TWI607338B - Storage device, data protection method therefor, and data protection system - Google Patents

Storage device, data protection method therefor, and data protection system

Publication number: TWI607338B
Authority: TW (Taiwan)
Application number: TW105122800A
Other languages: Chinese (zh)
Other versions: TW201804354A (en)
Inventors: 趙士賓, 黃建邦, 柯銘錡, 趙士銘
Original Assignee: 資富電子股份有限公司
Application filed by: 資富電子股份有限公司
Priority to: TW105122800A
Prior art keywords: storage device; file; data protection; electronic computing; computing device
Landscapes: Storage Device Security (AREA)

Description

Storage device, data protection method therefor, and data protection system

The invention relates to data protection technology for computers, and in particular to a storage device, a data protection method for the storage device, and a data protection system.

With the advance of information technology, the speed of information processing and exchange has brought great convenience and improvement to people's work, life and studies. However, the continual spread of computer viruses and malicious programs over networks and through data exchange, and the malicious loss of information they cause, has become a nightmare for modern users.

In addition, computer viruses actively infect external storage devices such as USB flash drives, memory cards and portable hardware. Once a computer is connected to a virus-infected storage device, the host itself becomes infected as well, causing serious damage. Because people often use the same storage device on different computers for work, personal or school needs, computer viruses can spread quickly this way and cause chain infections.

For this reason, the industry has developed a portable storage device with a stand-alone antivirus capability, as disclosed in U.S. Patent No. 7,975,304. That portable storage device includes a removable device interface and non-dynamic memory with a read-only partition and a regular storage partition. The read-only partition can contain a protection program that scans the data in the regular storage partition for viruses. Once the portable storage device is connected to a computer, if the computer allows autorun (that is, the computer allows execution of the program at the path recorded in the autorun.inf file on the storage device), the operating system automatically runs the read-only partition to start the protection program. If autorun is disabled on the computer, the user can start the protection program manually. The protection program scans only the data in the portable USB storage device; this advantageously allows a stand-alone, cost-effective and minimally invasive portable storage device.

However, this known portable storage device with stand-alone antivirus capability can run the protection program automatically only when autorun is allowed (that is, through the autorun.inf file). On operating systems still in use today, such as Microsoft Windows, the autorun function on platforms from Windows Vista, Windows 7 and Windows Server 2008 onward supports only CD and DVD media. When a user connects a USB device, network share or other non-CD/DVD media containing an autorun.inf file, the system does not run the protection program automatically. In other words, under current operating systems the protection program of the known storage device can only be started manually by the user. Moreover, whether the protection program is started manually or automatically, a virus already resident on the computer can take the opportunity to infect the portable storage device before the protection program has run.

Furthermore, the protection program scans only the data in the portable USB storage device. When the computer is attacked by a computer virus or malicious program from the network, the program cannot protect the whole computer system in time, and the portable USB storage device is even more likely to become infected. The known USB storage device therefore still has an information security hole and is not sufficient to keep the data in the USB storage device safe.

In addition, so-called "ransomware" has now appeared. Ransomware (Cryptolocker, CryptoWall and others), also called "kidnapping virus" or "rogue virus", mainly intrudes by sending e-mail containing malicious code under a sensational or enticing subject line, luring recipients to open it; once the message is opened and clicked, the malicious program is downloaded and executed automatically. For example, the malicious program encrypts non-system files such as jpg, pdf, mp3, doc and txt files on the storage devices of the computer system into .crypl files, and even the computer's antivirus software cannot solve this problem. The ransomware then displays a ransom note demanding payment and threatens that the user must pay within a short time (such as 3 days), otherwise the key will be destroyed and the user will never be able to decrypt the files. There is also the ZCRYPT ransomware family, which attempts to spread via USB flash drives.

Therefore, a data security technology for external storage devices is urgently needed, so that users can store data safely without being infected by computer viruses or spreading them.

In view of this, the storage device, data protection method and data protection system of the present invention can effectively prevent the encrypted data in the storage device from being held for ransom or infected by malware, can prevent malware from spreading to other non-encrypted storage devices, and can perform at least one of, for example, active/passive monitoring, virus scanning, virus removal and related disinfection actions on the storage device and on all memory devices (such as system memory) of the electronic computing device to which the storage device is connected. For example, the storage device has a built-in, actively started antivirus and encryption/decryption engine and a dynamically partitioned encrypted data space.

According to one aspect of the present invention, a data protection method for a storage device is provided, comprising a startup step, a monitoring step and a file access step. The startup step includes: when a storage device is connected to the data interface of an electronic computing device, loading at least one core module of the operating system of the electronic computing device and thereby starting the data protection program stored in the storage device. The monitoring step is performed by the at least one core module and the data protection program and includes: (a1) for any accessed file in the electronic computing device, monitoring the accessed file, the access source process corresponding to the accessed file, and the related program modules/subprograms of the access source process to determine whether there is an anomaly; (b1) if step (a1) determines that at least one of the accessed file, the access source process, and the related program modules/subprograms of the access source process is anomalous, disabling the anomalous one; if there is no anomaly, allowing it through. The file access step is performed by the at least one core module and the data protection program and includes: (a2) performing identity verification and determining accordingly whether access to encrypted files in the storage device is permitted; (b2) when the electronic computing device accesses the encrypted file, monitoring the encrypted file by means of the monitoring step. Based on the above steps, the data protection method performs at least one of monitoring, virus scanning and virus removal on the storage device and on all memory devices of the electronic computing device.

In one embodiment, if the identity verification passes, access to encrypted files in the storage device is permitted; if the identity verification does not pass, the operating system cannot access the encrypted files.

In one embodiment, the data protection method further includes: producing a detection and handling result from the at least one of monitoring, virus scanning and virus removal that the method performs, based on the above steps, on the storage device and all memory devices of the electronic computing device. For example, in some embodiments, at least one handling action among active or passive monitoring, virus scanning, virus removal and related disinfection actions may be performed on the storage device (such as its encrypted files) and on all memory devices in the electronic computing device (built-in or external memory devices such as system memory), producing detection and handling results; these results may also be collectively called "detection, prevention and removal" results.

In one embodiment, the data protection method further includes: generating record data of the detection, prevention and removal results based on the detection and handling result, and storing the record data in the storage device.

In one embodiment, the data protection method further includes: determining whether the electronic computing device can establish a communication link with a remote server and, if so, transmitting the record data of the detection, prevention and removal results to the server.

According to another aspect of the present invention, a storage device is provided that is a computer-readable and writable recording medium. The storage device stores at least a data protection program; after an electronic computing device loads the data protection program, it can carry out the data protection method of any of the foregoing embodiments. The storage device is, for example, any readable and writable recording medium such as a USB flash drive, SD memory card, portable hard disk, solid-state drive or rewritable DVD.

In one embodiment of the storage device, the storage device includes: a data interface for electrically coupling to an electronic computing device; and a memory unit coupled to the data interface and used to store at least the data protection program.

According to another aspect of the present invention, a data protection system is provided, comprising the electronic computing device and the storage device of any of the foregoing embodiments.

In one embodiment of the data protection system, the data protection system further includes a server, wherein the electronic computing device determines whether it can establish a communication link with the remote server. If so, it transmits the record data of the detection, prevention and removal results (active/passive monitoring, virus scanning, virus removal and related disinfection actions) to the server; if not, it stores that record data in the storage device.

10: electronic computing device
20: storage device
30: network
40: server
110: processing unit
120: input device
130: display unit
140: local memory device
150: memory unit
151: operating system
153: core module
160: data interface
170: communication interface
210: memory unit
220: control unit
230: data interface
240: data protection program
241: antivirus engine module
242: auxiliary antivirus engine module
243: encryption/decryption module
245: file synchronization module
247: recording module
249: data update module

FIG. 1 shows a schematic block diagram of one embodiment of a data protection system in which a storage device is connected to an electronic computing device.

FIG. 2 shows a schematic block diagram of one embodiment of the storage device.

FIG. 3 shows a schematic block diagram of one embodiment of the data protection method.

FIG. 4 shows a schematic block diagram of another embodiment of the data protection system.

FIG. 5 shows a schematic block diagram of one embodiment of a software architecture for implementing the data protection method.

FIG. 6 shows a schematic block diagram of one embodiment of a software architecture for implementing the data protection method.

Several embodiments of the storage device, its data protection method and the data protection system are given below to illustrate implementations of different aspects of the present invention.

The following embodiments disclose the storage device, its data protection method and the data protection system. For example, they can effectively prevent the encrypted data in the storage device from being held for ransom or infected by malware, can prevent malware from spreading to other non-encrypted memory devices, and can perform any of active/passive monitoring, virus scanning, virus removal and related disinfection actions on all memory devices (such as system memory and hard disks) of the electronic computing device (such as a laptop, desktop or smart device) to which the storage device is connected. For example, the storage device has a built-in, actively started data protection program (such as an antivirus and encryption/decryption engine) and a dynamically partitioned encrypted data space.

In some embodiments, the data protection program of the storage device can also synchronize with files stored on the computer, so as to make a secure backup of the data on the computer.

In addition, in some embodiments, the data protection program of the storage device can store records of file accesses in the storage device and/or transmit those records to a remote server 40 through the communication interface of the computer to which the storage device is connected, for example for further recording and monitoring of data security.

FIG. 1 shows a schematic block diagram of one embodiment of a data protection system in which a storage device is connected to an electronic computing device. As shown in FIG. 1, the electronic computing device 10 is an electronic device with computing capability, for example a computer such as a server 40, blade server 40, industrial computer, personal computer, notebook computer or tablet, or a mobile device such as a mobile phone, or more generally any electronic device or equipment that can execute programs, such as any electronic device or equipment containing an embedded system, for example a machine used in industrial manufacturing or control. Thus, for example, as shown in FIG. 1, the electronic computing device 10 may include a processing unit 110, an input device 120, a display unit 130, a local memory device 140, a memory unit 150 and a data interface 160. The data interface 160 is, for example, a connector able to connect to (or access) any readable and writable recording medium such as a USB flash drive, SD memory card, portable hard disk, solid-state drive or rewritable DVD. However, the present invention places no limitation on the architecture and components of the electronic computing device.

In addition, the storage device 20 can be any readable and writable recording medium, such as a USB flash drive, SD memory card, portable hard disk, solid-state drive or rewritable DVD. For example, FIG. 2 shows a schematic block diagram of one embodiment of the storage device 20. As shown in FIG. 2, the storage device 20 includes a memory unit 210, a control unit 220 and a data interface 230, where the memory unit 210 and the data interface 230 are electrically coupled to the control unit 220. For example, the memory unit 210 is non-volatile memory such as flash memory; the data interface 230 is a USB or memory card data interface electrically coupled to the control unit 220; and the control unit 220 processes access requests received from the data interface 230 and accesses data in the memory unit 210 accordingly. As this embodiment shows, the storage device may be any of various storage devices external to the electronic computing device; however, the present invention does not require the storage device to be external, so the invention can also be applied to internal storage devices.

In addition, as shown in FIG. 2, the memory unit 210 of the storage device 20 stores at least the data protection program 240. When the storage device 20 is connected to the data interface 160 of the electronic computing device 10, the core module 153 of the electronic computing device 10 and the data protection program 240 of the storage device 20 are loaded by the operating system 151, so as to perform actions such as file access monitoring or antivirus scanning on the storage device 20 and on all memory devices of the electronic computing device 10 (such as the memory unit 150 and the local memory device 140). For example, the data protection program 240 can be implemented to monitor critical system areas in real time, such as system memory, startup objects and boot sectors; the user can also use the data protection program 240 to manually scan specified files or directories.

In addition, the memory unit 210 of the storage device 20 also provides an encrypted data space 250 and protects the user's data by identity verification (for example with a password), so it can be called an "encrypted disk". In other words, when the electronic computing device 10 writes a file to the storage device 20, the file must be encrypted by the core module 153 and/or the data protection program 240; when the electronic computing device 10 reads an encrypted file in the storage device 20, the file must be decrypted by the core module 153 and/or the data protection program 240. Encryption and decryption are performed, for example, based on the identity verification conditions (such as a password, other verification conditions, other credential conditions, or any combination of these) using at least one of RSA-2048, RSA-4096, AES-128, AES-256 and the like; however, the encryption and decryption used in implementing the present invention are not limited to these examples.

Furthermore, before the storage device 20 has logged in to the operating system 151 of the electronic computing device 10, the encrypted space 250 of the storage device 20 is hidden from the operating system 151 of the electronic computing device 10; a computer virus cannot find the hidden "encrypted disk" and therefore cannot infect the storage device 20 or hold it for ransom. After the storage device 20 has logged in to the operating system 151 of the electronic computing device 10, the core module 153 and the data protection program 240 perform file access monitoring to protect the "encrypted disk" and the electronic computing device 10. Thus the dual protection provided by the antivirus monitoring of the core module 153 and the data protection program 240 and by the "encrypted disk" effectively prevents computer viruses from infecting the "encrypted disk" and also guards against ransomware.

Embodiments of the data protection method are further disclosed below. FIG. 3 shows a schematic block diagram of one embodiment of the data protection method. In the embodiment shown in FIG. 3, the data protection method of the storage device 20 includes at least steps S10, S20 and S30. In practice, the core module 153 and the data protection program 240 can be implemented on the basis of this data protection method to achieve the dual protection of antivirus monitoring and the "encrypted disk" described above.

In FIG. 3, in the startup step shown as step S10, when the storage device 20 is connected to the data interface of the electronic computing device 10, the core module 153 of the operating system 151 of the electronic computing device 10 is loaded and the data protection program 240 stored in the storage device 20 is started accordingly. Here the core module 153 is, for example, a driver, a dynamic-link library (DLL), a shared library, or any program module used by the operating system or kernel. A person of ordinary skill in the art will also understand that the core module 153 described herein may be implemented as one or more core modules as the implementation requires; the same applies to the data protection program 240 described herein.

In the monitoring step shown as step S20, at least the core module 153 and the data protection program 240 monitor any accessed file in the electronic computing device 10 and apply further antivirus handling to anomalous files.

For example, step S20 may include the following steps. In step S210 of FIG. 3, for any accessed file in the electronic computing device 10, the accessed file, the access source process corresponding to the accessed file, and the related program modules/subprograms of the access source process are monitored to determine whether there is an anomaly. In step S220 of FIG. 3, if step S210 determines that at least one of the accessed file, the access source process, and the related program modules/subprograms of the access source process is anomalous, the anomalous one is disabled. If there is no anomaly, it is allowed through, as shown in step S230, where allowing through means permitting the execution of the process or module, or any of its actions, requests, accesses or other operations. For example, in the above steps, any accessed file in the electronic computing device 10 may include at least: files that a program or the operating system is about to access (files to be accessed) and files currently being accessed.

In the file access step shown as step S30, at least the core module 153 and the data protection program 240 determine whether to allow an access request from the electronic computing device 10 to the encrypted space 250 in the storage device 20; step S20 is used to monitor the files accessed in the encrypted space 250 of the storage device 20. Here, storing an encrypted file means encrypting the file and then saving it; retrieving an encrypted file means decrypting the file and then reading it out.

For example, step S30 may include the following steps. In step S310 of FIG. 3, identity verification is performed to determine whether access to encrypted files in the storage device 20 is permitted. In step S320 of FIG. 3, if the identity verification passes (for example, the password entered by the user is correct and matches the one already held in the system), access to encrypted files in the storage device 20 is permitted, and when the electronic computing device 10 accesses the encrypted file, the encrypted file is monitored by the monitoring step shown as step S20. In step S330 of FIG. 3, if the identity verification does not pass (for example, the password is incorrect), the electronic computing device 10 is not allowed to access the encrypted file.
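The ordering of steps S20 and S30 described above can be modelled in a few lines of Python. This is an added illustration, not code from the patent or its assignee: the class and function names, the hash-set anomaly test, the PBKDF2 password verifier and all sample byte strings are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample signature set; the byte string is made up for this example.
KNOWN_BAD = {digest(b"constructed-malicious-sample")}


@dataclass
class Subject:
    """A file, a process image, or a module loaded by a process."""
    name: str
    content: bytes


@dataclass
class AccessEvent:
    target: Subject                               # the accessed file
    source: Subject                               # the access source process
    modules: list = field(default_factory=list)   # its related modules/subprograms


def monitor(event: AccessEvent):
    """S210-S230: check all three kinds of object and disable the anomalous ones."""
    subjects = [event.target, event.source, *event.modules]
    flagged = [s.name for s in subjects if digest(s.content) in KNOWN_BAD]
    return ("disable", flagged) if flagged else ("allow", [])


class EncryptedSpace:
    """Hypothetical model of the S30 gate in front of the encrypted space."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self._unlocked = False
        self.records = []                         # detection results kept on the device

    def _derive(self, password: str) -> bytes:
        # Assumption: a salted PBKDF2 verifier stands in for "the password held in the system".
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def authenticate(self, password: str) -> bool:
        """S310: identity verification (password only in this sketch)."""
        self._unlocked = hmac.compare_digest(self._derive(password), self._verifier)
        return self._unlocked

    def access(self, event: AccessEvent) -> str:
        """S320/S330: deny without authentication, otherwise run S20 on the access."""
        if not self._unlocked:
            self.records.append(("deny", event.target.name, ["not authenticated"]))
            return "deny"
        verdict, flagged = monitor(event)
        self.records.append((verdict, event.target.name, flagged))
        return verdict


def demo():
    clean_file = Subject("report.doc", b"constructed document bytes")
    editor = Subject("editor.exe", b"constructed editor image")
    bad_module = Subject("injected.dll", b"constructed-malicious-sample")
    space = EncryptedSpace("correct horse")
    results = [space.access(AccessEvent(clean_file, editor))]        # before login
    space.authenticate("wrong guess")
    results.append(space.access(AccessEvent(clean_file, editor)))    # S330: still denied
    space.authenticate("correct horse")
    results.append(space.access(AccessEvent(clean_file, editor)))    # S320: allowed
    # A clean file opened by a clean process is still blocked if a loaded module is anomalous.
    results.append(space.access(AccessEvent(clean_file, editor, [bad_module])))
    return results, space.records


if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

The last case is the one that distinguishes this flow from scanning the file alone: the verdict depends on the process and its modules as well as on the file being opened.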

For example, the format or file system of the encrypted files (or encrypted space 250) accessed in the storage device 20 is implemented to differ from the file systems used by the operating system 151 (such as Windows, Mac or Linux), for example FAT, exFAT, NTFS, HFS, HFS+, ext2, ext3, ext4, ISO9660, ODS-5 or UDF, so the operating system 151 cannot tell that the storage device 20 contains encrypted files (or the encrypted space 250). In other words, the encrypted files (or encrypted space 250) in the storage device 20 are "hidden" from the operating system 151. Therefore, by performing step S320, if the identity verification passes, access to the encrypted files (or encrypted space 250) in the storage device 20 is permitted, and when the electronic computing device 10 accesses the encrypted file, the encrypted file is monitored by the monitoring step shown as step S20. In practice, an encryption/decryption module in the core module 153 and/or the data protection program 240 can be used to read or write the encrypted file. When the identity verification does not pass, as in step S330, the operating system 151 cannot tell that the storage device 20 contains encrypted files (or the encrypted space 250). Therefore, whether or not the identity verification passes, and even if a computer virus has already invaded the electronic computing device 10, the virus cannot go on to infect, damage or hold for ransom the encrypted files (or encrypted space 250) in the storage device 20. In addition, the format or file system of the encrypted files (or encrypted space 250) in the storage device 20 is, for example, a new file system or file format produced by changing one or more parameters of any of the aforementioned file systems or file formats (such as FAT, exFAT, NTFS, HFS, HFS+, ext2, ext3, ext4, ISO9660, ODS-5 or UDF). The new file system or file format is thus incompatible with the known file systems or file formats, and using it for the encrypted files leaves the operating system 151 unable to tell that the storage device 20 contains encrypted files. However, the format of the encrypted files (or encrypted space 250) of the present invention, or the way its file system is implemented, is not limited to this example and may be realized in other ways. In addition, the storage space holding the data protection program 240 is separate from the encrypted space 250, and the file format or file system of that storage space can be implemented so that the electronic computing device 10 can read it, or read and write it.

In addition, in other embodiments of the present invention, the verification of step S30 may be implemented with other forms of identity verification such as biometrics (for example fingerprint, face, iris, or fingerprint vein), or password verification may be combined with other verification methods to decide whether access is permitted. In some embodiments, a credential card may also be used for identity verification. In some embodiments, biometric and password verification may be carried out using the processing unit 110 of the electronic computing device 10 together with a built-in or external camera, fingerprint recognition device, and/or other biometric device of the electronic computing device 10. The verification of step S30 is therefore not limited to password verification; for instance, the user may also use a credential card or a credential object (a wristband or any other object) through a credential card reader and/or credential reader built into or attached to the electronic computing device 10. Furthermore, encryption and decryption are performed, for example, on the basis of the identity verification conditions (such as a password, other verification conditions, other credential conditions, or any combination of these) using at least one of RSA-2048, RSA-4096, AES-128, AES-256, and the like; however, the encryption and decryption methods used when implementing the present invention are not limited to these examples.

In one embodiment, at least two threads may be created in the operating system 151 of the electronic computing device 10 to implement step S20 and step S30 respectively, so that the two steps execute concurrently; in this way the dual protection of antivirus monitoring and the "encrypted disk" described above is achieved and runs in parallel.

In addition, in some embodiments, step S20 may further include blocking programs and/or script-language files that execute automatically in the storage device 20, to prevent malware and viruses from spreading.

In one embodiment, after step S220, additional processing may be performed on anything found to be abnormal (also called an abnormal object), for example disinfecting or quarantining the abnormal object, or deleting it once the user has confirmed.

In one embodiment, after step S320, the data protection method may further include a file synchronization step. The file synchronization step includes: receiving a file synchronization instruction, and encrypting the selected files of the electronic computing device 10 together with their paths and storing them in the storage device 20. In an implementation, the data protection program 240 may be designed to provide a graphical user interface or a command interface for setting the conditions of the file synchronization, such as the synchronization time and the synchronization direction (which of the electronic computing device 10 and the storage device 20 is the source). The user thereby obtains the effect of a secure backup. For example, when a selected file in the electronic computing device 10 is damaged or accidentally deleted, it can be restored to the electronic computing device 10 through the synchronization function of the storage device 20. As another example, when the electronic computing device 10 is hijacked by a computer virus while the storage device 20 is not in use, the backup data on the "encrypted disk" can be synchronized back to the electronic computing device 10 to restore the hijacked files.

In addition, in some embodiments, the results of detection, virus prevention, or disinfection (hereinafter "detection and antivirus") may be recorded and/or transmitted to the server 40 for data security management of the storage device 20. In one of these embodiments, based on any embodiment of FIG. 3, step S210 is implemented to include: monitoring any accessed file in the electronic computing device 10 to produce a first monitoring result; and monitoring the access source process corresponding to the accessed file, together with the related process modules and/or sub-processes of that access source process, to produce a second monitoring result. In another of these embodiments, at least one of the storage device 20 and all the memory devices (such as system memory) of the electronic computing device 10 to which the storage device 20 is connected may be subjected to at least one of active or passive monitoring, virus scanning, disinfection, and related cleaning actions, producing detection processing results; these results may be referred to collectively as "detection, prevention and disinfection" results. For example, a detection, prevention and disinfection result may be at least one of the name, identifier, path, or operating behavior of the file or process (which may be called an object), whether it is abnormal, and so on. In one of these embodiments, based on any embodiment of FIG. 3, the method includes: generating record data of the detection, prevention and disinfection results from the detection processing results and storing it in the storage device 20. The record data is not limited to the detection, prevention and disinfection results and may include other information as well.

In some embodiments, the record data of the detection, prevention and disinfection results may further be transmitted to the server 40 for data security management of the storage device 20. For example, FIG. 4 shows another embodiment of the data security system, which includes the storage device 20, the electronic computing device 10, and the server 40. The storage device 20 establishes a communication link with the server 40 through the electronic computing device 10 and a network, and the server 40 may be regarded as another electronic computing device 10. One of these embodiments may be based on the data protection method shown in FIG. 3 and further include: determining whether the electronic computing device 10 to which the storage device 20 is connected can establish a communication link with the server 40; if so, transmitting the record data of the detection, prevention and disinfection results to the server 40 for data security management of the storage device 20; if not, storing the record data in the storage device 20. For example, the record data may be stored in the storage space where the data protection program 240 resides or in the encrypted space of the storage device 20. In another of these embodiments, the data protection method may further include: having, for example, the data protection program 240 and/or the core module 153 send the detection, prevention and disinfection results (for example, results generated in real time or already stored in the storage device 20) back to the server 40 at a fixed interval (such as every 3, 5, 10, or 15 minutes, or every hour) or at certain times (such as 9:00, 12:00, and 20:00).

These embodiments also make it easier to manage the data security of a plurality of storage devices 20. As shown in FIG. 4, a plurality of storage devices 20, 21 with a built-in data protection program 240 can each, according to any of the above embodiments, record the detection, prevention and disinfection results in the storage device 20, 21, or transmit them to the server 40 when the electronic computing device 10 is able to establish a communication link with the server 40. An administrator can then analyze and assess the results received by the server 40, for example to warn or log the user of a storage device 21 that poses an information security risk, or to have the data protection program 240 and/or the core module 153 issue a warning or block further access to the files in the storage device 21. Moreover, even if data is leaked, the results identify the storage device 20 involved, the computer it was connected to, and even the related data, allowing further tracing. However, the implementation of the present invention is not limited to the above examples; for instance, the data protection program 240 and/or the core module 153 may be used to realize any embodiment in which monitoring record data is transmitted to the server 40.
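An added example (not code from the patent) of the reporting flow described above: a record goes straight to the server when the link is up, otherwise it is kept on the storage device and forwarded oldest-first on the next scheduled flush, including the case where the link drops partway through. The class and function names, the JSON-lines spool file, and the sample records are assumptions.

```python
import json
import os
import tempfile


class DetectionLog:
    """Keeps detection records on the storage device and forwards them to the server."""

    def __init__(self, spool_path, send):
        self.spool_path = spool_path  # hypothetical spool file on the storage device
        self.send = send              # callable(record); raises ConnectionError if unreachable

    def _read_spool(self):
        if not os.path.exists(self.spool_path):
            return []
        with open(self.spool_path, encoding="utf-8") as handle:
            return [json.loads(line) for line in handle if line.strip()]

    def _write_spool(self, records):
        # Write a temporary file and rename it, so an interrupted write
        # does not truncate the records already spooled.
        tmp_path = self.spool_path + ".tmp"
        with open(tmp_path, "w", encoding="utf-8") as handle:
            for record in records:
                handle.write(json.dumps(record) + "\n")
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp_path, self.spool_path)

    def report(self, record):
        """Send immediately only if nothing older is waiting; otherwise spool."""
        pending = self._read_spool()
        if not pending:
            try:
                self.send(record)
                return "sent"
            except ConnectionError:
                pass
        pending.append(record)
        self._write_spool(pending)
        return "spooled"

    def flush(self):
        """Run on the schedule: forward oldest first, keep whatever was not delivered."""
        pending = self._read_spool()
        sent = 0
        try:
            for record in pending:
                self.send(record)
                sent += 1
        except ConnectionError:
            pass
        self._write_spool(pending[sent:])
        return sent


class FakeServer:
    """Constructed stand-in for the server; can go offline or drop mid-transfer."""

    def __init__(self):
        self.online = False
        self.drop_after = None  # number of sends accepted before the link drops
        self.received = []

    def send(self, record):
        if not self.online or self.drop_after == 0:
            self.online = False
            raise ConnectionError("server unreachable")
        if self.drop_after is not None:
            self.drop_after -= 1
        self.received.append(record)


def make_record(number, path, abnormal):
    # Constructed sample record: identifier, object path, operation, verdict.
    return {"id": number, "device": "DEVICE-ID-PLACEHOLDER", "object": path,
            "operation": "write", "abnormal": abnormal}


def demo():
    server = FakeServer()
    with tempfile.TemporaryDirectory() as folder:
        log = DetectionLog(os.path.join(folder, "detections.jsonl"), server.send)
        states = [log.report(make_record(n, f"/docs/file{n}.txt", n == 2))
                  for n in (1, 2, 3)]                # host has no link to the server
        server.online, server.drop_after = True, 2   # link comes up, drops after 2 sends
        flushed = [log.flush()]
        server.online, server.drop_after = True, None
        states.append(log.report(make_record(4, "/docs/file4.txt", False)))
        flushed.append(log.flush())
        states.append(log.report(make_record(5, "/docs/file5.txt", False)))
        return {"states": states, "flushed": flushed,
                "received_ids": [r["id"] for r in server.received],
                "left_on_device": len(log._read_spool())}


if __name__ == "__main__":
    print(demo())
```

Record 4 is spooled even though the server is reachable, because record 3 is still waiting on the device; sending it directly would reorder the audit trail the administrator relies on for tracing.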

Various implementations of the data protection method are further illustrated below by example; however, the implementation of the present invention is not limited to them.

The following discusses how the core module 153 is implemented.

In the embodiment shown in FIG. 3, the core module 153 is already present or installed in the operating system 151 of the electronic computing device 10 before the storage device 20 is connected to the electronic computing device 10. The details differ between operating systems 151. On Microsoft Windows, for example, the core module 153 is a driver with the .sys extension installed under the Windows\System32\drivers directory, implemented for instance with the Windows Driver Model (WDM), the Windows Driver Foundation (WDF), or the operating system's application programming interfaces (APIs). On Apple's Mac OS X, the core module 153 can be implemented with the APIs of the I/O Kit framework. On Google's Android operating system, the core module 153 can be implemented with the APIs of the Hardware Abstraction Layer (HAL) and user space. However, the implementation of the core module 153 of the present invention is not limited to the above examples; the core module 153 may also be implemented on other operating systems (such as Unix, the various versions of Linux, other real-time operating systems, or the operating systems of embedded systems) and/or with other APIs.

In addition, the core module 153 monitors the write or read operations on any file in the operating system 151, along with the programs and program modules related to that file. For example, the core module 153 monitors the accessed file, the access source process corresponding to the accessed file, and the related process modules and sub-processes of that access source process. In other words, what the core module 153 monitors includes file access on all the memory devices connected to the electronic computing device 10, such as the main memory unit (main memory and the like), local storage devices (hard disks, optical drives, and the like), and peripheral storage devices (flash drives, external hard disks, and the like). The core module 153 may therefore also be called a "file monitoring driver". For example, the core module 153 monitors the file or folder operations of any program in the electronic computing device 10 (such as the File Management Functions of the Windows operating system, for example ReadFile( ), WriteFile( ), CreateFile( ), OpenFile( ), and Close( )), and further uses the APIs of the operating system 151 to trace back or look up the caller, so that the access source process corresponding to the accessed file and the related process modules and sub-processes of that access source process are monitored as well. However, the implementation of the core module 153 of the present invention is not limited to the above examples; the core module 153 may implement additional functions and may be changed as needed, for example to control file access to the storage device 20, to determine whether the file or process module is abnormal, or to provide other functions.

The following discusses how the core module 153 and the data protection program 240 are actively started, and the effect of quickly starting the dual protection of antivirus monitoring and the "encrypted disk".

In the operating system 151, information on the association between the core module 153, the storage device 20, and the data protection program 240 of the storage device 20 has already been established, for example as a set comprising the paths and file names of the core module 153 and the data protection program 240 and the identifier of the storage device 20, and this information is recorded in the operating system 151. Accordingly, in the startup step of step S10, the operating system 151 of the electronic computing device 10 loads the core module 153 and starts the data protection program 240 through it.

Furthermore, as described above, after the storage device 20 has logged in to the operating system 151 of the electronic computing device 10, the data protection program 240 monitors file access to protect the "encrypted disk" and the electronic computing device 10. That is, as soon as the operating system 151 detects that the storage device 20 has been inserted into or connected to the electronic computing device 10, it actively starts the core module 153 and the data protection program 240 according to the association information linking the storage device 20, the core module 153, and the data protection program 240 of the storage device 20, so that the dual protection of antivirus monitoring and the "encrypted disk" is achieved and runs in parallel.

The data protection method can therefore start the dual protection of antivirus monitoring and the "encrypted disk" quickly and actively when the storage device 20 is connected to the electronic computing device 10, so that a virus already resident on the computer cannot take the opportunity to infect the storage device 20 before the protection program has been executed. By contrast, when a conventional portable storage device 20 with stand-alone antivirus capability that relies on autorun.inf is inserted into a computer, its protection program is started passively, either waiting for the operating system 151 to allow it or waiting for the user to click it. This gives a virus already resident on the computer the opportunity to infect the portable storage device 20 before its protection program has been executed.

The following discusses embodiments concerning the installation of the core module 153.

Other embodiments of the data protection method of the present invention concern the case where the storage device 20 is connected to an electronic computing device on which the core module 153 has not yet been installed. These embodiments can be regarded as based on any embodiment of FIG. 3 and further including, before the startup step S10, an installation step that comprises installing the core module 153 into the operating system 151 of the electronic computing device 10. One way to install the core module 153 is as follows: after the storage device 20 is connected to an electronic computing device 10, the data protection installer in the storage device 20, which contains the core module 153, is started manually and installs the core module 153. After the installation step, the startup step of step S10 can then be carried out to load the core module 153 and start the data protection program 240 through it.

However, the present invention is not limited to the installation method of this example and can be realized in other ways. For example, the user may download from the network, or obtain by other means, the data protection installer containing the core module 153 and install it, ready for use when the storage device 20 holding the data protection program 240 is connected. Alternatively, the operating system 151, or a customized operating system 151, may be built so that the core module 153 is resident in it, or is already present in it and loaded when needed. In short, the core module 153 can be installed in the operating system 151 of the electronic computing device 10 by any means, after which any embodiment based on FIG. 3 can be carried out, so that the dual protection of antivirus monitoring and the "encrypted disk" is started quickly when the storage device 20 is connected to the electronic computing device 10.

The following discusses how the data protection program 240 uses the core module 153.

As for step S20 shown in FIG. 3, in one embodiment the core module 153 can be used to monitor, for any accessed file in the electronic computing device 10, the accessed file itself, the access source process corresponding to the accessed file, and the related process modules and sub-processes of that access source process. The data protection program 240 can then be used to determine whether those files, programs, and so on are abnormal. In an implementation, the core module 153 may be designed to return the detection, prevention and disinfection results directly to the data protection program 240, or the data protection program 240 may call the API of the core module 153; for instance, the pseudo code of Table 1 below illustrates this:

However, the implementation of the present invention is not limited to this example and may be realized in other ways.

The following discusses how the antivirus engine is implemented.

For the data protection program 240 to detect and prevent computer viruses effectively, it must determine whether the object being monitored (hereinafter the object under test) is abnormal. In some embodiments, the data protection program 240 uses at least two antivirus engines for virus protection. To that end, a virus pattern database is compared against the object under test, and/or the behavior or operations of the object under test are analyzed, to determine whether the object under test is abnormal.

In one embodiment, the virus pattern database is stored in the storage device 20. Once the data protection program 240 is running on the electronic computing device 10, if it determines that it can connect to a remote source of virus patterns (such as the server 40 of an antivirus engine company), it can update the virus pattern database, once or periodically, and store it in the storage device 20. The antivirus engine of the data protection program 240 compares the virus pattern database (comparable to the fingerprints of many computer viruses) with the object under test to determine whether the object contains computer virus code and is therefore abnormal.

In addition, the antivirus engine of the data protection program 240 can analyze the behavior or operations of the object under test to determine whether it is abnormal. The patterns of such behaviors or operations can be supplied as a database that serves as the basis for the analysis, or they can be implemented as code or modules in the antivirus engine, to determine whether the object under test is abnormal. For example, the antivirus engine can determine whether the object under test performs a behavior or operation that writes to some critical region (such as a critical system region: system memory, startup objects, or the boot sector). The behavior or operations of the object under test can be traced or monitored by the core module 153 described above and fed back to the antivirus engine, as illustrated by the pseudo code of Table 1.

For example, the function called by the object under test, the API name or identifier, and the source and destination locations to be accessed can all be captured by the core module 153 and expressed in encoded form. For instance, the set [1024, 1000, 2000, 10000] represents a behavior or operation of the object under test and can be read as: call the function with identifier 1024 (for example, a file copy function) to copy 2000 blocks at position 1000 of the logical memory space of the operating system 151 into the memory space beginning at position 10000. If position 10000 lies within some critical region, the behavior or operation of the object under test is abnormal. Once the behaviors or operations of the object under test are encoded in this way, they can be compared and analyzed with logical operations. The patterns of such abnormal behaviors or operations can also be recorded in a table for use, as shown in Table 2. Repeated or multi-step behaviors or operations of the object under test can be encoded, analyzed, and judged in the same way.
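The following added example (not code from the patent) works through the encoding described above: each operation is a four-element record [call identifier, source position, length, destination position], and a write-type call is flagged when its destination range overlaps a critical region. The region boundaries, the call identifiers 1025 and 2048, and every sample record other than [1024, 1000, 2000, 10000] are constructed assumptions, since the page does not reproduce Table 2.

```python
from dataclasses import dataclass

CALL_COPY = 1024    # the page's example: a file copy function
CALL_WRITE = 1025   # hypothetical identifier for a plain write call
CALL_READ = 2048    # hypothetical identifier for a read call

# Calls that modify their destination; reads are never flagged here.
WRITE_CALLS = {CALL_COPY, CALL_WRITE}

# Constructed critical regions of the logical address space, standing in for
# the pattern table: (name, first position, position just past the end).
CRITICAL_REGIONS = [
    ("boot-sector", 0, 512),
    ("system-memory", 9000, 12000),
    ("startup-objects", 50000, 51000),
]


@dataclass(frozen=True)
class Operation:
    call_id: int
    source: int
    length: int
    destination: int


def decode(record):
    """Turn an encoded record into an Operation, rejecting malformed input."""
    if len(record) != 4:
        raise ValueError(f"expected 4 fields, got {len(record)}")
    if any(not isinstance(value, int) or value < 0 for value in record):
        raise ValueError(f"fields must be non-negative integers: {record!r}")
    return Operation(*record)


def touched_regions(op):
    """Names of critical regions that the written range overlaps.

    The whole range [destination, destination + length) is tested, not only
    its first position, so a write that starts outside a region and runs
    into it is still caught.
    """
    if op.call_id not in WRITE_CALLS or op.length == 0:
        return []
    start, end = op.destination, op.destination + op.length
    return [name for name, low, high in CRITICAL_REGIONS
            if start < high and low < end]


def analyse(records):
    """Check a sequence of encoded operations; return (index, call, regions)."""
    findings = []
    for index, record in enumerate(records):
        op = decode(record)
        hits = touched_regions(op)
        if hits:
            findings.append((index, op.call_id, hits))
    return findings


# Constructed trace of one object under test. Only the first record is taken
# from the page.
SAMPLE_TRACE = [
    [1024, 1000, 2000, 10000],  # page's example: lands inside system-memory
    [1024, 1000, 2000, 20000],  # same copy to an ordinary location
    [1024, 100, 600, 49500],    # starts below startup-objects, runs into it
    [2048, 0, 512, 0],          # read call pointed at the boot sector
    [1025, 300, 512, 512],      # write that begins exactly where boot-sector ends
]

if __name__ == "__main__":
    for index, call_id, regions in analyse(SAMPLE_TRACE):
        print(f"operation {index}: call {call_id} writes into {', '.join(regions)}")
```

The third record is the case a start-position-only comparison misses: position 49500 is not critical, but 600 blocks written from there reach position 50000.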

FIG. 5 is a schematic block diagram of one embodiment of a software architecture for implementing the data protection method. The software architecture includes the core module 153 and the data protection program 240. As shown in FIG. 5, the data protection program 240 may include an antivirus engine module 241, an encryption/decryption module 243, a file synchronization module 245, and a recording module 247. As illustrated in FIG. 5, the core module 153 monitors the file management requests coming from the operating system 151, that is, the various file-handling requests such as copy, read, write, and delete (which may also be regarded as API or function calls), and works with the antivirus engine module 241 to determine whether anything is abnormal.

FIG. 6 is a schematic block diagram of one embodiment of a software architecture for implementing the data protection method. The software architecture includes the core module 153 and the data protection program 240. As shown in FIG. 6, the data protection program 240 may include an antivirus engine module 241, an auxiliary antivirus engine module 242, an encryption/decryption module 243, a file synchronization module 245, a recording module 247, and a data update module 249. As illustrated in FIG. 5, the core module 153 monitors the file management requests coming from the operating system 151, that is, the various file-handling requests such as copy, read, write, and delete (which may also be regarded as API or function calls), and works with the antivirus engine module 241 and the auxiliary antivirus engine module 242 to determine whether anything is abnormal. In one embodiment, an antivirus engine that is commercially available, or that offers an API for customization, may be used as the antivirus engine module 241, for example one that scans for viruses mainly by means of a virus pattern database; an auxiliary antivirus engine module 242 is built in addition to judge the behavior or operations of files, for example scanning for abnormal behaviors or operations in the manner described for Table 2 and the related examples. Using two antivirus engine modules, or even a plurality of them, brings the strengths of each engine into play and greatly strengthens the antivirus effectiveness of the data protection program 240. The data update module 249 can be used to update the virus pattern database and/or to transmit the detection, prevention and disinfection results to the server 40.

Furthermore, the software architecture of the data protection method of the present invention can be implemented in ways other than the embodiments of FIG. 4 or FIG. 5 above. In some embodiments, a plurality of core modules may be implemented: building on the core module 153 of FIG. 4 or FIG. 5, at least one of the modules that originally belong to the data protection program 240 in FIG. 4 or FIG. 5, such as the encryption/decryption module 243, the file synchronization module 245, the recording module 247, and the data update module 249, may instead be implemented as one or more core modules. Other software architectures can be produced in this way. In some embodiments, for example, the software architecture of the data protection method includes the data protection program 240 and a plurality of core modules, where the data protection program 240 includes at least the antivirus engine module 241 and/or the auxiliary antivirus engine module 242, and the core modules include at least the core module 153 and the encryption/decryption module 243. In other embodiments, the software architecture of the data protection method includes the data protection program 240 and a plurality of core modules, where the data protection program 240 includes at least the antivirus engine module 241 and the auxiliary antivirus engine module 242, and the core modules include at least two of the core module 153, the encryption/decryption module 243, the file synchronization module 245, the recording module 247, and the data update module 249. However, the implementation of the software architecture of the data protection method of the present invention is not limited to the above embodiments; as long as any embodiment of the data protection method can be realized, the various programs and core modules may be arranged or combined in any way to produce a specific software architecture.

In addition to providing encryption and decryption, the encryption/decryption module 243 can, in one embodiment, use a virtual disk driver to present the contents of the encrypted space 250 in the storage device 20. A virtual disk emulates a disk drive using random access memory. The system therefore contains a virtual disk driver which, like any other driver, accepts input/output requests; every command is processed directly on the memory allocated as the virtual disk. The allocated memory may be the system's main memory, or it may be random access memory on an add-in interface card.

The different embodiments above disclose a storage device, a data protection method therefor, and a data protection system. For example, once the storage device is connected to an electronic computing device, it can effectively prevent the encrypted data in the storage device from being held for ransom or infected by malware, can prevent malware from spreading to other, non-encrypted memory devices, and can perform any of active or passive monitoring, virus scanning, virus removal, and related disinfection actions on the storage device and on all storage devices of the electronic computing device (such as system memory). In addition, as described in one of the embodiments above, the encrypted file (or encrypted space) in the storage device is "hidden" from the operating system. Therefore, whether or not the user's identity verification passes, and even if a computer virus has already invaded the electronic computing device, the virus cannot go on to infect, destroy, or hold for ransom the encrypted file (or encrypted space) in the storage device, so the storage device helps make a secure backup of the data in the computer. In some embodiments, record data may further be stored in the storage device or sent back to the server, for use in data security management of the storage device.

In summary, the present invention has been illustrated by the embodiments above, but it is not limited to these embodiments. Those of ordinary skill in the art to which the invention pertains may make various changes and modifications without departing from the spirit and scope of the invention; for example, the technical contents illustrated in the foregoing embodiments may be combined or altered into new embodiments, which are of course also regarded as part of the present invention. Accordingly, the scope of protection sought in this application also includes the claims set out below and the scope they define.

S10, S20, S30‧‧‧steps

S210-S230‧‧‧steps

S310-S330‧‧‧steps

Claims (8)

1. A data protection method for a storage device, comprising: a startup step, comprising, when a storage device is connected to a data interface of an electronic computing device, loading at least one core module of the operating system of the electronic computing device and thereby starting a data protection program in the storage device; a monitoring step, performed by at least the at least one core module and the data protection program, comprising: (a1) monitoring any accessed file in the electronic computing device, the access source process corresponding to the accessed file, and the related process modules/subroutines of the access source process, so as to determine whether there is an anomaly; and (b1) if step (a1) determines that at least one of the accessed file, the access source process, and the related process modules/subroutines of the access source process is anomalous, disabling the anomalous one, and if there is no anomaly, allowing the access; a file access step, performed by the at least one core module and the data protection program, comprising: (a2) performing identity verification and determining accordingly whether to permit access to an encrypted file located in an encrypted space in the storage device; if the identity verification passes, permitting access to the encrypted file in the storage device; if the identity verification does not pass, the operating system is unable to access the encrypted file; wherein the format of the encrypted file or its file system is implemented to be different from the file system used by the operating system, so that the operating system cannot know that the storage device contains an encrypted file; and (b2) when the electronic computing device accesses the encrypted file, monitoring the encrypted file by means of the monitoring step; and a file synchronization step: when the identity verification passes, receiving a file synchronization instruction, and encrypting a selected file in the electronic computing device together with its path and storing them in the storage device; wherein the data protection method, based on the above steps, performs at least one of monitoring, virus scanning, and virus removal on the storage device and all memory devices of the electronic computing device.

2. The data protection method of claim 1, further comprising: generating a detection processing result according to the at least one of monitoring, virus scanning, and virus removal that the data protection method performs, based on the above steps, on the storage device and all memory devices of the electronic computing device.

3. The data protection method of claim 2, further comprising: generating record data based on the detection processing result and storing the record data in the storage device.

4. The data protection method of claim 3, further comprising: determining whether the electronic computing device can establish a communication link with a remote server, and if so, transmitting the record data to the server.

5. A storage device, being a computer-readable and writable recording medium, the storage device storing at least a data protection program, wherein after an electronic computing device loads the data protection program, the data protection method of any one of claims 1 to 4 can be performed.

6. The storage device of claim 5, wherein the storage device comprises: a data interface for electrically coupling to the electronic computing device; and a memory unit coupled to the data interface and used to store at least the data protection program.

7. A data protection system, comprising: an electronic computing device; and a storage device, comprising: a data interface for electrically coupling to the electronic computing device; and a memory unit coupled to the data interface, the memory unit storing at least a data protection program; wherein: when the data interface of the storage device is connected to the electronic computing device, the electronic computing device loads at least one core module in the operating system of the electronic computing device and thereby starts the data protection program; the at least one core module and the data protection program are used to monitor any accessed file in the electronic computing device, the accessed file, the access source process corresponding to the accessed file, and the related process modules/subroutines of the access source process, so as to determine whether there is an anomaly; if there is an anomaly, the anomalous ones among them are disabled, and if there is no anomaly, the access is allowed; the at least one core module and the data protection program are used to: perform identity verification and determine accordingly whether to permit access to an encrypted file located in an encrypted space in the storage device; if the identity verification passes, the electronic computing device permits access to the encrypted file in the storage device; if the identity verification does not pass, the electronic computing device is unable to access the encrypted file; when the electronic computing device accesses the encrypted file, the core module and the data protection program also monitor the encrypted file; and when the identity verification passes, receive a file synchronization instruction, and encrypt a selected file in the electronic computing device together with its path and store them in the storage device; wherein the format of the encrypted file or its file system is implemented to be different from the file system used by the operating system, so that the operating system cannot know that the storage device contains an encrypted file.

8. The data protection system of claim 7, wherein the electronic computing device is used to perform, by means of the at least one core module and the data protection program, at least one of monitoring, virus scanning, and virus removal on the storage device and all memory devices of the electronic computing device, and to generate a detection processing result; the data protection system further comprises a server, wherein the electronic computing device is used to determine whether the electronic computing device can establish a communication link with the server, and if so, to transmit record data generated based on the detection processing result to the server; if not, to store the record data in the storage device.
TW105122800A 2016-07-19 2016-07-19 Storage device, data protection method therefor, and data protection system TWI607338B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW105122800A TWI607338B (en) 2016-07-19 2016-07-19 Storage device, data protection method therefor, and data protection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW105122800A TWI607338B (en) 2016-07-19 2016-07-19 Storage device, data protection method therefor, and data protection system

Publications (2)

Publication Number Publication Date
TWI607338B true TWI607338B (en) 2017-12-01
TW201804354A TW201804354A (en) 2018-02-01

Family

ID=61230699

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105122800A TWI607338B (en) 2016-07-19 2016-07-19 Storage device, data protection method therefor, and data protection system

Country Status (1)

Country Link
TW (1) TWI607338B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI734038B (en) * 2017-12-05 2021-07-21 開曼群島商創新先進技術有限公司 Method and device for identifying abnormal data access
TWI769038B (en) * 2021-08-04 2022-06-21 林長毅 Method for preventing data kidnapping and related computer program

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111832085A (en) 2019-04-17 2020-10-27 鸿富锦精密电子(天津)有限公司 Data protection device and method
TWI715011B (en) * 2019-04-17 2021-01-01 鴻齡科技股份有限公司 Data protection device and method
US11755423B2 (en) * 2022-02-10 2023-09-12 Vinpower Inc. Mobile device for protecting data stored in data backup device and data protection method thereof

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201209622A (en) * 2010-08-20 2012-03-01 Digi Link Electronics Corp Application method of movable memory device
TW201305842A (en) * 2011-07-29 2013-02-01 Lionic Corp Method and apparatus for securing storage devices by real-time monitoring file system
CN102930892A (en) * 2012-09-19 2013-02-13 无锡华御信息技术有限公司 Multifunctional safe U disk
US20150244798A1 (en) * 2014-02-27 2015-08-27 Clevx, Llc Data storage system with removable device and method of operation thereof

Also Published As

Publication number Publication date
TW201804354A (en) 2018-02-01

Similar Documents

Publication Publication Date Title
US9852289B1 (en) Systems and methods for protecting files from malicious encryption attempts
US10169586B2 (en) Ransomware detection and damage mitigation
EP3374922B1 (en) Systems and methods for protecting backed-up data from ransomware attacks
TWI607338B (en) Storage device, data protection method therefor, and data protection system
US8474032B2 (en) Firewall+ storage apparatus, method and system
US8887295B2 (en) Method and system for enabling enterprises to use detachable memory devices that contain data and executable files in controlled and secure way
US9432397B2 (en) Preboot environment with system security check
KR20010109271A (en) System And Method For Providing Data Security
US11403180B2 (en) Auxiliary storage device having independent recovery area, and device applied with same
CN112269547B (en) Active and controllable hard disk data deleting method and device without operating system
CN110647744A (en) Identifying and extracting key hazard forensic indicators using object-specific file system views
JP4023654B2 (en) Application monitoring method and program
US11520886B2 (en) Advanced ransomware detection
US20170011218A1 (en) Computer security system and method
US8429429B1 (en) Computer security system and method
CN104361298B (en) The method and apparatus of Information Security
CN111711656A (en) Network edge storage device with safety function
KR101290852B1 (en) Apparatus and Method for Preventing Data Loss Using Virtual Machine
RU119910U1 (en) BUILT-IN TSM SECURITY MODULE
US20220374534A1 (en) File system protection apparatus and method in auxiliary storage device
CN117763585A (en) Encryption method, system, terminal and storage medium of secret-related special equipment
US20180217943A1 (en) Automatic Encryption of Failing Drives
KR101415403B1 (en) System and method for providign secure space being shared