MA Zhaofeng, “CPSec DLP: Kernel-Level Content Protection Security System of Data Leakage Prevention,” Chinese Journal of Electronics, vol. 26, no. 4, pp. 827-836, 2017, doi: 10.1049/cje.2017.05.002

CPSec DLP: Kernel-Level Content Protection Security System of Data Leakage Prevention

doi: 10.1049/cje.2017.05.002
Funds:  This work is supported by the National Natural Science Foundation of China (No.61272519, No.61170297, No.61572080, No.61472258).
  • Received Date: 2017-01-12
  • Rev Recd Date: 2017-02-23
  • Publish Date: 2017-07-10
Abstract: Data leakage prevention (DLP) is very important for protecting sensitive or unauthorized data; however, most current DLP technologies are based on content monitoring, detection and filtering, which can be easily bypassed or cheated. We propose a thorough, high-level content protection secure scheme for DLP (CPSec DLP) based on kernel-level mandatory encryption. In it we propose a mutual authentication and key agreement method between client and server, adopting the SM2 algorithm for session key management, and we propose a kernel-level mandatory secure middleware for unstructured data protection. The secure middleware works in the File system driver (FSD) layer and supports "write-encryption, open-decryption" operation: once data is written to storage space, either on a hard disk or a USB disk, it is mandatorily encrypted, while when the data is opened the mandatory secure middleware decrypts it to plaintext in system memory. Moreover, we propose data sharing and delivery among domain-internal users and external customers. In the CPSec DLP scheme the encryption algorithms, security policy and rules can be dynamically parameterized when necessary, while throughout its lifecycle the data can only be used according to its usage control rules, such as read-only, write, save, print, export and backup rights. Based on the proposed CPSec DLP scheme, we implemented the CPSec DLP system in the kernel-level driver layer based on FSD, which supports parameterized processes and document formats for unstructured data leakage protection. A large number of experiments show that the proposed scheme is secure, reliable, extensible and efficient for leakage protection of unstructured data in various formats.
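The abstract's core mechanism is a middleware sitting between applications and storage that encrypts on write, decrypts on open, and refuses operations the data's usage control rules do not grant. The following Python model is an added illustration written for this page; it is not the paper's code and it does not touch a real file system driver. Everything below is assumed: the cipher is a stand-in (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, chosen only because the standard library has no SM4 or AES, whereas the real scheme parameterizes the algorithm), the session key is taken as already agreed (the SM2 key agreement is out of scope here), the `SecureMiddleware`, `PolicyError` and `demo` names are invented, and the users, rights and document are constructed sample data.

```python
"""Toy model of the "write-encryption, open-decryption" secure middleware.

Added illustration, not the paper's code. Assumptions (not from the paper):
- stand-in cipher: HMAC-SHA256 keystream in counter mode + HMAC tag;
- the session key is already agreed (SM2 exchange omitted);
- usage rules are a per-user set of rights held in a policy table.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one session key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # layout on "disk": nonce || ciphertext || tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # reject tampering or wrong key
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PolicyError(PermissionError):
    """Raised when a usage control rule denies an operation."""


class SecureMiddleware:
    """Stands in for the FSD-layer filter: storage only ever holds ciphertext."""

    def __init__(self, session_key: bytes, policy: dict):
        self._key = session_key
        self._policy = policy   # user -> set of rights (read, write, export, ...)
        self.storage = {}       # path -> bytes exactly as they would sit on disk

    def _check(self, user: str, right: str) -> None:
        if right not in self._policy.get(user, set()):
            raise PolicyError(f"{user} lacks the '{right}' right")

    def write(self, user: str, path: str, plaintext: bytes) -> None:
        self._check(user, "write")
        self.storage[path] = encrypt(self._key, plaintext)   # write-encryption

    def open(self, user: str, path: str) -> bytes:
        self._check(user, "read")
        return decrypt(self._key, self.storage[path])        # open-decryption

    def export(self, user: str, path: str) -> bytes:
        # Leaving the domain needs its own right, even for a user who can read.
        self._check(user, "export")
        return decrypt(self._key, self.storage[path])

    def raw_read(self, path: str) -> bytes:
        # What a process that bypasses the middleware sees: ciphertext only.
        return self.storage[path]


def demo() -> dict:
    # Constructed sample data: two users, one document, one session key.
    key = os.urandom(32)
    mw = SecureMiddleware(key, {"alice": {"read", "write", "export"}, "bob": {"read"}})
    mw.write("alice", "/docs/plan.docx", b"confidential plan")
    result = {"bob_opens": mw.open("bob", "/docs/plan.docx"),
              "raw_is_plain": mw.raw_read("/docs/plan.docx") == b"confidential plan"}
    try:
        mw.export("bob", "/docs/plan.docx")
        result["bob_export_denied"] = False
    except PolicyError:
        result["bob_export_denied"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the model is the split between `open`, which goes through the policy check and the key, and `raw_read`, which is what any tool reading the disk or USB volume directly obtains: without the middleware and its session key the bytes are useless, which is what makes the mandatory encryption harder to bypass than content filtering.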