| With the development of computer network and information technology, enterprise data divulgence is myriads of changes, which not only brings substantial economic losses to enterprises, but also threats enterprise's survival. According to Price Waterhouse Coopers "trend of confidential information loss" report, 1000 large enterprises and other 600 enterprises lose up to 53 billion to 59 billion dollars a year because of the loss of confidential information and intellectual property. It is not enough to reduce the loss just by using intrusion detection systems, vulnerability scanning systems or other regular network security tools. Traditional network products are helpless in dealing with data leak, especially the internal data leak. Therefore, we need a new solution dedicated to data leaks.As the domestic and international environment is different, such as legal system, cultural idea and network environment, there exists internal data link and external data leak but differ from emphasis point. In overseas, in awe of the relatively perfect legal system as well as the establishment of individual credit system, hacker invasion and staff leak become the main way of data leak. In domestic, In China, for the lack of legal deterrence and difficulty in tracking .It would be easier for data divulgence to escape from justice; Meanwhile, for the variety of management systems are imperfect in China, it increases the probability of data leak by stuff and hacking, the main form of data leak is external leakage. Transparent encryption technologies emerge as the context. Transparency is unknown to the users, which means it will not affect the original operation habit. When users save or open the confidential documents, the system will automatically encrypt the unencrypted files while decrypted the encrypted files. Files exist in the form of cipher text on the hard disk but in the form of plain text in memory. Due to files can not be opened without the decryption service when they leave the application environment files are protected as a result. Even if the external invasion successes, the intruder can only get encrypted confidential documents which can not be used properly. This technology is able to prevent malicious and unintentional leak effectively.Transparent encryption consists of three key stages: API HOOK,KERNEL HOOK and file system filter driver. Windows provides an information processing mechanism called Hook, which allows an application itself installs to other programs as a subroutine, in order to monitor certain types of messages from the specified window. When the information comes, the mechanism deals with the subroutine then the original program. PI HOOK is an classic example of this mechanism, it works in user mode (ring 3), by the "hook" of the documents related to the Windows API function makes transparent encryption come true. KERNEL HOOK works in kernel mode (ring 0) and realizes transparent encryption feature by the hook of documents related to the KERNEL function; File system filter driver realizes transparent encryption in the way of adding a new layer without changing the upper and lower interfaces.APIHOOK, KERNEL HOOK and application are closely related. They are all started by monitoring the application start. Once the application name is changed, they can not be "hook." Also, because different applications read and write files in different methods and different versions of software also change when dealing with data, so both of the ways has to be developed according to each application, even each version of the program. Although from safety and efficiency angle, KERNEL HOOK is better than API HOOK, but they have been unable to meet the growth of customer demand and gradually withdrawn from the historic stage.Transparent encryption has been developed from the initial user mode to kernel mode. The security and efficiency has increased although it is more and more difficult to achieve, In order to obtain better security, most of the current transparent encryption technology are based on file system filter driver and encryption strategies are based on the file name suffix, which means some suffix are defined as a confidential document. When data is written to these files, they are transparently encrypted, transparently decrypted when reading data from these files. Although the implementation of this encryption strategy is easier, there are also serious security issues, for any process opens this class files which are suffix definition of confidential documents is able to transparently decrypt them read them easily. When instant messaging software read confidential documents and send them through the network, the receiver will get the confidential documents explicitly, which results in leakage of information. This system is also based on file system filter driver transparent encryption but we spurn the original strategy and select the strategy based on the encryption process. The encryption process is divided into confidential process and the normal process, in this strategy, only confidential process reading secret documents can decrypt them and only those processes which are able create files can be defined as confidential process. Under such rules, the instant messaging software will be defined as the general process. They can only read the cipher text and could not result in leakage of information even if they send them. The strategy we present resolves the security problem effectively.The realization of process-based encryption strategy has many difficulties. So in our system, we build debugging environment using the debugging tools WinDbg and virtual machines VMware. For the various problems, we debug them repeatedly and finally solve the problems.The goal of our system is to focus on preventing internal malicious, unintentional leaks and prevent the files from external leakage.The system consists of four modules: the application layer control module, initialization module, binding module and filter module. According to the user needs application-layer control module is responsible for configuring the system, including encryption rules, keys, etc. Initialization module is responsible for the communication with application layer and transferring configuration information. Binding module is responsible for binding the file system device object in order to prepare for the filter. Filter module is responsible for filtering I / O request and doing some special treatment for some request.Finally, we set up a test environment. Experimental tests show that the system with our system can effectively prevent from the confidential documents without affecting the premise of the original operation, which are caused by U disk, mobile hard drives and other mobile devices. Also the system effectively prevents from the confidential documents leak caused by the adoption of instant messaging software, Email and other Internet tools. And our system achieves the desired objectives in safety and efficiency. |
PDF Full Text Request