Data security management method and system based on virtual disk

By using virtual disk and file redirection technologies, the data security management system can be easily embedded, solving the problem that data security management functions cannot be integrated into third-party applications in existing technologies, thus enhancing data security and application flexibility.

CN115495782B · Active · Publication Date: 2026-06-19 · IND BANK CO +1

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: IND BANK CO
Filing Date: 2022-09-16
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies cannot directly integrate data security control functions into third-party applications, limiting their use cases and secondary development capabilities.

Method used

By employing virtual disk, file filtering, and file redirection technologies, a data security management system that is easily embedded in third-party applications is implemented. This system includes loading dynamic libraries for third-party applications, installing virtual disk drivers, mounting virtual file disks, establishing kernel file filtering device communication, setting permissions, intercepting disk read/write requests for authentication, and transparently encrypting and decrypting data.

Benefits of technology

It enables easy embedding of the data security management system, solves the problem of difficult distribution of target programs, and enhances data security and application flexibility.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides a data security management method and system based on virtual disks, comprising: Step S1: A third-party application loads a dynamic library, calls the method provided by the dynamic library to install a virtual disk driver, and starts the service; Step S2: The third-party application calls the method provided by the dynamic library to check disk information and mount a virtual file disk; Step S3: The third-party application calls the method provided by the dynamic library to establish communication with a kernel file filtering device and set permissions; Step S4: The file filtering device intercepts disk read / write requests and performs authentication; Step S5: The file filtering device redirects files for the third-party application; Step S6: The virtual disk device key is used to transparently encrypt and decrypt disk data. Through virtual disk, file filtering, and file redirection technologies, this invention implements a data security management system that is easily embedded in third-party applications.

Description

Technical Field

[0001] This invention relates to the field of computing technology, and more specifically, to a data security management method and system based on virtual disks.

Background Technology

[0002] Many current file encryption and decryption systems ship with their own client applications. While these clients integrate data security management functions, those functions cannot be directly integrated into the customer's own applications, which greatly limits the application scenarios, scope, and secondary development capabilities of the customer's own applications.

[0003] Patent document CN111290833A (application number: CN202010068753.1) discloses a cloud platform management method. This invention includes: virtual machines employing a fault-tolerant mechanism; for stateful critical business applications, two virtual machines (primary and backup) are formed when the business application starts. During normal operation, the primary virtual machine operates, and the backup virtual machine continuously synchronizes the memory data of the primary virtual machine. When the primary virtual machine fails, the backup virtual machine takes over all business operations of the primary virtual machine. Containers employ replication technology; for stateless service applications, multiple container replicas are created when the service application starts. If the current container is unavailable, another container replica is started, ensuring continuous service operation. However, this invention does not utilize technologies such as virtual disks, file filtering, and file redirection to achieve a data security management system easily embedded in third-party applications.

Summary of the Invention

[0004] In view of the deficiencies in the prior art, the purpose of this invention is to provide a data security management method and system based on virtual disks.

[0005] A data security management method based on a virtual disk according to the present invention includes:

[0006] Step S1: The third-party application loads the dynamic library, calls the methods provided by the dynamic library to install the virtual disk driver and start the service;

[0007] Step S2: The third-party application calls the method provided by the dynamic library to check disk information and mount the virtual file disk;

[0008] Step S3: The third-party application calls the methods provided by the dynamic library to establish communication with the kernel file filtering device and set permissions;

[0009] Step S4: The file filtering device intercepts disk read / write requests and performs authentication;

[0010] Step S5: The file filtering device redirects files for third-party applications;

[0011] Step S6: The virtual disk device key is used to transparently encrypt and decrypt disk data.

[0012] Preferably, in step S1:

[0013] Step S1.1: Check if the driver file exists; if not, report an exception directly.

[0014] Step S1.2: Open the Service Manager with administrator privileges and create a driver service;

[0015] Step S1.3: Start the driver service and check if the service is started normally.

[0016] In step S2:

[0017] Step S2.1: Check if the default disk file exists. If it exists, input the parameters, including the file disk key and the mount partition, and perform the virtual disk mount operation.

[0018] Step S2.2: After receiving the IRP operation initiated by the third-party application, the virtual disk device determines whether the key is correct; if it is incorrect, it returns an error code to the third-party application; if it is correct, it opens the virtual disk file.

[0019] Step S2.3: If the virtual disk file does not exist, you will be prompted to set parameters, including disk size and key, and perform the virtual disk mounting operation. The newly created virtual disk will be automatically formatted as an empty disk according to the system's default file system.

[0020] Preferably, in step S3:

[0021] Step S3.1: The third-party application establishes a connection with the kernel driver file filtering device based on the communication port;

[0022] Step S3.2: The third-party application sends file filtering information to the kernel driver file filtering device, including the device application path, name, application signature, and access permissions;

[0023] Step S3.3: After receiving the information, the file filtering device stores it in the access control module;

[0024] Step S3.4: The third-party application disconnects from the kernel driver file filtering device.

[0025] Preferably, in step S4:

[0026] Step S4.1: The file filtering device intercepts application read / write requests;

[0027] Step S4.2: Read application information and call the access control module to determine whether it is the target program;

[0028] Step S4.3: If it is the target program, call the redirection module to perform the file redirection function;

[0029] Step S4.4: If the program is not the target program and is accessing a virtual disk, then deny the access and return an access denied error code to the upper-layer application.

[0030] Preferably, step S5 includes the following steps:

[0031] Step S5.1: If the target application initiates a file creation request, the file redirection module performs a query operation to check if the virtual disk directory exists; if it does not exist, the directory is created. After successful execution, the file creation IRP path is redirected to the virtual disk directory, and the file creation is completed.

[0032] Step S5.2: If the target application initiates a file read / write request, the file redirection module intercepts the IRP and first checks if the virtual disk kernel file exists; if it does not exist, the file read / write request is allowed; if it exists, the IRP is redirected.

[0033] Step S5.3: If the target application initiates a directory query operation, the file redirection module intercepts the IRP, performs two queries downwards, first querying the virtual disk, and then querying the disk where the path is located, and returns the combined results of the two queries to the upper-layer application;

[0034] Step S6 includes the following steps:

[0035] Step S6.1: The target application initiates a file read / write request;

[0036] Step S6.2: After being processed by the file filtering device, the virtual disk device receives the read / write request;

[0037] Step S6.3: Encrypt the data with AES according to the key, perform file read / write to disk and automatically encrypt / decrypt;

[0038] Step S6.4: Return the execution result to the upper-level application.

[0039] A data security management system based on a virtual disk, provided by the present invention, includes:

[0040] Module M1: Third-party applications load dynamic libraries, call the methods provided by the dynamic libraries to install virtual disk drivers and start services;

[0041] Module M2: Third-party applications call methods provided by the dynamic library to check disk information and mount virtual file disks;

[0042] Module M3: Third-party applications use methods provided by the dynamic library to establish communication with the kernel file filtering device and set permissions;

[0043] Module M4: A file filtering device that intercepts disk read / write requests and performs authentication.

[0044] Module M5: A file filtering device that redirects files for third-party applications;

[0045] Module M6: Virtual disk device keys enable transparent encryption and decryption of disk data.

[0046] Preferably, in module M1:

[0047] Module M1.1: Checks if the driver file exists; if it does not exist, it directly reports an exception.

[0048] Module M1.2: Open the Service Manager with administrator privileges and create a driver service;

[0049] Module M1.3: Starts the driver service and checks whether the service has started normally.

[0050] In module M2:

[0051] Module M2.1: Checks if the default disk file exists. If it exists, it inputs parameters, including the file disk key and the mount partition, and performs the virtual disk mount operation.

[0052] Module M2.2: After receiving an IRP operation initiated by a third-party application, the virtual disk device determines whether the key is correct; if it is incorrect, it returns an error code to the third-party application; if it is correct, it opens the virtual disk file.

[0053] Module M2.3: If the virtual disk file does not exist, it will prompt you to set parameters, including disk size and key, and perform virtual disk mounting operation, automatically formatting the newly created virtual disk as an empty disk according to the system default file system.

[0054] Preferably, in module M3:

[0055] Module M3.1: Third-party applications establish connections with kernel driver file filtering devices based on communication ports;

[0056] Module M3.2: Third-party applications send file filtering information to the kernel driver file filtering device, including the device application path, name, application signature, and access permissions;

[0057] Module M3.3: After receiving information, the file filtering device stores it in the access control module;

[0058] Module M3.4: Third-party applications disconnect from kernel driver file filtering devices.

[0059] Preferably, in module M4:

[0060] Module M4.1: A file filtering device that intercepts application read and write requests;

[0061] Module M4.2: Reads application information and calls the access control module to determine whether it is the target program;

[0062] Module M4.3: If it is the target program, it calls the redirection module to perform file redirection.

[0063] Module M4.4: If the program is not the target application and is accessing a virtual disk, then the access is denied and an access denied error code is returned to the upper-layer application.

[0064] Preferably, the module M5 includes the following steps:

[0065] Module M5.1: If the target application initiates a file creation request, the file redirection module performs a query operation to check if the virtual disk directory exists; if it does not exist, the directory is created. After successful execution, the file creation IRP path is redirected to the virtual disk directory, completing the file creation.

[0066] Module M5.2: If the target application initiates a file read / write request, the file redirection module intercepts the IRP and first checks if the virtual disk kernel file exists; if it does not exist, the file read / write request is allowed; if it exists, the IRP is redirected.

[0067] Module M5.3: If the target application initiates a directory query operation, the file redirection module intercepts the IRP, performs two queries downwards, first querying the virtual disk, and then querying the disk where the path is located, and returns the combined results of the two queries to the upper-layer application;

[0068] The module M6 includes the following steps:

[0069] Module M6.1: The target application initiates file read / write requests;

[0070] Module M6.2: After being processed by the file filtering device, the virtual disk device receives read / write requests;

[0071] Module M6.3: Encrypts data using AES based on the key, performs file read / write operations to disk, and automatically encrypts and decrypts data;

[0072] Module M6.4: Returns the execution result to the upper-level application.

[0073] Compared with the prior art, the present invention has the following beneficial effects:

[0074] 1. This invention implements a data security management system that is easily embedded into third-party applications through technologies such as virtual disks, file filtering, and file redirection;

[0075] 2. This invention solves the problem of difficulty in distributing the original data security management system along with the target program.

Attached Figure Description

[0076] Other features, objects, and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:

[0077] Figure 1 is a flowchart of the present invention.

Detailed Implementation

[0078] The present invention will now be described in detail with reference to specific embodiments. These embodiments will help those skilled in the art to further understand the present invention, but do not limit the invention in any way. It should be noted that those skilled in the art can make several changes and improvements without departing from the concept of the present invention. These all fall within the protection scope of the present invention.

[0079] Example 1:

[0080] This invention encapsulates the relevant functions of the application layer of a data security management system into a dynamic library, and combines it with kernel-level functions such as file redirection, file filtering, and virtual encrypted disks, ultimately realizing a data security management system that can be integrated into third-party applications, as shown in Figure 1.

[0081] Step 1: The third-party application loads the dynamic library;

[0082] Step 2: The third-party application calls the method provided by the dynamic library to install the virtual disk driver and start the relevant services;

[0083] Step 3: The third-party application calls the method provided by the dynamic library to check disk information and mount the virtual file disk;

[0084] Step 4: The third-party application calls the methods provided by the dynamic library to establish communication with the kernel file filtering device and sets application access permissions, etc.

[0085] Step 5: The file filtering device intercepts disk read / write requests and performs authentication;

[0086] Step 6: The file filtering device redirects files for third-party applications;

[0087] Step 7: Use the virtual disk device key to transparently encrypt and decrypt disk data.

[0088] Step 2 includes the following steps:

[0089] 1) Check if the driver file exists; if not, report an exception directly.

[0090] 2) Open the Service Manager with administrator privileges and create a driver service;

[0091] 3) Start the service and check if it starts normally.

[0092] Step 3 includes the following steps:

[0093] 1) Check if the default disk file exists (e.g., C:\Users\xxx.img). If it exists, enter the file disk key and mount partition parameters, and perform the virtual disk mount operation.

[0094] 2) After receiving the relevant IRP operation initiated by the third-party application, the virtual disk device determines whether the key is correct; if it is incorrect, it returns an error code to the third-party application; if it is correct, it opens the relevant virtual file.

[0095] 3) If the disk file does not exist, you will be prompted to set the disk size, key and other related parameters, and perform the virtual disk mounting operation. The newly created virtual disk will be automatically formatted as an empty disk according to the system's default file system.

[0096] Step 4 includes the following steps:

[0097] 1) Third-party applications establish connections with kernel driver file devices based on communication ports;

[0098] 2) Third-party applications send information such as application path, name, application signature, and access permissions to the file filtering device;

[0099] 3) After receiving relevant information, the file filtering device stores it in the access control module;

[0100] 4) The third-party application disconnects from the kernel driver file device.

[0101] Step 5 includes the following steps:

[0102] 1) File filtering devices intercept application read and write requests;

[0103] 2) Read application information and call the access control module to determine whether it is the target program;

[0104] 3) If it is the target program, then execute the file redirection function;

[0105] 4) If it is not the target program, and the access is to a virtual disk, then deny the access and return an access denied error code to the upper-layer application.

[0106] Step 6 includes the following steps:

[0107] 1) If the target application initiates a file creation request, such as the path C:\sammy\1.txt, the file redirection module performs a query operation to check if the virtual disk (e.g., disk A:) contains the directory A:\sammy. If it does not exist, the A:\sammy directory is created. After successful execution, the file creation IRP is modified to A:\sammy\1.txt;

[0108] 2) If the target application initiates a file read / write request, such as the path C:\sammy\1.txt, the file redirection module intercepts the IRP and first checks if A:\sammy\1.txt exists. If it does not exist, the file read / write request is allowed; if it exists, the IRP is redirected to A:\sammy\1.txt.

[0109] 3) If the target application initiates a directory query operation, such as the path C:\sammy, the file redirection module intercepts the IRP and performs two queries downwards: first querying the virtual disk F:\sammy, and then querying C:\sammy. The combined results of the two queries are then returned to the upper-layer application.
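The access check of step 5 and the redirection rules of step 6 above, written out as a small user-mode C model; this is an added example, not code from the patent or its applicant. The registered application path, the signature string, the pass-through of a target that addresses A: directly, the fail-closed handling of overlong paths and the de-duplication of merged listings are assumptions; the A: drive and C:\sammy\1.txt follow the page's example.

```c
/* Added example: user-mode model of the filter's decisions, not driver code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VDISK "A:" /* virtual disk drive, as in the page's A:\sammy example */
#define MAXP 128

typedef enum { OP_CREATE, OP_READWRITE } op_t;
typedef enum { ACT_DENY, ACT_PASS, ACT_REDIRECT } act_t;

/* Access-control entry as registered over the communication port:
 * application path, signature, permission. All values are constructed. */
typedef struct { const char *image; const char *sig; int allowed; } acl_t;
static const acl_t ACL[] = { { "C:\\Demo\\app.exe", "SIG-PLACEHOLDER", 1 } };

static char vdisk[16][MAXP]; /* constructed stand-in for the A: namespace */
static int vdisk_n;

/* Windows paths compare case-insensitively; a case-sensitive test would
 * let "a:\..." slip past the virtual-disk check. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int vdisk_has(const char *p) {
    for (int i = 0; i < vdisk_n; i++) if (ieq(vdisk[i], p)) return 1;
    return 0;
}

static void vdisk_add(const char *p) {
    if (!vdisk_has(p) && vdisk_n < 16) snprintf(vdisk[vdisk_n++], MAXP, "%s", p);
}

static int on_vdisk(const char *p) {
    return toupper((unsigned char)p[0]) == VDISK[0] && p[1] == ':';
}

/* Target = registered path AND matching signature AND permission granted. */
static int is_target(const char *image, const char *sig) {
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++)
        if (ieq(ACL[i].image, image) && strcmp(ACL[i].sig, sig) == 0)
            return ACL[i].allowed;
    return 0;
}

/* Decide one request; on ACT_REDIRECT, out holds the rewritten path. */
act_t filter_request(const char *image, const char *sig, op_t op,
                     const char *path, char *out, size_t outlen) {
    out[0] = '\0';
    if (!is_target(image, sig))              /* step 5, items 3) and 4) */
        return on_vdisk(path) ? ACT_DENY : ACT_PASS;
    /* Assumption: target paths on A: or without a drive letter pass through. */
    if (on_vdisk(path) || !isalpha((unsigned char)path[0]) || path[1] != ':')
        return ACT_PASS;
    if ((size_t)snprintf(out, outlen, "%s%s", VDISK, path + 2) >= outlen)
        return ACT_DENY;                     /* assumption: fail closed */
    if (op == OP_CREATE) {                   /* step 6, item 1) */
        char dir[MAXP], *slash;
        snprintf(dir, sizeof dir, "%s", out);
        if ((slash = strrchr(dir, '\\')) != NULL && slash > dir + 2) {
            *slash = '\0';
            vdisk_add(dir);                  /* create A:\sammy if missing */
        }
        vdisk_add(out);
        return ACT_REDIRECT;
    }
    return vdisk_has(out) ? ACT_REDIRECT : ACT_PASS;   /* step 6, item 2) */
}

/* Step 6, item 3): merge two listings, virtual disk first. Dropping
 * same-named entries from the original disk is an assumption. */
int merge_listing(const char **v, int nv, const char **c, int nc,
                  const char **out, int cap) {
    int n = 0;
    for (int i = 0; i < nv && n < cap; i++) out[n++] = v[i];
    for (int i = 0; i < nc && n < cap; i++) {
        int dup = 0;
        for (int j = 0; j < nv; j++) dup |= ieq(v[j], c[i]);
        if (!dup) out[n++] = c[i];
    }
    return n;
}

int main(void) {
    char out[MAXP];
    int a = filter_request("C:\\Demo\\app.exe", "SIG-PLACEHOLDER", OP_CREATE,
                           "C:\\sammy\\1.txt", out, sizeof out);
    printf("target create: action=%d path=%s\n", a, out);
    return 0;
}
```

In this model the signature comparison is what stops a different executable placed at the registered path from being treated as the target; matching on path or name alone would not.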

[0110] Step 7 includes the following steps:

[0111] 1) The target application initiates a file read / write request;

[0112] 2) After being processed by the file filtering device, the virtual disk device receives read / write requests;

[0113] 3) Encrypt the data using AES based on the key, perform file read / write operations on the disk, and automatically encrypt and decrypt;

[0114] 4) Return the execution result to the upper-level application.

[0115] Those skilled in the art will understand that, in addition to implementing the system, apparatus, and their modules provided by this invention in purely computer-readable program code, the same program can be implemented in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers by logically programming the method steps. Therefore, the system, apparatus, and their modules provided by this invention can be considered a hardware component, and the modules included therein for implementing various programs can also be considered structures within the hardware component; alternatively, modules for implementing various functions can be considered both software programs implementing the method and structures within the hardware component.

[0116] Specific embodiments of the present invention have been described above. It should be understood that the present invention is not limited to the specific embodiments described above, and those skilled in the art can make various changes or modifications within the scope of the claims, which do not affect the essence of the present invention. Unless otherwise specified, the embodiments and features described in this application can be arbitrarily combined with each other.

Claims

1. A data security management method based on virtual disks, characterized in that it includes:
Step S1: The third-party application loads the dynamic library, calls the methods provided by the dynamic library to install the virtual disk driver and start the service;
Step S2: The third-party application calls the method provided by the dynamic library to check disk information and mount the virtual file disk;
Step S3: The third-party application calls the methods provided by the dynamic library to establish communication with the kernel file filtering device and set permissions;
Step S4: The file filtering device intercepts disk read / write requests and performs authentication;
Step S5: The file filtering device redirects files for third-party applications;
Step S6: The virtual disk device key is used to transparently encrypt and decrypt disk data;
In step S1:
Step S1.1: Check if the driver file exists; if not, report an exception directly.
Step S1.2: Open the Service Manager with administrator privileges and create a driver service;
Step S1.3: Start the driver service and check if the service is started normally;
In step S2:
Step S2.1: Check if the default disk file exists. If it exists, input the parameters, including the file disk key and the mount partition, and perform the virtual disk mount operation.
Step S2.2: After receiving the IRP operation initiated by the third-party application, the virtual disk device determines whether the key is correct; if it is incorrect, it returns an error code to the third-party application; if it is correct, it opens the virtual disk file.
Step S2.3: If the virtual disk file does not exist, you will be prompted to set parameters, including disk size and key, and the virtual disk will be mounted. The newly created virtual disk will be automatically formatted as an empty disk according to the system's default file system.
In step S3:
Step S3.1: The third-party application establishes a connection with the kernel driver file filtering device based on the communication port;
Step S3.2: The third-party application sends file filtering information to the kernel driver file filtering device, including the device application path, name, application signature, and access permissions;
Step S3.3: After receiving the information, the file filtering device stores it in the access control module;
Step S3.4: The third-party application disconnects from the kernel driver file filtering device.

2. The data security management method based on virtual disk according to claim 1, characterized in that, in step S4:
Step S4.1: The file filtering device intercepts application read / write requests;
Step S4.2: Read application information and call the access control module to determine whether it is the target program;
Step S4.3: If it is the target program, call the file redirection module to perform the file redirection function;
Step S4.4: If the program is not the target program, and the access is to a virtual disk, then deny the access and return an access denied error code to the upper-layer application.

3. The data security management method based on virtual disk according to claim 1, characterized in that:
Step S5 includes the following steps:
Step S5.1: If the target application initiates a file creation request, the file redirection module performs a query operation to check if the virtual disk directory exists; if it does not exist, the directory is created. After successful execution, the file creation IRP path is redirected to the virtual disk directory, and the file creation is completed.
Step S5.2: If the target application initiates a file read / write request, the file redirection module intercepts the IRP and first checks if the virtual disk kernel file exists; if it does not exist, the file read / write request is allowed; if it exists, the IRP is redirected.
Step S5.3: If the target application initiates a directory query operation, the file redirection module intercepts the IRP, performs two queries downwards, first querying the virtual disk, and then querying the disk where the path is located, and returns the combined results of the two queries to the upper-layer application;
Step S6 includes the following steps:
Step S6.1: The target application initiates a file read / write request;
Step S6.2: After being processed by the file filtering device, the virtual disk device receives the read / write request;
Step S6.3: Encrypt the data with AES according to the key, perform file read / write to disk and automatically encrypt / decrypt;
Step S6.4: Return the execution result to the upper-level application.

4. A data security management and control system based on virtual disks, characterized in that it includes:
Module M1: Third-party applications load dynamic libraries, call the methods provided by the dynamic libraries to install virtual disk drivers and start services;
Module M2: Third-party applications call methods provided by the dynamic library to check disk information and mount virtual file disks;
Module M3: Third-party applications use methods provided by the dynamic library to establish communication with the kernel file filtering device and set permissions;
Module M4: A file filtering device that intercepts disk read / write requests and performs authentication.
Module M5: A file filtering device that redirects files for third-party applications;
Module M6: Uses virtual disk device keys to transparently encrypt and decrypt disk data;
In module M1:
Module M1.1: Checks if the driver file exists; if it does not exist, it directly reports an exception.
Module M1.2: Open the Service Manager with administrator privileges and create a driver service;
Module M1.3: Starts the driver service and checks whether the service has started normally;
In module M2:
Module M2.1: Checks if the default disk file exists. If it exists, it inputs parameters, including the file disk key and the mount partition, and performs the virtual disk mount operation.
Module M2.2: After receiving an IRP operation initiated by a third-party application, the virtual disk device determines whether the key is correct; if it is incorrect, it returns an error code to the third-party application; if it is correct, it opens the virtual disk file.
Module M2.3: If the virtual disk file does not exist, it will prompt you to set parameters, including disk size and key, and perform virtual disk mounting operation, automatically formatting the newly created virtual disk as an empty disk according to the system default file system;
In module M3:
Module M3.1: Third-party applications establish connections with kernel driver file filtering devices based on communication ports;
Module M3.2: Third-party applications send file filtering information to the kernel driver file filtering device, including the device application path, name, application signature, and access permissions;
Module M3.3: After receiving information, the file filtering device stores it in the access control module;
Module M3.4: Third-party applications disconnect from kernel driver file filtering devices.

5. The data security management and control system based on virtual disk according to claim 4, characterized in that, in module M4:
Module M4.1: A file filtering device that intercepts application read and write requests;
Module M4.2: Reads application information and calls the access control module to determine whether it is the target program;
Module M4.3: If it is the target program, it calls the redirection module to perform file redirection.
Module M4.4: If the program is not the target application and is accessing a virtual disk, then the access is denied and an access denied error code is returned to the upper-layer application.

6. The data security management and control system based on virtual disk according to claim 4, characterized in that:
The module M5 includes the following steps:
Module M5.1: If the target application initiates a file creation request, the file redirection module performs a query operation to check if the virtual disk directory exists; if it does not exist, the directory is created. After successful execution, the file creation IRP path is redirected to the virtual disk directory, completing the file creation.
Module M5.2: If the target application initiates a file read / write request, the file redirection module intercepts the IRP and first checks if the virtual disk kernel file exists; if it does not exist, the file read / write request is allowed; if it exists, the IRP is redirected.
Module M5.3: If the target application initiates a directory query operation, the file redirection module intercepts the IRP, performs two queries downwards, first querying the virtual disk, and then querying the disk where the path is located, and returns the combined results of the two queries to the upper-layer application;
The module M6 includes the following steps:
Module M6.1: The target application initiates file read / write requests;
Module M6.2: After being processed by the file filtering device, the virtual disk device receives read / write requests;
Module M6.3: Encrypts data using AES based on the key, performs file read / write operations to disk, and automatically encrypts and decrypts data;
Module M6.4: Returns the execution result to the upper-level application.