The teachings in accordance with exemplary and non-limiting embodiments of this invention relate generally to a data protection system, and more particularly to a data protection system configured to prevent information leak, loss and breach from data files that do not meet acceptance criteria according to pre-specified data protection rules based on security policy.
Traditional data protection has been realized by software vaccines on an endpoint device (e.g., user PC, etc.) or by a firewall at the network stage, which has the disadvantages of requiring a large computing power and of having a decreased security accuracy.
Unlike the said endpoint protection or network protection, a data protection technology that minimizes the computing power consumed for data protection and enhances security accuracy by protecting data at the storage that stores the data is referred to as ‘storage protection’.
The said storage protection technology may be utilized in various forms of data protection including, but not limited to, prevention of data loss (i.e., data loss prevention) caused by malware (an abbreviation of malicious software) such as ransomware, prevention of data from being stolen through phishing, etc. (i.e., data breach prevention) and prevention of data leak by insiders (i.e., data leak prevention).
Therefore, a new storage protection technology is required that improves the security accuracy of data protection and minimizes computing power while integrally coping with data loss, data breach and data leak.
The present invention is devised to solve the aforementioned disadvantages and it is an object of the present invention to provide a data protection system configured to prevent information leak, loss and breach from data files that do not meet acceptance (permit) condition according to pre-specified data protection rules based on security policy while being network-connected with a host device (e.g., a user terminal or a service server) but physically including an independent separate data protection storage.
In one aspect of the present invention, there may be provided a data protection system comprising:
a data protection storage device; and
an agent program disposed on a user terminal or a service server to perform an interlocking operation with the data protection storage device through network, wherein the data protection system may determine whether an ‘open request’ meets an acceptance condition according to a prespecified data protection rule when there is the ‘open request’ from a host device on a file stored in the data protection storage device, and may return a fake file, which is not an original source file of the ‘open-requested file’, to the host device when the ‘open request’ does not meet the acceptance condition.
The data protection system according to an exemplary embodiment of the present invention has advantageous effects in that information leak, loss and breach can be prevented from data files that do not meet acceptance condition according to the prespecified data protection rules based on security policy while being network-connected with a host device (e.g., a user terminal or a service server) but physically including an independent separate data protection storage.
The present invention may be applied with various changes and have several exemplary embodiments, where particular exemplary embodiments will be exemplified in the drawings and described in detail through the detailed description of the present invention.
However, it should be understood that the present invention is not limited to particular embodiments, but encompasses all changes, modifications, equivalents and substitutes included within the ideas and technical scopes of the present invention.
In describing the present invention, detailed descriptions of well-known technologies are omitted for brevity and clarity so as not to obscure the description of the present invention with unnecessary detail. It will be understood that, although the numerical terms (e.g., first, second, etc.) may be used herein to describe various elements, these elements should not be limited by these terms. These terms are simply identification symbols only for use to distinguish one element from another.
Furthermore, it should be interpreted across the entire specification that, when an element is referred to as being “connected to” or “coupled to” another element, it may be directly connected or coupled to the other element, or intervening elements may be present therebetween, unless otherwise specially mentioned. Furthermore, it should be further understood across the entire specification that the terms “comprises,” “comprising,” “including,” and “having,” are inclusive and therefore specify the presence of other elements, but do not preclude the presence or addition of one or more other elements, unless the context clearly indicates otherwise.
A data protection system according to the present invention may comprise: a data protection storage device; and an agent program disposed on a host device corresponding to a user terminal or a service server to perform an interlocking operation with the data protection storage device via network.
At this time, the data protection system may determine whether an ‘open request’ meets an acceptance condition according to a prespecified data protection rule when there is the ‘open request’ from a host device on a file stored in the data protection storage device, and may return a fake file, which is not an original source file of the ‘open-requested’ file, to the host device when the ‘open request’ does not meet the acceptance condition.
Here, the fake file refers to a file whose body is filled with a null value or a meaningless value, but whose file capacity is the same as that of the original source file of the ‘open-requested file’.
Hereinafter, a variety of exemplary embodiments of the data protection system according to the present invention will be described in detail with reference to the accompanying drawings.
Here,
Each exemplary embodiment to be hereinafter described exemplifies a case where data protection rules are respectively and differently applied based on security policy. However, it should be apparent that two or more data protection rules may be simultaneously applied for each exemplary embodiment to be hereinafter described, based on system design method or security policy.
Although it will be clearly understood through explanations to be described hereinafter, the said data protection rules may be set (established) by any one acceptance condition or a group of more than two acceptance conditions among an acceptance condition that allows only a file access by a preregistered executable program (a case of
At this time, the said setting of the data protection rules may require an additional authentication {e.g., an OTP (One Time Password) authentication, a user identity authentication, such as biometric authentication} through a certifier as to whether a setting-registered user corresponds to a user having a setting authority of the data protection rules.
[Description of
The data protection rule in the data protection system according to an exemplary embodiment of
The agent program may be connected to the data protection storage device via network to allow a file archive area of the data protection storage device to be mounted on a host device such as a user PC in a network drive shape (the explanation of which is also the same for the following
Thereafter, when there is an ‘open request’ from the host device for a file stored in the data protection storage device, the agent program may transmit, to the data protection storage device, the information of the executable program that accesses the said ‘open-requested file’.
At this time, the data protection storage device or software (hereinafter simply and integrally referred to as ‘device’) may perform verification on the received information of the executable program. When the request is an ‘open request’ through a program other than the preregistered executable program, the device may return a fake file, which is not an original file of the ‘open-requested file’, to the host device, and when the request is an ‘open request’ through the preregistered executable program, the device may return the original file of the ‘open-requested file’ to the host device.
Here, the information of the preregistered executable program (hereinafter referred to as ‘identification information’ or ‘identification value’) may be any one of: full path route information on the storage location of the executable program driven by the relevant host device; binary hash information on the relevant executable program; and process ID information of the executable program (executable program information) assigned by the host device on which the relevant agent program is executed. A combination of at least two of these, or a value or hash value generated by using such a combination, may also be utilized.
For example, when the full path route information or the binary hash information is used as the information of the executable program (i.e., executable program information), the data protection storage device may verify whether the full path route information or the binary hash information in the executable program information received from the agent program matches the full path route information or binary hash information of the designated program registered with the device itself. If matched, the ‘open-requested original file’ is returned to the host device, and if not matched, a fake file, which is not an original file of the ‘open-requested file’, is returned.
[Description of
The data protection rule in the data protection system according to an exemplary embodiment of
The agent program may transmit, to the data protection storage device, the ‘open-requested file’ information and the information of the executable program that accesses the ‘open-requested file’ when there is an ‘open request’ from the host device for the file stored in the data protection storage device.
At this time, the data protection storage device may perform the verification on the received executable program information to return, to the host device, the fake file, which is not an original source file of the ‘open-requested file’, when the request is an ‘open request’ through a program other than the preregistered executable program specified for each file, and to return, to the host device, the original file of the ‘open-requested file’ when the request is an ‘open request’ through the preregistered executable program specified for each file.
Here, the information of the preregistered executable program (hereinafter referred to as ‘identification information’ or ‘identification value’) may be any one of: full path route information (route information of full path) on the storage location of the executable program driven by the relevant host device; binary hash information on the relevant executable program; and process ID information of the executable program (executable program information) assigned by the host device on which the relevant agent program is executed. A combination of at least two of these, or a value or hash value generated by using such a combination, may also be utilized, the explanation of which is the same as that of what was described in
At this time, the identification information or identification value for identifying a relevant file may also use any one information from the full path route information on storage location of executable program driven by the relevant host device and the binary hash information of relevant file, a combination of two information or a hash value generated by using the said two combinations.
The data protection method according to the abovementioned exemplary embodiment of
Furthermore, at this time, in the case of a regular file that is not a protection object file, the relevant file may be provided in a read-only mode instead of a fake file being returned (that is, ‘read’ is allowed on the relevant file, but it is provided in a state that does not allow changes such as write, correction and deletion). The said explanation may be equally applied to the aforementioned exemplary embodiment of
[Description of
The data protection rule in the data protection system according to an exemplary embodiment of
The agent program may transmit, to the data protection storage device, the open-requested file information and the user information of the ‘file open request’ when there is an ‘open request’ from the host device on the file stored in the data protection storage device.
At this time, the data protection storage device may perform the verification on the received user information to return, to the host device, the fake file, which is not an original source file of the ‘open-requested file’, when the request is an ‘open request’ by a user other than a legitimate accessible user specified for each file, and to return, to the host device, the original file of the ‘open-requested file’ when the request is an ‘open request’ by the legitimate accessible user specified for each file,
Furthermore, the data protection storage device may additionally set a security level for each user according to the need, just like the aforementioned protection object file grade, compare the security grade level of the received open request object file with a security level of a relevant user, and return a fake file to the host device when the user's security level is lower than the security level of the object file.
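The acceptance checks described above (a preregistered executable program specified for each file, a legitimate user specified for each file, and a user security level compared with the file's level) can be sketched as follows; this is an added Python example, not part of the original specification. The `FileRule` model, function names, verdict strings and sample data are hypothetical, and the identification value is a SHA-256 hash over full path plus binary hash, an assumed choice among the combinations the text allows.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRule:
    """Per-file acceptance conditions (hypothetical model of the rules described above)."""
    allowed_programs: frozenset  # registered program identification values
    allowed_users: frozenset     # legitimate accessible users for this file
    security_level: int          # minimum user security level for the original

def program_id(full_path: str, binary: bytes) -> str:
    """Identification value: hash over full path plus binary hash."""
    binary_hash = hashlib.sha256(binary).hexdigest()
    return hashlib.sha256(f"{full_path}|{binary_hash}".encode()).hexdigest()

def fake_file(original: bytes) -> bytes:
    """Same file capacity as the original, body filled with null values."""
    return b"\x00" * len(original)

def handle_open(store, rules, user_levels, name, user, reported_id):
    """Storage-side decision: return (body, verdict) for one open request."""
    original = store[name]
    rule = rules.get(name)
    if rule is None:                       # assumption: unlisted files are unprotected
        return original, "original:unprotected"
    program_ok = any(hmac.compare_digest(reported_id, p) for p in rule.allowed_programs)
    if not program_ok:
        return fake_file(original), "fake:program"
    if user not in rule.allowed_users:
        return fake_file(original), "fake:user"
    if user_levels.get(user, 0) < rule.security_level:
        return fake_file(original), "fake:level"
    return original, "original:accepted"

# Constructed sample data (not from the page).
SHEET_PATH = r"C:\Program Files\Sheet\sheet.exe"
STORE = {"payroll.xlsx": b"constructed payroll body", "readme.txt": b"hello"}
RULES = {"payroll.xlsx": FileRule(
    allowed_programs=frozenset({program_id(SHEET_PATH, b"constructed-binary-A")}),
    allowed_users=frozenset({"alice", "bob"}),
    security_level=3)}
USER_LEVELS = {"alice": 3, "bob": 1}

def demo():
    good = program_id(SHEET_PATH, b"constructed-binary-A")
    swapped = program_id(SHEET_PATH, b"constructed-binary-B")  # same path, other binary
    return [handle_open(STORE, RULES, USER_LEVELS, "payroll.xlsx", u, pid)[1]
            for u, pid in [("alice", good), ("alice", swapped), ("bob", good), ("eve", good)]]

if __name__ == "__main__":
    print(demo())
```

The second request in `demo()` reports the registered path with a different binary, so the combined identification value no longer matches and a null-filled body of the same length as the original is returned.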
[Description of
The data protection rule in the data protection system according to an exemplary embodiment of
The edit mode selection may correspond to a data protection processing method intended to permit free file manipulation behavior by a relevant user when a user manipulation is recognized that is clearly distinguishable from a ‘file open’ attempt by malware (that is, a clear file manipulation behavior by a human, which is neither malware pretending to be a human act nor a ‘file open’ attempt by a machine).
For example, as illustrated in
Toward this end, the agent program may provide, to the host device, selection information (see “edit mode open”, “edit mode switch” menu of
Although the foregoing description has exemplified a case where only a condition is applied that permits a ‘file open’ based on the edit mode selection, data security may be further strengthened, even in the case of an edit mode selection, by the following processing procedures, depending on the system implementation method.
That is, even if an ‘edit mode open’ on a specific file is selected by a user, the data protection storage device may return a fake file, which is not an original source file of the requested file, when the stored location of the relevant file corresponds to the data protection storage device, and when the executable program attempting to access the relevant file based on the relevant file open request is another executable program, which is not a previously registered security program.
[Description of
The data protection rule in the data protection system according to an exemplary embodiment of
The agent program in the case of
For example, when it is assumed that the data protection rule corresponds to a case applicable by an acceptance condition permitting only a file access by the preregistered executable program specified for each file, the agent program may register in advance an identification value of executable program accessible to a relevant data file value with the data management register, and may transmit an access program identification value that allows providing a real file to the data protection storage device only when an executable program, which accesses whenever an access to a relevant file is implemented, is registered as an access object program of the specified file. Otherwise, a fake file having the same file capacity as that of the original source file of the relevant file may be generated and returned to the host device.
The aforementioned data protection system of each exemplary embodiment according to the present invention includes a data protection storage device that is network-connected to a host device (e.g., a user terminal or service server) but that is physically and independently separated from it. Essential data files are not stored in the storage of the host device but are stored in the data protection storage device (e.g., an independent network file server mounted on an outside of the host device) mounted with a storage protection function. Although file generation by the host device is free within a network drive, files are provided to the host device in a manner that makes it impossible to leak, lose and breach a relevant file after generation of the files, whereby the data files within the data protection storage device can be protected.
The aforementioned data protection system of each exemplary embodiment according to the present invention has an advantageous effect in that leak, loss and breach of data files stored in the data protection storage device can be prevented, even if a host device is completely dominated or taken over by hackers or malware (malignant code) and the like. This is achieved by providing a data file to the host device through application of data protection rules that ascertain, when a file stored in the data protection storage device having the storage protection function is accessed, whether the access is by a legitimate program accessible to the relevant file or by a legitimate user.
While the present invention has been described with reference to the particular illustrative embodiments, it is not to be restricted by the embodiments but only by the appended claims. It should be apparent to those skilled in the art that embodiments can be variably changed or modified without departing from the scope and spirit of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
10-2021-0016570 | Feb 2021 | KR | national |

Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/KR2021/002051 | 2/18/2021 | WO |