KR20010078840A - Security System detecting the leak of information using computer storage device - Google Patents

Abstract

PURPOSE: A security system for sensing an outflow of information through a computer storing medium is provided to sense outputs(storing) of data to all auxiliary memories of members and to code and store the outputs and related detail information. CONSTITUTION: A data tracking unit(5) senses all copying processes of attached all auxiliary memories and captures consecutive operations of a copying related operation as a starting and ending history and a file created in an application and codes the information and stores the information in a local disk. In addition, the data tracking unit(5) makes a network agent unit(6) transmit the extracted principal file list contents to a designated data server(7). The data server(7) comprises a data processing unit(9) and an alarm processing unit(10). A manager computer(11) monitors and controls the corresponding member's computer through a function of a remote place control unit(13) after receiving information outflow contents and analyzes detail log information.

Description

Security System detecting the leak of information using computer storage device}

The present invention includes a research result of an important project owned by an organization (an institution, a company, a research institute, a military unit, etc.), a confidential business activity, a strategy, a confidential document, etc., by a member of a computer storage medium to illegally provide it to another competitor. It aims to prevent the leakage of key information for delivery, retirement, and use as the main business of your business, or for the sale of data such as personally identifiable information for the purpose of individuals.

There is a statistic that most channels of information leakage are done by insiders, not outsiders. Rather than infiltrating external hackers through the Internet network, members of the organization leak information online through the network like spies, through information types such as prints, drawings, and books, and security information on computer storage media. Some people sneak them out and leak it to the outside, and information leakage through computer storage media is very serious. Many organizations have a great interest in information leakage prevention, and as part of this, proxies (firewalls) are installed to prevent information leakage through the network of external hackers and internal members.

However, a member who knows the firewall installation wants to steal information, but not through the firewall. We will choose to leak information through off-line computer storage, which is very easy, not easy to be traced, and where evidence is hard to find in the future. For this reason, the information leakage security monitoring system through offline computer storage media is essential.

Therefore, the present invention is to solve the above problems, all the auxiliary memory devices (floppy, removable hard disk tape, CDR, CDRW, DVDR, DVDRAM, Zip, Jazz, optical disk, flash memory, etc.) attached to the member's computer system The data output (save) is monitored and the detailed information about the data before and after the data leakage is stored in the local computer system, whether it is normal or illegal, and the file list copied to the media and the program list used in the adjacent time zone It transmits the information to the data server for storage and utilizes it as a legal basis for the event. If the copied file is a security level file and is not authorized, the administrator is notified immediately. Real-time security for remote monitoring and remote control of the computer Configure the system.

1 is an agent system in an organization in which a wired / wireless network to which the present invention is applied is configured to automatically detect information leakage through a computer storage medium from a member's computer and transmit the facts and leakage details to a data server, and leakage information. And a data analysis processing system that logs and statistics information on media usage and provides real-time notification to management and supervisors in case of important security documents, and a monitor console system that can remotely monitor or remotely control member computers. It is also.

2 is an agent system configuration mounted on member computers to monitor information leakage.

3 is a block diagram of a data analysis processing system for storing information leakage history, making a database of the status of media use, and informing the administrator of the information leakage.

4 is a configuration of a monitor console system that can be remotely monitor the computer or search for various statistical information, such as to directly check the information leakage history of the administrator.

5 is a control flowchart of an agent system.

6 is a control flowchart of a data analysis processing system;

7 is a control flowchart of the monitor console system.

To this end, the present invention configures an agent system that automatically detects when data is copied to all auxiliary storage devices attached to the member computer and transmits the copy history to the data server. In case of copying to an unauthorized storage medium, the administrator immediately determines whether the license is authorized and the administrator immediately monitors the member computer for remote monitoring, remote control, and detailed log in order to investigate the fact of information leakage. Configure the system to do file analysis.

The following describes the monitoring and control of information leakage in detail based on the accompanying drawings.

1 is an overall configuration diagram of an information security device system for monitoring and controlling information leakage through an offline computer storage medium according to the present invention.

The agent system mounted inside the computer is largely composed of a data tracking unit 5 and a network agent unit 6. Members who use the computer 1 connected to the wired or wireless network (2, 15) may use the data of other computers connected to the network (servers, mainframes, etc.) and information stored in their own computers (hereinafter referred to as local computers) (hereinafter, internal data). This information is copied to the storage medium 3 by using various types of computer storage devices. In this process, the data tracking unit copies all the auxiliary storage devices attached thereto. The type of application that was started up until the data was saved to any auxiliary storage, the startup and shutdown history, and a series of operations (rename, copy, delete, attribute change, etc.) on the files inside the application. After capturing the file, encrypting the information and saving it on the local disk, Only the main file list details the extraction shall be sent to the specified data server (7).

In addition, when receiving a service such as a remote monitoring request and a remote control request from the administrator computer 11, the network agent unit provides information on local system resources (monitor, various setting information) or executes an instruction instructed, and details log. When receiving a service request such as a request, the data tracking part is requested to transmit the log data to the administrator computer.

The data server 7 is largely composed of a data processing unit 9 and an alarm processing unit 10. The data processing unit locks the received information leakage data to a database, processes usage statistics for each storage medium, and whether the leakage information is confidential. In addition, the alarm processing unit promptly informs the manager of the leakage in case of exceptional exception that is not subject to permission.

After receiving the information leakage, the manager computer 11 remotely monitors and remotely controls the member computer through the function of the remote management unit 13, analyzes detailed log information existing in the member computer, and the database search unit 14 Through this, you can search and search data such as statistical information and usage statistics by storage media by organization or member.

2 is a block diagram of components and interactions of an agent system applied to the member computer 1.

The agent system is largely divided into the data tracking unit 200 and the network agent unit 205. The data tracking unit includes various hardware (CPU, Memory, Disk, peripheral device, etc.) and software (operating system, application program, etc.) installed in the member computer. It identifies resources and automatically detects when a peripheral device is added or removed, and instructs the network agent to transmit the detection details to the data server. The data monitoring unit 202, which is a component of the data tracking unit, monitors the leakage of information on all auxiliary storage devices, grasps the startup and shutdown status of all applications, and performs a series of operations (creation and renaming) of files generated in the application. , Copy, delete, attribute changes, etc.). The encryption processing unit 203 encrypts the information extracted from the data monitoring unit and adds data such as a checksum (CRC) to infer the facts of the member's manipulation and change in order to ensure the integrity of the data.

The detail log processing unit 204 stores the completed encrypted data on the local disk and causes the alarm processing unit 206 to transmit the extracted file details to the data server. The monitoring and interruption processing unit 208 performs an operation of ringing an emergency alarm or paralyzing the system when the extracted file history is transmitted to the data server, when an intentional disconnection of the member, deletion of a log file, or the like occurs.

The remote monitoring processing unit 210 performs a task of completely blocking the use of a system such as a keyboard and a mouse by a system lock processing unit 209 of a member of an administrator in an administrator computer. When the administrator requests the detailed log file, the log file transfer processing unit 207 requests the detailed log file from the data tracking unit and transmits the information to the administrator, thereby enabling detailed information analysis.

3 is a diagram showing the components of the data analysis processing system applied to the data server 7 and their interaction.

The data analysis processing system is largely divided into a data processing unit 300 and an alarm processing unit 304, and the data processing unit is configured with a data logging processing unit 301 and an organization for logging computer resource information and leakage details received from member computers into a database or a file. Whether or not the data file processor 302 processes statistical data on media usage and computer resources according to the physical places (buildings, floors, arcs), departments, ages, genders, positions, etc. It is composed of a security data processing unit 303 for instructing the alarm processing unit 304 to inform the administrator of the contents in the exceptional case by checking whether or not the license.

The alarm processing unit is responsible for notifying the monitor console system and the administrator through the various transmission means of the alarm request instructed by the security data processing unit.

4 is a diagram illustrating components and interaction of the monitor console system applied to the manager computer 11.

The monitor console system is largely divided into the remote management unit 400 and the database search unit 401. The remote management unit prevents the members from using the remote monitoring unit 401 and the remote computer to remotely monitor the computer where the information leakage occurred. Remote control unit 402 to set the configuration and the remote log logging analysis unit 403 that analyzes the detailed log file existing in the remote computer inside the trace back information leakage process in detail.

The database search unit 404 searches for leaked file contents accumulated in the database, registers various licenses, and searches and reports statistical data on storage media in the organization.

5 is a control flowchart of an agent system that is installed and executed in a member computer and operates as follows. If there is no phrase to move in the description of the flowchart, it implicitly moves to the stage immediately below.

S-500. If the program ends, the program ends through S-501. Otherwise, the program moves to S-502.

The S-503 keeps track of the hardware and software resources installed on the computer, and adds or deletes computer storage devices. It is necessary to use a separate application to drive the storage devices (CDR, DVDR, etc.). When major computer resource changes occur, such as when installing or uninstalling applications, send these changes to S-502. In other words, it is to track the portable drive that is temporarily imported from the outside for information leakage.

S-504 monitors the creation and termination of programs, monitors file and data manipulations occurring within each program, and monitors cases where internal data is stored as leaked data. Send a message to S-502.

If the S-505 receives a service request from the administrator computer, such as remote monitoring, remote control, or detail log file, or passes the hotkey and password verification that informs the system to be unblocked from the local computer, the S-505 sends the message to S-502.

S-502. Reads processing request messages generated by processes (threads) such as S-503, S-504, and S-505. Message processing from S-503 moves to S-506, and messages from S-504. Processing moves to S-507, and message processing from S-505 moves to S-511.

S-506. It moves to S-517 to extract the changed hardware storage and software details identified in S-503 and transmit the details to the data server.

S-507. The history of various application launches and a series of file operations, spilled data files, types of storage devices used, media types, including time information until information leaks among various data monitored by S-504. Extract data such as media serial number.

It also extracts network configuration information such as IP number, computer name, workgroup name, domain name, gateway, and DNS of the member's local computer.

S-508. Data integrity is set by configuring checksum logic such as encryption and CRC to prevent members from reading, manipulating, and changing data extracted from S-507. Of course, the encryption algorithm is diversified, and various encryption keys are also diversified and configured to be changed through the network if necessary. Through this encryption process, the member is absolutely not allowed to operate the log file. It also configures the logic that the administrator decrypts in preparation for the detailed log file request.

S-509. The detailed information of the tracked data is kept in the member's local computer. Afterwards, the administrator can analyze the contents of the file directly from a remote site, upload it to the administrator if necessary, maintain the detailed log file for a long time, and solve the capacity problem that may occur when sending the log file to the administrator computer. Stored in a compressed file. Of course, it also supports the log file retention period setting and the additional function to periodically back up the contents to the remote backup server. It also organizes the major leak data and other important resource information to be sent to the data server.

S-510. Set up the network and send it to S-517 to send the leaked data and other important resource information organized in S-509 to the designated data server or administrator computer.

S-511. If the administrator makes a service request for the detailed log file existing on the member's computer, the administrator moves to S-512.

S-512. The administrator can request the detailed log file within the period to be acquired by the detailed log processing unit (S-509) and bring the data therein. If necessary, the detailed log information after the decryption is performed in association with the encryption processing unit (S-508). You can also import The reason is that it is difficult to decrypt the encrypted log file on the administrator computer when the encryption key is changed and the encryption algorithm is changed several times. The log file thus obtained is moved to S-517 for data transfer.

S-513. If the administrator requests remote monitoring service for member's computer, go to S-514.

S-514. The data is configured to transfer the monitor screen and various computer setting information of the local computer to the administrator computer. Of course, the information can be transferred to the administrator's computer periodically, or automatically sent when the monitor screen of the local computer is changed. When the data is configured, go to S-517.

S-515. If the administrator requests the system lock service for the member's computer, go to S-516. Otherwise, go to S-500.

S-516. Special hotkey actions to completely block network and mouse movements and reboot the network and unblock the system, even if a reboot is performed, to completely block members from operating the computer if the administrator is confident that the information has been leaked. Only make it possible. It also restores all keyboard and mouse inputs to service requests to unlock the system. Then move on to the S-500.

S-517. If a member detects an interruption such as unplugging the network cable to change the information, changing the network setting to prevent communication, or moving to S-518.

S-518. Send an alarm sound, display a warning message on the screen by using a speaker inside the local computer, or perform warning message processing, and then go back to S-517.

S-519. Transfer data over network and move to S-500. FIG. 6 is a control flowchart of a data analysis processing system for analyzing and statistically processing various information received from member computers and notifying an administrator when necessary.

S-600. If the program ends, the program ends through S-601.

S-602. Collect resource information, information leakage, etc. received from member computers.

S-603. Store statistical data on the use of computer peripherals and storage media by members of the organization in a database.

S-604. If the information received from the member computer is the information leakage history and there is a security document in the data, go to S-605; otherwise, go to S-609.

S-605. If the leaked information includes a security document and is used by the authorized user to determine whether it is used by the authorized user, go to S-606. Otherwise, go to S-607.

S-606. If the leaked information is a security document, an authorized user, and is included within the authorized time, it is part of normal work, so go back to S-600, otherwise go to S-607.

S-607. If unauthorized information leakage occurs or hardware and software resources that require attention change, the facts are recorded in the database and used for tracking and legal grounds, and the S-608 is sent to notify the administrator. Of course, notification of resource changes may be suspended depending on the circumstances under which it is operating.

S-608. Notify the administrator according to the type set. Basically, important information such as information leakage, member personal information, network setting information, etc. is sent to the administrator computer so that the administrator can check it quickly. After contacting with a secondary communication such as S-600.

S-609. If hardware resource information related to the storage device is changed, or a program used to drive the storage device is changed, or a change is received that requires attention, the controller moves to S-607. If not, go to S-600.

7 is a control flowchart of the monitor console system that can check the various information received from the member computer or data server or, if necessary, to remotely monitor and query the statistical data of the organization as follows.

S-700. If the program ends, the program ends through S-701.

S-703 sends this information to S-702 when emergency information is received from the member computer or data server.

S-704 sends this information to S-702 when requested to execute various services through the user interface screen.

S-702. By reading processing request messages generated by processes (threads) such as S-703 and S-704, message processing from S-703 moves to S-705, and message processing from S-704 is S-706. Go to.

S-705. It informs the administrator that the emergency message has arrived in various forms. By default, the message is displayed visually on the screen, and voice and internal speakers also notify you of its arrival. Then move on to the S-700.

S-706. If a remote monitoring service request is made, go to S-707; otherwise, go to S-708.

S-707. After recognizing the arrival of the emergency message through S-705, the administrator can check through the remote monitoring whether the contents of the message occurred on the member's computer. The remote screen can be viewed directly from the administrator's computer and various system setting information can be monitored. Then move on to the S-700.

S-708. If it is a remote control request, move to S-709, otherwise, go to S-710.

S-709. Unauthorized information is stored in unauthorized storage media, and the detailed log files of S-711 are analyzed, and if it is determined that there is a risk of danger, the system can be shut down for a while to check its authenticity. This is because members may delete evidence files or format the operating system. Then move on to the S-700.

If it is a request for analysis processing, the detailed log file stored in the S-710 member computer is moved to S-711; otherwise, the log file is moved to S-712.

S-711 Receives detailed log files from the member computer within the period designated by the administrator, and allows the user to simulate the leakage process. In order to facilitate the analysis of the administrator, a timer is set so that the process can be automatically played, word and forward play in chronological order. Of course, detailed log files in separate backup systems or detailed log files in a member's computer can be directly analyzed without network transmission. Then move on to the S-700.

If it is a S-712 database search request, go to S-713; otherwise, go to S-700.

S-713 Various reports and searches are available. You can search the contents of information leaks, media usage, computer network setting changes, etc. within each member's period and search by demographic factors such as department, location, gender, position, etc. Do. In addition, various report outputs and various chart information can be viewed. Then move on to the S-700.

Due to the rapid development of networks and computer systems, all sectors of society are advanced and many tasks are performed through computer systems, which increases their productivity and efficiency, while exploiting those computers and investing in them over the years. Or business results, strategic business information, sales information, customer information, and various military, administrative, and personal information that should never be leaked are contained in a few simple computer tasks and small computer storage media and leaked to the outside without anyone knowing. The reality is that even if the situation is leaked in the future, it is very difficult to find out the person who leaked the information and to obtain evidence that can identify the leaked route and present it on a legal basis.

According to the present invention, information leakage through computer storage media, which occupies most of the information leakage, is monitored at the source, and the members raise awareness of security and prevent the leakage of the majority of information through offline storage media. Information security system can be established.

Claims (5)

In a system that automatically detects internal data existing on a local disk in a member computer and remote data on all wired and wireless networks accessible by the member computer to a storage medium through a secondary storage device attached to the local computer, the member computer is configured as follows. Includes a computer. All devices that can communicate, including desktop computers, floor-type computers, supermicro computers, minicomputers, portable computers such as laptop computers and palmtop computers, portable terminals such as PDAs and IMT2000 terminals, set-top boxes, and Brutus information devices Include them. Auxiliary storage devices include peripherals using removable storage media, including floppy, movable hard disks, CDRs, CDRW, DVDR, DVDRAM, MOD, Zip, Jazz, tape, and Flash Memory drives. The agent system of claim 1, wherein the agent system automatically detects and transmits unstructured data and a file history list to be stored when data is copied to a storage medium in the auxiliary storage device. A data analysis processing system for logging, statistically analyzing and processing information leakage data received from the agent system and determining whether to be authorized. Monitor console system for remote monitoring the confidential leakage received from the agent system or data analysis processing system and performs a detailed log analysis. The agent system of claim 2, further comprising: a resource management unit for identifying various hardware and software resources installed in the member computer and automatically detecting when the peripheral device is added or removed; Application startup, termination history and time information that was performed on the member computer until the data was stored in the secondary memory attached to the local computer and the internal data stored in the member computer and other data accessible through the wired / wireless network, and A data tracking unit that automatically captures a series of operations (copy, rename, delete, attribute change, etc.) on files and unstructured data processed in the application, an encryption processing unit that encrypts and checksums leaked contents, and A detailed log processing unit which compresses the encrypted data and stores it on the local disk, and extracts the detailed log file from the administrator upon request; An alarm processing unit for transmitting the extracted main leaked data information to a designated data server; A monitoring and interruption processing unit that detects a series of disturbing operations that prevent information transmission to a data server and performs auxiliary functions such as emergency signal computer system paralysis and auxiliary log file preparation for log file deletion; Remote monitoring processing unit that controls the local system when the administrator monitors the computer from a remote location, An information leakage monitoring method characterized by a system lock processing unit that performs an administrator's attempt to block the computer operation. The data analysis processing system of claim 2, further comprising: a data logging processing unit for storing information leakage history information received from the agent system of claim 3, and changes in hardware and software resources in a database or a file; A data statistics processing unit for processing various statistical data based on demographic factors such as media, location, department, rank, salary, age, and gender; A security data processing unit which judges whether there is a license for information leakage, security level, allowable time, etc., and handles changes in hardware and software resources to be noted; A data analysis processing method characterized by an alarm processing unit for notifying an administrator of an emergency message generated by the security data processing unit. A monitoring console system according to claim 2, further comprising: a remote monitoring unit that is notified of the information leakage received from the data analysis processing system of claim 4 and monitors the remote computer; Remote logging system that helps managers make immediate decision-making by analyzing and visualizing detailed information including information leakage process; A remote control unit that secures a computer that is suspected of having leaked and uses it as a legal basis, and sets a system lock to block operation of a remote computer system; Monitor console method characterized by a statistical search unit that can search, search and view demographic statistical data within the organization.