[go: up one dir, main page]

CN114662123A - File tracking method and device - Google Patents

File tracking method and device Download PDF

Info

Publication number
CN114662123A
CN114662123A CN202210114442.3A CN202210114442A CN114662123A CN 114662123 A CN114662123 A CN 114662123A CN 202210114442 A CN202210114442 A CN 202210114442A CN 114662123 A CN114662123 A CN 114662123A
Authority
CN
China
Prior art keywords
file
target
event
information
operation event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210114442.3A
Other languages
Chinese (zh)
Inventor
林皓
李胜家
王海波
杨泳
毕永东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing VRV Software Corp Ltd filed Critical Beijing VRV Software Corp Ltd
Priority to CN202210114442.3A priority Critical patent/CN114662123A/en
Publication of CN114662123A publication Critical patent/CN114662123A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a file tracking method and a device, wherein the method comprises the following steps: monitoring file operation events; under the condition that the file operation event is detected to be triggered, acquiring and recording the circulation information of a target file corresponding to the file operation event; wherein the circulation information is used for tracking the circulation of the target file. The file tracking method and device provided by the application can realize tracking and monitoring of the files inside an enterprise under the condition that the client is not installed, and can avoid the occurrence of a divulgence condition.

Description

文件跟踪方法及装置File tracking method and device

技术领域technical field

本申请涉及文件溯源领域,尤其涉及一种文件跟踪方法及装置。The present application relates to the field of document traceability, and in particular, to a document tracing method and device.

背景技术Background technique

随着互联网技术的发展,信息安全变得越来越重要,尤其是企业内部的涉密文件。为了保证涉密文件在企业内部流转过程的安全,通常需要对涉密文件的流转过程进行跟踪监控。With the development of Internet technology, information security has become more and more important, especially the confidential documents within the enterprise. In order to ensure the security of the circulation process of confidential documents within the enterprise, it is usually necessary to track and monitor the circulation process of confidential documents.

在相关技术中,可以对涉密文件进行加密,员工可以使用客户端对其解密后进行访问,客户端还可以记录相关的访问信息,进而实现对企业内部文档的跟踪与监控。然而,这样的文件跟踪方法,需要在设备上安装客户端,并对涉密文件进行解密后才能够进行访问,操作不便。In the related art, confidential documents can be encrypted, employees can use the client to decrypt them to access, and the client can also record relevant access information, thereby realizing the tracking and monitoring of internal documents of the enterprise. However, in such a file tracking method, a client needs to be installed on the device, and the confidential files can be accessed only after decryption, which is inconvenient to operate.

发明内容SUMMARY OF THE INVENTION

本申请的目的是提供一种文件跟踪方法及装置,用于对文件流转过程的追踪和监控。The purpose of this application is to provide a file tracking method and device for tracking and monitoring the file transfer process.

本申请提供一种文件跟踪方法,包括:This application provides a document tracking method, including:

监控文件操作事件;在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息;其中,所述流转信息用于跟踪所述目标文件的流转。Monitoring file operation events; in the case of detecting that the file operation event is triggered, acquiring and recording the flow information of the target file corresponding to the file operation event; wherein, the flow information is used to track the flow of the target file. .

可选地,所述流转信息包括以下至少一项:上一节点的节点信息,当前节点的节点信息,所述目标文件的文件信息,所述文件操作事件的触发时间。Optionally, the flow information includes at least one of the following: node information of the previous node, node information of the current node, file information of the target file, and trigger time of the file operation event.

可选地,所述监控文件操作事件,包括:将所述文件操作事件与Hook函数相关联,并构建与所述Hook函数对应的回调函数;其中,所述文件操作事件包括以下至少一项:文件创建事件,文件打开事件,文件保存事件,文件关闭事件;所述回调函数用于获取并记录所述流转信息。Optionally, the monitoring of the file operation event includes: associating the file operation event with a Hook function, and constructing a callback function corresponding to the Hook function; wherein the file operation event includes at least one of the following: File creation event, file opening event, file saving event, file closing event; the callback function is used to obtain and record the flow information.

可选地,所述在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息,包括:在检测到所述文件操作事件被触发的情况下,通过所述回调函数获取所述流转信息,并通过COM组件将所述流转信息存储到所述目标文件的属性信息中,和/或,将所述流转信息存储到服务器中。Optionally, in the case of detecting that the file operation event is triggered, acquiring and recording the flow information of the target file corresponding to the file operation event includes: in the case of detecting that the file operation event is triggered Next, the circulation information is acquired through the callback function, and the circulation information is stored in the attribute information of the target file through the COM component, and/or the circulation information is stored in the server.

可选地,所述在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息之后,所述方法还包括:从所述目标文件的属性信息,和/或,所述服务器中提取所述目标文件在流转过程中每个节点对应的流转信息;根据所述目标文件在流转过程中每个节点对应的流转信息,生成流转路径,并基于所述流转路径对所述目标文件进行溯源。Optionally, after acquiring and recording the flow information of the target file corresponding to the file operation event when it is detected that the file operation event is triggered, the method further includes: from the attribute of the target file information, and/or, extract the circulation information corresponding to each node of the target file in the circulation process; generate the circulation path according to the circulation information corresponding to each node of the target file in the circulation process, and based on The circulation path traces the source of the target file.

可选地,所述在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息,包括:在触发的文件操作事件为所述文件创建事件的情况下,向所述文件创建事件所创建的目标文件中注入目标脚本;其中,所述目标脚本用于在访问所述目标文件时运行所述目标脚本,检测当前设备的运行环境,并在当前设备的运行环境不满足预设条件的情况下,禁止所述目标文件的访问。Optionally, in the case of detecting that the file operation event is triggered, acquiring and recording the flow information of the target file corresponding to the file operation event, including: when the triggered file operation event is the file creation event In the case of the target file created by the file creation event, the target script is injected into the target file; wherein, the target script is used to run the target script when accessing the target file, detect the operating environment of the current device, and in the In the case that the running environment of the current device does not meet the preset condition, the access to the target file is prohibited.

本申请还提供一种文件跟踪装置,包括:The application also provides a file tracking device, including:

监控模块,用于监控文件操作事件;记录模块,用于在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息;其中,所述流转信息用于跟踪所述目标文件的流转。a monitoring module for monitoring file operation events; a recording module for acquiring and recording the flow information of the target file corresponding to the file operation event when it is detected that the file operation event is triggered; wherein, the flow The information is used to track the flow of the target file.

可选地,所述流转信息包括以下至少一项:上一节点的节点信息,当前节点的节点信息,所述目标文件的文件信息,所述文件操作事件的触发时间。Optionally, the flow information includes at least one of the following: node information of the previous node, node information of the current node, file information of the target file, and trigger time of the file operation event.

可选地,所述监控模块,具体用于将所述文件操作事件与Hook函数相关联,并构建与所述Hook函数对应的回调函数;其中,所述文件操作事件包括以下至少一项:文件创建事件,文件打开事件,文件保存事件,文件关闭事件;所述回调函数用于获取并记录所述流转信息。Optionally, the monitoring module is specifically configured to associate the file operation event with a Hook function, and construct a callback function corresponding to the Hook function; wherein the file operation event includes at least one of the following: Create event, file open event, file save event, file close event; the callback function is used to obtain and record the flow information.

可选地,所述记录模块,具体用于在检测到所述文件操作事件被触发的情况下,通过所述回调函数获取所述流转信息,并通过COM组件将所述流转信息存储到所述目标文件的属性信息中,和/或,将所述流转信息存储到服务器中。Optionally, the recording module is specifically configured to obtain the circulation information through the callback function when it is detected that the file operation event is triggered, and store the circulation information to the In the attribute information of the target file, and/or, the flow information is stored in the server.

可选地,所述装置还包括:信息提取模块和生成模块;所述信息提取模块,用于从所述目标文件的属性信息,和/或,所述服务器中提取所述目标文件在流转过程中每个节点对应的流转信息;所述生成模块,用于根据所述目标文件在流转过程中每个节点对应的流转信息,生成流转路径,并基于所述流转路径对所述目标文件进行溯源。Optionally, the apparatus further includes: an information extraction module and a generation module; the information extraction module is configured to extract the attribute information of the target file from the server, and/or extract the target file from the server during the transfer process The flow information corresponding to each node in the file; the generation module is used to generate a flow path according to the flow information corresponding to each node of the target file in the flow process, and trace the source of the target file based on the flow path. .

可选地,所述装置还包括:注入模块;所述注入模块,用于在触发的文件操作事件为所述文件创建事件的情况下,向所述文件创建事件所创建的目标文件中注入目标脚本;其中,所述目标脚本用于在访问所述目标文件时运行所述目标脚本,检测当前设备的运行环境,并在当前设备的运行环境不满足预设条件的情况下,禁止所述目标文件的访问。Optionally, the apparatus further includes: an injection module; the injection module is configured to inject a target into the target file created by the file creation event when the triggered file operation event is the file creation event Script; wherein, the target script is used to run the target script when accessing the target file, detect the operating environment of the current device, and prohibit the target when the operating environment of the current device does not meet the preset conditions file access.

本申请还提供一种计算机程序产品,包括计算机程序/指令,该计算机程序/指令被处理器执行时实现如上述任一种所述文件跟踪方法的步骤。The present application also provides a computer program product, comprising a computer program/instruction, when the computer program/instruction is executed by a processor, implements the steps of any one of the above-mentioned file tracking methods.

本申请还提供一种电子设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现如上述任一种所述文件跟踪方法的步骤。The present application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and running on the processor, when the processor executes the program, the file tracking method according to any one of the above-mentioned methods is implemented. A step of.

本申请还提供一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现如上述任一种所述文件跟踪方法的步骤。The present application also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the steps of any one of the above-mentioned file tracking methods.

本申请提供的文件跟踪方法及装置,为了能够实现对设备上访问的文件的跟踪及监控,需要在设备上监控文件操作事件,并在在检测到所述文件操作事件被触发的情况下,获取并记录文件操作事件对应的目标文件的流转信息,以便于根据记录的流转信息,对目标文件进行跟踪和监控。The file tracking method and device provided by the present application, in order to realize the tracking and monitoring of the files accessed on the device, it is necessary to monitor the file operation event on the device, and obtain the file operation event when it is detected that the file operation event is triggered. And record the flow information of the target file corresponding to the file operation event, so as to track and monitor the target file according to the recorded flow information.

附图说明Description of drawings

为了更清楚地说明本申请或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the present application or the prior art more clearly, the following briefly introduces the accompanying drawings that are needed in the description of the embodiments or the prior art. Obviously, the drawings in the following description are of the present application. For some embodiments of the present invention, for those of ordinary skill in the art, other drawings can also be obtained from these drawings without any creative effort.

图1是本申请提供的文件跟踪方法的流程示意图;1 is a schematic flowchart of a file tracking method provided by the application;

图2是本申请提供的文件跟踪装置的结构示意图;2 is a schematic structural diagram of a file tracking device provided by the present application;

图3是本申请提供的电子设备的结构示意图。FIG. 3 is a schematic structural diagram of an electronic device provided by the present application.

具体实施方式Detailed ways

为使本申请的目的、技术方案和优点更加清楚,下面将结合本申请中的附图,对本申请中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application will be described clearly and completely below with reference to the accompanying drawings in the present application. Obviously, the described embodiments are part of the embodiments of the present application. , not all examples. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of the present application.

本申请的说明书和权利要求书中的术语“第一”、“第二”等是用于区别类似的对象,而不用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便本申请的实施例能够以除了在这里图示或描述的那些以外的顺序实施,且“第一”、“第二”等所区分的对象通常为一类,并不限定对象的个数,例如第一对象可以是一个,也可以是多个。此外,说明书以及权利要求中“和/或”表示所连接对象的至少其中之一,字符“/”,一般表示前后关联对象是一种“或”的关系。The terms "first", "second" and the like in the description and claims of the present application are used to distinguish similar objects, and are not used to describe a specific order or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances so that the embodiments of the present application can be practiced in sequences other than those illustrated or described herein, and distinguish between "first", "second", etc. The objects are usually of one type, and the number of objects is not limited. For example, the first object may be one or more than one. In addition, "and/or" in the description and claims indicates at least one of the connected objects, and the character "/" generally indicates that the associated objects are in an "or" relationship.

以下对本申请实施例所涉及的专业术语进行解释:The technical terms involved in the embodiments of the present application are explained below:

进程注入:在Windows系统中,每个进程都有自己的私有内存地址空间,当使用指针访问内存时,一个进程无法访问另一个进程的内存地址空间。进程注入即让一个线程在别的进程中执行。在本申请实施例中,可以通过对特定应用的进程进行进程注入的方式,在该特定应用运行时监控文件操作时间。Process injection: In Windows system, each process has its own private memory address space, when using pointers to access memory, one process cannot access the memory address space of another process. Process injection is to let a thread execute in another process. In this embodiment of the present application, the file operation time can be monitored when the specific application is running by performing process injection into the process of the specific application.

钩子(Hook):是Windows系统消息处理机制的一个平台,中文译为“挂钩”或“钩子”。在对特定的系统事件进行hook后,一旦发生已hook事件,对该事件进行hook的程序就会收到系统的通知,这时程序就能在第一时间对该事件做出响应。Hook (Hook): It is a platform for the Windows system message processing mechanism, which is translated as "hook" or "hook" in Chinese. After hooking a specific system event, once a hooked event occurs, the program that hooks the event will receive a notification from the system, and the program can respond to the event as soon as possible.

每一个Hook都有一个与之相关联的指针列表,称之为钩子链表,由系统来维护。这个列表的指针指向指定的、应用程序定义的、被Hook子程调用的回调函数,也就是该钩子的各个处理子程序。当与指定的Hook子程关联的消息发生时,系统就把这个消息传递到对应的Hook子程。一些Hook子程可以只监视消息,或者修改消息,或者停止消息的前进,避免这些消息传递到下一个Hook子程或者目的窗口。最近安装的钩子放在链的开始,而最早安装的钩子放在最后,也就是后加入的先获得控制权。Each Hook has a list of pointers associated with it, called the hook list, which is maintained by the system. The pointer of this list points to the specified, application-defined callback function called by the Hook subroutine, that is, each processing subroutine of the hook. When a message associated with the specified Hook subroutine occurs, the system delivers the message to the corresponding Hook subroutine. Some hook subroutines can only monitor the message, or modify the message, or stop the progress of the message, to avoid these messages being passed to the next hook subroutine or destination window. The most recently installed hooks are placed at the beginning of the chain, and the earliest installed hooks are placed at the end, that is, those added later gain control first.

Windows系统并不要求钩子子程的卸载顺序一定得和安装顺序相反。每当有一个钩子被卸载,Windows系统便释放其占用的内存,并更新整个Hook链表。如果程序安装了钩子,但是在尚未卸载钩子之前就结束了,那么系统会自动为它做卸载钩子的操作。The Windows system does not require that the uninstallation order of hook subroutines must be reversed from the installation order. Whenever a hook is uninstalled, the Windows system releases the memory it occupies and updates the entire Hook list. If the program installs the hook, but ends before the hook is uninstalled, the system will automatically uninstall the hook for it.

钩子实际上是一个处理消息的程序段,通过系统调用,把它挂入系统。每当特定的消息发出,在没有到达目的窗口前,钩子程序就先捕获该消息,亦即钩子函数先得到控制权。这时钩子函数即可以加工处理该消息,也可以不作处理而继续传递该消息,还可以强制结束消息的传递。A hook is actually a program segment that processes a message and hooks it into the system through a system call. Whenever a specific message is sent, before reaching the destination window, the hook program first captures the message, that is, the hook function gets control first. At this time, the hook function can process the message, or continue to deliver the message without processing, or force the delivery of the message to end.

全局唯一标识符(Globally Unique Identifier,GUID):是一种由算法生成的二进制长度为128位的数字标识符。GUID主要用于在拥有多个节点、多台计算机的网络或系统中。在理想情况下,任何计算机和计算机集群都不会生成两个相同的GUID。GUID的总数达到了2^128(3.4×10^38)个,所以随机生成两个相同GUID的可能性非常小,但并不为0。所以,用于生成GUID的算法通常都加入了非随机的参数(如时间),以保证这种重复的情况不会发生。Globally Unique Identifier (GUID): It is a digital identifier with a binary length of 128 bits generated by an algorithm. GUIDs are mainly used in networks or systems with multiple nodes and multiple computers. In an ideal world, no computer or cluster of computers would generate two identical GUIDs. The total number of GUIDs reaches 2^128 (3.4×10^38), so the possibility of randomly generating two identical GUIDs is very small, but not 0. Therefore, the algorithms used to generate GUIDs usually add non-random parameters (such as time) to ensure that this kind of repetition does not occur.

为了保护企业内部涉密文件的泄露,同时能够对企业涉密文件进行跟踪和监控,现有的文件跟踪方法多数为在客户端的中使用文件加密技术对涉密文件进行加密和解密。该跟踪方法可以使文件在磁盘中保存时,保存为一个新的加密文件,新的文件中可以包含特定的加密信息和文件本身的信息,加密信息可以跟随文件同时进行分发,以此达到追踪文档流转过程的目的。In order to protect the leakage of secret-related files within the enterprise and at the same time to track and monitor the secret-related files of the enterprise, most of the existing file tracking methods use file encryption technology in the client to encrypt and decrypt secret-related files. This tracking method can save the file as a new encrypted file when it is saved on the disk. The new file can contain specific encrypted information and the information of the file itself, and the encrypted information can be distributed along with the file at the same time, so as to track the document. The purpose of the transfer process.

然而,现有的文件跟踪方法,需要在设备中安装客户端,在未安装客户端的设备中则无法对涉密文件进行访问。并且,若文件在解密后被流转到外部设备上,也无法对文件进行跟踪,导致涉密文件的泄密。However, in the existing file tracking method, a client needs to be installed in the device, and confidential files cannot be accessed in the device without the client installed. Moreover, if the file is streamed to an external device after decryption, the file cannot be tracked, resulting in the leakage of confidential files.

下面结合附图,通过具体的实施例及其应用场景对本申请实施例提供的文件跟踪方法进行详细地说明。The file tracking method provided by the embodiments of the present application will be described in detail below through specific embodiments and application scenarios with reference to the accompanying drawings.

如图1所示,本申请实施例提供的一种文件跟踪方法,该方法可以包括下述步骤101和步骤102:As shown in FIG. 1, a file tracking method provided by an embodiment of the present application may include the following steps 101 and 102:

步骤101、监控文件操作事件。Step 101 , monitor file operation events.

示例性地,上述文件操作事件可以是需要进行监控的文件类型所对应的目标应用所能触发的文件操作事件。上述监控的文件类型可以包括文档、图片等类型的文件。上述文件操作事件包括:文件创建事件,文件打开事件,文件保存事件,文件关闭事件等对文件进行操作时触发的事件。Exemplarily, the above-mentioned file operation event may be a file operation event that can be triggered by the target application corresponding to the file type to be monitored. The above-mentioned monitored file types may include documents, pictures and other types of files. The above-mentioned file operation events include: file creation event, file opening event, file saving event, file closing event and other events triggered when the file is operated.

示例性地,可以通过上述进程注入的方式,在上述目标应用的进程中注入包含有执行本申请实施例提供的文件跟踪方法的代码的动态链接库(Dynamic Link Library,DLL)文件,并通过在目标应用的进程中加载该DLL文件来实现对文件操作事件的监控。Exemplarily, a dynamic link library (Dynamic Link Library, DLL) file containing the code for executing the file tracking method provided by the embodiment of the present application may be injected into the process of the above target application by the above process injection method, and the The DLL file is loaded in the process of the target application to monitor file operation events.

步骤102、在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息。Step 102: In the case of detecting that the file operation event is triggered, acquire and record the flow information of the target file corresponding to the file operation event.

其中,所述流转信息用于跟踪所述目标文件的流转。The circulation information is used to track the circulation of the target file.

示例性地,在检测到文件操作事件被触发的情况下,表示当前设备正在访问需要监控的文件类型的文件,即上述目标文件。该目标文件可以是当前设备上存储的任一需要监控的文件,例如,doc、docx、ppt、pptx、xls、xlsx格式的办公文档。Exemplarily, when it is detected that a file operation event is triggered, it means that the current device is accessing a file of a file type that needs to be monitored, that is, the above-mentioned target file. The target file may be any file that needs to be monitored stored on the current device, for example, office documents in doc, docx, ppt, pptx, xls, and xlsx formats.

示例性地,在检测到文件操作事件被触发后,可以确定该文件操作事件所操作的目标文件,并获取上述流转信息。Exemplarily, after it is detected that the file operation event is triggered, the target file operated by the file operation event can be determined, and the above-mentioned flow information can be obtained.

示例性地,上述流转信息可以包括以下至少一项:上一节点的节点信息,当前节点的节点信息,所述目标文件的文件信息,所述文件操作事件的触发时间。Exemplarily, the above-mentioned flow information may include at least one of the following: node information of the previous node, node information of the current node, file information of the target file, and trigger time of the file operation event.

具体地,上述流转信息可以包括:目标文件的GUID,当前设备的用户的GUID,上一节点的GUID,当前节点的GUID,当前时间,目标文件的文件路径等。Specifically, the above-mentioned transfer information may include: the GUID of the target file, the GUID of the user of the current device, the GUID of the previous node, the GUID of the current node, the current time, the file path of the target file, and the like.

示例性地,在获取到目标文件在当前设备上的流转信息后,可以将上述流转信息存储到文件的属性信息,或者服务器中,以实现对目标文件的跟踪和监控。Exemplarily, after obtaining the circulation information of the target file on the current device, the foregoing circulation information may be stored in the attribute information of the file or in the server, so as to realize the tracking and monitoring of the target file.

如此,为了能够实现对设备上访问的文件的跟踪及监控,需要在设备上监控文件操作事件,并在在检测到所述文件操作事件被触发的情况下,获取并记录文件操作事件对应的目标文件的流转信息,以便于根据记录的流转信息,对目标文件进行跟踪和监控。In this way, in order to be able to track and monitor the files accessed on the device, it is necessary to monitor the file operation event on the device, and when it is detected that the file operation event is triggered, acquire and record the target corresponding to the file operation event. The flow information of the file is convenient for tracking and monitoring the target file according to the recorded flow information.

可选地,在本申请实施例中,可以通过Hook技术实现对文件操作事件的监控。Optionally, in this embodiment of the present application, the monitoring of file operation events may be implemented by using the Hook technology.

示例性地,上述步骤101,可以包括以下步骤101a:Exemplarily, the above step 101 may include the following step 101a:

步骤101a、将所述文件操作事件与Hook函数相关联,并构建与所述Hook函数对应的回调函数。Step 101a: Associate the file operation event with a Hook function, and construct a callback function corresponding to the Hook function.

其中,所述文件操作事件包括以下至少一项:文件创建事件,文件打开事件,文件保存事件,文件关闭事件;所述回调函数用于获取并记录所述流转信息。The file operation event includes at least one of the following: a file creation event, a file opening event, a file saving event, and a file closing event; the callback function is used to acquire and record the flow information.

示例性地,通过Hook函数关联目标应用的文件操作事件对应的函数,可以在文件操作事件对应的函数运行时,触发操作系统执行Hook函数的回调函数,以执行回调函数中的代码。Exemplarily, by associating the function corresponding to the file operation event of the target application with the hook function, when the function corresponding to the file operation event runs, the operating system can be triggered to execute the callback function of the hook function to execute the code in the callback function.

示例性地,上述文件操作事件对应的函数可以包括:打开open()函数、关闭close()函数、创建create()函数等。不同的函数对应不同的文件操作事件。Exemplarily, the functions corresponding to the above file operation events may include: opening an open() function, closing a close() function, creating a create() function, and the like. Different functions correspond to different file operation events.

需要说明的是,上述监控文件操作事件可以由注入到上述目标应用的进程中的目标线程来执行。It should be noted that the above monitoring file operation event may be executed by a target thread injected into the process of the above target application.

如此,通过Hook函数关联目标应用的文件操作事件对应的函数,可以实现对上述文件操作事件的监控。In this way, by associating the Hook function with the function corresponding to the file operation event of the target application, the monitoring of the above-mentioned file operation event can be realized.

进一步地,在本申请实施例中,在检测到上述文件操作事件被触发后,可以通过上述回调函数,获取当前设备的相关信息,并记录到目标文件的属性信息或者服务器中。Further, in this embodiment of the present application, after detecting that the above-mentioned file operation event is triggered, relevant information of the current device can be obtained through the above-mentioned callback function, and recorded in the attribute information of the target file or the server.

示例性地,上述步骤102,可以包括以下步骤102a:Exemplarily, the above step 102 may include the following step 102a:

步骤102a、在检测到所述文件操作事件被触发的情况下,通过所述回调函数获取所述流转信息,并通过COM组件将所述流转信息存储到所述目标文件的属性信息中,和/或,将所述流转信息存储到服务器中。Step 102a, when it is detected that the file operation event is triggered, obtain the flow information through the callback function, and store the flow information in the attribute information of the target file through the COM component, and/ Or, the circulation information is stored in the server.

示例性地,上述COM组件为上述目标应用提供的组件。即当获取到上述流转信息后,可以通过目标应用提供的COM组件,在目标文件的属性信息中添加上述流转信息。Exemplarily, the above-mentioned COM component is a component provided by the above-mentioned target application. That is, after obtaining the above-mentioned circulation information, the above-mentioned circulation information can be added to the attribute information of the target file through the COM component provided by the target application.

需要说明的是,通过目标应用提供的COM组件在目标文件的属性信息中添加上述流转信息,具有较好的兼容性,且无需进行单独的开发。It should be noted that the above-mentioned flow information is added to the attribute information of the target file through the COM component provided by the target application, which has better compatibility and does not require separate development.

进一步地,上述步骤102之后,本申请实施例提供的文件跟踪方法,还可以包括以下步骤103和步骤104:Further, after the above step 102, the file tracking method provided by the embodiment of the present application may further include the following steps 103 and 104:

步骤103、从所述目标文件的属性信息,和/或,所述服务器中提取所述目标文件在流转过程中每个节点对应的流转信息。Step 103: Extract the flow information corresponding to each node in the flow of the target file from the attribute information of the target file and/or the server.

步骤104、根据所述目标文件在流转过程中每个节点对应的流转信息,生成流转路径,并基于所述流转路径对所述目标文件进行溯源。Step 104: Generate a flow path according to the flow information corresponding to each node in the flow of the target file, and trace the source of the target file based on the flow path.

可以理解的是,每个设备对涉密文件进行访问时,均可以将通过当前设备获取的流转信息添加到涉密文件的属性信息中。并且,在当前设备上获取上述流转信息时,也需要读取该涉密文件在上一节点添加的流转信息。例如,根据上一节点的流转信息,可以得到上一节点的GUID等信息。It can be understood that, when each device accesses a secret-related file, the flow information obtained by the current device can be added to the attribute information of the secret-related file. In addition, when obtaining the above-mentioned circulation information on the current device, it is also necessary to read the circulation information added by the secret-related file on the previous node. For example, according to the flow information of the previous node, information such as the GUID of the previous node can be obtained.

示例性地,为了实现对企业内部所有涉密文件的远程监控,上述流转信息还可以存储到服务器中,服务器进行统计和汇总后,可以显示每个涉密文件的流转路径以及每个节点对应的流转信息。Exemplarily, in order to realize the remote monitoring of all secret-related files in the enterprise, the above-mentioned circulation information can also be stored in the server. After the server performs statistics and summarization, it can display the circulation path of each secret-related file and the corresponding information of each node. flow information.

举例说明,管理人员可以通过上传到服务器上的流转信息,监控目标文件流转的每个节点、访问的用户、访问时间等信息。For example, the administrator can monitor the information such as each node where the target file is circulated, the users accessing it, and the access time through the circulation information uploaded to the server.

可选地,在本申请实施例中,为了避免涉密文件流转到外部设备,导致涉密文件的泄密,本申请实施例提供的文件跟踪方法,还可以对设备运行环境进行检测,并在设备运行环境不满足预设条件的情况下,禁止该外部设备访问该涉密文件。Optionally, in this embodiment of the present application, in order to avoid the flow of secret-related files to an external device, resulting in the leakage of secret-related files, the file tracking method provided by the embodiments of the present application If the operating environment does not meet the preset conditions, the external device is prohibited from accessing the confidential file.

示例性地,上述步骤102,可以包括以下步骤102b:Exemplarily, the above step 102 may include the following step 102b:

步骤102b、在触发的文件操作事件为所述文件创建事件的情况下,向所述文件创建事件所创建的目标文件中注入目标脚本。Step 102b: In the case that the triggered file operation event is the file creation event, inject a target script into the target file created by the file creation event.

其中,所述目标脚本用于在访问所述目标文件时检测当前设备的运行环境,并在当前设备的运行环境不满足预设条件的情况下,禁止所述目标文件的访问。Wherein, the target script is used to detect the running environment of the current device when accessing the target file, and prohibit the access of the target file when the running environment of the current device does not meet a preset condition.

示例性地,为了避免外部设备对涉密文件(即上述目标文件)的访问,可以在文件创建时,向文件中注入目标脚本。该目标脚本在设备对文件进行访问时自动运行,用于检测当前设备的运行环境,若当前设备的运行环境与企业内部的设备的运行环境不同,则表示当前设备为外部设备,为了避免泄密,该目标脚本可以禁止设备访问该涉密文件。Exemplarily, in order to prevent an external device from accessing a secret-related file (ie, the above-mentioned target file), a target script may be injected into the file when the file is created. The target script runs automatically when the device accesses the file, and is used to detect the running environment of the current device. If the running environment of the current device is different from the running environment of the device inside the enterprise, it means that the current device is an external device. The target script can prevent the device from accessing the classified file.

可以理解的是,目标脚本禁止设备访问该涉密文件的方法可以包括:关闭该涉密文件,删除该涉密文件,对该涉密文件进行加密等操作。It can be understood that the method for the target script to prohibit the device from accessing the secret-related file may include: closing the secret-related file, deleting the secret-related file, and encrypting the secret-related file.

本申请实施例提供的文件跟踪方法,通过进程注入的方式,监控文件操作事件,并在文件操作事件触发时,获取文件操作事件对应的目标文件的流转信息,并将该流转信息存储到目标文件的属性信息,和/或,服务器中,方便对该目标文件进行跟踪和监控。同时,在目标文件创建时,还可以向该目标文件中注入目标脚本,使得外部设备无法访问该目标文件。如此,无需在设备上安装客户端,也能够实现对涉密文件的跟踪和监控,且涉密文件流转到外部环境后,也无法进行访问,避免了泄密情况的发生。The file tracking method provided by the embodiment of the present application monitors file operation events by means of process injection, and when the file operation event is triggered, obtains the flow information of the target file corresponding to the file operation event, and stores the flow information in the target file. attribute information, and/or in the server, to facilitate tracking and monitoring of the target file. Meanwhile, when the target file is created, the target script can also be injected into the target file, so that the external device cannot access the target file. In this way, the tracking and monitoring of confidential files can be realized without installing a client on the device, and the confidential files cannot be accessed after they are transferred to the external environment, thereby avoiding the occurrence of leakage.

需要说明的是,本申请实施例提供的文件跟踪方法,执行主体可以为文件跟踪装置,或者该文件跟踪装置中的用于执行文件跟踪方法的控制模块。本申请实施例中以文件跟踪装置执行文件跟踪方法为例,说明本申请实施例提供的文件跟踪装置。It should be noted that, in the file tracking method provided by the embodiments of the present application, the execution body may be a file tracking device, or a control module in the file tracking device for executing the file tracking method. In the embodiment of the present application, the file tracking device provided by the embodiment of the present application is described by taking the file tracking method performed by the file tracking device as an example.

需要说明的是,本申请实施例中,上述各个方法附图所示的。文件跟踪方法均是以结合本申请实施例中的一个附图为例示例性的说明的。具体实现时,上述各个方法附图所示的文件跟踪方法还可以结合上述实施例中示意的其它可以结合的任意附图实现,此处不再赘述。It should be noted that, in the embodiments of the present application, the above methods are shown in the accompanying drawings. The file tracking methods are all exemplarily described with reference to a figure in the embodiments of the present application. During specific implementation, the file tracking method shown in the drawings of the above methods can also be implemented in combination with any other drawings shown in the above embodiments that can be combined, and details are not described herein again.

下面对本申请提供的文件跟踪装置进行描述,下文描述的与上文描述的文件跟踪方法可相互对应参照。The file tracking device provided by the present application is described below, and the file tracking method described below and the file tracking method described above can be referred to each other correspondingly.

图2为本申请一实施例提供的文件跟踪装置的结构示意图,如图2所示,具体包括:FIG. 2 is a schematic structural diagram of a file tracking device provided by an embodiment of the application, as shown in FIG. 2 , which specifically includes:

监控模块201,用于监控文件操作事件;记录模块202,用于在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息;其中,所述流转信息用于跟踪所述目标文件的流转。The monitoring module 201 is used to monitor the file operation event; the recording module 202 is used to acquire and record the flow information of the target file corresponding to the file operation event when it is detected that the file operation event is triggered; The circulation information is used to track the circulation of the target file.

可选地,所述流转信息包括以下至少一项:上一节点的节点信息,当前节点的节点信息,所述目标文件的文件信息,所述文件操作事件的触发时间。Optionally, the flow information includes at least one of the following: node information of the previous node, node information of the current node, file information of the target file, and trigger time of the file operation event.

可选地,所述监控模块201,具体用于将所述文件操作事件与Hook函数相关联,并构建与所述Hook函数对应的回调函数;其中,所述文件操作事件包括以下至少一项:文件创建事件,文件打开事件,文件保存事件,文件关闭事件;所述回调函数用于获取并记录所述流转信息。Optionally, the monitoring module 201 is specifically configured to associate the file operation event with a Hook function, and construct a callback function corresponding to the Hook function; wherein, the file operation event includes at least one of the following: File creation event, file opening event, file saving event, file closing event; the callback function is used to obtain and record the flow information.

可选地,所述记录模块202,具体用于在检测到所述文件操作事件被触发的情况下,通过所述回调函数获取所述流转信息,并通过COM组件将所述流转信息存储到所述目标文件的属性信息中,和/或,将所述流转信息存储到服务器中。Optionally, the recording module 202 is specifically configured to obtain the flow information through the callback function when it is detected that the file operation event is triggered, and store the flow information to the file through the COM component. in the attribute information of the target file, and/or, store the transfer information in the server.

可选地,所述装置还包括:信息提取模块和生成模块;所述信息提取模块,用于从所述目标文件的属性信息,和/或,所述服务器中提取所述目标文件在流转过程中每个节点对应的流转信息;所述生成模块,用于根据所述目标文件在流转过程中每个节点对应的流转信息,生成流转路径,并基于所述流转路径对所述目标文件进行溯源。Optionally, the apparatus further includes: an information extraction module and a generation module; the information extraction module is configured to extract the attribute information of the target file from the server, and/or extract the target file from the server during the transfer process The flow information corresponding to each node in the file; the generation module is used to generate a flow path according to the flow information corresponding to each node of the target file in the flow process, and trace the source of the target file based on the flow path. .

可选地,所述装置还包括:注入模块;所述注入模块,用于在触发的文件操作事件为所述文件创建事件的情况下,向所述文件创建事件所创建的目标文件中注入目标脚本;其中,所述目标脚本用于在访问所述目标文件时运行所述目标脚本,检测当前设备的运行环境,并在当前设备的运行环境不满足预设条件的情况下,禁止所述目标文件的访问。Optionally, the apparatus further includes: an injection module; the injection module is configured to inject a target into the target file created by the file creation event when the triggered file operation event is the file creation event Script; wherein, the target script is used to run the target script when accessing the target file, detect the operating environment of the current device, and prohibit the target when the operating environment of the current device does not meet the preset conditions file access.

本申请提供的文件跟踪装置,通过进程注入的方式,监控文件操作事件,并在文件操作事件触发时,获取文件操作事件对应的目标文件的流转信息,并将该流转信息存储到目标文件的属性信息,和/或,服务器中,方便对该目标文件进行跟踪和监控。同时,在目标文件创建时,还可以向该目标文件中注入目标脚本,使得外部设备无法访问该目标文件。如此,无需在设备上安装客户端,也能够实现对涉密文件的跟踪和监控,且涉密文件流转到外部环境后,也无法进行访问,避免了泄密情况的发生。The file tracking device provided by the present application monitors file operation events by means of process injection, and when the file operation event is triggered, obtains the flow information of the target file corresponding to the file operation event, and stores the flow information in the attribute of the target file information, and/or, in the server, it is convenient to track and monitor the target file. Meanwhile, when the target file is created, the target script can also be injected into the target file, so that the external device cannot access the target file. In this way, the tracking and monitoring of confidential files can be realized without installing a client on the device, and the confidential files cannot be accessed after they are transferred to the external environment, thereby avoiding the occurrence of leakage.

图3示例了一种电子设备的实体结构示意图,如图3所示,该电子设备可以包括:处理器(processor)310、通信接口(Communications Interface)320、存储器(memory)330和通信总线340,其中,处理器310,通信接口320,存储器330通过通信总线340完成相互间的通信。处理器310可以调用存储器330中的逻辑指令,以执行文件跟踪方法,该方法包括:监控文件操作事件;在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息;其中,所述流转信息用于跟踪所述目标文件的流转。FIG. 3 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 3 , the electronic device may include: a processor (processor) 310, a communication interface (Communications Interface) 320, a memory (memory) 330 and a communication bus 340, The processor 310 , the communication interface 320 , and the memory 330 communicate with each other through the communication bus 340 . The processor 310 can call the logic instruction in the memory 330 to execute the file tracking method, the method includes: monitoring the file operation event; when detecting that the file operation event is triggered, acquiring and recording the corresponding file operation event. The circulation information of the target file; wherein, the circulation information is used to track the circulation of the target file.

此外,上述的存储器330中的逻辑指令可以通过软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。In addition, the above-mentioned logic instructions in the memory 330 may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as an independent product. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .

另一方面,本申请还提供一种计算机程序产品,所述计算机程序产品包括存储在计算机可读存储介质上的计算机程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,计算机能够执行上述各方法所提供的文件跟踪方法,该方法包括:监控文件操作事件;在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息;其中,所述流转信息用于跟踪所述目标文件的流转。On the other hand, the present application also provides a computer program product, the computer program product includes a computer program stored on a computer-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, A computer can execute the file tracking method provided by the above methods, and the method includes: monitoring a file operation event; when detecting that the file operation event is triggered, acquiring and recording the flow of the target file corresponding to the file operation event information; wherein, the circulation information is used to track the circulation of the target file.

又一方面,本申请还提供一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现以执行上述各提供的文件跟踪方法,该方法包括:监控文件操作事件;在检测到所述文件操作事件被触发的情况下,获取并记录所述文件操作事件对应的目标文件的流转信息;其中,所述流转信息用于跟踪所述目标文件的流转。In yet another aspect, the present application also provides a computer-readable storage medium on which a computer program is stored, and the computer program is implemented when executed by a processor to execute the file tracking methods provided above, the method comprising: monitoring file operation events ; In the case of detecting that the file operation event is triggered, acquire and record the flow information of the target file corresponding to the file operation event; wherein, the flow information is used to track the flow of the target file.

以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性的劳动的情况下,即可以理解并实施。The device embodiments described above are only illustrative, wherein the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到各实施方式可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件。基于这样的理解,上述技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在计算机可读存储介质中,如ROM/RAM、磁碟、光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行各个实施例或者实施例的某些部分所述的方法。From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on this understanding, the above-mentioned technical solutions can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic A disc, an optical disc, etc., includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in various embodiments or some parts of the embodiments.

最后应说明的是:以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present application, but not to limit them; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be The technical solutions described in the foregoing embodiments are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions in the embodiments of the present application.

Claims (10)

1. A method for file tracking, comprising:
monitoring file operation events;
under the condition that the file operation event is detected to be triggered, acquiring and recording the circulation information of a target file corresponding to the file operation event;
wherein the circulation information is used for tracking the circulation of the target file.
2. The method of claim 1, wherein the circulation information comprises at least one of: the node information of the previous node, the node information of the current node, the file information of the target file and the trigger time of the file operation event.
3. The method of claim 1 or 2, wherein the monitoring file operation events comprises:
associating the file operation event with a Hook function, and constructing a callback function corresponding to the Hook function;
wherein the file operation event comprises at least one of: a file creating event, a file opening event, a file saving event and a file closing event; and the callback function is used for acquiring and recording the circulation information.
4. The method according to claim 3, wherein the obtaining and recording the circulation information of the target file corresponding to the file operation event when the file operation event is detected to be triggered comprises:
and under the condition that the file operation event is detected to be triggered, acquiring the circulation information through the callback function, storing the circulation information into the attribute information of the target file through a COM (component object model) component, and/or storing the circulation information into a server.
5. The method according to claim 4, wherein after the obtaining and recording the circulation information of the target file corresponding to the file operation event when the file operation event is detected to be triggered, the method further comprises:
extracting the circulation information corresponding to each node of the target file in the circulation process from the attribute information of the target file and/or the server;
and generating a circulation path according to circulation information corresponding to each node of the target file in the circulation process, and tracing the source of the target file based on the circulation path.
6. The method according to claim 2, wherein the obtaining and recording the circulation information of the target file corresponding to the file operation event when it is detected that the file operation event is triggered includes:
under the condition that the triggered file operation event is the file creation event, injecting a target script into a target file created by the file creation event;
the target script is used for running the target script when the target file is accessed, detecting the running environment of the current equipment, and forbidding the access of the target file under the condition that the running environment of the current equipment does not meet the preset condition.
7. An apparatus for file tracking, the apparatus comprising:
the monitoring module is used for monitoring file operation events;
the recording module is used for acquiring and recording the circulation information of the target file corresponding to the file operation event under the condition that the file operation event is detected to be triggered;
and the circulation information is used for tracking the circulation of the target file.
8. The apparatus of claim 7,
the monitoring module is specifically configured to associate the file operation event with a Hook function, and construct a callback function corresponding to the Hook function;
wherein the file operation event comprises at least one of: a file creating event, a file opening event, a file saving event and a file closing event; and the callback function is used for acquiring and recording the circulation information.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of a file tracking method according to any one of claims 1 to 6.
10. A computer program product comprising computer program/instructions, characterized in that the computer program/instructions, when executed by a processor, implement the steps of the file tracking method of any of claims 1 to 6.
CN202210114442.3A 2022-01-30 2022-01-30 File tracking method and device Pending CN114662123A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210114442.3A CN114662123A (en) 2022-01-30 2022-01-30 File tracking method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210114442.3A CN114662123A (en) 2022-01-30 2022-01-30 File tracking method and device

Publications (1)

Publication Number Publication Date
CN114662123A true CN114662123A (en) 2022-06-24

Family

ID=82026333

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210114442.3A Pending CN114662123A (en) 2022-01-30 2022-01-30 File tracking method and device

Country Status (1)

Country Link
CN (1) CN114662123A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305013A (en) * 2022-09-08 2023-06-23 上海飞机制造有限公司 Method, device, electronic equipment and medium for adding electronic files of traceability information
CN116684246A (en) * 2023-06-05 2023-09-01 平安银行股份有限公司 File operation monitoring method and device
CN119416199A (en) * 2024-10-09 2025-02-11 北京天融信网络安全技术有限公司 How to track processes created by Windows Task Scheduler

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234488A (en) * 2017-12-29 2018-06-29 北京长御科技有限公司 A kind of file tracking method and device
CN111159126A (en) * 2019-12-31 2020-05-15 北京天融信网络安全技术有限公司 Auditing method and device for file compression operation, electronic equipment and storage medium
CN113254994A (en) * 2021-05-27 2021-08-13 平安普惠企业管理有限公司 Database access method and device, storage medium and computer equipment
CN113901001A (en) * 2021-12-09 2022-01-07 武汉华工安鼎信息技术有限责任公司 File identification processing method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234488A (en) * 2017-12-29 2018-06-29 北京长御科技有限公司 A kind of file tracking method and device
CN111159126A (en) * 2019-12-31 2020-05-15 北京天融信网络安全技术有限公司 Auditing method and device for file compression operation, electronic equipment and storage medium
CN113254994A (en) * 2021-05-27 2021-08-13 平安普惠企业管理有限公司 Database access method and device, storage medium and computer equipment
CN113901001A (en) * 2021-12-09 2022-01-07 武汉华工安鼎信息技术有限责任公司 File identification processing method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305013A (en) * 2022-09-08 2023-06-23 上海飞机制造有限公司 Method, device, electronic equipment and medium for adding electronic files of traceability information
CN116684246A (en) * 2023-06-05 2023-09-01 平安银行股份有限公司 File operation monitoring method and device
CN119416199A (en) * 2024-10-09 2025-02-11 北京天融信网络安全技术有限公司 How to track processes created by Windows Task Scheduler

Similar Documents

Publication Publication Date Title
CN114662123A (en) File tracking method and device
US9852289B1 (en) Systems and methods for protecting files from malicious encryption attempts
US9246948B2 (en) Systems and methods for providing targeted data loss prevention on unmanaged computing devices
US20190253399A1 (en) Perimeter enforcement of encryption rules
US9171154B2 (en) Systems and methods for scanning packed programs in response to detecting suspicious behaviors
US9436814B2 (en) Fail-safe licensing for software applications
US10204235B2 (en) Content item encryption on mobile devices
US20150237070A1 (en) Systems and methods for applying data loss prevention policies to closed-storage portable devices
US10318272B1 (en) Systems and methods for managing application updates
CN108351922B (en) Method, system, and medium for applying rights management policies to protected files
CN110855698B (en) Terminal information obtaining method, device, server and storage medium
Keijzer The new generation of ransomware: an in depth study of Ransomware-as-a-Service
CN106326733A (en) Method and device for managing applications in mobile terminal
CN104281442A (en) Document processing system and document processing method
US9607176B2 (en) Secure copy and paste of mobile app data
US10169584B1 (en) Systems and methods for identifying non-malicious files on computing devices within organizations
US11423175B1 (en) Systems and methods for protecting users
CN113946873B (en) Off-disk file tracing method and device, terminal and storage medium
JP2016189201A (en) Inoculator and antibody for computer security
CH716699A2 (en) Systems and methods to counter the removal of digital forensic information by malicious software.
US8839374B1 (en) Systems and methods for identifying security risks in downloads
CN118606969A (en) Data volume encryption and decryption method, device, equipment, storage medium, computer program product and system
Bellizzi et al. Responding to living-off-the-land tactics using just-in-time memory forensics (JIT-MF) for android
US9754086B1 (en) Systems and methods for customizing privacy control systems
Eterovic‐Soric et al. Windows 7 antiforensics: a review and a novel approach

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination