KR20230100850A - File copy leakage prevention method - Google Patents

Abstract

The present invention relates to a file copy leakage prevention method, and more particularly, to a file copy leakage prevention method that minimizes the processing load of a client computer while blocking unauthorized copying or/and moving of confidential files for confidential file protection. it's about
According to an embodiment of the present invention, detecting whether a copy or move event for a file occurs in a user device; calculating a hash value of the file when the copy or move event is detected; generating a random character string as a symmetric key for the file; encrypting the file with the symmetric key; Transmitting the hash value and the symmetric key of the file to a server; Receiving whether or not a confidential file is received from the server; If the file is a confidential file: deleting the file; and when the file is a general file: decrypting the file.

Description

File copy leakage prevention method}

The present invention relates to a file copy leakage prevention method, and more particularly, to a file copy leakage prevention method that minimizes the processing load of a client computer while blocking unauthorized copying or/and moving of confidential files for confidential file protection. it's about

Confidential technologies of companies are protected by relevant laws such as the Trade Secret Protection Act and the Industrial Technology Leakage Prevention Act. However, despite being protected by the law, leaks of corporate secrets are increasing every year. As a result of the investigation by the Korea Industrial Technology Protection Association, the annual average economic damage to industrial secrets is 50 trillion won, which is similar to the annual sales of thousands of SMEs.

Leakage of industrial secrets can cause serious damage not only to the competitiveness of countries and companies, but also to the economy. Most companies find it difficult to respond to confidential leaks because they lack a separate organization, manpower, and budget to prevent leaks. In particular, it is necessary to thoroughly block the exposure of military secrets to the outside because leaking military secrets can affect not only national security but also national security if it occurs even once.

EDLP, a technology to prevent such confidential leakage, consists of: Detect Agent, Server, and Database. The function of Detect Agent detects and blocks the user's event activity according to the policy and transmits the event activity information to the server. The function of the server stores the event activity information detected by the Detect Agent in the database. The function of the database is to store the information on the event activity of the detect agent and transmit the result of the detect agent information to the server. The configuration diagram of EDLP is shown in FIG. 19 .

Kyoo Jin Shin, “Internal Information Leakage Prevention System through Hadoop-based User Behavior Analysis”, Daejeon University, (2018).

The problem to be solved by the present invention is to minimize the system load and to improve the accuracy by analyzing and determining the signature rather than classifying the file only by the extension, in order to solve the limitations of the conventional confidential leakage prevention technology as described above. It is to provide a way to prevent file copy leakage.

The present invention, in order to solve the limitations of the conventional confidential leakage prevention technology as described above, detecting whether a copy or move event for a file occurs in a user device; calculating a hash value of the file when the copy or move event is detected; generating a random character string as a symmetric key for the file; encrypting the file with the symmetric key; Transmitting the hash value and the symmetric key of the file to a server; Receiving whether or not a confidential file is received from the server; If the file is a confidential file: deleting the file; and when the file is a general file: decrypting the file.

In addition, the step of transmitting the hash value and the symmetric key of the file to the server: converting the hash value and the symmetric key of the file into JSON format; Encrypting [hash value and symmetric key of a file in JSON format] with the public key of the server; and transmitting [a hash value of an encrypted JSON-type file and a symmetric key] to the server.

Then, when the server is initially set, generating a public key and a private key of the server; waiting for a client to connect; sending a public key to the client; Receiving a hash value and a symmetric key of a file from the client; querying a database for a hash value and a symmetric key of the file; and transmitting to the client whether or not the confidential file is in accordance with the database query result.

In addition, the step of waiting for the connection of the client includes: dynamically creating a thread when the client accesses the server, and the step of querying the database for the hash value and the symmetric key of the file: Decrypting the [hash value and symmetric key of the encrypted JSON-type file] received from the server with the private key of the server; and querying the database by parsing the hash value and the symmetric key of the decrypted JSON-formatted file. Encrypting with the public key of the client and transmitting to the client; may include.

In addition, in a file copy leakage prevention system including a client, a server, a management module, and a database: a file copy leakage prevention system using the above file copy leakage prevention client control method or/and file copy leakage prevention server control method provides

According to an embodiment of the present invention, it is possible to minimize the processing load of a user device (PC, etc.) in which a confidential file leakage prevention program is installed.

In addition, the accuracy of document security can be improved by analyzing and determining the signature instead of classifying files only by extension.

In addition, confidentiality can be improved by comparing and comparing the hash value of the file itself, rather than determining by extracting a string in a file or an image in a file that is assumed to be a confidential document file.

1 is a block diagram of a file copy leakage prevention system (FCLPS) according to an embodiment of the present invention.
2 is a data flow diagram of a file copy leakage prevention system according to an embodiment of the present invention.
3 is an operation flowchart of a file copy leakage prevention system management module according to an embodiment of the present invention.
4 is pseudo code of a file copy leakage prevention system management module according to an embodiment of the present invention.
5 is a file hash registration screen of a file copy leakage prevention system management module according to an embodiment of the present invention.
6 is a file hash deletion screen of a file copy leakage prevention system management module according to an embodiment of the present invention.
7 is a flowchart illustrating an operation of a file copy leakage prevention system client module according to an embodiment of the present invention.
8 is a structural diagram of a file copy leakage prevention system client module according to an embodiment of the present invention.
9 is pseudo code of a file copy leakage prevention system client module according to an embodiment of the present invention.
10 is a screen showing event results of the file copy leakage prevention system client module according to an embodiment of the present invention.
11 is a flowchart of an operation of a file copy leakage prevention system server according to an embodiment of the present invention.
12 is a structural diagram of a file copy leakage prevention system server according to an embodiment of the present invention.
13 is pseudo code of a file copy leakage prevention system server according to an embodiment of the present invention.
14 is a screen showing transmission/reception results of the file copy leakage prevention system server according to an embodiment of the present invention.
15 is SQL Info of a file copy leakage prevention system database according to an embodiment of the present invention.
16 is a screen showing contents (stored data values) of a file copy leakage prevention system database according to an embodiment of the present invention.
17 and 18 are measurement results of a bottleneck occurring when encrypting a large file in the file copy leakage prevention system according to an embodiment of the present invention.
19 is a configuration diagram of EDLP, which is a conventional secret leak prevention technology.

Hereinafter, various embodiments of this document will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the technology described in this document to specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of this document. . In connection with the description of the drawings, like reference numerals may be used for like elements.

In this document, expressions such as "comprises" or "may include" indicate the presence of corresponding features (eg, components such as numerical values, functions, operations, or parts), and do not exclude the presence of additional features. don't

In this document, expressions such as “A or B,” “at least one of A and/and B,” or “one or more of A or/and B” may include all possible combinations of the items listed together. . For example, “A or B,” “at least one of A and B,” or “at least one of A or B” (1) includes at least one A, (2) includes at least one B, Or (3) may refer to all cases including at least one A and at least one B.

Terms used in this document are only used to describe a specific embodiment, and may not be intended to limit the scope of other embodiments. Singular expressions may include plural expressions unless the context clearly dictates otherwise. Terms used herein, including technical or scientific terms, may have the same meaning as commonly understood by a person of ordinary skill in the technical field described in this document. Among the terms used in this document, terms defined in a general dictionary may be interpreted as having the same or similar meaning as the meaning in the context of the related art, and unless explicitly defined in this document, an ideal or excessively formal meaning. not be interpreted as In some cases, even terms defined in this document cannot be interpreted to exclude the embodiments of this document.

Of course, various modifications can be made by those skilled in the art without departing from the gist of the present invention claimed in the claims of the present invention, and these modifications are the technical spirit of the present invention or It should not be understood individually from the perspective.

In addition, the method according to the present invention can be implemented as a computer readable code (program) on a computer readable recording medium. A computer-readable recording medium may include all types of recording devices storing data that can be read by a computer system. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage devices, and also those implemented in the form of carrier waves (for example, transmission through the Internet). include In addition, the computer-readable recording medium may store computer-readable codes that can be executed in a distributed manner by distributed computer systems connected through a network.

The "module" described in the description of the present invention may be composed of a combination of software or/and hardware for information processing or/and control.

"User" and/or "manager" described in the description of the present invention may mean a "user device" and a "manager device", respectively.

According to an embodiment of the present invention, a file copy leakage prevention system (FCLPS) capable of detecting events of a central control server and a target control PC in real time for preventing the leakage of confidential document files can be configured. .

In the description of the present invention, when English notation is more common to those skilled in the art, such as variable names and class names, the corresponding words are written in English.

In the embodiment of the present invention, for a test to implement the technical idea of the present invention, the CPU is an Octa Core of 3.60 GHz, the RAM is 16 GB, the network environment is 1000 Mbps, the OS (Operation System) is Microsoft's Windows 10 Pro 20H2, Dev The language was Microsoft's C# .Net Framework 4.7.2, and the database used MySQL 8.0.24.

1. File copy leakage prevention system (FCLPS) diagram

As shown in FIG. 1, FCLPS includes a client, a server, a management module, and a database.

The FCLPS management module is provided for administrators to register confidential document files in the database. After logging in to the management module, the administrator designates confidential files and registers the hash value of the files in the database.

The FCLPS client module detects events related to file copying or/and moving on the controlled PC, calculates the hash value of the file, verifies the hash value of the confidential document file through the central control server, and based on the result, Deletion or decryption is performed on .

The FCLPS server verifies whether the file is confidential through the database based on the hash value of the file received from the FCLPS client module (FCLPP).

The database stores hash values of confidential document files and account information of administrators.

The procedure of File Copy Leak Prevention System (FCLPS) is as follows.

① The administrator logs in to the FCLPS management module and registers the hash value of the confidential document file in the database.

② The FCLPS client module detects in real time when a user generates copy or/and move events for confidential document files.

③ The FCLPS client module detects the above event and automatically calculates the hash value of the file (the file where the event occurred). Then, a random 16-digit character string is generated as a symmetric key and the file is encrypted with the symmetric key.

④ The FCLPS client module converts the hash value and symmetric key of the file into JSON format to transmit the hash value and symmetric key of the file to the FCLPS server.

⑤ The FCLPS client module encrypts JSON-type data with the public key of the FCLPS server and sends it to the FCLPS server.

⑥ The FCLPS server that receives the encrypted data from the FCLPS client module decrypts the encrypted data with the private key.

⑦ The FCLPS server stores the hash value of the file successfully decrypted with the private key and the symmetric key in variables.

⑧ Among the variable values stored in the FCLPS server, the hash value of the file is queried to the database to check whether it is a confidential file.

⑨ The FCLPS server receives the query result from the database.

⑩ The result of whether the FCLPS server has a confidential document file (a symmetric key in case of a general file, or a delete command in case of a confidential document file) is encrypted with the public key of the FCLPS client module and transmitted to the FCLPS client module.

⑪ The FCLPS client module decrypts the result of confidential document file status from the FCLPS server with the private key, and proceeds with deletion or decryption.

2. FCLPS data flow diagram

Hash values for all confidential document files are stored in FCLPS's database.

When a new confidential document file is created, the manager stores the hash value of the confidential document file in the database through the FCLPS management module. As shown in FIG. 2, the file copy leakage prevention method is performed by a user, an OS (Operation System), an FCLPS client module, an FCLPS server, and a database.

A user, as an authorized user (general user) or an unauthorized user (malicious user), may issue a copy or/and move command for a file using a computer or the like.

At this time, the operating system executes the command received from the user, verifies the authority for the file, and generates a file copy or file move event.

The FCLPS client module continuously monitors the system, and when a file copy or/or move event occurs, it calculates a hash value for the original file and generates a symmetric key of a random 16-digit string to encrypt the file. Then, the hash value and encryption key of the file are encrypted with the FCLPS server's public key and transmitted to the FCLPS server.

The FCLPS server queries the database for the hash value of the file received from the FCLPS client module to determine whether it is a confidential document file. After that, the FCLPS server transmits a symmetric key to the FCLPS client module in the case of a general file, and transmits a delete command to the FCLPS client module in the case of a confidential document file.

3. FCLPS Implementation

The FCLPS client module detects leakage of confidential document files, calculates the hash value, encrypts the file with a symmetric key, and performs deletion or decryption according to the result value.

The FCLPS server generates a key pair of public and private keys, waits for client connection, creates client socket, and performs database request and response functions.

3.1 FCLPS management module

Hereinafter, the operation method of the FCLPS management module will be described with reference to FIG. 3 .

① The administrator enters the ID and password.

② Verify the entered IP and password from the database.

③ Execute ④ according to the administrator's command to delete document files or add document files.

④ In the case of a delete command: Delete the hash value of the document file from the database and exit (⑦). In case of additional commands: Calculate the hash value of the selected file.

⑤ Add the hash value of the calculated document file to the database.

⑥ The hash value of the document file added to the database is displayed as a list view.

⑦ End.

The variable Admin ID and variable Admin Password are string variables provided by .Net. The variable Admin ID receives the administrator ID and the variable Admin Password receives the administrator password.

Then, the variable Admin ID and Admin Password are compared with the admin ID and password stored in the database. If login is successful, the hash value of the document file stored in the database is output in the list view. print out

In the management program, the document file addition event is the File Hash Value Add Event, and the document file deletion event is the File Hash Value Delete Event. In the File Hash Value Add Event, when the manager selects the corresponding document file, the file path is input to the variable FileInfo and the variable FileHash stores the hash value of the document file using the Calculate function that calculates the hash value of the document file.

Then, the hash value of the document file is stored in the database through the Insert database function. And in the File Hash Value Delete Event, the variable ListView stores the path of the document file when the administrator selects the hash value of the document file displayed in the list view, and the variable FileHash stores the hash value of the document file selected by the administrator. Then, the hash value of the document file stored in the variable FileHash is deleted through the Delete database function.

The pseudo code of the FCLPS management module is shown in FIG.

The case of registering the hash value of a file is as follows. When an administrator accesses the FCLPS management module, the hash value and path of the file stored in the database are displayed in the list view, and the hash value stored in the database is updated through the "Refresh" button according to the administrator's needs, and can be checked in the list view.

Among the FCLPS server management functions, the "Select File" button designates a file to be registered in the database, and the file number, file path, and file hash value can be checked through the list view. In the list view, the file number is the order of the file, and the file path is the absolute path of the file to be registered, including the file location, file name, and file extension. And the hash value of the file is automatically calculated and displayed in the list view. The File hash registration screen of FCLPS server management is shown in FIG. 5.

The case of deleting the hash value of a file is as follows. The administrator connects to FCLPS Server Management. Based on the file information displayed in the list view, double-click the hash value of the file to be deleted to execute the delete event. The double-click event of the list view is an event specified in the list view in advance, and occurs when the manager double-clicks the corresponding list view list.

When the hash value deletion event requested by the administrator to the database is completed normally, the corresponding hash value is deleted from the list view list. The Delete File Hash of the FCLPS server management is shown in FIG. 6.

3.2 FCLPS Client Module

Hereinafter, a method of operating the FCLPS client module will be described with reference to FIG. 7 .

① In order to detect that a user or a malicious user copies or/or moves a confidential document file, the FCLPS client module continuously detects file copying or/or moving events with FileSystemWatch, a system function of .Net.

② Detect file copy or/and move events in the File Copy Event module.

③ When a file copy or/and move event is detected, the FCLPS client module calculates the hash value for the confidential document file.

④ The FCLPS client module generates a symmetric key of a random 16-digit character string and encrypts the file using Rijndael Managed's encryption function.

⑤ The FCLPS client module converts the hash value and encryption key of the file into JSON format and encrypts it with the public key of the FCLPS server.

⑥ The FCLPS client module transmits the result value encrypted with the public key to the FCLPS server.

⑦ The FCLPS server decrypts the value received from the FCLPS client module with the private key. Then, the result value is transmitted to the FCLPS client module.

⑧ The FCLPS client module deletes or decrypts confidential document files according to the verification result. The FCLPS client module terminates.

The FCLPS client module requires Network Module, Files Module, Encryption & Decryption Module, and Watcher Module as shown in FIG.

The Network Module is implemented as a network class for TCP communication based on reliability with the FCLPS server.

The Files Module is a system module that consists of the existence of a specific file, hash calculation for the file, and a random function for generating an encryption key for symmetric encryption.

The Encryption & Decryption Module is a public key encryption/decryption module that encrypts/decrypts with public key cryptography to prevent man-in-the-middle attacks in communication with the FCLPS server.

The Watcher Module is a system event detection function that detects when a file copy or/and move event occurs on the PC where the agent is installed, and prevents leakage of confidential document files.

The pseudo code of the FCLPS client module is shown in FIG.

When a user or a malicious user generates a file copy or/or move event, the leaked file is encrypted with a symmetric key encryption. At this time, the encryption key of the symmetric key cryptography is composed of 16 random character strings. Then, the hash value and encryption key of the file are transmitted to the FCLPS server. Depending on the existence of confidential document files, general files are decrypted and confidential document files are deleted. The event result of the FCLPS client module is shown in FIG. 10 .

3.3 FCLPS Server

The FCLPS server proceeds in 5 steps: RSAPrivateKeyGen, RSAPublic -KeyGen, TCP Listener, Dynamic Thread Create, and Database Query Request & Response. And the pseudo code of the FCLPS server is written by applying two essential modules: Network Module, Encryption & Decryption Module.

Hereinafter, a method of operating the FCLPS server will be described with reference to FIG. 11 .

① When the FCLPS server is first executed, a key pair of public and private keys is automatically generated. Here, RSAPrivateKeyGen is a function that generates a private key and RSAPublicKeyGen is a function that generates a public key.

② In the FCLPS server, the TCP listener waits for the connection of the FCLPS client module to verify the hash value of the confidential document file.

③ When the FCLPS client module connects to the FCLPS server, the FCLPS server dynamically creates threads to manage multiple network connections. Then, the FCLPS server transmits the public key to the FCLPS client module (FCLPP).

④ The FCLPS server parses the hash value and encryption key of the file received from the FCLPS client module into JSON and queries the database.

⑤ The FCLPS server transmits the verification result of the confidential document file to the FCLPS client module according to the database query result.

As shown in FIG. 12, the FCLPS server requires four essential modules: Network Module, Encryption & Decryption Module, Database Module, and TCP Listener Module.

The Network Module is implemented as a network class for TCP communication with the FCLPS client module.

The Encryption & Decrytion Module is a public key cryptographic encryption/decryption module used for encryption/decryption communication with the FCLPS client module.

The TCP Listener Module is a module that manages network sockets accessed by the FCLPS client module and maintains a continuous TCP network.

The database module is a module that interoperates with the database based on the data received from the FCLPS client module.

The variable RSAPrivateKeyCreate creates and stores the private key of public key cryptography using the algorithm function of public key cryptography provided by the Cryptographic Service Provider. And the variable RSAPublicKeyCreate creates and stores the public key using the RSAParameters function based on the generated private key.

Afterwards, it waits for the connection of the FCLPS client module through the TcpListener. When accessing from the FCLPS client module, transmit the generated public key and wait for a response.

The pseudocode of the FCLPS server is shown in FIG. 13.

When a file copy or/or move event occurs by a malicious user or a general user, the FCLPS client module transmits and receives the hash value of the file and the encryption key of the symmetric key encryption to and from the FCLPS server. The FCLPS server makes a query request to the database using the received information and transmits the result of verifying the existence of confidential document files to the FCLPS client module.

The public and private keys of the public key encryption of the FCLPS server generate a 1,024-bit encryption/decryption key to prevent man-in-the-middle attacks in communication with the FCLPS client module (FCLPP). When the FCLPS client module (FCLPP) connects to the FCLPS server for the first time, it automatically transmits and receives the public key of the FCLPS server and encrypts/decrypts the data of the FCLPS client module with the private key of the FCLPS server.

The hash value information about the file transmitted by the FCLPS client module to the FCLPS server is set as a variable value of FileHash, and the key value used for file encryption is set as a variable value of FileKey. The results of transmission and reception of the FCLPS server are shown in FIG. 14 .

3.4 Database

The database used MySQL v8.0.24 to store the hash value and path of FCLPS confidential files.

The database name of FCLPS is "fclps_db" and the table name is "file_info". The column names of "file_info" are No, File_Path, File_Hash, File_Date, and the string format is utf-8 unicode.

And among the elements of the columns, No is the AUTO_INCREMENT attribute, and the value is automatically increased whenever a table row is added to specify the order of confidential files. do.

And File_date stores the current date and time to confirm the time when the manager registered the confidential document file when the manager stores the hash value of the confidential file in the database. SQL Info of the database is shown in FIG. 15 .

The database results of FCLPS are shown in FIG. 16 . When a confidential file is selected in FCLPS server management and a registration request is made to the database, No, File_Path, File_Hash, and File_date are saved.

No is the sequence number of the confidential file and File_Path is the absolute path of the confidential file.

And File_Hash is the hash value of the confidential file, and File_date is the storage date of the confidential file. Column elements of the table support Unicode and can be stored in the database in various characters.

4. Analysis

General enterprises use EDLP to prevent the leakage of confidential files.

EDLP consumes a lot of resources because it detects and tracks events for every file.

On the other hand, in an embodiment of the present invention for reducing resource consumption, a hash value for a previously specified confidential file is stored in the server, and when an event occurs, the hash value is compared and determined, and then encryption and decryption and deletion are performed.

At this time, since a bottleneck for the CPU occurs in the system during encryption, the time required for encryption is measured and the error range of the bottleneck is analyzed.

4.1. Qualitative comparison with prior art

We compare the efficiency of several EDLPs and the proposed FCLPS, which are used by companies to prevent leakage of confidential files.

EDLPs in use at home and abroad include Secure Genie's Gradius DLP, Symantec's Symantec DLP, WaterWall's WaterWall DLP, NicsTech's SafePC Enterprise, and Comtrue Technologies' Sherlock Holmes PC Information Security.

Among them, keyword-based detection methods in files are WaterWall DLP and Gradius DLP, and content-based detection methods in files are SafePC Enterprise, Symantec DLP, and Sherlock Holmes PC Information Security.

In the keyword-based detection method for files, when an agent is installed on the target PC, it is automatically scanned at regular intervals by system scheduling so that important keywords within the company, such as “core”, “confidential”, “internal”, and “confidential”, are detected in the internal data of the file. If included in , the event is blocked.

In addition, the content-based detection method installs an agent on the controlled PC, automatically scans the system, analyzes specific keywords or words in images in the data inside the file, and blocks the event if confidential related strings are included.

When a DLP agent according to the prior art is executed to prevent leakage of confidential files, system load is generated due to excessive use of resources.

The DLP system scans all files in the company at regular intervals and blocks events if keywords in files or keywords in images are included. However, since it is inefficient to analyze and block all files within a company, it is efficient to select and manage confidential document files in advance by administrators. Also, due to the nature of confidential document files, only authorized users can access them, so the same applies to DLP agents.

The detection method according to an embodiment of the present invention does not extract keywords or phrases from files, but verifies and determines through a server based on the hash value of the file itself. A detection method according to an embodiment of the present invention is a hash value-based detection method using a selective event.

In an embodiment of the present invention, only specific events are monitored in real time and verified in the server without scanning the entire system in order to minimize the load on the system.

FCLPS minimizes system load by selectively monitoring events, and improves accuracy by identifying files by specific signatures instead of classifying files only by extension.

In addition, confidentiality is improved by comparing the hash value of the confidential document file itself with the pre-registered hash value, rather than determining by extracting a string in a file or an image in a file that is assumed to be a confidential document file.

4.2. encryption time

When encrypting document files in the Encryption & Decryption Module in the FCLPS client to prevent leakage of confidential document files, bottlenecks occur due to high CPU usage, and CPU speed and voltage are forcibly lowered to minimize system damage. this is lowered Therefore, the time required for encryption is analyzed according to the file type and size.

4.2.1 Encryption time by file type

Since each file type has a different signature and all confidential document files have different sizes, the time required for encryption was measured for each file type and size. Calculate the time required for encryption by file type using FCLPS. Since most confidential documents are document files, PDF, HWP, DOC, PPT, and XLS extensions were measured to analyze the time required for encryption of document files.

Confidential document files are encrypted using the Encryption & Decryption Module, a module within the FCLPS client module.

Generates a symmetric key of 16 digits of random string to encrypt the document file. Then, using a symmetric key, 100 PDF, HWP, DOC, PPT, XLS document files are encrypted in a total of 10 rounds, and the same process is repeated for each round. Here, 1 round is the time required to encrypt 100 files once.

The time taken to encrypt PDF, HWP, DOC, PPT, and XLS document files per round is calculated by using the Start and Reset methods in the Stopwatch function, a time measurement class of .Net, and calculating the result in Milliseconds. The Stopwatch function is used to calculate the amount of time required for encryption in each round.

, 라운드 횟수를

, 전체 라운드의 평균 시간을

이라 한다. 전체 라운드의 평균 시간을 초 단위로 표현하기 위해서 천장함수를 사용한다. 이와 같은 계산은 수학식 1과 같다.Reduce the time required to encrypt 100 PDF, HWP, DOC, PPT, and XLS document files each.

, the number of rounds

, the average time for all rounds

It is called The ceiling function is used to express the average time of all rounds in seconds. Such calculation is as in Equation 1.

As a result of calculating the average of the time taken to encrypt document files of PDF, HWP, DOC, PPT, and XLS by Equation 1, PDF was 5 minutes and 23 seconds, HWP was 5 minutes and 40 seconds, and DOC was 5 minutes and 29 seconds. Seconds, PPT was measured at 5 minutes and 22 seconds, and XLS at 5 minutes and 43 seconds. When encrypting a document file for 10 rounds, the difference between the minimum and maximum time required is 21 seconds on average.

The types of document files are PDF, HWP, DOC, PPT, and XLS, and the results of measuring the time required to encrypt document files of 1MB, 3MB, 5MB, 10MB, and 15MB in size are shown in Table 1.

Type
Size PDF HWP DOC PPT XLS 1MB 69 67 66 68 64 3MB 138 140 142 142 139 5MB 212 212 212 221 250 10MB 430 515 491 414 431 15MB 762 761 733 764 827 Average 323 340 329 322 343

(unit: seconds)

4.2.2 Encryption time by file size

, 라운드 횟수를

, 전체 라운드의 평균 시간을

라 한다. 이와 같은 계산은 수학식 2와 같다.The time required for encryption in each round is reduced using the same method as for each file type.

, the number of rounds

, the average time for all rounds

say Such calculation is as shown in Equation 2.

According to Equation 2, the average result for the time taken to encrypt document files of PDF, HWP, DOC, PPT, and XLS is 1 minute and 7 seconds for 1MB, 2 minutes and 21 seconds for 3MB, 3 minutes and 42 seconds for 5MB, and 3 minutes and 42 seconds for 10MB. 7 minutes 37 seconds, 15MB is 12 minutes 50 seconds. When encrypting a document file for 10 rounds, the minimum and maximum time difference is 5 seconds for 1MB, 4 seconds for 3MB, 38 seconds for 5MB, 101 seconds for 10MB, and 94 seconds for 15MB.

When the document file PDF, HWP, DOC, PPT, and XLS sizes are 1MB, 3MB, 5MB, 10MB, and 15MB, respectively, the results of measuring the time required to encrypt the document file are shown in Table 2.

Size
Type 1MB 3MB 5MB 10MB 15MB PDF 69 138 212 430 762 HWP 67 140 212 515 761 DOC 66 142 212 491 733 PPT 68 142 221 414 764 XLS 64 139 250 431 827 Average 67 141 222 457 770

(unit: seconds)

4.2.3 Bottlenecks

When encrypting a large document file in the Encryption & Decryption Module in the FCLPS client to prevent the leakage of confidential document files, a bottleneck occurred in which the time required for file encryption increased than the average time required for encryption due to high CPU usage.

Therefore, the number of repetitions of encryption to measure the required encryption time is changed to 100, and the section where the bottleneck occurs is analyzed for large files of 10MB and 15MB.

first. The bottleneck analysis of the 10MB document file is as follows.

, 라운드 횟수를

, 전체 라운드의 평균 시간을

라 한다. 전체 라운드의 평균 시간을 초 단위로 표현하기 위해서 천장함수를 사용한다.In the same way as for each file type, the time required for encryption in each round is

, the number of rounds

, the average time for all rounds

say The ceiling function is used to express the average time of all rounds in seconds.

Such calculation is as in Equation 3.

) 10번을 100번으로 변경하여 전체 라운드의 평균 시간(

)을 계산하는 수식이다.Equation 3 is the number of rounds in Equation 1 (

) by changing 10 rounds to 100 rounds, the average time for all rounds (

) is the formula for calculating

As a result of measuring the bottleneck of the 10MB document file, the HWP with the lowest average value was constant at 4,000 seconds from rounds 1 to 7 and 4,000 seconds from rounds 9 to 10 except for 4,300 seconds in round 8, and the DOC with the highest average value was 6 Except for 5,800 seconds of round and 5,800 seconds of round 7, bottlenecks occur in the remaining rounds, and the time required to encrypt document files is not constant.

The bottleneck measurement result of the 10MB document file is shown in FIG. 17 .

second. The bottleneck analysis of the 15MB document file is as follows.

Using the same method as in Equation 3, a 15MB document file is encrypted 100 times and the bottleneck section is analyzed.

As a result of the bottleneck of the 15MB document file, the PDF with the lowest average value is constant at 5,810 seconds for round 1, 5,790 seconds for round 3, and 5,810 seconds for round 6, and 5,800 seconds for the remaining rounds. In addition, the XLS with the highest average value has a bottleneck in all other rounds except for 7,200 seconds in round 5 and 7,200 seconds in round 9, so the time required to encrypt document files is not constant.

The bottleneck measurement result of the 15MB document file is shown in FIG. 18 .

Claims (5)

Detecting whether a copy or move event for a file occurs in a user device;
calculating a hash value of the file when the copy or move event is detected;
generating a random character string as a symmetric key for the file;
encrypting the file with the symmetric key;
Transmitting the hash value and the symmetric key of the file to a server;
Receiving whether or not a confidential file is received from the server;
If the file is a confidential file: deleting the file; and
If the file is a general file: decrypting the file; file copy leakage prevention client control method including The method of claim 1,
The step of sending the hash value and symmetric key of the file to the server is:
converting the hash value and the symmetric key of the file into JSON format;
Encrypting [hash value and symmetric key of a file in JSON format] with the public key of the server; and
To the server, transmitting [hash value and symmetric key of the file in encrypted JSON format]; generating a public key and a private key of the server when initially setting the server;
waiting for a client to connect;
sending a public key to the client;
Receiving a hash value and a symmetric key of a file from the client;
querying a database for a hash value and a symmetric key of the file; and
A file copy leakage prevention server control method comprising the; The method of claim 3,
The step of waiting for the connection of the client is:
Dynamically creating a thread when the client accesses the server;
The step of querying the database for the hash value and symmetric key of the file is:
Decrypting the [hash value and symmetric key of the encrypted JSON-type file] received from the client with the private key of the server; and
Parsing the hash value and symmetric key of the decrypted JSON format file and querying the database;
The step of sending whether or not a confidential file is a confidential file according to the database query result to the client:
File copy leakage prevention server control method including; encrypting the result of whether the confidential file is determined by using the public key of the client and transmitting the result to the client. In the file copy leak prevention system, including a client, server, management module and database:
File copy leakage prevention system using any one of the file copy leakage prevention client control method of claims 1 and 2 and the file copy leakage prevention server control method of claims 3 and 4

Images