Method and apparatus for protecting data using a virtual environment

US 8,782,798 B2
Filed: 08/10/2010
Issued: 07/15/2014
Est. Priority Date: 08/11/2009
Status: Active Grant

First Claim

Patent Images

1. A data protection method comprising:

constructing a virtual environment having therein resources that support execution of an application program in a computer;

when a process generated based on the application program corresponds with a preset condition, driving the process within the virtual environment; and

processing data within the virtual environment in response to a data input request or a data output request generated by the process,wherein said driving the process includes;

monitoring generation of the process;

determining whether the process is allowed to access the virtual environment based on a result obtained by comparing the monitored process and the preset condition; and

when the process is determined to be allowed to access the virtual environment, driving the process within the virtual environment, and when the process is determined not to be allowed to access the virtual environment, driving the process outside the virtual environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method and apparatus for protecting data using a virtual environment, which creates a safe virtual environment that supports the execution of application programs being operated on a computer and which enables important data to be inputted or outputted only within the virtual environment, such that access to the important data is prevented in a general local environment. According to the present invention, data leakage is initially prevented to protect data, and convenience is provided in that a user may use the computer in a general manner while performing desired work.

Citations

19 Claims

1. A data protection method comprising:
- constructing a virtual environment having therein resources that support execution of an application program in a computer;
  
  when a process generated based on the application program corresponds with a preset condition, driving the process within the virtual environment; and
  
  processing data within the virtual environment in response to a data input request or a data output request generated by the process,wherein said driving the process includes;
  
  monitoring generation of the process;
  
  determining whether the process is allowed to access the virtual environment based on a result obtained by comparing the monitored process and the preset condition; and
  
  when the process is determined to be allowed to access the virtual environment, driving the process within the virtual environment, and when the process is determined not to be allowed to access the virtual environment, driving the process outside the virtual environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said constructing a virtual environment includes generating a virtual data storage unit as one of the resources within the virtual environment, the virtual data storage unit being accessible by a process driven within the virtual environment but not being accessible by a process driven outside the virtual environment.
  - 3. The method of claim 2, wherein the virtual data storage unit includes at least any one of a virtual image file existing in a local disk of the computer, an external storage device connected to the computer, a file server connected to the computer through a network, a web hard accessible by the computer, and a file transfer protocol (FTP) host accessible by the computer.
  - 4. The method of claim 2, wherein the data processed in response to the data input request or the data output request is processed by using the virtual data storage unit.
  - 5. The method of claim 4, wherein when status information of the local disk is displayed on a user interface of the application program, the virtual data storage unit is mapped to the local disk to display the status information of the local disk by merging the same with status information of the virtual data storage unit.
  - 6. The method of claim 4, wherein, in response to the data output request, the data is subjected to an encryption process based on a predefined security rule and then stored in the virtual data storage unit.
  - 7. The method of claim 4, wherein when, in response to the data input request, the data is subjected to a decryption process based on a predefined security rule and then read from the virtual data storage unit.
  - 8. The method of claim 1, further comprising:
    - when there is a data transmission request for transmitting data from the virtual environment to a local environment, encrypting the data based on a predefined security rule and storing the encrypted data in a local disk of the local environment.
  - 9. The method of claim 1, further comprising:
    - when there is a data fetch request for fetching data from the local environment to the virtual environment, decrypting the data based on a predefined security rule and reading decrypted data.

10. A data protection apparatus comprising:
- a process monitoring unit configured to monitor a process which is generated by based on an application program in a computer;
  
  a virtualization driving unit configured to construct a virtual environment having therein resources that support execution of the application program, and, when the process corresponds with a preset condition, driving drive the process within the virtual environment; and
  
  a data processing unit configured to process data within the virtual environment in response to a data input request or an output request, which is generated by the process,wherein said driving the process includes;
  
  monitoring generation of the process;
  
  determining whether the process is allowed to access the virtual environment based on a result obtained by comparing the monitored process and the preset condition; and
  
  when the process is determined to be allowed to access the virtual environment, driving the process within the virtual environment, and when the process is determined not to be allowed to access the virtual environment, driving the process outside the virtual environment.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The apparatus of claim 10, wherein the virtualization driving unit generates a virtual data storage unit as one of the resources, which is accessible by a process driven within the virtual environment but is not accessible by a process driven outside the virtual environment, within the virtual environment.
  - 12. The apparatus of claim 11, wherein the virtual data storage unit includes at least any one of a virtual image file existing in a local disk of the computer, an external storage device connected to the computer, a file server connected to the computer through a network, a web hard accessible by the computer, and a file transfer protocol (FTP) host accessible by the computer.
  - 13. The apparatus of claim 11, wherein the virtualization driving unit generates a virtualization component configured to support execution of the application program in the virtual environment.
  - 14. The apparatus of claim 11, wherein the data processing unit processes the data in response to the data input request or the data output request by using the virtual data storage unit.
  - 15. The apparatus of claim 11, wherein when status information of the local disk is displayed on a user interface of the application program, the data processing unit maps the virtual data storage unit to the local disk to display the status information of the local disk by merging the same with status information of the virtual data storage unit.
  - 16. The apparatus of claim 14, wherein, in response to the data output request, the data is subjected to an encryption process based on a predefined security rule and then stored in the virtual data storage unit.
  - 17. The apparatus of claim 14, wherein, in response to the data input request, the data is subjected to a decryption process based on a predefined security rule and then read from the virtual data storage unit.
  - 18. The apparatus of claim 10, wherein when there is a data transmission request for transmitting data from the virtual environment to a local environment, the data processing unit encrypts the data based on a predefined security rule and stores the encrypted data in a local disk of the local environment.
  - 19. The apparatus of claim 10, wherein when there is a data fetch request for fetching data from the local environment to the virtual environment, the data processing unit decrypts the data based on a predefined security rule and reads decrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ahnlab Incorporated
Original Assignee
Ahnlab Incorporated
Inventors
Kang, Kyung Wan, Kim, Kwang Tae, Park, Heean
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US13/389,883
Publication Number

US 20120144500A1
Time in Patent Office

1,435 Days
Field of Search

726/4, 726/26, 365/195
US Class Current

726/26
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Method and apparatus for protecting data using a virtual environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting data using a virtual environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links