Corporate chat under DLP–system controlling

The article describes the development of a software package consisting of a secure corporate chat and a DLP (Data Leak Prevention) system in the form of a security monitor. Software development, project architecture, testing and other stages of creation are demonstrated. The operation of the security monitor is shown, and the functionality of the DLP system in the software package is considered.


Introduction
At present, when most areas of people's lives, systems and industrial enterprises are computerized, ensuring information security in such systems is a pressing issue. There are both external and internal threats, but for several decades computer science and technology have developed rapidly and successfully precisely in the direction of antivirus systems and systems that protect information from external intruders, while security incidents caused by internal violators (intruders) were not considered significant. According to Interstate Standard GOST R 53114-2008, an information security incident is understood as any unforeseen or undesirable event that may disrupt activity or information security [1][2][3]. Although industrial enterprises use various software and hardware systems to protect information, as well as programs for cryptographic transformation of stored data, which protect assets and other valuable information from hacker attacks, it is difficult to exclude the influence of the human factor. This can include unintentional mistakes by employees, operators and administrators, as well as deliberate conspiracies, transfer of information to competitors, and espionage. In this regard, the problem of protecting information at an industrial enterprise or another company from internal threats becomes extremely relevant.
The purpose of the article is to implement a set of software tools consisting of a secure corporate chat and a DLP (data leak prevention) system to protect data from internal information leaks in any enterprise, especially in small business.
This software package, a corporate chat under the control of a DLP system, is intended for use by employees inside the organization for setting and performing their work tasks, as well as for communicating within these tasks and exchanging files [4].
The role-based access control model and the DLP subsystem, whose function is to detect possible internal threats and prevent them, ensure the security and safety of information inside the corporate chat.
The following functional requirements for the software package are defined:
- Sending messages and files in the corporate chat and the e-mail client;
- Creating / deleting / editing corporate chat objects (users, departments, tasks, roles);
- Control of employee correspondence in the corporate chat;
- Tracking the distribution path of files transmitted in the chat and by e-mail;
- Threat detection in automatic and manual modes;
- Saving information to the database;
- Saving system events to the log;
- Alerting the security officer about all incidents.
The scheme of interaction between the software components is shown in Fig. 1.

Mathematical model and solution method
The software requires several components to operate: the corporate chat, a shared server, and the DLP system represented by the security monitor.
The corporate chat has a client-server architecture based on the thin client principle, that is, most of the data processing is performed on the server [5].
Within the framework of this software implementation, the development of the software tool is aimed at small business enterprises, so there is no need to process data on users' personal computers to reduce the load on the server.
At the user authorization level, the role identifier (ID) must be defined, according to which, after a successful login attempt, users are divided into 2 non-equal groups: administrators and regular users. The scheme of the chat architecture based on the role-based access control model is shown in Fig. 2. Looking at the chat in more detail, the following main algorithms should be highlighted: user authentication in the software; creating / editing / deleting objects; and sending messages and files in the corporate chat and in the chat's e-mail client. The user authorization scheme is shown in Fig. 3.
The user enters a username and password. The system checks them against the data stored in the database, and if the check succeeds, the user is logged in to the program and the event is recorded in the system. If the user enters incorrect data three times, the account is blocked and an incident report is sent to the security officer or administrator, who, in turn, investigates the incident and decides whether or not to unblock the account.
During authentication, the role IDs are checked in the system, and then the list of permissions is loaded. The program interface (windows, menus, tabs) is built depending on this data. For example, if the user has the right to create tasks, then the tasks menu will have the "Create" tab, and vice versa [6].
The security monitor consists of algorithms for searching the corporate chat for prohibited phrases from the dictionary, detecting internal threats in automatic and manual modes, logging events, and notifying the administrator about violations.
The threat detection algorithm detects violations based on the following signatures:
1. If there is a forbidden word or expression in the chat, a threat with low priority is detected.
2. If employees of different departments start a dialogue or send files to each other without any reason, that is, when no task is assigned between them, this indicates a high level of threat.
3. If employees send files or e-mails to external e-mail addresses that do not correspond to their corporate e-mail addresses, this is a high level of threat.
4. The number of attempts to log users into the system is recorded, and if there are more than 3 of them, the account is blocked, and this situation has a high level of threat.
The dictionary of forbidden words or phrases can be quite extensive, with different contexts. However, when such a phrase is found, the security officer makes the decision manually, since full automation of the system would require long and deep research into text analysis with neural networks and sentiment analysis of phrases, which is beyond the scope of this work.
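The four signatures above, sketched as a single pass over an event list. This is an added example, not the article's findIncident() code: the event schema, field names, the corp.example domain and the sample data are assumptions, while the incident names are the ones the article lists for the IncidentComponent class.

```javascript
// Added illustration; event schema, names and sample data are assumptions.
const MAX_LOGIN_ATTEMPTS = 3; // signature 4 fires on "more than 3" attempts
function findIncidents(events, ctx) {
  const incidents = [];
  const failed = new Map(); // user -> failed login count
  const report = (type, level, e) => incidents.push({ type, level, user: e.user, eventId: e.id });
  const shareTask = (a, b) =>
    ctx.tasks.some(t => t.members.includes(a) && t.members.includes(b));
  for (const e of events) {
    if (e.kind === 'login_failed') {
      const n = (failed.get(e.user) || 0) + 1;
      failed.set(e.user, n);
      // Report once, on the attempt that crosses the threshold.
      if (n === MAX_LOGIN_ATTEMPTS + 1) report('Password Brute force', 'high', e);
      continue;
    }
    if (e.kind === 'chat') {
      // Signature 2: different departments and no task linking the two users.
      const from = ctx.users[e.user], to = ctx.users[e.to];
      if (from && to && from.dept !== to.dept && !shareTask(e.user, e.to))
        report('Unsubstantiated dialog', 'high', e);
    }
    if (e.kind === 'mail') {
      // Signature 3: exact domain match, so "notcorp.example" is not accepted.
      const domain = e.toAddress.slice(e.toAddress.lastIndexOf('@') + 1).toLowerCase();
      if (domain !== ctx.corporateDomain)
        report('File output to external address', 'high', e);
    }
    // Signature 1: low priority; the security officer decides manually.
    const text = (e.text || '').toLowerCase().replace(/\s+/g, ' ');
    if (ctx.dictionary.some(p => text.includes(p)))
      report('Potentially dangerous phrases', 'low', e);
  }
  return incidents;
}
// Constructed sample data.
const ctx = {
  corporateDomain: 'corp.example',
  dictionary: ['client database'],
  users: { anna: { dept: 'sales' }, boris: { dept: 'it' }, vera: { dept: 'it' } },
  tasks: [{ id: 1, members: ['anna', 'vera'] }],
};
const events = [
  { id: 1, kind: 'chat', user: 'anna', to: 'vera', text: 'Task 1 report attached' },
  { id: 2, kind: 'chat', user: 'anna', to: 'boris', text: 'Send me the Client  Database' },
  { id: 3, kind: 'mail', user: 'boris', toAddress: 'x@notcorp.example' },
  ...[4, 5, 6, 7].map(id => ({ id, kind: 'login_failed', user: 'vera' })),
];
console.log(findIncidents(events, ctx));
```

The cross-department dialogue in event 1 is not reported because a task links the two users, and the dictionary match in event 2 survives the changed case and doubled space because the text is normalized before the lookup.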

Results of research
The core of the software is the CRM class, which is responsible for creating the lists of the system's subjects and objects: roles, users, tasks, departments, and dialogs. This class is also responsible for graphical navigation through the application, dividing the viewport into a list area and a detail area, and for initializing the server and loading all the program components. The CRM class contains methods such as loadTask() for loading the current task list, updateDialogList() for updating the list of dialogs, and PreInit() for server initialization and loading of the main windows available to the user according to his privileges. Fig. 4 shows the code snippet responsible for initializing the main windows of the application. The current user is determined, then the ID of his role is defined, and if the user does not have privileges to create a new user, task, user data, departments, etc., then these buttons are removed from his menu.
Three key API classes are implemented for interacting with the server: API, TaskAPI, and UserAPI. The API class has the set of methods LoadTasks, LoadMsg, LoadDialog, and LoadDepartament for loading objects of the types Rules, Dialog, Department, and Event from the server and converting them from a JSON-format string into objects of the specified type. Loading the data about departments and converting the information from the database into JSON format is shown in Fig. 5. The list of all server nodes is shown in Fig. 6.
This software implementation does not use a dedicated server but a virtual one, and the database is located locally on the same computer. HTTP and POST requests are used for interaction and communication with the server [7]. The code snippet that demonstrates the formation of the POST request is shown in Fig. 7. The Update() method is also used for sending requests to the server; it uses API class methods such as POST() and GetParamsString() to form the queue of URL requests, as shown in Fig. 8.
Returning to navigation in the application: its workspace is divided into 2 areas. On the left side, there is the list block, which is used to navigate through the system objects. This is where the CrmEntity interface is needed, since it allows one list template to be used for the entire system; it is represented by the ListItem class [8].
On the right side, there is the window for a detailed overview of the elements. This block is used within CRM for reviewing and editing objects. To edit CRM objects, special forms have been developed that use the methods of the API class to transfer operations to the server. There are also a number of windows that only allow viewing objects, without the ability to edit them [9].
The DLP-system security monitor has a Web interface written in the JavaScript programming language, for which the Angular framework was chosen [8,9]. This framework provides more opportunities to organize Web projects efficiently and to manage their logic and layout [10].
The findIncident() method checks the list of all system events, detects a threat by a certain signature, and determines its level.
The ChatComponents class loads the dialog between 2 users in the security monitor and displays messages using the methods ngOnInit(), getUser(), and toChat().
The EventComponents class displays user groups by department on the page and displays the events of the EventDlp type on the page. The getUser() method outputs the user IDs. The getObj() method determines the type of event in the system (Fig. 9).
The IncidentComponent class determines incidents from the list of system events and puts them in the "incidents" tab. It contains a similar getObj() method that detects incidents such as "Password Brute force", "Unsubstantiated dialog", "Potentially dangerous phrases", and "File output to external address" [12].
The layout of each page is written in HTML and includes the page for viewing dialogues and messages between users, the page for viewing information about employees by department, and the page with events and incidents [13].
The developed software tool consists of 3 components: the corporate chat, the DLP-system security monitor, and the server [14]. The components interact via the HTTP protocol. A MySQL database is used as the storage subsystem. The software tool was developed using the C#, PHP, and JavaScript programming languages with the Angular framework. For the components of the software package, the algorithmic design was carried out using schemes, together with a description of the main classes and methods.

Discussion and conclusions
The article describes the implemented software package consisting of a secure corporate chat and a DLP system in the form of a security monitor, defines the functional requirements, and performs the algorithmic and software design [15]. Its advantages include speed, effectiveness, and ease of use; control of employee correspondence with a search for forbidden words and phrases in the dictionaries; sufficient minimal functionality for tracking events in the system, detecting threats, and preventing information leakage; and low cost [16,17].