CN112347497A - Data security processing method - Google Patents
Data security processing method Download PDFInfo
- Publication number
- CN112347497A CN112347497A CN202011331336.8A CN202011331336A CN112347497A CN 112347497 A CN112347497 A CN 112347497A CN 202011331336 A CN202011331336 A CN 202011331336A CN 112347497 A CN112347497 A CN 112347497A
- Authority
- CN
- China
- Prior art keywords
- unit
- data
- encryption
- error
- processing method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 16
- 238000001514 detection method Methods 0.000 claims description 25
- 238000011084 recovery Methods 0.000 claims description 9
- 238000002955 isolation Methods 0.000 claims description 8
- 238000011156 evaluation Methods 0.000 claims description 6
- 238000004891 communication Methods 0.000 claims description 5
- 239000011541 reaction mixture Substances 0.000 claims description 3
- 238000000034 method Methods 0.000 abstract description 6
- 230000008569 process Effects 0.000 abstract description 5
- 230000005540 biological transmission Effects 0.000 abstract description 4
- 238000012545 processing Methods 0.000 abstract description 4
- 230000008439 repair process Effects 0.000 description 14
- 230000002159 abnormal effect Effects 0.000 description 4
- 239000000306 component Substances 0.000 description 4
- 238000005457 optimization Methods 0.000 description 4
- 230000006399 behavior Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 206010000117 Abnormal behaviour Diseases 0.000 description 1
- 230000005856 abnormality Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 230000003247 decreasing effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000009545 invasion Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention relates to the technical field of data processing methods, in particular to a data security processing method which processes data through an encryption authentication module and an internal tolerance module. The invention realizes data safety processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the safety of data, simultaneously ensures the legality and the authenticity of a data source, and realizes the external level intrusion tolerance of a database through the tolerance of the internal tolerance module to errors in the data transmission process.
Description
Technical Field
The invention relates to the technical field of data processing methods, in particular to a data security processing method.
Background
Nowadays, the application of world databases is more and more extensive and deeper, for example, the fields of management and control of enterprises, electronic commerce, bank systems and the like all require a large amount of confidential information stored in the databases. Database security has become an important and not negligible issue. Database security refers to the inability of any portion of any database to be accessed or modified by malicious acts or unauthorized persons. Its main connotation includes 4 aspects: confidentiality, integrity, validity, and legitimacy.
The database security technology adopted at present mainly comprises: multi-level security databases, access control, intrusion detection, authentication, encryption, etc. The introduction of the intrusion tolerance technology provides a new approach for database security. Intrusion tolerant systems are able to continuously provide timely service to intended users even in the face of an attack.
This mainly includes 3 levels of meaning: firstly, a system is admitted to have certain loopholes; secondly, the invasion of the sub-component can be admitted and can be successfully implemented; the safety and the availability of the whole system can be still ensured; this means that the intrusion tolerance system can detect information attacks that cannot be detected by attack avoidance and prevention means and take necessary measures to ensure that critical applications can continue to be correct. The previous intrusion tolerance database only provides an internal intrusion tolerance function, which is far from enough for the field with high confidentiality requirement.
An effective solution to the problems in the related art has not been proposed yet.
Disclosure of Invention
The invention provides a data security processing method, which overcomes the defects of the prior art, realizes data security processing through an encryption authentication module and an internal tolerance module, realizes an encryption authentication function through the encryption authentication module, ensures the integrity, confidentiality and security of data, simultaneously ensures the legality and authenticity of a data source, can tolerate errors in the data transmission process, and realizes the external level intrusion tolerance of a database.
The technical scheme of the invention is realized by the following measures: a data security processing method processes data through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data through an authentication unit, determining that each field of the i records is not modified, and determining the integrity and the validity of the data, wherein the authentication unit comprises:
j=1,2,…,n+2;
Encrypting data by an encryption unit, the encryption unit comprising:
defining the ith record of a table in the database as (x)i1,xi2,xi3,…,xin),
Selecting n modulus values, where Xi∈[0,M],
in the formula (2), M ═ M1m2…mn,
Denote the ith record as xi=CRT(xi1,xi2,xi3,…,xin),
Expanding the N modular values into N +2 modular values, and determining the other two modular values as:
xn+k>Mj (3),
in equation (3), j is 1,2.. n, and k is 1,2, and the extension fields of these two modulus values are represented as:
xin+1=Ximodmn+1,
xin+2=Ximodmn+2;
decrypting the data by a decryption unit, the decryption unit comprising:
the receive field is recorded as:
the decryption field is:
the following is further optimization or/and improvement of the technical scheme of the invention:
the internal tolerance module comprises an agent service unit, an error repair unit, an error isolation unit, an event management unit and an intrusion detection unit, wherein the agent service unit, the error repair unit, the error isolation unit and the intrusion detection unit are respectively in communication connection with the event management unit.
The proxy service unit comprises more than one heterogeneous proxy server.
The error recovery unit includes an error evaluation subcomponent and an error recovery subcomponent.
The invention realizes data safety processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the safety of data, simultaneously ensures the legality and the authenticity of a data source, and realizes the external level intrusion tolerance of a database through the tolerance of the internal tolerance module to errors in the data transmission process.
Drawings
FIG. 1 is a schematic block diagram of a data security processing method according to an embodiment of the present invention.
Fig. 2 is a schematic view of a scene application of the data security processing method according to the embodiment of the present invention.
Detailed Description
The present invention is not limited by the following examples, and specific embodiments may be determined according to the technical solutions and practical situations of the present invention.
The invention is further described below with reference to the following examples:
example 1: as shown in fig. 1, the data security processing method processes data through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data through an authentication unit, determining that each field of the i records is not modified, and determining the integrity and the validity of the data, wherein the authentication unit comprises:
j=1,2,…,n+2;
The data is encrypted by an encryption unit, as shown in fig. 2, the encryption unit includes:
defining the ith record of a table in the database as (x)i1,xi2,xi3,…,xin),
Select n modulus values (m)1m2…mn) Wherein X isi∈[0,M],
in the formula (2), M ═ M1m2…mn,
Record the ith as xi=CRT(xi1,xi2,xi3,…,xin),
Expanding the N modular values into N +2 modular values, and determining the other two modular values as:
xn+k>Mj (3),
in equation (3), j is 1,2.. n, and k is 1,2, and the extension fields of these two modulus values are represented as:
xin+1=Ximodmn+1,
xin+2=Ximodmn+2;
decrypting the data by a decryption unit, the decryption unit comprising:
the receive field is recorded as:
the decryption field is:
the invention realizes data safety processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the safety of data, simultaneously ensures the legality and the authenticity of a data source, and can tolerate errors in the data transmission process through the internal tolerance module to realize the external level intrusion tolerance of the database.
Example 2: as an optimization of the above embodiment, the internal tolerance module includes an agent service unit, an error repairing unit, an error isolating unit, an event management unit, and an intrusion detection unit, and the agent service unit, the error repairing unit, the error isolating unit, and the intrusion detection unit are respectively in communication connection with the event management unit.
Example 3: as an optimization of the above embodiment, the proxy service unit includes more than one heterogeneous proxy server.
Example 4: as an optimization of the above embodiment, the error repair unit includes an error evaluation subcomponent and an error repair subcomponent.
The proxy service unit comprises a plurality of heterogeneous proxy servers, and is used for filtering and purifying service requests of clients. Specifically, the first defense line for blocking intrusion by the internal tolerance module is a first barrier for realizing internal tolerance. Because the proxy server group is positioned at the outermost layer of the internal tolerance module and is easy to become one of the important targets of external attacks, a plurality of proxy servers are adopted, so that the system has certain tolerance capability.
And the error repairing unit is used for determining and repairing the damaged part and determining the integrity of the database. Specifically, after the database is invaded, the damaged part can be found out, and the damaged part can be repaired as soon as possible, so that the whole database can still be used even under the condition of facing attack. Thus, the error recovery unit is an indispensable component of the intrusion tolerant database. The biggest challenge for damage repair is malicious transactions, which may also directly or indirectly affect other normal transactions, so the error repair unit may set two subcomponents: an error evaluation subcomponent and an error repair subcomponent. The role of the error evaluation subcomponent is to find all transactions affected by this malicious transaction, and transaction tracking techniques can be employed to find a series of all subsequent transactions affected by the malicious transaction. The role of the error repair subcomponent is to restore the correctness of the database. All transactions affected by malicious transactions can be cleared by setting a specific clearing transaction. The simpler way to clean up the transaction is: the data of the affected transaction is restored to the original data that was not corrupted the last time.
The error isolation unit is used for calling the error repair unit and carrying out re-judgment on the suspicious transaction. Specifically, direct invocation of the damage repair module (error repair unit) requires the event manager (event management unit) to make a long time to re-determine the suspicious transaction. In the response time of the judgment, many normal programs may be executed after the malicious transaction and affected, so that the malicious program spreads to a wide range. We therefore introduce an error isolation unit to reduce the impact of malicious transactions on normal transactions.
First, the event manager sets two abnormal transaction limits. According to the report of an intrusion detection system (intrusion detection unit), directly judging, when the degree of non-normality of a certain abnormal transaction exceeds the limit of a first level, directly judging the abnormal transaction as a malicious transaction, and then directly calling a damage repair module to process the malicious transaction; and when the degree of abnormality of an abnormal transaction exceeds the limit of the second level, the transaction is defined as a suspicious transaction, and the transaction needs to be taken out of the main database and put into the virtual isolation database to perform the limiting operation on the suspicious transaction. The event manager then starts to re-check the suspicious transaction and determines in detail the nature of this transaction: when the event is judged to be a normal event, the transaction returns to the original main database to continue operation; and if the suspicious transaction is judged to be a malicious transaction, the damage repair module is called again to process the malicious transaction. This can greatly reduce the extent of the spread of malicious transactions.
The event management unit is used for connecting the internal database group and the external agent server group, and taking certain measures to control and manage other components (namely other units) on the basis of the detection result of the intrusion detection unit. Specifically, as a core component of the internal tolerance module, the internal tolerance module is responsible for connecting an internal database group and an external agent server group, plays a role of a central bridge, and is communicated with an intrusion detection unit, so that certain measures are taken to control and manage other components on the basis of an intrusion detection result. The agent server at the outmost layer is easy to be attacked, the event manager can continuously send detection signals to the intrusion detection unit, then detect the state of the agent server according to the response signals, judge the damage degree of the agent server according to the signals, then reduce the service priority of the agent, even stop the working capacity of the agent, and ensure the safety of internal systems (computer systems and the like). When an intrusion bypasses the proxy server group and enters the system, the intrusion detection system (intrusion detection unit) first detects the abnormal behavior of the proxy server and reports the detection result to the event manager, and the intrusion detection system cannot report errors 100% correctly. In order to reduce the false alarm rate of the intrusion detection system, the event manager analyzes the intrusion again and according to the analysis result: and (4) carrying out no treatment on the normal event, calling an error isolation unit for the suspicious event to isolate the event, and calling the error isolation unit for the malicious event to repair the event. In addition, the event manager is also a medium for the mutual communication of the distributed databases, a safe communication channel is provided, the overall safety of the transaction is enhanced, and meanwhile, the event manager is combined with an intrusion detection system to carry out detection control on the distributed databases.
The intrusion detection unit is used for collecting information of a plurality of key points and analyzing the information to determine whether behaviors violating the security policy and signs of attack exist. Specifically, it collects information from several key points in a computer network or computer system and analyzes it to find out whether there is a behavior violating security policy and a sign of attack in the network or system. An IDS (intrusion detection system) monitors the entire activity of tolerant databases, tolerant agents and systems. The IDS may run on a dedicated platform alone or may be embedded into a particular module of the system. Compared with an intrusion tolerance system, the intrusion detection system is developed more mature.
The technical characteristics form an embodiment of the invention, which has strong adaptability and implementation effect, and unnecessary technical characteristics can be increased or decreased according to actual needs to meet the requirements of different situations.
Claims (5)
1. A data security processing method is characterized in that data is processed through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data by an authentication unit, the authentication unit comprising:
j=1,2,…,n+2;
Encrypting data by an encryption unit, the encryption unit comprising:
defining the ith record of a table in the database as (x)i1,xi2,xi3,…,xin),
Selecting n modulus values, where Xi∈[0,M],
in the formula (2), M ═ M1m2…mn,
Denote the ith record as xi=CRT(xi1,xi2,xi3,…,xin),
Expanding the N modular values into N +2 modular values, and determining the other two modular values as:
xn+k>Mj (3),
in equation (3), j is 1,2.. n, and k is 1,2, and the extension fields of these two modulus values are represented as:
xin+1=Ximodmn+1,
xin+2=Ximodmn+2;
decrypting the data by a decryption unit, the decryption unit comprising:
the receive field is recorded as:
the decryption field is:
2. the data security processing method according to claim 1, wherein the internal tolerance module includes a proxy service unit, an error recovery unit, an error isolation unit, an event management unit, and an intrusion detection unit, and the proxy service unit, the error recovery unit, the error isolation unit, and the intrusion detection unit are respectively in communication connection with the event management unit.
3. The data security processing method according to claim 1 or 2, wherein the proxy service unit includes more than one heterogeneous proxy server.
4. The data security processing method according to claim 1 or 2, wherein the error recovery unit includes an error evaluation subcomponent and an error recovery subcomponent.
5. The data security processing method of claim 3, wherein the error recovery unit includes an error evaluation subcomponent and an error recovery subcomponent.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011331336.8A CN112347497A (en) | 2020-11-24 | 2020-11-24 | Data security processing method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011331336.8A CN112347497A (en) | 2020-11-24 | 2020-11-24 | Data security processing method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112347497A true CN112347497A (en) | 2021-02-09 |
Family
ID=74364740
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011331336.8A Pending CN112347497A (en) | 2020-11-24 | 2020-11-24 | Data security processing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112347497A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020188870A1 (en) * | 2001-06-11 | 2002-12-12 | Mcnc | Intrusion tolerant server system |
CN1819583A (en) * | 2005-10-20 | 2006-08-16 | 北京邮电大学 | Hierarchical tolerant invading scheme based on threshold |
CN101159003A (en) * | 2007-11-16 | 2008-04-09 | 中国科学院软件研究所 | Data-base malevolence transaction method and system thereof |
CN108197496A (en) * | 2018-01-18 | 2018-06-22 | 成都博睿德科技有限公司 | Data safety Enhancement Method under cloud computing environment |
CN109691016A (en) * | 2016-07-08 | 2019-04-26 | 卡列普顿国际有限公司 | Distributing real time system and Verification System |
-
2020
- 2020-11-24 CN CN202011331336.8A patent/CN112347497A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020188870A1 (en) * | 2001-06-11 | 2002-12-12 | Mcnc | Intrusion tolerant server system |
CN1819583A (en) * | 2005-10-20 | 2006-08-16 | 北京邮电大学 | Hierarchical tolerant invading scheme based on threshold |
CN101159003A (en) * | 2007-11-16 | 2008-04-09 | 中国科学院软件研究所 | Data-base malevolence transaction method and system thereof |
CN109691016A (en) * | 2016-07-08 | 2019-04-26 | 卡列普顿国际有限公司 | Distributing real time system and Verification System |
CN108197496A (en) * | 2018-01-18 | 2018-06-22 | 成都博睿德科技有限公司 | Data safety Enhancement Method under cloud computing environment |
Non-Patent Citations (1)
Title |
---|
李方涛等: "基于入侵容忍的集成数据库安全结构", 《计算机工程与设计》 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20130086685A1 (en) | Secure integrated cyberspace security and situational awareness system | |
CN110233817B (en) | Container safety system based on cloud computing | |
WO2004061667A1 (en) | System and method to proactively detect software tampering | |
CN105516189B (en) | Network security enforcement system and method based on big data platform | |
CN109409087B (en) | Anti-privilege-raising detection method and device | |
WO2013049562A1 (en) | Secure integrated cyberspace security and situational awareness system | |
CN116708210A (en) | Operation and maintenance processing method and terminal equipment | |
CN116527299A (en) | Network-based safety protection method and dynamic defense system | |
Shulman et al. | Top ten database security threats | |
Yu | Encryption technology for computer network data security protection | |
CN112347497A (en) | Data security processing method | |
JP2008250728A (en) | Information leakage monitoring system and information leakage monitoring method | |
CN112000953A (en) | Big data terminal safety protection system | |
JP2004005377A (en) | Method for preventing recurrence of multiplex system outage | |
Yang et al. | Analysis of Computer Network Security and Prevention Technology | |
Abbas et al. | A state of the art security taxonomy of internet security: threats and countermeasures | |
KR20190140314A (en) | System and method for real time prevention and post recovery for malicious software | |
JP6987406B2 (en) | Penetration test monitoring server and system | |
CN116032660B (en) | AD domain threat identification method, device, electronic equipment and storage medium | |
CN117439823B (en) | Cloud data intelligent authority authentication safety protection method and system | |
US20040250121A1 (en) | Assessing security of information technology | |
Kornecki et al. | Availability assessment of embedded systems with security vulnerabilities | |
Liu | Data Security Threats of Log Aggregation | |
MOSTAFA et al. | FALSE ALARM REDUCTION SCHEME FOR DATABASE INTRUSION DETECTION SYSTEM. | |
KR20100049470A (en) | Method and apparatur for detecting distributed denial of service attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210209 |