
TWI574172B - The method of encrypting the network to monitor confidentiality - Google Patents


Info

Publication number
TWI574172B
TWI574172B
Authority
TW
Taiwan
Prior art keywords
network
confidential
program
file
monitoring
Prior art date
Application number
TW101119976A
Other languages
Chinese (zh)
Other versions
TW201351189A (en)
Inventor
ming-zhe Zhang
bing-yan Xie
ke-hua Xu
Can-Xiong Liu
Original Assignee
Chunghwa Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd
Priority to TW101119976A
Publication of TW201351189A
Application granted
Publication of TWI574172B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Description

Method for monitoring confidential information over an encrypted network

The invention relates to a method for monitoring confidential information over an encrypted network, applied mainly in confidentiality-protection systems. As computer and network technology advances, the channels through which data can leak become ever more diverse, so a confidentiality-protection system must be able to detect data being sent out over the various network protocols and thereby prevent confidential documents from leaving the organization. This is a key technology in the field of confidentiality protection.

Network monitoring in a confidentiality-protection system usually relies on a dedicated network gateway or proxy that analyzes and monitors transmitted content at the organization's network perimeter, but endpoint monitoring techniques can also be used to analyze a computer's network traffic. The characteristics of the two approaches are compared in Table 1.

In theory, when an encryption protocol such as SSL is used, the transmitted content cannot be analyzed or monitored by the confidentiality-protection system. There are two possible ways around this. The first is to deploy an SSL proxy server at the network gateway: when a client computer opens an SSL connection, the SSL proxy impersonates the server of the target URL, performs the request on the client's behalf, and relays the remote URL's response back to the original client, much like a man-in-the-middle attack. The drawback is that the client shows a security warning, because the target URL does not match what the SSL certificate states, and network performance is somewhat reduced by the proxy's relaying. If the proxy server's certificate is configured in advance as a trusted certificate on every computer, so that the proxy can sign an SSL certificate for the URL on the fly and then perform the man-in-the-middle relay described above, the client's security warning can be avoided, but SSL connection setup becomes slower because of the cost of signing a temporary certificate. Newer versions of the Squid proxy together with the ICAP module can already provide this kind of SSL inspection. However, because many SSL connections protect login credentials, for example logins to online banking and e-commerce sites, this SSL inspection approach raises user-privacy concerns.

The other solution is to use low-level operating-system facilities to monitor the network behaviour of the local computer: when the confidentiality-protection system detects that a network application is about to transfer a file after establishing an SSL connection, it can analyze the file's content first and protect it. The drawback is that this requires going deep into the operating system and developing a separate monitoring function for the behaviour pattern of each kind of network application, which complicates product version maintenance. But because the monitoring takes place at the source of the network protocol, that is, on the application's own data flow, even transmission channels on which no confidentiality-protection gateway is installed, such as Wi-Fi, 3G wireless or dial-up connections, can be monitored. In addition, because the confidentiality-protection program does not capture the contents of password fields, it avoids infringing on user privacy.

This patent uses endpoint monitoring to analyze the content of a computer's network transmissions and to control its behaviour. Compared with the conventional monitoring methods that use a network gateway or proxy, it does not affect overall network performance, it monitors the full range of network transmission channels more completely, and it avoids intruding on users' account privacy. A similar technical concept can be found in US 2008/0066180 A1, Instant Message Scanning; however, that case only analyzes and blocks malware transmitted through instant messaging, and unlike the present case it does not prevent confidential documents from leaking out over an encrypted network.

In view of the shortcomings of the conventional approaches described above, the inventors sought improvements and innovations and finally succeeded in developing the present method for monitoring confidential information over an encrypted network.

The purpose of this invention is to establish a method for monitoring confidential information over an encrypted network, applied mainly in confidentiality-protection systems. When a user adopts an encrypted network protocol such as SSL or SSH, the confidentiality-protection system theoretically cannot analyze or control the transmitted content. This invention proposes a solution that can monitor the content of data transmissions in any network-encryption environment.

The invention proposes a method for monitoring confidential information over an encrypted network. The method first applies API hooks to the target thread; the hooked APIs are the system APIs involved in network transmission, such as send() in ws2_32.dll or CreateFile() in kernel32.dll. These hooks are installed for monitoring when the application starts. Once the thread connects to an external network over an encryption protocol and reads a local file, the file name is passed through an inter-process communication channel to the confidentiality-protection system's process, which analyzes the file's content and returns the result so that the application can carry out the protective action prescribed by policy. In this way network content can be analyzed and protected early, in any encryption-protocol environment, without affecting overall network performance, and every network channel can be monitored.

A method for monitoring confidential information over an encrypted network, used for the network-monitoring operation of a confidentiality-protection system, comprises the following steps. Step 1: when the system detects that the user has started a network application, it loads a confidentiality-monitoring dynamic library into it and installs API hooks related to network transmission behaviour. Step 2: when an installed hook detects that the network application has connected to an external network and is reading a file or editing text, it notifies the confidentiality-protection system process through an inter-process communication channel to analyze the content of the file or text, so as to determine whether the network application risks leaking confidential data. Step 3: when the network application receives the content-analysis result returned by the confidentiality-protection system process, it allows non-confidential files to continue with network transmission, while confidential files are handled with the protective action corresponding to the returned value.

The confidentiality-protection system process is a resident process pre-installed on the user's computer that is responsible for loading and applying policy, performing content analysis, and keeping audit records. The API hooks related to network transmission behaviour are hooks, installed with API hooking techniques, on the operating-system library functions that the application must call to read files, edit text, send data over the network or open files, so that additional monitoring can be carried out in between. In Step 1, the network-transmission API hooks are installed at application start-up as follows: when the confidentiality-monitoring dynamic library is loaded, it determines whether the process is a network application; if so, it installs the API hooks related to network transmission behaviour so as to monitor the process's subsequent network transmissions; if not, the loading of the confidentiality-monitoring dynamic library ends. The API hooks monitor the network application as follows: after the network application has connected externally, any reading of a file or editing of text enters the monitoring flow of the corresponding hook, which uses the inter-process communication channel to notify the confidentiality-protection program and requests content analysis of the target file or text, in order to obtain the analysis result.

As for the inter-process communication channel: for files, the channel is a named-pipe protocol that passes the file's full path name to the confidentiality-protection program for content analysis; for edited text, the operating system's clipboard mechanism is used to pass the text content, and the named-pipe protocol is then used to query the confidentiality-protection program for the most recent clipboard text-analysis result.

Under the named-pipe protocol, when the content-analysis result returned by the confidentiality-protection system is received, if the target file or text is not confidential the process's network transmission continues without any protective action; for confidential files the protective action corresponding to the returned value is carried out, where the protective actions include auditing, encrypting or blocking.

The method of passing text through the operating system's clipboard is as follows: after the user has entered text in the editing area, the API hook first saves the clipboard's existing content and the caret position, then uses the operating-system library to issue select-all and copy commands for the edited text and restores the caret position; after obtaining the content-analysis result returned by the confidentiality-protection program, it restores the clipboard's original content.

In the method for monitoring confidential information over an encrypted network, the confidential content analysis and audit method comprises the following steps. Step 1: the resident process of the confidentiality-protection system opens a specific named pipe in the system. Step 2: on receiving a named-pipe request sent by the network program, it parses the request information. Step 3: after performing the operation corresponding to the request, it returns the result.

If the request received on the named pipe asks for file analysis, the content of the file identified by the transmitted file name is analyzed, the analysis result is assembled into the named-pipe response data, and it is returned to the network application.

If the request received on the named pipe asks for the analysis result of the thread's text editing, the most recent clipboard content-analysis result is retrieved and returned over the named pipe.

If the request received on the named pipe is to audit a confidentiality-protection event, the relevant event information is assembled into an audit record and uploaded to the confidentiality management server.

Compared with the cited references and other conventional techniques, the method for monitoring confidential information over an encrypted network provided by this invention has the following advantages:

1. The method for monitoring confidential information over an encrypted network of this invention can prevent confidential documents from leaking out in any encrypted network environment.

2. The method for monitoring confidential information over an encrypted network of this invention does not create a bottleneck at the gateway server as network traffic grows, and so does not impact the transmission efficiency of the whole network.

3. The method for monitoring confidential information over an encrypted network of this invention can monitor any network transmission channel and is not physically constrained by the network architecture or by monitoring devices.

Refer to FIG. 1, the system architecture diagram of the method for monitoring confidential information over an encrypted network according to this invention. When the user 110 operates the computer system 150, the network application 130 that is started connects to the external network 120 over an encryption protocol. When the network application 130 starts, the confidentiality-monitoring dynamic library 160 is loaded first; it may be loaded through a mechanism provided by the operating system, or the confidentiality-protection system process 180 may continuously watch for the start of every process and inject it remotely. When the network application 130 reads a file 140 or edits text, the Application Programming Interface (API) hooks pre-installed in the network application 130 notify the confidentiality-protection system process 180 through Inter-Process Communication to analyze the file or text content, so that the network application 130 can decide whether to allow the data to be sent out over the network. If a confidentiality-protection event occurs, the network transmission is blocked from within the API hook as policy dictates, and the confidentiality-protection system process 180 uploads a record to the confidentiality management center 170 server for audit management.

Refer to FIG. 2, the network-application monitoring flowchart of the method for monitoring confidential information over an encrypted network according to this invention. When the system detects that a network application has started 200, the system's main hook reaches its execution point, determines whether this is a network application in which network-related hooks should be installed, and enters the detection and filtering flow. The filter may be: if the thread's name is listed in the monitoring list defined by the system, or if it has loaded ws2_32.dll, the low-level Windows network library, then the hooks for network-related APIs are installed 210 to monitor its subsequent network transmission behaviour. When the thread connects externally or sends data 220, monitoring of its file reads and text editing begins; whether the connection is external can be determined by comparing against the operating system's Internet connection settings or by parsing the HTTP protocol content. Next, if a file-read action is found 230 in the ReadFile hook of Kernel32.dll or the GetOpenFileName hook of Comdlg32.dll, the file and path name are first identified and the file name is passed to the confidentiality-protection program for content analysis 250, to decide whether this thread's network transmission needs protection; this is done by passing the file name over a named-pipe protocol to the resident process of the confidentiality-protection system and requesting analysis of the file's content. If the SetCaretPos hook of User32.dll reveals that the thread is editing text 240, the text is passed through the clipboard to the resident process of the confidentiality-protection system 260 for content analysis. As for how the clipboard is used to pass the text being edited, one method is: when the user is detected at a particular moment of editing, such as a line break, the application's hook issues keyboard commands such as Ctrl-A and Ctrl-C, immediately passing the edited text to the confidentiality-protection program through the clipboard and triggering its analysis of the clipboard content. In this flow of passing text to the confidentiality-protection program through the clipboard 260, the original clipboard content and caret position must first be saved and then restored after the text has been passed.

When the confidentiality-protection program has completed the content analysis of the file or text and returned the result, the network application judges from the return code whether the file is confidential. Suppose a value of 0 means the file carries no risk of leaking confidential data; then the network transmission may proceed 280. A return code of 1 to 3 means the file is confidential, and the event must be audited 270 and the network protection action 290 carried out. The audit procedure 270 presents a dialog box for the user to choose and confirm how the event is handled, then notifies the confidentiality-protection program over the named pipe to audit the event. The network protection procedure 290 applies a different measure depending on the return value: for example, 1 only audits the event without blocking the network transmission; 2 encrypts the file before sending it out; and 3 blocks the network transmission.

Refer to FIG. 3, the confidential analysis and audit flowchart of the method for monitoring confidential information over an encrypted network according to this invention. The resident process of the confidentiality-protection system opens a specific named pipe in the system. When it receives a named-pipe request sent by the network program 310, it parses the request information. If file analysis is requested, it uses the transmitted file name to analyze the file's content 320 and then returns the content-analysis result over the named pipe 340, assembling the result into the named-pipe response data and returning it to the network application. If the request is for the analysis result of the thread's text editing, it retrieves the most recent clipboard content-analysis result 330 and then performs the return 340. If the named-pipe request is to audit a confidentiality-protection event, it uploads the relevant audit record to the confidentiality management server 350.
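The resident process's request handling (FIG. 3, steps 310 to 350) together with the hook side's mapping of return codes 0 to 3 to an action (steps 280 and 290), as an added Python example that is not the patent's own code. A Unix socketpair carrying newline-delimited JSON stands in for the Windows named pipe and for whatever message framing the real system uses; the marker-based classifier, the sample file and the sample clipboard text are constructed; failing closed on errors and unknown codes is a choice made here, not something the patent specifies.

```python
import json
import os
import re
import socket
import tempfile
import threading

# Return codes as the description defines them: 0 = not confidential,
# 1 = audit only, 2 = encrypt before sending, 3 = block the transmission.
ALLOW, AUDIT, ENCRYPT, BLOCK = 0, 1, 2, 3

# Constructed, hypothetical classification policy (marker -> return code);
# the patent leaves the content-analysis method itself open.
POLICY = [(re.compile(r"\bTOP SECRET\b"), BLOCK),
          (re.compile(r"\bCONFIDENTIAL\b"), ENCRYPT),
          (re.compile(r"\bINTERNAL\b"), AUDIT)]


def classify_text(text):
    """Return the most severe code whose marker occurs in the text."""
    return max((level for pattern, level in POLICY if pattern.search(text)), default=ALLOW)


class ResidentProcess:
    """The resident confidentiality-protection process (FIG. 3, 310-350)."""

    def __init__(self):
        self.last_clipboard_result = ALLOW  # refreshed by the clipboard listener
        self.audit_log = []                  # stands in for the upload at 350

    def on_clipboard_update(self, text):
        # Clipboard listener: the hook's select-all/copy (260) lands here.
        self.last_clipboard_result = classify_text(text)

    def handle(self, request):
        """Parse one request (310) and dispatch it (320 / 330 / 350)."""
        kind = request.get("type")
        if kind == "analyze_file":
            try:
                with open(request["path"], encoding="utf-8", errors="replace") as f:
                    return {"status": "ok", "code": classify_text(f.read())}
            except OSError as exc:
                return {"status": "error", "detail": str(exc)}
        if kind == "last_clipboard_result":
            return {"status": "ok", "code": self.last_clipboard_result}
        if kind == "audit":
            self.audit_log.append(request["event"])
            return {"status": "ok"}
        return {"status": "error", "detail": "unknown request type"}

    def serve(self, conn):
        """Answer newline-delimited JSON requests until the peer closes (340)."""
        with conn, conn.makefile("r", encoding="utf-8") as reader:
            for line in reader:
                reply = self.handle(json.loads(line))
                conn.sendall((json.dumps(reply) + "\n").encode("utf-8"))


def protective_action(code):
    """Map the return code to what the hook does next (280 / 290). Unknown
    codes fail closed; that choice is made here, not in the patent."""
    return {ALLOW: "send", AUDIT: "audit-and-send",
            ENCRYPT: "encrypt-then-send", BLOCK: "block"}.get(code, "block")


def demo():
    """One end-to-end exchange over a socketpair; returns the decisions made."""
    resident = ResidentProcess()
    hook_end, resident_end = socket.socketpair()
    server = threading.Thread(target=resident.serve, args=(resident_end,), daemon=True)
    server.start()
    reader = hook_end.makefile("r", encoding="utf-8")

    def call(payload):  # the hooked application's end of the channel
        hook_end.sendall((json.dumps(payload) + "\n").encode("utf-8"))
        return json.loads(reader.readline())

    decisions = {}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "report.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write("Q3 plan - CONFIDENTIAL - do not distribute\n")  # constructed sample
        reply = call({"type": "analyze_file", "path": path})
        decisions["file"] = protective_action(reply["code"])
        reply = call({"type": "analyze_file", "path": os.path.join(workdir, "missing.txt")})
        decisions["missing_file"] = protective_action(reply.get("code", BLOCK))
    resident.on_clipboard_update("draft mail: TOP SECRET launch date")  # constructed sample
    decisions["clipboard"] = protective_action(call({"type": "last_clipboard_result"})["code"])
    call({"type": "audit", "event": {"path": path, "code": ENCRYPT}})
    reader.close()
    hook_end.close()
    server.join(timeout=5)
    decisions["audit_entries"] = len(resident.audit_log)
    return decisions
```

Two points worth noticing when reading `demo()`: an unreadable file yields an error reply with no code, and the hook treats that as "block" rather than letting the transfer through; and the clipboard result is only as fresh as the last listener update, so a hook that queries it before the copy has been processed would read a stale verdict.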

The implementation flow above can monitor an application's network transmission behaviour; even under an encrypted network protocol, the data flow of the network application can be analyzed and controlled before confidential data actually enters the network.

The detailed description above describes one feasible embodiment of the invention. That embodiment is not intended to limit the patent scope of the invention, and all equivalent implementations or modifications that do not depart from the technical spirit of the invention shall be included within the patent scope of this case.

In summary, the present case is not only genuinely innovative in its technical concept but also offers the several advantages described above that conventional methods lack; it fully satisfies the statutory requirements of novelty and inventive step for an invention patent. The application is therefore filed in accordance with the law, and the Office is respectfully requested to grant this invention patent application so as to encourage invention.

110‧‧‧System user

120‧‧‧Internet

130‧‧‧Network application

140‧‧‧File read

150‧‧‧Computer system operating environment

160‧‧‧Confidentiality-monitoring dynamic library

170‧‧‧Confidentiality management center

180‧‧‧Confidentiality-protection system process

200~290‧‧‧Network application monitoring flow

310~350‧‧‧Confidential analysis and audit flow

Refer to the detailed description of the invention and its accompanying drawings for a fuller understanding of the technical content of the invention and its purposes and effects. The drawings are: FIG. 1, the system architecture diagram of the method for monitoring confidential information over an encrypted network according to this invention; FIG. 2, the network-application monitoring flowchart of the method; and FIG. 3, the confidential analysis and audit flowchart of the method.


Claims (8)

一種在加密網路監控機密之方法,係用於機密防護系統之網路監控作業,該監控之方法係包括下列步驟:步驟一、當系統偵測到使用者啟用網路應用程式之際,即載入一個監控機密之動態函式庫,並置入網路傳輸行為相關之應用程式介面掛鉤;步驟二、當置入之該掛鉤在偵測到該網路應用程序有連接對外之網路,且有讀取檔案或編輯文字資料之行為時,即透過程序間通訊管道通知機密防護系統程序,進行檔案或文字的內容分析作業,以便判斷該網路應用程序是否有機密外洩之風險;以及步驟三、該網路應用程序於收到該機密防護系統程序傳回的內容分析結果時,對於非機密文件允許其繼續進行網路傳輸作業,而該機密文件則依照回傳值進行相應的防護作業。 A method for monitoring confidentiality in an encrypted network is used for network monitoring operations of a confidential protection system. The method for monitoring includes the following steps: Step 1: When the system detects that the user enables the network application, Load a dynamic library that monitors confidentiality and place an application interface hook associated with the network transmission behavior; Step 2: When the hook is placed, it detects that the network application has a connection to the external network. When there is an act of reading a file or editing a text file, the confidential protection system program is notified through an inter-program communication channel to perform an analysis of the content of the file or text to determine whether the network application is confidentially exposed; and Step 3: When receiving the content analysis result returned by the confidential protection system program, the network application allows the non-confidential file to continue the network transmission operation, and the confidential file performs corresponding protection according to the returned value. operation. 如申請專利範圍第1項所述之在加密網路監控機密之方法,其中該機密防護系統程序,係為一個預先安裝於使用者電腦系統之常駐程序,負責該機密防護系統程序之政策載入與應用、內容分析、稽核記錄之作業。 The method for monitoring confidentiality in an encrypted network as described in claim 1, wherein the confidential protection system program is a resident program pre-installed in a user computer system, and is responsible for policy loading of the confidential protection system program. Work with applications, content analysis, and audit records. 
The method of monitoring confidentiality in an encrypted network as described in claim 1, wherein the application programming interface (API) hooks related to network transmission behavior refer to using API hooking techniques to intercept the operating-system library functions that the application process must call when reading a file, editing text data, transmitting data over the network, or opening a file, and inserting additional monitoring processing at those points.

The method of monitoring confidentiality in an encrypted network as described in claim 1, wherein, in step one, the method of installing the network-transmission-related API hooks when the network application starts is as follows: when the confidentiality-monitoring dynamic link library is loaded, determine whether the process is the network application; if the process is determined to be the network application, install the API hooks related to network transmission behavior in order to monitor its subsequent network transmission behavior; if the process is determined not to be the network application, terminate the loading of the confidentiality-monitoring dynamic link library.

The method of monitoring confidentiality in an encrypted network as described in claim 1, wherein the method by which the network API hooks monitor the network application is as follows: once the network application process has established an outbound connection, any file-reading or text-editing behavior enters the monitoring flow of the corresponding hook, which notifies the confidentiality protection program through an inter-process communication channel and requests that program to perform content analysis of the target file or text in order to obtain the analysis result.

The method of monitoring confidentiality in an encrypted network as described in claim 5, wherein the inter-process communication channel is as follows: for files, the inter-process communication channel used is a named pipe protocol, over which the full path and file name of the file are passed to the confidentiality protection program for content analysis of the file; for text-editing data, the text content is passed by means of the operating system's clipboard mechanism, and the named pipe protocol is used to query the confidentiality protection program for the most recent clipboard text analysis result.

The method of monitoring confidentiality in an encrypted network as described in claim 6, wherein, under the named pipe protocol, when the content analysis result returned by the confidentiality protection system is received: if the target file or text content is not confidential data, the network transmission behavior of the process continues without any protective action; for confidential documents, the corresponding protective action is taken according to the returned value, the protective actions including auditing, encryption, or blocking.

The method of monitoring confidentiality in an encrypted network as described in claim 6, wherein the method of passing text by means of the operating system's clipboard mechanism is as follows: after the user has entered text data in the editing area, the API hook first saves the original clipboard content and the cursor position, then uses the operating-system library to issue select-all and copy commands on the edited text and restores the cursor position, and after obtaining the content analysis result returned by the confidentiality protection program, restores the original clipboard content.
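As an added illustration that is not code from the patent or from Chunghwa Telecom, the following Python models the hook-side flow described in the claims above: the hook consults the confidentiality protection program only once an outbound connection exists, dispatches continue/audit/encrypt/block on the returned value, and for edited text performs the clipboard save, select-all and copy, cursor restore, query, and clipboard restore sequence. The numeric return-value codes, the in-memory dictionary standing in for the named pipe and file system, and the marker-based classification rule are assumptions made for this example.

```python
from enum import IntEnum

class Verdict(IntEnum):
    """Assumed return-value codes: the claims name the actions, not the codes."""
    NOT_CONFIDENTIAL = 0
    AUDIT = 1
    ENCRYPT = 2
    BLOCK = 3

ACTIONS = {Verdict.NOT_CONFIDENTIAL: "continue", Verdict.AUDIT: "audit",
           Verdict.ENCRYPT: "encrypt", Verdict.BLOCK: "block"}
MARKER = b"[CONFIDENTIAL]"                      # constructed classification rule
FILES = {r"C:\docs\plan.docx": b"Q3 roadmap [CONFIDENTIAL] do not forward",
         r"C:\docs\lunch.txt": b"pizza on friday"}   # constructed file system

def protection_program(request):
    """Stand-in for the confidentiality protection program at the far end of the
    named pipe: analyses a file by its full path, or the text on the clipboard."""
    if request["kind"] == "file":
        data = FILES[request["path"]]
        return Verdict.BLOCK if MARKER in data else Verdict.NOT_CONFIDENTIAL
    text = request["clipboard"].content.encode()
    return Verdict.AUDIT if MARKER in text else Verdict.NOT_CONFIDENTIAL

class Clipboard:
    """Minimal stand-in for the operating-system clipboard."""
    def __init__(self, content=""):
        self.content = content

def hook_file_read(path, connected, pipe=protection_program):
    """Hooked file read inside the network application: enters the monitoring
    flow only after an outbound connection exists; returns the action taken."""
    if not connected:
        return "passthrough"
    verdict = pipe({"kind": "file", "path": path})   # full path name over the pipe
    return ACTIONS[verdict]

def hook_text_edit(editor, clipboard, connected, pipe=protection_program):
    """Hooked text edit: save clipboard and cursor, select-all/copy the editor
    text onto the clipboard, restore cursor, query the result, restore clipboard."""
    if not connected:
        return "passthrough"
    saved, cursor = clipboard.content, editor["cursor"]
    editor["cursor"] = len(editor["text"])    # select-all moves the cursor
    clipboard.content = editor["text"]        # copy via the OS library
    editor["cursor"] = cursor                 # restore the cursor position
    try:
        verdict = pipe({"kind": "text", "clipboard": clipboard})
    finally:
        clipboard.content = saved             # restore original clipboard content
    return ACTIONS[verdict]
```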

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW101119976A TWI574172B (en) 2012-06-04 2012-06-04 The method of encrypting the network to monitor confidentiality

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW101119976A TWI574172B (en) 2012-06-04 2012-06-04 The method of encrypting the network to monitor confidentiality

Publications (2)

Publication Number Publication Date
TW201351189A TW201351189A (en) 2013-12-16
TWI574172B true TWI574172B (en) 2017-03-11

Family

ID=50158026

Family Applications (1)

Application Number Title Priority Date Filing Date
TW101119976A TWI574172B (en) 2012-06-04 2012-06-04 The method of encrypting the network to monitor confidentiality

Country Status (1)

Country Link
TW (1) TWI574172B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI240178B (en) * 2001-06-15 2005-09-21 Fine Art Technology Co Ltd Transparent encrypting and decrypting method and system
US20070169184A1 (en) * 2006-01-13 2007-07-19 Fortinet, Inc. Computerized system and method for advanced network content processing
TW201032559A (en) * 2009-02-24 2010-09-01 Fineart Technology Co Ltd Conditional electric document right management system and method

Also Published As

Publication number Publication date
TW201351189A (en) 2013-12-16

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees