment, so that the instructions performed through the processor of the computer or other programmable data processing equipment are described in the flow chart block(s). It creates the means to perform functions. These computer program instructions may also be stored in computer-usable or computer-readable memory that can be directed to a computer or other programmable data processing equipment to implement a function in a particular manner, so that the computer-usable or computer-readable memory It is also possible to produce manufactured items containing instruction means that perform the functions described in the flowchart block(s). Computer program instructions can also be mounted on a computer or other programmable data processing equipment, so that a series of operational steps are performed on the computer or other programmable data processing equipment to create a process that is executed by the computer, thereby generating a process that is executed by the computer or other programmable data processing equipment. Instructions that perform processing equipment may also provide steps for executing the functions described in the flow diagram block(s).

Additionally, each block may represent a module, segment, or portion of code that includes one or more executable instructions for executing specified logical function(s). Additionally, it should be noted that in some alternative execution examples it is possible for the functions mentioned in the blocks to occur out of order. For example, it is possible for two blocks shown in succession to be performed substantially at the same time, or it is possible for the blocks to be performed in reverse order depending on the corresponding function.

At this time, the term '~unit' used in this embodiment refers to software or hardware components such as FPGA (field-programmable gate array) or ASIC (Application Specific Integrated Circuit), and '~unit' refers to what role perform them. However, '~part' is not limited to software or hardware. The '~ part' may be configured to reside in an addressable storage medium and may be configured to reproduce on one or more processors. Therefore, as an example, '~ part' refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, and procedures. , subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. The functions provided within the components and 'parts' may be combined into a smaller number of components and 'parts' or may be further separated into additional components and 'parts'. Additionally, components and 'parts' may be implemented to regenerate one or more CPUs within a device or a secure multimedia card.

In describing the embodiments of the present invention in detail, the main focus will be on the example of a specific system, but the main point claimed in this specification is that the scope disclosed in this specification is applicable to other communication systems and services with similar technical background. It can be applied within a range that does not deviate significantly, and this can be done at the discretion of a person with skilled technical knowledge in the relevant technical field.

Figure 1 is an exemplary diagram showing the operating environment of a digital rights management system for improving shared content security according to an embodiment of the present invention.

Referring to Figure 1, a digital rights management system 100 (hereinafter referred to as 'system') for improving shared content security includes a user terminal 10 and a digital rights management server 20 (hereinafter referred to as 'server'). ) and a shared content database 30.

Here, the user terminal is a terminal used by a user who wants to utilize the system according to the present invention, and may be a desktop computer, laptop computer, laptop, smart phone, or tablet PC capable of communication. (tablet PC), mobile phone, smart watch, smart glass, e-book reader, PMP (portable multimedia player), portable game console, navigation device, digital camera ( digital camera), DMB (digital multimedia broadcasting) player, digital audio recorder, digital audio player, digital video recorder, digital video player, PDA ( Personal Digital Assistant), etc.

Additionally, the server 20 can receive user commands from the user terminal 10 and manage the shared content database 30.

In addition, here, the user is a user who wants to utilize the system according to the present invention, and can be classified subjectively by holding different rights depending on the user's category, and can be classified objectively by imposing restrictions on the content the user can access. It can be.

As an example, the server 20 can be divided into at least one organization (e.g., project, business, work organization) according to the properties of the content, and can distinguish organization members by granting different rights according to the properties of the organization members within the same organization. You can. Additionally, in the system 100, organization members, including organization leaders belonging to different organizations among at least one organization, may be excluded from accessing content shared with each other regardless of the rights granted to members of the different organizations. .

Meanwhile, there may be at least one user terminal 10, and as will be described in detail below, the user terminal 10 may connect to the server 20 through a wired or wireless network and transmit at least one user command. In addition, the user terminal 10 can store, edit, and manage content in the shared content database 30 through the server 20, and adjust rights such as granting or deleting management rights.

At this time, the user command may include commands for performing a series of operations to perform functions provided by the server 20, such as user authentication, access, storage, modification, authorization, and change of content, but the above-mentioned functions It is not limited and may include a series of commands for controlling the operation of the system 100.

Additionally, the shared content database 30 can be provided in a form that is physically separated from the server 20 using cloud storage space, and can be implemented as part of the system in an on-premise form. In addition, it is not limited to this, and the shared content database 30 can also be implemented as part of the server 20. In this case, the shared content database 30 is a solid state drive (SSD), MMC, or eMMC. , multimedia cards in the form of RS-MMC and micro-MMC, secure digital cards in the form of SD, mini-SD, and microSD, USB (universal storage bus) storage devices, and UFS (universal flash storage) devices. , PCMCIA (personal computer memory card international association) card-type storage device, PCI (peripheral component interconnection) card-type storage device, PCI-E (PCI-express) card-type storage device, CF (compact flash) card, It may consist of any one of various types of storage devices such as smart media cards, memory sticks, etc.

Meanwhile, here, the content may include text, image, voice, video, and digital materials generated by a combination thereof, but is not limited thereto, and is a series of digital materials that can be stored in the shared content database 30 in digital form. All data can be included.

The shared content database 30 can store and manage content under the control of the server 20.

For example, storage and management of content includes management including storage of content delivered to the shared content database 30 through the server 20 by the user terminal 10 and granting and modification of content content and permissions. This may mean, but is not limited to, a series of operations according to user commands between the user terminal 10 and the server 20 may be stored.

As an example, a user may access the server 20 using the user terminal 10. At this time, before processing the user command including the connection request from the user terminal 10, the server 20 may check whether the user has legitimate authority for the user command and determine whether to allow the connection.

For example, the server 20 receives an ID and password through the user terminal 10, checks the connected IP address, or determines whether the connection is made according to a predetermined path (e.g., link required for connection). Thus, it is possible to determine whether to allow the user to access the server 20 through the user terminal 10.

After allowing access, the server 20 grants content management rights including access, modification, storage, and deletion of content stored in the shared content database 30 according to the user level when executing a user command of the connected user. It can be limited.

For example, while user A of the organization leader level can access and modify content stored in the shared content database 30 without any authority restrictions, user B of the organization member level can only read content stored in the shared content database 30. However, editing and saving permissions may not be granted. Through this, even if the content is the same, the server 20 can prevent forgery and alteration of the content by a user without access rights by varying whether or not to allow access depending on the content management authority granted to the subject attempting access.

Additionally, the server 20 can set access rights to individual content stored in the shared content database 30, thereby collectively restricting access to individual content based on user information rather than individual users. For example, access to Content 1 might allow access to Organization A, while blocking all access to Organization B. Through this, the server 20 can prevent forgery and alteration of content by users without access rights by varying whether or not to allow access, even for the same user, depending on the access rights granted to the content attempting to access.

Meanwhile, when the user terminal 10 attempts to access content stored in the shared content database 30, the server 20 provides a snapshot of the original content instead of providing the original content, thereby providing a snapshot of the original content. You can prevent forgery or modification of original content without permission.

Figure 2 is an example diagram for explaining an example of creating a snapshot of an original file.

Referring to Figures 1 and 2, after receiving content from the user terminal 10, the server 20 can automatically create a snapshot of the content and store it in the shared content database 30. At this time, the server 20 may encrypt the content and store a snapshot of the original file.

For example, when document content is uploaded to the server 20 through the user terminal 10 (e.g., a word or ppt file), the server 20 stores the uploaded file in the shared content database 30 before or after storing it. While doing so, you can create snapshots of each piece of content.

At this time, a snapshot is a copy of a file created at a specific point in time and can be used in various fields such as data backup, version recovery, or forensic recovery. A snapshot can be created by capturing the state of a file or system at a specific point in time. , by creating a copy of the content and then only tracking changes in the snapshot provided to the user, changes to the content can be tracked while preventing forgery or alteration of the original content.

For example, the server 20 encrypts the original content to block access by individual users and then stores it, and the use of the content, such as transmitting or modifying the content, can be shared by providing snapshot content. At this time, the snapshot may be provided in the same file format as the original content, but is not limited to this and the content can be shared in image format.

In addition, the server 20 can fundamentally block access to the shared content database 30 by unauthorized users by identifying the access IP accessing the shared content database 30 and controlling access to the identified access IP. .

For example, the server 20 may fundamentally block access to the shared content database 30 by limiting the number of simultaneous connections to the access IPs to the shared content database 30 to a predetermined number. For example, if the connection IP assigned to group A using the shared content database 30 is "192.168.0.10" and the preset number of simultaneous connections is 10, the server 20 has the connection IP "192.168.0.10". The number of simultaneous connections to IPs is limited to 10, and connections that exceed this limit can be blocked.

Additionally, the server 20 can ensure security by encrypting the content stored in the shared content database 30. For example, content stored in the shared content database 30 is encrypted and stored separately in a data-only storage space, and data for sharing is provided as duplicate content, thereby creating an entry barrier to the original content. , unauthorized modifications can be excluded.

As an example, the server 20 may encrypt content using the AES (Advanced Encryption Standard) 256 encryption method.

In addition, the server 20 records the server 20 access history of users using the user terminal 10 and the information created and generated by each user when the users access the system 100 and collaborate or share content within the cloud space. Data leaks and abnormal behavior can be detected by creating detailed logs for each user from the activity history and analyzing user behavior patterns through analysis of the detailed logs.

For example, the server 20 may collect access and use logs of the system 100 for individual users and analyze patterns to detect data leakage or abnormal behavior of individual users and generate a notification for warning.

Additionally, the server 20 may restrict rights to each content. As an example, the server 20 may differentially restrict the rights to use content, such as access IP address, password, number of accesses, and number of downloads, for individual users. For example, organization leader A and organization member B may be granted different authority.

Meanwhile, when the user accesses the system 100 through the user terminal 10, the server 20 provides different passwords that grant different access rights to the ID given to the user, and when attempting to connect, The authority can be restricted differently depending on the password provided by the user.

For example, if a user accesses by entering a password he or she set when registering as a user, the server 20 may not restrict separate access rights for the user. On the other hand, when the server 20 accesses the system 100 using a password granting preset access rights, it may grant different access rights even for the same user ID.

For example, when accessing the system 100 by entering a password (e.g., “master”) that grants all rights to the content, the server 20 can grant all rights related to the content to the user, and all rights related to the content can be granted to the user. When accessing the server 20 by entering a password that restricts permissions (e.g., “guest”), the server 20 may restrict all permissions related to content to the user. Through this, the server 20 can secure security by granting different permissions depending on the access password even for the same user using the same user ID.

Additionally, the server 20 can block access outside of the designated period and time by specifying the access period and time for each user, thereby preventing leakage of internal information. For example, the server 20 can specify a period of access for organization leader A and organization member B (e.g., before 120 hours have elapsed from the start of work), while allowing organization leader A to access 24 hours a day. , Organization member B may be permitted to access the server 20 only at certain times every day (e.g., 9 to 18 o'clock).

Additionally, the server 20 can strengthen security by allowing a user to perform secondary authentication including OTP, email, and SMS when accessing the server 20 using the user terminal 10.

For example, when a user attempts to connect through the user terminal 10, the server 20 may request an additional procedure to confirm whether the connection attempt was made by a legitimate user. For example, secondary authentication can be performed by verifying user information such as a two-step password, PIN number, answer to a preset question, or identification through a photo (e.g. ID card), and the user terminal 10 Additional authentication can be performed using the location information of the user terminal, such as checking whether the location is in the office or the user's home, and additional user authentication using SMS, voice call, OTP password, and email authentication within a predetermined time, and a combination of these. Additional authentication can be performed.

Figure 3 is an exemplary diagram showing an example for explaining a digital rights management server.

Referring to FIG. 3, the digital rights management server 20 (hereinafter referred to as 'server') may include a user authentication unit 210, a usage pattern analysis unit 220, and a security score calculation unit 230. .

Referring to Figures 1 and 3, the user authentication unit 210 verifies the identity of the user accessing the server 20 using the user terminal 10, and verifies the user's legitimate access to the server 20. You can check whether you have permission.

For example, the user authentication unit 210 may verify the identity of a user who wishes to access the server 20 through the user terminal 10. For example, the server 20 can identify a user by checking the ID previously assigned to each user. In this case, the ID may be in a form pre-specified by the user or an identifier automatically assigned by the server 20. there is. Additionally, the server 20 can identify whether the user has access rights to the server 20 through the user verification identifier corresponding to each user ID. At this time, the user verification identifier may be a password corresponding to each user ID, and the password may be in a form pre-specified by the user or generated in advance by the server 20 to correspond to each user ID. Additionally, without being limited thereto, the user verification identifier may include OTP, email, and SMS.

FIGS. 4A and 4B are exemplary diagrams for explaining user authentication and secondary authentication.

Referring to FIGS. 1, 2, 4a, and 4b, the user authentication unit 210 provides an ID for verifying the user's identity when the user attempts to connect through the user terminal 10, and a user verification identifier corresponding to each ID. You can check the user's identity and the access rights granted to the user. For example, the user verification identifier may be a password set to correspond to each ID by the user or the user authentication unit 210.

Additionally, the user authentication unit 210 may complete primary authentication using a user ID and user verification identifier and then perform secondary authentication in a form that does not overlap with primary authentication.

For example, in order to identify the user's identity and access rights, the user authentication unit 210 uses a user verification identifier corresponding to each user ID, a password, a PIN number, an answer to a preset question, or a photo. Authentication can be performed by verifying user information such as identity verification (e.g. ID card), and authentication can be performed using location information to check whether the user is in the office or at home by checking the location information of the user terminal 10. and time authentication based on entry of an authentication code using SMS, voice call, OTP password, or email authentication within a predetermined time can be used as the user verification identifier.

Through this authentication method, primary authentication is performed using a user verification identifier for each user ID, and then the user authentication unit 210 performs secondary authentication using a user verification identifier in a form not used in primary authentication. You can perform user authentication by performing .

For example, in primary authentication, a primary password for each user ID may be entered, and in secondary authentication, secondary authentication may be performed using a secondary password for each user ID.

It is not limited to this, and the user authentication unit 210 may perform n-th authentication using user verification identifiers that do not overlap each other.

Additionally, the user authentication unit 210 may use the n-th authentication process sequence as an end-user verification identifier. For example, there are 1st to 5th authentication, and the order is predetermined by the user or the server 20, 1st authentication is password, 2nd authentication is 2nd password, 3rd authentication is OTP authentication, and 4th authentication is. If the authentication number is entered via email or the 5th authentication is entered through SMS, the order of authentication is different from the established order, and even if the individual user verification identifier for the 1st to 5th authentication is entered correctly, user authentication is performed. Unit 210 may determine that the user's verification identification is not legitimate and may not complete the user's identification.

To this end, the user authentication unit 210 may provide a user interface (UI, User Interface) that allows the user to directly select a user verification identifier input method for each user ID. At this time, the user authentication unit 210 may provide a UI for directly selecting a user verification identifier to be input by the user for each level of authentication for the nth authentication.

The usage pattern analysis unit 220 may analyze the user's usage patterns for access, content use, and management based on the user's access and activity history of the server 100 using the user's user terminal 10.

For example, the usage pattern analysis unit 220 can track the user's location and IP address to track whether the user is accessing from a pre-designated location. For example, the usage pattern analysis unit 220 continuously monitors the location of the area where user A accesses, analyzes whether the location of the area where user A accesses is outside the existing access area, and determines the usage pattern. You can track it.

In addition, the usage pattern analysis unit 220 determines the user's key input speed, key input accuracy, input time of the user's ID and user verification identifier, user authentication method, and interaction between the user terminal 10 and the server 20. Speed and accuracy can be tracked and analyzed.

For example, if user A's input speed and accuracy of the user's ID and user verification identifier are 150 strokes/minute and 90%, the user pattern analysis unit 220 determines the input speed and accuracy that deviates from the pattern, e.g. If analyzed at 300 strokes/minute and 99%, it can be analyzed that the user is not the same user. In addition, the user pattern analysis unit 220 analyzes the user's pattern by analyzing the user verification identifier mainly used by the user to perform user authentication, its input time, and whether the user authentication method is the same as the type used in the existing connection. can do.

Additionally, the usage pattern analysis unit 220 may analyze the previous activity record of the user terminal 10 and analyze whether the usage pattern matches the past usage pattern. For example, if user A generally accesses the server 20 from an office computer during regular business hours (e.g., 9 to 18 p.m.), the usage pattern analysis unit 220 may use the server 220 at a location other than the office outside of regular business hours. If a connection to the server 20 is detected, the corresponding activity can be analyzed as abnormal behavior.

Additionally, the usage pattern analysis unit 220 can identify the device used by the user and track and analyze whether the device used by the user is the same device. For example, the usage pattern analysis unit 220 tracks the unique identifier of the user device, a device identifier such as a MAC address, or an identifier assigned to the user device by the usage pattern analysis unit 220, and the user uses the usage pattern analysis unit 220. If an attempt is made to connect to the server 20 using a device other than a device known to ), it can be analyzed as deviating from the general usage pattern.

Through this, the usage pattern analysis unit 220 analyzes the user's usage pattern and, if the user's usage pattern deviates beyond a certain range, determines it to be a potential insurance threat and generates a warning flag to notify the user. You can create notifications.

According to the tracking results, the usage pattern analysis unit 220 blocks access based on the user's ID and provides additional authentication for user verification when the user's usage pattern deviates beyond a certain range (e.g., 20% or a pre-designated location). , the user's access can be restricted by verifying the user's identity by other users related to the user (e.g., other organization members, etc.). For example, according to the tracking results, the usage pattern analysis unit 220 determines whether user A leaves the existing work area, key input speed, or interaction speed with the server 20 as a result of tracking user A (an organization member). And if the accuracy deviates by more than 20%, the identity of User A can be confirmed by User B (organization leader or another organization member other than User A). At this time, User B can confirm User A's identity using messenger, phone, or other subjective methods that can confirm User A's identity, and approve User A's access to the server 20.

Through this, the system 100 can continuously monitor and analyze user patterns to detect and prevent security threats before they damage or damage sensitive data.

The security score calculation unit 230 may calculate a security score according to the analysis result of the usage pattern analysis unit 220.

For example, when at least one user connects to the server 20 and performs work activities, the security score calculation unit 230 uses a combination of user usage pattern analysis, access control, and secure data transmission protocols for each user. and calculate at least one behavior pattern score for the content accessed by each user, calculate a security score based on the calculated behavior pattern score, and generate warnings and notifications about security threats based on the calculated security score. You can.

For example, the security score calculation unit 230 can calculate the security score using the equation below.

Here, S means the security score, A means the access control level score for each content, B is the data usage score for each content, C is the encryption level score applied to the content, and D is the score. E refers to the user's behavioral pattern deviation conversion score according to the user's usage pattern analysis, and E refers to the abnormal behavior frequency conversion score according to the user's usage pattern analysis.

In other words, the security score (S) is calculated by multiplying the access control level score (A) for each content by the encryption level score (C) applied to the content, the data usage score (B) for each content, and the data usage score (B) applied to the content. It can be calculated by dividing by the product of the encryption level score (D) and the abnormal behavior frequency conversion score (E).

Specifically, A, which refers to the access control level for each content, refers to the access control level for users accessing the server 20, and refers to an access level restricted according to the role assigned to each user or organization. For example, while an organization leader-level user can access all content related to his or her job, the level of access control may be different depending on the role so that an organization member-level user can only access content related to his or her job.

Additionally, user may refer to attribute-based access control, in which the level of access control varies depending on the attributes of content classified by a specific project, department, or geographical location. At this time, the higher the score for the access control level, the stronger the access control level and the lower the risk of unauthorized access to the content.

For example, the security score calculation unit 230 may grant a high access control level score when specific access restrictions are granted according to the attributes of each user. For example, the access control level score can be calculated as shown in the equation below.

The access control level score A can be calculated by dividing the number of access control methods applied for each user by the total number of access control methods that can be supported by the server, and can have a value between 1 and 2. For example, the total number of access control methods for each user provided by the server 20 is 5 (e.g., user level, accessible time, accessible area, accessible department (organization), specific project), If the number of access control methods applied to each user is three (e.g., user level, access time, access area), the access control level can be calculated as follows.

In addition, B, which refers to the amount of data usage for each content, refers to the total amount of data for the content exchanged between the user terminal 10 and the server 20, and is the amount of data per hour, unit, equal to the amount of data transmitted per second. Expressed as a converted score based on the data transmission frequency, which refers to the number of data transmissions between the user terminal 10 and the server 20 per hour, and a predetermined sensitivity to the type of data transmitted, such as personal identification information, financial data, or intellectual property. It can be. At this time, data usage based on data amount, data transmission frequency, and data type may indicate that a higher score means a larger amount of data is transmitted and a higher risk of data leakage or unauthorized access.

For example, data usage score B can be derived through the equation below.

At this time, the amount of data transmitted and received per unit time means the total amount of data transmitted and received between the user terminal 10 and the server 20 during a predetermined unit time, for example, the amount of data transmitted and received between the user terminal 10 and the server 20 for 10 minutes. ), if the total amount of data transmitted and received between them was 100Mb, the amount of data transmitted and received per unit time could be 10Mb/minute.

In addition, the data transmission frequency per unit time refers to the transmission frequency of commands or data exchanged between the user terminal 10 and the server 20 during a predetermined unit time. For example, for 10 minutes, the user terminal 10 and the server ( 20) If the frequency of transmission and reception of commands or data occurring in the interval is 50 times, the data transmission frequency per unit time may be 5 times/minute.

Through this, even when the amount of data transmitted and received per unit time is low, the data usage score B can be calculated high if the frequency of data transmission per unit time is high, which means that a large amount of data is transmitted and the risk of data leakage or unauthorized access is high. You can.

Additionally, the data type may be a score given to each individual content according to a type predetermined by the user terminal 10 or the server 20, and may be expressed as a score of 1 to 10.

For example, if the user saves content on the server 20 and designates it as an “important” item, the server 20 gives priority to the actual content of the content and classifies the data type for the content as sensitive data, giving a high score. can be given. It is not limited to this, and the server 20 may manage a preset sensitivity score according to the data type for standardized data types. For example, personal identification information, financial data, or intellectual property are content elements that must be managed relatively sensitively, and the server 20 is preset to 10, 8, and 6 for each content type, and for each content accessed by the user. , can be expressed as the sum of preset sensitivity scores according to data properties.

For example, the security score calculation unit 230 has a per-hour transmission/reception data volume of 10Mb/min, a data transmission frequency per unit time of 5 times/min, and accesses personal identification information, financial data, or intellectual property once each to obtain a sensitivity score. If 10, 8, and 6 points are given respectively, the data usage score can be calculated as follows.

C, which stands for the level of encryption applied to the content, is a measure of the level of encryption, which may include measures such as the strength of the encryption algorithm, the length of the encryption key, and the use of additional security protocols such as SSL/TLS; the higher the score, the higher the score. This means the level of encryption is stronger and the risk of unauthorized access to your data is lower.

For example, whether an encryption algorithm that provides strong encryption with a variable key length, such as Advanced Encryption Standard (AES), has been applied and the connection between the user terminal 10 and the server 20 is encrypted to add additional data to the data being transmitted. A score can be calculated based on whether security protocols that provide protection have been applied. For example, the security score calculation unit 230 may calculate the number by dividing the number of encryption protocol methods applied to each user terminal 10 or each content by the total number of encryption protocol methods that the server 20 can support.

In other words, the security score calculation unit 230 calculates an encryption level scale score by determining how robustly the server 20 provides the encryption protocol for data transmission and reception with the user terminal 10 and the shared content database 30. can do. For example, when there are two encryption methods and protocols that can be supported by the server 20 (e.g., AES-256 and SSL/TLS), and both encryption methods and protocols provided by the server 20 are supported. , the encryption level score can be calculated as follows.

In addition, D, which refers to the deviation of the user's behavior pattern according to the analysis of the user's usage pattern, may mean measuring the degree to which the user's behavior deviates from the expected pattern. This can include measures such as frequency and severity of deviations and type of deviation, with higher scores indicating greater deviation and a higher risk of security threats.

At this time, the deviation frequency refers to the number of times the user's behavior deviates from the expected pattern, and the severity of the deviation refers to the deviation in the content or permissions that the user accessed or attempted to access compared to the amount of data accessed by the user or the level of permission granted. Impact can mean a conversion score, and violation type can mean a conversion score for network activity based on unauthorized access attempts, changes to access control settings, or other suspicious behavior.

Figure 5 is an example diagram to explain the deviation and frequency of user behavior patterns.

Referring to Figure 5, the x-axis represents time and the y-axis represents user behavior. For example, the usage pattern analysis unit 220 may analyze the user's key input speed per unit time, where the x-axis may be time and the y-axis may be the user's average key input speed per unit time.

Here, the usage pattern analysis unit 220 may generate a trend line 500 for the user's average key input speed per unit time, and a preset deviation ( d) can be determined. At this time, the security score calculation unit 230 determines the user's average key input speed per unit time as a predetermined deviation ( Excess deviation exceeding d) If it occurs, it is judged as a sign of abnormality and excessive deviation A behavioral pattern deviation conversion score can be calculated from the sum of .

For example, the security score calculation unit 230 can calculate the user's behavioral pattern deviation conversion score using the equation below. As an example, a predetermined deviation over a certain period of time ( Excess deviation in which anomalies exceeding d) occurred The security score can be calculated from the sum of the values as follows.

For example, a predetermined deviation ( If d) is 100 strokes/min, and the user's average keystroke time at 10, 15, and 20 seconds is 120, 130, and 150 strokes/min, then the excess deviation is each It can be calculated as

In addition, the security score calculation unit 230 can assign weight according to the excess ratio of the average deviation, and a predetermined deviation ( Excess deviation for abnormal behavior exceeding d) ( ) weight for can be calculated as in the equation below.

For example, a predetermined deviation ( If d) is 100 strokes/minute and the key input speed that occurred at time x is 160 strokes/minute and is determined to be abnormal behavior, the excess deviation ( ) can be 60, the weight for this can be calculated as 1.6.

Through this, the user behavior pattern deviation conversion score is calculated as follows.

However, for convenience of explanation, the calculation of the user behavior pattern deviation conversion score was explained based on the trend line for the user's key input speed and the deviation therefrom, but the user behavior pattern deviation conversion score is a log record of the user's behavior pattern. , location record at the time of user access that tracks the user's location and IP address, accuracy of the user's key input, input time of the user's ID and user verification identifier, user authentication method, interaction between the user terminal and the digital rights management server. You can use log records about the speed and accuracy of the user's usage terminal and the consistency of the user's terminal through identification of the device used by the user, analyze trend lines or usage patterns based on the log records, and use the usage pattern to determine predetermined usage patterns. Excess deviation if it exceeds a certain percentage By calculating , the user behavior pattern deviation conversion score can be calculated.

E, which refers to the frequency of abnormal behavior according to the analysis of user usage patterns, is a measure of the frequency of abnormal user behavior detected. This may include measures such as the number of anomalies detected per unit of time, the severity of the anomalies, and the effectiveness of responses to the anomalies, with higher scores indicating a higher frequency of anomalies and a higher risk of security threats.

For example, the frequency of detected anomalies refers to the number of anomalies that occur with respect to user behavior, and the severity of anomalies refers to the impact of user behavior anomalies on system security, such as the amount of data accessed or the level of privileges granted. Means the conversion score for , and the effectiveness of the response means the converted score for the speed and accuracy of the response to the user's abnormal behavior and the effectiveness of the level of automated response used.

Additionally, referring again to FIG. 5, the usage pattern analysis unit 220 may calculate the access frequency based on the number of times the user accesses the content. The usage pattern analysis unit 220 calculates the number of times a user accesses content during a certain period of time (t1 to t2), By analyzing , the user's average content access frequency can be calculated. At this time, the security score calculation unit 230 determines it as an abnormality sign when the number of times the user's content accesses occur during a certain period of time exceeds or falls below a predetermined ratio (e.g., 20%) of the previously calculated average content access frequency. Scores can be calculated.

For example, if the number of times (f) a user accesses content during a certain period of time (t1 to t2) is 10, the frequency of abnormal symptoms can be calculated using the equation below. here, is the number of times a user accesses content during a certain period of time. is the average number of content accesses based on the previous access history of the same user. For example, the average number of content accesses per user access ( ) is 10, which is the number of times the currently connected user accesses content during a certain period of time ( ) is 20, the content access frequency score can be calculated as 2, which is classified as abnormal behavior as it exceeds a predetermined ratio (e.g. 20%) to the average number of content accesses, and the abnormal behavior frequency conversion score is calculated. can do.

Reflecting the previous example, the security score calculated by the security score calculation unit 230 is as follows.

The security score calculation unit 230 calculated the access control level score A and the encryption level score C applied to the content to be high, but the data usage score B for the content, D, which is the sum of the user's behavior pattern deviation, and user abnormal behavior As the frequency E has a relatively large value, a security score of 0.5 is calculated, and the security score calculation unit 230 calculates the security score of less than a predetermined threshold (e.g., 0.5) by calculating the user's use. If it is determined that the pattern shows signs of abnormality, a warning notification can be generated to the user.

Meanwhile, in the above example, in calculating conversion scores for conversion of transmission/reception data amount, transmission frequency, and abnormal behavior frequency, Mb/min unit was applied, and conversion values of 1000 and 60 were applied to the denominators in equations 4 and 7, respectively. , it should be noted that the conversion value may vary depending on the amount of data used and the reference time.

FIG. 6 is a hardware configuration diagram of the digital rights management system for improving shared content security according to FIG. 1.

Referring to FIG. 6, the digital rights management server 600 for improving shared content security includes at least one processor 610 and instructions instructing the at least one processor 610 to perform at least one step. It may include a memory (620) that stores (instructions).

Here, the at least one processor 610 may mean a central processing unit (CPU), a graphics processing unit (GPU), or a dedicated processor on which methods according to embodiments of the present invention are performed. You can. Each of the memory 620 and the storage device 660 may be comprised of at least one of a volatile storage medium and a non-volatile storage medium. For example, the memory 620 may be comprised of at least one of read only memory (ROM) and random access memory (RAM).

Additionally, the digital rights management server 600 for improving shared content security may include a transceiver 630 that communicates through a wireless network. Additionally, the digital rights management server 600 for improving shared content security may further include an input interface device 640, an output interface device 650, a storage device 660, etc. Each component included in the digital rights management server 600 for improving shared content security is connected by a bus 670 and can communicate with each other.

Methods according to the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. Computer-readable media may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on a computer-readable medium may be specially designed and constructed for the present invention or may be known and usable by those skilled in the computer software art.

Examples of computer-readable media may include hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions may include machine language code such as that created by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The above-described hardware device may be configured to operate with at least one software module to perform the operations of the present invention, and vice versa.

Additionally, the above-described method or device may be implemented by combining all or part of its components or functions, or may be implemented separately.

Although the present invention has been described above with reference to preferred embodiments, those skilled in the art may make various modifications and changes to the present invention without departing from the spirit and scope of the present invention as set forth in the claims below. You will understand that you can do it.

Claims (5)

As a digital rights management system for improving shared content security,
A user terminal that connects to a server through a wired or wireless network and transmits at least one user command;
a shared content database that stores and manages content under the control of the server; and
A digital rights management server that receives user commands from the user terminal and manages the shared content database;
The digital rights management server,
at least one processor; and
a memory storing instructions that instruct the at least one processor to perform at least one step;
The at least one step is,
A user authentication step of verifying the identity of the user accessing the digital rights management server using the user terminal and confirming whether the user has legitimate access rights to the digital rights management server;
A user pattern analysis step of analyzing usage patterns for the user's access, content use, and management based on the access and activity history of the digital rights management server using the user terminal; and
According to the results of the usage pattern analysis, at least one behavior pattern score is calculated for the user and the content accessed by the user, a security score is calculated based on the calculated behavior pattern score, and based on the calculated security score Including a security score calculation step that generates warnings and notifications about security threats,
The security score calculation step is,
The access control level score (A) for each content is multiplied by the encryption level score (C) applied to the content, the data usage score (B) for each content, the user behavior pattern deviation conversion score (D), and abnormal behavior. Calculated by dividing the frequency conversion score (E) by the multiplied value.
The access control level score (A) is,
It is calculated by dividing the number of access control methods applied for each user by the total number of access control methods that can be supported by the digital rights management server and adding 1,
The data usage score (B) for each content above is,
It is calculated as the product of the amount of data transmitted and received per unit time, the frequency of data transmission per unit time, and the sum of the sensitivity scores preset according to data properties for each content accessed by the user.
The encryption level score (C) applied to the above content is,
Calculated by adding 1 to the number of encryption protocol methods applied to the user terminal or each content divided by the total number of encryption protocol methods that can be supported by the digital rights management server,
The user behavior pattern deviation conversion score (D) is,
By analyzing the user's key input speed per unit time with time on the x-axis and the user's average key input speed per unit time on the y-axis, a trend line for the user's average key input speed per unit time is generated, and the generated Predetermined deviation from the trend line Excess deviation exceeding to the predetermined deviation Contrast to above deviation Weight determined as a ratio of It is calculated as the total of the values calculated by multiplying,
The abnormal behavior frequency conversion score (E) is,
Number of times the user accesses content during a certain period of time The average number of content accesses based on the user's previous access history Calculated by dividing by
A digital rights management system to improve shared content security.

In claim 1,
The user authentication step is,
Confirming the user's identity and access rights granted to the user through an ID for confirming the user's identity and a user verification identifier corresponding to each ID; and
Performing primary authentication for the user's ID using the user identification identifier, and then performing secondary authentication using a user identification identifier of a type not used in the primary authentication to perform user authentication; Including,
The user verification identifier is,
Authentication through verification of user information, including password, PIN number, answer to pre-set questions, or identification through photo, and confirmation of location information of the user terminal to determine whether the user is in the office or at the user's home. Characterized by either authentication using location information of the user terminal to be confirmed and time authentication based on input of an authentication code using SMS, voice call, OTP password, or email authentication within a predetermined time,
A digital rights management system to improve shared content security.
In claim 2,
The user authentication step is,
The n-th authentication is performed using the above user verification identifiers that do not overlap each other,
Using the n-th authentication process sequence as an end-user verification identifier; and
Further comprising providing a UI (User Interface) for directly selecting the user confirmation identifier to be entered by the user for each level of authentication for the nth authentication,
A digital rights management system to improve shared content security.
In claim 1,
The user pattern analysis step is,
Track the user's location and IP address to track whether the user is accessing from a pre-designated location,
Tracking the user's key input speed, key input accuracy, input time of the user's ID and user verification identifier, user authentication method, and the speed and accuracy of interaction between the user terminal and the digital rights management server,
Identify the device used by the user and track whether the device used by the user is the same device,
If a deviation in the user's usage pattern exceeds a certain range occurs according to the tracking results, at least one of the following: blocking access based on the user's ID, additional authentication for user verification, or verification of the user's identity by another user related to the user Restricting the user's access through a method; further comprising,
A digital rights management system to improve shared content security.


delete

Images