JP2014194621A - Information concealing device, and information concealing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information concealing device that securely and rapidly conceals identification information.SOLUTION: An information concealing device comprises: a first randomizer that receives input of data including identification information and outputs the input data in random order; and a token generation section that replaces the identification information in the data output from the first randomizer with a token. A token management device comprises a token generation unit and a restoration unit. The identification information is key information (field) for identifying a record managed in a database system and includes personally identifiable information such as user's personal information and ID. Therefore, information is analyzed by an external analysis system and the identification information is replaced and transmitted to the analysis system.

Description

  The present invention relates to an information concealment device and an information concealment method.

  With the development of cloud computing, data including identification information accumulated in a database is transmitted to an external information processing service via a network to request analysis and the like. The identification information may contain personally identifiable information such as personal information and ID of the user. Therefore, to prevent information leakage, the identification information is concealed when data is transmitted to the outside. It was.

  On the other hand, depending on the specifications of the database system, there are many that have a specific appearance pattern based on the specifications of the database, such as outputting the accumulated data in the order of the recorded date, for example, simply by concealing the identification information, In some cases, the user can be identified from the order of the data.

  For example, when analyzing patient data with a specific disease on a monthly basis, even if the patient identification information is concealed, if the data is output in the registration order in the database, a certain amount of patient In some cases, it could be identified.

  Therefore, in a conventional database system, for example, a method of sorting and outputting accumulated data at random using a command such as (SELECT * FROM table ORDER BY RAND ()) has been used.

  In addition, there is a method of managing user identification information with a token for managing user identification information. Furthermore, as a purpose of improving the data storage rate in the storage area in the database, there has been a method of handling a set of simultaneously handled data as one unit (for example, see Patent Documents 1-3).

JP 2005-284679 A JP 2011-211593 A JP 2008-276336 A

  However, in the above prior art, the randomization processing using sorting has a problem that the processing time is cumulatively delayed as the number of data records increases.

  Accordingly, an object of one aspect is to provide an information concealment device that conceals identification information safely and at high speed.

  In one plan, the information concealment device receives data including identification information, outputs the input data in a random order, and outputs the data from the first randomization device. A tokenizing unit that replaces the identification information of the generated data with a token.

  According to one aspect, it is possible to provide an information concealment device that conceals identification information safely and at high speed.

Overall system configuration diagram Configuration diagram of tokenization unit Operation flowchart of tokenizer Data input flowchart of order randomizer Data output flowchart of order randomizer Process flow chart of order randomizer Identifier number correspondence table Initial processing flowchart of the order randomizing device in the first embodiment Pool saving flowchart of the order randomizing device in the first embodiment Pool take-out flowchart of the sequence randomizer in the first embodiment Virtual array image diagram in the first embodiment The figure explaining the outline | summary in 2nd Embodiment The figure explaining the pool arrangement | sequence in 2nd Embodiment Initial Processing Flowchart of Order Randomizing Device in Second Embodiment Flow chart of storing operation of order randomizing device in second embodiment Pool take-out operation flowchart of the order randomizing device in the second embodiment The figure explaining the outline | summary in 3rd Embodiment Initial Processing Flowchart of Order Randomizing Device in Third Embodiment Operation flow chart of order randomizing apparatus in third embodiment Overall system configuration diagram in the fourth embodiment Hardware configuration of token management device

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is an overall configuration diagram illustrating an example of an overall configuration of a system for performing information analysis.

  In FIG. 1, the analyst operates the analyst terminal 20. The analyst terminal 20 is connected to the database system 21 and collects data to be analyzed from the database system 21. The analyst terminal 20 is connected to the analysis system 22 via the tokenizing device 1, transmits information to be analyzed to the analysis system 22, and receives an analysis result.

  The database system 21 includes a database management system 211 and a storage unit 212. The database management system 211 is a system that manages and operates a database using database management software. As the data model, a relational database (RDB), an object relation database, or the like is used, and a database having a data structure corresponding to the database management software is constructed. In the present embodiment, an RDB that is a data structure in which a plurality of information items (fields) form one record will be mainly described.

  The token management device 1 includes a tokenization device 10 and a restoration device 11. Here, the “token” is information in which identification information is concealed, and refers to information that can have a one-to-one correspondence with the identification information. The identification information is key information (field) that identifies a record managed by the database system 21, and may include information that can identify an individual, such as a user's personal information or ID. For this reason, when information is analyzed by an external analysis system, the identification information is replaced with a token and transmitted to the analysis system 22. Further, tokenization refers to a process of replacing identification information with a token. Tokenization is a process of replacing a character string such as an ID with a specific character string (token), for example. The tokenization device 10 tokenizes the identification information in the data transmitted to the analysis system 22 as an “information concealment device”, and stores the correspondence so that each token can correspond to unique identification information. Manage. The restoration device 11 restores the token included in the result analyzed by the analysis system 22 to the original identification information. The token is managed by the tokenizing apparatus 10 and restored by a unique correspondence between the token and the identification information.

  The token management device 1 is implemented by, for example, a device connected to the analyst terminal via a LAN. Although the token management device 1 can be configured as an independent device, for example, the tokenization device and the restoration device may be independent of each other. Moreover, you may comprise as a system by several apparatus. Further, it may be configured as a virtual device such as a Web service on a network. Further, it may be implemented as software executed on the analyst terminal 20.

  The analysis system 22 is a system for analyzing information, for example, a business consignee outside the analyst. When an analysis requester builds an analysis system by himself, the construction and maintenance of the system will be very expensive. For this reason, when the frequency of use of the analysis system is low and the operation rate is expected to be low, it is better to use an external analysis system from the viewpoint of effective use of computer resources. At this time, if the information to be analyzed is stored in an external system as it is, there is a risk of information leakage. Therefore, the analysis requester needs the minimum information necessary for information analysis from the data collected from the database system 21. In addition, in order to reduce damage even if information leakage occurs, data in which the identification information is concealed is transmitted to the analysis system 22.

Next, the outline of the outsourcing process of data analysis in this system will be described as two procedures of analysis data collection and analysis request. The numbers in parentheses in the sentence correspond to the steps in FIG.
(Analysis data collection)

The database management system 211 of the database system 21 performs a search of data stored in the storage unit 212 in response to a query (inquiry) such as SQL (Structured Query Language) or XQuery from the analyst terminal 20 (1). Perform database operations. The database management system 211 returns search results and the like to the analyst terminal 20 as a response to the query (2) (2). By this series of operations, the analyst terminal 20 collects data to be analyzed.
(Analysis request)

  Based on the data collected from the database system 21, the analyst terminal 20 transmits data to be analyzed to be transmitted to the analysis system 22 to the token management apparatus 1 (3). Even if the analyst terminal 20 selects information that deletes records or fields unnecessary for analysis or changes age information to age information (20s, 30s, etc.) in the collected data. good. This selection of information may be performed by the tokenizing apparatus 10.

  The token management device 1 tokenizes the identification information included in the transmitted analysis target data, conceals it, and transmits it to the analysis system 22 (4). The analysis system 22 analyzes information included in the transmitted data, and transmits the analysis result to the token management device 1 (5). The token management device 1 restores the token part to the original identification information in the analysis result transmitted from the analysis system 22, and transmits the analysis result to the analyst terminal 20 (6). Outsourcing of information analysis is implemented by the above procedure.

  Next, the configuration of the tokenizing device 10 of the token management device 1 will be described with reference to FIG. FIG. 2 is a configuration diagram illustrating an example of the configuration of the tokenizing device.

  In FIG. 2, the tokenizer 10 includes an order randomizer 101 (shuffling of input data), a token management unit 102, an identifier numbering correspondence table 103, an order randomizer 104 (token randomization), and a token generator. 105.

  The order randomizing device 101 performs shuffling of input data. In this embodiment, it is assumed that information to be kept secret in the input data is “ID” as identification information and “age” as personal information. ID and age are associated with each other to form one record (data set).

  The order randomizing device 101 includes a storage unit 1011 and a random number generation unit 1012. The storage unit 1011 has a “pool” which is an internal storage area, and stores input data in the pool. The storage unit 1011 stores a predetermined storage number (record number) of input data in a pool storage location. The pool is a virtual array (table) that stores records.

  The random number generation unit 1012 generates a random number corresponding to the number of pools stored. For example, the random number generation unit 1012 generates random numbers in a range of n from 0 to (n−1) corresponding to the case where the number of storage is n.

  The order randomizing device 101 takes out the records sequentially stored in the pool of the storage unit 1011 in an arbitrary order (random) using the random numbers generated by the random number generation unit 1012. As a result, the regularity of the data output order depending on the specifications of the database system 21 can be destroyed, so that randomization processing at the time of data output in the database system 21 is not required, and the database system 21 can be operated at high speed. Data can be output. In FIG. 2, data is input in ascending order of IDs 950001, 950002, 950003,..., But the data output from the input data order randomizing unit 101 has IDs of 950003, 950073, 950029. Are output in random order from the pooled data.

  The token management unit 102 includes a tokenization unit 1021 and a token registration unit 1022. The token registration unit 1022 inquires the identifier number correspondence table 103 as to whether or not the ID of the input data has already been registered. In the identifier number correspondence table 103, IDs and already numbered tokens are registered in association with each other. When the inquired ID has already been registered, the identifier number correspondence table 103 returns the token value of the ID to the token registration unit 1022 as a response (1). On the other hand, when there is no registration of the inquired ID, an ID unregistered response is returned. Upon receiving the response with no ID registration, the token registration unit 1022 makes a token numbering request to the order randomizing device 104 (2).

  The order randomizing device 104 includes a storage unit 1041 and a random number generation unit 1042. The storage unit 1041 and the random number generation unit 1042 have the same configuration as the storage unit 1011 and the random number generation unit 1012 of the order randomizing device 101, and description thereof will be omitted.

  Upon receiving a numbering request from the token management unit 102, the order randomizing device 104 puts the tokens numbered by the token generator 105 into the pool of the storage unit 1041 like the order randomizing device 101, The random numbers generated by the random number generator 1042 are used for shuffling to extract tokens in a random order.

  The token generator 105 issues tokens as serial numbers such as 00001, 00002, and 00003, for example. By generating the serial number, the token generator 105 does not need to perform a unique (duplicate) check of the issued token, and the processing speed is increased. Further, since the token generator 105 does not need to record the number of the issued token, the processing load on the token generator 105 can be reduced. Note that, for example, a specific function may be applied to the serial number and the token issued by the token generator 105 may be used as a token.

  The issued tokens are arranged in a random order such as 00395, 00153, and 00196 by the order randomizer 104, and transmitted to the token management unit 102 (3). Since the tokens issued by the order randomizing device 104 are randomized, it is not necessary to generate random numbers when issuing tokens generated by the token generator 105, so that the numbering can be speeded up. Become.

  The tokenization unit 1021 of the token management unit 102 replaces the ID with a token. Further, the token registration unit 1022 registers the transmitted token value in the identifier number correspondence table 103 in association with the ID (4). The token management unit 102 sets the token and age as a data set and outputs the data as output data.

  Next, details of the identifier number correspondence table 103 will be described with reference to FIG. FIG. 7 is an example of an identifier issue number correspondence table.

  In FIG. 7, the identifier number correspondence table 103 stores an identifier (ID) and a token value in association with each other. Here, the identifier (ID) and the token value are uniquely associated. Therefore, it is possible to restore the identifier from the token value. Note that the identifier number correspondence table 103 is intended to restore the token value to the identifier. For example, the token generator 105 and the identifier number correspondence table 103 are cleared when the restoration is not necessary. Thus, the token before clearing and the token after clearing may be registered with the same number.

  Next, the operation of the tokenizing apparatus 10 described in FIG. 2 will be described using the flowchart in FIG. FIG. 3 is a flowchart for explaining an example of the operation of the tokenizing apparatus 10.

  In FIG. 3, data including information to be concealed is input to the tokenizing apparatus 10 from the analyst terminal 20 (S100). The order randomizing apparatus 101 inputs information to the pool (S101). The token management unit 102 retrieves data in record units from the order randomizing device 101 (S102). The extracted records are randomized (shuffled) by the order randomizing apparatus 101. Details of the operation of the randomizing device 101 in steps S101 and S102 will be described in Embodiments 1 to 3 described later together with details of the operation of the randomizing device 104.

  Next, it is checked whether or not there is data in the pool of the storage unit 1011 (S103). If all the data has been processed (NO in S103), the processing in this flowchart is terminated, and the data is stored in the pool. (YES in S103), it is checked whether the ID part already exists in the identifier number correspondence table 103 (S104).

  When the ID part already exists (YES in S104), the identifier number correspondence table 103 returns a token value for the inquired ID, and the tokenizing unit 1021 replaces the ID part with the token value (S105). The record unit information is output (S106).

  On the other hand, when the ID part is not in the identifier number correspondence table 103 (NO in S104), the token registration unit 1022 requests a token value from the order randomizing device 104 (S107). The token generator 105 generates tokens in advance, and a randomized token that is input to the order randomizer is prepared (S108). The token registration unit 1022 associates the ID with the token and generates an identifier. It registers in the number correspondence table 103 (S109). The tokenizing unit 1021 then replaces the ID part with the token value (S105), and outputs information in units of records (S106). The above processing is looped until there is no more data in the storage unit 1011 of the order randomizing device 101 (S103).

  Next, details of the information input process in step S101 in FIG. 3 will be described with reference to FIG. FIG. 4 is a flowchart for explaining an example of data input of the order randomizing device 101 and the order randomizing device 104. In the following description, components common to the order randomizing device 101 and the order randomizing device 104 are omitted from the description like “order randomizing device”.

  In FIG. 4, when the information is input (S1011), the order randomizer checks whether there is a vacancy in the pool (S1012). If there is no vacancy in the pool (NO in S1012), information storage is waited until the vacancy is available. As a result, the pool always uses all of the reserved pool until the input information is completed.

  If there is a vacancy in the pool (YES in S1012), the information is stored in the pool (S1013).

  Next, details of the information output processing in step S102 in FIG. 3 will be described with reference to FIG. FIG. 5 is a flowchart for explaining an example of data output of the order randomizing device.

  In FIG. 5, the token management unit 102 in FIG. 2 makes an information request to the order randomizing device (S1021). Next, the order randomizer extracts one piece of information from the pool at random (S1022), and outputs the information to the token management unit 102 (S1023).

  Next, details of the processing in step 108 described in FIG. 3 will be described with reference to FIG. FIG. 6 is a flowchart for explaining an example of processing of the order randomizing device 104.

  In FIG. 6, the order randomizer 104 requests the token generator 105 to generate a token value and generates a token value (S1081). The token generator 105 generates a token value and inputs the generated token value to the order randomizer 104 (S1082). If there is a vacancy in the pool of the order randomizing device 104 (YES in S1083), the sequence randomizing device 104 continues generating token values in the token generator 105 until the pool is full (NO in S1083). ) Repeat the process. That is, the order randomizing device 104 prepares token values in the pool in advance before a numbering request is issued from the token management unit 102. As a result, compared with the case where the token value is issued after the numbering request is issued, the overhead from the token value numbering to the storage in the pool is eliminated, and the processing speed can be increased.

  Next, the pool management algorithm described in step S101 and step S102 of FIG. 3 will be described in detail in the first to third embodiments.

The size and management method of the pool in the order randomizer greatly affects randomization performance. In the first to third embodiments, the data input / output processing method is different for each pool management algorithm. The randomizing device 101 and the randomizing device 104 may be implemented in any of the following embodiments. For example, the randomizing device 101 and the randomizing device 104 may be implemented in the same embodiment. These may be implemented in different embodiments.
[First embodiment]

  The first embodiment prepares a pool of storage number n, inputs the input data for the storage number, and uses random numbers that can issue up to the storage number, so that data is stored in a random order from the storage location. Output. The storage location where the data is output is empty. The empty storage location is replenished while being overwritten by, for example, the next input data. In addition, the storage locations that are vacant may be sequentially padded with the subsequent data. Random numbers are generated within the range of the number of stored items and are not randomized in the database system, so the processing can be speeded up.

  The first embodiment will be described with reference to FIGS. FIG. 8 is a flowchart for explaining an example of the initial process of the order randomizing device according to the first embodiment. FIG. 9 is a flowchart for explaining an example of pool storage of the order randomizing device according to the first embodiment. FIG. 10 is a flowchart for explaining an example of extraction from the pool of the order randomizing device according to the first embodiment. Furthermore, FIG. 11 is an image diagram for explaining an example of a virtual array in the first embodiment.

  In FIG. 8, the initial processing of the order randomizer is the initial processing in step S1011 in FIG. The initial process is performed once when new input data is input from the database system 21. The order randomizer secures a pool (virtual array) according to the data size. In the present embodiment, n pools of 0 to (n-1) are secured (S10111). Next, the “storage number” of the reserved pool is set to 0 (S10112), and the initialization process is terminated. The stored number is a counter that counts the number of pools in which information is actually input, and input data is sequentially input so as to keep this value as many as the stored number.

  In FIG. 9, the pooling of input data of the order randomizer describes the details of the processing in step 1013 in FIG. 4. The order randomizing device stores the input data in an empty storage location of the pool (S10131). Next, 1 is added to the stored number and the counter is incremented, and the process is terminated (S10132).

  In FIG. 10, the pool removal of the order randomizer describes details of step S <b> 1022 in FIG. 5. The random generator 105 in FIG. 2 randomly generates an integer r, which is a virtual array number that specifies a storage location to be extracted, using a random number that generates an integer r between 0 and (the number of stored values-1). (S10221). Next, the data stored in the rth of the pool is extracted, and the extracted storage locations are filled with numbers (S10222) so that there are no missing virtual array numbers. Next, −1 is added to the number of stored items, the counter is decremented, and the process ends (S10223).

  FIG. 11 is an image diagram illustrating a virtual array of storage locations used in the pool. The pool stores data corresponding to the virtual array numbers 0 to n. The virtual array is a virtual array in which the same data type is considered to be continuously in contact with the memory, and the length of the array can be designated by a specific programming operator. In FIG. 11, n is designated, and the case of n + 1 data arrays is shown. The length of the array corresponds to the generated random number.

In the first embodiment described above, since the next input data is stored immediately when the storage location is empty, the input data is only loaded on the pool. Randomization of input data has a higher shuffle effect in which the order of input data is rearranged randomly as the number of stored pools is larger (the virtual array is longer). However, using large pools requires large memory resources. For this reason, the number of pools to be secured by initialization is appropriately adjusted according to the input data size and the necessity of information concealment.
[Second Embodiment]

  In the first embodiment, since data once stored in the pool is extracted from the pool with the same probability, the probability that the data stored earlier becomes higher as the data is stored earlier. In other words, the order of data to be extracted depends on the input order. Therefore, in the second embodiment, the problem of the first embodiment is improved by the structure of the pool.

  The outline of the second embodiment will be described with reference to FIGS. FIG. 12 is a diagram for explaining an example of the outline of pool management in the second embodiment. FIG. 13 is a diagram illustrating an example of a pool arrangement in the second embodiment.

  In FIG. 12, the order randomizing device has pool management information in the storage unit. In the pool management information, the number of elements in the pool array (L), the random number end value, the element number to add information (0 to L-1), the counter to add information, the number to add information to one element, and the pool management information are stored in the pool. A number (L or less) is recorded. Details of one element of the pool array set to the number L of elements are virtual arrays that store weights, random number access start points, random number access end points, and records.

  In the initial setting of pool management information, the number of elements in the pool array (L), the number of information added to one array, the number stored in the pool, and the weight of each element are set. The initial values of other items are 0 or NULL It is.

  In FIG. 13, the pool array L is 4 in this embodiment. That is, five elements of 0 to 4 are provided, and the above “number to be stored in the pool” is set to 4 from the total number of data, and the last one element is empty. For example, array number 0 is set as a virtual array (48 elements) for storing data with weight: 1, stored number: 48, random access start point: 0,. Further, SEQ ID NOs: 1 to 3 are also set as shown in FIG.

  Here, the “weight” is the number of random numbers assigned to one record with respect to the number stored between the arrays. For example, in array number 0, the weight is 1, and one random number is assigned to one record, while in array number 3, the weight is 8, and a random number of 8 is assigned to one record. Therefore, 48 × 1 = 48 random numbers are assigned in array number 0, 32 × 2 = 64 in array number 1, 21 × 4 = 84 in array 2, 8 × 9 = 72 in array 3 A random number is assigned. In other words, when the weight is low, the number of records to be stored is increased to narrow the range of random numbers assigned to one record, while when the weight is high, the number of records to be stored is decreased to 1 record. The range of random numbers assigned to is widened.

  In this embodiment, the element with the array element number is set to have a higher weight than the element with the array element number before. With this pool management method, the probability that the stored information is retrieved can be adjusted to increase the shuffle effect.

  In this embodiment, since the number of random numbers to be generated is 48 + 64 + 84 + 72 = 268 as described above, the width of the random numbers is 0 to 267. For example, if the random number is 153, the record taken out of the pool is the virtual array 10 with the array number 2. When one record is extracted, the records after the extracted record are sequentially padded. Therefore, the number of elements of array number 3 is subtracted from 9 to 8, and when the next record is added, the number of elements returns to 9 again.

  Next, the operation in the second embodiment will be described with reference to the flowcharts of FIGS. FIG. 14 is a flowchart illustrating an example of an initial process of the order randomizing device according to the second embodiment. FIG. 15 is a flowchart for explaining an example of the storing operation of the order randomizing device according to the second embodiment. FIG. 16 is a flowchart for explaining an example of the pool take-out operation of the order randomizing device unit in the second embodiment.

  In FIG. 14, first, the number stored in the pool (virtual array) is provisionally determined (S211). Based on the provisionally determined storage number, the division number L of the pool is determined (S212). This number of divisions becomes the “number of elements (L) in the pool array” described in FIG.

  Next, the number stored in the pool (virtual array) is determined (S213). This number determines the number actually used after determining the division number L, and can be arbitrarily set below L.

  Next, the pool management information described with reference to FIG. 12 is initialized (S214). Specifically, the random number end value, the element number for adding information, and the counter for adding information are set to 0.

  Next, the pool array is secured and initialized (S215). Specifically, 0 is set to the “random number access start point” and the “random number access end point”. The “virtual array for storing data” prepares as many virtual arrays as information is added to one element. Further, the “weight” is set to a larger value as the order of the pool arrangement increases. In FIG. 13, 1, 2, 4, 8, 16. This completes the initial process.

  In FIG. 15, in the storing operation of the order randomizing device, first, when information is input (S200), an element of a pool array for storing data is obtained from “element number for adding information” (S201).

  Next, the data is stored in the “information adding counter” position of the “virtual array storing element data” of the element, and the following operation is performed (S202). Increment "counter to add information" (++). A weight is added and substituted for “end point for random access” (+ = weight). Add and assign a weight to “random end value” (+ = weight).

  Next, it is determined whether or not the “information adding counter” has reached “the number of information to be added to one element” (S203). If NO, the operation of this flowchart is terminated.

  If YES in step S203, it is determined whether the element to which information is added is an element of the Lth pool array (S204). If NO, the “element number to which information is added” is incremented, The counter to be added is 0, and the values of the “random number access start point” and “random number access end point” of the next pool array element are obtained and set (S205). On the other hand, in the case of YES in step S204, the first in the pool array is merged with the 0th, the first is emptied, the first is vacant, and one is left-justified, and the Lth is To be in the state.

  In FIG. 16, in the pool fetching operation of the order randomizer, first, an integer r between 0 and the random number end value is randomly generated (S221). The integer r can be obtained, for example, by an integer random number generation function that specifies the maximum value of the programming language to be used. Random numbers that determine the integer r are sequentially generated at the extraction timing. However, for example, a random number may be prepared asynchronously with the extraction timing and applied to the integer r at the extraction timing. In particular, when it takes a long time to calculate a random number, the processing can be speeded up by advance preparation.

  Next, an element of the pool array corresponding to the integer r is obtained from the “random number access start point” and “random number access end point” of the pool array (S222). As described with reference to FIGS. 12 and 13, the corresponding array is uniquely determined by the integer r.

  Next, the storage location of the virtual array for storing the data of the record corresponding to r is obtained from the elements of the pool array and extracted, and the extracted storage location is left-justified by the subsequent record (S223). The timing of justifying is performed immediately after taking out the record. However, for example, a predetermined number of records may be read and a predetermined number of times may be left-aligned at a time. In that case, re-designation of the integer r when an empty record is designated for the integer r used for reading is considered. As a result, the storage and reading processes can be performed asynchronously.

Next, the “random number access start point”, “random number access end point”, and “random number end value” after the elements of the pool array are maintained (S224). When the record is left-justified, the setting values are also changed according to the front-justification. However, as described in step S223, the maintenance timing varies depending on the front-packing timing. This completes the pool removal operation of the order randomizer.
[Third Embodiment]

  In the first embodiment and the second embodiment, the input data is shuffled by the pool arrangement. For example, the number of records in the database is large, and the data is input in the order of record registration date and update date. On the other hand, the local shuffling in the first or second embodiment may be insufficient. Therefore, in the third embodiment, a higher shuffling effect can be obtained by randomizing the entire data.

  A third embodiment will be described with reference to FIGS. FIG. 17 is a diagram for explaining an overview in the third embodiment. FIG. 18 is a flowchart for explaining an example of initial processing of the order randomizing device in the third embodiment. FIG. 19 is a flowchart for explaining an example of the operation of the order randomizing device in the third embodiment.

  In FIG. 17, the pool of order randomizers is connected to a secondary storage device having n tables. All input data input to the pool is randomly distributed and stored in n tables. The data stored in each table is specified and read at random for each table and becomes output data.

  In FIG. 18, in the initial processing of the order randomizer, first, the inside of the pool is divided into a plurality of numbers, and the number of table caches that can be created is set to n (S310). Since the pool is only used for data cache with secondary storage, the capacity may be sufficient as a cache. Each cache is used as an input / output cache for secondary storage.

  Next, a table for managing n sets is created on the secondary storage (S311).

  Next, while reading the input data one by one, random numbers 1 to n are generated and stored in the table cache created in the pool corresponding to the generated random numbers. Retreat to the table (S312).

  Next, for each table, the first reading position and reading order (front to back, back to front) are determined and set randomly (S313). The reading table is set to 1.

  In FIG. 19, in order to take out the sequence randomizer from the pool, it is first determined whether or not there is a read table (S300). If there is no reading table, the flow chat operation is terminated (YES in S300). If there is a read table (NO in S300), data is extracted from the read table (S301).

  Next, it is determined whether or not the scan of the reading table has been completed (S302). If the scan is completed (YES in S302), it is excluded from the read table (S303).

  Next, it is determined whether or not there is a read table (S304). If there is a read table (NO in S304), or if the scan of the read table is not completed (NO in S302), the read table is recommended next (S305).

When all the tables have been read (YES in S304), the process of taking out the pool of the order randomizing device is finished.
[Fourth Embodiment]

  In the first to third embodiments, the order randomizing device of the token management device 1 is an embodiment. However, a similar order randomizing device can be constructed in the database system. By constructing the order randomizing device in the database system, the regularity of the search results can be eliminated, and the data characteristics due to the order of the output data can be prevented from leaking outside the database system.

  A fourth embodiment will be described with reference to FIG. FIG. 20 is a configuration diagram illustrating an example of the overall system configuration according to the fourth embodiment.

  In FIG. 20, the database system 31 includes a database management system 311 and a storage unit 312. The database management system 3111 includes a command processing unit 3111 and an order randomizing device 3112. In FIG. 20, devices other than the database system 31 are denoted by the same reference numerals as those in the first to third embodiments already described, and description thereof is omitted. The command processing unit 3111 is connected to the storage unit 312 via the order randomizing device 3112, and the data is randomized by the order randomizing device 3112 when data is read from the storage unit 312. The method for managing the pool inside the randomizing device is the same as that in the first to third embodiments.

  In the fourth embodiment, a high-speed output separated from the internal structure of the database is possible by putting a pool in the output stage of the database. As a result, the internal structure of the database cannot be seen from the outside of the database system 31. Further, an access restriction is provided for the order randomizing device 3112, data can be output without being aware of the presence of the order randomizing device 3112, and the data output characteristics of the database system can be concealed.

  Further, the fourth embodiment can be used in combination with the first to third embodiments. By using both in combination, the effect of shuffling can be enhanced. When the order randomizing device 3112 is accessible, the randomizing load can be distributed by the respective order randomizing devices.

  FIG. 21 is a block diagram illustrating an example of a computer system of the token management device 1. The token management device 1 shown in FIG. 21 has a configuration in which a CPU 12, a storage unit 13, an interface (I / F) 14, an input device 15, and a display unit 16 are connected by a bus 17. The connection between the CPU 12, the storage unit 13, the I / F 14, the input device 15, and the display unit 16 is not limited to the bus connection shown in FIG.

  In FIG. 21, the CPU 12 controls the entire token management device 1 by executing a program stored in the storage unit 13. The storage unit 13 can be formed by a computer-readable storage medium such as a semiconductor storage device, a magnetic recording medium, an optical recording medium, or a magneto-optical recording medium, and stores the above programs and various data and is executed by the CPU 12. It also functions as a temporary memory that temporarily stores intermediate results of operations, calculation results, and the like. The storage unit 13 also functions as a storage unit of the identifier number correspondence table 103 illustrated in FIG. The I / F 14 is an interface that communicates with the analyst terminal 20 and the analysis system 20 via a network (not shown). The input device 15 can be formed by a keyboard or the like. The display unit 16 can be formed by a display or the like. The input device 15 and the display unit 16 may be formed of an input / output device having functions of both the input device and the display unit, such as a touch panel.

  The CPU 12 causes the computer system to function as the token management device 1 by executing a program stored in the storage unit 13. That is, the order randomizers 101 and 104, the token management unit 102, and the identifier number assignment correspondence table 103 of the tokenizing device 10 described in FIG. 2 are mounted in the storage area of the storage unit 13 as a program function, Can be executed.

  As mentioned above, although the form for implementing this invention was explained in full detail, this invention is not limited to such specific embodiment, In the range of the summary of this invention described in the claim, Various modifications and changes are possible.

The present invention may have the following configurations as described below.
(Appendix 1)
A first randomizing device that receives data including identification information and outputs the input data in a random order;
An information concealment device comprising: a tokenizing unit that replaces the identification information of the data output from the first randomizing device with a token.
(Appendix 2)
The first randomizing device includes:
A first storage unit that has a predetermined number of storage locations and sequentially stores the input data in the storage locations;
A first random number generation unit that generates a first random number according to the number stored in the first storage unit,
The information concealment device according to appendix 2, wherein the data stored from the storage location of the first storage unit that is randomly specified by the first random number is extracted and output.
(Appendix 3)
The information concealment device according to appendix 1 or 2, wherein the storage location of the first storage unit preferentially extracts input data with a slow input order with respect to input data with a fast input order.
(Appendix 4)
A token generator for generating the token;
The token generator generated by the token generator is input, and a second randomizing device that outputs the input tokens in a random order, and further includes any one of appendix 1 to 3, further comprising: Information concealment device.
(Appendix 5)
The second randomizing device includes:
A second storage unit having a predetermined number of storage locations and sequentially storing the input tokens in the storage location;
A second random number generation unit that generates a second random number according to the number stored in the second storage unit,
The information concealment device according to appendix 4, wherein the token stored from the storage location of the second storage unit specified at random by the second random number is extracted and output.
(Appendix 6)
The information concealment device according to appendix 4 or 5, wherein the storage location of the second storage unit preferentially extracts input data whose input order is late with respect to input data whose input order is early.
(Appendix 7)
A first randomization process in which data including identification information is input, and the input data is output in a random order;
An information concealment method for identification information, wherein a tokenization process for replacing the identification information of the data output in the first randomization process with a token is executed by a computer.
(Appendix 8)
The first randomizing process includes:
A first storage process that has a predetermined number of storage locations and sequentially stores the input data in the storage locations;
A first random number generation process for generating a first random number corresponding to the number stored in the first storage process,
The information concealment of identification information according to appendix 7, wherein the computer executes a process of extracting and outputting the data stored from the storage location stored in the first storage process that is randomly specified by the first random number Method.
(Appendix 9)
9. The information concealment method according to appendix 7 or 8, wherein the first storage processing preferentially extracts input data with a slow input order with respect to input data with a fast input order.
(Appendix 10)
A token generation process for generating the token;
The second randomization process in which the token generated in the token generation process is input and the input tokens are output in a random order. Information concealment method.
(Appendix 11)
The second randomizing process includes:
A second storage process having a predetermined number of storage locations and sequentially storing the input tokens in the storage locations;
A second random number generation process for generating a second random number according to the number stored in the second storage process,
The information concealment method according to appendix 10, wherein the token is extracted from the storage location stored in the second storage process that is randomly specified by the second random number and output.
(Appendix 12)
6. The information concealment method according to appendix 4 or 5, wherein the second storage processing preferentially extracts input data with a slow input order with respect to input data with a fast input order.
(Appendix 13)
A command processing unit for receiving a query;
A storage unit that outputs data stored in accordance with an instruction from the command processing unit;
A database system comprising a randomizing device,
The randomizer is
A storage unit having a predetermined number of storage locations, and sequentially storing the data output from the storage unit in the storage location;
A database system comprising: a random number generation unit that generates a random number according to the number of storages in the storage unit.

1 Token Management Device 10 Tokenization Device 101, 104 Order Randomization Device 1011, 1041 Storage Unit 1012, 1042 Random Number Generation Unit 102 Token Management Unit 1021 Tokenization Unit 1022 Token Registration Unit 103 Identifier Number Correspondence Table 105 Token Generator 11 Restoration Device 12 CPU
13 Storage Unit 14 Interface 15 Input Device 16 Display Unit 17 Bus 20 Analyst Terminal 21, 31 Database System 211, 311 Database Management System 212, 312 Storage Unit 22 Analysis System 3111 Command Processing Unit 3112 Order Randomizer

Claims (9)

A first randomizing device that receives data including identification information and outputs the input data in a random order;
An information concealment device comprising: a tokenizing unit that replaces the identification information of the data output from the first randomizing device with a token. The first randomizing device includes:
A first storage unit that has a predetermined number of storage locations and sequentially stores the input data in the storage locations;
A first random number generation unit that generates a first random number according to the number stored in the first storage unit,
The information concealment apparatus according to claim 2, wherein the data stored from the storage location of the first storage unit that is randomly specified by the first random number is extracted and output.   3. The information concealment device according to claim 1, wherein the storage location of the first storage unit preferentially extracts input data with a slow input order with respect to input data with a fast input order. A token generator for generating the token;
4. The second randomization device according to claim 1, further comprising: a second randomization device that receives the token generated by the token generator and outputs the input token in a random order. 5. The information concealment device described. The second randomizing device includes:
A second storage unit having a predetermined number of storage locations and sequentially storing the input tokens in the storage location;
A second random number generation unit that generates a second random number according to the number stored in the second storage unit,
The information concealment device according to claim 4, wherein the token stored from the storage location of the second storage unit that is randomly specified by the second random number is extracted and output.   The information concealment device according to claim 4 or 5, wherein the storage location of the second storage unit preferentially picks up input data with a slow input order with respect to input data with a fast input order. A first randomization process in which data including identification information is input, and the input data is output in a random order;
An information concealment method for identification information, wherein a tokenization process for replacing the identification information of the data output in the first randomization process with a token is executed by a computer. A tokenizer that replaces the identification information contained in the data with a token;
An information concealment device for identification information, comprising: a first randomization device that receives data output from the tokenization unit and outputs the input data in a random order. Tokenization processing for replacing identification information included in data with a token;
An information concealment method for identification information, wherein the computer executes a first randomization process in which the data output in the tokenization process is input and the input data is output in a random order.

Images