CN110661776B - Sensitive data tracing method, device, security gateway and system - Google Patents

Info

Publication number: CN110661776B
Authority: CN (China)
Prior art keywords: data, data set, account, sensitive, application
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910687236.XA
Other languages: Chinese (zh)
Other versions: CN110661776A
Inventors: 王庆官, 陈鑫, 李伟
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN201910687236.XA
Publication of CN110661776A
Application granted
Publication of CN110661776B
Legal status: Active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Evolutionary Computation (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention provide a sensitive data tracing method, a sensitive data tracing device, a security gateway and a system. The sensitive data tracing method comprises the following steps: receiving and parsing login traffic to obtain a first data set; receiving and parsing business traffic to obtain a second data set; where the second data set contains sensitive data, associating the first data set with the second data set on the basis of data elements common to both, to generate a third data set; and determining, from the third data set, the information associated with the sensitive data, this associated information tracing back the circulation path of the sensitive information. The embodiments of the invention enable an administrator to gain a global view of how the application's sensitive data is accessed and used, without modifying the existing network architecture or business systems.

Description

Sensitive data tracing method, device, security gateway and system
Technical Field
The invention relates to the technical field of network security, and in particular to a sensitive data tracing method, a sensitive data tracing device, a security gateway and a system.
Background
With the passage of time, the advance of technology and the continuous change of business applications, data has become an important production asset. In the current big-data era, data assets continue to create value while they flow and are used, and new data is produced in the process. With the evolution of IT architecture and the development of business applications, data flow has become the normal state, and statically stored data is slowly becoming rare. The scope of data asset circulation keeps widening, from data within a single business or a single system in the past to cross-business, cross-system and even cross-organisation circulation. In the face of this widening circulation, the security challenges facing data assets are also increasing.
Fig. 1 illustrates the main problems faced by application data security in the prior art.
Internal business staff usually hold legitimate authority to access the sensitive data of an application system, and administrators lack the means to supervise whether users stay within that authority and whether business data is accessed for non-work reasons. Third-party partners of the organisation access the sensitive data of the organisation's own application systems in the course of business cooperation and are constrained by administrative authority; their risk level is higher than that of internal business staff, and they may illegitimately obtain sensitive data from the application system. As business develops, an application system contains a large number of data interfaces that can transmit sensitive data outwards, and third-party application systems may pull data through these interfaces in violation of policy. If the above situations are not managed, data theft, misuse or interception events are likely to occur, causing adverse impact and loss.
Once sensitive data has been found in a system, how to determine the interfaces, application programs, accounts, servers and so on associated with it, so that the associated information can be analysed and evaluated and security thereby provided, is a problem urgently in need of a solution by those skilled in the field.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a method, an apparatus, a security gateway and a system for tracing the source of sensitive data, which at least partially solve the problems in the prior art.
In a first aspect, an embodiment of the present invention provides a sensitive data tracing method based on an application data gateway, used to identify information associated with sensitive data, which comprises:
receiving and parsing login traffic to obtain a first data set;
receiving and parsing business traffic to obtain a second data set;
where the second data set contains sensitive data, associating the first data set with the second data set on the basis of data elements common to both, to generate a third data set;
and determining, from the third data set, the information associated with the sensitive data, this associated information tracing back the circulation path of the sensitive information.
According to a specific implementation of the embodiment of the present invention, in receiving and parsing the login traffic to obtain the first data set: the login traffic is obtained by separately mirroring the traffic from the browser and the traffic from the application server during the login operation; the browser traffic comprises the account and password with which the user logs in to the application system, the account login credential and the interface requested by the user; the application server traffic comprises the result of checking the browser traffic.
According to a specific implementation of the embodiment of the present invention, the account login credential in the traffic from the browser is obtained as follows: after the user opens the login page of the application system, the application system generates an account login credential and sends it to the browser.
According to a specific implementation of the embodiment of the present invention, the account, the password and the interface requested by the user logging in to the application system, in the traffic from the browser, are obtained as follows: the user enters the account and password in the opened application system, and after the user clicks login the browser obtains the account and password information; the browser determines the requested interface according to the application system.
According to a specific implementation of the embodiment of the invention, the first data set is stored in memory keyed by the account credential.
According to a specific implementation of the embodiment of the present invention, in receiving and parsing the business traffic to obtain the second data set, the business traffic is obtained by separately mirroring the traffic from the browser and the traffic from the application server when the user performs a business operation; the traffic from the browser comprises the business parameters entered by the user, the account login credential and the requested interface; the traffic from the application server comprises the result of checking the browser traffic and the response returned according to the entered business parameters.
According to a specific implementation of the embodiment of the present invention, the second data set comprises the account credential, the application system name, the interface, the response fields and the request fields.
According to a specific implementation of the embodiment of the present invention, the third data set is determined as follows: the second data set is correlated with the first data set through the account credential, the account is found in the first data set, and the account is merged with the second data set to obtain the third data set; the third data set comprises the account credential, the account, the application system, the interface, the response fields and the request fields.
According to a specific implementation of the embodiment of the present invention, the method further comprises: associating the sensitive information with the third data set and displaying it.
According to a specific implementation of the embodiment of the present invention, the method further comprises: profiling the server associated with the interface, application system, account or response field in the third data set.
In a second aspect, an embodiment of the present invention provides a sensitive data tracing apparatus based on an application data gateway, configured to identify information associated with sensitive data, the apparatus comprising:
a first data set acquisition module, used to receive and parse login traffic to obtain a first data set;
a second data set acquisition module, used to receive and parse business traffic to obtain a second data set;
a third data set acquisition module, configured to, where the second data set contains sensitive data, associate the first data set with the second data set on the basis of data elements common to both and generate a third data set;
and a tracing module, used to determine from the third data set the information associated with the sensitive data, this associated information tracing back the circulation path of the sensitive information.
According to a specific implementation of the embodiment of the present invention, in the first data set acquisition module: the login traffic is obtained by separately mirroring the traffic from the browser and the traffic from the application server during the login operation; the browser traffic comprises the account and password with which the user logs in to the application system, the account login credential and the interface requested by the user; the application server traffic comprises the result of checking the browser traffic.
According to a specific implementation of the embodiment of the present invention, the account login credential in the traffic from the browser is obtained as follows: after the user opens the login page of the application system, the application system generates an account login credential and sends it to the browser.
According to a specific implementation of the embodiment of the present invention, the account, the password and the interface requested by the user logging in to the application system, in the traffic from the browser, are obtained as follows: the user enters the account and password in the opened application system, and after the user clicks login the browser obtains the account and password information; the browser determines the requested interface according to the application system.
According to a specific implementation of the embodiment of the invention, the first data set is stored in memory keyed by the account credential.
According to a specific implementation of the embodiment of the present invention, in the second data set acquisition module, the business traffic is obtained by separately mirroring the traffic from the browser and the traffic from the application server when the user performs a business operation; the traffic from the browser comprises the business parameters entered by the user, the account login credential and the requested interface; the traffic from the application server comprises the result of checking the browser traffic and the response returned according to the entered business parameters.
According to a specific implementation of the embodiment of the present invention, the second data set comprises the account credential, the application system name, the interface, the response fields and the request fields.
According to a specific implementation of the embodiment of the present invention, the third data set is determined as follows: the second data set is correlated with the first data set through the account credential, the account is found in the first data set, and the account is merged with the second data set to obtain the third data set; the third data set comprises the account credential, the account, the application system, the interface, the response fields and the request fields.
According to a specific implementation of the embodiment of the present invention, the apparatus further comprises: a display module, used to associate the sensitive information with the third data set and display it.
According to a specific implementation of the embodiment of the present invention, the apparatus further comprises: a profiling module, used to profile the server associated with the interface, application system, account or response field in the third data set.
In a third aspect, an embodiment of the present invention further provides a security gateway, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions enabling the at least one processor to perform any of the aforementioned sensitive data tracing methods based on the application data gateway.
In a fourth aspect, an embodiment of the present invention further provides an application data gateway system, comprising:
a data request end and a data center;
the data center comprises a switch, a security gateway and a plurality of application servers;
the data request end is connected to the application servers through the switch;
the security gateway is used to mirror application data from the switch and comprises at least one processing device and a memory communicatively connected to the at least one processing device; wherein
the memory stores instructions executable by the at least one processing device, enabling the at least one processing device to perform any one of the above sensitive data tracing methods based on an application data gateway.
In a fifth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute any one of the foregoing sensitive data tracing methods based on an application data gateway.
In the embodiments of the invention, the application data security gateway obtains two data sets by parsing the login traffic and the business traffic, and associates the two data sets by identifying their common elements. The associated set represents the information related to the sensitive data, and the circulation of the sensitive data can be monitored from this associated information (such as accounts, interfaces, applications and the like). That is, by reconstructing and analysing network traffic, the embodiments of the invention sort out the internal information related to the sensitive information (such as accounts, application systems and sensitive interfaces); they record every outflow of sensitive data from the business system so that it can be traced back and audited, record the operational behaviour of the business system so that it can be audited, meet the log-keeping requirements of supervisory departments, and achieve governance beforehand, monitoring during the event and backtracking afterwards, so that the risk of data leakage is reduced. At the same time, the security situation of the application data can conveniently be displayed as a whole, and the overall state of current data flow, data use, data risk and the like can be presented visually.
The embodiments of the invention enable an administrator to gain a global view of how the application's sensitive data is accessed and used, without modifying the existing network architecture or business systems.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a diagram illustrating a topology in an application data flow system in the prior art;
FIG. 2 is a schematic topology diagram illustrating an embodiment of an application data gateway system of the present invention;
FIG. 3 is a flowchart illustrating steps of an embodiment of a sensitive data tracing method based on an application data gateway according to the present invention;
FIG. 4 is an interaction diagram illustrating that in the embodiment of the sensitive data tracing method based on the application data gateway, the application data security gateway obtains the sensitive data association information based on the login traffic;
FIG. 5 is an interaction diagram illustrating how, in the embodiment of the sensitive data tracing method based on the application data gateway, the application data security gateway obtains the sensitive data association information from the business traffic;
FIG. 6 is a flowchart illustrating steps of another embodiment of a sensitive data tracing method based on an application data gateway according to the present invention;
FIG. 7 is a block diagram illustrating an embodiment of a sensitive data tracing apparatus based on an application data gateway according to the present invention;
fig. 8 shows a block diagram of the structure of an embodiment of the security gateway of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below with specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure in the specification. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. The disclosure may be embodied or carried out in various other specific embodiments, and various modifications and changes may be made in the details within the description without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present disclosure, and the drawings only show the components related to the present disclosure rather than the number, shape and size of the components in actual implementation, and the type, amount and ratio of the components in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
As shown in fig. 1, the application data circulation system in the prior art comprises an application data request end and a data center; the data center comprises a switch, a security gateway and a plurality of application servers; the application data request end is connected to the application servers through the switch. The application data request end may be an internal business person, a third-party partner, or an interface server that provides services to external parties. Of course, terminals of other forms with other functions are also possible. While data flows between the request end and the application server, the following data security problems may lie hidden:
first, internal business staff, using their legitimate authority to access the sensitive data of the application system, cause data theft or data misuse through improper operations;
second, third-party partners, who access the sensitive data of the organisation's own application systems through business cooperation, may illegitimately obtain sensitive data from the application system;
and third, an interface providing services to external parties may transmit sensitive data without desensitising it, creating a data security risk.
In the prior art, however, the matching of sensitive data to accounts is inflexible and weak, whereas quickly associating sensitive data with an account is very important for tracing the source of the sensitive data.
Referring to fig. 2, fig. 2 shows an embodiment of the application data gateway system of the present invention, which comprises:
an application data request end and a data center. The data center comprises a switch, a security gateway and a plurality of application servers, and the application data request end is connected to the application servers through the switch. As described above, the data request end may be an internal business person, a third-party partner, or an interface server that provides services to external parties.
The security gateway is used to mirror application data from the switch and comprises at least one processing device and a memory communicatively connected to the at least one processing device; wherein
the memory stores instructions executable by the at least one processing device, enabling the at least one processing device to perform the sensitive data tracing method based on the application data gateway.
Of course, the data center may also include a data security management and analysis system, which further analyses, displays and manages the data acquired by the application data security gateway.
Next, a sensitive data tracing method based on the application data gateway is described.
Fig. 3 is a flowchart of the steps of an embodiment of a sensitive data tracing method based on an application data gateway; the embodiment is used to identify information associated with sensitive data and comprises:
S310, receiving and parsing the login traffic to obtain a first data set.
In this step, the login traffic is obtained by separately mirroring the traffic from the browser and the traffic from the application server when the login operation is performed, see fig. 2.
The browser traffic comprises the account and password with which the user logs in to the application system, the account login credential and the interface requested by the user. The application server traffic comprises the result of checking the browser traffic.
The account login credential in the traffic from the browser is obtained as follows: after the user opens the login page of the application system, the application system generates an account login credential and sends it to the browser.
The account, the password and the interface requested by the user logging in to the application system, in the traffic from the browser, are obtained as follows: the user enters the account and password in the opened application system, and after the user clicks login the browser obtains the account and password information; the browser determines the requested interface according to the application system. The first data set is stored in memory keyed by the account credential. The account credential is the key element connecting the first data set with the second data set described below; through association on the account credential, the items related to the sensitive data can be linked together, and tracing of the sensitive data is thereby achieved. Therefore, when the first data set is stored, the account credential is stored with it as the key.
S320, receiving and parsing the business traffic to obtain a second data set.
In this step, the business traffic is obtained by separately mirroring the traffic from the browser and the traffic from the application server when the user performs a business operation; the traffic from the browser comprises the business parameters entered by the user, the account login credential and the requested interface; the traffic from the application server comprises the result of checking the browser traffic and the response returned according to the entered business parameters.
The second data set comprises the account credential, the application system name, the interface, the response fields and the request fields.
S330, where the second data set contains sensitive data, associating the first data set with the second data set on the basis of data elements common to both, and generating a third data set.
In this step, the third data set is determined as follows: the second data set is correlated with the first data set through the account credential, the account is found in the first data set, and the account is merged with the second data set to obtain the third data set.
That is, the third data set comprises the account credential, the account, the application, the interface, the response fields and the request fields.
S340, determining the information associated with the sensitive data from the third data set, and tracing the circulation path of the sensitive information on the basis of the associated information.
In one embodiment, the information associated with the sensitive information includes: the account associated with the sensitive information, the account credential, the related interface, the associated application, the server providing the sensitive information, and so on. The associated information may be one or more of the above; other related information may also be selected according to actual conditions. The invention is not limited in this respect.
For example, in one embodiment, once sensitive information has been found and the information associated with the sensitive data has been obtained, tracing can follow the path:
sensitive information → account credential → account → requested interface → associated application system. Referring to fig. 4, fig. 4 is an interaction diagram showing how, in the embodiment of the sensitive data tracing method based on the application data gateway, the application data security gateway obtains the sensitive data association information from the login traffic; the interaction proceeds as follows:
Step a: user A opens the login page of the application system, and the application system generates an account login credential ID (such as a token, session ID, JSESSIONID, etc.);
Step b: the application system sends the login credential ID to the browser;
Step c: user A enters the account and password and clicks login;
Step d: the browser sends the account, the password, the login credential ID and the requested interface (URL) to the application server;
Step e: the application server verifies the login credential ID and checks the account and password;
Step f: the application server returns success or failure to the browser;
Step g: the browser displays the result returned by the server;
Step h: the data security gateway mirrors the traffic, obtains the traffic of the browser and the application server, parses out a data set M comprising the account, the account credential ID, the associated application and the corresponding interface, and stores the data set M in memory keyed by the account credential ID.
Referring to fig. 5, fig. 5 is an interaction diagram showing how, in this embodiment of the sensitive data tracing method based on the application data gateway, the application data security gateway obtains the association information of sensitive data from the service traffic. The diagram takes as its example user A performing a business operation, such as submitting a leave form on an OA system:
step i: the user enters business parameters (such as leave time, post, etc.) and clicks submit;
step j: the browser sends the input parameters, the login credential ID and the requested interface (URL) to the application server;
step k: the application server checks the login credential ID and performs the corresponding operation according to the requested interface (URL) and the input parameters;
step l: the application server returns the result to the browser;
step m: the browser displays the result returned by the server;
step n: the application data security gateway mirrors the traffic, obtains the traffic between the browser and the application server, and parses out a data set N comprising the account credential ID, the application system, the interface, the response fields and the request fields;
step o: data sets N and M are associated through the account credential ID, the account is looked up in M and written into N, and a data set D is generated comprising the account credential, the account, the application system, the interface, the response fields and the request fields;
step p: each field is scanned and marked with a sensitivity label;
step q: a data set E is generated comprising the account credential ID, the account, the application system, the interface, the response fields with the sensitivity label of each field, and the request fields with the sensitivity label of each field.
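The procedure of steps a to q (M from the login traffic, N from the service traffic, the join on the credential ID into D, field labelling into E, and the S340 trace back) as an added Python example; this is not code from the patent or its assignees. The mirrored HTTP messages, the `sessionid` cookie used as the account credential ID, the Host header used as the application name, and the phone and ID-card patterns are constructed assumptions.

```python
"""Data sets M, N, D and E of the description, built from mirrored traffic.

Added example, not code from the patent or its assignees. The HTTP messages,
the "sessionid" cookie used as the account credential ID, the Host header used
as the application name, and the sensitive-field patterns are constructed
assumptions made for this demonstration.
"""
import json
import re
from urllib.parse import parse_qs

# Constructed mirrored traffic as the gateway reassembles it from the switch
# mirror port: the login request (steps a-g) and one business exchange
# (steps i-m): a leave form carrying a phone number, answered with an ID number.
LOGIN_REQ = ("POST /oa/login HTTP/1.1\r\nHost: oa.example.internal\r\n"
             "Cookie: sessionid=abc123\r\n\r\nusername=userA&password=Passw0rd")
LEAVE_REQ = ("POST /oa/leave/submit HTTP/1.1\r\nHost: oa.example.internal\r\n"
             "Cookie: sessionid=abc123\r\n\r\n"
             "start=2019-08-01&post=engineer&phone=13800138000")
LEAVE_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
              '{"result": "ok", "id_card": "110101199001011234"}')

# Constructed sensitivity labels for step p; the patent leaves the scanner open.
SENSITIVE_PATTERNS = {
    "phone": re.compile(r"^1[3-9]\d{9}$"),      # mainland mobile number
    "id_card": re.compile(r"^\d{17}[\dXx]$"),   # 18-character resident ID
}

def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def credential_id(headers):
    """The account credential ID: here the 'sessionid' cookie (assumption)."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid":
            return value
    return None

def fields_of(body):
    """Flatten a form-encoded or flat JSON body into {field: value}."""
    body = body.strip()
    if body.startswith("{"):
        return {k: str(v) for k, v in json.loads(body).items()}
    return {k: v[0] for k, v in parse_qs(body).items()}

def build_m(login_req):
    """Step h: data set M from the login request, keyed by credential ID.
    The password is in the mirrored traffic but is deliberately not retained."""
    start, headers, body = parse_http(login_req)
    form = fields_of(body)
    return {credential_id(headers): {"account": form["username"],
                                     "application": headers["host"],
                                     "interface": start.split()[1]}}

def build_n(req, resp):
    """Step n: data set N from one business request/response pair."""
    start, headers, body = parse_http(req)
    _, _, resp_body = parse_http(resp)
    return {"credential_id": credential_id(headers),
            "application": headers["host"], "interface": start.split()[1],
            "request_fields": fields_of(body),
            "response_fields": fields_of(resp_body)}

def label(value):
    """Return the sensitivity label of a field value, or None."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.match(value):
            return name
    return None

def build_e(m, n):
    """Steps o-q: join N with M on the credential ID (D), then label every
    request and response field (E). An unknown credential leaves account None."""
    e = dict(n, account=m.get(n["credential_id"], {}).get("account"))
    e["request_labels"] = {k: label(v) for k, v in n["request_fields"].items()}
    e["response_labels"] = {k: label(v) for k, v in n["response_fields"].items()}
    return e

def trace(e):
    """S340: one path per labelled field:
    sensitive info -> credential ID -> account -> interface -> application."""
    labelled = [(f, l) for f, l in e["request_labels"].items() if l]
    labelled += [(f, l) for f, l in e["response_labels"].items() if l]
    return [{"field": f, "label": l, "credential_id": e["credential_id"],
             "account": e["account"], "interface": e["interface"],
             "application": e["application"]} for f, l in labelled]

def run_demo():
    """Run the whole chain over the constructed traffic and return the paths."""
    return trace(build_e(build_m(LOGIN_REQ), build_n(LEAVE_REQ, LEAVE_RESP)))
```

`run_demo()` yields two paths, one for the phone number in the request fields and one for the ID-card number in the response fields, both resolved to account userA on `/oa/leave/submit`.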
In the embodiment of the invention, the application data security gateway obtains two data sets by parsing the login traffic and the service traffic, and associates them by identifying the elements common to both. The associated set represents the information related to the sensitive data, and the circulation of the sensitive data can be monitored through that associated information (account, interface, application and so on). In other words, by restoring and analysing network traffic, the embodiment sorts out the internal information related to the sensitive information (account, application system, sensitive interface), records the outflow of all sensitive data from the service system so that it can be traced back and audited, records the operating behaviour of the service system so that it can be audited, meets the log-keeping requirements of supervisory departments, and achieves prior governance, in-event monitoring and after-the-event backtracking, thereby reducing the risk of data leakage. At the same time, the security situation of the application data can be presented as a whole, and the global states of data flow, data use, data risk and the like can be displayed visually.
The embodiment of the invention enables a manager to grasp, from a global perspective, how the sensitive data of applications is accessed and used, without modifying the existing network architecture or service systems.
Referring to fig. 6, fig. 6 is a flowchart illustrating the steps of another embodiment of the sensitive data tracing method based on the application data gateway according to the present invention, including the following steps:
S610: receive and parse the login traffic to obtain a first data set.
S620: receive and parse the service traffic to obtain a second data set.
S630: when the second data set contains sensitive data, associate the first data set with the second data set on the data elements they have in common, and generate a third data set.
S640: determine the associated information of the sensitive data from the third data set, and trace the circulation link of the sensitive information through that associated information.
In one embodiment, the associated information of the sensitive information includes one or more of: the account associated with the sensitive information, the account credential, the related interface, the associated application, and the server providing the sensitive information. Other related information may be selected according to actual conditions; the invention is not limited in this regard.
For example, in one embodiment, once the sensitive information has been found and its associated information obtained, tracing can follow the path:
sensitive information → account credential → account → requested interface → associated application system.
S650: associate the sensitive information with the third data set and display them.
The security situation of the application data is presented as a whole, and the current global states of data flow, data use, data risk and the like are presented visually.
S660: profile (portray) the server related to the interface, the application system, the account or the response field in the third data set.
Once the path is determined, the related account, interface, application and application server can be analysed further; that is, the association information itself is audited.
For example, for an interface related to sensitive information, further queries may gather the other application systems that use the interface, the other accounts that request data through it, and the application server that serves it, producing a set of lists. These lists describe the attributes of the interface related to the sensitive information and together may be called the profile (portrait) of the interface.
Similarly, an account associated with sensitive information may be profiled in the same way: which applications and application systems the account has accessed, which interfaces and which application servers were involved, and so on. Further auditing of the account in this way uncovers potential security risks. This process profiles the account.
Similarly, application servers associated with sensitive data may also be profiled. Interfaces associated with application services involving sensitive data, application programs,
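Profiling of interfaces, accounts and servers over the labelled set E, as an added Python example not taken from the patent or its assignees; the E records, the `server` field and the cross-application audit query are constructed assumptions.

```python
"""Profiling ("portrayal") of interfaces, accounts and servers over set E.

Added example, not code from the patent or its assignees. The E records, the
"server" field and the cross-application audit query are constructed
assumptions made for this demonstration.
"""
from collections import defaultdict

# Constructed E records: one per mirrored business request that carried at
# least one field with a sensitivity label.
E_RECORDS = [
    {"account": "userA", "application": "OA", "server": "10.0.0.5",
     "interface": "/oa/leave/submit", "labels": {"phone"}},
    {"account": "userA", "application": "HR", "server": "10.0.0.7",
     "interface": "/hr/employee/detail", "labels": {"id_card", "phone"}},
    {"account": "userB", "application": "HR", "server": "10.0.0.7",
     "interface": "/hr/employee/detail", "labels": {"id_card"}},
    {"account": "userC", "application": "CRM", "server": "10.0.0.9",
     "interface": "/crm/customer/export", "labels": {"phone"}},
    {"account": "userC", "application": "HR", "server": "10.0.0.7",
     "interface": "/hr/employee/detail", "labels": {"id_card"}},
]

def _profile(records, key, collect):
    """Group records by `key`; for each group, union the `collect` attributes
    and the sensitivity labels, and count the requests."""
    def fresh():
        group = {c: set() for c in collect}
        group.update(labels=set(), requests=0)
        return group
    prof = defaultdict(fresh)
    for r in records:
        p = prof[r[key]]
        for c in collect:
            p[c].add(r[c])
        p["labels"] |= r["labels"]
        p["requests"] += 1
    return dict(prof)

def profile_interfaces(records):
    """S660 lists for an interface: the application systems using it, the
    accounts requesting data through it and the servers answering it."""
    return _profile(records, "interface", ("application", "account", "server"))

def profile_accounts(records):
    """Profile of an account: the applications, interfaces and servers it
    reached and the sensitivity labels it was exposed to."""
    return _profile(records, "account", ("application", "interface", "server"))

def profile_servers(records):
    """Profile of an application server: the applications, interfaces and
    accounts behind the sensitive responses it produced."""
    return _profile(records, "server", ("application", "interface", "account"))

def accounts_spanning_applications(records, min_apps=2):
    """Audit query (assumption, not from the patent): accounts that drew
    sensitive data from at least `min_apps` distinct application systems, a
    candidate list for review before any permission is withdrawn."""
    return sorted(a for a, p in profile_accounts(records).items()
                  if len(p["application"]) >= min_apps)
```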
It can be seen from the above description that the embodiment is able to monitor the flow direction of sensitive data, supports all-round auditing of key elements such as accounts, interfaces and applications, and generates statistical reports from the acquired association information, so that a manager can grasp, from a global perspective, how the sensitive data of applications is accessed and used.
Moreover, the embodiment can also profile a single account, interface or application, describing how each object is accessed and used.
Based on the tracing result of the sensitive data, or on the further profiling of accounts, interfaces and applications, subsequent management and control policies can be formulated conveniently, and when a violation is found, follow-up response actions can be taken, such as disabling the use permission of the corresponding account.
In a second aspect, an embodiment of the present invention provides a sensitive data tracing apparatus based on an application data gateway, the apparatus being used to identify information associated with sensitive data. With reference to fig. 7, the apparatus includes: a first data set acquisition module 71, a second data set acquisition module 72, a third data set acquisition module 73, and a tracing module 74.
The first data set acquisition module 71 is configured to receive and parse the login traffic to obtain a first data set.
Preferably, in the first data set acquisition module, the login traffic is obtained by mirroring, respectively, the traffic from the browser and the traffic from the application server during the login operation; the traffic from the browser comprises the account, the password and the account login credential of the user logging in to the application system and the interface requested by the user; the traffic from the application server comprises the result of checking the traffic from the browser.
Further, the account login credential in the traffic from the browser may be obtained as follows: after the user opens the login page of the application system, the application system generates an account login credential and sends it to the browser.
Further, in one embodiment, the account and password for logging in to the application system and the interface requested by the user, all in the traffic from the browser, are obtained as follows: the user enters the account and password in the opened application system, and after the user clicks login the browser holds the account and password; the browser determines the requested interface according to the application system. The first data set is stored in memory keyed by the account credential.
The second data set acquisition module 72 is configured to receive and parse the service traffic to obtain a second data set.
In the second data set acquisition module, the service traffic is obtained by mirroring, respectively, the traffic from the browser and the traffic from the application server when the user performs a business operation; the traffic from the browser comprises the business parameters entered by the user, the account login credential and the requested interface; the traffic from the application server comprises the result of checking the traffic from the browser and the response returned according to the entered business parameters.
In addition, the second data set includes the account credential, the application system name, the interface, the response field and the request field.
The third data set acquisition module 73 is configured to, when the second data set contains sensitive data, associate the first data set with the second data set on the data elements they have in common, and generate a third data set.
In one embodiment, the third data set is determined as follows: the second data set is associated with the first data set through the account credential, the account is looked up in the first data set, and the account is merged into the second data set to obtain the third data set; the third data set includes the account credential, the account, the application system, the interface, the response field and the request field.
The tracing module 74 is configured to determine, from the third data set, the associated information of the sensitive data, the associated information tracing back the circulation link of the sensitive information.
In addition, the sensitive data tracing apparatus based on the application data gateway provided by the embodiment of the invention further comprises a display module and a portrait (profiling) module. The display module is used to associate the sensitive information with the third data set and display them. The portrait module is used to profile the server related to the interface, the application system, the account or the response field in the third data set.
It should be noted that the sensitive data tracing apparatus based on the application data gateway of the present invention works on the same principle as the sensitive data tracing method based on the application data gateway; it is not described again here, and the related description above may be referred to.
The embodiment of the invention also provides an embodiment of a security gateway, which comprises at least one processing device and a memory communicatively coupled to the at least one processing device; the memory stores instructions executable by the at least one processing device, and when the instructions are executed by the at least one processing device they enable it to perform the sensitive data tracing method based on the application data security gateway.
Referring now to FIG. 8, a schematic diagram of a security gateway 80 suitable for use in implementing embodiments of the present disclosure is shown.
As shown in fig. 8, security gateway 80 may include a processing device 801 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage device 806 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the security gateway 80 are also stored. The processing apparatus 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. Further, a communication device 807 is connected to the bus 804. The security gateway 80 stores instructions executable by the at least one processing device 801 that, when executed, enable the processing device to perform the aforementioned sensitive data tracing method based on the application data gateway.
Furthermore, the present invention provides a non-transitory computer-readable storage medium embodiment, which stores computer instructions for enabling the at least one processing device to execute any one of the aforementioned sensitive data tracing methods based on an application data gateway.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the security gateway; or may exist separately and not be incorporated into the security gateway.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (21)

1. A sensitive data tracing method based on an application data gateway, for identifying information associated with sensitive data, characterized in that the application data gateway comprises an application data request end and a data center, the data center comprising a switch, a security gateway and an application server; the application data request end is connected to the application server through the switch; the security gateway mirrors the application data from the switch; and the sensitive data tracing method comprises the following steps:
receiving and parsing login traffic to obtain a first data set, the login traffic being the traffic from the browser and the traffic from the application server mirrored respectively by the security gateway when a user performs a login operation;
receiving and parsing service traffic to obtain a second data set, the service traffic being the traffic from the browser and the traffic from the application server mirrored respectively by the security gateway when the user performs a business operation;
when the second data set comprises sensitive data, associating the first data set with the second data set based on the data elements common to the first data set and the second data set, and generating a third data set;
determining the associated information of the sensitive data based on the third data set, the associated information tracing back the circulation link of the sensitive information; wherein the associated information of the sensitive information comprises the account associated with the sensitive information, the account credential, the related interface and the associated application system, and the tracing path is sensitive information → account credential → account → related interface → associated application system.
2. The sensitive data tracing method of claim 1, wherein, in receiving and parsing the login traffic to obtain the first data set:
the traffic from the browser comprises the account, the password and the account login credential of the user logging in to the application system and the interface requested by the user; and the traffic from the application server comprises the result of checking the traffic from the browser.
3. The sensitive data tracing method of claim 2, wherein
the account login credential in the traffic from the browser is obtained as follows:
after the user opens the login page of the application system, the application system generates an account login credential and sends it to the browser.
4. The sensitive data tracing method of claim 3, wherein
the first data set is stored in memory keyed by the account credential.
5. The sensitive data tracing method of claim 4, wherein, in the service traffic:
the traffic from the browser comprises the entered business parameters, the generated account login credential and the requested interface; and the traffic from the application server comprises the result of checking the traffic from the browser and the response returned according to the entered business parameters.
6. The sensitive data tracing method of claim 5, wherein
the second data set includes at least one of an account credential, an application system name, an interface, a response field and a request field.
7. The sensitive data tracing method of claim 6, wherein the third data set is determined by:
associating the second data set with the first data set through the account credential, looking up the account in the first data set, and merging the account into the second data set to obtain the third data set.
8. The sensitive data tracing method of claim 7, further comprising:
associating the sensitive information with the third data set and displaying them.
9. The sensitive data tracing method of claim 7, further comprising:
profiling the interface, the application system and the account in the third data set.
10. A sensitive data tracing apparatus based on an application data gateway, for identifying information associated with sensitive data, characterized in that the application data gateway comprises an application data request end and a data center, the data center comprising a switch, a security gateway and an application server; the application data request end is connected to the application server through the switch; the security gateway mirrors the application data from the switch; and the sensitive data tracing apparatus comprises:
a first data set acquisition module, configured to receive and parse login traffic to obtain a first data set, the login traffic being the traffic from the browser and the traffic from the application server mirrored respectively by the security gateway when a user performs a login operation;
a second data set acquisition module, configured to receive and parse service traffic to obtain a second data set, the service traffic being the traffic from the browser and the traffic from the application server mirrored respectively by the security gateway when the user performs a business operation;
a third data set acquisition module, configured to, when the second data set comprises sensitive data, associate the first data set with the second data set based on the data elements common to the first data set and the second data set, and generate a third data set;
a tracing module, configured to determine the associated information of the sensitive data based on the third data set, the associated information tracing back the circulation link of the sensitive information; wherein the associated information of the sensitive information comprises the account associated with the sensitive information, the account credential, the related interface and the associated application system, and the tracing path is sensitive information → account credential → account → related interface → associated application system.
11. The sensitive data tracing apparatus of claim 10, wherein, in the first data set acquisition module:
the traffic from the browser comprises the account, the password and the account login credential of the user logging in to the application system and the interface requested by the user; and the traffic from the application server comprises the result of checking the traffic from the browser.
12. The sensitive data tracing apparatus of claim 11, wherein
the account login credential in the traffic from the browser is obtained as follows:
after the user opens the login page of the application system, the application system generates an account login credential and sends it to the browser.
13. The sensitive data tracing apparatus of claim 12, wherein
the first data set is stored in memory keyed by the account credential.
14. The sensitive data tracing apparatus of claim 12, wherein,
in the service traffic:
the traffic from the browser comprises the business parameters entered by the user, the account login credential and the requested interface; and the traffic from the application server comprises the result of checking the traffic from the browser and the response returned according to the business parameters entered by the user.
15. The sensitive data tracing apparatus of claim 14, wherein
the second data set includes an account credential, an application system name, an interface, a response field and a request field.
16. The sensitive data tracing apparatus of claim 15, wherein the third data set is determined by:
associating the second data set with the first data set through the account credential, looking up the account in the first data set, and merging the account into the second data set to obtain the third data set.
17. The sensitive data tracing apparatus of claim 16, further comprising:
a display module, configured to associate the sensitive information with the third data set and display them.
18. The sensitive data tracing apparatus of claim 16, further comprising:
a portrait module, configured to profile the server related to the interface, the application system, the account or the response field in the third data set.
19. A security gateway, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the sensitive data tracing method based on an application data gateway of any one of claims 1 to 9.
20. An application data gateway system, characterized in that it comprises a security gateway according to the preceding claim 19.
21. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method for tracing sensitive data based on an application data gateway according to any of claims 1 to 9.
CN201910687236.XA 2019-07-29 2019-07-29 Sensitive data tracing method, device, security gateway and system Active CN110661776B (en)


Publications (2)

Publication Number Publication Date
CN110661776A CN110661776A (en) 2020-01-07
CN110661776B true CN110661776B (en) 2021-12-24

Family

ID=69036385




Similar Documents

Publication Publication Date Title
CN110661776B (en) Sensitive data tracing method, device, security gateway and system
US11113412B2 (en) System and method for monitoring and verifying software behavior
US10740411B2 (en) Determining repeat website users via browser uniqueness tracking
US9805209B2 (en) Systems and methodologies for managing document access permissions
US10560435B2 (en) Enforcing restrictions on third-party accounts
DE202014010889U1 (en) Priority static hosted web applications
US11429565B2 (en) Terms of service platform using blockchain
CN111416811A (en) Unauthorized vulnerability detection method, system, equipment and storage medium
US11765112B2 (en) Context driven dynamic actions embedded in messages
CN110636038A (en) Account number analysis method, account number analysis device, security gateway and system
CN111539775A (en) Application program management method and device
CN110933152B (en) Preheating method, device and system and electronic equipment
CN113569179A (en) Subsystem access method and device based on unified website
US9904662B2 (en) Real-time agreement analysis
CN109542743B (en) Log checking method and device, electronic equipment and computer readable storage medium
CN108965108B (en) Message pushing method and related equipment
CN106603567A (en) WEB administrator login management method and device
CN116244751A (en) Data desensitization method, device, electronic equipment, storage medium and program product
JP2023067815A (en) Method, system and computer program product for detecting changes of external content referenced by external links (content management system)
CN115203671A (en) Account login method, device, equipment and storage medium
CN111367898A (en) Data processing method, device, system, electronic equipment and storage medium
CN111639020B (en) Program bug reproduction method, system, device, electronic equipment and storage medium thereof
CN110780996B (en) Process optimization method and device, storage medium and computer equipment
US11363038B2 (en) Detection of impersonation attempts in social media messaging
CN115037557B (en) Temporary identity authentication method and device for user access application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: Qianxin Technology Group Co.,Ltd.

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee before: Qianxin Technology Group Co.,Ltd.

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.