TWI579726B - Method for recording operation history, and method and system for managing information security - Google Patents
- Publication number: TWI579726B
- Authority: TW (Taiwan)
- Prior art keywords: data, screen, user host, intercepting, picture
- Landscapes: Debugging And Monitoring (AREA)
Description
The present invention relates to an information security management method, and in particular to an information security management method suitable for use within an enterprise.
Now that the Internet is ubiquitous and has developed dramatically, data has become much easier to obtain. In earlier times, people looking for information might have had to consult many books at a library before finding what they needed. Today, they can simply sit at home, connect to a portal website, type in keywords, and obtain a great deal of relevant information. Although the Internet makes life more convenient, the flip side is that information is becoming less and less confidential.
Information security management in a typical enterprise has two main aspects. One is guarding against external intrusion, such as malicious programs or hackers. To guard against external intrusion, an enterprise can set up a firewall or install anti-virus or anti-hacking software. The other is guarding against leaks by internal employees. Techniques for preventing internal leaks fall roughly into two categories: prohibitive blocking and flexible management.
Prohibitive blocking means closing every channel through which information could leak, for example prohibiting external storage devices, blocking users from most external websites, and prohibiting instant messaging software. However, this kind of precaution sometimes provokes a backlash from employees and lowers morale. It may also reduce the enterprise's operating efficiency. For these reasons, some enterprises now use flexible management to prevent data leakage.
Conventional flexible management monitors every terminal host in the enterprise from a remote monitoring host. The monitoring includes periodically capturing the picture displayed on the terminal host's screen. The administrator can then judge from the captured pictures whether an employee has leaked information that must not be leaked.
However, this approach does not suit large enterprises. A large enterprise has many employees and therefore a very large number of terminal hosts. In other words, the volume of captured screen data to be stored is enormous, so very large storage devices are needed to hold it, which raises hardware cost. Even with storage that large, the administrator can hardly find the needed information in such a mass of data, so the precaution is ineffective.
In view of this, the present invention provides a method for recording operation history that can record how a user operates a user host.
The present invention also provides an information security management method that can manage the operation history of a user host without requiring a large amount of storage space.
In addition, the present invention provides an information security management system that can efficiently guard against information leakage.
The present invention provides a method for recording operation history that can be used on a user host on which an operating system is installed. The recording method captures the picture displayed on the user host at a first preset time point to produce first screen capture data, and determines whether a redraw event occurs on the picture displayed by the user host. If a redraw event occurs, the method intercepts the content of at least one string output command that the operating system issues for the redraw event. After the redraw event, the method also captures the picture displayed on the user host at a second preset time point, later than the first preset time point, to produce second screen capture data. The second screen capture data can then be compared by intersection with the first screen capture data to find where the two differ. Next, the method records at least one of the first screen capture data and the second screen capture data, and records the content of the string output command that corresponds to the location where the second screen capture data differs from the first.
From another point of view, the present invention also provides an information security management method that can be used on a user host on which an operating system is installed. The management method includes detecting whether the user host has been started. When the user host is started, timing begins. Each time a first preset time elapses, the picture displayed on the user host is captured to produce first screen capture data, and the method detects whether a redraw event occurs on the picture displayed by the user host. When a redraw event is detected, the content of at least one string output command that the operating system issues for the redraw event is intercepted. After the redraw event, once a second preset time has elapsed since the first screen capture data was obtained, the method also captures the picture displayed on the user host to produce second screen capture data. The second screen capture data can then be compared by intersection with the first screen capture data to find where the two differ. Next, from the content of the string output command that corresponds to the differing location, the characters entered into the user host are obtained and input character capture data is produced. When the input character capture data matches one of a plurality of preset keywords, at least one of the first screen capture data and the second screen capture data is stored for an administrator to review.
Conversely, when the input character capture data matches none of the preset keywords, the first screen capture data and the second screen capture data are deleted.
In one embodiment of the present invention, the content of the string input instruction includes the starting coordinates of the input string on the user host's screen, the length and width of the input string, and the content of the input string.
From another point of view, the present invention further provides an information security management system that can manage a user host. The information security management system includes a connection module, a control module and a management tool. The connection module connects to the user host through a network. The control module is coupled to the connection module and monitors the user host through it. The management tool is connected to the control module so that, once the user host is found to be powered on, it captures the picture displayed on the user host each time a first preset time elapses, producing first screen capture data. If a redraw event then occurs on the picture displayed on the user host, the management tool intercepts the content of at least one string output command generated by the operating system and captures the picture displayed on the user host again to produce second screen capture data. The second screen capture data can then be compared by intersection with the first screen capture data to find where the two differ. Next, from the content of the string output command that corresponds to the differing location, the characters entered into the user host are obtained and input character capture data is produced. The management tool then decides, based on the input character capture data, whether to store the first screen capture data and the second screen capture data.
Because the present invention stores the corresponding screen capture data only when the captured input character capture data matches one of the preset keywords, it does not require large storage devices. For the same reason, it also helps the administrator judge more accurately and more efficiently whether a leak has occurred.
To make the above and other objects, features and advantages of the present invention easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
FIG. 1 is a block diagram of an information security management system according to a preferred embodiment of the present invention. Referring to FIG. 1, the information security management system 100 of this embodiment can connect to a user host 160 through a network 150. In this embodiment, the information security management system 100 is implemented with a server, a personal computer, a portable computer or a tablet computer. The network 150 can be a wired or wireless network, for example a local area network.
The information security management system 100 of this embodiment includes a control module 102, a connection module 104 and a management tool 106. The connection module 104 connects to the network 150 and, through the network 150, to the user host 160. The control module 102 is connected to the management tool 106 and coupled to the connection module 104. The control module 102 can thereby monitor the user host 160 through the network 150.
In some embodiments, the information security management system 100 also has a storage unit 110, such as a hard disk or flash memory, which can be coupled to the control module 102. In some embodiments, the management tool 106 can be implemented in software, which can be stored in the storage unit 110 and is used to record a user's operation history on the user host 160. A database 112 can also be installed in the storage unit 110 and connected to the management tool 106. The database 112 can hold a plurality of preset keywords, which the administrator can define.
Still referring to FIG. 1, the user host 160 can also be a personal computer, a portable computer or a tablet computer. The user host 160 can be coupled to a screen 162 and a keyboard 164. In some embodiments, the screen 162 and the keyboard 164 are external peripheral devices. In other embodiments, the screen 162 and the keyboard 164 are built into the user host 160. When the user host 160 is started, the control module 102 notifies the management tool 106. The management tool 106 then captures, through the network 150 and at a first preset time point, the picture displayed on the screen 162 of the user host 160, and produces first screen capture data.
After obtaining the first screen capture data, the management tool 106 also detects whether a redraw event occurs on the picture displayed on the screen 162 of the user host 160. A redraw event is what happens when the user performs any operation on the screen 162 of the user host 160: the operating system installed on the user host 160 responds to the user's operation by redrawing the picture displayed on the screen 162.
FIGS. 2A to 2C are schematic diagrams of a user entering characters on a portal website. Referring to FIGS. 2A to 2C together with FIG. 1, when the user operates the user host 160 to connect to a portal website, the web page 200 of the portal website is displayed on the screen 162. Suppose the user types the character "N" into the keyword input field 202 of the web page 200 at a first time point (FIG. 2A), types another "N" into the keyword input field 202 at a second time point (FIG. 2B), and types a further "N" into the keyword input field 202 at a third time point (FIG. 2C). The operating system of the user host 160 then redraws the part of the screen 162 that corresponds to the keyword input field 202 at the first, second and third time points, so that the keyword input field 202 shows "N", "NN" and "NNN" respectively. If, on the other hand, the user uses the mouse to move the whole page 200 of the portal website on the screen 162, the operating system of the user host 160 redraws the entire area of the screen 162.
When the operating system of the user host 160 redraws the picture displayed on the screen 162, it issues a string output command, for example TextOut or TextOutW. Therefore, when the management tool 106, on obtaining the screen capture data, detects that a redraw event has occurred on the screen 162 of the user host 160, it intercepts the content of at least one string output command issued by the operating system of the user host 160. In some embodiments, the management tool 106 intercepts the string output commands by means of a hook application provided on the user host 160. The management tool 106 then records the content of the string output command, for example the starting coordinates on the screen of the character data entered into the user host 160, the length and width of that character data, and its content. In FIGS. 2A to 2C, the contents of the string output commands entered into the user host 160 are "N", "NN" and "NNN" respectively.
After a redraw event has occurred on the picture displayed on the screen 162 of the user host 160, the management tool 106 also captures the picture displayed on the screen 162 again at a second preset time point, later than the first preset time point, and produces second screen capture data. The management tool then compares the first and second screen capture data by intersection to find where they differ. The management tool 106 can thereby record the content of the string output command that corresponds to the location where the two captures differ, producing input character capture data. Next, the management tool 106 compares the input character capture data with the preset keywords in the database 112.
For example, suppose the first screen capture data obtained by the management tool 106 at the first time point is the picture shown in FIG. 2A, and the second screen capture data obtained at the second time point is the picture shown in FIG. 2C. When the management tool 106 compares the two captures by intersection, it finds that they differ in the area of the keyword input field 202. The management tool 106 then records the content of the string output command that corresponds to the area of the keyword input field 202, producing the input character capture data.
The intersection comparison of the first and second screen capture data can also be limited to the area of the focus window in the two captures. The focus window is the topmost window in the picture displayed on the screen 162 of the user host 160. When several windows are open on a display, the topmost one is the window currently in use, and it is defined here as the focus window.
In other embodiments, after the management tool 106 obtains the first screen capture data, it also detects whether the keyboard 164 of the user host is in use. When the management tool 106 detects that the keyboard 164 of the user host 160 has been used after the first screen capture data was obtained, it waits for a delay time, that is, until the second time point described above, and then captures the picture displayed on the screen 162 to produce the second screen capture data.
If the management tool 106 finds that the input character capture data matches one of the preset keywords held in the database 112, it stores the screen capture data in the storage unit 110 for the administrator to review. In some embodiments, the management tool 106 also stores the input character capture data in the storage unit 110. Conversely, if the management tool 106 finds that the input character capture data matches none of the preset keywords in the database 112, it deletes the screen capture data it obtained.
In some embodiments, when the management tool 106 finds that the input character capture data matches one of the preset keywords, it can also call the control module 102 to generate a notification message for the administrator. The notification message is, for example, a voice notification, an audio notification, or a notification dialog displayed on the screen of the information security management system 100.
FIGS. 3A and 3B are flow charts of the steps of an information security management method according to a preferred embodiment of the present invention. Referring first to FIG. 3A, the management method of this embodiment can be applied to a user host. First, as described in step S302, the method determines whether the user host has been powered on. When the user host is powered on (the "Yes" branch of step S302), step S304 is performed: timing starts, so that each time a first preset time elapses the picture displayed on the user host is captured to produce first screen capture data, which is step S306. Next, as described in step S308, the method determines whether a redraw event occurs on the picture displayed by the user host.
If, in step S308, the management method finds after obtaining the first screen capture data that a redraw event has occurred on the picture displayed by the user host (the "Yes" branch of step S308), step S310 is performed: the content of the string output command that the operating system of the user host generates for the redraw event is intercepted. In addition, as described in step S312, once a second preset time has elapsed since the first screen capture data was obtained, the method captures the picture displayed by the user host again to produce second screen capture data. Because the string output command content obtained in step S310 may be very large, it needs to be filtered further to find the data that is actually needed.
Therefore, referring to FIG. 3B, the method can now perform step S314: the first and second screen capture data are compared by intersection to find where they differ. The management method can then, as described in step S312, record the content of the string output command that corresponds to the location where the two captures differ, producing input character capture data. In this way the required string output command content is obtained.
Next, as described in step S318, the method determines whether the input character capture data matches any of a plurality of preset keywords. If the input character capture data matches none of the preset keywords (the "No" branch of step S318), step S320 is performed: the first and second screen capture data are deleted. The input character capture data is, of course, deleted as well. Conversely, if the input character capture data matches one of the preset keywords (the "Yes" branch of step S318), then, as described in step S322, the screen capture data is stored for the administrator to review. In some embodiments, the input character capture data is also stored for the administrator to analyze.
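The retention decision of steps S314 to S322, together with the focus-window comparison described earlier, modeled as an added example (not code from the patent). Captures are small character grids standing in for pixels, the `TextOutRecord` fields follow the recorded contents named in the description, and the substring keyword match, sample frames, records and keywords are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Box = Tuple[int, int, int, int]  # left, top, right, bottom (inclusive cells)


@dataclass(frozen=True)
class TextOutRecord:
    """One intercepted string output command: start coordinates, size, content."""
    x: int
    y: int
    width: int
    height: int
    text: str

    def box(self) -> Box:
        return (self.x, self.y, self.x + self.width - 1, self.y + self.height - 1)


def diff_region(first: Sequence[str], second: Sequence[str],
                focus: Optional[Box] = None) -> Optional[Box]:
    """Bounding box of the cells that differ between two captures (S314).

    If focus is given, only cells inside that window are compared.
    Returns None when the compared area is identical.
    """
    if len(first) != len(second) or any(len(a) != len(b) for a, b in zip(first, second)):
        raise ValueError("captures must have the same dimensions")
    if not first:
        return None
    left, top, right, bottom = focus or (0, 0, len(first[0]) - 1, len(first) - 1)
    changed = [(x, y)
               for y in range(top, bottom + 1)
               for x in range(left, right + 1)
               if first[y][x] != second[y][x]]
    if not changed:
        return None
    xs = [x for x, _ in changed]
    ys = [y for _, y in changed]
    return (min(xs), min(ys), max(xs), max(ys))


def overlaps(a: Box, b: Box) -> bool:
    return a[0] <= b[2] and b[0] <= a[2] and a[1] <= b[3] and b[1] <= a[3]


def input_capture(records: Sequence[TextOutRecord], region: Optional[Box]) -> List[str]:
    """Contents of the string output commands drawn inside the differing region."""
    if region is None:
        return []
    return [r.text for r in records if overlaps(r.box(), region)]


def decide(first, second, records, keywords, focus=None):
    """Return ("store", keyword) or ("delete", None) for a capture pair (S318-S322).

    Assumption: a keyword matches when it is a case-insensitive substring.
    """
    for text in input_capture(records, diff_region(first, second, focus)):
        for keyword in keywords:
            if keyword.lower() in text.lower():
                return ("store", keyword)
    return ("delete", None)


def frame(field: str, clock: str) -> List[str]:
    """Constructed 24x3 capture: title bar with clock, search field, news line."""
    return [
        "Portal".ljust(19) + clock,                       # clock at x=19..23, y=0
        ("Search: [" + field.ljust(12) + "]").ljust(24),  # field text at x=9..20, y=1
        "News: markets steady".ljust(24),
    ]


# Constructed sample data: two captures and the commands intercepted between them.
FIRST = frame("pay", "09:00")
SECOND = frame("payroll-2012", "09:01")
FOCUS: Box = (0, 1, 23, 2)  # focus window covers the search and news rows only
RECORDS = [
    TextOutRecord(19, 0, 5, 1, "09:01"),                  # clock outside the focus window
    TextOutRecord(9, 1, 4, 1, "payr"),                    # field after one more keystroke
    TextOutRecord(0, 2, 20, 1, "News: markets steady"),   # repaint with unchanged content
    TextOutRecord(9, 1, 12, 1, "payroll-2012"),           # field as shown in SECOND
]
KEYWORDS = ["blueprint", "payroll"]

if __name__ == "__main__":
    print(diff_region(FIRST, SECOND, FOCUS))
    print(decide(FIRST, SECOND, RECORDS, KEYWORDS, FOCUS))
```

The unchanged news repaint never reaches the keyword check because it lies outside the differing region, which is the filtering that keeps the intercepted command stream manageable.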
In summary, when the present invention captures the picture of the user host, it also captures the character data entered into the user host and uses that data to decide whether to store the screen capture data. The invention can therefore flexibly monitor remote user hosts without requiring large storage devices. In addition, the administrator does not have to review large amounts of irrelevant data, and only needs to review the screen capture data that corresponds to input character capture data matching the preset keywords. The invention therefore also allows the user to judge more efficiently and more accurately whether information has leaked.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.
100: Information security management system
102: Control module
104: Connection module
106: Management tool
110: Storage unit
112: Database
150: Network
160: User host
162: Screen
164: Keyboard
200: Web page
202: Keyword input field
S302, S304, S306, S308, S310, S312, S314, S316, S318, S322: Steps of the information security management method
FIG. 1 is a block diagram of an information security management system according to a preferred embodiment of the present invention.
FIGS. 2A to 2C are schematic diagrams of a user entering characters on a portal website.
FIGS. 3A and 3B are flow charts of the steps of an information security management method according to a preferred embodiment of the present invention.
S302, S304, S306, S308, S310, S312: Steps of the information security management method
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW101101002A TWI579726B (en) | 2012-01-10 | 2012-01-10 | Method for recording operation history, and method and system for managing information security |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201329772A (en) | 2013-07-16 |
TWI579726B (en) | 2017-04-21 |
Family
ID=49225753
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI579726B (en) |
-
2012
- 2012-01-10 TW TW101101002A patent/TWI579726B/en active