TWI520548B - Information System and Its Method of Confidential Data Based on Packet Analysis

Info

Publication number: TWI520548B
Authority: TW (Taiwan)
Prior art keywords: policy, confidential, network, comparison, information
Application number: TW102142385A
Other languages: Chinese (zh)
Other versions: TW201521407A
Inventors: Keh Hwa Shyu, Hua Chou Chiu, Pen Yi Chang, Chuan Sheng Wang
Original assignee: Chunghwa Telecom Co Ltd

Events: application filed by Chunghwa Telecom Co Ltd; priority to TW102142385A; publication of TW201521407A; application granted; publication of TWI520548B


Description

Confidential data blocking system based on packet analysis and method thereof

The present invention relates to a confidential data blocking system and method, and in particular to a confidential data blocking system and method based on packet analysis.

In recent years, as awareness of personal privacy protection has risen, demand for confidential data protection has grown with it. In 2011 alone the cost of a single lost record was US$214, and the average loss to an enterprise from a data breach was US$7,200,000. Taiwan's revised Personal Data Protection Act will also take effect shortly, making the protection of personal data even more important. How to reliably protect confidential data and block its leakage is therefore a pressing technical problem in this field.

The known data leakage prevention technology, DLP (Data Loss Prevention), performs connection control in the form of a proxy server. Because its network control is usually limited to HTTP(S), SMTP and the few IM (Instant Messaging) applications that support proxied connections, the general applicability of this technique is insufficient. Besides control through proxied connections, the prior art also regulates traffic with packet monitoring software such as Wireshark™; such software can only listen to and record packets and cannot block them, so confidential data remains at risk of leaking. Furthermore, when a non-malicious user leaks confidential data over a connection that does not pass through the proxy, existing network protection technologies mostly notify by e-mail or a similar message. They lack a mechanism for warning the user immediately, so in the window between the leak and the warning further leaks are likely.

On the other hand, to reliably block confidential data, known products also install software on endpoint machines to protect confidential data and prevent it from leaking from personal computers. Endpoint protection, however, degrades computer performance, and every change of machine or personnel requires the laborious configuration to be redone. Personal computers also differ in model and installed software, so besides support problems, endpoint machines often have blind spots in their protection, and leaks of confidential data cannot be effectively prevented.

The prior art also blocks packets on the network side, most commonly with a firewall. Some firewall techniques look not only at the packet header but further inspect and analyze the packet contents, blocking the packet according to the result. For example, Republic of China patent I312246, "System and Method for Packet Filtering", examines packets from the application layer, checks whether the content corresponds to the protocol expected on the port, and decides whether the packet may be forwarded. However, existing firewall mechanisms, this patent included, cannot reassemble the complete data transferred over the connection to which a packet belongs; they analyze only a single packet or a small number of packets, which does not meet the needs of analyzing confidential data.

The conventional techniques described above therefore still have many shortcomings, are not well designed, and urgently need improvement. In view of the drawbacks of these conventional methods, the inventors sought to improve and innovate, and after years of painstaking research finally completed the confidential data blocking method based on packet analysis described here.

To solve the technical problems of the prior art described above, one object of the present invention is to provide a confidential data blocking system and method that block confidential data by means of packet analysis.

To achieve this object, the present invention provides a confidential data blocking system based on packet analysis. It comprises a policy group dispatch server, a data analysis audit server and a packet monitoring switch-router. The policy group dispatch server stores confidential policy information, which records the characteristic values of the data whose transmission is to be blocked. The data analysis audit server is electrically connected to the policy group dispatch server. The packet monitoring switch-router is electrically connected to the data analysis audit server and further comprises a packet analysis unit and a network behavior detection unit. The packet analysis unit receives a plurality of network packets from the internal network and assigns each packet to one of a plurality of network session groups according to its connection class. The network behavior detection unit is electrically connected to the packet analysis unit and performs a detection comparison, which determines whether the packets placed in each session group contain content information, and triggers the data analysis audit server to perform a confidential data comparison. The confidential data comparison restores the content information of the packets into file form and compares it with the confidential policy information. The network behavior detection unit then applies blocking control to the packets according to the result of the confidential data comparison.

To achieve this object, the present invention also provides a confidential data blocking method based on packet analysis, applied in a confidential data blocking system and comprising the following steps. First, a plurality of network packets is received from the internal network. Next, each packet is assigned to one of a plurality of network session groups according to its connection class. A detection comparison is then performed, which determines whether the packets placed in each session group contain content information. A confidential data comparison follows, which restores the content information of the packets into file form and compares it with the confidential policy information. Finally, blocking control is applied to the packets according to the result of the confidential data comparison.

With the system and method above working together with confidential data analysis, the management side can, on a confidential data leakage event, immediately block the packets and shut down the connection, so that confidential data being sent over the network is stopped. Combined with policy settings, this lets network administrators easily control the form and content of the data transmitted on each network segment and so protect confidential data.

The invention further provides a mechanism that warns the user immediately of a confidential data leak, so that a user who leaks confidential data by accident does not go on repeating the mistake unknowingly, reducing the damage of the leakage event.

1‧‧‧confidential data blocking system
10‧‧‧packet monitoring switch-router
11‧‧‧packet analysis unit
12‧‧‧network behavior detection unit
20‧‧‧data analysis audit server
30‧‧‧policy group dispatch server
S101~S104‧‧‧steps
S201~S209‧‧‧steps

FIG. 1 is a schematic diagram of the architecture of the confidential data blocking system based on packet analysis according to the present invention.

FIG. 2 is a block diagram of the architecture of the packet monitoring switch-router of the present invention.

FIG. 3 shows the confidential data blocking method based on packet analysis of the present invention.

FIG. 4 is a flowchart of an embodiment of the present invention.

Specific embodiments are described below to illustrate how the invention may be practised; they are not intended to limit the scope of protection sought.

Referring to FIG. 1, which shows the confidential data blocking system based on packet analysis of the present invention, the confidential data blocking system 1 comprises a packet monitoring switch-router 10, a data analysis audit server 20 and a policy group dispatch server 30; the router and both servers are implemented on ASUS™ rack-mount servers. The policy group dispatch server 30 stores confidential policy information, which records the characteristic values of the data whose transmission is to be blocked. The confidential policy information falls into five categories: keyword policy, file fingerprint policy, file similarity comparison policy, partial document comparison policy and personal data template policy. The content of the characteristic value differs by category: the characteristic value of a keyword policy is a set of words; that of a file fingerprint policy is the hash value of a file defined as confidential; that of a file similarity comparison policy is the common words of a file defined as confidential together with their weights; that of a partial document comparison policy is a checksum over a passage of text defined as confidential. The personal data template policy differs from the other four in that it has no characteristic value; it defines which personal data fields are controlled, the fields being name, national ID number, address, telephone number and date of birth, and the policy specifies which of these fields are placed under control. The data analysis audit server 20 is electrically connected to the policy group dispatch server 30 in order to access its confidential policy information. The packet monitoring switch-router 10 is electrically connected to the data analysis audit server 20; referring also to FIG. 2, the packet monitoring switch-router 10 further comprises a packet analysis unit 11 and a network behavior detection unit 12. The packet analysis unit 11 receives a plurality of network packets from the internal network of the users' operating environment and assigns each packet to one of a plurality of network session groups according to its connection class. The network behavior detection unit 12 is electrically connected to the packet analysis unit 11 and further performs a detection comparison, which determines whether the packets placed in each session group contain content information, and triggers the data analysis audit server 20 to perform a confidential data comparison; here content information describes whether the contents carried by the packets can be assembled into complete text. The confidential data comparison restores the content information of the packets into file form and compares it with the confidential policy information, and the network behavior detection unit 12 applies blocking control to each packet according to the result.
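The five policy categories above are described only by the shape of their characteristic values. The following is an added example, not Chunghwa Telecom's code, of how the audit server's comparison step can evaluate a reconstructed file against all five: keyword phrases by substring, file fingerprint by SHA-256 of the whole file, file similarity as the weighted fraction of the confidential file's common terms present, partial document by CRC32 checksums over 8-word windows of the confidential passage (so a copied fragment matches inside unrelated text), and the personal data template by field patterns. The hash and checksum algorithms, the 0.6 similarity threshold, the 8-word window, the telephone and date patterns, and the sample texts are all assumptions; name and address fields are left out because they need dictionaries. The national ID check includes the ROC checksum so that a random letter-plus-digits string does not trigger a block.

```python
"""Added example (not Chunghwa Telecom's code): the five policy checks run on a
reconstructed file. Policy shapes, thresholds and the PII patterns are assumptions."""
from __future__ import annotations

import hashlib
import re
import zlib
from dataclasses import dataclass, field

SHINGLE_WORDS = 8  # assumption: window size for the partial-document checksums


def _words(text: str) -> list[str]:
    return re.findall(r"\w+", text.lower())


def file_fingerprint(data: bytes) -> str:
    """File fingerprint policy: hash of the whole file as it left the sender."""
    return hashlib.sha256(data).hexdigest()


def passage_checksums(passage: str) -> set[int]:
    """Partial document policy: one checksum per SHINGLE_WORDS-word window of the
    confidential passage, so a copied fragment matches even inside other text."""
    w = _words(passage)
    return {zlib.crc32(" ".join(w[i:i + SHINGLE_WORDS]).encode())
            for i in range(len(w) - SHINGLE_WORDS + 1)}


@dataclass
class Policy:
    keywords: set[str] = field(default_factory=set)          # lower-case words or phrases
    fingerprints: set[str] = field(default_factory=set)      # sha256 hex digests
    term_weights: dict[str, float] = field(default_factory=dict)
    similarity_threshold: float = 0.6                        # assumption
    passage_checksums: set[int] = field(default_factory=set)
    pii_fields: set[str] = field(default_factory=set)        # subset of PII_PATTERNS keys


# ROC national ID: letter code, then the weighted digit sum must be divisible by 10.
_ID_LETTERS = {c: v for v, c in enumerate("ABCDEFGHJKLMNPQRSTUVXYWZIO", start=10)}


def valid_tw_national_id(s: str) -> bool:
    if not re.fullmatch(r"[A-Z][12]\d{8}", s):
        return False
    n = _ID_LETTERS[s[0]]
    digits = [n // 10, n % 10] + [int(c) for c in s[1:]]
    weights = [1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 1]
    return sum(d * w for d, w in zip(digits, weights)) % 10 == 0


# Name and address need dictionaries and are left out; these shapes are assumptions.
PII_PATTERNS = {
    "national_id": re.compile(r"\b[A-Z][12]\d{8}\b"),
    "phone": re.compile(r"\b09\d{8}\b|\(0\d\)\d{7,8}\b"),
    "birthday": re.compile(r"\b(?:19|20)\d{2}[-/](?:0?[1-9]|1[0-2])[-/](?:0?[1-9]|[12]\d|3[01])\b"),
}


def match_policy(data: bytes, policy: Policy) -> list[str]:
    """Return the policy categories the reconstructed file violates (empty = may pass)."""
    text = data.decode("utf-8", errors="ignore")
    lowered = text.lower()
    present = set(_words(text))
    hits: list[str] = []
    if any(k in lowered for k in policy.keywords):
        hits.append("keyword")
    if file_fingerprint(data) in policy.fingerprints:
        hits.append("file_fingerprint")
    if policy.term_weights:
        total = sum(policy.term_weights.values())
        score = sum(w for t, w in policy.term_weights.items() if t in present) / total
        if score >= policy.similarity_threshold:
            hits.append("file_similarity")
    if policy.passage_checksums & passage_checksums(text):
        hits.append("partial_document")
    for name in sorted(policy.pii_fields):
        for m in PII_PATTERNS[name].finditer(text):
            if name != "national_id" or valid_tw_national_id(m.group()):
                hits.append("pii:" + name)
                break
    return hits


# Constructed sample data, not taken from any real document.
CONFIDENTIAL_PLAN = (b"Project Falcon rollout plan: the northern branches migrate to the new "
                     b"billing platform in the second quarter, with a budget cap of 1.2 million.")
POLICY = Policy(
    keywords={"project falcon"},
    fingerprints={file_fingerprint(CONFIDENTIAL_PLAN)},
    term_weights={"falcon": 3.0, "budget": 2.0, "rollout": 2.0, "branches": 1.0},
    passage_checksums=passage_checksums(CONFIDENTIAL_PLAN.decode()),
    pii_fields={"national_id", "phone"},
)

if __name__ == "__main__":
    for sample in (CONFIDENTIAL_PLAN,
                   b"Heads up: the northern branches migrate to the new billing platform in the second quarter.",
                   b"Applicant A123456789, phone 0912345678"):
        print(match_policy(sample, POLICY))
```

The shingle approach is what makes the partial document policy useful: a single checksum over the whole passage would be defeated by quoting one sentence of it, whereas any 8-word run copied verbatim still matches. The file fingerprint, by contrast, breaks on any change to the file, which is why the page pairs it with the similarity and partial document policies.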

The detection comparison performed by the network behavior detection unit 12 parses the packet contents according to the protocol of the session group (for example SMTP or HTTP). The position of the content information inside the packets differs from protocol to protocol, so the start and end of the content information must be located according to the definition of each protocol, and the content information is written synchronously to a file. For example, employee A sends an e-mail from inside the enterprise to a partner vendor; the e-mail contains a body text and a PDF attachment. When the packet analysis unit 11 receives the packets it creates an SMTP session group; the network behavior detection unit 12 locates the start and end of the message body according to the SMTP protocol definition and writes the body to a text file (TXT), then parses the attachment's file name, locates the start and end of the attachment, and restores it to a PDF file from that information. It then triggers the data analysis audit server 20 to perform the confidential data comparison on the two files.

The connection class mentioned above comprises port number information, source Internet Protocol (IP) address information, network packet sequence number information or network protocol information (such as HTTP or FTP). Blocking control means delaying, discarding or blocking the transmission of the packets, or sending warning information to the sending end of the packets.

Referring now to FIG. 3, the confidential data blocking method based on packet analysis of the present invention is applied in a confidential data blocking system and comprises the following steps:

Step S101: receive a plurality of network packets from the internal network.

Step S102: assign each network packet to one of a plurality of network session groups according to its connection class.

Step S103: perform a detection comparison, which determines whether the packets placed in each session group contain content information.

Step S104: according to the result of the detection comparison, perform a confidential data comparison, which restores the content information of the packets into file form and compares it with the confidential policy information.

Step S105: apply blocking control to the packets according to the result of the confidential data comparison.

In the method above, the connection class comprises port number information, source Internet Protocol address information, network packet sequence number information or network protocol information. Blocking control means delaying, discarding or blocking the transmission of the packets, or sending warning information to the sending end of the packets.

Referring to FIG. 1 to FIG. 3 together, an embodiment of the invention is described. Referring again to FIG. 3, the implementation flow is as follows:

S201: after the packet monitoring switch-router 10 receives a plurality of network packets, the packet analysis unit 11 analyzes the connection class of each packet by analyzing the packet header information.

S202: classify each packet into the network session group it belongs to, for instance session group 1, session group 2, session group 3 and so on.

S203: determine for each session group whether it carries content information or a file being sent outward; if not, let the packets through and jump to S209; if so, continue with S204.

S204: analyze whether the content information of each session group can be assembled into a piece of text or a file.

S205: if the text or file cannot be assembled, let the packets through and jump to S209; if it can, continue with S206.

S206: before the transmission ends, the network behavior detection unit 12 restores and analyzes the packet contents in advance, reassembling them into a piece of text or a file, and triggers the data analysis audit server 20 to perform the confidential data analysis and comparison.

S207: compare the characteristics of the text or file against the confidential policy information defined inside the data analysis audit server 20, and decide from the result of the analysis whether the packets carry confidential data that must not be transmitted.

S208: if the packets carry confidential data whose transmission is controlled, discard the packets, delay or block their transmission, send warning information, or block the IP address that sent them.

S209: when the next batch of packets enters the packet monitoring switch-router 10, the packet analysis unit compares the connection class of the received packets with the connection classes of the existing session groups; if they match an existing session group, jump to S203 and repeat; if not, jump to S201 and repeat, establishing a new session group.

Compared with conventional techniques, the confidential data blocking system and method based on packet analysis provided by the present invention have the following advantages:

(1) The invention can predictively reassemble the transmitted information from the packet contents before the connection has ended, providing a network protection mechanism for blocking confidential data that differs from a proxy server.

(2) Unlike protection mechanisms that can only monitor and record network traffic, the invention detects the event before the packets have been delivered to their destination, so that, according to the administrator's decision, the data can be allowed through or blocked in time.

(3) When the invention detects a confidential data leakage event, the packet monitoring switch-router can immediately issue a leakage warning to the application on the user's side. If, for example, the user sends confidential data with mail software such as Outlook™, the packet monitoring switch-router directly returns a forged warning packet; Outlook™ treats it as a warning replied directly by the e-mail server, so the user receives the warning at the moment of the leak rather than waiting for a conventional protection mechanism to notify them by some other means.
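The flow S201 to S209 and advantage (3) describe the switch-router's side of the design: group packets into session groups, reassemble a group's stream, decide whether a complete piece of content exists yet, split it into the files the audit server compares, and answer the client with a forged server reply. The following is an added example, not Chunghwa Telecom's code, that does this for the plaintext SMTP case the page uses (employee A's e-mail with a PDF attachment). The connection class is the source address and port and destination address and port, protocol is classified by destination port, the `Packet` shape, the sequence-number handling and the wording of the 550 reply are assumptions, and the traffic is constructed in the block itself with the segments arriving out of order, one of them retransmitted, and interleaved with an unrelated HTTP session. The message is considered ready for comparison only when the client has sent the CRLF.CRLF terminator of the DATA block, which is also the moment the forged reply can be injected in place of the server's acknowledgement.

```python
"""Added example (not Chunghwa Telecom's code): session grouping, SMTP stream
reassembly, file extraction for the audit server, and the forged rejection reply.
Packet shape, port-based classification and the reply text are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from email import message_from_bytes
from email import policy as email_policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


SessionKey = Tuple[str, int, str, int]
PROTO_BY_PORT = {25: "SMTP", 80: "HTTP", 21: "FTP"}   # assumption: classify by destination port


def session_key(p: Packet) -> SessionKey:
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def classify(key: SessionKey) -> str:
    return PROTO_BY_PORT.get(key[3], "OTHER")


def group_sessions(packets: List[Packet]) -> Dict[SessionKey, List[Packet]]:
    """S201/S202/S209: a packet joins the group whose connection class it matches,
    otherwise a new group is created for it."""
    groups: Dict[SessionKey, List[Packet]] = defaultdict(list)
    for p in packets:
        groups[session_key(p)].append(p)
    return dict(groups)


def reassemble(pkts: List[Packet]) -> bytes:
    """Order payloads by sequence number and drop exact retransmissions.
    Gaps are not filled: a missing segment leaves the stream short."""
    stream, seen = bytearray(), set()
    for p in sorted(pkts, key=lambda p: p.seq):
        if p.seq not in seen:
            seen.add(p.seq)
            stream += p.payload
    return bytes(stream)


def extract_smtp_message(stream: bytes) -> Optional[bytes]:
    """S204/S205: the message exists only once the DATA block is terminated by
    CRLF.CRLF; before that the client is still transmitting and nothing is compared."""
    cmd = stream.find(b"DATA\r\n")
    if cmd < 0:
        return None
    start = cmd + len(b"DATA\r\n")
    end = stream.find(b"\r\n.\r\n", start)
    if end < 0:
        return None
    return stream[start:end].replace(b"\r\n..", b"\r\n.")   # undo SMTP dot-stuffing


def content_files(raw: bytes) -> Dict[str, bytes]:
    """S206: body text to a .txt, each attachment under its own file name."""
    msg = message_from_bytes(raw, policy=email_policy.default)
    files: Dict[str, bytes] = {}
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        files["body.txt"] = body.get_content().encode("utf-8")
    for part in msg.iter_attachments():
        files[part.get_filename() or "attachment.bin"] = part.get_payload(decode=True)
    return files


def forged_rejection() -> bytes:
    """Advantage (3): reply the switch-router injects toward the client so the mail
    program shows a server-side error at the moment of the leak. Wording assumed."""
    return b"550 5.7.1 Message blocked: confidential data policy violation\r\n"


def analyze(packets: List[Packet]) -> Dict[SessionKey, Optional[Dict[str, bytes]]]:
    """Run the flow over every session group; None means nothing is ready to compare yet."""
    result: Dict[SessionKey, Optional[Dict[str, bytes]]] = {}
    for key, pkts in group_sessions(packets).items():
        raw = extract_smtp_message(reassemble(pkts)) if classify(key) == "SMTP" else None
        result[key] = content_files(raw) if raw is not None else None
    return result


# --- constructed sample traffic (not a capture) -----------------------------------
def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "a@corp.example"
    msg["To"] = "vendor@partner.example"
    msg["Subject"] = "Plan"
    msg.set_content("Quarterly rollout plan attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample, not a real document",
                       maintype="application", subtype="pdf", filename="plan.pdf")
    return msg.as_bytes(policy=email_policy.SMTP)


def packetize(stream: bytes, key: SessionKey, mtu: int = 64, base_seq: int = 1000) -> List[Packet]:
    return [Packet(*key, base_seq + off, stream[off:off + mtu])
            for off in range(0, len(stream), mtu)]


SMTP_KEY: SessionKey = ("10.0.0.5", 40000, "10.0.0.25", 25)
HTTP_KEY: SessionKey = ("10.0.0.5", 40001, "10.0.0.80", 80)
_smtp = packetize(b"EHLO pc1\r\nMAIL FROM:<a@corp.example>\r\nRCPT TO:<vendor@partner.example>\r\n"
                  b"DATA\r\n" + build_sample_message() + b"\r\n.\r\nQUIT\r\n", SMTP_KEY)
# Out of order, one retransmitted segment, interleaved with another session.
SAMPLE_PACKETS = list(reversed(_smtp)) + [_smtp[3]] + packetize(
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n", HTTP_KEY)

if __name__ == "__main__":
    for key, files in analyze(SAMPLE_PACKETS).items():
        print(classify(key), key, None if files is None else {n: len(b) for n, b in files.items()})
```

Only the client-to-server direction is reassembled, because that is where the content travels; the server's own replies would be tracked separately in a real deployment. The example also shows the limit of the approach that the page leaves implicit: it works because the SMTP session is plaintext, and a session the router cannot read cannot be restored into a file for comparison.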

In summary, compared with the prior art this application provides the several effects described above and should fully satisfy the statutory requirements of novelty and inventive step for an invention patent. The application is filed in accordance with the law, and the Office is respectfully requested to grant this invention patent application so as to encourage invention.

The detailed description above is a specific description of one feasible embodiment of the present creation; the embodiment is not intended to limit the patent scope of the invention, and all equivalent implementations or modifications that do not depart from the spirit of the invention shall be included within the patent scope of this application.


Claims (6)

1. A confidential data blocking system based on packet analysis, comprising: a policy group dispatch server storing confidential policy information, the confidential policy information recording the characteristic values of data whose transmission is to be blocked; a data analysis audit server electrically connected to the policy group dispatch server; and a packet monitoring switch-router electrically connected to the data analysis audit server, the packet monitoring switch-router further comprising: a packet analysis unit that receives a plurality of network packets and assigns the network packets to one of a plurality of network session groups according to a connection class of each network packet; and a network behavior detection unit electrically connected to the packet analysis unit, the network behavior detection unit further performing a detection comparison that determines whether each network packet placed in each network session group contains content information, wherein the content information describes whether the contents carried by the network packets can be assembled into complete text, the network behavior detection unit further triggering the data analysis audit server to perform a confidential data comparison that restores the content information of the network packets into file form and compares it with the confidential policy information, and the network behavior detection unit applying blocking control to the network packets according to the result of the confidential data comparison.

2. The system of claim 1, wherein the confidential policy information further comprises a keyword policy, a file fingerprint policy, a file similarity comparison policy, a partial document comparison policy or a personal data template policy, wherein the characteristic value of the keyword policy is a set of keywords, the characteristic value of the file fingerprint policy is the hash value of a confidential file, the characteristic value of the file similarity comparison policy is the common words of a file defined as confidential together with their weights, the characteristic value of the partial document comparison policy is a checksum over a passage of text defined as confidential, and the personal data template policy is control information for personal data fields.

3. The system of claim 1, wherein the blocking control delays, discards or blocks the transmission of the network packets, or sends warning information to the sending end of the network packets.

4. A confidential data blocking method based on packet analysis, applied in a confidential data blocking system and comprising the steps of: receiving a plurality of network packets; assigning the network packets to one of a plurality of network session groups according to a connection class of each network packet; performing a detection comparison that determines whether each network packet placed in each network session group contains content information, wherein the content information describes whether the contents carried by the network packets can be assembled into complete text; according to the result of the detection comparison, performing a confidential data comparison that restores the content information of the network packets into file form and compares it with confidential policy information; and applying blocking control to the network packets according to the result of the confidential data comparison.

5. The method of claim 4, wherein the confidential policy information further comprises a keyword policy, a file fingerprint policy, a file similarity comparison policy, a partial document comparison policy or a personal data template policy, wherein the characteristic value of the keyword policy is a set of keywords, the characteristic value of the file fingerprint policy is the hash value of a confidential file, the characteristic value of the file similarity comparison policy is the common words of a file defined as confidential together with their weights, the characteristic value of the partial document comparison policy is a checksum over a passage of text defined as confidential, and the personal data template policy is control information for personal data fields.

6. The method of claim 4, wherein the blocking control delays, discards or blocks the transmission of the network packets, or sends warning information to the sending end of the network packets.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
TW102142385A        2013-11-21     2013-11-21   Information System and Its Method of Confidential Data Based on Packet Analysis (TWI520548B, en)

Publications (2)

Publication Number  Publication Date
TW201521407A        2015-06-01
TWI520548B          2016-02-01 (granted)

Family ID: 53935176; the family consists of the single application TW102142385A above.

Country Status: TW, TWI520548B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017064781A1 (en) * 2015-10-14 2017-04-20 株式会社アイキュエス Access management system, file access system, encryption device, and program
TWI647935B (en) * 2017-12-28 2019-01-11 中華電信股份有限公司 System and method for saving backbone bandwidth



Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees