1. Field of the Invention
The present invention relates to a method for recognizing information flow and detecting information leakage by analyzing a user's behaviors, and more particularly, to a method for recognizing information flow and detecting information leakage by analyzing a user's behaviors, in which the user's behaviors are monitored in view of information flow and systematically represented, and behavior analysis is performed to determine whether the user's behaviors cause information leakage.
2. Description of the Related Art
As one of the information flow related technologies, Dorothy E. Denning proposed a lattice model which guarantees secure information flow in 1976. The lattice model suggests a mathematical model for secure information flow when information flow is generated by access to an object having a predetermined security level. The lattice model is widely used in a variety of information security fields, for example, access control. Such a model guarantees secure information flow (that is, the flowing of information in an intended direction) and merely gives a mathematical definition of problems such as information leakage, in which information does not flow in an intended direction; it is limited in suggesting systematic solutions.
In 2006, Xuxian Jiang et al. proposed a process coloring approach, which is a behavior analysis method based on the lattice model. The process coloring approach assigns different colors to processes (or services) providing remote services and diffuses the colors to the resources accessed by a specific process. When such a color diffusion model is applied to information leakage protection, a specific color is assigned to an object to be protected, and the corresponding color is diffused according to the accesses of the processes. When the color is diffused to a location where information leakage is possible, it is detected as information leakage. However, since this method is focused on detecting and protecting against information leakage, it is limited in systematically representing a user's behaviors.
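The color diffusion described above can be sketched as follows. This is an added example, not code from the patent or from Jiang et al.'s implementation; the event format, the file and process names, the `usb:` prefix for leak points, and the rule that a spawned child inherits its parent's colors are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (subject process, operation, target)
EVENTS = [
    ("winword.exe", "read",  "C:/secret/plan.doc"),
    ("winword.exe", "write", "C:/tmp/copy.doc"),
    ("notepad.exe", "read",  "C:/public/readme.txt"),
    ("notepad.exe", "write", "usb:/E:/readme.txt"),   # uncolored write, no alert
    ("zip.exe",     "read",  "C:/tmp/copy.doc"),
    ("zip.exe",     "write", "C:/tmp/out.zip"),
    ("zip.exe",     "spawn", "copy.exe"),
    ("copy.exe",    "write", "usb:/E:/out.zip"),      # colored write, alert
]

def is_leak_point(target):
    """Assumed convention: removable media are named with a 'usb:' prefix."""
    return target.startswith("usb:")

def diffuse(events, protected, leak_check=is_leak_point):
    """Diffuse colors along accesses; return (alerts, final color map)."""
    colors = defaultdict(set)              # process or object -> set of colors
    for obj, color in protected.items():
        colors[obj].add(color)             # color each protected object
    alerts = []
    for subject, op, target in events:
        if op == "read":                   # flow: object -> process
            colors[subject] |= colors[target]
        elif op == "write":                # flow: process -> object
            if leak_check(target) and colors[subject]:
                alerts.append((subject, target, sorted(colors[subject])))
            colors[target] |= colors[subject]
        elif op == "spawn":                # assumption: child inherits colors
            colors[target] |= colors[subject]
    return alerts, colors

if __name__ == "__main__":
    found, _ = diffuse(EVENTS, {"C:/secret/plan.doc": "RED"})
    for proc, dest, cols in found:
        print(f"leak: {proc} wrote {cols} data to {dest}")
```

The alert names only the last process and the destination; the intermediate hops (`copy.doc`, `zip.exe`, `out.zip`) are not recorded anywhere in the result.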
Furthermore, commercial solutions for information leakage protection are designed to control unauthorized storage media, or to encrypt a file in order to prevent information from being written through a leakage point such as a USB port, an IEEE 1394 port, or the like. In addition, when an attempt to leak out a file is detected, it is determined whether the corresponding file is a confidential document that should be protected. In this case, since the moving path of the corresponding file is not detected exactly, information leakage may not be effectively detected when complicated and varied information flows occur.