TWI488066B - System and method to prevent confidential documents from being encrypted and delivered out - Google Patents


Info

Publication number
TWI488066B
Authority
TW
Taiwan
Prior art keywords
file
application
confidential
protection
content
Prior art date
Application number
TW101150378A
Other languages
Chinese (zh)
Other versions
TW201426393A (en)
Inventor
Ming Che Chang
Ke Hua Hsu
Ping Yen Hsieh
Shu Ling Chou
Pao Chung Chang
Original Assignee
Chunghwa Telecom Co Ltd
Application filed by Chunghwa Telecom Co Ltd
Priority to TW101150378A (patent TWI488066B)
Priority to CN201310072416XA (patent CN103150499A)
Publication of TW201426393A
Application granted
Publication of TWI488066B

Description

Protection method for preventing files from being leaked in encrypted form

The invention is a protection method that prevents files from being leaked in encrypted form, intended mainly for Data Leakage Prevention (DLP) systems. When a DLP system analyzes the content of a file, it cannot, in principle, analyze ciphertext and decide how to control it if the user encrypted the document before sending it out. The invention proposes a solution that prevents confidential documents from being leaked in encrypted form, a core technique in the field of confidentiality protection.

A DLP system must analyze file content to decide whether a user may send a file outside the organization. If the user encrypts the file before sending it, the DLP system cannot, in principle, perform content analysis on the ciphertext. Some DLP systems respond by blocking outbound transfer of every file that looks like ciphertext, but this requires recognizing a large number of ciphertext formats and restricts the functionality and convenience of the user's applications. This patent instead monitors the user's encryption and compression behavior at the system level, which prevents confidential files from being leaked in encrypted form without affecting application functionality or convenience.

Other prior art for preventing the leakage of confidential files includes Taiwan Patent Publication No. 343301, "Information security system and method for tracking information outflow", which applies different data protection methods under different security policies. Its key point is that whenever internal enterprise data is about to leave the organization, the client must connect to a specific monitoring server and obtain authorization before the transfer is released, or the server transcodes the data and sends out a substitute instead. This approach requires the server to respond to client requests immediately, which increases the load on the internal network and degrades the speed and quality of network service, and a specific server system must be installed and maintained before confidential data can be protected.

Taiwan Patent Publication No. 200839549, "A method for tracking file outflow", contains several technical ideas similar to this case. However, that application relies on the client comparing file names, file sizes and file fragment strings in order to solve the prior-art problem of being unable to promptly track and quickly locate leaked files and the persons who leaked them. Its further purpose is to prevent a client from using files it should not hold for illegitimate actions, or from leaking confidential files, so as to track, supervise and manage files. Unlike this patent, it does not monitor the act of encrypting a file before sending it out; in principle, once a document a user transmits has been encrypted, any DLP system will have difficulty analyzing and controlling its content. The invention proposes a solution that monitors the user's encryption behavior at the system level and can stop a confidential document from being encrypted by an application at the first opportunity, improving the efficiency of DLP operations while preserving application functionality.

In view of the shortcomings of the conventional methods described above, the inventors sought to improve on them and, after years of dedicated research, developed the present protection method for preventing files from being leaked in encrypted form.

The purpose of this patent is to establish a protection method that prevents files from being leaked in encrypted form, mainly for use in DLP systems. When a user encrypts a confidential document and then transmits the ciphertext, the DLP system cannot, in principle, analyze or control the content of the ciphertext file. The invention proposes a solution that prevents confidential files from being leaked in encrypted form without restricting the functionality and usability of applications.

When carrying out confidentiality monitoring, a DLP system must be able to determine correctly whether the content of a document contains confidential material as defined by policy, so that it can take the appropriate protective action. But when it analyzes a document's content, if the document the user is transmitting has already been encrypted, the DLP system cannot, in principle, perform content analysis and subsequent control on that ciphertext file.

The invention provides a protection method for preventing files from being leaked in encrypted form. The confidentiality monitoring method first applies API hooks to the target thread. The hooked APIs are the system APIs related to file read and write behavior, for example ReadFile and WriteFile in kernel32.dll; the hooks are installed when the application starts. Once a thread has read a confidential file, the system of the invention enters a protection state against encrypted writes: in this state every file write performed by that thread is analyzed to determine whether the process is encrypting or transcoding the confidential document and writing out a ciphertext file. If the analysis concludes that the thread has performed an encrypted write, the system of the invention carries out protective actions such as alerting, re-encryption, deletion and auditing as prescribed by the confidentiality protection policy. The application is thus prevented from encrypting the confidential document at the first opportunity, which avoids the monitoring problem that arises when the user later transmits the confidential ciphertext. To recognize the many encrypted file formats and apply the correct protective action, the invention uses a combined analysis based on information entropy and file comparison, which can effectively identify the ciphertext file formats produced by most encryption algorithms.

A protection method for preventing files from being leaked in encrypted form belongs to the content analysis and endpoint monitoring operations of a DLP system, where the endpoint monitoring method comprises the following steps:
step a. when the DLP system detects that a user has launched an application, it loads a confidentiality-monitoring dynamic library into the application and installs API hooks on the file read and write functions;
step b. when an installed API hook detects that the application is reading a file, it notifies a confidentiality protection process through an inter-process communication channel, which analyzes the content of the file in order to judge whether the application may be encrypting a confidential document;
step c. when the application receives the content analysis result returned by the DLP system, it is allowed to continue reading and writing files if the file is not confidential, and enters a write-monitoring state if the file is confidential;
step d. in the write-monitoring state the application analyzes the format of every file it writes out, and if a file is judged to be in an encrypted format, the protective action prescribed by the confidentiality policy is taken.

The confidentiality protection process is a resident program pre-installed on the user's computer system; it is responsible for loading and enforcing the DLP system's policy, performing content analysis and keeping audit records. The file read/write API hooks refer to the API hooking technique that intercepts the operating-system library functions the application must use to read and write files, in order to perform additional monitoring. When the application reads a file, the API hook enters its monitoring procedure: it notifies the confidentiality protection process through an inter-process communication channel, requests content analysis of the target file and obtains the result. When the API hook controls encrypted writes and the IPC channel receives the content analysis result from the DLP system, the process's file reads and writes continue without any protective action if the target file is not confidential; if it is confidential, the process enters the write-monitoring state. Once in the write-monitoring state, the application analyzes the format of every file it writes out. If a file is judged to be in an encrypted format, the protective action prescribed by the confidentiality policy is taken, including auditing, alerting, re-encryption or deletion of the file; if the written file is not in an encrypted format, the process's file reads and writes continue without any protective action. The method for analyzing whether a file is in an encrypted format is based on information entropy and a comparison of file lengths, and proceeds as follows:
a. check for, and filter out, the case where the file written by the application is simply the original file, so that it is not misjudged as ciphertext;
b. check for, and filter out, the case where the file written by the application is Base64-encoded, so that it is not misjudged as ciphertext;
c. compute the entropy of the written file's content; if the entropy is below a preset threshold, the file is treated as not encrypted;
d. if the entropy of the file content is above the threshold, further analyze whether the content is in a commonly used compression format, to avoid misjudging compressed files;
e. if the content is not in a compression format, compare the content lengths to decide whether the written content is in an encrypted format.

The comparison based on content length proceeds as follows:
a. compute the length of the original file's content after compression, as a reference value;
b. compare it with the length of the written file;
c. the ciphertext lengths used as the comparison baseline are a specific multiple range of the compressed length of the original content and a specific multiple range of the original content's length; both count as ciphertext lengths;
d. if the length of the written file falls within those ciphertext lengths, the written file is judged to be in ciphertext format; otherwise it is judged not to be.

Compared with the cited references and other conventional techniques, the protection method provided by the invention has the following advantages:

1. The protection method of the invention takes protective action at the moment an application encrypts a confidential document, avoiding the monitoring problem that arises when the user later transmits the ciphertext.

2. The protection method of the invention does not restrict the functionality or convenience of the user's applications.

3. The protection method of the invention uses a combined analysis based on information entropy and file comparison, which can effectively identify the ciphertext file formats produced by most encryption algorithms.

Figure 1 is the system architecture diagram of the protection method. As the figure shows, while user 110 operates computer system 150, the launched encryption application 130 reads confidential document 120 and then transcodes and encrypts it. When encryption application 130 starts, it first loads the confidentiality-monitoring dynamic library 160 of the invention; the library may be loaded through a mechanism provided by the operating system, or DLP system process 180 may continuously watch for process start-up and inject it remotely. When encryption application 130 reads a confidential document 120, the API hooks monitored by the dynamic library 160 pre-installed in encryption application 130 notify DLP system process 180 by inter-process communication to analyze the file's content, so that encryption application 130 can determine whether it has read a file containing confidential content and must enter the protection state against encrypted writes. If encryption application 130 writes out a file 140 while in this protection state, application 130 immediately analyzes whether the written file 140 is an encrypted file. If it is judged to be encrypted, file 140 is deleted as the confidentiality protection policy directs, or re-encrypted, quarantined, audited or otherwise protected, and DLP system process 180 uploads a record of the event to the server of confidentiality management center 170 for audit management.

Figure 2 is the flow chart of encryption-application monitoring in the protection method. When the system detects that an encryption application has started (200), it enters the detection and analysis flow. First, hooks are installed on the APIs related to file reads and writes (210) to monitor subsequent behavior related to encrypted writes. When the thread reads a file (220), the read-related API hook, for example on ReadFile in Kernel32.dll, immediately notifies the confidentiality protection process through a named pipe to analyze the file's content (230). If the analysis finds no confidential content (231), no protection against encrypted writes is needed and the application continues its file reads and writes (270). If the analysis indicates that the file read is a confidential document (321), the application's write operations must be monitored (240). Thereafter, if the application writes out any file (250), the write-related API hooks, for example on WriteFile and CloseHandle in Kernel32.dll, first look up the file and path name and then analyze whether the written file is in an ordinary document format (251) or is an encrypted file (252). If the analysis (251) shows that the written file is in an ordinary document format, the application continues its file reads and writes (270); if not, the file is analyzed for encryption (252) and, if it is found to be encrypted, the relevant protective actions such as alerting, re-encryption, auditing or deletion (260) are taken according to the confidentiality protection policy. If the analysis result (251) is not ciphertext format, no protection is needed and the application continues its file reads and writes (270).

Figure 3 is the flow chart of ciphertext format analysis in the protection method. First the content of the written file is read (300), then it is compared with the content of the original file (310). If the two contents are identical, the file is not in ciphertext format (311); the value False is returned (380) and the ciphertext format analysis ends. Otherwise, the file content is checked for Base64 encoding (311); if it is Base64 (312), it is decoded (320) and the flow returns to the content comparison (310). If it is not Base64 (312), the entropy of the data content is computed (330). Entropy is a mathematical measure of uncertainty from information theory, as shown below:

Its unit is usually bits/byte, with a minimum approaching 0 and a maximum approaching 8. The invention applies it to identifying ciphertext file formats. In general, a high computed entropy means the byte patterns of the file content are highly random and the content is hard to compress further; most ciphertext files, already compressed files and multimedia files have high-entropy content. If the computed entropy of the file content is below the preset threshold (331), for example below 7.0, False is returned (380) and the ciphertext format analysis ends. If the entropy is above the preset threshold (331), the content is analyzed for a common compression format (332), meaning common archive formats such as ZIP, GZIP, RAR, ARJ and LZH. If the content is found to be in a compression format, it is analyzed further to see whether it is a compressed-and-encrypted format (333); if it is not, False is returned (360), otherwise True is returned and the ciphertext format analysis ends (370). If the content was judged not to be in a common compression format (332), the comparison with the original file continues, here by comparing file lengths (350) to decide whether the written content is in ciphertext format (351). This is based on the observation that the ciphertext produced by common encryption algorithms is usually equal to or slightly longer than the original plaintext length Lo; but because many encryption programs integrate compression, the ciphertext can be shorter than the original, so the method also computes the length Lc of the original content after standard ZIP compression as a reference value (340). The possible ciphertext length Le used as the decision baseline is then defined as roughly 0.8 to 1.3 times the compressed length Lc of the original content, or roughly the original length Lo up to 1.1 times Lo; both are possible ciphertext lengths Le. If the length of the written content matches neither possible ciphertext length, False is returned (380) and the flow ends; if it matches a ciphertext length, the content is treated as ciphertext format and True is returned (370), ending the ciphertext format analysis.
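The ciphertext-format analysis described above and in claims 7 and 8 (the equality check, Base64 unwrapping, the 7.0 bits/byte entropy threshold, archive-format detection, and the Lc and Lo length windows) can be written out as follows. This is an added example, not code from the patent or from Chunghwa Telecom. It assumes zlib level 9 as the "standard ZIP compression" that defines Lc, uses a toy SHA-256 keystream XOR in place of whatever cipher the monitored application runs, and constructs its own sample document and archives; the ZIP local-header encryption bit it reads for the "compressed and encrypted" branch (333) is also this example's choice, since the text does not say how that branch is decided.

```python
"""Ciphertext-format check following steps a-e of the patent's write-file analysis.
Added example, not the patent's or Chunghwa Telecom's code.  Assumptions: zlib level 9
stands in for the 'standard ZIP compression' that defines Lc; a toy SHA-256 keystream
cipher stands in for the monitored application's cipher; all sample data is constructed."""
import base64
import gzip
import hashlib
import io
import math
import re
import zipfile
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.0          # bits/byte; the example threshold quoted in the text
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, bits/byte (0 for empty input, at most 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def try_base64_decode(data: bytes):
    """Step b: decode a single Base64 blob (line wrapping tolerated), else return None."""
    compact = b"".join(data.split())
    if len(compact) < 16 or len(compact) % 4 or not _B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None

def compressed_format(data: bytes):
    """Step d: identify archive formats by magic bytes -> (name, encrypted) or None."""
    if data[:4] == b"PK\x03\x04":                         # ZIP local file header
        flags = int.from_bytes(data[6:8], "little")
        return "zip", bool(flags & 1)                      # bit 0: entry is encrypted
    if data[:2] == b"\x1f\x8b":
        return "gzip", False                               # gzip has no encryption
    if data[:6] == b"Rar!\x1a\x07":
        return "rar", None                                 # flag not parsed in this example
    return None

def plausible_ciphertext_length(written_len: int, original: bytes) -> bool:
    """Step e: Le is 0.8..1.3 x Lc (tool compressed first) or Lo..1.1 x Lo."""
    lo, lc = len(original), len(zlib.compress(original, 9))
    return 0.8 * lc <= written_len <= 1.3 * lc or lo <= written_len <= 1.1 * lo

def is_ciphertext_of(written: bytes, original: bytes) -> bool:
    """Verdict for one file written while the thread is in the write-monitoring state."""
    if written == original:                                # step a: plain copy
        return False
    decoded = try_base64_decode(written)                   # step b: strip Base64 armour
    if decoded is not None:
        return is_ciphertext_of(decoded, original)         # loop back to the comparison
    if shannon_entropy(written) < ENTROPY_THRESHOLD:       # step c: low entropy -> plaintext
        return False
    fmt = compressed_format(written)                       # step d: plain archive -> not ciphertext
    if fmt is not None:
        return fmt[1] is True
    return plausible_ciphertext_length(len(written), original)   # step e

def toy_stream_cipher(data: bytes, key: bytes) -> bytes:
    """Deterministic SHA-256 counter keystream XOR; example stand-in, not a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def make_zip(payload: bytes, mark_encrypted: bool = False) -> bytes:
    """ZIP built with zipfile; optionally set the 'encrypted' bit in the local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.txt", payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        raw[6] |= 1
    return bytes(raw)

# Constructed 'confidential document' (64,000 bytes): repetitive text, so it compresses well
SECRET_DOC = b"".join(
    b"CONFIDENTIAL budget line %04d: project Orion, amount=%06d TWD\n" % (i, (i * 7919) % 1000000)
    for i in range(1000))
KEY = b"example-key"

def classify_samples() -> dict:
    """Run the check over constructed write-outs of SECRET_DOC; returns {case: verdict}."""
    ct = toy_stream_cipher(SECRET_DOC, KEY)
    cases = {
        "plain copy": SECRET_DOC,
        "base64 of plaintext": base64.b64encode(SECRET_DOC),
        "gzip archive": gzip.compress(SECRET_DOC),
        "zip archive": make_zip(SECRET_DOC),
        "zip with encrypted bit": make_zip(SECRET_DOC, mark_encrypted=True),
        "stream cipher": ct,
        "base64 of ciphertext": base64.b64encode(ct),
        "compress then encrypt": toy_stream_cipher(zlib.compress(SECRET_DOC, 6), KEY),
        "ciphertext of another file, 3x size": toy_stream_cipher(bytes(3 * len(SECRET_DOC)), b"k2"),
    }
    return {name: is_ciphertext_of(data, SECRET_DOC) for name, data in cases.items()}
```

Calling classify_samples() flags the stream-cipher, Base64-armoured and compress-then-encrypt write-outs while passing the plain copy, the Base64-encoded text and the unencrypted archives. The last case shows the limit of the length heuristic the text relies on: high-entropy output whose length falls outside both windows (here, ciphertext of a different, larger file) is not flagged, and for very small files an IV, block padding or authentication tag can push a genuine ciphertext past 1.1 x Lo, so the windows should be tuned to the ciphers actually in use. RAR (and the ARJ and LZH formats the text also names) is recognised only by magic bytes here and treated as an unencrypted archive.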

The detailed description above sets out one feasible embodiment of the invention; that embodiment is not intended to limit the scope of the patent, and all equivalent implementations or modifications that do not depart from the technical spirit of the invention shall be included in the scope of this patent.

In summary, this case is not only innovative in its technical concept but also provides the above advantages that conventional methods cannot; it fully meets the statutory requirements of novelty and inventive step for an invention patent, and the application is hereby filed in accordance with the law, with the respectful request that the Office approve this invention patent application so as to encourage invention.

110 User
120 Confidential document
130 Encryption application
140 File
150 Computer system
160 Dynamic library
170 Confidentiality management center
180 DLP system process
200 to 260 Encryption application monitoring flow
300 to 380 Ciphertext format analysis flow

Refer to the detailed description of the invention and its drawings for a further understanding of its technical content, purpose and effects. The drawings are: Figure 1, the system architecture diagram of the protection method for preventing files from being leaked in encrypted form.

Figure 2 is the flow chart of encryption-application monitoring in the protection method for preventing files from being leaked in encrypted form.

Figure 3 is the flow chart of ciphertext format analysis in the protection method for preventing files from being leaked in encrypted form.


Claims (8)

Claims (8)

1. A protection method for preventing files from being leaked in encrypted form, applied in the content analysis and endpoint monitoring operations of a confidentiality protection (data leakage prevention, DLP) system, wherein the endpoint monitoring operation comprises the following steps:
Step a. When the DLP system detects that the user launches an application, it loads a confidentiality-monitoring dynamic link library into that application and installs application programming interface (API) hooks on the file read and write functions;
Step b. When an installed API hook detects that the application reads a file, it notifies a confidentiality protection process through an inter-process communication channel to perform content analysis of that file, so as to determine whether the application is encrypting a confidential document;
Step c. When the application receives the content analysis result returned by the DLP system, a non-confidential file is allowed to continue through the file read and write operations, while a confidential file puts the application into a write-file monitoring state;
Step d. In the write-file monitoring state the application analyzes the format of every file written out; if a written file is judged to be in an encrypted format, the corresponding protective action is taken as specified by the confidentiality policy.

2. The protection method according to claim 1, wherein the confidentiality protection process is a resident program pre-installed on the user's computer system, which is responsible for policy loading and enforcement, content analysis, and audit logging for the DLP system.

3. The protection method according to claim 1, wherein the API hooks on the file read and write functions refer to an API hooking technique that interposes on the operating system library functions the application must call to read and write files, so that additional monitoring can be performed in between.

4. The protection method according to claim 1, wherein, when the application reads a file, the API hook enters the monitoring flow associated with that hook, in which the confidentiality protection process is notified through the inter-process communication channel and requested to perform content analysis of the target file, and the analysis result is retrieved.

5. The protection method according to claim 1, wherein, when the API hook is controlling encrypted file writing and the content analysis result returned by the DLP system arrives over the inter-process communication channel, if the target file is not a confidential document the application's file read and write continues without any protective action, and if it is a confidential document the write-file monitoring state is entered.

6. The protection method according to claim 5, wherein, on entering the write-file monitoring state, the application analyzes the format of every file written out; if a written file is judged to be in an encrypted format, the corresponding protective action specified by the confidentiality policy is taken, including auditing, alerting, re-encrypting, or deleting the file; if the written file is not in an encrypted format, the application's file read and write continues without any protective action.

7. The protection method according to claim 6, wherein the method of analyzing whether the file is in an encrypted format is based on information entropy and a file length comparison analysis, comprising the steps of:
a. checking for, and filtering out, the case where the file written by the application is the original file itself, so that it is not misjudged as ciphertext;
b. checking for, and filtering out, the case where the file written by the application is Base64-encoded, so that it is not misjudged as ciphertext;
c. computing the entropy of the written file content; if the entropy is below a predetermined threshold, the file is regarded as a non-encrypted format;
d. if the entropy of the file content is above the threshold, further analyzing whether the file content is in a commonly used compressed format, so that compressed files are not misjudged as encrypted;
e. if the file content is not in a compressed format, performing a length comparison analysis on the file content to decide whether the written file content is in an encrypted format.

8. The protection method according to claim 7, wherein the file length comparison analysis comprises the steps of:
a. computing the compressed length of the original file content as a reference value;
b. comparing it with the length of the written file;
c. taking as the ciphertext file length used for the comparison both a specific multiple range of the compressed length of the original file content and a specific multiple range of the original file content length, either of which counts as a ciphertext length;
d. if the length of the written file falls within the ciphertext file length, judging the written file to be in ciphertext format, and otherwise judging it to be in non-ciphertext format.
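The endpoint flow of claims 1 to 6 and the encrypted-format test of claims 7 and 8, as an added example in Python that is not part of the patent or of any Chunghwa Telecom product. The Windows-side mechanics (DLL injection, hooking of the file APIs, the IPC pipe to the resident agent) are replaced by plain method calls so the logic runs offline. The 7.0 bit/byte entropy threshold, the list of compressed-container magic numbers, the 1.0 to 1.2 multiple ranges used for claim 8, the keyword content policy, the sample document and the pseudo-random stand-in for ciphertext are all assumptions made here, since the patent fixes none of them.

```python
import base64, binascii, gzip, math, random, zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed, the claim only says "a predetermined threshold"
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"BZh", b"\xfd7zXZ\x00")  # assumed list: gzip, zip, bzip2, xz
CONFIDENTIAL_MARKERS = (b"CONFIDENTIAL", b"INTERNAL ONLY")  # stand-in for the agent's content policy

def shannon_entropy(data: bytes) -> float:
    """Claim 7 step c: Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_base64(data: bytes) -> bool:
    """Claim 7 step b: a Base64 transcript of the document is encoded text, not ciphertext."""
    try:
        return bool(base64.b64decode(b"".join(data.split()), validate=True))
    except (binascii.Error, ValueError):
        return False

def is_compressed(data: bytes) -> bool:
    """Claim 7 step d: a compressed container also has near-8-bit entropy, so check its magic."""
    return any(data.startswith(magic) for magic in COMPRESSED_MAGIC)

def length_matches_ciphertext(original: bytes, written: bytes, lo: float = 1.0, hi: float = 1.2) -> bool:
    """Claim 8: ciphertext is about as long as the plaintext, or as its compressed form when the
    app compresses before encrypting, plus IV/padding/tag overhead; 1.0-1.2x is an assumed range."""
    refs = (len(zlib.compress(original)), len(original))
    return any(lo * r <= len(written) <= hi * r for r in refs if r)

def classify_written_file(original: bytes, written: bytes) -> str:
    """Claim 7 steps a-e in order; returns the reason so the audit record can carry it."""
    if written == original:                           # a: saved unchanged
        return "original"
    if is_base64(written):                            # b: encoded, not encrypted
        return "base64"
    if shannon_entropy(written) < ENTROPY_THRESHOLD:  # c: plaintext-like byte distribution
        return "low-entropy"
    if is_compressed(written):                        # d: high entropy explained by compression
        return "compressed"
    if length_matches_ciphertext(original, written):  # e: claim 8 length comparison
        return "encrypted"
    return "unrelated-high-entropy"                   # e.g. ciphertext of some other document

class DlpAgent:
    """Claim 2: the resident agent that owns policy, content analysis and the audit log."""
    def __init__(self, action: str = "alert"):
        self.action, self.audit = action, []  # action is a claim 6 option: audit, alert, re-encrypt, delete
    def is_confidential(self, content: bytes) -> bool:
        # The content analysis the hook requests over IPC (claim 1 step b); a keyword policy stands in.
        return any(marker in content for marker in CONFIDENTIAL_MARKERS)

class HookedProcess:
    """Claim 1: the hooks injected into one application; one instance per monitored process."""
    def __init__(self, agent: DlpAgent):
        self.agent, self.watched = agent, None  # watched is not None => write-file monitoring state
    def read_hook(self, content: bytes) -> None:
        # Steps b/c: a confidential verdict arms monitoring of this process's later writes.
        if self.agent.is_confidential(content):
            self.watched = content
    def write_hook(self, written: bytes) -> str:
        # Step d / claim 6: only in the monitoring state is the written format analysed.
        if self.watched is None:
            return "allow"
        verdict = classify_written_file(self.watched, written)
        if verdict != "encrypted":
            return "allow"
        self.agent.audit.append((verdict, len(written), self.agent.action))
        return self.agent.action

def build_sample_document(n_words: int = 4000, seed: int = 7) -> bytes:
    """Constructed confidential document: random words, so it compresses, but not to nothing."""
    words = [b"revenue", b"forecast", b"merger", b"customer", b"pipeline", b"margin", b"board", b"risk",
             b"quarter", b"headcount", b"pricing", b"contract", b"supplier", b"capex", b"litigation"]
    rng = random.Random(seed)
    return b"CONFIDENTIAL\n" + b" ".join(rng.choice(words) for _ in range(n_words))

def fake_ciphertext(length: int, seed: int = 11) -> bytes:
    rng = random.Random(seed)  # constructed stand-in: cipher output is indistinguishable from this here
    return bytes(rng.getrandbits(8) for _ in range(length))

def demo() -> dict:
    """Five ways an application might save the document after reading it."""
    doc = build_sample_document()
    proc = HookedProcess(DlpAgent(action="delete"))
    proc.read_hook(doc)
    return {
        "save_unchanged": proc.write_hook(doc),
        "save_base64": proc.write_hook(base64.b64encode(doc)),
        "save_gzip": proc.write_hook(gzip.compress(doc)),
        "save_encrypted": proc.write_hook(fake_ciphertext(len(doc) + 16)),
        "save_zip_then_encrypt": proc.write_hook(fake_ciphertext(len(zlib.compress(doc)) + 32)),
    }

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:24s} -> {verdict}")
```

Running the block prints one verdict per save path: the unchanged document, its Base64 transcript and its gzip copy are allowed, while a write that is ciphertext-sized relative to either the document or its compressed form triggers the configured policy action and leaves an audit record. Two gaps a deployment would have to close: a hooked WriteFile sees the file in fragments, so the bytes must be buffered per handle and classified when the handle is closed, and the Base64 test accepts any alphabet-only text whose length is a multiple of four, which is harmless only because such text also fails the entropy test and is allowed either way.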

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW101150378A TWI488066B (en) 2012-12-27 2012-12-27 System and method to prevent confidential documents from being encrypted and delivered out
CN201310072416XA CN103150499A (en) 2012-12-27 2013-03-07 Protection method for preventing file from being leaked in encrypted form

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW101150378A TWI488066B (en) 2012-12-27 2012-12-27 System and method to prevent confidential documents from being encrypted and delivered out

Publications (2)

Publication Number Publication Date
TW201426393A TW201426393A (en) 2014-07-01
TWI488066B true TWI488066B (en) 2015-06-11

Family

ID=48548572

Family Applications (1)

Application Number Title Priority Date Filing Date
TW101150378A TWI488066B (en) 2012-12-27 2012-12-27 System and method to prevent confidential documents from being encrypted and delivered out

Country Status (2)

Country Link
CN (1) CN103150499A (en)
TW (1) TWI488066B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI608379B (en) * 2015-12-31 2017-12-11 玉山商業銀行股份有限公司 Information management method, host device and system for data protection in accessing process
CN106156651A (en) * 2016-04-13 2016-11-23 上海旗帜信息技术有限公司 The system and method judging enterprise's confidential electronic data based on cloud computing technology
CN106548083B (en) * 2016-11-25 2019-10-15 维沃移动通信有限公司 A kind of note encryption method and terminal
CN107423634B (en) * 2017-06-30 2018-11-09 武汉斗鱼网络科技有限公司 File decryption method, apparatus, computer readable storage medium and equipment
CN107480538A (en) * 2017-06-30 2017-12-15 武汉斗鱼网络科技有限公司 File encrypting method, device, computer-readable recording medium and equipment
CN112287067A (en) * 2020-10-29 2021-01-29 国家电网有限公司信息通信分公司 Sensitive event visualization application implementation method, system and terminal based on semantic analysis

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040111389A1 (en) * 2002-12-09 2004-06-10 Microsoft Corporation Managed file system filter model and architecture
US20060190723A1 (en) * 2005-02-18 2006-08-24 Jp Morgan Chase Bank Payload layer security for file transfer
CN1917676A (en) * 2005-08-19 2007-02-21 佛山市顺德区顺达电脑厂有限公司 Encryption method for hinding data from specific source
CN100385367C (en) * 2005-08-05 2008-04-30 四零四科技股份有限公司 Encryption method for program
CN101957893A (en) * 2009-07-15 2011-01-26 精品科技股份有限公司 File permission management system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100452076C (en) * 2007-07-10 2009-01-14 北京鼎信高科信息技术有限公司 Method for constructing transparent coding environment
US20110035783A1 (en) * 2008-03-03 2011-02-10 Hiroshi Terasaki Confidential information leak prevention system and confidential information leak prevention method
CN101853184A (en) * 2010-05-21 2010-10-06 中兴通讯股份有限公司 Management method and device for application program and terminal

Also Published As

Publication number Publication date
TW201426393A (en) 2014-07-01
CN103150499A (en) 2013-06-12

Similar Documents

Publication Publication Date Title
TWI488066B (en) System and method to prevent confidential documents from being encrypted and delivered out
US10671724B2 (en) Techniques for detecting encryption
US9027123B2 (en) Data dependence analyzer, information processor, data dependence analysis method and program
EP3103051B1 (en) System and process for monitoring malicious access of protected content
CN101430752B (en) Sensitive data switching control module and method for computer and movable memory device
KR101522445B1 (en) Client computer for protecting confidential file, server computer therefor, method therefor, and computer program
KR101817636B1 (en) Ransomware detection apparatus and method
WO2009028792A1 (en) Method of digital rights management about a compressed file
CN109151506B (en) Method, system and server for operating video file
US20180307855A1 (en) Access management system, file access system, encrypting apparatus and program
US10164980B1 (en) Method and apparatus for sharing data from a secured environment
US8776258B2 (en) Providing access rights to portions of a software application
TW201530344A (en) Application program access protection method and application program access protection device
US20160078240A1 (en) Device and method for providing security in remote digital forensic environment
JP5334739B2 (en) Log monitoring program, log monitoring system
JP4471129B2 (en) Document management system, document management method, document management server, work terminal, and program
CN111914275B (en) File leakage prevention monitoring method
US9450965B2 (en) Mobile device, program, and control method
US20150286839A1 (en) Methods, systems, and apparatus to protect content based on persona
JP2007188307A (en) Data file monitor apparatus
CN108900550B (en) Unified password management method for server
TWI501106B (en) Storage medium securing method and media access device thereof background
KR20110034351A (en) System and method for preventing leak information through a security usb memory
KR20180032999A (en) device and method for Region Encryption
TWI574172B (en) The method of encrypting the network to monitor confidentiality

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees