CN112347497A - Data security processing method - Google Patents

Publication number
CN112347497A
Authority
CN
China
Legal status
Pending
Application number
CN202011331336.8A
Other languages
Chinese (zh)
Inventor
杨恒翔
王燕军
杨大伟
杨柳
胡美慧
温刚
李凯
何伟
刘昆
孙若寒
向志威
马斌
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention relates to the technical field of data processing methods, in particular to a data security processing method which processes data through an encryption authentication module and an internal tolerance module. The invention realizes data safety processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the safety of data, simultaneously ensures the legality and the authenticity of a data source, and realizes the external level intrusion tolerance of a database through the tolerance of the internal tolerance module to errors in the data transmission process.

Description

Data security processing method
Technical Field
The invention relates to the technical field of data processing methods, in particular to a data security processing method.
Background
Databases are now used ever more widely and deeply; fields such as enterprise management and control, electronic commerce and banking systems all store large amounts of confidential information in databases. Database security has become an important issue that cannot be ignored. Database security means that no part of any database can be accessed or modified by malicious acts or unauthorized persons. It covers four main aspects: confidentiality, integrity, validity, and legitimacy.
The database security technology adopted at present mainly comprises: multi-level security databases, access control, intrusion detection, authentication, encryption, etc. The introduction of the intrusion tolerance technology provides a new approach for database security. Intrusion tolerant systems are able to continuously provide timely service to intended users even in the face of an attack.
This has three main aspects: first, it is accepted that the system has certain vulnerabilities; second, it is accepted that intrusions into sub-components can occur and can succeed; third, the security and availability of the whole system can still be ensured. This means that an intrusion tolerance system can detect information attacks that attack avoidance and prevention measures cannot detect, and can take the necessary measures to ensure that critical applications continue to operate correctly. Earlier intrusion tolerant databases provide only an internal intrusion tolerance function, which is far from sufficient for fields with high confidentiality requirements.
An effective solution to the problems in the related art has not been proposed yet.
Disclosure of Invention
The invention provides a data security processing method, which overcomes the defects of the prior art, realizes data security processing through an encryption authentication module and an internal tolerance module, realizes an encryption authentication function through the encryption authentication module, ensures the integrity, confidentiality and security of data, simultaneously ensures the legality and authenticity of a data source, can tolerate errors in the data transmission process, and realizes the external level intrusion tolerance of a database.
The technical scheme of the invention is realized by the following measures: a data security processing method processes data through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data through an authentication unit, determining that each field of the i-th record has not been modified, and determining the integrity and the validity of the data, wherein the authentication unit comprises:
constructing the value $X_i$:
Figure BDA0002795913090000011
in formula (1),
Figure BDA0002795913090000012
satisfies
Figure BDA0002795913090000013
$j = 1, 2, \ldots, n+2$;
encrypting the data by an encryption unit, the encryption unit comprising:
defining the i-th record of a table in the database as $(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
selecting n modulus values, where $X_i \in [0, M]$,
$X_i$ is expressed as:
Figure BDA0002795913090000021
in formula (2), $M = m_1 m_2 \cdots m_n$,
Figure BDA0002795913090000022
$x_{ij} < m_j$,
denoting the i-th record as $x_i = \mathrm{CRT}(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
expanding the n modulus values into n+2 modulus values, the other two modulus values being determined by:
$x_{n+k} > M_j$ (3),
in formula (3), $j = 1, 2, \ldots, n$ and $k = 1, 2$, and the extension fields of these two modulus values are represented as:
$x_{i,n+1} = X_i \bmod m_{n+1}$
$x_{i,n+2} = X_i \bmod m_{n+2}$
decrypting the data by a decryption unit, the decryption unit comprising:
the received field is recorded as:
Figure BDA0002795913090000023
the decrypted field is:
Figure BDA0002795913090000024
in formulae (4) to (5),
Figure BDA0002795913090000025
Figure BDA0002795913090000026
$1 \le j \le n+1$, $1 \le i \le p$.
The following are further optimizations and/or improvements of the technical solution of the invention:
The internal tolerance module comprises an agent service unit, an error repair unit, an error isolation unit, an event management unit and an intrusion detection unit, wherein the agent service unit, the error repair unit, the error isolation unit and the intrusion detection unit are each in communication connection with the event management unit.
The proxy service unit comprises more than one heterogeneous proxy server.
The error recovery unit includes an error evaluation subcomponent and an error recovery subcomponent.
The invention realizes data safety processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the safety of data, simultaneously ensures the legality and the authenticity of a data source, and realizes the external level intrusion tolerance of a database through the tolerance of the internal tolerance module to errors in the data transmission process.
Drawings
FIG. 1 is a schematic block diagram of a data security processing method according to an embodiment of the present invention.
Fig. 2 is a schematic view of a scene application of the data security processing method according to the embodiment of the present invention.
Detailed Description
The present invention is not limited by the following examples, and specific embodiments may be determined according to the technical solutions and practical situations of the present invention.
The invention is further described below with reference to the following examples:
Example 1: as shown in fig. 1, the data security processing method processes data through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data through an authentication unit, determining that each field of the i-th record has not been modified, and determining the integrity and the validity of the data, wherein the authentication unit comprises:
constructing the value $X_i$:
Figure BDA0002795913090000031
in formula (1),
Figure BDA0002795913090000032
satisfies
Figure BDA0002795913090000033
$j = 1, 2, \ldots, n+2$;
The data is encrypted by an encryption unit, as shown in fig. 2; the encryption unit includes:
defining the i-th record of a table in the database as $(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
selecting n modulus values $(m_1, m_2, \ldots, m_n)$, where $X_i \in [0, M]$,
$X_i$ is expressed as:
Figure BDA0002795913090000034
in formula (2), $M = m_1 m_2 \cdots m_n$,
Figure BDA0002795913090000035
$x_{ij} < m_j$,
denoting the i-th record as $x_i = \mathrm{CRT}(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
expanding the n modulus values into n+2 modulus values, the other two modulus values being determined by:
$x_{n+k} > M_j$ (3),
in formula (3), $j = 1, 2, \ldots, n$ and $k = 1, 2$, and the extension fields of these two modulus values are represented as:
$x_{i,n+1} = X_i \bmod m_{n+1}$
$x_{i,n+2} = X_i \bmod m_{n+2}$
decrypting the data by a decryption unit, the decryption unit comprising:
the received field is recorded as:
Figure BDA0002795913090000041
the decrypted field is:
Figure BDA0002795913090000042
in formulae (4) to (5),
Figure BDA0002795913090000043
Figure BDA0002795913090000044
$1 \le j \le n+1$, $1 \le i \le p$.
The invention realizes secure data processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the security of data, simultaneously ensures the legality and the authenticity of the data source, and can tolerate errors in the data transmission process through the internal tolerance module to realize the external level intrusion tolerance of the database.
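The record encoding of Example 1 (n data fields combined by CRT, plus two extension fields) can be exercised as follows. This is an added example, not code from the patent, and it goes beyond the text by also locating a single modified field. Formulas (1), (4) and (5) are not reproduced on this page, so the check used here (rebuild $X_i$ from the data fields and compare both extension fields) is an assumption, as are the name `RecordCodec`, the sample moduli and the requirement that both extension moduli exceed every base modulus.

```python
from itertools import combinations
from math import gcd, prod

def crt(residues, moduli):
    """Unique X in [0, prod(moduli)) with X % m == r % m for each pair (pairwise-coprime moduli)."""
    M = prod(moduli)
    total = 0
    for r, m in zip(residues, moduli):
        Mj = M // m
        total += r * Mj * pow(Mj, -1, m)   # pow(x, -1, m) is the modular inverse (Python 3.8+)
    return total % M

class RecordCodec:
    """Hypothetical helper: n base moduli for the data fields, two extension moduli for checking."""

    def __init__(self, base, extra):
        mods = list(base) + list(extra)
        if any(gcd(a, b) != 1 for a, b in combinations(mods, 2)):
            raise ValueError("moduli must be pairwise coprime")
        if len(extra) != 2 or min(extra) <= max(base):
            raise ValueError("need two extension moduli larger than every base modulus")
        self.base, self.mods, self.M = list(base), mods, prod(base)

    def encode(self, fields):
        """Return the stored row: the n fields followed by X mod m_(n+1) and X mod m_(n+2)."""
        if len(fields) != len(self.base) or any(not 0 <= x < m for x, m in zip(fields, self.base)):
            raise ValueError("each field x_ij must satisfy 0 <= x_ij < m_j")
        X = crt(fields, self.base)
        return list(fields) + [X % m for m in self.mods[len(self.base):]]

    def verify(self, stored):
        """True only if every field is in range and both extension fields match the rebuilt X."""
        n = len(self.base)
        # Range check first: x_ij + m_j rebuilds the same X and would otherwise go unnoticed.
        if len(stored) != len(self.mods) or any(not 0 <= r < m for r, m in zip(stored, self.mods)):
            return False
        X = crt(stored[:n], self.base)
        return all(X % m == r for m, r in zip(self.mods[n:], stored[n:]))

    def repair(self, stored):
        """Assuming at most one field changed, return (index, fixed_row); index is None if intact."""
        stored = list(stored)
        if self.verify(stored):
            return None, stored
        for j in range(len(self.mods)):
            # Drop field j and rebuild from the other n+1; only the true X lands back in [0, M).
            X = crt(stored[:j] + stored[j + 1:], self.mods[:j] + self.mods[j + 1:])
            fixed = [X % m for m in self.mods]
            if X < self.M and all(fixed[k] == stored[k] for k in range(len(fixed)) if k != j):
                return j, fixed
        raise ValueError("more than one field is inconsistent; cannot repair")

if __name__ == "__main__":
    codec = RecordCodec([97, 101, 103], [107, 109])   # constructed sample moduli
    row = codec.encode([42, 7, 88])                   # constructed sample record
    tampered = row.copy()
    tampered[1] = 8
    print(row, codec.verify(row), codec.verify(tampered), codec.repair(tampered))
```

In this sketch the extension fields are an unkeyed function of the data fields and the moduli, so the check only holds against a modifier who does not know the moduli.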
Example 2: as an optimization of the above embodiment, the internal tolerance module includes an agent service unit, an error repairing unit, an error isolating unit, an event management unit, and an intrusion detection unit, and the agent service unit, the error repairing unit, the error isolating unit, and the intrusion detection unit are respectively in communication connection with the event management unit.
Example 3: as an optimization of the above embodiment, the proxy service unit includes more than one heterogeneous proxy server.
Example 4: as an optimization of the above embodiment, the error repair unit includes an error evaluation subcomponent and an error repair subcomponent.
The proxy service unit comprises a plurality of heterogeneous proxy servers and is used for filtering and sanitizing the service requests of clients. Specifically, it is the internal tolerance module's first line of defense against intrusion and the first barrier for achieving internal tolerance. Because the proxy server group sits at the outermost layer of the internal tolerance module and is therefore one of the main targets of external attacks, a plurality of proxy servers is used so that the system has a certain tolerance capability.
The error repair unit is used for identifying and repairing the damaged part and confirming the integrity of the database. Specifically, after the database has been intruded upon, the damaged part can be found and repaired as soon as possible, so that the whole database remains usable even while under attack. The error repair unit is therefore an indispensable component of the intrusion tolerant database. The biggest challenge for damage repair is malicious transactions, which may also directly or indirectly affect other normal transactions, so the error repair unit may be given two subcomponents: an error evaluation subcomponent and an error repair subcomponent. The role of the error evaluation subcomponent is to find all transactions affected by the malicious transaction; transaction tracking techniques can be used to find the whole series of subsequent transactions that it affected. The role of the error repair subcomponent is to restore the correctness of the database. All transactions affected by malicious transactions can be cleared by means of a dedicated cleanup transaction. A simple form of cleanup is to restore the data of each affected transaction to its most recent uncorrupted value.
The error isolation unit is used for calling the error repair unit and for re-judging suspicious transactions. Specifically, if the damage repair module (error repair unit) were called directly, the event manager (event management unit) would need a long time to re-judge the suspicious transaction. During the response time of that judgment, many normal programs may execute after the malicious transaction and be affected by it, so that the malicious transaction spreads over a wide range. An error isolation unit is therefore introduced to reduce the impact of malicious transactions on normal transactions.
First, the event manager sets two limits for abnormal transactions and makes a direct judgment based on the report of the intrusion detection system (intrusion detection unit). When the degree of abnormality of an abnormal transaction exceeds the first-level limit, the transaction is directly judged to be malicious, and the damage repair module is called directly to process it. When the degree of abnormality exceeds the second-level limit, the transaction is defined as suspicious; it is taken out of the main database and placed in the virtual isolation database, where its operations are restricted. The event manager then re-checks the suspicious transaction and determines its nature in detail: if it is judged to be a normal event, the transaction returns to the original main database and continues to operate; if it is judged to be malicious, the damage repair module is called to process it. This can greatly reduce the extent to which malicious transactions spread.
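The event manager's two-limit triage together with the error repair unit's evaluate-then-clean-up steps, as an added example that is not part of the patent. The read/write-set taint rule, the numeric limits, the `recheck` callback and the sample log are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MALICIOUS_LIMIT = 0.8    # first-level limit (constructed value)
SUSPICIOUS_LIMIT = 0.5   # second-level limit (constructed value)

@dataclass
class Txn:
    tid: int
    reads: set     # items the transaction read
    writes: dict   # item -> value the transaction wrote

def triage(score):
    """Map the intrusion detection unit's abnormality score onto the two limits."""
    if score > MALICIOUS_LIMIT:
        return "malicious"
    if score > SUSPICIOUS_LIMIT:
        return "suspicious"
    return "normal"

def affected_transactions(log, bad_tid):
    """Error evaluation: follow the commit-ordered log and collect every transaction
    that read an item whose current value derives from the malicious transaction."""
    tainted, dirty = set(), set()
    for t in log:
        if t.tid == bad_tid or (t.reads & dirty):
            tainted.add(t.tid)
            dirty |= set(t.writes)
        else:
            dirty -= set(t.writes)   # a clean overwrite removes the taint from that item
    return tainted

def replay(initial, log, skip=frozenset()):
    """Error repair: rebuild the state from the last good snapshot, leaving out the
    skipped transactions, so each item ends at its most recent uncorrupted value."""
    db = dict(initial)
    for t in log:
        if t.tid not in skip:
            db.update(t.writes)
    return db

def handle_report(initial, log, tid, score, recheck):
    """Event-manager flow; returns (final verdict, resulting main-database state)."""
    verdict = triage(score)
    if verdict == "suspicious":
        # The transaction sits in the virtual isolation database while recheck() runs.
        verdict = "malicious" if recheck(tid) else "normal"
    if verdict == "malicious":
        return verdict, replay(initial, log, affected_transactions(log, tid))
    return verdict, replay(initial, log)

# Constructed sample data: transaction 2 is the one the intrusion detection unit reports.
INITIAL = {"a": 100, "b": 50, "c": 10, "d": 0}
LOG = [
    Txn(1, {"a"}, {"a": 110}),
    Txn(2, {"b"}, {"b": 9999}),    # reported transaction
    Txn(3, {"b"}, {"c": 10009}),   # read the corrupted b
    Txn(4, {"a"}, {"d": 110}),
    Txn(5, {"c"}, {"d": 10009}),   # read c, which transaction 3 corrupted
    Txn(6, set(), {"b": 60}),      # blind write: b is clean again
    Txn(7, {"b"}, {"a": 170}),     # read the clean b
]

if __name__ == "__main__":
    print(sorted(affected_transactions(LOG, 2)))
    print(handle_report(INITIAL, LOG, 2, 0.9, recheck=lambda tid: True))
```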
The event management unit is used for connecting the internal database group and the external agent server group, and for taking measures to control and manage the other components (namely the other units) on the basis of the detection result of the intrusion detection unit. Specifically, as the core component of the internal tolerance module, it is responsible for connecting the internal database group and the external agent server group, acts as a central bridge, and communicates with the intrusion detection unit, so that measures are taken to control and manage the other components on the basis of the intrusion detection result. The agent servers at the outermost layer are easily attacked; the event manager can continuously send detection signals to the intrusion detection unit, determine the state of an agent server from the response signals, judge the degree of damage to the agent server from those signals, and then lower the service priority of that agent or even stop it from working, so as to ensure the safety of the internal systems (computer systems and the like). When an intrusion bypasses the proxy server group and enters the system, the intrusion detection system (intrusion detection unit) first detects the abnormal behavior of the proxy server and reports the detection result to the event manager; the intrusion detection system cannot report errors 100% correctly. To reduce the false alarm rate of the intrusion detection system, the event manager analyzes the intrusion again and, according to the analysis result, takes no action for a normal event, calls the error isolation unit to isolate a suspicious event, and calls the error isolation unit to repair a malicious event.
In addition, the event manager is also a medium for the mutual communication of the distributed databases, a safe communication channel is provided, the overall safety of the transaction is enhanced, and meanwhile, the event manager is combined with an intrusion detection system to carry out detection control on the distributed databases.
The intrusion detection unit is used for collecting information from a number of key points and analyzing it to determine whether there are behaviors that violate the security policy or signs of attack. Specifically, it collects information from several key points in a computer network or computer system and analyzes it to find out whether the network or system shows behavior that violates the security policy or signs of attack. An IDS (intrusion detection system) monitors all activity of the tolerant databases, the tolerant agents and the systems. The IDS may run alone on a dedicated platform or may be embedded in a particular module of the system. Compared with intrusion tolerance systems, intrusion detection systems are more mature.
The above technical features constitute an embodiment of the invention, which has strong adaptability and implementation effect; non-essential technical features can be added or removed according to actual needs to suit different situations.

Claims (5)

1. A data security processing method is characterized in that data is processed through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data by an authentication unit, the authentication unit comprising:
constructing the value $X_i$:
Figure FDA0002795913080000011
in formula (1),
Figure FDA0002795913080000012
satisfies
Figure FDA0002795913080000013
$j = 1, 2, \ldots, n+2$;
encrypting the data by an encryption unit, the encryption unit comprising:
defining the i-th record of a table in the database as $(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
selecting n modulus values, where $X_i \in [0, M]$,
$X_i$ is expressed as:
Figure FDA0002795913080000014
in formula (2), $M = m_1 m_2 \cdots m_n$,
Figure FDA0002795913080000015
$x_{ij} < m_j$,
denoting the i-th record as $x_i = \mathrm{CRT}(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
expanding the n modulus values into n+2 modulus values, the other two modulus values being determined by:
$x_{n+k} > M_j$ (3),
in formula (3), $j = 1, 2, \ldots, n$ and $k = 1, 2$, and the extension fields of these two modulus values are represented as:
$x_{i,n+1} = X_i \bmod m_{n+1}$
$x_{i,n+2} = X_i \bmod m_{n+2}$
decrypting the data by a decryption unit, the decryption unit comprising:
the received field is recorded as:
Figure FDA0002795913080000016
the decrypted field is:
Figure FDA0002795913080000017
in formulae (4) to (5),
Figure FDA0002795913080000018
Figure FDA0002795913080000021
$1 \le j \le n+1$, $1 \le i \le p$.
2. The data security processing method according to claim 1, wherein the internal tolerance module includes a proxy service unit, an error recovery unit, an error isolation unit, an event management unit, and an intrusion detection unit, and the proxy service unit, the error recovery unit, the error isolation unit, and the intrusion detection unit are respectively in communication connection with the event management unit.
3. The data security processing method according to claim 1 or 2, wherein the proxy service unit includes more than one heterogeneous proxy server.
4. The data security processing method according to claim 1 or 2, wherein the error recovery unit includes an error evaluation subcomponent and an error recovery subcomponent.
5. The data security processing method of claim 3, wherein the error recovery unit includes an error evaluation subcomponent and an error recovery subcomponent.
CN202011331336.8A 2020-11-24 2020-11-24 Data security processing method Pending CN112347497A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011331336.8A CN112347497A (en) 2020-11-24 2020-11-24 Data security processing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011331336.8A CN112347497A (en) 2020-11-24 2020-11-24 Data security processing method

Publications (1)

Publication Number Publication Date
CN112347497A true CN112347497A (en) 2021-02-09

Family

ID=74364740

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011331336.8A Pending CN112347497A (en) 2020-11-24 2020-11-24 Data security processing method

Country Status (1)

Country Link
CN (1) CN112347497A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020188870A1 (en) * 2001-06-11 2002-12-12 Mcnc Intrusion tolerant server system
CN1819583A (en) * 2005-10-20 2006-08-16 北京邮电大学 Hierarchical tolerant invading scheme based on threshold
CN101159003A (en) * 2007-11-16 2008-04-09 中国科学院软件研究所 Data-base malevolence transaction method and system thereof
CN108197496A (en) * 2018-01-18 2018-06-22 成都博睿德科技有限公司 Data safety Enhancement Method under cloud computing environment
CN109691016A (en) * 2016-07-08 2019-04-26 卡列普顿国际有限公司 Distributing real time system and Verification System

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李方涛等: "基于入侵容忍的集成数据库安全结构", 《计算机工程与设计》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210209