CN113342288B - Data protection method, client, server and system - Google Patents


Info

Publication number: CN113342288B
Authority: CN (China)
Prior art keywords: file, information, receiving end, data, user information
Legal status: Active
Application number: CN202110730332.5A
Other languages: Chinese (zh)
Other versions: CN113342288A (en)
Inventors: 陆东峰, 李仕毅, 赵忠祥
Current Assignee: Beijing Skyguard Network Security Technology Co ltd
Original Assignee: Beijing Skyguard Network Security Technology Co ltd

Application filed by Beijing Skyguard Network Security Technology Co ltd
Priority to CN202110730332.5A
Publication of CN113342288A
Application granted
Publication of CN113342288B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00: Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/12: Digital output to print unit, e.g. line printer, chain printer
    • G06F3/1201: Dedicated interfaces to print systems
    • G06F3/1202: Dedicated interfaces to print systems specifically adapted to achieve a particular effect
    • G06F3/1203: Improving or facilitating administration, e.g. print management
    • G06F3/1223: Dedicated interfaces to print systems specifically adapted to use a particular technique
    • G06F3/1237: Print job management
    • G06F3/1259: Print job monitoring, e.g. job status

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a data protection method, a client, a server and a system, and relates to the technical field of computers. One embodiment of the method comprises the following steps: receiving a transmission operation aiming at a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end; if the file receiving end indicates the printing equipment or the mobile storage equipment, locating the file to be transmitted according to the file information; selecting characters from the positioned files to be transmitted, and adding graphic identifiers at the positions of the selected characters; and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to the protection server so that the protection server provides a query result aiming at the data leakage condition. This embodiment is advantageous for tracking the source of data leakage.

Description

Data protection method, client, server and system
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data protection method, a client, a server, and a system.
Background
Printing has become one of the ways in which enterprise data or enterprise information is leaked, and tracing the source of a print leak is central to preventing data leakage through printing.
At present, the source of a print leak is mainly traced by adding printer information at a conspicuous place on the printed paper during printing; the source can then be determined by checking the printer information carried by the printed file.
Because the printer information is conspicuous, it easily draws attention, and once the person printing the file notices it, it can be deleted, covered and so on, so the effectiveness of data protection is low.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a data protection method, a client, a server, and a system, which are favorable for tracking a data leakage source, and can effectively improve the effectiveness of data protection.
To achieve the above object, according to an aspect of the embodiments of the present invention, there is provided a data protection method, including:
receiving a transmission operation aiming at a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end;
if the file receiving end indicates printing equipment or mobile storage equipment, positioning the file to be transmitted according to the file information;
Selecting a character from the positioned file to be transmitted, and adding a graphic identifier at the position of the selected character;
and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to a protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result aiming at the data leakage condition.
Optionally, the data protection method further includes: setting and storing various graphic identifiers;
the adding of a graphic identifier at the position of the selected character comprises:
selecting a target graphic identifier from a plurality of graphic identifiers;
and adding the target graphic identifier at the position where the selected character is located.
Optionally, the selecting a character from the located file to be transmitted includes:
Randomly selecting a target row or a target column from the positioned file to be transmitted;
characters are selected from the target row or the target column.
Optionally, the data protection method further includes:
receiving a query request aiming at the data leakage condition, wherein the query request indicates second user information and file information to be queried;
and providing the first user information related to the file information to be queried and the information of the file receiving end under the condition that the second user information has the query authority.
Optionally, the data protection method further includes:
in case the file information to be queried comprises data source information,
comparing the data source information with the information of the file receiving end;
if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in the protection service end.
Optionally, the data protection method further includes:
and transmitting the third user information with the data leakage risk to the protection server so that the protection server marks a risk identifier for the stored third user information.
Optionally, after the receiving a transmission operation for the stored file, further comprising:
the first user information is sent to the protection server side, so that the protection server side analyzes whether risk identification exists in the first user information;
receiving an analysis result sent by the protection server;
if the analysis result indicates that the first user information has a risk identification, rejecting a transmission operation for the stored file; otherwise, executing the step of locating the file to be transmitted according to the file information.
In a second aspect, an embodiment of the present invention provides a data protection method, including:
receiving and correspondingly storing first user information sent by a client, information of a file receiving end corresponding to a transmission operation received by the client, file information of a file to be transmitted aiming at the transmission operation, a graphic identifier selected by the client for the file to be transmitted and a position of the graphic identifier in the file to be transmitted;
and receiving a query request aiming at the data leakage condition, and providing a query result aiming at the data leakage condition for the query request based on the corresponding stored first user information, the file receiving end information, the file information, the graphic identifier and the position of the graphic identifier.
Optionally, the query request indicates second user information and file information to be queried;
the providing the query result for the query request for the data leakage condition includes:
and providing the first user information related to the file information to be queried and the information of the file receiving end under the condition that the second user information has the query authority.
Optionally, the data protection method further includes:
receiving third user information which is sent by the client and has data leakage risk;
and labeling risk identification for the stored third user information.
Optionally, the data protection method further includes:
receiving the first user information sent by the client;
and analyzing whether the first user information has the risk identifier, based on the risk identifier labeled on the third user information, and sending an analysis result to the client.
In a third aspect, an embodiment of the present invention provides a client for data protection, including: a receiving unit and a data protection unit, wherein,
the receiving unit is used for receiving a transmission operation aiming at a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end;
The data protection unit is used for positioning the file to be transmitted according to the file information if the file receiving end indicates printing equipment or mobile storage equipment; selecting a character from the positioned file to be transmitted, and adding a graphic identifier at the position of the selected character; and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to a protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result aiming at the data leakage condition.
In a fourth aspect, an embodiment of the present invention provides a server for data protection, including: a storage unit and a query unit, wherein,
the storage unit is used for receiving and correspondingly storing first user information sent by a client, information of a file receiving end corresponding to transmission operation received by the client, file information of a file to be transmitted aiming at the transmission operation, a graphic identifier selected by the client for the file to be transmitted and the position of the graphic identifier in the file to be transmitted;
The query unit is configured to receive a query request for a data leakage situation, and provide a query result for the data leakage situation for the query request based on the first user information, the information of the file receiving end, the file information, the graphic identifier, and the position where the graphic identifier is located, which are stored correspondingly.
In a fifth aspect, an embodiment of the present invention provides a system for protecting data, including: the client provided by the embodiment of the third aspect and the server provided by the embodiment of the fourth aspect.
One embodiment of the above invention has the following advantages or benefits: for a transmission operation on a stored file, if the file receiving end indicates a printing device or a mobile storage device, the file to be transmitted is located according to the file information; characters are selected from the located file, and graphic identifiers are added at the positions of the selected characters; and the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier indicated by the transmission operation are sent to the protection server, so that the protection server stores them in association with one another and provides query results about data leakage. Because the graphic identifier is placed at a character position, it is well concealed and not easily noticed by the person leaking the data, so the scheme provided by the embodiment of the invention helps trace the source of a data leak and effectively improves the effectiveness of data protection.
Further effects of the above optional implementations are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a system architecture upon which an application scenario depends according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the main flow of a data protection method applied to a client according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the main flow of adding graphical identifiers according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the main flow of a data leakage situation query according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a main flow of a data protection method according to another embodiment of the present invention;
FIG. 6 is a schematic diagram of the main flow of a data protection method according to another embodiment of the present invention;
FIG. 7 is a schematic diagram of a main flow of a data protection method applied to a server according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the main units of a client for data protection according to an embodiment of the invention;
FIG. 9 is a schematic diagram of main units of a server for data protection according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the primary devices of a system for data protection according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 illustrates a system architecture 100 on which an application scenario, to which embodiments of the present invention described below may be applied, depends.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, a server 105, a printing device 106 connected to the terminal devices, and a removable storage device 107 connected to the terminal devices. The network 104 is the medium that provides communication links between the terminal devices 101, 102, 103 and the server 105, and between the terminal devices 101, 102, 103 and the printing device 106. The network 104 may include various connection types, such as wired or wireless communication links, or fiber optic cables.
The user may interact with the server 105 through the network 104 using the terminal devices 101, 102, 103, so that the server 105 obtains the first user information indicated by the transmission operation, the file information of the file to be transmitted, the file receiving end, and the like from the terminal devices 101, 102, 103. Various communication client applications, such as a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the terminal devices 101, 102, 103, as just examples.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (merely an example) that provides support for transmission operations of files stored by the user with respect to the terminal devices 101, 102, 103. The terminal device 101, 102, 103 transfers the stored file to the printing device 106 or the mobile storage device 107, and the terminal device 101, 102, 103 may locate the file to be transferred, select a character from the located file to be transferred, and add a graphic identifier at a location where the selected character is located. The background management server can store the received first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and can also receive the inquiry of the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and the like, and feed back the inquiry result to the terminal equipment.
It should be noted that, the data protection method provided in the embodiment of the present invention is generally performed by the combination of the terminal devices 101, 102, 103 and the server 105, and accordingly, the data protection devices are respectively disposed in the terminal devices 101, 102, 103 and the server 105.
It should be understood that the number of terminal devices, networks, servers, printing devices, and removable storage devices in fig. 1 are merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 is a data protection method applied to a client according to an embodiment of the present invention, and as shown in fig. 2, the data protection method may include the following steps:
Step S201: receiving a transmission operation aiming at a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end;
The transmission operation may transmit the file to other terminal devices through communication software such as mail or instant messaging software, or to a printing device or a mobile storage device such as a mobile hard disk or a USB disk. At present, monitoring is mainly aimed at communication software; because hardware such as printing devices and mobile storage devices outside the enterprise intranet is difficult to track, monitoring is not effective for transmission to hardware such as printing devices or mobile storage devices.
Step S202: if the file receiving end indicates the printing equipment or the mobile storage equipment, locating the file to be transmitted according to the file information;
The file information may be a file name, a file storage location, a storage path, and the like. The file to be transferred is typically an editable file such as a Word, Excel or PDF file.
Step S203: selecting characters from the positioned files to be transmitted, and adding graphic identifiers at the positions of the selected characters;
The selected character may be a character chosen at random from the file. One character or several characters may be selected. Adding the graphic identifier at the position of the selected character may mean using the graphic identifier as the background of the character, covering the character with the graphic identifier, and so on. The graphic identifier may be a simple line shape such as a circle, a square, a prism or a polygon.
It should be noted that, in addition to adding the graphic identifier to the position where the selected character is located, the graphic identifier may be added to any position above, below, left, and right of the selected character.
Step S204: and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to the protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result aiming at the data leakage condition.
The first user information refers to user information such as a user name, a user identification, and the like of a user performing a transmission operation.
The information of the file receiving end refers to the characteristic identification, model and the like of the receiving end.
In the embodiment shown in fig. 2, for a transmission operation on a stored file, if the file receiving end indicates a printing device or a mobile storage device, the file to be transmitted is located according to the file information; characters are selected from the located file, and graphic identifiers are added at the positions of the selected characters; and the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier indicated by the transmission operation are sent to the protection server, so that the protection server stores them in association with one another and provides query results about data leakage. Because the graphic identifier is placed at a character position, it is well concealed and not easily noticed by the person leaking the data, so the scheme provided by the embodiment of the invention helps trace the source of a data leak and effectively improves the effectiveness of data protection.
With this scheme, when leaked data is found in a printed file or circulating in some other digital form, the source of the leak can be located quickly by querying the protection server with the graphic identifier contained in the data and the position of that identifier.
In an embodiment of the present invention, as shown in fig. 3, the specific implementation of the step S203 may include the following steps:
Step S301: setting and storing various graphic identifiers;
This step may receive various graphic identifiers input by a user, or may randomly generate the graphic identifiers using a random algorithm.
Step S302: selecting a target graphic identifier from a plurality of graphic identifiers;
For example, the various graphic identifiers may be simple line shapes such as circles (solid circles, hollow circles), squares, prisms, polygons, and the like, and the target graphic identifier selected in this step is a circle.
Step S303: and adding a target graphic identifier at the position where the selected character is.
The structure or type of the graphic identifier can be effectively controlled by selecting the target graphic identifier from a plurality of graphic identifiers so as to ensure that the printed file can be identified by the graphic identifier.
In the embodiment of the present invention, the specific implementation manner of selecting the character from the located file to be transmitted may include: randomly selecting a target row or a target column from the positioned file to be transmitted; characters are selected from the target row or target column. The character can be more accurately positioned or selected by randomly selecting the target row or column.
In an embodiment of the present invention, as shown in fig. 4, the data protection method may further include the following steps:
Step S401: receiving a query request aiming at the data leakage condition, wherein the query request indicates second user information and file information to be queried;
Step S402: providing the first user information related to the file information to be queried and the information of the file receiving end under the condition that the second user information has the query authority.
Through the process, the user with the query authority can query the data leakage condition recorded by the protection server.
In an embodiment of the present invention, as shown in fig. 5, the data protection method may further include the following steps:
Step S501: comparing the data source information with the information of the file receiving end under the condition that the file information to be queried comprises the data source information;
The data source information is typically entered by the second user via the terminal device, for example the printer location, the printer model, the location of the terminal device where the file is located, or the model or identification of the mobile terminal.
Step S502: if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in the protection server.
For example, if the data source information is printer A at address 1, the information of the file receiving end is mobile storage device A, and the device that transmitted the file to mobile storage device A is terminal device F, the data leakage path may be: terminal device F → mobile storage device A → printer A at address 1.
Once the data leakage path has been traced, it can be given special attention or blocked as far as possible.
In an embodiment of the present invention, the data protection method may further include sending third user information with a risk of data leakage to the protection server, so that the protection server marks a risk identifier for the stored third user information. The user with the risk of data leakage can be quickly identified through the risk identification, and the user with the risk of data leakage can be processed later, such as prohibiting file transmission to a printer or a mobile storage device.
In an embodiment of the present invention, as shown in fig. 6, after receiving a transmission operation for a stored file, the method may further include the steps of:
Step S601: the first user information is sent to the protection server, so that the protection server analyzes whether the first user information has a risk identifier;
Step S602: receiving an analysis result sent by the protection server, and executing step S603 if the analysis result indicates that the first user information has a risk identifier; otherwise, step S604 is performed;
Step S603: refusing the transmission operation aiming at the stored file and ending the current flow;
Step S604: executing the step of locating the file to be transmitted according to the file information.
Fig. 7 shows a data protection method applied to a protection server, and as shown in fig. 7, the data protection method may include the following steps:
Step S701: receiving and correspondingly storing first user information sent by a client, information of a file receiving end corresponding to transmission operation received by the client, file information of a file to be transmitted aiming at the transmission operation, a graphic identifier selected by the client for the file to be transmitted and a position of the graphic identifier in the file to be transmitted;
Step S702: receiving a query request aiming at the data leakage condition, and providing a query result aiming at the data leakage condition for the query request based on the corresponding stored first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier.
The protection server side correspondingly stores the first user information sent by the client side, the information of the file receiving side corresponding to the transmission operation received by the client side, the file information of the file to be transmitted aiming at the transmission operation, the graphic identification selected by the client side for the file to be transmitted and the position of the graphic identification in the file to be transmitted, so that the corresponding user information can be rapidly positioned according to the graphic identification and the position of the graphic identification in the file, and the data leakage source can be found. Because the graphic mark has concealment and is difficult to be found by a user, the effectiveness of data protection can be effectively improved.
In the embodiment of the invention, the query request indicates the second user information and the file information to be queried; accordingly, providing the query request with the query result for the data leakage case may include: and providing the first user information related to the file information to be queried and the information of the file receiving end under the condition that the second user information has the query authority. Only the user with the inquiry authority can check the data, so that the storage security of the data leakage condition is ensured.
In an embodiment of the present invention, the data protection method may further include: receiving third user information with data leakage risk sent by a client; and labeling the stored third user information with a risk identification. The user can mark the users with the risk of data leakage according to actual demands.
In an embodiment of the present invention, the data protection method may further include: receiving first user information sent by a client; and analyzing whether the first user information has the risk identification based on the risk identification of the third user information label, and sending an analysis result to the client.
As shown in fig. 8, an embodiment of the present invention provides a data-protected client 800, where the data-protected client 800 may include: a receiving unit 801, and a data protection unit 802, wherein,
A receiving unit 801, configured to receive a transmission operation for a stored file, where the transmission operation indicates first user information, file information of the file to be transmitted, and a file receiving end;
a data protection unit 802, configured to locate a file to be transmitted according to the file information if the file receiving end indicates a printing device or a mobile storage device; selecting characters from the positioned files to be transmitted, and adding graphic identifiers at the positions of the selected characters; and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to the protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result aiming at the data leakage condition.
In the embodiment of the present invention, the data protection unit 802 is further configured to set and store multiple graphic identifiers; selecting a target graphic identifier from a plurality of graphic identifiers; and adding a target graphic identifier at the position where the selected character is.
In the embodiment of the present invention, the data protection unit 802 is further configured to randomly select a target row or a target column from the located file to be transmitted; characters are selected from the target row or target column.
In the embodiment of the present invention, the data protection unit 802 is further configured to receive a query request for a data disclosure situation, where the query request indicates second user information and file information to be queried; and providing the first user information related to the file information to be queried and the information of the file receiving end under the condition that the second user information has the query authority.
In the embodiment of the present invention, the data protection unit 802 is further configured to compare the data source information with the information of the file receiving end when the file information to be queried includes the data source information; if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in the protection server.
In this embodiment of the present invention, the data protection unit 802 is further configured to send third user information that has a risk of data disclosure to the protection server, so that the protection server marks a risk identifier for the stored third user information.
In the embodiment of the present invention, the data protection unit 802 is further configured to send the first user information to the protection server, so that the protection server analyzes whether the first user information has a risk identifier; receiving an analysis result sent by a protection server; if the analysis result indicates that the first user information has a risk identification, rejecting a transmission operation for the stored file; otherwise, the step of locating the file to be transmitted according to the file information is executed.
Fig. 9 illustrates a data protection server 900, where the data protection server 900 may include: a storage unit 901, and a query unit 902, wherein,
the storage unit 901 is configured to receive and store, correspondingly, first user information sent by a client, information of a file receiving end corresponding to a transmission operation received by the client, file information of a file to be transmitted for the transmission operation, a graphic identifier selected by the client for the file to be transmitted, and a position of the graphic identifier in the file to be transmitted;
the query unit 902 is configured to receive a query request for a data leakage situation, and provide a query result for the data leakage situation for the query request based on the corresponding stored first user information, information of the file receiving end, file information, a graphic identifier, and a location where the graphic identifier is located.
In the embodiment of the invention, the query request indicates the second user information and the file information to be queried; the query unit 902 is further configured to provide, in a case where the second user information has a query authority, the first user information related to the file information to be queried and information of the file receiving end.
In the embodiment of the present invention, the query unit 902 is further configured to receive third user information sent by the client and having a risk of data leakage; and labeling the stored third user information with a risk identification.
In the embodiment of the present invention, the query unit 902 is further configured to receive first user information sent by the client; and analyzing whether the first user information has the risk identification based on the risk identification of the third user information label, and sending an analysis result to the client.
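The server-side bookkeeping described above (corresponding storage, permission-checked query, risk labels and leak path), sketched as an added example that is not code from the patent. Class, method and field names and the sample records are constructed; treating the data source information as the place where the investigated copy was found, and ordering the leak path as receiving end then data source, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransferRecord:
    """One 'correspondingly stored' row (step S701). Field names are hypothetical."""
    first_user: str   # first user information: who triggered the transfer
    receiver: str     # information of the file receiving end (printer / removable storage)
    file_info: str    # file information of the transmitted file
    glyph_id: str     # which graphic identifier the client added
    position: tuple   # (row, column) of the character the identifier was added to


class ProtectionServer:
    def __init__(self, query_authorized):
        self._query_authorized = set(query_authorized)  # users holding query authority
        self._records = []
        self._risk_marked = set()   # third user information labelled with a risk identifier
        self.leak_paths = {}        # file_info -> [(receiver, data_source), ...]

    def store(self, record):
        """Storage unit: keep the five items together so one can be looked up from the others."""
        self._records.append(record)

    def mark_risk(self, third_user):
        """Label stored user information with a risk identifier."""
        self._risk_marked.add(third_user)

    def has_risk(self, first_user):
        """Analysis result returned to the client before a transfer is allowed."""
        return first_user in self._risk_marked

    def query(self, second_user, file_info, glyph_id=None, position=None,
              data_source=None):
        """Query unit (step S702): only a user with query authority gets results."""
        if second_user not in self._query_authorized:
            raise PermissionError(f"{second_user} has no query authority")
        hits = [
            r for r in self._records
            if r.file_info == file_info
            and (glyph_id is None or r.glyph_id == glyph_id)
            and (position is None or r.position == position)
        ]
        if data_source is not None:
            paths = self.leak_paths.setdefault(file_info, [])
            for r in hits:
                # Inconsistent source and receiving end: record a leak path.
                # The ordering (receiver, data_source) is this example's assumption.
                path = (r.receiver, data_source)
                if r.receiver != data_source and path not in paths:
                    paths.append(path)
        return [(r.first_user, r.receiver) for r in hits]


def transfer_allowed(server, first_user):
    """Client-side gate (steps S602-S604): reject when a risk identifier is present."""
    return not server.has_risk(first_user)


if __name__ == "__main__":
    # Constructed sample data: two users output the same file, each copy
    # carrying a different identifier at a different character position.
    srv = ProtectionServer(query_authorized={"auditor"})
    srv.store(TransferRecord("alice", "printer:floor3", "q3-report.docx", "dot-1", (7, 12)))
    srv.store(TransferRecord("bob", "usb:SN-0001", "q3-report.docx", "dot-2", (14, 3)))

    # A recovered copy shows identifier dot-2 at row 14, column 3.
    print(srv.query("auditor", "q3-report.docx", "dot-2", (14, 3),
                    data_source="forum-upload"))
    print(srv.leak_paths)

    srv.mark_risk("bob")
    print(transfer_allowed(srv, "bob"), transfer_allowed(srv, "alice"))
```

Querying with both the identifier and its position narrows the result to a single stored transfer; querying by file information alone returns every user who output that file.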
As shown in fig. 10, an embodiment of the present invention provides a data protection system 1000, where the data protection system 1000 may include: the data protection client 800 provided by the embodiment shown in fig. 8 and the data protection server 900 provided by the embodiment shown in fig. 9.
Referring now to FIG. 11, there is illustrated a schematic diagram of a computer system 1100 suitable for use in implementing a terminal device or server in accordance with an embodiment of the present invention. The terminal device shown in fig. 11 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 11, the computer system 1100 includes a Central Processing Unit (CPU) 1101, which can execute various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1102 or a program loaded from a storage section 1108 into a Random Access Memory (RAM) 1103. In the RAM 1103, various programs and data required for the operation of the system 1100 are also stored. The CPU 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. An input/output (I/O) interface 1105 is also connected to bus 1104.
The following components are connected to the I/O interface 1105: an input section 1106 including a keyboard, a mouse, and the like; an output portion 1107 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 1108 including a hard disk or the like; and a communication section 1109 including a network interface card such as a LAN card, a modem, and the like. The communication section 1109 performs communication processing via a network such as the internet. The drive 1110 is also connected to the I/O interface 1105 as needed. Removable media 1111, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is installed as needed in drive 1110, so that a computer program read therefrom is installed as needed in storage section 1108.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1109, and/or installed from the removable media 1111. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 1101.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present invention may be implemented in software or in hardware. The described units may also be provided in a processor, for example, described as: a processor includes a receiving unit and a data protection unit. The names of these units do not in some cases constitute a limitation on the units themselves; for example, the receiving unit may also be described as "a unit that receives a transmission operation for a stored file". For another example, it can be described as: a processor includes a storage unit and a query unit. The names of these units do not in some cases constitute a limitation on the units themselves; for example, the storage unit may also be described as "a unit that receives and correspondingly stores the first user information sent by the client, information of the file receiving end corresponding to the transmission operation received by the client, file information of the file to be transmitted for the transmission operation, a graphic identifier selected by the client for the file to be transmitted, and a location of the graphic identifier in the file to be transmitted".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: receiving a transmission operation for a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end; if the file receiving end indicates a printing device or a mobile storage device, locating the file to be transmitted according to the file information; selecting characters from the located file to be transmitted, and adding graphic identifiers at the positions of the selected characters; and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to the protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result for the data leakage condition.
According to the technical scheme of the embodiment of the invention, when a transmission operation for a stored file is received, if the file receiving end indicates a printing device or a mobile storage device, the file to be transmitted is located according to the file information; characters are selected from the located file to be transmitted, and graphic identifiers are added at the positions of the selected characters; and the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, which are indicated by the transmission operation, are sent to the protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result for the data leakage condition. Because the graphic identifier is placed at a character position, it is well concealed and is not easily noticed by a person leaking data, so the scheme provided by the embodiment of the invention helps to trace the source of a data leak and can effectively improve the effectiveness of data protection.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (13)

1. A method of data protection, comprising:
receiving a transmission operation aiming at a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end;
if the file receiving end indicates printing equipment or mobile storage equipment, positioning the file to be transmitted according to the file information;
selecting a character from the positioned file to be transmitted, and adding a graphic identifier at the position of the selected character;
sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to a protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result aiming at the data leakage condition;
The data protection method further comprises the following steps:
receiving a query request aiming at the data leakage condition, wherein the query request indicates second user information and file information to be queried;
providing first user information related to the file information to be queried and information of a file receiving end under the condition that the second user information has query authority;
the data protection method further comprises the following steps:
in case the file information to be queried comprises data source information,
comparing the data source information with the information of the file receiving end;
if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in the protection service end.
2. The method of claim 1, further comprising: setting and storing various graphic identifiers;
the adding of the graphic mark at the position of the selected character comprises the following steps:
selecting a target graphic identifier from a plurality of graphic identifiers;
And adding the target graphic identifier at the position where the selected character is located.
3. The method of claim 1, wherein the selecting a character from the located file to be transmitted comprises:
randomly selecting a target row or a target column from the positioned file to be transmitted;
characters are selected from the target row or the target column.
4. A method according to any one of claims 1 to 3, further comprising:
and transmitting the third user information with the data leakage risk to the protection server so that the protection server marks a risk identifier for the stored third user information.
5. The method of claim 4, further comprising, after said receiving a transfer operation for a stored file:
the first user information is sent to the protection server side, so that the protection server side analyzes whether risk identification exists in the first user information;
receiving an analysis result sent by the protection server;
if the analysis result indicates that the first user information has a risk identification, rejecting a transmission operation for the stored file; otherwise, executing the step of locating the file to be transmitted according to the file information.
6. A method of data protection, comprising:
receiving and correspondingly storing first user information sent by a client, information of a file receiving end corresponding to a transmission operation received by the client, file information of a file to be transmitted aiming at the transmission operation, a graphic identifier selected by the client for the file to be transmitted and a position of the graphic identifier in the file to be transmitted;
receiving a query request aiming at the data leakage condition, and providing a query result aiming at the data leakage condition for the query request based on the corresponding stored first user information, the file receiving end information, the file information, the graphic identifier and the position of the graphic identifier;
the query request indicates second user information and file information to be queried;
the providing the query result for the query request for the data leakage condition includes:
providing first user information related to the file information to be queried and information of a file receiving end under the condition that the second user information has query authority;
in case the file information to be queried comprises data source information,
Comparing the data source information with the information of the file receiving end;
if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in a protection service end.
7. The method as recited in claim 6, further comprising:
receiving third user information which is sent by the client and has data leakage risk;
and labeling risk identification for the stored third user information.
8. The method as recited in claim 7, further comprising:
receiving the first user information sent by the client;
and analyzing whether the first user information has the risk identifier or not based on the risk identifier of the third user information label, and sending an analysis result to the client.
9. A client for data protection, comprising: a receiving unit and a data protection unit, wherein,
the receiving unit is used for receiving a transmission operation aiming at a stored file, wherein the transmission operation indicates first user information, file information of the file to be transmitted and a file receiving end;
the data protection unit is used for locating the file to be transmitted according to the file information if the file receiving end indicates printing equipment or mobile storage equipment; selecting a character from the located file to be transmitted, and adding a graphic identifier at the position of the selected character; and sending the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier to a protection service end, so that the protection service end correspondingly stores the first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier, and provides a query result aiming at the data leakage condition;
the data protection unit is further used for receiving a query request aiming at the data leakage condition, wherein the query request indicates second user information and file information to be queried; providing first user information related to the file information to be queried and information of a file receiving end under the condition that the second user information has query authority;
The data protection unit is further used for comparing the data source information with the information of the file receiving end under the condition that the file information to be queried comprises the data source information; if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in the protection server.
10. A server for data protection, comprising: a storage unit and a query unit, wherein,
the storage unit is used for receiving and correspondingly storing first user information sent by a client, information of a file receiving end corresponding to transmission operation received by the client, file information of a file to be transmitted aiming at the transmission operation, a graphic identifier selected by the client for the file to be transmitted and the position of the graphic identifier in the file to be transmitted;
the query unit is used for receiving a query request aiming at the data leakage condition and providing a query result aiming at the data leakage condition for the query request based on the corresponding stored first user information, the information of the file receiving end, the file information, the graphic identifier and the position of the graphic identifier;
The query request indicates second user information and file information to be queried;
the providing the query result for the query request for the data leakage condition includes:
the query unit is further configured to provide, when the second user information has a query authority, first user information related to the file information to be queried and information of a file receiving end; comparing the data source information with the information of the file receiving end under the condition that the file information to be queried comprises the data source information; if the comparison result indicates that the data source information is inconsistent with the information of the file receiving end, a data leakage path is generated based on the data source information and the information of the file receiving end, and the data leakage path and the file information are correspondingly stored in a protection service end.
11. A system for data protection, comprising: the client of claim 9 and the server of claim 10.
12. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-8.
13. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-8.
CN202110730332.5A 2021-06-29 2021-06-29 Data protection method, client, server and system Active CN113342288B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110730332.5A CN113342288B (en) 2021-06-29 2021-06-29 Data protection method, client, server and system

Publications (2)

Publication Number Publication Date
CN113342288A CN113342288A (en) 2021-09-03
CN113342288B true CN113342288B (en) 2024-03-22

Family

ID=77481668

Country Status (1)

Country Link
CN (1) CN113342288B (en)

Also Published As

Publication number Publication date
CN113342288A (en) 2021-09-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant