CN107979595A - Private data guard method and gateway system - Google Patents
Private data guard method and gateway system Download PDFInfo
- Publication number
- CN107979595A CN107979595A CN201711180128.0A CN201711180128A CN107979595A CN 107979595 A CN107979595 A CN 107979595A CN 201711180128 A CN201711180128 A CN 201711180128A CN 107979595 A CN107979595 A CN 107979595A
- Authority
- CN
- China
- Prior art keywords
- data
- cloud service
- private
- request
- markers
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 28
- 230000004044 response Effects 0.000 claims abstract description 53
- 238000013499 data model Methods 0.000 claims abstract description 45
- 238000004458 analytical method Methods 0.000 claims abstract description 44
- 238000007634 remodeling Methods 0.000 claims abstract description 8
- 238000013507 mapping Methods 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 15
- 230000004048 modification Effects 0.000 claims description 11
- 238000012986 modification Methods 0.000 claims description 11
- 230000002427 irreversible effect Effects 0.000 claims description 10
- 230000002441 reversible effect Effects 0.000 claims description 8
- 230000008859 change Effects 0.000 claims description 4
- 230000008569 process Effects 0.000 claims description 4
- 230000000717 retained effect Effects 0.000 claims description 4
- 238000006243 chemical reaction Methods 0.000 claims description 3
- 238000013501 data transformation Methods 0.000 claims description 3
- 230000014759 maintenance of location Effects 0.000 claims description 2
- 230000004224 protection Effects 0.000 abstract description 16
- 230000000295 complement effect Effects 0.000 description 2
- 238000007405 data analysis Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 235000013399 edible fruits Nutrition 0.000 description 2
- 230000000739 chaotic effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 230000011218 segmentation Effects 0.000 description 1
- 238000000547 structure data Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- Medical Informatics (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The present invention proposes a kind of private data guard method and gateway system, and gateway system intercepts and captures the request data that user applies cloud service, identifies requested cloud service application, determine data model;Logical analysis request data is analyzed according to carrier, obtains the data markers structure of request data;Private data and the corresponding safeguard rule in private data safeguard rule storehouse are inquired about according to data model, and changes the data in the data markers structure of request data accordingly;According to amended data markers structural remodeling request data, and send to corresponding cloud service application;Receive the response data of cloud service application;Logic is analyzed according to carrier to parse response data, the data markers structure for the data that meet with a response;The data of the data markers structure of response data are handled according to corresponding private data and its safeguard rule so that corresponding data reduces.While protection user's private data can be achieved, the various applications that user uses cloud service are not influenced.
Description
Technical field
The present invention relates to computer information safety technique field, more particularly to a kind of private data guard method and net
Relation is united.
Background technology
With the development of internet and cloud, personal and enterprise customer more and more utilizes and relies on public cloud meter
The service provided is provided.From the storage of data to processing, cloud computing provides revolutionary availability and convenience.At the same time,
A significant challenge for hindering cloud popularization is the private data protection problem of user or enterprise customer.Such as crucial finance
Information, individual privacy etc..
At present public cloud product the protected mode of user data is relied primarily on high in the clouds encryption, but the generation of key, point
Hair and management are still provided by high in the clouds, its security is fully established on the trust to cloud service provider.User pacifies for data
Full worry is not resolved actually.
Some users then simply use the encrypted method of client.Only simple binary data store, and otherwise encrypt
Data afterwards are likely to destroy cloud service application logic completely, such as search for, Macro or mass analysis, then original application will no longer
It can use.More and more cloud service applications are built upon on user information basis, such as are counted, and are sorted, search, classification pipe
Reason etc..But the encrypted purpose of available data is the confusion degree of the increase information of maximum possible to reach protection cleartext information
Purpose, it is clear that the logic of this and the cloud application based on information deviates from.
For example, cloud application usually can all check email forms, if email is not inconsistent necessarily after simple encryption
The reference format of email is closed, such as cloud application is gmail or 163, user can be to wrap in searchable all email titles
The email of " Chinese sound " is included, if user's simple encryption title is to achieve the purpose that protection, then this function is with regard to unavailable.
Because " Shanghai Chinese sound ", " Han Sheng companies ", or " Chinese sound ", encrypting the result come will be unrelated, and user cannot use encryption
" Chinese sound " afterwards finds relevant mail.The application for example having again needs to carry out initial sequence to name, then encryption
Order afterwards is necessarily with original different.This will hinder the popularization of cloud service significantly.
The content of the invention
The technical problems to be solved by the invention are to provide a kind of private data guard method and gateway system, it can be achieved that protecting
While protecting user's private data, the various applications that user uses cloud service are not influenced.
To solve the above problems, the present invention proposes a kind of private data guard method, the gateway between user and high in the clouds
Performed in system, this method comprises the following steps:
S1:The request data that user applies cloud service is intercepted and captured, identifies requested cloud service application, determines the cloud clothes
The data model of business application;
S2:The request data according to carrier analyzes logical analysis, obtains the data markers structure of the request data, institute
The data markers structure for stating request data is stored with the data of tape label;
S3:Private data in the data model inquiry private data safeguard rule storehouse applied according to the cloud service identified
And corresponding safeguard rule, and the data in the data markers structure of the request data are changed accordingly;
S4:According to amended data markers structural remodeling request data, and send to corresponding cloud service application, wait
Response;
S5:Receive the response data of cloud service application;
S6:Response data is parsed according to the corresponding carrier analysis logic, the data mark for the data that meet with a response
Remember structure;
S7:According to corresponding private data and its safeguard rule to the data of the data markers structure of response data at
Reason so that corresponding data reduces.
According to one embodiment of present invention, the private data safeguard rule storehouse includes the mark of the corresponding private data of storage
The safeguard rule storehouse of the master database of knowledge and the safeguard rule of the corresponding private data of storage;
In the step S3, according to the data model of the cloud service application identified, inquire about in the master database
The private data of modification needed for corresponding, and the safeguard rule storehouse is inquired about to determine the safeguard rule corresponding to the private data,
The data of respective markers in the data markers structure of the request data are changed according to the private data and safeguard rule.
According to one embodiment of present invention, the private data safeguard rule storehouse is User Defined, by configuring
Master database is stated to define the private data that need to be changed, private data is repaiied to define by configuring the safeguard rule storehouse
Change mode.
According to one embodiment of present invention, the safeguard rule for private data to the mapping relations of encryption data, reflect
It is reversible or irreversible to penetrate relation;
In the step S3, to data be revised as private data is transformed to encryption data according to mapping relations;
In the step S7, carrying out processing to data is, if the mapping relations in step S3 are reversible, is closed according to mapping
Cryptographic data transformations are private data by system, if the mapping relations in step S3 are irreversible, do not do conversion process.
According to one embodiment of present invention, in the safeguard rule, retained according to the processing feature that cloud service is applied
The part statistical property of data, so that cloud service application can carry out statistical disposition according to the part statistical nature retained.
According to one embodiment of present invention, step S11 is further included before the step S1:To each cloud service apply into
Row analysis, determines the data model of each cloud service application, builds a data model libraries;User can to the data model libraries into
Row data model is changed, increased newly, deleting.
According to one embodiment of present invention, original character string is converted to tree structure by the carrier analysis logic, its
In, the data of the tape label of the leaf node storage of tree structure are minimum accessible data slots in original character string, from
The branch of root node to leaf node is data structure that is complete and progressively decomposing.
According to one embodiment of present invention, the accessible data slot of minimum is mapped in limited classification,
The mark of the data of the entitled leaf node of classification.
According to one embodiment of present invention, in the step S1, the cloud service application identified is marked;It is described
In step S2, the carrier analysis logic for the label lookup correspondence markings applied according to cloud service parses request data;Institute
State in step S6, respective markers are determined according to the cloud service of identification application, so as to be patrolled according to the analysis of the carrier of correspondence markings
Collect and response data is parsed.
The present invention also provides a kind of private data to protect gateway system, including:
Data acquisition identification module:Perform and intercept and capture the request data that user applies cloud service, identify requested cloud clothes
Business application, determines the data model of the cloud service application;
Request analysis module:The request data according to carrier analyzes logical analysis is performed, obtains the request data
Data markers structure, the data markers structure of the request data are stored with the data of tape label;
Data modification module:Perform the data model applied according to the cloud service identified and inquire about private data safeguard rule
Private data and corresponding safeguard rule in storehouse, and the data in the data markers structure of the request data are changed accordingly;
Rebuild sending module:Perform according to amended data markers structural remodeling request data, and send to corresponding
Cloud service application, wait-for-response;
Respond receiving module:Perform the response data for receiving cloud service application;
Respond parsing module:Perform and response data is parsed according to the corresponding carrier analysis logic, rung
Answer the data markers structure of data;
Data restoring module:According to corresponding private data and its safeguard rule to the data markers structure of response data
Data are handled so that corresponding data reduces.
After adopting the above technical scheme, the present invention has the advantages that compared with prior art:
In the present invention, relative to the scheme protected beyond the clouds, since gateway deployment is in user terminal, thus user's logarithm
According to possessing absolute control;Private data can be just protected before public network is entered, and by private data
Being protected for selection corresponding suitable safeguard rule, can not destroy the logic of cloud service application, ensure cloud service just
Often operation;
Can define private data in the present invention as needed by user, cloud service obtain be user's selection processed knot
Fruit;Cloud service provider or third party can edit carrier analysis logic and be used to end user, and user is based only on mark to determine
Adopted private data, the carrier analysis logic based on cloud service facilitate user and provide expansible platform at the same time.
Brief description of the drawings
Fig. 1 is the flow diagram of the private data guard method of one embodiment of the invention;
Fig. 2 is the workflow diagrams of the private data guard method of one embodiment of the invention.
Embodiment
In order to make the foregoing objectives, features and advantages of the present invention clearer and more comprehensible, below in conjunction with the accompanying drawings to the present invention
Embodiment be described in detail.
Many details are elaborated in the following description in order to fully understand the present invention.But the present invention can be with
Much implement different from other manner described here, those skilled in the art can be in the situation without prejudice to intension of the present invention
Under do similar popularization, therefore the present invention is not limited to the specific embodiments disclosed below.
Referring to Fig. 1 and Fig. 2, in one embodiment, private data guard method is in user 1 (user terminal) and high in the clouds
Performed in gateway system 2 between 3, thus the protection of the embodiment of the present invention is realized in gateway system 2, rather than beyond the clouds 3
Realize.Request data is sent to gateway system 2 by user 1, and gateway system 2 protects private data therein by processing
Afterwards, the request data after protection is submitted into high in the clouds 3, cloud service is applied to response data being returned to after request data response processing
To gateway system 2, gateway system 2 carries out solution protection to the private data in response data, and the response data solved after protecting is returned
Back to user, data flow is followed successively by the a1-a8 shown in Fig. 2.
Referring to Fig. 1, which comprises the following steps:
S1:The request data that user applies cloud service is intercepted and captured, identifies requested cloud service application, determines the cloud clothes
The data model of business application;
S2:The request data according to carrier analyzes logical analysis, obtains the data markers structure of the request data, institute
The data markers structure for stating request data is stored with the data of tape label;
S3:Private data in the data model inquiry private data safeguard rule storehouse applied according to the cloud service identified
And corresponding safeguard rule, and the data in the data markers structure of the request data are changed accordingly;
S4:According to amended data markers structural remodeling request data, and send to corresponding cloud service application, wait
Response;
S5:Receive the response data of cloud service application;
S6:Response data is parsed according to the corresponding carrier analysis logic, the data mark for the data that meet with a response
Remember structure, the data markers structure of the response data is corresponding with the data of the data markers structure of the request data;
S7:According to corresponding private data and its safeguard rule to the data of the data markers structure of response data at
Reason so that corresponding data reduces.
The private data guard method to the embodiment of the present invention is more particularly described below, but should not be in this, as limit
System.
In step S1, when user sends request data to cloud service application, gateway system can be by the number of request of user
According to intercepting and capturing, the feature in request data can identify requested cloud service application.Cloud service application refers to arbitrarily
High in the clouds provide application program, identification the result is that specific cloud service program.For example, GMail be google provide
Mailer in high in the clouds, Baidu's cloud disk be beyond the clouds in storage service program, QQ be beyond the clouds in instant messaging program
Etc..Different application programs has different features, thus can identify each cloud service application.
After identifying requested cloud service application, the data model of the cloud service application can be determined.Data model
The types of data, form, length in being applied including cloud service, using elements such as logics.Refer to cloud service application using logic
To the processing mode of data.In subsequent step, corresponding safeguard rule is usually determined according to these yuan.
Preferably, in the case where the data model of cloud service application has not determined, step is further included before step S1
S11:Each cloud service application is analyzed, the data model of each cloud service application is determined, builds a data model libraries.It is right
The analysis of cloud service application includes forming one to the type of its data, form, length, the analysis using logic etc., analysis result
Data model, and the data model that each cloud service is applied is stored together and is configured to a data model libraries.
As cloud service application is increasingly enriched, many cloud service applications additionally provide Data expansion function, such as self-defined
Data etc..In this case, advance data model analysis may not provide complete data model, will at this time need to use
Family complementary definition data model, and be added in data model libraries, because user is the author and supplier of self-defining data.Example
Such as, analysis in advance can only know that certain field is the word string of regular length, user should complementary definition its be used as telephone number, then
With regard to can be handled in subsequent step using the safeguard rule of phone number format.Thus, it is preferable to, user can be to the data
Model library carries out changing, increase newly, deleting for data model.
Then step S2 is performed, the request data according to carrier analyzes logical analysis, obtains the number of the request data
According to mark structure, the data for being stored with tape label of the data markers structure of the request data.Carrier analyzes logic in data
Mark structure is corresponding, it is necessary to which what kind of data markers structure just analyzes logic to be carried out to request data with corresponding carrier
Analysis, as long as data analysis can will be handled out in request data.
Preferably, original character string is converted to tree structure by carrier analysis logic, that is, original character string is exactly to ask
Data, analyze logic by carrier and convert it to data markers tree.Wherein, the tape label of the leaf node storage of tree structure
Data be minimum accessible data slot in original character string, the branch from root node to leaf node be it is complete and by
Walk the data structure decomposed.
More preferably, minimum accessible data slot is mapped in limited classification, the entitled leaf of classification
The mark of the data of node.Similar data slot can be marked with same mark for classification, so as to according to mark
Remember to carry out data protection using same safeguard rule.
Any type of raw bytes string can be changed into tree structure by carrier analysis logic, and the leaf of tree is minimum
Accessible data slot, each branch of tree is complete representation.Such as root node is XML structure, therein one
A branch is an element of XML, but the value of this element is a string of JSON word strings, then can be to JSON word strings into traveling
One step parses, if subsequent node is accessible data slot, then the node reforms into the leaf node of tree structure, no
Decomposable process can then be continued until navigating to accessible data.In step s 2, the input of carrier analysis logic is request
Data, output are the data markers trees on request data.
Certainly, the data structure of request data can be any structural data, in addition to XML structure, can also be
Customized structure is applied in JSON or CSV (separated by commas word string), x-www-form-urlencoded and cloud service
Deng specific unlimited.
Then step S3 is performed, the data model inquiry private data safeguard rule storehouse applied according to the cloud service identified
In private data and corresponding safeguard rule, and change the data in the data markers structure of the request data accordingly.Root
The data model applied according to cloud service can determine the types of data, form, length, using logic etc., therefore, it is possible to determine it
Middle need private data to be protected, while find corresponding most suitable safeguard rule and come to the corresponding private data in request data
Protected.
For example, the data model applied by analyzing certain cloud service, asking the request data of specific webpage includes identity
Number is demonstrate,proved, and cloud service application is to match search to whole section of identity card using logic, then according to point of data type
Analysis, the Encryption Algorithm that safeguard rule can use FPE forms to retain handles the data segment, so as to not destroy cloud
The logic being served by.For another example, data are described including making a summary to the request data of certain cloud service application, and cloud service application
It is the search to keyword of making a summary using logic, then according to the analysis of data model, safeguard rule should be first by request data
Word segmentation processing is done, then changes each word using modes such as encryptions, is submitted after finally collecting.Thus, according to different clouds
The analysis for the data model being served by, finds corresponding most suitable safeguard rule to carry out protection processing to request data, can
With on the basis of security is ensured, normal use cloud service application.
Preferably, private data safeguard rule storehouse includes master database and the storage of the mark of the corresponding private data of storage
The safeguard rule storehouse of the safeguard rule of corresponding private data.Mark for example can be class indication.It can be found according to mark
Corresponding private data in data markers structure, and the private data is carried out at protection according to corresponding safeguard rule
Reason.
Preferably, private data safeguard rule storehouse is User Defined, is needed by configuring the master database to define
The private data of modification, the modification mode to private data is defined by configuring the safeguard rule storehouse.
Master database includes such as name, address, phone, ID card No. etc. data, in certain cloud service application
Data model in accordingly can be there are at least one of data, thus it can be said that the master database is taken according to cloud application
Private data in business counts definite.User, which need to be specified in master database, needs the corresponding safeguard rule of data to be protected,
These safeguard rules are corresponded to and are stored in safeguard rule storehouse, the protection rule of selected protection data just can be corresponded in selected data
Then.Certainly, master database and safeguard rule storehouse can be extended by user.
Preferably, in the step S3, according to the data model of the cloud service application identified, the master data is inquired about
The private data of modification needed for correspondence in storehouse, and the safeguard rule storehouse is inquired about to determine the protection corresponding to the private data
Rule, the number of respective markers in the data markers structure of the request data is changed according to the private data and safeguard rule
According to.
Preferably, in safeguard rule, the part statistical property of retention data according to the processing feature that cloud service is applied, with
Cloud service application is set to carry out statistical disposition according to the part statistical nature retained.Such as according to analysis it is known that cloud clothes
Initial sequence has been done name in business application, as long as safeguard rule can guarantee that initial ranking results with consistent before, name
Other parts can be encrypted, and initial can do simple transformation, can ensure the normal processing of cloud service application
Logic is not chaotic.
Then step S4 is performed, according to amended data markers structural remodeling request data, and is sent to corresponding cloud
It is served by, wait-for-response.Due to simply have modified the data content of leaf node, the structure of whole data structure is not changed
Make, thus request data can be rebuild by data markers structure, due to gateway system will protect processing and rebuild after please
Ask data to submit to high in the clouds, and the response in high in the clouds is waited after submitting.
Then step S5 is performed, gateway system is receiving the response data of cloud service application.Cloud service is applied to request
Response data can be generated after data progress normal response processing and returns to gateway system, and it is laggard that gateway system receives response data
Enter step S6.
Then step S6 is performed, response data is parsed according to the corresponding carrier analysis logic, is met with a response
The data markers structure of data.Request data and response data are usually identical in data structure or have an interlinking
, thus response data can be parsed with same carrier analysis logic, resolving is identical with request data,
So as to the data markers structure for the data that meet with a response, likewise, on the leaf node of the data markers structure of response data
It is final accessible data, wherein including protected private data.
Then step S7 is performed, the data markers structure according to corresponding private data and its safeguard rule to response data
Data handled so that corresponding data reduce.
Preferably, safeguard rule is the mapping relations of private data to encryption data, and mapping relations are reversible or irreversible.
In the step S3, to data be revised as private data is transformed to encryption data according to mapping relations.In the step
In S7, carrying out processing to data is, if the mapping relations in step S3 to be reversible, according to mapping relations by cryptographic data transformations
For private data, if the mapping relations in step S3 are irreversible, conversion process is not done.
Reversible rule is such as encrypted, and is then decrypted in the step s 7.If Ri is irreversible rule, then step
Any change can not be made in rapid S7.Irreversible situation is such as deleted, then cloud service application is not seen at all to be protected
The data of shield, the corresponding data of result of return avoid the need for handling.Irreversible rule can also be that mosaic etc. is unlimited.Separately
Outside, it is to describe herein, it is reversible it is irreversible need user according to application the characteristics of suitably selected.Some data are to having
A little clients are private some need protections, are probably disclosed to other client.
In one embodiment, in step S1, the cloud service application identified is marked, as being identified as Si in Fig. 2;
In the step S2, the carrier analysis logic Pi for the label lookup correspondence markings applied according to cloud service solves request data
Analysis;In the step S6, respective markers Si is determined according to the cloud service of identification application, so that the carrier according to correspondence markings
Analysis logic Pi parses response data.Since gateway system is the real submitter of request data, it is thus possible to determine
Cloud service application is identified as Si.
In the present invention, relative to the scheme protected beyond the clouds, since gateway deployment is in user terminal, thus user's logarithm
According to possessing absolute control;Private data can be just protected before public network is entered, and by private data
Being protected for selection corresponding suitable safeguard rule, can not destroy the logic of cloud service application, ensure cloud service just
Often operation;
Can define private data in the present invention as needed by user, cloud service obtain be user's selection processed knot
Fruit;Cloud service provider or third party can edit carrier analysis logic and be used to end user, and user is based only on mark to determine
Adopted private data, the carrier analysis logic based on cloud service facilitate user and provide expansible platform at the same time.
The present invention also provides a kind of private data to protect gateway system, including:
Data acquisition identification module:Perform and intercept and capture the request data that user applies cloud service, identify requested cloud clothes
Business application, determines the data model of the cloud service application;
Request analysis module:The request data according to carrier analyzes logical analysis is performed, obtains the request data
Data markers structure, the data markers structure of the request data are stored with the data of tape label;
Data modification module:Perform the data model applied according to the cloud service identified and inquire about private data safeguard rule
Private data and corresponding safeguard rule in storehouse, and the data in the data markers structure of the request data are changed accordingly;
Rebuild sending module:Perform according to amended data markers structural remodeling request data, and send to corresponding
Cloud service application, wait-for-response;
Respond receiving module:Perform the response data for receiving cloud service application;
Respond parsing module:Perform and response data is parsed according to the corresponding carrier analysis logic, rung
Answer the data markers structure of data;
Data restoring module:According to corresponding private data and its safeguard rule to the data markers structure of response data
Data are handled so that corresponding data reduces.
Particular content on the private data protection gateway system of the present invention may refer to privately owned in previous embodiment
The description content of data guard method, details are not described herein.
Although the present invention is disclosed as above with preferred embodiment, it is not for limiting claim, any this area
Technical staff without departing from the spirit and scope of the present invention, can make possible variation and modification, therefore the present invention
Protection domain should be subject to the scope that the claims in the present invention are defined.
Claims (10)
1. a kind of private data guard method, it is characterised in that performed in the gateway system between user and high in the clouds, this method
Comprise the following steps:
S1:The request data that user applies cloud service is intercepted and captured, identifies requested cloud service application, determines that the cloud service should
Data model;
S2:The request data according to carrier analyzes logical analysis, obtains the data markers structure of the request data, described to ask
The data markers structure of data is asked to be stored with the data of tape label;
S3:Private data in the data model inquiry private data safeguard rule storehouse applied according to the cloud service that is identified and right
The safeguard rule answered, and the data in the data markers structure of the request data are changed accordingly;
S4:According to amended data markers structural remodeling request data, and send to corresponding cloud service application, wait and ringing
Should;
S5:Receive the response data of cloud service application;
S6:Response data is parsed according to the corresponding carrier analysis logic, the data markers knot for the data that meet with a response
Structure;
S7:The data of the data markers structure of response data are handled according to corresponding private data and its safeguard rule,
So that corresponding data reduces.
2. private data guard method as claimed in claim 1, it is characterised in that the private data safeguard rule storehouse includes
The master database of mark of the corresponding private data of storage and the safeguard rule storehouse for the safeguard rule for storing corresponding private data;
In the step S3, according to the data model of the cloud service application identified, the correspondence in the master database is inquired about
The private data of required modification, and the safeguard rule storehouse is inquired about to determine the safeguard rule corresponding to the private data, according to
The data of respective markers in the data markers structure of private data and the safeguard rule modification request data.
3. private data guard method as claimed in claim 2, it is characterised in that the private data safeguard rule storehouse is use
Family is self-defined, and the private data that need to be changed is defined by configuring the master database, by configuring the safeguard rule storehouse
To define the modification mode to private data.
4. private data guard method as claimed in claim 1, it is characterised in that the safeguard rule for private data to add
The mapping relations of ciphertext data, mapping relations are reversible or irreversible;
In the step S3, to data be revised as private data is transformed to encryption data according to mapping relations;
In the step S7, carrying out processing to data is, will according to mapping relations if the mapping relations in step S3 are reversible
Cryptographic data transformations are private data, if the mapping relations in step S3 are irreversible, do not do conversion process.
5. private data guard method as claimed in claim 1, it is characterised in that in the safeguard rule, according to cloud service
The processing feature of application and the part statistical property of retention data, so that cloud service application can count special according to the part retained
Levy to carry out statistical disposition.
6. private data guard method as claimed in claim 1, it is characterised in that further include step before the step S1
S11:Each cloud service application is analyzed, the data model of each cloud service application is determined, builds a data model libraries;With
Family can carry out the data model libraries changing, increase newly, deleting for data model.
7. private data guard method as claimed in claim 1, it is characterised in that the carrier analyzes logic by original character
String is converted to tree structure, wherein, the data of the tape label of the leaf node storage of tree structure are minimum in original character string
Accessible data slot, the branch from root node to leaf node are data structures that is complete and progressively decomposing.
8. private data guard method as claimed in claim 7, it is characterised in that the accessible data slot quilt of minimum
It is mapped in limited classification, the mark of the data of the entitled leaf node of classification.
9. private data guard method as claimed in claim 1, it is characterised in that in the step S1, to the cloud identified
It is served by being marked;In the step S2, the carrier for the label lookup correspondence markings applied according to cloud service analyzes logic
Request data is parsed;In the step S6, respective markers are determined according to the cloud service of identification application, so that according to correspondence
The carrier analysis logic of mark parses response data.
10. a kind of private data protects gateway system, it is characterised in that including:
Data acquisition identification module:Perform and intercept and capture the request data that user applies cloud service, identify that requested cloud service should
With determining the data model of cloud service application;
Request analysis module:The request data according to carrier analyzes logical analysis is performed, obtains the data of the request data
Mark structure, the data markers structure of the request data are stored with the data of tape label;
Data modification module:Perform in the data model inquiry private data safeguard rule storehouse applied according to the cloud service identified
Private data and corresponding safeguard rule, and change the data in the data markers structure of the request data accordingly;
Rebuild sending module:Perform according to amended data markers structural remodeling request data, and send to corresponding cloud and take
Business application, wait-for-response;
Respond receiving module:Perform the response data for receiving cloud service application;
Respond parsing module:Perform and response data is parsed according to the corresponding carrier analysis logic, meet with a response number
According to data markers structure, the data pair of the data markers structure of the response data and the data markers structure of the request data
Should;
Data restoring module:Data according to corresponding private data and its safeguard rule to the data markers structure of response data
Handled so that corresponding data reduces.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711180128.0A CN107979595B (en) | 2017-11-23 | 2017-11-23 | Private data protection method and gateway system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711180128.0A CN107979595B (en) | 2017-11-23 | 2017-11-23 | Private data protection method and gateway system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107979595A true CN107979595A (en) | 2018-05-01 |
| CN107979595B CN107979595B (en) | 2020-11-13 |
Family
ID=62011201
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711180128.0A Expired - Fee Related CN107979595B (en) | 2017-11-23 | 2017-11-23 | Private data protection method and gateway system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107979595B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110210246A (en) * | 2019-05-31 | 2019-09-06 | 阿里巴巴集团控股有限公司 | A kind of personal data method of servicing and system based on safety calculating |
| WO2021164161A1 (en) * | 2020-02-17 | 2021-08-26 | 平安国际智慧城市科技股份有限公司 | Image data labeling method and apparatus, and computer device and storage medium |
| US11120160B2 (en) | 2019-05-31 | 2021-09-14 | Advanced New Technologies Co., Ltd. | Distributed personal data storage and encrypted personal data service based on secure computation |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103916456A (en) * | 2013-01-09 | 2014-07-09 | 国际商业机器公司 | Transparent Encryption/decryption Gateway For Cloud Storage Services |
| CN104065651A (en) * | 2014-06-09 | 2014-09-24 | 上海交通大学 | Information flow dependability guarantee mechanism for cloud computation |
| CN105637523A (en) * | 2013-10-16 | 2016-06-01 | 思杰系统有限公司 | Secure client drive mapping and file storage system for mobile device management type security |
| CN106101113A (en) * | 2016-06-24 | 2016-11-09 | 中国科学院计算技术研究所 | A kind of cloud computing data security annotation management method and system |
| US20170155634A1 (en) * | 2015-11-30 | 2017-06-01 | International Business Machines Corporation | Password-based management of encrypted files |
-
2017
- 2017-11-23 CN CN201711180128.0A patent/CN107979595B/en not_active Expired - Fee Related
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103916456A (en) * | 2013-01-09 | 2014-07-09 | 国际商业机器公司 | Transparent Encryption/decryption Gateway For Cloud Storage Services |
| US20150271151A1 (en) * | 2013-01-09 | 2015-09-24 | International Business Machines Corporation | Transparent Encryption/Decryption Gateway for Cloud Storage Services |
| CN105637523A (en) * | 2013-10-16 | 2016-06-01 | 思杰系统有限公司 | Secure client drive mapping and file storage system for mobile device management type security |
| CN104065651A (en) * | 2014-06-09 | 2014-09-24 | 上海交通大学 | Information flow dependability guarantee mechanism for cloud computation |
| US20170155634A1 (en) * | 2015-11-30 | 2017-06-01 | International Business Machines Corporation | Password-based management of encrypted files |
| CN106101113A (en) * | 2016-06-24 | 2016-11-09 | 中国科学院计算技术研究所 | A kind of cloud computing data security annotation management method and system |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110210246A (en) * | 2019-05-31 | 2019-09-06 | 阿里巴巴集团控股有限公司 | A kind of personal data method of servicing and system based on safety calculating |
| US11120160B2 (en) | 2019-05-31 | 2021-09-14 | Advanced New Technologies Co., Ltd. | Distributed personal data storage and encrypted personal data service based on secure computation |
| CN110210246B (en) * | 2019-05-31 | 2022-01-07 | 创新先进技术有限公司 | Personal data service method and system based on safety calculation |
| WO2021164161A1 (en) * | 2020-02-17 | 2021-08-26 | 平安国际智慧城市科技股份有限公司 | Image data labeling method and apparatus, and computer device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107979595B (en) | 2020-11-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6626095B2 (en) | Confidential information processing method, apparatus, server, and security determination system | |
| US9313232B2 (en) | System and method for data mining and security policy management | |
| JP6180177B2 (en) | Encrypted data inquiry method and system capable of protecting privacy | |
| US9059851B2 (en) | Method and computer program product for order preserving symbol based encryption | |
| US8473442B1 (en) | System and method for intelligent state management | |
| US8706709B2 (en) | System and method for intelligent term grouping | |
| CN109791594A (en) | Data are segmented in order to persistently be stored in multiple immutable data structures | |
| CN109977690A (en) | A kind of data processing method, device and medium | |
| US20210349988A1 (en) | Systems and methods for decentralized recovery of identity attributes | |
| CN107979595A (en) | Private data guard method and gateway system | |
| CN108287901A (en) | Method and apparatus for generating information | |
| KR101476039B1 (en) | Method for encrypting database and method for real-time search thereof | |
| Thang | Improving efficiency of web application firewall to detect code injection attacks with random forest method and analysis attributes HTTP request | |
| US9344407B1 (en) | Centrally managed use case-specific entity identifiers | |
| US10897483B2 (en) | Intrusion detection system for automated determination of IP addresses | |
| CN107317814A (en) | With applying transparent cipher text searching method, gateway apparatus, gateway device and system | |
| JP2015090993A (en) | Encryption control device, encryption control method and program | |
| CN106874379B (en) | Ciphertext cloud storage-oriented multi-dimensional interval retrieval method and system | |
| CN110968881A (en) | System authentication and data encryption method based on artificial intelligence | |
| Shanmukhi et al. | Big data: Query processing | |
| Chen et al. | Email visualization correlation analysis forensics research | |
| CN111030930B (en) | Decentralized network data fragment transmission method, device, equipment and medium | |
| Kozik et al. | The http content segmentation method combined with adaboost classifier for web-layer anomaly detection system | |
| Patel et al. | An approach to analyze data corruption and identify misbehaving server | |
| KR102193330B1 (en) | System and Method for Protecting Personal Information using High Speed Serching, Sanitization and Symbolic Link Based on File System |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20201113 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |