Patent Application
20230222249
The present disclosure relates to cyber security. Various embodiments include information leakage detection methods and/or apparatus.
Cyber security is increasingly important. Information leakage detection systems, as a type of security solution, can be used to detect accidental outflow of information, monitoring permissions, access status and unauthorized access identities. At present, common operation methods of information leakage detection systems include: using encryption methods to protect data, using software installed on the operating system to monitor access to files, etc. The implementation mechanisms of these information leakage detection systems are relatively complex, the software implementation involves the operating system, and most of them need to be implemented by processes running at the backend.
For example, the patent document titled “Information Leak Prevention Device, and Method and Program Thereof” with a publication number of CN101971186B uses encryption to protect data; while “Method and Apparatus for Preventing Information Leak” with a publication number of CN1300654C discloses a solution that utilizes software installed on the operating system to monitor access to files. At present, most information leakage detection systems need to be implemented by software running on the protected systems, which consumes a large amount of computer resources and may cause failure of the protected systems to run normally.
Embodiments of the teachings of the present disclosure include information leakage detection methods and apparatus, and a computer-readable medium, which can effectively detect information leakage and uses a smaller amount of computer resources. For example, some embodiments include an information leakage detection method (200), characterized by comprising: acquiring (S201) a data packet (30) sent from a protected system (100) to the outside; identifying (S202) signatures from the data packet (30), wherein a signature uniquely corresponds to a host (1000) in the protected system (100) and is stored in one or a plurality of files in the corresponding host (1000); and when a signature is identified, deciding (S203) that information in the host (1000) corresponding to the identified signature is leaked.
In some embodiments, identifying (S202) a signature from the data packet (30) comprises: using each pre-stored coded signature to match the data packet (30) to identify a signature; and/or using each pre-stored compressed signature to match the data packet (30) to identify a signature.
In some embodiments, the one or plurality of files start and end with the signature corresponding to the host where they are located.
In some embodiments, the one or plurality of files include at least one of the following information items: file description information; and information of the host (1000) where the file is located.
In some embodiments, a signature is stored in a plurality of files in the corresponding host (1000), and the plurality of files are located at different positions of the host (1000).
In some embodiments, each of the plurality of files includes storage location information of the file in the host (1000).
In some embodiments, a signature is generated based on an identifier of the corresponding host (1000); or a signature is generated based on a plurality of identifiers of the corresponding host (1000).
In some embodiments, a signature is computed based on a Hash algorithm, and the signatures corresponding to different hosts (1000) have the same length.
In some embodiments, the file name of the one or plurality of files includes the signature corresponding to the host where a file is located.
In some embodiments, the one or plurality of files are hidden files and/or static files.
As another example, some embodiments include an information leakage detection apparatus (10), characterized by comprising: a data packet acquiring module (201), configured to acquire a data packet (30) sent from a protected system (100) to the outside; a signature identification module (202), configured to identify signatures from the data packet (30), wherein a signature uniquely corresponds to a host (1000) in the protected system (100) and is stored in one or a plurality of files in the corresponding host (1000); and a deciding module (203), configured to, when a signature is identified, decide that information in the host (1000) corresponding to the identified signature is leaked.
In some embodiments, the data packet acquiring module (201) is specifically configured to: use each pre-stored coded signature to match the data packet (30) to identify a signature; and/or use each pre-stored compressed signature to match the data packet (30) to identify a signature.
As another example, some embodiments include an information leakage detection apparatus (10), characterized in that it comprises: at least one memory (101), configured to store computer-readable code; and at least one processor (102), configured to call the computer-readable code to execute one or more of the methods described herein.
As another example, some embodiments include a computer-readable medium, characterized in that the computer-readable medium stores a computer-readable instruction, which, when executed by a processor, causes the processor to execute one or more of the methods described herein.
Some embodiments of the teachings herein include an information leakage detection method comprising: acquiring a data packet sent from a protected system; identifying signatures from the data packet, wherein a signature uniquely corresponds to a host in the protected system and is stored in one or a plurality of files in the corresponding host; if a signature is identified, deciding that information in the host corresponding to the identified signature is leaked.
Some embodiments include an information leakage detection apparatus comprising: a data packet acquiring module, configured to acquire a data packet sent from a protected system; a signature identification module, configured to identify signatures from the data packet, wherein a signature uniquely corresponds to a host in the protected system and is stored in one or a plurality of files in the corresponding host; and a deciding module, configured to decide that information in the host corresponding to the identified signature is leaked if a signature is identified.
Some embodiments of the teachings herein include an information leakage detection apparatus comprising: at least one memory, configured to store a computer-readable code; at least one processor, configured to call the computer-readable code to perform the steps of one or more of the methods described herein.
Some embodiments of the teachings herein include a computer-readable medium which stores a computer-readable instruction that, when executed by a processor, causes the processor to perform the steps of one or more of the methods described herein.
In some embodiments, files comprising signatures are stored in a host of the protected system in advance. Because the signatures in these files are identifiable, it is possible for an attacker to transmit these files together when attempting to steal information from the protected system, and the signatures contained in these files will appear in the data packets sent from the protected system to the outside. Since a signature is unique to one host in the protected system, it is possible to determine from which host the information is leaked. The solution has the advantages of simple implementation and little impact on the protected system. It can be deployed on devices or systems with limited resources, can effectively detect information leakage, and can track the particulars of the information leaked, for example, the location of the leaked information in the protected system, etc.
In some embodiments, optionally, for identifying signatures from a data packet, each pre-stored encoded signature may be used to match the data packet to identify a signature. Optionally, for identifying signatures from a data packet, each pre-stored compressed signature may be used to match the data packet to identify a signature. When an attacker steals information, the information may be encoded, compressed, etc. Therefore, each signature may be processed in advance with different encoding methods and compression methods, and the processed signatures are stored. In this way, after a data packet is acquired, the processed signatures are directly used for matching easily and quickly. Once matching is successful, the decoding and decompression methods used by the attacker can also be determined. Based on this, the information stolen by the attacker can be further decoded and decompressed to determine what information is stolen from where in which host and when.
In some embodiments, the one or plurality of files start and end with the signature corresponding to the host where they are located. Such a special location facilitates signature extraction. In addition, with the signature as the start and end, the content in the middle of a file can be demarcated, so that the content in the middle of the file can be easily extracted.
In some embodiments, the one or plurality of files include at least one of the following information items: file description information; information of the host where a file is located. These information items may be used to analyze the attacker's behavior and may also be used to determine the information is stolen by the attacker from where in which host and when, which can provide basis for further emergency measures and evidence collection.
In some embodiments, a signature is stored in a plurality of files in the corresponding host, and the plurality of files are located at different positions of the host. A plurality of files at different locations can further increase the probability of detecting information leakage.
In some embodiments, each of the plurality of files includes storage location information of the file in the host. The obtained storage location information may be used to analyze the attacker's behavior.
In some embodiments, a signature is generated based on an identifier of the corresponding host. In some embodiments, a signature is generated based on a plurality of identifiers of the corresponding host. The advantage of this is that it can prevent the collision of signatures of different hosts after a certain algorithm is used to generate the signatures.
In some embodiments, a signature is computed based on a hash algorithm, and the signatures corresponding to different hosts have the same length. In this way, the signature lengths of different hosts are made the same, which is convenient for subsequent identification of signatures from data packets.
In some embodiments, the file name of the one or plurality of files includes the signature corresponding to the host where the file is located. The more times a signature appears, the more likely it is to be identified after it is packaged into a data packet.
In some embodiments, the one or plurality of files are hidden files and/or static files. It is safer to place static files in a protected system, which usually poses no additional risk. Setting files as hidden files can reduce the probability of attackers discovering the files and make it easier to detect information leakage.
The subject matter described herein will now be discussed by referring to exemplary embodiments. It should be understood that the discussion of these embodiments is only intended to enable those skilled in the art to better understand and realize the subject described herein, and is not intended to limit the scope, applicability, or examples set forth in the claims. The functions and arrangement of the discussed elements may be changed without departing from the scope of the present disclosure. Various processes or components may be deleted, replaced or added in each example as needed. For example, the method described herein may be executed in a sequence different from the described sequence, and various steps may be added, omitted, or combined. In addition, the features described in relation to some examples may also be combined in other examples.
As used herein, the term “comprise” and its variations is an open term that means “including but not limited to”. The term “based on” means “at least partially based on”. The term “one embodiment” or “an embodiment” means “at least one embodiment”. The term “another embodiment” means “at least one other embodiment”. The term “first”, “second”, etc. may refer to different or the same objects. Other definitions, either explicit or implicit, may be included below. Unless clearly indicated in the context, the definition of a term is consistent throughout the description.
The preset signature 40 may be stored in a signature library, which can be stored in at least one memory 101 of the information leakage detection apparatus 10, or may be stored in a separate computer, for example, a remote server. The information leakage detection apparatus 10 can acquire a data packet 30 sent from the protected system 100 through its communication module 103 and identify from the data packet 30 whether there is a signature 40 pre-stored in the signature library, or, when there is a signature 40, decide that the information in the host 1000 corresponding to the signature 40 is leaked.
The information leakage detection apparatus 10 may acquire the data packet 30 in a variety of optional methods. For example, the protected system 100 is connected to a network traffic distributor, which is used to copy or forward the data packet 30 sent from the protected system 100 to the outside. In implementation, the network traffic distributor may be a switch, a router, a firewall, or a gateway. The device may be part of the protected system 100 or part of the information leakage detection apparatus 10. The information leakage detection apparatus 10 acquires the data packet 30 through this device.
As mentioned previously, conventional information leakage detection methods require running software on the protected system, which consumes the processing and storage resources of the protected system. Conventional methods cannot be applied to systems with limited processing and storage resources. For example, for an upper computer in an industrial control system, its purpose is for industrial control, often with limited processing and storage resources, and thus conventional information leakage detection methods cannot be applied.
In some embodiments, files containing signatures are pre-stored in the host 1000 of the protected system 100, for example, in some folders that store key information. Because the signatures in these files are identifiable, it is possible for an attacker to transmit these files together when attempting to steal information from the protected system 100, and the signatures comprised in these files will appear in the data packets 30 sent from the protected system 100 to the outside. It should be noted that the data packets 30 may be packets conforming to any network protocol, and the information leakage detection apparatus 10 may acquire these data packets 30, analyze them according to the corresponding network protocol, acquire the payload transmitted in the data packets 30, and use pre-stored signatures 40 to match the contents of these payloads, to decide whether the data packets 30 include preset signatures 40. Since a signature 40 is unique to one host 1000 in the protected system 100, it is possible to determine from which host 1000 information is leaked.
In some embodiments, a file may start and end with its corresponding signature 40, and such a special position facilitates extraction of the signature 40. In addition, with the signature 40 as the start and end, the content in the middle of a file can be demarcated, so that the content in the middle of the file can be easily extracted. Optionally, the file name may also include the signature 40. The more times a signature 40 appears, the more likely it is to be identified after it is packaged into a data packet 30. In addition to the signature at the start and end of a file, the following information may also be included:
1) File description information
For example, the file creation time, file modification time, file creator, file processor, file storage location, etc.
2) Information of the host 1000
For example, the name of the host 1000, IP address of the host 1000, etc.
These information items may be used to analyze the attacker's behavior and may also be used to determine the information is stolen by the attacker from where in which host and when, which can provide basis for further emergency measures and evidence collection.
In some embodiments, a host 1000 may store a plurality of such files, and these files may be stored at different locations on the host 1000. In some embodiments, the file content may include the storage location information of the file in the host 1000. A plurality of files in different locations can further increase the probability of detecting information leakage; in addition, the obtained storage location information may also be used to analyze the behavior of an attacker.
In some embodiments, the signature 40 may be generated based on an identifier of the host 1000, for example, the ID of the host 1000, or the name of the host 1000. In some embodiments, a signature 40 may also be generated based on a plurality of identifiers of the host 1000. The advantage of this is that it can prevent the collision of signatures of different hosts 1000 after a certain algorithm is used to generate the signatures 40.
In some embodiments, a signature 40 may be generated based on a hash algorithm. In this way, the lengths of the signatures 40 of different hosts 10000 are made the same, which is convenient for subsequent identification of signatures 40 from data packets 30. The Hash algorithm may be the message digest algorithm (MD5), secure hash algorithm (SHA-1), etc.
When an attacker steals information, the information may be encoded, compressed, etc., for example, Base64 processing, Uniform Resource Locator (URL) encoding, tar packaging, etc. Therefore, the information leakage detection apparatus 10 can process each signature 40 in advance with different encoding methods and compression methods and store the processed signatures 40. In this way, after a data packet 30 is acquired, the processed signatures 40 are directly used for matching easily and quickly. Once matching is successful, the decoding and decompression methods used by the attacker can also be determined. Based on this, the information stolen by the attacker can be further decoded and decompressed to determine what information is stolen from where in which host and when.
In some embodiments, these files may be set as hidden files, for example, by prefixing the filename with a dot. This can reduce the probability of attackers discovering the files and make it easier to detect information leakage.
In some embodiments, these files may be static files, for example, .txt files. Compared with dynamic files, for example, executable files such as .exe files, it is safer to place these files in the protected system 100 without posing additional risk.
The implementation of the information leakage detection apparatus 10 will be described below with reference to
The at least one processor 102 may be a microprocessor, an application specific integrated circuit (ASIC), a digital signal processor (DSP), a central processing unit (CPU), a graphics processing unit (GPU), a state machine, etc. Examples of the computer-readable medium include, but are not limited to, a floppy disk, CD-ROM, magnetic disk, memory chip, ROM, RAM, ASIC, configured processor, all-optical medium, all magnetic tape or another magnetic medium, or any other medium from which a computer processor can read instructions. In addition, various other forms of computer-readable media can transmit or carry instructions to a computer, including routers, private or public networks, or other wired and wireless transmission devices or channels. The instructions may include code in any computer programming language, including C, C++, C language, Visual Basic, java, and JavaScript.
When executed by the at least one processor 102, the at least one memory 101 shown in
It should be mentioned that embodiments of teachings of the present disclosure may include apparatuses having different architectures than that shown in
In some embodiments, the above modules may also be regarded as functional modules implemented by hardware, which are used to implement various functions involved in the information leakage detection apparatus 10 when executing the information leakage detection method. For example, the control logics of the processes involved in the method are burnt into a chip such as a field-programmable gate array (FPGA) or a complex programmable logic device (CPLD), and these chips or devices perform the functions of the above modules. The specific implementation method can be determined according to the engineering practice.
As shown in
For other optional implementations of the method, reference may be made to the foregoing description, which will not be repeated here. In addition, the various embodiments of the present disclosure may include a computer-readable medium storing a computer-readable instruction, which, when executed by a processor, causes the processor to perform the information leakage detection method described above. Examples of the computer-readable medium include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, and DVD+RW), magnetic tapes, volatile memory cards and ROMs. In some embodiments, the computer-readable instruction may be downloaded from a server computer or a cloud via a communication network.
In some embodiments, there is an information leakage detection method and/or apparatus, and a computer-readable medium. They have the advantages of simple implementation and little impact on the protected system. It can be deployed on devices or systems with limited resources, can effectively detect information leakage, and can track the particulars of the information leaked, for example, the location of the leaked information in the protected system, etc.
It should be noted that not all steps and modules in the above processes and system structural diagrams are necessary, and some steps or modules may be ignored based on actual needs. The sequence of execution of the steps is not fixed and can be adjusted as needed. The system structure described in the above embodiments may be a physical structure or a logical structure, i.e., some modules may be implemented by the same physical entity, or some modules may be implemented by multiple physical entities or may be implemented by certain components in several independent devices working together.
This application is a U.S. National Stage Application of International Application No. PCT/CN2020/093047 filed May 28, 2020, which designates the United States of America, the contents of which are hereby incorporated by reference in their entirety.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/CN2020/093047 | 5/28/2020 | WO |
