KR20060104270A - File security system for tracing history of file draining out - Google Patents

Abstract

The present invention is directed to a file security system for tracking file leak history. The system of the present invention comprises a security management subsystem and a plurality of security clients connected thereto. The security client collects a log of various actions performed on the file, including creation and deletion of a file on a user computer, and transmits the log to the security management subsystem. Then, the security management subsystem databases the transmitted log and provides a history of file leakage when requested by the security manager. Further, the security client logs the user's application and website usage history and sends it to the security management subsystem. Then, the security management subsystem analyzes the work efficiency of a specific user and provides it to the security manager. In addition, when there is a print request for a file, the security client creates a log including a printed image to be drawn and transmits it to the security management subsystem. Then, the security management subsystem provides the print content of a specific file in the form of an image file when the security manager requests it. According to the present invention, there is an effect that allows members of the company to drive voluntary enforcement of file security.

Description

File Security System for Tracing History of File Draining Out}

The following drawings attached to this specification are illustrative of preferred embodiments of the present invention, and together with the detailed description of the invention to serve to further understand the technical spirit of the present invention, the present invention is a matter described in such drawings It should not be construed as limited to.

1 is a schematic system configuration diagram of a file security system according to an embodiment of the present invention.

Fig. 2 is a data structure diagram created to track the history of file leakage.

3 is a flowchart for calculating a file leakage history.

4 is an exemplary diagram of a file leakage history represented in a graphical interface.

5 is a flowchart illustrating a process of deleting unnecessary screen logs to reduce the capacity of a database.

6 conceptually illustrates an unnecessary screen log deletion process.

7 is a diagram illustrating a process of continuously playing back a plurality of screen image files captured before and after a specific file action point in time.

8 is an exemplary diagram of work efficiency analysis data of a specific user.

The present invention relates to techniques related to information security and auditing at an intranet level, and to a system for tracking and auditing the history of external leaks of files requiring security.

In recent years, files containing information requiring security have been leaked to the outside by malicious parties and are emerging as social problems. Representative examples include leakage of customer information by employees of credit card companies, leakage of celebrity privacy information by advertising agencies, and leakage of customer account information by bank employees.

Once leaked, the illegal file is spread quickly through the Internet. Therefore, even if the file leaker is cracked down and punished, it is impossible to recover or delete the leaked file completely. Therefore, the sequelae of leaking illegal files has to be serious for a long time. In addition, there is a problem that if the illegally leaked file is used for criminal purposes, a good cause of damage occurs.

On the other hand, with the rapid development of information and communication technology, many people are accustomed to exchanging data using messengers, mail programs, etc. while working in the company.

However, the problem is that the above program is used as a tool for leaking illegal files. Of course, the company may inherently prohibit the use of such programs. However, some programs are indispensable for business use, and it is not desirable to prevent the use of the above programs during non-working hours (eg, breaks), giving a sense of privacy control.

On the other hand, another means of illegal file leakage includes removable storage media such as floppy disk, CD-ROM, USB flash memory. In order to prevent illegal leakage of files containing security information, the use of these removable storage media should also be banned. However, considering the practical use, it is not a realistic solution to completely prohibit the use of removable storage media.

Rather, voluntary coercion of company members is the most important for information security inside the company. In other words, the company members themselves need to be aware of the security of their information. The reason is that even if a company has a security system in place, data leakage will occur in any form as long as company members have the intention of data leakage.

There is currently no systemized tool for driving voluntary coercion of company members. Usually, in-house security training emphasizes the security awareness of company members. However, the coercion of education depends solely on the ethics of the company's employees, so it has no choice but to show its limitations.

Therefore, the present invention was devised to solve the above-mentioned problems of the prior art, and even if the internal members do not control the use of various programs or removable storage media that may be used for illegal leakage of files, the internal members may leak out of files by voluntary motivation. The aim is to provide a system that can effectively enforce prevention.

The file security system according to the present invention for achieving the above technical problem, and a security management subsystem, and a security client connected to the security management subsystem via a network and installed in a plurality of user computers respectively.

The security client may (a1) generate a file action associated with a create, write, rename, copy, move, or delete file on a user's computer. A first agent hooking the file system to create and store a file action log including a user computer ID, an action occurrence time point, a file name, a source path and / or target path of the file, an action name, and a copy of the file data; (a2) When a file leakage action is attempted in the form of a file attachment through an application driven by the user's computer, the message transmitted to the operating system is hooked to the user computer ID, an action occurrence time, a file name, a file source path and a target path, And a second agent for creating and storing an application leakage action log including a copy of the file data; (a3) a third agent that periodically captures the screen of the user computer to generate an image file, and then periodically creates and stores a screen log including a user computer ID, a capture time, and a screen image file; (a4) When a file print action is attempted through an application running on the user's computer, a message is sent to the operating system for printing to hook a user computer ID, a print request time, a printed file name, a file source path, and a file. A fourth agent for creating and storing a print action log including a copy of the data; (a5) When an action occurs in which the file is leaked to an external network through a network communication program in the user computer, the message transmitted to the operating system is hooked up to communicate with the user ID, leak time, leaked file name, file A fifth agent for creating and storing a communication leakage action log including a source path, a target path of the file, and a copy of the file data; And (a6) a sixth agent which transmits various logs created and stored by the agents to the security management subsystem.

The security management sub-system may include: (b1) first sub-system means for storing various logs transmitted by the communication agent in a database; (b2) a second sub that calculates and provides chronologically the history until a predetermined file is generated and leaked to the outside by referring to a file action log, an application leak action log, a print log, and a communication leak action log stored in the database; System means; And (b3) third sub-system means for deleting the screen log created at the remaining time except for a predetermined time interval including various log creation time points related to the file action among the screen logs stored in the database.

Alternatively, the deletion of unnecessary screen logs may be performed by the security client. In this case, the agent that creates the screen log collects information on the time of action occurrence, which is the basis of log creation, from each agent. The screen log including the captured screen image file other than the predetermined time interval including the action occurrence time point is selectively deleted by referring to the collected action occurrence time information. Here, the action refers to an action related to a file leak that may be included in the file leak history. In this case, the agent sending the log to the security management subsystem selectively transmits only the log in which unnecessary screen log is deleted. In this case, the third sub system means may not be provided.

Preferably, the security management subsystem includes a fourth subsystem means for receiving a security policy level defining a type of action for which a log should be written from a security manager, storing it in a database, and propagating the security policy level to each security client. It further includes; each agent writes a log when an action recorded in the propagated security policy level is triggered.

Preferably, the security management subsystem further comprises: a fifth sub-system means for continuously playing back a plurality of screen image files captured for a predetermined time interval including a predetermined time point for generating an action.

Here, the predetermined action occurrence time point is a group consisting of a file creation time, name change time, copy time, moving time point, read time point, deletion time point, print time point, file attachment time point and file leakage time point by communication. It includes any one selected from or a combination thereof.

Preferably, the security management sub-system further includes a sixth sub-system means for receiving a work efficiency management policy including security program identification information and a list of URLs of a work website from a security manager in a database. In this case, the security client monitors an application process running on the user computer, generates and stores an application usage log including the identification information of the running application, the user computer ID, and the application usage time, and executes it on the user computer. And an eighth agent that hooks up an address input from an advanced web browser to generate and store a website usage log including a user computer ID, a URL, and a website connection maintenance time. The sixth agent may use the application. Send a log and the website usage log to the security management subsystem.

Preferably, the security management sub-system, the seventh sub-system means for calculating the relative usage ratio of the application and the website usage log and the website usage log in accordance with the work efficiency management policy to provide the relative percentage of the application and the website; It further includes;

In some cases, the print action log further includes a to-be-printed image file whose file contents are illustrated. In this case, the security management subsystem further includes an eighth sub-system means for providing the printed image file to a security manager. In terms of enhanced security, a security banner may be synthesized in the printed image file.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Prior to this, terms or words used in the specification and claims should not be construed as having a conventional or dictionary meaning, and the inventors should properly explain the concept of terms in order to best explain their own invention. Based on the principle that can be defined, it should be interpreted as meaning and concept corresponding to the technical idea of the present invention. Therefore, the embodiments described in the specification and the drawings shown in the drawings are only the most preferred embodiment of the present invention and do not represent all of the technical idea of the present invention, various modifications that can be replaced at the time of the present application It should be understood that there may be equivalents and variations.

1 is a schematic structural diagram of a file security system for tracking file leakage history according to an embodiment of the present invention.

The system of the present invention is largely composed of a security management subsystem 10 and a plurality of security clients 20 connected thereto via a network 50. Preferably, the network 50 is an intranet within a company, separate from an external wide area network, such as the Internet. The network is separated by a router and a firewall (not shown).

The security client 20 is installed on each computer 30 used by members of the company for work. When the client 20 is installed, a user computer ID registered in the security management subsystem 10 is registered in the user computer 30. Preferably, the user computer ID is encrypted and stored in a registry referenced by the operating system of the user computer 30 for security. However, the present invention is not limited thereto.

Files that need to be secured in the company are created by a specific operator. And it is replicated from the specific user computer 30 to the specific user computer 30 via the network 50. At this time, the name of the file may be changed, printed or edited. It is also copied / moved to removable storage media such as CD-ROMs, floppy disks and USB flash memory.

On the other hand, sharing files only inside the intranet does not cause a big problem. The problem is that a file containing security information is leaked or printed out through e-mail, messenger, file attachment on a website, FTP network communication program, etc. and then exported out.

To prevent the above problems, you must completely prevent the use of programs that cause file leaks. However, this policy is not preferred is already described in the prior art. Therefore, the present invention intends to propose a means for spontaneously forcing users to file security without significantly affecting the use of various programs utilized in the business.

That is, the present invention provides a means for tracking and auditing the entire process from file creation to leakage to the outside (either in the form of a file or in the form of a document). In this way, when a file is illegally leaked, not only the searcher of the final leaker, but also who created the file initially, and how the file was moved and replicated to reach the final leaker, who printed the contents of the file and when I can tell.

Therefore, when the system of the present invention is applied to the company's intranet, the anonymity is no longer guaranteed, so the company members themselves pay attention to file security with caution.

Then, a more specific configuration of the present invention will be described.

1, the security client 20 is installed on a user computer 30 on which a Windows operating system is installed, and is composed of several agents. Of course, the technical scope of the present invention is not limited to the type of operating system.

Specifically, reference numeral 60 denotes a file agent, reference numeral 70 denotes an application agent, reference numeral 80 denotes a screen capture agent, reference numeral 90 denotes a print agent, reference numeral 100 denotes a network agent, and reference numeral 110 denotes a communication agent.

The agents are forcibly executed regardless of the user's intention by a service 130 registered in the Windows operating system. In addition, the service 130 communicates with each agent 60 to 110 periodically to check its execution state and if there is no response, re-executes the corresponding agent.

The service 130 is driven together when the operating system is driven. And watched by watch dog 140. The watchdog 140 executes the service 130 again when the service 130 is terminated.

The file agent 60 may be created, read, written, or renamed in a file browser such as Windows Explorer by a specific application on the user computer 30. When a file action such as a copy, a move, or a delete occurs, the file action message transmitted to the operating system's file system is hooked to the user's computer ID, when the action occurs, and the file name (file name change). , The file name after the change), the source and / or target path of the file, the action name (create, write, rename, copy, read, move, delete, etc.), the process name and process path that caused the file action, Create a file action log containing a copy of the file data and save it in a specific directory. When creating a file action log, the file agent 60 obtains a user computer ID by referring to a registry (hereinafter, the same). Meanwhile, the file action log stored in a specific directory is transmitted to the security management subsystem 10 by the communication agent 110.

Further, when the file agent 60 reads a specific file in an application for various document creation, coding, image work, etc., the file agent 60 transfers the name and storage path of the read file to the application agent 70 which will be described later.

The file source path refers to a file path where a file is generated when a file is generated, and refers to a file path where an original file is located when copying, reading, deleting, renaming, or moving a file. The file target path refers to a file path in which a file is stored as a result of a file action when a file is copied, renamed, or moved.

The file source path and the target path include a storage medium (hard disk) inside the user computer 30; Various known removable storage media such as floppy disk, CD-ROM, USB flash memory; Or a network drive assigned to a mass storage medium on the network 50.

The application agent 70 hooks a message that a web browser, a messenger, a mail program, etc. executed in the user computer 30 delivers to the operating system to leak (attach) the file to the external network. And the user computer ID (see registry) where the leak occurred, when the leak action occurred, the file name, the file source path (storage reference path) and target path (external source path) of the file, the name and path of the process that caused the leak, and Create an application leakage action log that contains a copy of the file data and store it in a specific directory. Logs stored in a specific directory are sent by the communication agent 110 to the security management subsystem 10.

Coding programs, such as Web authoring tools, on the other hand, have their own ability to upload (i.e. leak) certain work files to a remote repository outside the intranet. At this time, it is difficult to know which files are uploaded to the remote repository when there are a plurality of working files.

To this end, the application agent 70 receives file information (file name, storage path) from the file agent 60 whenever a plurality of files are read. In addition, the program hooks a message to the operating system for file upload and creates an application leak action log. The leak agreement is made for all files that the program leads, and an application leak action log is created.

The screen capture agent 80 periodically captures a screen of the user computer 30 to generate a screen image file. For each screen captured, a screen log containing the user's computer ID, screen capture time, and image file is created and stored in a specific directory. The logs stored in the specific directory are transmitted by the communication agent 110 to the supplemental management subsystem 10.

When the print agent 90 attempts to print a file through an application driven by the user computer 30, the print agent 90 hooks a print message transmitted to the operating system to display a user computer ID, a print request time, a printed file name, and a file. Create a print action log containing a copy of the source path and file data and save it in a specific directory. Preferably, the print action log further includes a to-be-printed image drawing the file contents. In this case, the print agent 90 may synthesize a security banner (security mark) on the printed image to enhance security. Logs stored in a specific directory are sent by the communication agent 110 to the security management subsystem 10.

The network agent 100 hooks a message that a network communication program (terminal service, telnet service, FTP service, etc.) sends to a network driver in a user computer 30 to transmit a file to an external network. When the message is hooked, the network agent 100 identifies the user computer ID (reference in the registry) that leaked the file, the time of the leak, the leaked file name, the source path of the file (storage path reference path), and the target path of the file (external transmission destination). Path), the process and process path that caused the leak, and a copy of the communication leak action log, which contains a copy of the file data, is created and stored in a specific directory. Logs stored in a specific directory are sent by the communication agent 110 to the security management subsystem 10.

Next, the security management subsystem 10 of the present invention will be described in detail.

The security management subsystem 10 includes several subsystem means as shown in FIG.

Specifically, reference numeral 150 denotes a DB means, reference numeral 160 denotes a screen log deletion means, reference numeral 170 denotes a file leakage tracking means, reference numeral 180 denotes a security policy management means, reference numeral 190 denotes a screenlog reproducing means, reference numeral 200 Is the efficiency management tool.

Here, reference numerals 170 to 200 are preferably implemented in the form of a web server. Accordingly, the security manager may input various information required to manage the security management subsystem 10 by communicating with reference numerals 170 to 200 by running a web browser on the computer 220. And various security audit data related to file leakage are provided.

The DBization means 150 accumulates and stores various logs transmitted by the communication agent 110 in the relational database DB. Preferably, all logs related to file creation, storage, renaming, copying, moving, deleting, external leakage, and printing are stored in the file history table of the database DB. This is to easily track the history of file leaks. The screen log is stored in a screen log table separate from the file history table.

The screen log deleting means 160 is a file log creation time, storage time, read time, name change time, deletion time, copy time, moving time, external outflow time, printing time, etc. Delete all screen logs collected at a time other than a predetermined time interval t _{0 ± Δt} including a time point t _{0 that} is directly / indirectly associated with the outflow. This can reduce the wasted capacity of the database table where the screen log is stored. The screen log deletion task may be set to be periodically performed at a specific time zone (for example, dawn time) outside of business hours.

The file leakage tracking means 170 receives a file leakage history investigation request by the name of a file from the computer 220 of the security manager through the web. For example, a security manager is asked to investigate a leak history of a file named 'x file'.

Then, the file outflow tracking means 170 tracks the history of the corresponding file by referring to the file history table of the database DB. Then, the file creation history, name change history, copy history, move history, deletion history, read history by the application, move history in the intranet, copy history to the portable storage medium, and external leakage history are displayed in chronological order. After the calculation is output to the computer 220 of the security manager. When the history of the file is output, the security manager can pinpoint the leak path of the file.

The security policy management unit 180 receives at least one security policy level from a security manager and stores the same in a security policy table of a database. Furthermore, after selecting a specific security policy level to be applied to each user from the security administrator, it is stored in the security policy table of the database. At this time, the security policy level may be set for each user and for each group. If the security policy level is stored for each user and / or group, the security policy management means 180 propagates the security policy level assigned to each security client 20.

The security policy level includes a setting for which of the actions performed on the user computer 30 is to be monitored. The monitored action includes copying, storing, reading, renaming, moving and deleting files using a hard drive of a computer itself, various removable storage media or a network drive, attaching a file from a web page, attaching a file from a mail program, or messenger. File attachment by, application by remote storage file upload by file, and file transfer by communication network program, or any combination thereof. The security policy level increases as the number of monitored objects increases.

The security policy level propagated to the security client 20 is encrypted and registered in the registry of the user computer 30. In addition, when various actions that generate a log are generated with reference to the registered security policy level, the security client 20 generates a corresponding log and transmits the generated log to the security management subsystem 10.

The screen log reproducing means 190 receives a request for continuous replay of the screen capture data of the user computer 30 at the time when a specific action is triggered for a predetermined file by the security manager, and inquires of the screen log table of the database. A plurality of screen images captured during a predetermined time interval t _{0 ± Δt} including the time t ₀ when an action is induced are read out and continuously reproduced at predetermined time intervals. Accordingly, the security administrator can more accurately confirm that a particular action actually took place on the user's computer 30.

The work efficiency management means 200 receives the identification information (execution file name or execution process name) of the work program and the URL list of the work website from the computer 220 of the security manager, and the work efficiency analysis factor of the database (DB). Save to a table.

On the other hand, the security client 20 further includes a work efficiency analysis agent 120 corresponding to the work efficiency management means 200. The work efficiency analysis agent 125 counts the time until the end of use when various applications are executed on the user computer 30, and then uses the user computer ID, application identification information (executive file name or execution process name), and use. Create a business analysis log containing the time and save it in a specific directory. If the application is a web browser, the business analysis log further includes URL information accessed by the user.

The business attendance log stored in the specific directory is transmitted to the security management subsystem 10 by the communication agent 110. When the work analysis log is transmitted, the DBization means 150 stores the work analysis log in a user-specific work analysis table of the database DB.

On the other hand, the work efficiency management means 200 receives the work efficiency analysis request of a specific user from the security manager computer 220, and extracts the work analysis log of the specific user contained in the work analysis table for each user of the database. Then, the user's time to use the program and the time to use the website are calculated by referring to the identification information of the work program and the URL list of the work website included in the previously established work efficiency analysis factor table. The result is calculated as a relative percentage and output to the computer 220 of the security manager. Then, the security manager can check not only the file leakage history but also the business utilization of various programs and websites, and can be used to establish a policy for improving the company's work efficiency.

Figure 2 illustrates the data structure of the file history table built in the security management subsystem. In FIG. 2, only relevant logs are extracted and displayed for convenience of understanding, but in the actual table, different file action logs are included between each log shown in FIG. 2. For example, in FIG. 2, file action logs corresponding to log ids 26293 to 26306 exist between log id 26292 (first record) and log id 26307 (second record).

In the figure, field 'id' is a record identification code, field 'agentid' is a user computer ID, field 'fname' is a file name to be subjected to a file action, and field 'path' is a file to which a file action is applied. Source path, field 'action' is the specific description of the file action, field 'target' is the file name of the result of the action being applied when the file is renamed or duplicated, and field 'targetpath' is the name of the result of the action being applied. The target path where the file is located, the field 'processname' is the executable file name of the application that caused the file action, and the field 'processpath' is the executable file path of the application.

FIG. 3 is a flow chart showing in detail the process until the history of the file "X file not. Ppt" leaked to the outside in the data structure illustrated in FIG. 2 is tracked and provided to the security manager.

2 and 3, the security manager first logs in to the security management subsystem 10 through the web (S10). And the file outflow tracking means 170 is called through the web (S20). Then, the security manager inputs a file name (x file not .ppt) to track the history in the user interface provided by the file outflow tracking means 170 (S30). Preferably, the file extension may not be entered.

Then, the file outflow tracking unit 170 checks the file name field (fname, target) of the file history table and checks whether there is at least one log including the file name input by the security manager (S40). As a result, if there is no log, an error message is output (S50). On the contrary, if there is a log, the most recent log is identified (S60). 2, the most recent log is id 26444. Then, the file name field (fname, target) is queried in the reverse order of history based on the identified log to construct a linked list (S70). Referring to FIG. 2, the connection list is represented by the log id, which is 26292-> 26307-> 26318-> 26384-> 26417-> 26418-> 26420-> 26444.

When the connection list is configured, the file leakage tracking means 170 analyzes the log contents in the order of the connection list, creates a leak history of the file in a graphic interface, and outputs it to the security manager's computer 220 (S80). Quit.

4 is a file outflow history represented in a graphical interface.

Referring to Figure 4, the security manager can know the following facts. User # 6 creates a file called 'Ad model DB building.ppt'. Created at 9:31 on path 'C: / document'. And at 9:32 I changed the file name to 'X file.ppt'. Then, I copied a file called 'X file.ppt' to the network folder '// networkfolder' at the same 10:10.

On the other hand, user # 2 was 2005.2.15. At 10:21, 'X file.ppt' was copied from the network folder to 'D: / downloads /' and printed at 11:01. The file was renamed 'X file not.ppt' at 12:00 on the same day, and the file was sent as a mail file at 9:10 the next day. He also copied the files to his removable disk at the same date as the mail delivery date.

Therefore, the security administrator can grasp the above facts and hold user # 2 and # 6 accountable for file leakage. Realizing the company's security policy by tracking the leakage history of these files allows company members to voluntarily comply with the file's security.

5 is a flowchart illustrating a process of arranging unnecessary screen logs in the screen log table of a database DB provided in the security management subsystem.

Referring to FIG. 5, the screen log deleting means 160 checks whether a scheduled time has arrived (S100). If it is determined that it has arrived, 1 is set to the user computer serial number N (S110). Then, the log list of the user computer # 1 is read out of the logs contained in the file history table of the database (S120). At this time, the ID of user computer # 1 is used. Then, the screen log table is queried for a predetermined time interval (t _{0 ± Δ} t) including an action occurrence time (t ₀ ) for each log acquired in step S120 among the screen image logs captured by the user computer # 1. All unnecessary screen logs acquired at the remaining time except for deletion are deleted (S130).

6 conceptually illustrates step S130. Referring to Fig. 6, screen image logs (indicated by 53 blocks in total) obtained from user computer # 1 are listed. Deleting the unnecessary screen log at step S130, for example, deletes all screen logs except for the screen log (shaded) obtained in the interval 2 △ t based on a plurality of file action occurrence times (t ₁ to t ₄ ). Say that.

Returning to the flowchart again, when the deletion of the unnecessary screen log is completed in step S130, it is determined whether N is less than the total number of user computers (S140). If small, N is increased by 1 and the process proceeds to step S120 (S150). Conversely, if N is equal to or greater than the total number of user computers, the deletion of unnecessary screen logs is terminated.

If you clean up the unnecessary screen log through the above process, it is possible to prevent the database (DB) space is wasted.

In alternative embodiments, the security client 20 may be responsible for deleting unnecessary screenlogs of the present invention. In this case, the file agent 60 and the application agent 70 of the security client 20 have an action related to file leakage such as file creation, storage, renaming, copying, moving, deleting, external leakage, printing, and the like. Each time is generated, each action occurrence time point information is transmitted to the screen capture agent 80. Of course, apart from this process, the screen capture agent 80 periodically creates and accumulates the screen log.

The screen capture agent 80 also periodically checks the accumulated stored log logs and includes a predetermined time interval t _{0 ±} including a plurality of action occurrence times t ₀ delivered by the file agent 60 and the application agent 70. _△ t) to delete all log screens containing the screen image captured at the time other than. When the deletion is completed, the referenced action occurrence time information is deleted. For reference, deleted screen logs are unnecessary logs that are not directly related to file leakage. Then, the screen logs, which have been inspected, are stored in a specific directory referred to by the communication agent 110. Accordingly, the communication agent 110 transmits the stored screen log to the security management subsystem 10. In this case, since only screen logs related to file leakage are selectively stored in the screen log table of the database DB, the screen log deleting means 160 does not need to be operated separately in order to delete unnecessary screen logs. Unnecessary screen log inspection, deletion, and transmission processes as described above are repeatedly performed at regular intervals.

FIG. 7 conceptually illustrates a process in which the screen log reproducing unit 190 continuously reproduces a screen image captured for a predetermined time interval based on a time point when a specific file action is performed. For reference, FIG. 7 is an example in which user # 2 captures and reproduces a screen for printing a 'X file. Ppt' file in FIG. 5.

The screen log reproducing means 190, when the security manager requests the continuous reproduction of the user computer screen captured during the file printing process on the file leakage history as shown in Figure 5, the screen log table of the database (DB) After reading a plurality of image files among the recorded screen image files, the plurality of image files are continuously output to the security manager's computer 220 at predetermined time intervals as shown in FIG. 7. For convenience, only two screen shots are illustrated. Then, the security administrator can clearly see what has been done on the screen of the user computer 30 before and after the specific file action point in time.

8 is a work efficiency analysis screen of a specific user provided by the work efficiency management means 200. Referring to the drawings, it is possible to grasp the usage rate of the various programs used by the user and the website visit rate, thereby analyzing the work efficiency of the user.

Meanwhile, in the above-described embodiment of the present invention, when a file action occurs in the user computer 30, a method of storing the file data copy itself in the security management subsystem 10 is adopted. The reason for storing a copy of the file data is to obtain evidence of file leakage.

However, the present invention is not limited thereto. For example, the present invention outputs a warning message to the user when a file action is attempted without storing a copy of the file in the security management subsystem 10, or transmits a mail containing the warning message to the user's mail account or user computer. It is possible to take measures such as stopping the operation of the keyboard or the mouse. It is determined by the security administrator whether the above warning measures are taken based on what criteria, and the related contents are reflected in the security policy level and propagated to the security client 20.

Furthermore, the printed action log stored in the security management subsystem 10 of the present invention may include a printed image. In this case, the security management subsystem 10 may provide the security manager with the printed content in the form of an image file through a print action if requested by the security manager. The security administrator can then remotely see what the user actually printed.

As described above, although the present invention has been described by way of limited embodiments and drawings, the present invention is not limited thereto and is intended by those skilled in the art to which the present invention pertains. Of course, various modifications and variations are possible within the scope of equivalents of the claims to be described.

According to the present invention, when a file containing security information is leaked to the outside, the path through which the file is leaked can be determined. Therefore, if the technology according to the present invention is applied to a company's intranet, company members voluntarily endeavor to secure the file.

The present invention captures the screen output from the user computer for a predetermined time before and after the time when the file action occurs in the form of an image file, so that when the file leakage occurs, the responsible person can be more clearly identified.

The present invention can analyze not only the history of file leakage but also analyze the work efficiency of company members, and based on this, it is possible to establish and execute a work management policy that can maximize the work efficiency of the entire company.

Since the present invention can include the printed image in the print log, the security administrator can remotely check what the user outputs.

Claims (9)

A file security system comprising a security management subsystem and a security client connected to the security management subsystem via a network and installed in a plurality of user computers, respectively, The security client, (a1) Hooking the file system when a file action occurs on the user's computer that involves creating, saving, renaming, copying, moving, or deleting a file. A first agent for creating and storing a file action log including a user computer ID, an action occurrence time point, a file name, a source path and / or target path of the file, an action name, and a copy of the file data; (a2) When a file leakage action is attempted in the form of a file attachment through an application driven by the user's computer, the message transmitted to the operating system is hooked to the user computer ID, an action occurrence time, a file name, a file source path and a target path, And a second agent for creating and storing an application leakage action log including a copy of the file data; (a3) a third agent that periodically captures the screen of the user computer to generate an image file, and then periodically creates and stores a screen log including a user computer ID, a capture time, and a screen image file; (a4) When a file print action is attempted through an application running on the user's computer, a message is sent to the operating system for printing to hook a user computer ID, a print request time, a printed file name, a file source path, and a file. A fourth agent for creating and storing a print action log including a copy of the data; (a5) When an action occurs in which the file is leaked to an external network through a network communication program in the user computer, the message transmitted to the operating system is hooked up to communicate with the user ID, leak time, leaked file name, file A fifth agent for creating and storing a communication leakage action log including a source path, a target path of the file, and a copy of the file data; And (a6) a sixth agent configured to transmit various logs created and stored by the agents to the security management subsystem. The security management subsystem, (b1) first sub-system means for storing various logs transmitted by the communication agent in a database; (b2) a second sub that calculates and provides chronologically the history until a predetermined file is generated and leaked to the outside by referring to a file action log, an application leak action log, a print log, and a communication leak action log stored in the database; System means; And (b3) third sub-system means for deleting the screen log created at the remaining time except for a predetermined time interval including various log creation points related to the file action among the screen logs stored in the database. system. The method of claim 1, The security management subsystem, A fourth subsystem means for receiving a security policy level defining a type of action for which a log should be written, stored in a database, and propagating the security policy level to each security client. Each agent writes a log when an action recorded in the propagated security policy level is triggered. The method of claim 1, wherein the security management subsystem, And a fifth sub-system means for continuously playing back the plurality of screen image files captured during a predetermined time interval including a predetermined time of action occurrence. The method of claim 3, The predetermined action occurrence time is selected from the group consisting of a file creation time, a name change time, a copy time, a movement time, a read time, a deletion time, a print time, a leak time by attaching a file, and a file leak time by communication. File security system comprising any one or a combination thereof. The method of claim 1, The security management subsystem, A sixth sub-system means for receiving a work efficiency management policy including a work program identification information and a list of URLs of a work website from a security manager and storing the work efficiency management policy in a database; The security client, Monitors the application process running on the user's computer, generates and stores an application usage log including the identification information of the running application, the user's computer ID, and the application's usage time. And an eighth agent for generating and storing a website usage log including a user computer ID, a URL, and a website connection maintenance time. And the sixth agent transmits the application usage log and the website usage log to the security management subsystem. The method of claim 5, wherein the security management subsystem, And a seventh sub-system means for classifying the application usage log and the website usage log according to the work efficiency management policy to calculate and provide a business use ratio of the application and the website as a relative percentage. Security system. The method of claim 1, The print action log further includes a print image file in which file contents are drawn, The security management subsystem further comprises: an eighth sub-system means for providing the printed image file to a security manager. The method of claim 7, wherein And a security banner is synthesized in the printed image file. A file security system comprising a security management subsystem and a security client connected to the security management subsystem via a network and installed in a plurality of user computers, respectively, The security client, (a1) Hooking the file system when a file action occurs on the user's computer that involves creating, saving, renaming, copying, moving, or deleting a file. A first agent for creating and storing a file action log including a user computer ID, an action occurrence time point, a file name, a source path and / or target path of the file, an action name, and a copy of the file data; (a2) When a file leakage action is attempted in the form of a file attachment through an application driven by the user's computer, the message transmitted to the operating system is hooked to the user computer ID, an action occurrence time, a file name, a file source path and a target path, And a second agent for creating and storing an application leakage action log including a copy of the file data; (a3) When a file print action is attempted through an application running on the user's computer, a message is sent to the operating system for printing to hook a user computer ID, a print request time, a printed file name, a file source path, and a file. A third agent for creating and storing a print action log including a copy of the data; (a4) When an action occurs in which the file is leaked to the external network through a network communication program, the user computer hooks a message transmitted to the operating system for communication, thereby identifying the ID, leak time, leaked file name, and file name of the user computer. A fourth agent for creating and storing a communication leakage action log including a source path, a target path of the file, and a copy of the file data; (a5) The screen of the user's computer is periodically captured to generate an image file, and then a screen log including the user's computer ID, capture time, and the screen image file is created and stored. A third agent selectively deleting the screen log including the captured screen image file in addition to a predetermined time interval including the action occurrence time point with reference to the generated action occurrence time information; And (a6) a sixth agent configured to transmit various logs created and stored by the agents to the security management subsystem. The security management subsystem, (b1) first sub-system means for storing various logs transmitted by the communication agent in a database; And (b2) referencing the file action log, the application leak action log, the print log, and the communication leak action log stored in the database, and calculating and providing a history in a time sequence until a predetermined file is generated and leaked to the outside. And a second sub-system means.

Images