CN115391134A - Data leakage tracing method, device and system - Google Patents


Publication number
CN115391134A
CN115391134A CN202210982142.7A CN202210982142A CN115391134A CN 115391134 A CN115391134 A CN 115391134A CN 202210982142 A CN202210982142 A CN 202210982142A CN 115391134 A CN115391134 A CN 115391134A
Authority
CN
China
Prior art keywords
data leakage
information
data
screenshot
event
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210982142.7A
Other languages
Chinese (zh)
Inventor
汤利平
李仕毅
杨胜超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Skyguard Network Security Technology Co ltd
Chengdu Sky Guard Network Security Technology Co ltd
Original Assignee
Beijing Skyguard Network Security Technology Co ltd
Chengdu Sky Guard Network Security Technology Co ltd
Application filed by Beijing Skyguard Network Security Technology Co ltd, Chengdu Sky Guard Network Security Technology Co ltd
Priority to CN202210982142.7A
Publication of CN115391134A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/164 File meta data generation
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a data leakage tracing method, device and system, and relates to the technical field of data security. The method is applied to a terminal, and a specific implementation of the method comprises: when a data leakage event is detected, obtaining visitor information of the data leakage event; invoking an interface process of the visitor information and performing a user-imperceptible screen capture of the screen where the visitor information is located; and acquiring associated information related to the data leakage event from the running process corresponding to the visitor information, and storing the associated information, the data leakage event and the user-imperceptible screenshot in correspondence with one another at the management end, so that an administrator can determine the source of the data leakage from the associated information, the data leakage event and the screenshot stored at the management end. The embodiment can completely and accurately collect the evidence relevant to a visitor's data leakage event and makes the data leakage easier to trace.

Description

Data leakage tracing method, device and system
Technical Field
The invention relates to the technical field of data security, in particular to a data leakage tracing method, device and system.
Background
With the rapid development of informatization, data leakage events of all kinds occur frequently. Identifying the source of a data leak helps to remediate it and to reduce the risk of further leakage.
At present, data leakage is mainly recorded in the form of file logs. Log records are added in scenarios where leakage is likely to occur, and also in some common scenarios such as key presses and mouse clicks. However, file logging is only effective if developers predict the possible scenarios in advance; otherwise everything has to be logged blindly, which makes the volume of logs so large that maintenance personnel cannot find the useful records in it, and the data leakage is difficult to trace to its source.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data leakage tracing method, apparatus and system. When a data leakage event is detected, the associated information related to the event is acquired and recorded together with the data leakage event and a screenshot of the screen accessed by the visitor, so that the evidence relevant to the visitor's data leakage event is collected completely and accurately. The management end then traces the source of the data leakage on the basis of this relatively complete and accurate evidence, which makes the tracing well targeted and easier to carry out.
In order to achieve the above object, according to an aspect of the embodiments of the present invention, there is provided a data leakage tracing method applied to a terminal, including:
when a data leakage event is detected, obtaining visitor information of the data leakage event;
invoking an interface process of the visitor information, and performing a user-imperceptible screen capture of the screen where the visitor information is located;
and acquiring associated information related to the data leakage event from the running process corresponding to the visitor information, and storing the associated information, the data leakage event and the user-imperceptible screenshot in correspondence with one another at a management end, so that an administrator determines the source of the data leakage from the associated information, the data leakage event and the screenshot stored at the management end.
Optionally, performing the user-imperceptible screen capture of the screen where the visitor information is located includes:
acquiring the interface displayed by the display screen through an operating system interface of the display screen where the visitor information is located;
and performing the user-imperceptible screen capture of the interface displayed by the display screen through the interface process.
Optionally, the data leakage tracing method further includes: storing the screenshot in a preset file;
storing the associated information, the data leakage event and the screenshot in correspondence at the management end comprises:
packaging the file storing the screenshot together with the associated information and the data leakage event;
and storing the packaged file at the management end.
Optionally, the data leakage tracing method further includes: configuring a data management policy for a plurality of pieces of visitor information, wherein the data management policy indicates the one or more data leakage events configured for each piece of visitor information;
after obtaining the visitor information of the data leakage event, the method further comprises:
judging, according to the obtained visitor information, whether the detected data leakage event matches the data management policy, and if so, executing the step of invoking the interface process of the visitor information.
Optionally, the data leakage tracing method further includes:
issuing the data management policy to each operating system;
or,
issuing the one or more data leakage events configured for the visitor information, as indicated by the data management policy, to the operating system to which the visitor information belongs.
Optionally, packaging the file storing the screenshot, the associated information and the data leakage event includes:
renaming the screenshot file according to a preset naming policy, using the name of the associated information and the name of the data leakage event.
In a second aspect, an embodiment of the present invention provides a data leakage tracing apparatus, which is applied to a terminal, and includes: an information acquisition unit, an automatic screen capture unit and a data management unit, wherein,
the information acquisition unit is used for obtaining visitor information of a data leakage event when the data leakage event is detected;
the automatic screen capture unit is used for invoking an interface process of the visitor information and performing a user-imperceptible screen capture of the screen where the visitor information obtained by the information acquisition unit is located;
the data management unit is used for acquiring the associated information related to the data leakage event from the running process corresponding to the visitor information, and storing the associated information, the data leakage event and the user-imperceptible screenshot in correspondence with one another at a management end, so that an administrator can determine the source of the data leakage from the associated information, the data leakage event and the screenshot stored at the management end.
In a third aspect, an embodiment of the present invention provides a data leakage tracing system, including: a management terminal and a terminal installed with the data leakage tracing apparatus provided by the second aspect embodiment, wherein,
the management terminal is used for storing, in correspondence with one another, the associated information, the data leakage event and the screenshot sent by the terminal; for processing and analysing the associated information, the data leakage event and the screenshot; and for accepting an administrator's queries against any of the stored associated information, data leakage events and screenshots, so as to determine the source of the data leakage.
One embodiment of the above invention has the following advantages or benefits: when a data leakage event is detected, the visitor information of the event is obtained and a user-imperceptible screen capture is taken of the screen where the visitor information is located. The screenshot records the information on the screen, prevents the information related to the data leakage event from being tampered with, and allows the on-screen information and the information related to the data leakage event to be recorded completely and accurately. Associated information related to the data leakage event is acquired from the running process corresponding to the visitor information, and the associated information, the data leakage event and the user-imperceptible screenshot are stored in correspondence with one another at the management end, which can subsequently analyse them together to determine the source of the data leakage. Because the management end traces the source on the basis of complete and accurate evidence, the tracing is well targeted and easier to carry out.
Further effects of the above optional implementations are described below in connection with the specific embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a system architecture upon which an application scenario depends, according to an embodiment of the invention;
FIG. 2 is a schematic diagram illustrating a main flow of a data leakage tracing method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a main flow of user-imperceptible screen capture of the screen where the visitor information is located, according to an embodiment of the invention;
FIG. 4 is a schematic diagram of a main flow of storing the associated information, the data leakage event and the screenshot in correspondence at the management end, according to an embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating the main flow of another data leakage tracing method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the main units of a data leakage tracing apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the main devices of a data leakage tracing system according to an embodiment of the invention;
FIG. 8 is a schematic block diagram of a computer system suitable for use in implementing a terminal device of an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 illustrates a system architecture 100 on which an application scenario of embodiments of the present invention depends, described below.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103 sharing the same operating system, terminal devices 104, 105 using different operating systems, a network 106, and a terminal management server 107. The network 106 provides the medium for communication links among the terminal devices 101, 102, 103, 104, 105, and between the terminal devices 101, 102, 103, 104, 105 and the terminal management server 107. Network 106 may include various connection types, such as wired links, wireless communication links, or fiber optic cables, among others.
A user may use the terminal devices 101, 102, 103, 104, 105 to interact with the terminal management server 107 through the network 106. The terminal management server 107 issues a data management profile to the terminal devices 101, 102, 103, 104, 105. Each terminal device then uses the one or more data leakage events configured for the visitor information, as indicated by the data management profile, to detect which of its operations constitute a data leakage event. When such an event is detected, the terminal device obtains the visitor information of the event, performs a user-imperceptible screen capture of the screen where the visitor information is located by invoking an interface process of the visitor information, acquires associated information related to the event from the running process corresponding to the visitor information, and stores the associated information, the data leakage event and the user-imperceptible screenshot in correspondence with one another at the terminal management server 107, and so on. Various communication client applications may be installed on the terminal devices 101, 102, 103, 104, 105, such as a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103, 104, 105 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The terminal management server 107 may be a server providing various services, for example a background management server (by way of example only) that provides the terminal devices 101, 102, 103, 104 and 105 with targeted data management policies, for example providing terminal device 101 with data management policy 1, terminal devices 102 and 103 with data management policy 2, terminal device 104 with data management policy 3, terminal device 105 with data management policy 4, and so on, and that provides support for the screenshots captured on the terminal devices, the data leakage events, and the like. The background management server can manage and adjust the data management policies of the various terminal devices, and can also analyse the terminal device screenshots together with the information related to the data leakage events to determine whether a terminal device has leaked data, whether it is the source of a leak, and so on.
It should be noted that the data leakage tracing method provided by the embodiment of the present invention is generally executed by the terminal devices 101, 102, 103, 104, and 105, and accordingly, the data security processing apparatus is generally disposed in the terminal devices 101, 102, 103, 104, and 105.
It should be understood that the number of terminal devices, networks, and terminal management servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and terminal management servers, as desired for implementation.
Fig. 2 is a schematic main flow chart of a data leakage tracing method according to an embodiment of the present invention. As shown in fig. 2, the data leakage tracing method may include the following steps:
Step S201: when a data leakage event is detected, obtaining visitor information of the data leakage event.
A data leakage event generally refers to a specific operation performed on the terminal interface, and may be configured differently according to different user rights. For example, a data leakage event may be file printing, information transmission (e.g., sending mail to a mailbox outside the local area network, or transmitting information with instant messaging software), a copy operation, a file/program deletion operation, a user's screen capture of an interface, access to a restricted website, and the like.
The visitor information may be a user name, a device code of the terminal device, etc.
Step S202: invoking an interface process of the visitor information, and performing a user-imperceptible screen capture of the screen where the visitor information is located.
User-imperceptible screen capture means that the user of the terminal device does not perceive the screen capture operation while it is being performed.
Step S203: acquiring associated information related to the data leakage event from the running process corresponding to the visitor information, and storing the associated information, the data leakage event and the user-imperceptible screenshot in correspondence with one another at the management end, so that an administrator determines the source of the data leakage from the associated information, the data leakage event and the screenshot stored at the management end.
The associated information may include the running processes of applications, software and the like running on the terminal device, user information, running system information, the login user name, the screen capture time, the display number, and the like.
In the embodiment shown in fig. 2, when a data leakage event is detected, the visitor information of the event is obtained and a user-imperceptible screen capture is taken of the screen where the visitor information is located. The screenshot records the information on the screen, prevents the information related to the data leakage event from being tampered with, and allows the on-screen information and the information related to the data leakage event to be recorded completely and accurately. Associated information related to the data leakage event is acquired from the running process corresponding to the visitor information, and the associated information, the data leakage event and the user-imperceptible screenshot are stored in correspondence with one another at the management end, which can subsequently analyse them together to determine the source of the data leakage. Because the management end traces the source on the basis of complete and accurate evidence, the tracing is well targeted and easier to carry out.
In an embodiment of the present invention, as shown in fig. 3, step S202 may be implemented by the following steps:
Step S301: acquiring the interface displayed by the display screen through an operating system interface of the display screen where the visitor information is located.
In the solution provided by the embodiment of the present invention, a plurality of display screens (i.e., a plurality of displays) may share the same operating system, and each screen (i.e., each display) corresponds to one piece of visitor information, i.e., each display has a user authorized to use it. Accordingly, each screen/display corresponds to an operating system interface, through which the operating system can allocate the applications, software and the like that the user is authorized to use to that display.
Step S302: performing the user-imperceptible screen capture of the interface displayed on the display screen through the interface process.
Through this process, the interfaces/screens of different displays under the same operating system can each be captured in a targeted manner, so that different screen interfaces can be monitored.
In an embodiment of the present invention, the data leakage tracing method may further include: storing the screenshot in a preset file. As shown in fig. 4, storing the associated information, the data leakage event and the screenshot in correspondence at the management end may be implemented by the following steps:
Step S401: packaging the file storing the screenshot together with the associated information and the data leakage event;
Step S402: storing the packaged file at the management end.
Storing the screenshots in a file makes it convenient to manage the screenshots, the associated information and the data leakage events in correspondence with one another, and also allows multiple screenshots to be managed uniformly.
Step S401 may be implemented by: renaming the screenshot file according to a preset naming policy, using the associated information and the name of the data leakage event.
The naming policy sorts the acquired associated information and data leakage event in a specific order and converts the sorted information using a specific conversion method (such as the MD5 algorithm, ASCII code conversion, hash value conversion, serialization conversion, etc.). Renaming in this way makes it difficult for a user to find the file by keyword search, which protects the file containing the screenshot.
In an embodiment of the present invention, the data leakage tracing method may further include: configuring a data management policy for a plurality of pieces of visitor information, wherein the data management policy indicates the one or more data leakage events configured for each piece of visitor information. Accordingly, after obtaining the visitor information of the data leakage event, the method may further include: judging, according to the obtained visitor information, whether the detected data leakage event matches the data management policy, and if so, executing the step of invoking the interface process of the visitor information; otherwise, ending the current flow. The data management policy allows different users to be configured differently, for example: for user 1, prohibiting access to external network addresses and prohibiting copying information in application A; for user 2, prohibiting sending mail to mailboxes other than the company mailbox and prohibiting access to some functions of the management system; and so on. When user 1 accesses a prohibited external network address, the screen of user 1's display can be captured. Likewise, when user 2 sends mail to an external mailbox, the screen of user 2's display is captured.
In an embodiment of the present invention, the data leakage tracing method may further include: issuing the data management policy to each operating system. That is, the data management policies of all managed terminal devices are issued to every terminal device, and the policy, data leakage events and so on that match a terminal device's characteristic information, such as user name and device number, are then selected for that terminal device. Alternatively, instead of sending all the data management policies to every terminal device, the one or more data leakage events configured for the visitor information, as indicated by the data management policy, can be issued to the operating system to which the visitor information belongs.
A specific embodiment of the data leakage tracing method is explained below, taking as an example a data management policy configured by the server for user 1 that prohibits copying information and prohibits printing. As shown in fig. 5, the data leakage tracing method may include the following steps:
Step S501: configuring a data management policy for a plurality of pieces of visitor information, wherein the data management policy indicates the one or more data leakage events configured for each piece of visitor information.
For example, the data management policy configured for user 1 includes data leakage events such as prohibited information copying and prohibited printing.
Step S502: issuing the data management policy to each operating system.
This step can be replaced by: issuing the one or more data leakage events configured for the visitor information, as indicated by the data management policy, to the operating system to which the visitor information belongs.
Step S503: when information copying or file printing is detected on the terminal device of user 1, obtaining the information of user 1 for the data leakage event;
Step S504: judging, according to the obtained information of user 1, whether the detected information copying or file printing matches the data management policy, and if so, executing step S505; otherwise, ending the current flow;
Step S505: acquiring the interface displayed by the display screen through an operating system interface of the display screen where the information of user 1 is located;
Step S506: performing a user-imperceptible screen capture of the interface displayed by the display screen through the interface process;
Step S507: acquiring associated information related to the data leakage event from the running process corresponding to the visitor information;
Step S508: storing the screenshot in a preset file;
Step S509: renaming the screenshot file according to a preset naming policy, using the associated information and the name of the data leakage event;
Step S510: storing the packaged file at the management end;
Step S511: the administrator determines the source of the data leakage from the associated information, the data leakage event and the screenshot stored in correspondence at the management end.
The data leakage tracing method can be executed by means of the operating system, so that the authenticity of the acquired information related to the operating process is effectively improved.
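The policy check of step S504, the naming policy and the packaging of steps S508 to S510 can be sketched as follows; this is an added example, not code from the patent. The field order, the use of SHA-256 as the conversion (the text lists MD5 and hash conversion among the options), the ZIP package with a `manifest.json`, and all sample values are assumptions made for illustration, and the screenshot is a constructed placeholder byte string.

```python
import hashlib
import io
import json
import zipfile

# Constructed policy: visitor -> data leakage events configured for that visitor.
POLICY = {
    "user1": {"copy", "print"},
    "user2": {"external_mail"},
}

# Assumed "specific order" for the naming policy (the text does not fix one).
NAME_FIELD_ORDER = ("login_user", "device_code", "display_number",
                    "process", "capture_time", "event")

# Constructed sample inputs; the screenshot is placeholder bytes, not a real image.
SAMPLE_ASSOCIATED = {
    "login_user": "user1", "device_code": "DEV-0001", "display_number": 0,
    "process": "editor.exe", "capture_time": "2022-08-16T09:30:00Z",
}
SAMPLE_SCREENSHOT = b"\x89PNG\r\n\x1a\n" + b"constructed-placeholder"


def event_matches_policy(policy, visitor, event):
    """S504: proceed only if the event is configured for this visitor."""
    return event in policy.get(visitor, set())


def evidence_name(associated, event):
    """S509: order the fields, then convert them so the name carries no keyword."""
    fields = dict(associated, event=event)
    missing = [k for k in NAME_FIELD_ORDER if k not in fields]
    if missing:
        raise ValueError(f"associated information incomplete: {missing}")
    ordered = [[k, str(fields[k])] for k in NAME_FIELD_ORDER]
    canonical = json.dumps(ordered, separators=(",", ":"), ensure_ascii=True)
    # SHA-256 is swapped in here for the MD5 conversion the text mentions.
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pack_evidence(policy, visitor, event, associated, screenshot):
    """S504-S510: return (package_name, package_bytes), or None if out of policy."""
    if not event_matches_policy(policy, visitor, event):
        return None
    name = evidence_name(associated, event)
    manifest = {
        "visitor": visitor,
        "event": event,
        "associated": associated,
        "screenshot_file": name + ".png",
        "screenshot_sha256": hashlib.sha256(screenshot).hexdigest(),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name + ".png", screenshot)
        zf.writestr("manifest.json", json.dumps(manifest, sort_keys=True))
    return name + ".zip", buf.getvalue()


def verify_package(package_bytes):
    """Management end: recompute name and digest; True only if both agree."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        shot = zf.read(manifest["screenshot_file"])
    expected = evidence_name(manifest["associated"], manifest["event"]) + ".png"
    return (manifest["screenshot_file"] == expected and
            hashlib.sha256(shot).hexdigest() == manifest["screenshot_sha256"])


if __name__ == "__main__":
    package = pack_evidence(POLICY, "user1", "copy",
                            SAMPLE_ASSOCIATED, SAMPLE_SCREENSHOT)
    print(package[0], verify_package(package[1]))
```

The digest in the manifest is unkeyed, so it catches corruption or a swapped image but not a rewrite of both image and manifest; detecting that would need a signature or a keyed MAC applied by the terminal.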
As shown in fig. 6, an embodiment of the present invention provides a data leakage tracing apparatus 600, which is applied to a terminal. The data leakage tracing apparatus 600 may include: an information acquisition unit 601, an automated screen capture unit 602, and a data management unit 603, wherein,
an information acquisition unit 601 for acquiring visitor information of a data leakage event in a case where the data leakage event is detected;
the automatic screen capture unit 602 is configured to invoke an interface process of the visitor information, and to perform a user-imperceptible screen capture of the screen where the visitor information obtained by the information acquisition unit 601 is located;
the data management unit 603 is configured to acquire associated information related to the data leakage event from the running process corresponding to the visitor information, and to store the associated information, the data leakage event and the user-imperceptible screenshot in correspondence with one another at the management end, so that an administrator determines the source of the data leakage from the associated information, the data leakage event and the screenshot stored at the management end.
In the embodiment of the present invention, the automatic screen capture unit 602 is further configured to acquire the interface displayed by the display screen through an operating system interface of the display screen where the visitor information is located, and to perform the user-imperceptible screen capture of the interface displayed on the display screen through the interface process.
In this embodiment of the present invention, the data management unit 603 is further configured to store the screenshot in a preset file; to package the file storing the screenshot together with the associated information and the data leakage event; and to store the packaged file at the management end.
In an embodiment of the present invention, the visitor information is configured with a data management policy, wherein the data management policy indicates the one or more data leakage events configured for the visitor information; the automatic screen capture unit 602 is further configured to determine, according to the visitor information obtained by the information acquisition unit 601, whether the detected data leakage event matches the data management policy, and if so, to execute the step of invoking the interface process of the visitor information.
In this embodiment of the present invention, the data management unit 603 is further configured to rename the screenshot file according to a preset naming policy, using the associated information and the name of the data leakage event.
As shown in fig. 7, an embodiment of the present invention provides a data leakage tracing system 700, where the data leakage tracing system 700 may include: a management terminal 701, and a terminal 702 on which the data leakage tracing apparatus 600 is installed, wherein,
the management terminal 701 is configured to correspondingly store the associated information, the data leakage event, and the screenshot related to the data leakage event that are sent by the terminal 702, to process and analyze the associated information, the data leakage event, and the screenshot, and to receive a manager's query on any one of the stored associated information, data leakage event, and screenshot, so as to determine the source of the data leakage.
In this embodiment of the present invention, the management terminal 701 is further configured to issue the data management policy to an operating system of each terminal 702.
In this embodiment of the present invention, the management terminal 701 is further configured to send the one or more data leakage events configured for the visitor information, as indicated by the data management policy, to the operating system of the terminal 702 to which the visitor information belongs.
Referring now to FIG. 8, shown is a block diagram of a computer system 800 suitable for use with a terminal device or server implementing an embodiment of the present invention. The terminal device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 8, a computer system 800 includes a Central Processing Unit (CPU) 801 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse, and the like; an output section 807 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is installed into the storage section 808 as necessary.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor comprises an information acquisition unit, an automatic screen capture unit and a data management unit. The names of these units do not in some cases constitute a limitation on the unit itself, and for example, the information acquisition unit may also be described as a "unit that acquires visitor information of the data leak event".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist separately without being incorporated into the apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: when a data leakage event is detected, obtaining visitor information of the data leakage event; calling an interface process of the visitor information, and performing a user-imperceptible screen capture of the screen where the visitor information is located; and acquiring associated information related to the data leakage event from the running process corresponding to the visitor information, and correspondingly storing the associated information, the data leakage event and the user-imperceptible screenshot to the management end, so that the manager determines the source of the data leakage through the associated information, the data leakage event and the screenshot correspondingly stored by the management end.
According to the technical solution of the embodiment of the present invention, when a data leakage event is detected, visitor information of the data leakage event is acquired and a user-imperceptible screenshot is taken of the screen where the visitor information is located. The screenshot records the information on the screen, which prevents the information related to the data leakage event from being tampered with and allows the information on the screen, the information related to the data leakage event and the like to be recorded completely and accurately. The associated information related to the data leakage event is acquired from the running process corresponding to the visitor information, and the associated information, the data leakage event and the user-imperceptible screenshot are correspondingly stored to the management end. The management end can subsequently analyze the screenshot, the associated information and the data leakage event, so that the source of the data leakage is determined from the complete and accurate screenshot and other information. Because the management end traces the source of the data leakage on the basis of complete and accurate evidence, traceability is relatively strong and the source of the data leakage is convenient to trace.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data leakage tracing method, applied to a terminal, comprising the following steps:
when a data leakage event is detected, obtaining visitor information of the data leakage event;
calling an interface process of the visitor information, and performing a user-imperceptible screen capture of the screen where the visitor information is located;
and acquiring associated information related to the data leakage event from a running process corresponding to the visitor information, and correspondingly storing the associated information, the data leakage event and the user-imperceptible screenshot to a management end, so that a manager determines a source of data leakage through the associated information, the data leakage event and the screenshot correspondingly stored by the management end.
2. The data leakage tracing method according to claim 1, wherein the performing of the user-imperceptible screen capture on the screen where the visitor information is located includes:
acquiring an interface displayed by a display screen through an operating system interface of the display screen where the visitor information is located;
and carrying out user-imperceptible screen capture on the interface displayed by the display screen through the interface process.
3. The data leakage tracing method of claim 1,
further comprising: storing the screenshot into a preset file;
correspondingly storing the associated information, the data leakage event and the screenshot to a management terminal, including:
packing the file storing the screenshot, the associated information and the data leakage event;
and storing the packaged file to a management end.
4. The data leakage tracing method according to claim 1,
further comprising: configuring a data management policy for a plurality of visitor information, wherein the data management policy indicates one or more data leakage events configured by each of the visitor information;
after the obtaining the visitor information of the data leakage event, further comprising:
and judging, according to the acquired visitor information, whether the detected data leakage event meets the data management policy, and if so, executing the step of calling the interface process of the visitor information.
5. The data leakage tracing method according to claim 4, further comprising:
the management end issues the data management policy to each operating system;
or,
the management end issues the one or more data leakage events configured for the visitor information, as indicated by the data management policy, to the operating system to which the visitor information belongs.
6. The data leakage tracing method according to claim 3, wherein the packaging the file storing the screenshot, the associated information, and the data leakage event includes:
and renaming the file of the screenshot according to a preset naming policy, using the associated information and the name of the data leakage event.
7. A data leakage tracing apparatus, applied to a terminal, comprising: an information acquisition unit, an automatic screen capture unit and a data management unit, wherein,
the information acquisition unit is used for acquiring visitor information of the data leakage event when the data leakage event is detected;
the automatic screen capture unit is used for calling an interface process of the visitor information and performing a user-imperceptible screen capture of the screen where the visitor information acquired by the information acquisition unit is located;
the data management unit is used for acquiring the associated information related to the data leakage event from the running process corresponding to the visitor information, and correspondingly storing the associated information, the data leakage event and the user-imperceptible screenshot to a management end, so that a manager can determine the source of data leakage through the associated information, the data leakage event and the screenshot correspondingly stored by the management end.
8. A data leakage traceability system, comprising: a management terminal and a terminal installed with the data leakage tracing apparatus according to claim 7, wherein,
the management terminal is used for correspondingly storing the associated information, the data leakage event and the screenshot which are sent by the terminal and are related to the data leakage event, processing and analyzing the associated information, the data leakage event and the screenshot, and receiving the inquiry of any one of the stored associated information, the data leakage event and the screenshot by a manager so as to determine the source of the data leakage.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
10. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210982142.7A CN115391134A (en) 2022-08-16 2022-08-16 Data leakage tracing method, device and system

Publications (1)

Publication Number Publication Date
CN115391134A true CN115391134A (en) 2022-11-25

Family

ID=84120623

Country Status (1)

Country Link
CN (1) CN115391134A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination