
CN112565196A - Data leakage prevention method and device with network monitoring capability and storage medium - Google Patents


Info

Publication number: CN112565196A
Authority: CN (China)
Prior art keywords: data, detecting, network, files, monitoring
Legal status: Pending
Application number: CN202011244861.6A
Other languages: Chinese (zh)
Inventors: 丁周华, 蒋纳成, 王渊
Current assignee: Hangzhou Shenjia Technology Co ltd
Original assignee: Hangzhou Shenjia Technology Co ltd
Application filed by Hangzhou Shenjia Technology Co ltd
Priority to CN202011244861.6A
Publication of CN112565196A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0245: Filtering by information in the payload
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data leakage prevention method with network monitoring capability, a device and a storage medium, belonging to the technical field of network security. It solves the network security problems of the prior art. The invention comprises a computer terminal and the following steps: s1: setting intelligent identification content, including: s11: keyword detection techniques; s12: regular expression techniques; s13: setting a regular expression minimum hit count; s14: data dictionary detection techniques; s2: performing network monitoring, comprising: s21: network protocol support; s22: network application support; s23: replaying offline PCAP packet streams; s24: displaying the MAC address in events; s25: a sensitive data handling mode; s3: management and display of the monitoring results, comprising: s31: built-in policy data sources and policies; s32: policy definition and distribution; s33: event and DLP report management; s34: log management; s35: authorization management and user management; s36: backup and restore; s37: ease of use and extensibility. The invention has the advantage of providing multiple functions.

Description

Data leakage prevention method and device with network monitoring capability and storage medium
Technical Field
The invention belongs to the field of network security, and particularly relates to a data leakage prevention method and device with network monitoring capability and a storage medium.
Background
In recent years data has become an important part of the development of human society and has penetrated every field of economic development. The advantage of data-centric technologies is that they provide an online platform on which people can carry out all kinds of tasks, such as cloud services, cloud recruitment and cloud office.
With the development of 5G, human applications of data keep developing and expanding, and technical means such as big data collection, cloud computing and artificial intelligence keep improving.
However, while data applications develop continuously, awareness of protecting data security has not improved at the same pace, so accidents and disputes caused by data leakage keep occurring.
Although countries have issued directives for protecting data, the key causes of data leakage are external malicious attacks and incomplete internal protection measures; if both internal and external leakage can be prevented, security is greatly improved.
Therefore, an intelligent data protection method is needed that can protect data, identify the risks of external input, find internal hidden dangers as early as possible and protect important data.
Disclosure of Invention
The present invention is directed to the above-mentioned problems in the prior art, and an object of the present invention is to provide a method, an apparatus, and a storage medium for preventing data leakage, which have network security monitoring capability.
The first object of the present invention can be achieved by the following technical solutions: a data leakage prevention method with network monitoring capability is characterized by comprising the following steps of:
s1: setting intelligent identification content, including:
s11: keyword detection techniques;
s12: regular expression techniques;
s13: setting a regular expression minimum hit count;
s14: data dictionary detection techniques;
s2: performing network monitoring, comprising:
s21: network protocol support;
s22: network application support;
s23: replaying offline PCAP packet streams;
s24: displaying the MAC address in events;
s25: a sensitive data handling mode;
s3: management and display of the monitoring results, comprising:
s31: built-in policy data sources and policies;
s32: policy definition and distribution;
s33: event and DLP report management;
s34: log management;
s35: authorization management and user management;
s36: backup and restore;
s37: ease of use and extensibility.
The working principle of the invention is as follows: first, define the basic intelligent content identification capabilities, including keyword identification, file identification and the like; then set up network protocol support, network application support and monitoring and filtering of specific address ranges, confirm which document types may be uploaded over the network and which must be prevented from being uploaded, and confirm the handling mode after a violation is detected; finally, set up the management and display mode for the file monitoring results, set user permissions and internal system permissions, and archive the detection results on the management platform.
In the above method for preventing data leakage with network monitoring capability, step S11 comprises the following sub-steps:
s111: single keyword detection;
s112: multiple keyword detection according to the number of matches and the number of matched words;
s113: matching adjacent characters of the keywords;
s114: Chinese word segmentation.
In the above method for preventing data leakage with network monitoring capability, the following steps are provided after step S14:
s15: unstructured data fingerprint detection techniques, comprising:
s151: data type evasion detection;
s152: fingerprint similarity matching;
s16: structured data detection techniques, comprising:
s161: data record field matching;
s162: precise data matching;
s17: semantic analysis and data identifier detection techniques;
s18: support for automatic classification and clustering of documents;
s19: seal identification detection technique;
s190: support for identifying compound files and compressed files as a whole, and for identifying each sheet of a spreadsheet independently;
s1901: an OCR detection technique;
s1902: a content recognition feature extraction tool;
s1903: file identification.
In the above method for preventing data leakage with network monitoring capability, the content recognition feature extraction tool comprises: an online unstructured data fingerprint extraction tool, an offline unstructured tool, support for generating a fingerprint library with regular online updates, IP2USER user-mapping support, and an offline semantic analysis tool.
In the above method for preventing data leakage with network monitoring capability, file identification comprises: identifying the content of common file types, finding encrypted files, inspecting compressed files, inspecting multi-layer compressed files, finding data processed to evade detection, identifying custom file types, and detecting nested files.
In the above method for preventing data leakage with network monitoring capability, network application support comprises: detecting files sent out via IM instant messaging software, detecting files uploaded via HTTP web libraries, detecting FTP uploads, detecting HTTP webmail, detecting the POP3 protocol, detecting the IMAP protocol, detecting HTTP network-disk and cloud-disk files, monitoring and identifying sensitive data downloaded via HTTP, monitoring and identifying sensitive mail sent via SMTP, monitoring and identifying sensitive information sent via Telnet, monitoring and identifying sensitive files downloaded via FTP, monitoring and identifying sensitive files uploaded or downloaded via SMB, detecting leakage from mail clients, displaying senders, recipients, CC recipients and BCC recipients by domain name and user name, detecting leakage via web microblog and forum posts, and detecting files larger than 50 MB; the method also supports viewing the content of outgoing sensitive mail directly online and supports an SMTP whitelist.
In the above method for preventing data leakage with network monitoring capability, the following steps are provided after step S26:
s26: monitoring address settings, including:
s261: support for monitoring only specific IP addresses or IP address segments;
s262: filtering specified IP addresses or IP address segments so that they are not monitored;
s27: proxy server settings;
s28: full traffic capture support, comprising:
s281: content identification at traffic rates above 800 Mbps on a single gigabit interface;
s282: real-time operation of multiple mirror ports;
s283: support for real-time monitoring of ten-gigabit network card traffic;
s29: high availability deployment.
In the above method for preventing data leakage with network monitoring capability, event and DLP report management comprises: the management platform provides rich report functions; it provides user-defined event reports and supports their export; and it provides event summaries and custom dashboards.
The second object of the present invention is achieved by the following technical solution: a data leakage prevention device with network monitoring capability, comprising:
a computer terminal;
a detection server;
a management platform;
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the data leakage prevention method with network monitoring capability described above.
The third object of the present invention is achieved by the following technical solution: a storage medium storing a computer program for use with a computer having a display, the computer program being executable by a processor to perform the data leakage prevention method with network monitoring capability described above.
Compared with the prior art, the invention has the advantage of good quality.
Drawings
Fig. 1 is a schematic structural view of the present invention.
Fig. 2 is a schematic structural diagram of the present invention.
Fig. 3 is a schematic structural diagram of the present invention.
Detailed Description
The following are specific embodiments of the present invention and are further described with reference to the drawings, but the present invention is not limited to these embodiments.
As shown in fig. 1, the data leakage prevention method with network monitoring capability is characterized by comprising the following steps:
s1: setting intelligent identification content, including:
s11: keyword detection techniques;
s12: regular expression techniques;
s13: setting a regular expression minimum hit count;
s14: data dictionary detection techniques;
s2: performing network monitoring, comprising:
s21: network protocol support;
s22: network application support;
s23: replaying offline PCAP packet streams;
s24: displaying the MAC address in events;
s25: a sensitive data handling mode;
s3: management and display of the monitoring results, comprising:
s31: built-in policy data sources and policies;
s32: policy definition and distribution;
s33: event and DLP report management;
s34: log management;
s35: authorization management and user management;
s36: backup and restore;
s37: ease of use and extensibility.
The whole system can be divided into three modules: intelligent content identification, network monitoring, and monitoring result management and display.
The intelligent content identification module takes content characteristics as its main identification target and sets sensitive characters as keywords; when those characters appear in a leaked file, the system detects them. The module also has a built-in regular expression detection technique to make up for the deficiency of keyword detection, which shows mainly in the leakage of information such as mobile phone numbers; the regular expression minimum hit count set in this module means that the management platform records a violation event only when the leaked file reaches the configured minimum number of hits. The module further has a built-in data dictionary, which supports a data dictionary algorithm and identifies content according to the number or weight of keywords (the weight setting supports multiple values); when information violating the data dictionary policy appears in an outgoing mail, it is detected by the management platform.
The network monitoring module applies network monitoring on the basis of the intelligent identification function and supports sensitive data monitoring and auditing over network protocols such as HTTP, FTP, SMTP, POP3, IMAP, web mail, TIM, TELNET and SMB. It supports reassembly and identification of captured PCAP packet streams; if sensitive traffic occurs in a stream, it is recorded by the management platform. It also supports obtaining the MAC address of the leaking machine from DHCP traffic, and that MAC address is used to associate subsequent events with personnel: when a leaked file is audited by the network monitoring module, the management platform displays the MAC address of the leaking machine. When the module identifies the outgoing transmission of a sensitive file, it notifies the relevant personnel of the event by e-mail, and the outgoing sensitive file is uploaded to the management platform, where it can be downloaded normally so that evidence can be traced at any time.
The monitoring result management and display module has built-in policy data sources and policies. The data sources include classified and graded security policy rules for the data of some industries; built-in identification algorithms for Chinese citizen ID card numbers, social credit codes, vehicle identification codes, international mobile equipment identity (IMEI) codes, nearly 700 kinds of bank card numbers and IPv4 addresses; and built-in dictionaries of terms commonly violating national laws and regulations, politically sensitive data dictionaries and the like. Policies also support customization, and a formulated policy can be distributed by policy group to a specified detection server for detection. The management and display functions include rich log management, including system logs and the like, so that the running condition of the system is known in real time; system logs can be queried by multi-dimensional combinations such as time, type, state, server name, severity level and user. The management and display functions support license control, realizing management of the security modules and identification algorithms; user login control can be managed remotely, login can be restricted to specific IP addresses, and three administrators (system, audit and policy) are set up in the system according to the principle of separation of three powers. Policies and data in the database support backup and restore operations. The system is easy to use, supports custom policies, data configuration files and discovery scans, and each data classification can be given a security policy configuration according to different business requirements and then issued to the corresponding component. The system is also extensible: it supports subsequent expansion with other data leakage prevention components, all managed and operated through the unified management platform, and the components include bypass network traffic audit, network DLP gateway, sensitive outgoing mail approval, terminal data leakage prevention, sensitive data discovery, application system upload/download traffic audit/blocking and the like.
In more detail, step S11 comprises the following sub-steps:
s111: single keyword detection;
s112: multiple keyword detection according to the number of matches and the number of matched words;
s113: matching adjacent characters of the keywords;
s114: Chinese word segmentation.
The keyword detection technique provides single keyword detection, in which a detection rule contains only one keyword, and supports matching by word, such as: 'the cost is hard'. It also provides detection of multiple keywords according to the number of matches and the number of matched words, supporting 'and' and 'or' logical relations between the keywords; it also detects keywords that have been split by special symbols or blanks, that is, a leakage behaviour with a fixed interval of one or n characters inserted between the keywords; and it supports more accurate identification of sensitive keywords: after Chinese word segmentation is enabled, when the term 'computer key' appears in a leaked file, the two characters meaning 'secret' contained within it are not detected as a sensitive word.
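The keyword rules above, together with the regular expression minimum hit count and the weighted data dictionary described in the system overview, can be modelled as follows. This is an added Python example, not code from the patent or the assignee; the rule layout, the forward-maximum-match segmenter with its tiny constructed lexicon, the mobile number pattern and the sample texts are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed segmentation lexicon for the forward-maximum-match tokeniser
# (an assumption standing in for a real Chinese dictionary).
SEG_DICT = {"计算机", "密钥", "机密", "文件", "密码", "客户", "名单", "附件"}
MAX_WORD = max(len(w) for w in SEG_DICT)


def segment(text):
    """Forward maximum matching: at each position take the longest lexicon
    word; characters not in the lexicon become single-character tokens."""
    tokens, i = [], 0
    while i < len(text):
        for n in range(min(MAX_WORD, len(text) - i), 0, -1):
            if text[i:i + n] in SEG_DICT:
                tokens.append(text[i:i + n])
                i += n
                break
        else:
            tokens.append(text[i])
            i += 1
    return tokens


def count_keyword(text, keyword, segmented=False, gap=0):
    """Count one keyword.  segmented=True matches whole tokens only, so the
    characters '机密' straddling the tokens '计算机' and '密钥' are not a hit.
    gap=n tolerates up to n separator characters (blanks or symbols) inserted
    between the keyword's characters, catching keywords split to evade detection."""
    if segmented:
        return segment(text).count(keyword)
    if gap > 0:
        pattern = (r"[\W_]{0,%d}" % gap).join(re.escape(ch) for ch in keyword)
        return len(re.findall(pattern, text))
    return text.count(keyword)


@dataclass
class KeywordRule:
    name: str
    keywords: list
    logic: str = "or"        # "and": every keyword must appear; "or": any one
    min_hits: int = 1        # total matches required across all keywords
    segmented: bool = False  # match on word-segmented tokens
    gap: int = 0             # tolerated separators inside a keyword

    def evaluate(self, text):
        hits = {k: count_keyword(text, k, self.segmented, self.gap) for k in self.keywords}
        present = sum(1 for n in hits.values() if n > 0)
        logic_ok = present == len(self.keywords) if self.logic == "and" else present > 0
        return logic_ok and sum(hits.values()) >= self.min_hits


@dataclass
class RegexRule:
    name: str
    pattern: str
    min_hits: int = 1        # the "regular expression minimum hit count" setting

    def evaluate(self, text):
        return len(re.findall(self.pattern, text)) >= self.min_hits


@dataclass
class DictionaryRule:
    name: str
    weights: dict            # dictionary keyword -> weight (1 for pure counting)
    threshold: int           # weighted total that constitutes a violation

    def evaluate(self, text):
        return sum(w * text.count(k) for k, w in self.weights.items()) >= self.threshold


def evaluate_policy(text, rules):
    """Names of every rule the text violates; an empty list means no event."""
    return [r.name for r in rules if r.evaluate(text)]


# Assumption: mainland China mobile numbers are 11 digits starting with 13-19.
MOBILE = r"(?<!\d)1[3-9]\d{9}(?!\d)"
POLICY = [
    KeywordRule("confidential-marker", ["机密"], segmented=True),
    KeywordRule("split-keyword", ["机密"], gap=2),
    KeywordRule("customer-and-list", ["客户", "名单"], logic="and"),
    RegexRule("phone-numbers", MOBILE, min_hits=2),
    DictionaryRule("sensitive-dictionary", {"客户名单": 3, "薪资": 2, "合同": 1}, threshold=3),
]
# Constructed sample texts: a leak, a benign message, and a split keyword.
SAMPLE_LEAK = "机密文件：客户名单见附件，联系 13800138000 或 13900139000"
SAMPLE_BENIGN = "请更新计算机密钥后再登录"
SAMPLE_SPLIT = "机 密 资料请勿外传"

if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_BENIGN, SAMPLE_SPLIT):
        print(sample, "->", evaluate_policy(sample, POLICY))
```

Note that the benign text still trips the unsegmented split-keyword rule, which is exactly the false positive that word segmentation removes.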
In more detail, the following steps are provided after step S14:
s15: unstructured data fingerprint detection techniques, comprising:
s151: data type evasion detection;
s152: fingerprint similarity matching;
s16: structured data detection techniques, comprising:
s161: data record field matching;
s162: precise data matching;
s17: semantic analysis and data identifier detection techniques;
s18: support for automatic classification and clustering of documents;
s19: seal identification detection technique;
s190: support for identifying compound files and compressed files as a whole, and for identifying each sheet of a spreadsheet independently;
s1901: an OCR detection technique;
s1902: a content recognition feature extraction tool;
s1903: file identification.
Data type evasion detection means that when the document from which a fingerprint was extracted is a Word document and the leaking party converts it to PDF before sending it out, the fingerprint detection technique still detects it. Fingerprint similarity matching sets a threshold for fingerprint similarity; when the fingerprint similarity of an outgoing file reaches the threshold, the outgoing behaviour is found by the fingerprint detection technique. Data record field matching means that structured data precise fingerprint detection supports flexible combination matching of field contents: when an outgoing file contains information such as 'name', 'bank card number', 'password' or 'salary', even in scrambled form, the structured data fingerprint detection technique can perform rule matching on it; and when 'name' appears among the keywords with blanks mixed in, it is still detected by the structured data precise fingerprint detection technique. The semantic analysis detection technique uses the semantic analysis tool provided by the system to build an analysis model for the data content of a user-specified directory by machine learning; the built model can be applied to the detection server as a detection policy. The data identifier detection technique means that the system has built-in multi-field data feature identification rules, and these feature identifiers can be used directly during data detection. The system provides an offline semantic analysis tool and automatically classifies, grades and clusters documents. Seal identification refers to intelligent identification that realizes keyword detection on common electronic seals: when an outgoing file is a picture, the seal on the picture can be detected.
Identification of compound files and compressed files as a whole, or individual identification of the sub-files of a compressed file, is supported. For example, create an event in which a file with ten occurrences of a sensitive word is defined as a sensitive file; a file with 4 occurrences is file A, a file with 3 occurrences is file B, a file with 6 occurrences is file C and a file with 10 occurrences is file D; A, B and C are compressed into package E, and A and D are compressed into package F; when both packages are sent, package F is identified as a sensitive file by the intelligent identification module. For Excel files, each sheet can be identified individually and the whole workbook can be identified collectively. The OCR technique supports detection of keywords on pictures in the common JPG, TIF, TIFF and BMP formats.
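One way to realise the unstructured fingerprint with a similarity threshold and the structured field-combination matching described above, as an added Python example that is not the patent's or the assignee's code; the hashed word-shingle fingerprint scored by a containment ratio, the 0.6 threshold, and all sample documents and records are assumptions constructed for the example.

```python
import hashlib
import itertools
import re


def tokens(text):
    """Lower-cased word tokens; line breaks, spacing and punctuation produced
    by a format conversion (e.g. Word to PDF) do not change them."""
    return re.findall(r"\w+", text.lower())


def unstructured_fingerprint(text, k=3):
    """Set of hashed k-word shingles.  Only these hashes need to leave the host
    where the fingerprint is extracted; the original text is never sent."""
    words = tokens(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def containment(registered, outgoing):
    """Share of the registered document's shingles found in the outgoing
    file, so a partial copy still scores; 0.0 if nothing was registered."""
    if not registered:
        return 0.0
    return len(registered & outgoing) / len(registered)


def unstructured_match(registered, outgoing_text, threshold=0.6):
    return containment(registered, unstructured_fingerprint(outgoing_text)) >= threshold


def _norm(value):
    # Blanks mixed into a value ("张 三", "6222 0212 ...") are ignored.
    return re.sub(r"\s+", "", str(value)).lower()


def _record_hash(values):
    return hashlib.sha256("|".join(_norm(v) for v in values).encode()).hexdigest()


def structured_fingerprint(records, fields):
    """Hash of the chosen field combination (e.g. name + card number) for
    every record; the raw values stay on the extraction host."""
    return {_record_hash(r[f] for f in fields) for r in records}


def structured_match(fingerprint, n_fields, outgoing_text):
    """1-based line numbers whose cells contain a registered field combination
    in any order.  A card number alone, or a name alone, is not a hit."""
    hits = []
    for lineno, line in enumerate(outgoing_text.splitlines(), 1):
        cells = [c for c in re.split(r"[,\t;，；]", line) if c.strip()]
        if any(_record_hash(combo) in fingerprint
               for combo in itertools.permutations(cells, n_fields)):
            hits.append(lineno)
    return hits


# Constructed sample data: a registered document, its PDF export, an excerpt
# and an unrelated text; two customer records and an outgoing table.
ORIGINAL_DOC = "Project Falcon budget 2021 total cost four million approved by board chair"
PDF_EXPORT = "Project Falcon\nbudget 2021\ntotal   cost four\nmillion approved by\nboard chair."
EXCERPT = "Project Falcon budget 2021 total cost four million approved"
UNRELATED = "Lunch menu for Friday: noodles, rice and soup"
REGISTERED = unstructured_fingerprint(ORIGINAL_DOC)

RECORDS = [
    {"name": "张三", "card": "6222021234567890123", "salary": "12000"},
    {"name": "李四", "card": "6228480012345678901", "salary": "15000"},
]
RECORD_FP = structured_fingerprint(RECORDS, ("name", "card"))
OUTGOING_TABLE = (
    "客户,张 三,6222 0212 3456 7890 123,VIP\n"
    "李四,电话,13800138000\n"
    "王五,6222021234567890123\n"
)

if __name__ == "__main__":
    for doc in (PDF_EXPORT, EXCERPT, UNRELATED):
        print(round(containment(REGISTERED, unstructured_fingerprint(doc)), 2),
              unstructured_match(REGISTERED, doc))
    print(structured_match(RECORD_FP, 2, OUTGOING_TABLE))
```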
In further detail, the content recognition feature extraction tool comprises an online unstructured data fingerprint extraction tool, an offline unstructured tool, IP2USER user-mapping support, an offline semantic analysis tool, and support for unstructured data fingerprint extraction both locally and remotely; when fingerprints are extracted remotely, only the fingerprints are transmitted over the network and the original data is never transmitted. File fingerprints are generated from FTP servers, shared directories and git repositories on a regular schedule and distributed automatically; fingerprint files can also be added offline through the management platform; and an online file fingerprint generation tool is also supported.
In further detail, file identification comprises identifying the content of common file types, finding encrypted files, inspecting compressed files, inspecting multi-layer compressed files, finding data processed to evade detection, identifying custom file types and detecting nested files. It aims at identifying and detecting common file formats, listing all file formats supported by the reference product and stating the number of supported formats; the common formats include doc, docx, xls, xlsx, ppt, pptx, pdf, zip, rar, 7z and txt. Encrypted files can also be identified, such as password-protected Office files (ppt, doc and the like), PDF files and rar archives, and these files are highlighted when a security warning is issued. The method can also decompress RAR, ZIP, 7Z and other compressed formats and check whether the decompressed files contain sensitive data; the number of layers is not limited, so even when one file has been compressed repeatedly into many layers, the sensitive content of the innermost original file is found by the file identification function. Sensitive files whose format has been converted can be detected, and the original format of the file is highlighted. File type identification can also be customized. Nested documents can also be identified: a TXT text containing confidential information embedded in a leaked Word document is detected when the document is sent out. The method also supports identifying compound files and compressed files as a whole, or identifying the sub-files within them individually; for Excel, each sheet can be identified individually and the whole workbook collectively.
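The compressed-package example given earlier (files A, B, C and D with 4, 3, 6 and 10 occurrences, packages E and F) and the unlimited-depth decompression and encrypted-file detection described here, as an added Python example that is not the patent's or the assignee's code. It builds the packages in memory with a constructed sensitive word, walks nested zip archives recursively, reports encrypted members instead of opening them, and evaluates both per-subfile and whole-archive identification against the ten-hit threshold; the per-subfile mode reproduces the description (only F trips, through D), and the whole-archive mode additionally flags E because its members' counts add up to 13.

```python
import io
import zipfile

SENSITIVE_WORD = b"secret"   # constructed sensitive word
THRESHOLD = 10               # ten occurrences make a file sensitive


def build_zip(members):
    """Build an in-memory zip from {name: bytes}.  A nested archive is just a
    member whose bytes are themselves a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def walk(data, path):
    """Yield (path, status, hits) for every leaf file, descending into nested
    zips with no depth limit.  Encrypted members (general-purpose flag bit 0)
    are reported as such rather than opened; everything else is counted."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        yield path, "plain", data.count(SENSITIVE_WORD)
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            child = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:
                yield child, "encrypted", 0
            elif not info.is_dir():
                yield from walk(zf.read(info), child)


def inspect(archive_name, data, mode="subfile"):
    """mode="subfile": sensitive if any single leaf reaches THRESHOLD;
    mode="whole": sensitive if the hits of all leaves together reach it."""
    leaves = list(walk(data, archive_name))
    hits = [n for _, status, n in leaves if status == "plain"]
    if mode == "subfile":
        sensitive = any(n >= THRESHOLD for n in hits)
    elif mode == "whole":
        sensitive = sum(hits) >= THRESHOLD
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {
        "sensitive": sensitive,
        "total_hits": sum(hits),
        "encrypted": [p for p, status, _ in leaves if status == "encrypted"],
        "files": [p for p, status, _ in leaves if status == "plain"],
    }


# Constructed files with 4, 3, 6 and 10 occurrences, as in the description.
FILE_A = b"report " + b"secret " * 4
FILE_B = b"memo " + b"secret " * 3
FILE_C = b"notes " + b"secret " * 6
FILE_D = b"plan " + b"secret " * 10
PACKAGE_E = build_zip({"A.txt": FILE_A, "B.txt": FILE_B, "C.txt": FILE_C})
PACKAGE_F = build_zip({"A.txt": FILE_A, "D.txt": FILE_D})
PACKAGE_G = build_zip({"inner/F.zip": PACKAGE_F})   # multi-layer: F inside G

if __name__ == "__main__":
    for name, pkg in (("E.zip", PACKAGE_E), ("F.zip", PACKAGE_F), ("G.zip", PACKAGE_G)):
        for mode in ("subfile", "whole"):
            print(name, mode, inspect(name, pkg, mode))
```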
In further detail, network application support comprises: detecting files sent out via IM instant messaging software, detecting files uploaded via HTTP web libraries, detecting FTP uploads, detecting HTTP webmail, detecting the POP3 protocol, detecting the IMAP protocol, detecting HTTP network-disk and cloud-disk files, monitoring and identifying sensitive data downloaded via HTTP, monitoring and identifying sensitive mail sent via SMTP, monitoring and identifying sensitive information sent via Telnet, monitoring and identifying sensitive files downloaded via FTP, monitoring and identifying sensitive files uploaded or downloaded via SMB, detecting leakage from mail clients, displaying senders, recipients, CC recipients and BCC recipients by domain name and user name, detecting leakage via web microblog and forum posts, and detecting files larger than 50 MB; the method also supports viewing the content of outgoing sensitive mail directly online and supports an SMTP whitelist.
In more detail, the following steps are provided after step S26:
s26: monitoring address settings, including:
s261: support for monitoring only specific IP addresses or IP address segments;
s262: filtering specified IP addresses or IP address segments so that they are not monitored;
s27: proxy server settings;
s28: full traffic capture support, comprising:
s281: content identification at traffic rates above 800 Mbps on a single gigabit interface;
s282: real-time operation of multiple mirror ports;
s283: support for real-time monitoring of ten-gigabit network card traffic;
s29: high availability deployment.
The administrator can customize the IP addresses or IP segments to be monitored according to the detection requirements, and packets outside the detection range are discarded, which improves detection performance and reduces storage consumption; that is, sensitive files sent out from PCs within the monitored IP addresses are monitored, while sensitive files sent from PCs at unmonitored addresses are not. The administrator can also filter designated IP addresses or IP address segments so that they are not monitored, again to improve detection performance and reduce storage consumption; that is, sensitive files sent from PCs within a filtered IP address are not monitored, while sensitive files sent from PCs that are within the monitored IP segment and outside the filtered addresses are monitored. The network monitoring module can analyze the address of a proxy server and identify the real IP address of the sender of an outgoing sensitive file. Content identification at over 800 Mbps on a single gigabit interface means that outgoing sensitive files can be monitored at network traffic rates above 800 Mbps, and real-time monitoring of a ten-gigabit network card can monitor outgoing file events sent via webmail at over 2 Gbps. Real-time operation of multiple mirror ports means that more than two mirror network cards are monitored simultaneously, with load collection and load balancing of the traffic, and the outgoing data is identified; that is, webmail sensitive files sent out from more than two computers can be monitored. High-availability deployment means that the network monitoring module supports master-slave deployment: a master and a slave network monitoring PC are set up, and when the master process is abnormal or shut down, the slave process can still monitor
outgoing sensitive file events.
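The monitored-segment, filtered-segment and proxy-address handling above, as an added Python example that is not the patent's or the assignee's code; the CIDR ranges, the proxy address and the use of an X-Forwarded-For header to recover the real sender behind a known proxy are assumptions.

```python
import ipaddress


class MonitorScope:
    """Address-scope and proxy handling for captured traffic.  Constructed
    example; the CIDR lists and proxy addresses below are assumptions."""

    def __init__(self, monitored=(), filtered=(), proxies=()):
        self.monitored = [ipaddress.ip_network(n) for n in monitored]   # s261
        self.filtered = [ipaddress.ip_network(n) for n in filtered]     # s262
        self.proxies = {ipaddress.ip_address(p) for p in proxies}       # s27

    def in_scope(self, ip):
        """Keep a packet only if its address lies in a monitored segment and
        in no filtered segment.  Filtering wins over monitoring; an empty
        monitored list means everything not filtered is monitored."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.filtered):
            return False
        return not self.monitored or any(addr in net for net in self.monitored)

    def real_sender(self, src_ip, forwarded_for=None):
        """Resolve the real sender behind a known proxy.  Only a connection
        from a configured proxy gets its X-Forwarded-For chain honoured, and
        the chain is read from the right, skipping proxy hops, so a client
        cannot forge its identity by prepending addresses.  A malformed entry
        stops the walk and the proxy's own address is returned."""
        addr = ipaddress.ip_address(src_ip)
        if addr not in self.proxies or not forwarded_for:
            return addr
        for hop in reversed(forwarded_for.split(",")):
            try:
                hop_addr = ipaddress.ip_address(hop.strip())
            except ValueError:
                return addr
            if hop_addr not in self.proxies:
                return hop_addr
        return addr

    def attribute(self, src_ip, forwarded_for=None):
        """Decide who sent the traffic and whether that sender is monitored."""
        sender = str(self.real_sender(src_ip, forwarded_for))
        return sender, self.in_scope(sender)


# Constructed configuration: monitor the 10.1.0.0/16 office segment except
# the 10.1.99.0/24 lab segment; 10.1.0.5 is the outbound web proxy.
SCOPE = MonitorScope(monitored=["10.1.0.0/16"], filtered=["10.1.99.0/24"],
                     proxies=["10.1.0.5"])

if __name__ == "__main__":
    print(SCOPE.attribute("10.1.2.3"))
    print(SCOPE.attribute("10.1.0.5", "203.0.113.9, 10.1.2.3"))
    print(SCOPE.attribute("10.1.0.5", "10.1.99.7"))
```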
In further detail, event and DLP report management comprises: the management platform provides rich report functions; it provides user-defined event reports and supports their export; it provides event summaries and custom reports, supports distinct DLP reports for network, terminal and data discovery and can display them; and the user can also define custom reports according to predefined parameters and further build and display a DLP dashboard.
The second object of the present invention can be achieved by the following technical solutions: a data leakage prevention method and apparatus with network monitoring capability, comprising:
a computer terminal;
detecting a server;
a management platform;
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing a data leakage prevention method with network monitoring capabilities as described above.
The third object of the present invention can be achieved by the following technical solutions: a storage medium storing a computer program for use in conjunction with a computer terminal and a display, the computer program being executable by a processor to perform a method for data leakage prevention with network monitoring capability as described above.
The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments or alternatives may be employed by those skilled in the art without departing from the spirit or ambit of the invention as defined in the appended claims.
Although a large number of terms are used herein, the possibility of using other terms is not excluded. These terms are used merely to describe and explain the nature of the present invention more conveniently; they are not to be construed as imposing any additional limitation.

Claims (10)

1. A data leakage prevention method with network monitoring capability is characterized by comprising the following steps of:
s1: setting intelligent identification content, including:
s11: keyword detection techniques;
s12: regular expression techniques;
s13: setting a minimum hit count for regular expressions;
s14: data dictionary detection techniques;
s2: performing network monitoring, comprising:
s21: network protocol support;
s22: network application support;
s23: playing off-line PCAP message flow;
s24: the event shows the MAC address;
s25: a sensitive data processing mode;
s3: the management and display of the monitoring result comprise:
s31: a built-in policy data source and a policy;
s32: strategy definition and distribution;
s33: managing an event and a DLP report;
s34: log management;
s35: authorization management and user management;
s36: backup and restoration;
s37: ease of use and extensibility.
2. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by:
step S11 is followed by the following steps:
s111: detecting a single keyword;
s112: detecting multiple keywords according to the number of matches and the number of matched words;
s113: matching adjacent characters of the keywords;
s114: chinese word segmentation.
3. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by:
step S15 is followed by the following steps:
s15: an unstructured data fingerprint detection technique, comprising:
s151: data type escape detection;
s152: matching the fingerprint similarity;
s16: structured data detection techniques include:
s161: matching data record fields;
s162: matching accurate data;
s17: semantic analysis and data identification detection techniques;
s18: supporting automatic classification and clustering of documents;
s19: seal identification detection technology;
s190: supporting identification of compound files and compressed files as a whole, and independent identification of each Sheet page;
s1901: an OCR detection technique;
s1902: a content recognition feature extraction tool;
s1903: and identifying the file.
4. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by: the content recognition feature extraction tool comprises an online unstructured data fingerprint extraction tool, an offline unstructured data tool, support for a fingerprint library that is generated and periodically updated online, an IP2USER user-mapping tool, and an offline semantic analysis tool.
5. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by: identifying the contents of common file types, finding encrypted files, checking compressed files, checking multi-layer compressed files, finding data that has undergone evasive processing, identifying custom file types and detecting nested files.
6. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by: detecting files sent out by IM instant messaging software, detecting files uploaded to web libraries over the HTTP protocol, detecting files uploaded by FTP, detecting HTTP webmail, detecting the POP3 protocol, detecting the IMAP protocol, detecting network-disk and cloud-disk files over the HTTP protocol, monitoring and identifying sensitive data downloaded over the HTTP protocol, monitoring and identifying sensitive mails sent over the SMTP protocol, monitoring and identifying sensitive information sent over the Telnet protocol, monitoring and identifying sensitive files downloaded over FTP, monitoring and identifying sensitive files uploaded or downloaded over the SMB protocol, detecting mail client leakage, displaying senders, recipients, CC recipients and BCC recipients by domain name and user name, detecting leakage by posting to web microblogs and forums, and detecting files larger than 50MB; the method also supports online direct viewing of the content of outgoing sensitive mail and supports an SMTP white list.
7. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by:
step S26 is followed by the following steps:
s26: monitoring address settings, including:
s261: support monitoring only specific IP addresses or IP address segments;
s262: filtering designated IP addresses or IP address segments without monitoring them;
s27: setting a proxy server;
s28: full flow capture support, comprising:
s281: a single gigabit port supports content identification of traffic above 800Mbps;
s282: multiple mirror ports working in real time;
s283: supporting the real-time monitoring of the flow of the ten-gigabit network card;
s29: high availability deployment.
8. A method for data leakage prevention with network monitoring capability according to claim 1, characterized by: the event and DLP report management comprises the following: the management platform provides rich report functions; the management platform provides a user-defined event report function and supports export; the management platform provides event summaries and custom dashboards.
9. The second object of the present invention can be achieved by the following technical solutions: a data leakage prevention method and apparatus with network monitoring capability, comprising:
a computer terminal;
detecting a server;
a management platform;
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing a data leakage prevention method with network monitoring capabilities as described above.
10. The third object of the present invention can be achieved by the following technical solutions: a storage medium storing a computer program for use in conjunction with a computer terminal and a display, the computer program being executable by a processor to perform a method for data leakage prevention with network monitoring capability as described above.
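Claim 1 step S13 (a minimum hit count for regular expressions) and claim 2 step S112 (multiple keywords judged by match count and number of matched words) describe threshold-based content rules; the following is an added example of evaluating such rules, not the patent's or the applicant's code. The rule names, thresholds, the simplified ID-number pattern and the sample documents are all constructed for illustration:

```python
import re
from dataclasses import dataclass


@dataclass
class KeywordRule:
    name: str
    keywords: tuple        # words that indicate sensitive content
    min_hits: int = 1      # total occurrences across all keywords (match count)
    min_distinct: int = 1  # distinct keywords that must appear (matched-word count)


@dataclass
class RegexRule:
    name: str
    pattern: str
    min_hits: int = 1      # the regular-expression minimum hit count


def count_keyword_hits(text, rule):
    """Return (total hits, number of distinct keywords hit), case-insensitive."""
    lower = text.lower()
    per_word = {k: lower.count(k.lower()) for k in rule.keywords}
    return sum(per_word.values()), sum(1 for v in per_word.values() if v)


def rule_fires(text, rule):
    """A rule fires only when every configured minimum is reached, which is
    what keeps a single stray word from raising an event."""
    if isinstance(rule, RegexRule):
        return len(re.findall(rule.pattern, text)) >= rule.min_hits
    hits, distinct = count_keyword_hits(text, rule)
    return hits >= rule.min_hits and distinct >= rule.min_distinct


RULES = [
    KeywordRule("contract-terms", ("confidential", "non-disclosure", "internal only"),
                min_hits=3, min_distinct=2),
    # Simplified 18-character resident ID pattern, constructed for this example.
    RegexRule("id-number", r"\b\d{17}[\dX]\b", min_hits=2),
]

# Constructed sample documents (not real data).
SAMPLE_TEXTS = {
    "memo": "CONFIDENTIAL: internal only. This memo is confidential.",
    "newsletter": "Nothing confidential here, just confidential-sounding "
                  "words, confidential.",
    "export": "IDs 11010519900307123X and 330106198512150019 attached.",
}


def evaluate(text, rules=RULES):
    """Names of the rules that fire for a document; empty means it passes."""
    return [r.name for r in rules if rule_fires(text, r)]
```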
CN202011244861.6A 2020-11-10 2020-11-10 Data leakage prevention method and device with network monitoring capability and storage medium Pending CN112565196A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011244861.6A CN112565196A (en) 2020-11-10 2020-11-10 Data leakage prevention method and device with network monitoring capability and storage medium


Publications (1)

Publication Number Publication Date
CN112565196A true CN112565196A (en) 2021-03-26

Family

ID=75042889

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011244861.6A Pending CN112565196A (en) 2020-11-10 2020-11-10 Data leakage prevention method and device with network monitoring capability and storage medium

Country Status (1)

Country Link
CN (1) CN112565196A (en)


Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160301693A1 (en) * 2015-04-10 2016-10-13 Maxim Nikulin System and method for identifying and protecting sensitive data using client file digital fingerprint
US9553849B1 (en) * 2013-09-11 2017-01-24 Ca, Inc. Securing data based on network connectivity
CN106446707A (en) * 2016-08-31 2017-02-22 北京明朝万达科技股份有限公司 Dynamic data leakage prevention system and method
US20170366507A1 (en) * 2014-09-10 2017-12-21 Fortinet, Inc. Data leak protection in upper layer protocols
CN107577939A (en) * 2017-09-12 2018-01-12 中国石油集团川庆钻探工程有限公司 Data leakage prevention method based on keyword technology
CN107733834A (en) * 2016-08-10 2018-02-23 中国移动通信集团甘肃有限公司 A kind of leakage prevention method and device
CN108734026A (en) * 2018-05-25 2018-11-02 云易天成(北京)安全科技开发有限公司 Data leakage prevention method, system, terminal and medium
CN111131183A (en) * 2019-12-05 2020-05-08 任子行网络技术股份有限公司 Network security monitoring method, computer device and computer readable storage medium
CN111314292A (en) * 2020-01-15 2020-06-19 上海观安信息技术股份有限公司 Data security inspection method based on sensitive data identification


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
刘树春 (Liu Shuchun): "Deep Practice of OCR: Text Recognition Based on Deep Learning" (《深度实践OCR 基于深度学习的文字识别》), 31 May 2020, China Machine Press (机械工业出版社) *
梁向阳 (Liang Xiangyang): "A Survey of Data Leakage Prevention Technology" (数据泄露防护技术综述), Secrecy Science and Technology (《保密科学技术》) *
绿盟科技 (NSFOCUS): "NSFOCUS Data Leakage Prevention System Product White Paper" (绿盟数据泄漏防护系统产品白皮书), NSFOCUS (《绿盟科技》) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116032509A (en) * 2021-10-27 2023-04-28 中移系统集成有限公司 Mail encryption and decryption method and device
CN114579961A (en) * 2021-12-21 2022-06-03 中国信息安全测评中心 Sensitive data identification method based on multi-industry detection rules and related device
CN114329366A (en) * 2022-03-14 2022-04-12 天津联想协同科技有限公司 Network disk file control method and device, network disk and storage medium
CN114329366B (en) * 2022-03-14 2022-07-26 天津联想协同科技有限公司 Network disk file control method and device, network disk and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210326)