KR101552688B1 - Security method and system at endpoint stage using user policy - Google Patents

Abstract

The present invention relates to a device for automatically encoding and decoding a file and a method for preventing a file from being transferred and copied into a USB at an endpoint stage based on Windows operating system (OS), in order to prevent internal information from being leaked. According to the present invention, a data security method at an endpoint stage based on Windows OS comprises the steps of: encoding a file on a kernel mode operated in a file drive of the Windows OS; and decoding the encoded file on a user mode realized by the registry of the Windows OS. In addition, the steps of encoding and decoding are selectively executed for a data file set according to user policy established in the user mode in the Windows OS. According to the present invention as described above, files are not operated during file I/O processing by applying a post-processing method when encoding files; and when decoding files, index information on encoded files are registered in the registry and related decoding modules are automatically called to decode the files, thus damage or errors in files during encoding or decoding processes can be specifically reduced.

Description

TECHNICAL FIELD [0001] The present invention relates to a data security method and system according to a user policy setting of an endpoint,

More particularly, the present invention relates to a device for automatically encrypting and decrypting files for preventing internal information leakage at an end point stage based on a Windows operating system (OS) , And a copy protection method.

Most organizations or organizations require technical and managerial measures to ensure that key internal information, including privacy information, is not leaked out. In particular, effective anti-cancer / anti-decryption technology should be provided to prevent electronic files generated and stored in a personal computer (PC) from being prejudiced by carelessness or intentional outflow of an individual.

The explosive growth of the Internet has created an environment in which so many people can share information or data. This increases the risk of data modification due to the ease of access to data by a large number of unspecified users, and the necessity of data / information protection becomes more important as the data to be unmodified is modulated. Even if you have good data, if you do not secure the data, you lose the value and meaning of modern social informatization.

Firewalls, intrusion detection, and audit trails are commonly used to solve security problems in computer systems. Firewall and intrusion detection do not prevent intrusion from inside, and audit trail has the disadvantage that it is impossible to prevent in advance because trace after trail is possible after death.

Among them, various types of DRM (Digital Rights Management) technologies exist for protecting contents (data files). Most of these DRM solutions provide technologies related to encryption / decryption.

An automatic encryption / decryption technique (hereinafter referred to as a technology) provides a technique for managing and controlling the use of a file or a content within a permitted scope of authority for a computer file created using a specific application. In other words, it is possible to automatically encrypt / decrypt the files created by the personal PC so that the contents of the file can not be confirmed in the absence of the decryption key even if the file is exported to the outside, or the access authority of the file is set differently based on the organization chart and user authority, The computer files created by the application are provided with the function of limiting the viewing and utilization according to the user's authority.

In existing DRM, the target of encryption / decryption has been developed to be performed only for specific applications that require encryption / decryption. That is, under a personal PC window environment, a new program is installed and a new DLL must be created and added every time a process is added. Therefore, whenever a new application is installed and used in a personal PC, there is a problem that a customizing operation must be performed in order to perform encryption / decryption for the application.

There are two typical paths through which personal files can be leaked to the external environment: 1) files are transferred to the external network via an NIC (Network Interface Card) connected to the Internet, or 2) It is the case that it is carried out.

In the first case (through a network), firewall, Intrusion Prevention Systems (IPS), etc., can block transmission using network security equipment. However, even with such a network security device, it is not possible to obtain a 100% reliable interception. Therefore, the automatic file encryption / decryption function of the computer file is used to automatically encrypt the file related to a specific application, It is possible to enhance the security of the information leak prevention aspect.

In the second case (via the USB interface), files in the personal computer may be leaked to the outside via USB.

In the case of using the existing DRM in the conventional personal PC environment shown in FIG. 1, since the digital file encryption / decryption is performed based on an application, it is schematically shown that a customizing operation for file encryption / decryption is required for each application FIG.

In the existing method of performing automatic encryption / decryption using DRM technology, the filter driver detects a file I / O request, detects an event condition of opening and closing a computer file, In the user space, file information (process information, file path) is transmitted to the encryption / decryption module that operates in the application format, and a related operation is requested to the encryption / decryption module.

The operation method of encrypting / decrypting in the user space using the file I / O information detected by the filter drive of the kernel space of the prior art is to delay the requested file I / It is a process that is performed by adding a separate process, so there is a high possibility that an error will occur when processing a file I / O. To avoid this risk, a separate temp file is created and used to stably backup the original file even if the file is damaged.

In this case, the original file is backed up, but the possibility of errors due to time delay is also higher. In other words, it is quite difficult to determine the timing of a file I / O event and perform the encryption / decryption operation at the correct timing because a file I / O interrupt occurs during the operation of the file or the temporary file is damaged. It corresponds to high work.

Therefore, in a Windows PC environment, a file opened or closed by a specific application is detected beforehand by using a file system filter driver, and the file can be decrypted / decrypted before the file is opened or closed. There is a problem that a file is damaged or an error is likely to occur

The file system driver provided by the Windows operating system does not provide encryption / decryption of files by default. Therefore, when adding the encryption / decryption function to the file, a program running in the user space linked with the file system filter driver is created and implemented.

As shown in FIG. 2A, a Windows-based file system filter driver (FSFD) is an intermediate driver included in an executable part of an operating system, and is a WDM (Windows Driver) Device drivers, such as Legacy Drivers, are important to communicate with hardware, but file system drivers need to be interoperable with other elements that make up the executable part of the operating system to handle file input / output (I / O) Do.

This file system filter driver intercepts file I / O requests sent to the file system driver or the disk driver to complement the functions provided by existing drivers, or to interoperate with new functions (such as encryption / decryption). It is designed to support.

2B, when a file I / O processing request 230 occurs when an application is running, the filter driver transfers the associated File I / O request to the hardware device driver, Requests the hardware driver to process the / O event.

The file I / O event request process is finally completed at the hardware level (step 250), and the file I / O process result is transferred to the user program via the kernel space. If the file I / O request is not processed by the file system filter driver and is blocked, the file I / O request processing result is transferred to the hardware level and can not be processed. In the kernel space, space), and the result of the blocked processing is returned and notified.

3 shows a system for preventing information leakage using a conventional USB medium. As shown in the figure, in the related art, when a file in the hard disk is transferred to the USB or when a new file is to be created or stored in the personal computer, the user can access the file via the USB, Disable or disable (disable) the connection itself, even if it is recognized, disconnecting it, and making it impossible for a personal PC to move or copy files through USB removable storage media.

FIG. 4 shows a specific embodiment of USB blocking according to the prior art. In order to block the process by the process, a hook method using a win API is used in a user space or a kernel area So as to prevent the file I / O from occurring in all processes, so that it is impossible to leak information to all the stored files in the PC regardless of the application currently in use. However, this method has the problem that it is impossible to move the file to the USB medium for all the processes and all the files, even if the user desires to unauthorizedly export the file with proper authority to the USB.

Disclosure of Invention Technical Problem [7] Accordingly, the present invention has been made to solve the problems of the conventional DRM-based encryption and decryption, and it solves the problems such as file corruption and error occurrence when hardware interrupt occurs during file encryption / decryption and solves the inconvenience of customization for each application And to provide a data security method and system for a data security system.

The present invention is to provide a data security method and system that are not encrypted based on an application-based file encryption / decryption but are encrypted / decrypted by a user policy established based on a window process name or an extension name.

The present invention also provides a data security method and system capable of selectively copying or moving files to and from a USB device using user policy means applied at the time of encryption, thereby enhancing user convenience without deteriorating security due to USB .

According to an aspect of the present invention, there is provided a data security method in an endpoint stage under a window operating system environment, the method comprising: encrypting a file on a file driver of the window operating system; ; And decrypting the encrypted file in a user mode implemented as a registry of the window operating system, wherein the encrypting step is performed after the I / O event of the file is processed And the encrypting and decrypting includes a data security method according to a user policy setting of an endpoint that is selectively performed according to a user policy established in a user mode of the window operating system.

At this time, the user policy is set by the user's input in the user mode of the window operating system, and the process name and extension indicating the name of the drive program for the security object data file may be registered and registered.

The encrypting step may include: (A) a communication unit of the RTM detecting a close event; (B) comparing the file information where the close event received by the table search unit of the RTM received by the communication unit with the file information registered in the encryption policy / blocking policy list of the user policy; (C) when the file in which the close event occurs is a file to be encrypted, as a result of the search in the table searching unit, the logging module of the RTM kernel area calls the encryption module; (D) maintaining the time step while the logging module finishes processing the corresponding file I / O event; (E) after the I / O event of the file is completed and storage of the file is completed, the encryption module encrypts the file to generate a modulation data file; (F) storing the modulation data file; And (G) deleting the file stored in the step (E).

In addition, an index indicating that the file is encrypted may be added to the modulation data file of the step (E).

And recording the index information of the modulated data file to which the index is added in a hardware stage through a low-level driver of the kernel mode.

In addition, the hardware unit may include a removable disk.

And the decoding step is performed before an open (oepn) event of the file is executed in the file driver of the window operating system; (a) determining whether the open event target file is a file in which index information is registered in a registry of a window operating system; (b) when the open object file is a file to be decrypted registered on the registry, the corresponding decryption module is driven by a window registry; (c) deciphering the object file by the decryption module; And (d) transferring the decrypted file information to the window file system filter driver, and completing file processing at the hardware level.

According to another aspect of the present invention, there is provided a data security method at an endpoint stage under a window operating system environment, the method comprising: receiving a move command of a data file through a user input unit; Executing a command according to a security policy for movement of the file when the data file matches the security data file defined in the user policy received by the block module; And a data security method according to a user policy setting of an endpoint end in which a process name indicating the name of the drive program for the target data file and an extension are registered and configured.

Here, the command according to the security policy may block the movement of the data file.

The user policy further includes a filtering policy in which specific content to be filtered is listed. The command according to the security policy includes: (a1) scanning the data file using the filter library in the user area; ; (b1) determining whether content of the data file is included in the filtering policy; And (c1) stopping the transmission of the data file when the content set in the filtering policy is included in the data file as a result of the determining in step (b1).

The user policy may further include a filtering policy in which specific contents to be filtered are listed. The command according to the security policy includes: (a2) using the filter library in the user domain, Scanning; (b2) determining whether content of the data file is included in the filtering policy; (c2) deleting or converting the content set in the filtering policy among the data files to generate a converted data file; And (d2) transmitting the converted data file.

According to another aspect of the present invention, there is provided a data security system in an endpoint stage under a window operating system environment, the system comprising: a user input unit for establishing a user policy for an encryption target; A communication unit that receives file information corresponding to a file in which a close event occurs, and communicates with the encryption module and the decryption module; A table search unit for comparing the file information of the file in which the close event occurs and the user policy to determine whether the file is an object file to be encrypted; And a locking module for calling the encryption module to encrypt the file if the file is an encryption target file.

In this case, the user policy is set by a user's input in a user mode of a window operating system, and a process name and extension indicating a name of a drive program for a security object data file are registered and configured: The search unit may determine whether the file is an encryption target file by comparing the process name or extension of the file in which the close event occurred and the process name or extension set in the user policy.

The logging module maintains a time step until the completion of the close event of the file. After the completion of the closing event of the file and the storage of the file is completed, the logging module encrypts the file through the encryption module, .

An index indicating that the file is an encrypted file may be added to the modulation data file.

The locking module may record the index information of the modulation data file to which the index is added on the window registry.

In addition, when a file open event is generated, the Windows registry may determine whether the open event target file is a file in which index information is registered in the registry of the Windows operating system, and perform decoding by the decryption module.

The following effects can be expected in the data security method and system according to the user policy setting of the endpoint unit according to the present invention as described above.

That is, in the present invention, the file is not manipulated during the file I / O processing by applying the post-processing method when encrypting the file, and when the decryption is performed, the index information of the encrypted file is registered in the registry to automatically call the related decryption module Thus, there is an effect that it is possible to significantly reduce the possibility of file corruption or error in the process of encrypting or decrypting the file.

In the present invention, unlike encryption / decryption of a conventional application-based limited program or process, a user policy is established based on a window process and an extension, and an encryption or USB blocking policy is thus performed, It is possible to control the encryption and the USB data movement based on the user policy for all the programs / processes to be executed in the PC, thereby providing an effective security policy.

1 is an exemplary diagram showing a DRM structure in a conventional PC environment;
2A is a conceptual diagram showing a file input / output model of a conventional Windows-based file system;
FIG. 2B is a conceptual diagram illustrating a conventional Windows-based file I / O processing structure. FIG.
3 is an exemplary view showing a structure for preventing information leakage using a conventional USB medium.
4 is an exemplary diagram showing a specific embodiment of a method of USB interruption according to the prior art.
5 is an exemplary diagram illustrating an embodiment of a user policy according to the present invention;
FIG. 6 is a block diagram schematically showing a configuration of a data security system according to the present invention; FIG.
Figure 7A is a flow diagram illustrating a file I / O processing event associated with encryption in accordance with the present invention;
7B is a flow diagram illustrating a file I / O processing event associated with decoding in accordance with the present invention.
FIG. 7C is an exemplary view showing a flow of data transfer processing to a recording medium according to the present invention; FIG.
8 is a block diagram illustrating another embodiment of a security device at an endpoint end according to the present invention;
9 is an exemplary view showing an embodiment of a user input unit of an encryption apparatus according to the present invention.
10 is an exemplary view showing an example of an interface for setting a monitoring drive type and a surveillance area of a security system at an end point end according to the present invention;

Hereinafter, a data security method and system according to an embodiment of the present invention will be described in more detail with reference to the accompanying drawings.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. In addition, the technical terms described below are defined in consideration of functions and the like in the present invention, and these may be changed according to the intention or custom of the person skilled in the art. Therefore, the definitions of the terms should be judged based on the contents described throughout the specification.

The endpoint terminal in the present invention collectively refers to a computing system operated by a user who creates, changes and deletes data information, and generally refers to a PC (personal computer), but is not limited thereto , And a virtual computer (VC) in a cloud computer.

It can be said that all the computing systems capable of exporting the file data generated by the user to the outside of the organization.

In the present invention, a data file collectively refers to a file in units of a storage, a call, and a move (copy), and is used as a term including all files regardless of security object.

(1) User area (2) Kernel area (3) The hardware area is divided into areas when the overall structure of the window system is divided from the driver viewpoint. In this case, ) Is executed in a privileged user mode (Least privileged mode) like other programs running on Windows, and is an area where system data can be accessed only through the system service function of the Win32 API.

And (2) the kernel space is a component of the execution unit that constitutes the operating system, and uses various functions provided by the operating system. These functions include functions that support input / output, Plug and Play (PnP), power management support functions, and memory management related functions. In addition, the kernel mode driver is classified as a file system, PnP, or a legacy driver according to its location in the window hierarchy.

(3) The hardware space is a medium space for storing a generated file or an encrypted file.

In the present invention, a window process is an instance of a program that is being executed.

An extension is a character appended to the end of a file name to distinguish the file type.

The present invention relates to a method and apparatus for processing a file I / O request in a user space, in order to process a file I / O request more safely than a conventional method of detecting a file I / Thereby increasing the stability of the decoding process and reducing the error occurrence rate.

A file system filter drive method that is run in the kernel space is used. When a document is encrypted, a logging module that operates in the kernel area driver is used. In the decryption process, a file using a Windows registry Different methods are adopted for encryption / decryption to directly call the decryption module using the index registration method.

In the security system and the security method according to the present invention, the kernel area driving unit of the present invention is composed of three main function modules, namely, a logging module, a blocking module, and a callback module. When the encryption / A block module of the < / RTI >

In addition, a blocking policy (hereinafter, referred to as 'user policy') defined by the user in the present invention is set by inputting a process name and a file extension of a specific application from a user terminal. When a file I / Whether encryption is performed according to the user policy by process or extension and whether the electronic document is copied or moved to the USB medium by comparing the file information value (process information, path information) of the file with the value registered in the user policy. .

As shown in FIG. 5, the user policy applied to the present invention can be defined by the user based on the process name of the file and the extension name of the file. It is possible to use different application extension information such as .txt, .ppt, .xls, Or by using a process name such as hwp.exe, or by a combination of an extension name and a process name.

This user policy can configure the user interface unit so that it can be checked in the 'encryption / blocking policy list' when a file I / O event of a specific file is requested in the encryption target of FIG.

According to the present invention, the encryption / blocking policy based on the file extension and the process name is checked, and if the process or extension is to be encrypted, the encryption / blocking policy is blocked or processed.

5, all the processes (notepad, wordpad, notepad ++) using the .txt extension in the user input unit are registered and controlled to encrypt documents having a .txt extension as an encryption target, and encryption is performed by discriminating the .txt extension An example is shown.

6 is a block diagram schematically illustrating the configuration of a data security system according to the present invention.

The security system at the endpoint stage under the window operating system environment according to the present invention includes a user input unit 110, a table search unit 120 and a communication unit 130 operating in a user space, and a real time monitoring (RTM) module 100 including a logging module 140 and a blocking module 150 (Block module) operating in a kernel space.

The user input unit 110 is a part driven in a user space and is a part for establishing a user policy to define an encryption target.

After the close event is requested, the communication unit 130 receives the file information (process information, path information) or encrypts / decodes the file information.

Also, the table searching unit 120 compares the file information generated by the file close event received by the communication unit 130 with the file information registered in the encryption / blocking policy list.

On the other hand, after the file close I / O event occurs, the logging module 140 of the RTM module 100 driven in the kernel space detects file information (process information, path information) of the file, And transmits it to the table searching unit 120 via the communication unit 130.

When the value of the file information (process information, path information) transmitted from the logging module 140 is compared with the contents of the user policy registered in the table search unit 120 and the same file information value exists, Can be confirmed.

If the search result of the table searching unit 120 indicates that the file is an encryption target file, the logging module 140 of the RTM module 100 monitors the close event of the corresponding file and determines whether the file I / O request processing is completed (I.e., after confirming the close state of the file), the encryption module 310 is called to perform encryption of the file.

After processing the file close event request, the logging module 140 confirms that the corresponding file I / O event has been processed, and then when calling the encryption module 310, an arbitrary time step is determined and a specific Encryption can also be performed on files whose event processing has been completed within the time interval.

That is, when the file to be processed is a file registered as a file to be encrypted in the user policy, the communication unit 130 calls the encryption module 310 to perform an encryption operation after a predetermined time step, Adds an index indicating that the file whose encryption operation has been completed is an encrypted file. At this time, the encryption time may be adjusted based on a specific time step by designating a specific directory or file group in the PC.

The decryption process according to the present invention uses a method of registering a file extension in a registry 200 of a window operating system when a Windows application program is run.

That is, the decryption in the present invention registers the application to be decrypted in the registry 200 in advance and causes the decryption application to be executed when a file having the corresponding extension is executed.

Specifically, the index information of the encrypted file is manually or automatically registered in the registry 200, and each time a file of the same file extension as the file extension registered in the registry 200 is opened, Module 320 is called. That is, the registered index information redirects the execution position on the memory of the corresponding process so that the process for the window necessary for driving the corresponding encryption file can be driven in the registry 200 of the Windows operating system, Allows the process to run automatically.

6, when a request r1 for file decryption is generated in the file request r, the decryption module 320 registered in the registry 200 directly without passing through the RTM module 100 of the present invention, The RTM module 100 may be firstly called and the decryption module 320 may be called by the RTM module 100 through the communication unit 130 in the registry 200. [

On the other hand, the blocking module 150 blocks the leakage of file data to a recording medium (for example, a USB memory, etc.).

FIG. 7A is a flowchart illustrating file I / O processing events related to encryption according to the present invention, and FIG. 7B is a flowchart illustrating file I / O processing events related to decryption according to the present invention.

7A, when a file close event occurs, a log closing module 140 (Logging module) among the drivers of the kernel area of the RTM module 100 detects a file close event And transmits a file close event request item to process at the hardware level (S110).

In the kernel space, the logging module 140 determines whether the corresponding file information (process information, path information) is included in the encryption / blocking policy list defined in the user policy or not by using the table search unit 120 (S120).

If the file is not included in the encryption / blocking policy list, the logging module 140 blocks the encryption module 150 from proceeding through the block module 150.

However, when the file information (process information, path information) is included in the encryption / blocking policy list, the logging module 140 checks whether the close request processing of the file is processed (S130) After confirming the completion of the request item processing, the encryption module 310 is called (S140).

Then, the encryption module 310, after an appropriate time step The encryption operation is performed (S150).

Thereafter, when the encryption process of the file is performed, an encryption file including specific index information is generated (S160).

Next, the index information of the encrypted file is registered in the registry 200 of the Windows operating system (S170).

Then, the encrypted modulated file is stored (S180), and the unencrypted file stored by the end of the file close event is deleted in operation 130 (S190).

Next, referring to FIG. 7B, when a file open event is generated (S210), it is determined whether the file is to be decrypted through the widow registry (S220). At this time, Since the index information is already registered in the registry 200 of the window operating system by the above-described encryption process, the decryption module 320 is called every time the specific file format to which the index is assigned is executed (S230 ).

That is, since all files of a specific format are to be decoded, the decryption module 320 is invoked without going through the RTM module 100 for a specific file format without determining whether to decode the RTM module separately (using the RTM module). Of course, it is also possible that the call of the decoding module is called through the communication unit 130 of the RTM module 100.

That is, when a file having the same format as that of the index format registered in the Registry is opened, the corresponding decryption module 320 is driven by the window registry, and the file information whose decryption is completed by the decryption module 320 is re- And file processing is completed at the hardware level (S240).

Hereinafter, an embodiment of data transmission security to a recording medium will be described with reference to FIG. 7C.

The present invention does not disable or disable the driver itself for the USB removable recording medium and allows the blocking module 150 to access the file information (process information, path information, and so on) received from the logging module 140 of the kernel space Information) is compared with the user policy and the file is prohibited from being stored and moved to the USB when the file is prohibited from storing and moving the file.

The USB interface driver is not always disconnected or deactivated in the USB interface driver itself for the recording medium, and the process and the extension are stored in the user policy and the table search unit 120), and determines whether to move the file to the USB device or not according to the comparison result.

In FIG. 7C, the blocking of the file I / O request using the blocking module 150 is performed when the file information (process information, path information) in the logging module 140 is encrypted / Block policy list, it is determined whether the file is moved / blocked by comparing only the file information without searching for the contents of the file contents. Therefore, the contents are compared with the contents filtering method, And can be performed in a relatively high speed mode.

8 is a block diagram illustrating a security apparatus and method in an endpoint according to an exemplary embodiment of the present invention. Referring to FIG. 8, a callback module, which is a kernel space driving unit of the RTM module 100, (Process information, path information) as well as file content information, and then performs a blocking policy.

That is, according to the embodiment of the present invention, instead of judging the file information unit as a unit of file information, the contents of the file are examined to determine whether the contents are leaked. For example, when the contents include certain contents such as a resident registration number An embodiment for blocking this is shown.

In this case, the user policy should further include a filtering policy in addition to the policy for checking the file content, that is, the encryption / blocking policy list.

If a specific type of content such as a resident registration number or a passport number is set on the filtering policy, filtering may be performed on the content including specific information such as a resident registration number or a passport number.

When a callback module is called, a filter library in a user space is used to determine whether a specific content is included in a file in which a file I / O request has occurred. If the specified content is not included, the result is sent to the hardware level and the requested file I / O operation proceeds as it is.

However, if the content is included in the content, the entire file is blocked using the block module 150 of the kernel driver of the RTM module 100 or the blocking module 150 of the RTM.

9 is a diagram illustrating an embodiment of a user input 110 of an encryption apparatus according to the present invention.

9, the user policy is set by setting or registering the user input unit 110. In the user input unit 110, a policy is set based on a process name of a file and an extension name of a file, I / O event request, encryption / blocking policy list.

FIG. 10 shows an example in which a monitoring drive type and a surveillance area can be set as another embodiment of the security device and method at the endpoint end according to the present invention. In the present invention, the user input unit 110 directly inputs A screen for inputting a process name and an extension that can be executed and a screen for designating a type of drive type for defining an area to be monitored when the corresponding process is activated or a screen for designating a certain area in the drive, You can assign the physical and logical areas to which the policy applies.

For example, the mask information includes 1) a plurality of file extension information, 2) a plurality of process information, 3) a directory information in which a corresponding process is executed or stored, and 4) , Which can be used to define user policies quickly and easily using the mask format. The value (process name / file extension name) entered in the mask or process name is a user policy setting method that can be quickly applied at the driver side in addition to the existing encryption / blocking policy list or filtering policy by applying the condition operator respectively.

A computer-readable medium storing a computer-readable program that can perform the security device and method at an endpoint end according to an embodiment of the present invention may be provided within the scope of the present invention, (E.g., CD-R, DVD, etc.) and carrier waves (e.g., the Internet), as well as magnetic storage media (e.g., ROM, floppy disks, hard disks, Lt; / RTI > transmission).

It is to be understood that the invention is not limited to the disclosed embodiment, but is capable of many modifications and variations within the scope of the appended claims. It is self-evident.

The present invention relates to a device for automatically encrypting and decrypting a file for preventing leakage of internal information at an end point stage based on a Windows operating system (OS), and a method for transferring and copying files to and from a USB device. When the file is encrypted, the post-processing method is applied so that the file is not manipulated during the file I / O processing. When the file is decrypted, the index information of the encrypted file is registered in the registry to automatically call the related decryption module, And there is an effect that the possibility of file damage or error can be remarkably reduced during the encryption or decryption process.

100: RTM module 110: user input
120: table searching unit 130:
140: Logging module 150: Blocking module
200: Registry 310: Encryption module
320: Decryption module

Claims (17)

In a data security method at an endpoint stage in a Windows operating system environment,
Encrypting the file on the file driver of the window operating system;
And decrypting the encrypted file in a user mode implemented as a registry of the Windows operating system, the method comprising:
Wherein the encrypting step comprises:
This is done after the I / O events of the file have been processed:
Wherein the encrypting and decrypting steps are selectively performed according to a user policy established in a user mode of the window operating system,
The user policy includes:
A process name and an extension indicating the name of the drive program for the security object data file are registered and configured by being set by the user's input in the user mode of the window operating system,
Wherein the encrypting step comprises:
(A) the communication unit of the RTM detects a close event;
(B) comparing the file information where the close event received by the table search unit of the RTM received by the communication unit with the file information registered in the encryption policy / blocking policy list of the user policy;
(C) when the file in which the close event occurs is a file to be encrypted, as a result of the search in the table searching unit, the logging module of the RTM kernel area calls the encryption module;
(D) maintaining the time step while the logging module finishes processing the corresponding file I / O event;
(E) after the I / O event of the file is completed and storage of the file is completed, the encryption module encrypts the file to generate a modulation data file;
(F) storing the modulation data file; And
(G) deleting the file stored in the step (E). The data security method according to the user policy setting of the end point.
delete delete The method according to claim 1,
The modulation data file of the step (E)
And an index indicating that the file is an encrypted file is added to the endpoint.
5. The method of claim 4,
And recording the index information of the modulated data file to which the index is added in a hardware stage through a low-level driver in a kernel mode. How to secure your data according to your settings.
6. The method of claim 5,
Wherein the hardware unit comprises a removable disk. ≪ RTI ID = 0.0 > 11. < / RTI >
5. The method of claim 4,
The decoding step includes:
Before execution of an open event of the file in the file driver of the window operating system;
(a) determining whether the open event target file is a file in which index information is registered in a registry of a window operating system;
(b) when the open event target file is a file to be decrypted registered in the registry, the corresponding decryption module is driven by a window registry;
(c) deciphering the object file by the decryption module; And
(d) transferring the decrypted file information to the window file system filter driver, and completing the file processing at the hardware level.
In a data security method at an endpoint stage in a Windows operating system environment,
Receiving a move command of a data file through a user input unit;
Executing a command according to a security policy for movement of the file when the data file matches the security data file defined in the user policy received by the block module,
The user policy includes:
A process name and extension indicating the name of the drive program for the security target data file are registered and configured:
The user policy includes:
Wherein the specific content to be filtered further comprises a listed filtering policy:
The command according to the security policy includes:
(a2) scanning the data file contents using a filter library in a user area;
(b2) determining whether content of the data file is included in the filtering policy;
(c2) deleting or converting the content set in the filtering policy among the data files to generate a converted data file; And
and (d2) transmitting the transformed data file.
delete delete delete In a data security system at an endpoint stage in a Windows operating system environment,
A user input unit for establishing a user policy for an encryption target;
A communication unit that receives file information corresponding to a file in which a close event occurs, and communicates with the encryption module and the decryption module;
A table search unit for comparing the file information of the file in which the close event occurs and the user policy to determine whether the file is an object file to be encrypted;
And a logging module for calling the encryption module to encrypt the file if the file is an encryption target file,
The user policy includes:
Which is set by the user's input in the user mode of the window operating system,
A process name and extension indicating the name of the drive program for the security target data file are registered and configured:
Wherein the table searching unit compares the process name or extension of the file in which the close event occurred and the process name or extension set in the user policy to determine whether the file is an encryption target file,
Wherein the logging module comprises:
Wherein the file management module maintains a time step until completion of the close event of the file and encrypts the file through the encryption module after the completion of the closing event of the file and the storage of the file is completed to generate a modulated data file Data security system according to user policy setting at endpoint level.
delete delete 13. The method of claim 12,
In the modulation data file,
And an index indicating that the file is an encrypted file is added.
16. The method of claim 15,
Wherein the logging module comprises:
And the index information of the modulated data file to which the index is added is recorded on the Windows registry.
The method according to any one of claims 12, 15 or 16,
When a file open event occurs,
Windows registry,
Wherein the open event object file is decrypted by a decryption module when it is determined that the open event object file is a file in which index information is registered in the registry of the Windows operating system and decryption is performed by the decryption module.

Images