Existing electronic information security field have three sub-fields including the system security, data security and device security.
In the field of the data security, there are nowadays three techniques to keep data safe: (1) data content security technique including data encryption-decryption technique and end-to-end data encryption technique, which is used to guarantee that data content is not accessed illegally during the storage and transmission process; (2) data security transfer technique including techniques to prevent unauthorized copying, printing or other output action, which is used to guarantee that data content is safe during the use and transmission process; (3) network isolation technique, which includes techniques such as network physical isolation and setting up network security barrier.
However, since the above techniques are not capable of fully addressing the problems such as computer OS kernel viruses, Trojan horses, operating system loophole or vulnerability, system back door and divulging secrets, malicious codes may exist on a computing device such as a computer. According to analysis from AV-Test lab, total effective detection rate for hazardous behavior in computers is 50% at most. Once malicious codes enter a terminal system, the above encryption technique, anti-copy technique and network blocking technique are of no help or ineffective. Further, existing hacker techniques can penetrate or break above security techniques and implant malicious codes using operating system loophole and system back door, and steal user data by the malicious code. And the above techniques cannot prevent secret-related personnel from divulging secrets actively or passively, for example, an employee can use portable storage equipment to download information or data from an internal network or terminal to cause a secret leak.
As illustrated in FIG. 1, there shows a schematic diagram of an existing computer terminal system which includes a user interface layer 101, an application layer 102, an operating system (OS) kernel layer 103, a hardware mapping layer 104 and a hardware layer 105. Users of such terminal system operate the computer terminal system and have graphical or non-graphical feedback through the user interface of user interface layer 101. Taking the operation of saving data as an example:                (1) the user selects the function of “save” on the user interface of an application program;        (2) application layer 102 invokes or calls the corresponding code, which transforms the “save” instruction into one or more interface functions provided by the operating system, that is to say, the “save” operation becomes a call to a series of interface functions provided by the operating system;        (3) the OS kernel layer 103 receives the above call to the interface functions of operating system, and transforms each of the interface functions of operating system to one or more interface functions provided by the hardware mapping layer 104, that is to say, the “save” operation becomes a call to a series of interface functions provided by the hardware mapping layer 104;        (4) each of the interface functions provided by the hardware mapping layer 104 is transformed into one or more hardware instruction calls in the hardware mapping layer 104;        (5) hardware of the hardware layer 105 such as CPU receives the hardware instruction calls and executes hardware instructions.        
When the above computer terminal is invaded by malicious codes, the malicious codes can access data in the system; after stealing data, the behavior pattern of malicious codes includes (1) storage action: to save the target data to certain storage location; and (2) transmission action: to transmit directly the stolen data or target data to a specified destination address through internet. In addition, the behavior pattern of divulging secrets by secret-related personnel who use the above computing device or information equipment includes: (1) divulging secrets actively: secret-related personnel get confidential information directly by ways like active copy, using malicious tools to penetrate security system, implant Trojan horses etc.; (2) divulging secrets passively: computers or storage mediums used by secret-related personnel are improperly used or lost which causes secrets leaks, e.g., the secret leaks caused by a secret-related device being connected directly to the Internet.
Therefore, a computer terminal system applying the above data security techniques still faces the following problems: (1) anti-copy technique based on equipment filtering cannot prevent the confidential information at the terminal from being illegally stored; (2) techniques based on network filtering cannot guarantee that confidential information is fully under control; (3) secret-related personnel divulge secrets through malicious codes or malicious tools; and (4) secret-related personnel divulge secrets because secret-related devices or storage mediums are lost.
In conclusion, there is a need for a method which can guarantee data security even after a terminal system is invaded by a malicious code.