
CN102254117B - Virtualized technology-based data anti-disclosure system - Google Patents


Info

Publication number: CN102254117B
Authority: CN (China)
Prior art keywords: data, module, file, data anti-disclosure
Legal status: Expired - Fee Related (the legal status is an assumption by Google, not a legal conclusion)
Application number: CN2011101895392A
Other languages: Chinese (zh)
Other versions: CN102254117A (en)
Inventors: 胡建斌 (Hu Jianbin), 李鹏 (Li Peng)
Current assignee: Hu Jianbin, Li Peng (as listed by Google; may be inaccurate)
Original assignee: Individual
Priority date: 2011-07-07 (an assumption by Google, not a legal conclusion)
Filing date: 2011-07-07
Publication dates: 2011-11-23 (CN102254117A), 2013-10-02 (CN102254117B)

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a data anti-disclosure system based on virtualization technology. The system is realized by constructing a virtualized operating environment on a workstation, on top of the host operating system, and redirecting the host operating system's input/output calls, system calls and dynamic-library calls into that environment. It consists of a management module, a driver redirection module, a monitoring module, a log auditing module and a data encryption/decryption module. Its advantage is a data anti-disclosure protection method that prevents unauthorized users from eavesdropping on, cracking, illegally copying or spreading confidential data: authorized users can access key data only inside the virtual secure environment, and the physical storage of that key data is concentrated in a virtual storage space that is itself protected by encryption.

Description

Data anti-disclosure system based on virtualization technology
Technical Field
The invention belongs to the technical field of information security. It applies virtualization technology to data security protection and relates in particular to a data anti-disclosure system based on virtualization technology, together with the anti-leakage method that system implements.
Background
With the rapid growth of informatization in China, electronic data has become an important asset for every department, enterprise and individual. The confidentiality, integrity and availability of data bear on the viability and competitiveness of governments, major industries and enterprises, so data security is receiving growing attention as a component of information security. It covers loss prevention, leakage prevention, abuse prevention and more, and leakage prevention is the most prominent problem at present. E-mail, instant messaging, removable storage media and similar technologies have raised working efficiency but have also widened the channels through which data can leak, and deliberate leaking by an insider is particularly hard to defend against. Faced with this, domestic and foreign security vendors have developed their own data leakage protection solutions in recent years. Existing data leakage protection is built around dynamic (transparent) encryption and decryption, in two forms: file-level dynamic encryption/decryption and disk-level dynamic encryption/decryption.
With file-level dynamic encryption/decryption, on operating systems such as Windows, Linux or UNIX an application that accesses data on a storage device normally calls the file system through an API provided by the operating system, and the file system in turn reaches the storage medium through that medium's driver; the encryption layer sits in this call path and transforms file contents as they pass through it. With disk-level dynamic encryption/decryption, the encryption system decrypts hard-disk data in real time from system start-up: as the system reads data it is decrypted directly in memory, and the decrypted data is then handed to the operating system.
The drawback of file-level dynamic encryption/decryption is that, although some file systems support it (NTFS on Windows, for example, provides EFS, the Encrypting File System), a general-purpose facility of this kind struggles to meet individual users' requirements, such as automatically encrypting only certain types of file.
The drawback of disk-level dynamic encryption/decryption is that the throughput of its encryption and decryption algorithm is bounded directly by the performance of the host system, since every block read from or written to the disk passes through it.
Disclosure of Invention
Addressing these defects of the prior art, the invention aims to provide a data anti-leakage system based on virtualization technology that is not limited by system performance and can meet the requirements of individual users.
The system is realized by constructing a virtualized working environment on a workstation, on top of the operating system, using virtualization technology, and by redirecting the I/O calls, system calls and dynamic-library calls of the host operating system into that environment. It consists of a management module, a driver redirection module, a monitoring module, a log audit module and a data encryption/decryption module.
The management module sets the login mode and constructs a virtual layer on the operating system that implements a special file system. The driver redirection module modifies and redirects system message events at the driver layer of the host operating system. The monitoring module monitors local directories and files in real time and controls access rights to them. The log audit module records the user's operations. The data encryption/decryption module encrypts documents placed under protection and documents written back after editing, and decrypts documents opened from, or redirected into, the protected directory.
The login mode comprises an administrator login mode and an ordinary-user login mode. After logging in as administrator, files on the local disk can be copied into the area corresponding to the special file system, and attribute authority and a usage scope can be set on electronic documents in that area, making them controlled documents. After logging in as an ordinary user, the user can only set the usage scope of an electronic document.
The starting address and storage location of the file partition table exported by the special file system differ from those of conventional file systems, and different attributes can be attached to different files.
The extensible file attributes include whether an electronic document may be forwarded, its permitted number of accesses, its access time limit, and whether printing is prohibited.
When an electronic document is created in the area corresponding to the special file system and its control information is set, the driver redirection module obtains the PID of the process handling the document together with the file's control information, and redirects the file to the configured location.
The monitoring module monitors documents and their contents in real time, intercepts system events at the driver layer of the operating system, including but not limited to copying, printing, save-as, screen capture and network transmission, classifies those events, and enforces document access control according to the security policy.
The monitoring module also encrypts and locks the data in the memory buffer in real time, and erases all of it when the buffer is released.
The advantages of the invention are as follows. It provides a data anti-leakage system based on virtualization technology that is not limited by system performance and can meet individual users' requirements. In particular it provides a protection method that prevents unauthorized users from eavesdropping on, cracking, illegally copying or spreading confidential data: users can access critical data only inside the virtual security environment, and the physical storage of that data is concentrated in an encrypted virtual storage space. A protected file can be accessed only after the user has entered the secure working environment; the user's operations are confined by each virtual resource, and leakage paths such as network transmission and peripheral access are fully controlled or prohibited. Secure data always stays in the virtual working area and cannot be copied or dumped out of it, which effectively prevents deliberate leaking by the user. The content of an electronic document stays under control throughout by governing application execution, data reads and writes, cut-and-paste copying, file saving, screen capture, printing, the number of times the file may be accessed, the period during which it may be accessed, and so on.
Drawings
FIG. 1 is a schematic diagram of a data anti-disclosure system based on virtualization technology.
Fig. 2 is a schematic diagram of the operation of a data anti-disclosure system based on a virtualization technology.
Fig. 3 is a usage pattern diagram of a data anti-disclosure system based on virtualization technology.
Detailed Description
As shown in Fig. 1, the data anti-disclosure system is built by constructing a virtualized working environment on the workstation, on top of the operating system, and redirecting the host operating system's I/O calls, system calls and dynamic-library calls into it. It consists of the management module, driver redirection module, monitoring module, log audit module and data encryption/decryption module. The functions of these modules, the two login modes, the special file system with its relocated partition table and extensible attributes, the PID-based redirection of newly created controlled documents, the driver-layer interception and classification of copy, print, save-as, screen-capture and network-send events, and the real-time encryption, locking and erasure of the memory buffer are as set out in the Disclosure of Invention above.
The login mode in the management module resists brute-force attacks on the system's data by setting an upper limit on the number of password attempts. Once login attempts reach the limit the system locks itself automatically and can only be reopened by a party logged in as administrator. If the administrator's own password attempts reach the limit, the working area of the virtual working environment is destroyed automatically.
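The lockout rule above, as an added example in Python that is not part of the patent or of any product implementing it. The patent only states that attempts are bounded, that the system locks and must be reopened by an administrator, and that the work area is destroyed when the administrator account itself exhausts its attempts; the attempt limit, the account names, PBKDF2-SHA256 for credential storage and the `Workstation` and `Account` classes are assumptions.

```python
"""Login lockout state machine modelling the rule in the description.

Added illustration, not code from CN102254117B. Assumptions: the attempt
limit, account names, PBKDF2-SHA256 for credential storage and the
Workstation/Account classes. The patent only states that attempts are
bounded, that the system locks and must be reopened by an administrator,
and that the virtual work area is destroyed when the administrator account
itself reaches the limit.
"""
import hashlib
import hmac
import os

ATTEMPT_LIMIT = 5  # assumed upper bound on consecutive failed attempts


def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a dumped credential store cannot be brute-forced cheaply offline
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    def __init__(self, name: str, password: str, is_admin: bool = False):
        self.name = name
        self.is_admin = is_admin
        self.salt = os.urandom(16)
        self.key = derive_key(password, self.salt)
        self.failures = 0
        self.locked = False

    def verify(self, password: str) -> bool:
        # constant-time comparison; the attempt counter is the real online brute-force brake
        return hmac.compare_digest(self.key, derive_key(password, self.salt))


class Workstation:
    def __init__(self):
        self.accounts = {}
        self.work_area_destroyed = False

    def add_account(self, name: str, password: str, is_admin: bool = False):
        self.accounts[name] = Account(name, password, is_admin)

    def login(self, name: str, password: str) -> str:
        """Returns 'admin' or 'user' on success, otherwise 'denied', 'locked' or 'destroyed'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "denied"
        if self.work_area_destroyed or acct.locked:
            return "locked"            # no further attempts are counted or honoured
        if acct.verify(password):
            acct.failures = 0          # a success resets the counter
            return "admin" if acct.is_admin else "user"
        acct.failures += 1
        if acct.failures < ATTEMPT_LIMIT:
            return "denied"
        acct.locked = True
        if acct.is_admin:
            self.destroy_work_area()   # administrator exhausted: wipe the work area
            return "destroyed"
        return "locked"                # ordinary user exhausted: wait for an administrator

    def destroy_work_area(self):
        # Stand-in for wiping the encrypted virtual work area and its keys;
        # here it only flips the state so that every later login is refused.
        self.work_area_destroyed = True

    def admin_unlock(self, admin_name: str, admin_password: str, target: str) -> bool:
        # Only a successful administrator login may reopen a locked account.
        if self.login(admin_name, admin_password) != "admin":
            return False
        acct = self.accounts.get(target)
        if acct is None:
            return False
        acct.locked = False
        acct.failures = 0
        return True
```

Note that the unlock path itself goes through `login`, so a wrong administrator password spent on an unlock attempt also counts towards the administrator's limit; that is what makes "destroy the work area when the administrator is exhausted" a meaningful deterrent rather than a rule an attacker can sidestep by attacking the unlock function instead.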
After identity authentication succeeds, the system automatically loads its driver in readiness to process system events.
The system uses the PID of the process handling a document to distinguish controlled files from uncontrolled ones. On that basis it prevents content of a controlled file from being cut and pasted into an unprotected file, prevents text in a controlled file from being dragged into an unprotected file, blocks OLE access (through which other tools could otherwise read the contents of Office documents), and controls whether a controlled file may be printed.
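The PID-based mediation just described, together with the driver-layer event classification from the monitoring module, as an added example in Python that is not code from the patent. It reproduces the decision logic in user space over constructed events; in the patent the interception happens in a kernel driver. The event names, the `Session` registry, the protected directory path and the `Decision` values are assumptions.

```python
"""Driver-layer event mediation keyed on the PID of the process holding a
controlled document.

Added example, not code from the patent. The monitoring module intercepts
copy/paste, drag-and-drop, OLE reads, printing, save-as, screen capture and
network sends, tells controlled from uncontrolled processes by PID, and
applies the policy. Assumptions: the event names, the Session registry, the
protected directory path and the Decision values; in the patent the
interception is done by a kernel driver.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REDIRECT = "redirect"   # a write is diverted into the protected directory


# Events that move document content from one process to another.
TRANSFER_EVENTS = {"clipboard_paste", "drag_drop", "ole_read"}
# Events that move content off the workstation or out of the protected channel.
EXFIL_EVENTS = {"net_send", "screen_copy"}


@dataclass
class Event:
    kind: str
    src_pid: int                   # process the content originates from
    dst_pid: Optional[int] = None  # receiving process, for transfer events
    path: Optional[str] = None     # target path, for save events


@dataclass
class Session:
    protected_dir: str = "/secure"                       # assumed location of the protected area
    controlled: dict = field(default_factory=dict)       # pid -> {"printable": bool}
    audit: list = field(default_factory=list)            # stand-in for the log audit module

    def open_controlled(self, pid: int, printable: bool = False):
        """Register a process once it has opened a controlled file."""
        self.controlled[pid] = {"printable": printable}

    def close(self, pid: int):
        self.controlled.pop(pid, None)

    def is_controlled(self, pid: Optional[int]) -> bool:
        return pid is not None and pid in self.controlled

    def decide(self, ev: Event) -> Decision:
        d = self._policy(ev)
        self.audit.append((ev.kind, ev.src_pid, ev.dst_pid, ev.path, d.value))
        return d

    def _policy(self, ev: Event) -> Decision:
        if not self.is_controlled(ev.src_pid):
            return Decision.ALLOW        # uncontrolled data is outside the policy
        if ev.kind in TRANSFER_EVENTS:
            # controlled content may only land in another controlled process
            return Decision.ALLOW if self.is_controlled(ev.dst_pid) else Decision.DENY
        if ev.kind == "print":
            return Decision.ALLOW if self.controlled[ev.src_pid]["printable"] else Decision.DENY
        if ev.kind in EXFIL_EVENTS:
            return Decision.DENY
        if ev.kind == "save":
            inside = ev.path is not None and ev.path.startswith(self.protected_dir + "/")
            return Decision.ALLOW if inside else Decision.REDIRECT
        return Decision.DENY             # unknown event from a controlled process: fail closed

    def redirect_target(self, path: str) -> str:
        """Where a REDIRECTed save ends up: same base name, inside the protected directory."""
        return self.protected_dir + "/" + path.rsplit("/", 1)[-1]
```

The source of a transfer event is the process the content comes from, so an OLE read issued by some other tool against a controlled Office process is recorded with the controlled process as `src_pid` and the tool as `dst_pid`, and is refused unless the tool is itself controlled. Events from a process that has never opened a controlled file pass through untouched, which is what keeps the policy from interfering with ordinary work.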
As shown in Fig. 2, when a user opens a file the system first determines whether the file is a controlled file; if so, whether it passes its attribute checks; and if so, whether the virtual environment needs to be loaded. If all three hold, the file is run with its attributes inside the virtual security environment.
If the opened file is not a controlled file, or is not protected by attributes, or does not require the virtual environment, it is opened directly without loading the virtual environment.
As shown in Fig. 3, a user logs in to the system either as an administrator or as an ordinary user. In administrator mode, files on the local disk can be copied into the secure area, and attribute authority and a usage scope can be set on electronic documents in the secure area to make them controlled documents. In ordinary-user mode, after a successful login the system checks the attributes the administrator has set on the electronic document. The controlled-document design proceeds as follows: first determine whether the file type is a secure controlled type by examining the file extension and the extended attributes held in the file system; call the corresponding function to obtain the document's current attribute authority; then check the validity of each authority in turn. If the document's remaining open count has dropped to 0, a dialog reports that the usage allowance is exhausted and the system exits without loading the document. Each time the document is opened the open count is decreased by one; once it reaches 0 the file can no longer be accessed, and a dialog stating that the open count has fallen to 0 is displayed.
The file extension attributes that the special file system of the data anti-leakage system can set are as follows:
Forwarding of an electronic document: the owner of the document sets whether it may be forwarded to other users. Once the administrator has set this authority on a document, an ordinary user may send the document, attribute and all, to other users as ciphertext.
Read/write control of an electronic document: the administrator sets whether the document may be written. When an ordinary user opens the file after logging in, a read-only file cannot be modified, while a read-write file can be written. The read-only restriction does not apply to the owner of the file.
Number of accesses of an electronic document: the administrator presets the permitted number of accesses before sending the document to an ordinary user. Each time the ordinary user opens the document the count is decreased by 1; once it reaches 0 the file can no longer be opened, and the user must delete it.
Access time right of an electronic document: the administrator sets a deadline for file access, and an ordinary user is bound by it when using the document. For example, if the document may only be used before 2009-09-22 and the ordinary user tries to open it after that period, the document is not opened. The owner of the document is not subject to the access time limit.
Non-printable restriction of an electronic document: the administrator can set the document's attribute to non-printable, in which case an ordinary user's use of the document is restricted and it cannot be printed. If the printable attribute is set, the document may be printed.
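The attribute list above and the open-time check sequence of Fig. 2 and Fig. 3, as an added example in Python that is not code from the patent. It models the attributes the special file system attaches to a file and the order in which they are checked; loading the virtual environment is represented by the `open_virtual` outcome. The `DocAttributes` container (the patent stores these as extended attributes of its special file system), the list of controlled extensions, the owner's exemption from the open count, and the outcome strings are assumptions.

```python
"""Open-time checks on a controlled document's extended attributes.

Added example, not code from the patent. It models the attributes the
special file system attaches to a file (forwardable, read-only, remaining
open count, access deadline, printable) and the check sequence of Fig. 2 and
Fig. 3: is the file a controlled type, do its attributes permit this user to
open it now, and is it then run inside the virtual environment. Assumptions:
the DocAttributes container, the controlled extension list, the owner's
exemption from the open count, and the outcome strings.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CONTROLLED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}  # assumed


@dataclass
class DocAttributes:
    owner: str
    forwardable: bool = False
    read_only: bool = True
    remaining_opens: Optional[int] = None   # None: unlimited
    expires: Optional[date] = None          # last calendar day on which opening is allowed
    printable: bool = False


def is_controlled(path: str, attrs: Optional[DocAttributes]) -> bool:
    """A controlled file is a protected document type that carries extended attributes."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot >= 0 else ""
    return ext in CONTROLLED_EXTENSIONS and attrs is not None


def check_open(path: str, attrs: Optional[DocAttributes], user: str, today: date):
    """Return (outcome, detail). A non-owner's successful open consumes one use.

    outcome is 'open_plain'   -> not controlled, opened outside the virtual environment
               'open_virtual' -> opened inside the virtual security environment
               'deny'         -> refused; detail carries the dialog text
    """
    if not is_controlled(path, attrs):
        return "open_plain", "not a controlled file"
    if user == attrs.owner:
        # The description exempts the owner from read-only and from the time limit;
        # exempting the owner from the open count as well is an assumption.
        return "open_virtual", "owner: read-write, no count or time limit"
    if attrs.expires is not None and today > attrs.expires:
        return "deny", "access period ended on %s" % attrs.expires.isoformat()
    if attrs.remaining_opens is not None:
        if attrs.remaining_opens <= 0:
            return "deny", "open count exhausted; delete the file"
        attrs.remaining_opens -= 1           # each open consumes one use
    mode = "read-only" if attrs.read_only else "read-write"
    return "open_virtual", "%s; printable=%s; forwardable=%s" % (
        mode, attrs.printable, attrs.forwardable)


def may_forward(attrs: DocAttributes) -> bool:
    """Whether an ordinary user may send the document (as ciphertext) to other users."""
    return attrs.forwardable


def may_print(attrs: DocAttributes) -> bool:
    return attrs.printable
```

The deadline is checked before the count is decremented, so an expired document does not silently burn one of its remaining opens, and the count is decremented before the document is handed over rather than after it is closed, so that a crash or kill of the viewer cannot be used to open it for free.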

Claims (4)

1. A data anti-leakage system based on virtualization technology, characterized in that the system is realized by constructing a virtualized working environment on a workstation, on top of the operating system, using virtualization technology, and by redirecting the I/O calls, system calls and dynamic-library calls of the host operating system; the system consists of a management module, a driver redirection module, a monitoring module, a log audit module and a data encryption/decryption module; wherein,
the system comprises the management module, the driver redirection module, the monitoring module, the log audit module, the data encryption/decryption module, the driver layer of the host operating system and a virtual layer, the management module being mainly used for setting a login mode and constructing the virtual layer on the operating system to realize a special file system;
the monitoring module monitors documents and their contents in real time, intercepts system events at the driver layer of the operating system in real time, classifies the events, and performs document access control according to a security policy; and at the same time the monitoring module encrypts and locks the data in the memory buffer in real time and erases all of it when the memory buffer is released.
2. The data anti-disclosure system based on virtualization technology as claimed in claim 1, wherein the login mode includes an administrator login mode and an ordinary-user login mode; after login in administrator mode, files on the local disk can be copied into an area corresponding to the special file system, and attribute authority and a usage scope can be set on electronic documents in that area to make them controlled documents; after login in ordinary-user mode, the user can only set the usage scope of an electronic document.
3. The data anti-disclosure system based on virtualization technology as claimed in claim 1, wherein the starting address and storage location of the file partition table exported by the special file system differ from those of other conventional file systems, and different attributes can be attached to different files.
4. The data anti-disclosure system based on virtualization technology as claimed in claim 1, wherein the extensible file attributes include whether an electronic document may be forwarded, its number of accesses, its access time right and its non-printable restriction.

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN2011101895392A    2011-07-07     2011-07-07   Virtualized technology-based data anti-disclosure system (CN102254117B, en)

Applications Claiming Priority (1)

Application Number  Priority Date  Filing Date  Title
CN2011101895392A    2011-07-07     2011-07-07   Virtualized technology-based data anti-disclosure system (CN102254117B, en)

Publications (2)

Publication Number  Publication Date
CN102254117A (en)   2011-11-23
CN102254117B (en)   2013-10-02

Family

ID=44981377

Family Applications (1)

Application Number  Title                                                     Priority Date  Filing Date
CN2011101895392A    Virtualized technology-based data anti-disclosure system (CN102254117B, en; Expired - Fee Related)  2011-07-07  2011-07-07

Country Status (1)

Country Link
CN (1) CN102254117B (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102523255B (en) * 2011-11-30 2015-04-29 北京京航计算通讯研究所 Printing security monitoring and auditing system based on virtual printing technique
CN102495986A (en) * 2011-12-15 2012-06-13 上海中标凌巧软件科技有限公司 Calling control method for avoiding embezzlement of enciphered data in computer system
CN102495987B (en) * 2011-12-18 2015-08-19 西安安智科技有限公司 The method and system of the anti-access of divulging a secret in a kind of electronic information this locality
CN102592102B (en) * 2011-12-31 2014-09-17 深信服网络科技(深圳)有限公司 Anti-leakage control method of terminal and terminal
CN103218181A (en) * 2012-01-19 2013-07-24 郑州鼎昌计算机科技有限公司 Data safety printing control method based on virtual printer technology
CN102708326A (en) * 2012-05-22 2012-10-03 南京赛孚科技有限公司 Protection method for confidential files
CN102750493B (en) * 2012-06-26 2016-01-06 华为终端有限公司 Access right control method, Apparatus and system
CN103716354B (en) * 2012-10-09 2017-02-08 慧盾信息安全科技(苏州)股份有限公司 Security protection system and method for information system
CN103455763B (en) * 2013-07-29 2016-08-31 孙伟力 A kind of internet log record system and method protecting individual subscriber privacy
WO2015070376A1 (en) * 2013-11-12 2015-05-21 华为技术有限公司 Method and system for realizing virtualization security
CN104036197B (en) * 2014-06-05 2017-02-15 哈尔滨工程大学 Vector map data protection and access control method based on file filter driver
CN104182691B (en) * 2014-08-22 2017-07-21 国家电网公司 data encryption method and device
CN104346582A (en) * 2014-11-05 2015-02-11 山东乾云启创信息科技有限公司 Method for preventing mirror image from being tampered in desktop virtualization
CN106295386B (en) 2015-06-02 2021-04-27 阿里巴巴集团控股有限公司 Data file protection method and device and terminal equipment
CN105354294A (en) * 2015-11-03 2016-02-24 杭州电子科技大学 Nested file management system and method
CN109327455A (en) * 2018-11-01 2019-02-12 郑州云海信息技术有限公司 A NAS device access method, device, device and readable storage medium
CN109800094B (en) * 2018-12-28 2021-04-06 北京指掌易科技有限公司 Method for realizing communication between single application and multiple public applications
CN109960511B (en) * 2019-03-22 2022-09-09 北京智游网安科技有限公司 Dynamic library issuing method based on virtualization technology, storage medium and intelligent terminal
CN111143850B (en) * 2019-11-22 2022-03-04 航天恒星科技有限公司 Safety protection system and method for satellite data distributed virtual storage
CN111310131B (en) * 2020-01-19 2022-11-04 Oppo广东移动通信有限公司 So library calling processing method, device, electronic device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101727545A (en) * 2008-10-10 2010-06-09 中国科学院研究生院 Method for implementing mandatory access control mechanism of security operating system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004164192A (en) * 2002-11-12 2004-06-10 Kubota Corp Electronic information leakage prevention method, electronic information system, and computer program
WO2006137057A2 (en) * 2005-06-21 2006-12-28 Onigma Ltd. A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JP特开2004-164192A 2004.06.10

Also Published As

Publication number Publication date
CN102254117A (en) 2011-11-23

Similar Documents

Publication Publication Date Title
CN102254117B (en) Virtualized technology-based data anti-disclosure system
EP1977364B1 (en) Securing data in a networked environment
CN102043927B (en) Data divulgence protection method for computer system
CN101853363B (en) File protection method and system
JP4089171B2 (en) Computer system
US20150227748A1 (en) Method and System for Securing Data
KR101705550B1 (en) Method and software product for controlling application program which access secure saving area
KR20110096554A (en) Client computer, and server computer thereof, and method and computer program for protecting confidential files
CN201682524U (en) Document transfer authority control system based on document filtering driver
CN103530570A (en) Electronic document safety management system and method
CN102799539B (en) A kind of safe USB disk and data active protection method thereof
CN104102595A (en) High security removable storage device
KR20130079004A (en) Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone
RU84594U1 (en) STORAGE WITH PROTECTION FROM UNAUTHORIZED ACCESS TO MEMORY
CN101561851A (en) Open file encrypting method without distinguishing file types
CN108319867A (en) Dualized file divulgence prevention method and system based on HOOK and window filter
KR100948812B1 (en) Security zone management system and its management method
CN113407984A (en) System and method for providing security protection for database
CN105205403A (en) Method and system for managing and controlling file data of local area network based on file filtering
KR100547556B1 (en) Secure kernel system supporting encrypted file system
KR102338774B1 (en) Data protection method to prevent data leakage and corruption by preventing file contents from being read and written at the kernel level of the storage operating system
Liu et al. A file protection scheme based on the transparent encryption technology
KR20030005760A (en) Method of access control according to access right of user in Personal Computer and apparatus thereof
JP4974246B2 (en) File export monitoring system
JP2007323548A (en) How to manage files with network folders

Legal Events

Date        Code  Title                                                     Description
            C06   Publication
            PB01  Publication
            C10   Entry into substantive examination
            SE01  Entry into force of request for substantive examination
            C14   Grant of patent or utility model
            GR01  Patent grant
2017-03-31  TR01  Transfer of patent right                                  Patentee before: Hu Jianbin; Li Peng (100084 Beijing city Haidian District No. 123 Zhongguancun Huateng Technology Building Room 451). Patentee after: Anhui cloud Bay Mdt InfoTech Ltd (230000 Anhui Hefei District Wanda Plaza office building, No. 2001, No. 4, No.).
2018-03-26  TR01  Transfer of patent right                                  Patentee before: Anhui cloud Bay Mdt InfoTech Ltd (230000 Anhui Hefei District Wanda Plaza office building, No. 2001, No. 4, No.). Patentee after: Li Peng; co-patentee Hu Jianbin (100084 Beijing city Haidian District No. 123 Zhongguancun Huateng Technology Building Room 451).
            CF01  Termination of patent right due to non-payment of annual fee  Granted publication date: 2013-10-02; termination date: 2019-07-07.