CN105844166B - A sensitive data identification method and device - Google Patents

Publication number
CN105844166B
Authority
CN
China
Prior art keywords
data
sensitive data
operation object
operand
encoded
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510015353.3A
Other languages
Chinese (zh)
Other versions
CN105844166A (en)
Inventor
陆琰
陈劼
王鑫
陈后鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Jiangsu Co Ltd
Original Assignee
China Mobile Group Jiangsu Co Ltd

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • User Interface Of Digital Computer (AREA)

Abstract

Embodiments of the present invention relate to the field of information security, and in particular to a sensitive data identification method and device for identifying sensitive data efficiently. In the embodiments, a data manipulation instruction is received, the data manipulation instruction instructing that a second operation object be generated from a first operation object; first position information of the sensitive data in the first operation object is obtained; and second position information of the sensitive data in the second operation object is determined according to the data structure of the second operation object and the first position information. Because the second operation object is generated from the first operation object, the position in the second operation object that corresponds to each piece of data in the first operation object can be traced; and because the first position information in the first operation object has been obtained, the second position information in the second operation object that corresponds to the sensitive data in the first operation object can be determined, which improves the efficiency of identifying sensitive data.

Description

A sensitive data identification method and device
Technical field
Embodiments of the present invention relate to the field of information security, and in particular to a sensitive data identification method and device.
Background
Sensitive data generally refers to users' private information. Telecom operators hold the private information of a large number of users, and when different users operate on sensitive data, the sensitive data is often leaked. This not only seriously affects the operator's own important strategic secrets, its competitiveness within the industry and its market standing, but also harms users' privacy and personal information security to varying degrees. Therefore, identifying sensitive data throughout the entire data life cycle, so that it can be obfuscated, has become a top priority.
At present, sensitive data identification for database data mainly uses content feature matching: the data to be identified is matched against preset keywords, and once sensitive data has been identified it is encrypted or obfuscated to prevent leakage.
In practice, data tables are accessed frequently, and new data tables are often generated from existing ones. When a new data table is generated from an existing data table, identifying the sensitive data in the newly generated table still requires matching keywords against its data content item by item. If hundreds of new data tables are generated at the same time, identifying sensitive data by the prior art's content feature matching is inefficient.
In summary, a sensitive data identification method and device are urgently needed to identify sensitive data efficiently.
Summary of the invention
Embodiments of the present invention provide a sensitive data identification method and device for identifying sensitive data efficiently.
A sensitive data identification method implemented on the terminal side, provided by an embodiment of the present invention, includes the following steps:
Receiving a data manipulation instruction, the data manipulation instruction instructing that a second operation object be generated from a first operation object;
Obtaining first position information of the sensitive data in the first operation object;
Executing the data manipulation instruction to obtain the second operation object, and determining second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information;
Determining, according to the second position information, the data at the corresponding position in the second operation object to be sensitive data.
Preferably, the first position information is the position code of the position of the sensitive data in the first operation object;
Obtaining the first position information of the sensitive data in the first operation object specifically includes:
Converting the positions of all data in the first operation object into corresponding position codes according to a preset rule;
Querying a preset sensitive data table, where the sensitive data table contains the identification information of the first operation object and N position codes for the positions of N pieces of sensitive data in the first operation object, the N position codes are obtained by converting the positions of the N pieces of sensitive data according to the preset rule, and N is an integer greater than or equal to 1;
Determining whether the converted position codes include a position code that matches a position code corresponding to the first operation object in the sensitive data table; if so, determining the position code that matches the sensitive data table to be the position code of the position of the sensitive data in the first operation object.
Preferably, a position code that matches the sensitive data table means:
The position code corresponding to the first position information exactly matches a position code in the sensitive data table, or the position code corresponding to the first position information partially matches a position code in the sensitive data table.
Preferably, in addition to the N position codes for the positions of the N pieces of sensitive data in the first operation object, the sensitive data table further contains multiple operation codes corresponding to each position code;
Determining the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information specifically includes:
Querying the sensitive data table according to the identification information of the first operation object and the operation code of the operation instruction in the data manipulation instruction;
Determining, according to the query result, whether the operation codes corresponding to the position code in the sensitive data table that matches the first position information include the operation code contained in the data manipulation instruction;
If so, determining the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information.
Preferably, after the data at the corresponding position in the second operation object is determined to be sensitive data according to the second position information, the method further includes:
Querying the sensitive data table for the operation code corresponding to the first position information;
Adding to the sensitive data table the identification information of the second operation object, the second position information, and the queried operation code corresponding to the first position information, and establishing the correspondence among the three.
Preferably, the first operation object is a first data table and the second operation object is a second data table;
The data manipulation instruction is one of the following:
Copying the first data table as the second data table;
Cutting the first data table into the second data table;
Saving the first data table as the second data table.
In the embodiments of the present invention, the data manipulation instruction instructs that the second operation object be generated from the first operation object, so the second operation object is generated from the first operation object and the position in the second operation object that corresponds to each piece of data in the first operation object can be traced. Because the first position information of the sensitive data in the first operation object has also been obtained, combining it with the traced correspondence determines the position in the second operation object that corresponds to the sensitive data in the first operation object, and that position is the second position information of the sensitive data in the second operation object. The sensitive data in the newly generated second operation object can thus be identified quickly by position feature matching, which improves the efficiency of identifying sensitive data.
An embodiment of the present invention provides a sensitive data identification device, including a receiving unit and a processing unit:
The receiving unit is configured to receive a data manipulation instruction, the data manipulation instruction instructing that a second operation object be generated from a first operation object;
The processing unit is configured to obtain first position information of the sensitive data in the first operation object; to execute the data manipulation instruction to obtain the second operation object, and determine second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information; and to determine, according to the second position information, the data at the corresponding position in the second operation object to be sensitive data.
Preferably, the first position information is the position code of the position of the sensitive data in the first operation object;
The processing unit is specifically configured to:
Convert the positions of all data in the first operation object into corresponding position codes according to a preset rule;
Query a preset sensitive data table, where the sensitive data table contains the identification information of the first operation object and N position codes for the positions of N pieces of sensitive data in the first operation object, the N position codes are obtained by converting the positions of the N pieces of sensitive data according to the preset rule, and N is an integer greater than or equal to 1;
Determine whether the converted position codes include a position code that matches a position code corresponding to the first operation object in the sensitive data table; if so, determine the position code that matches the sensitive data table to be the position code of the position of the sensitive data in the first operation object.
Preferably, a position code that matches the sensitive data table means:
The position code corresponding to the first position information exactly matches a position code in the sensitive data table, or the position code corresponding to the first position information partially matches a position code in the sensitive data table.
Preferably, in addition to the N position codes for the positions of the N pieces of sensitive data in the first operation object, the sensitive data table further contains multiple operation codes corresponding to each position code;
The processing unit is specifically configured to:
Query the sensitive data table according to the identification information of the first operation object and the operation code of the operation instruction in the data manipulation instruction;
Determine, according to the query result, whether the operation codes corresponding to the position code in the sensitive data table that matches the first position information include the operation code contained in the data manipulation instruction;
If so, determine the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information.
Preferably, the processing unit is further configured to:
Query the sensitive data table for the operation code corresponding to the first position information;
Add to the sensitive data table the identification information of the second operation object, the second position information, and the queried operation code corresponding to the first position information, and establish the correspondence among the three.
Preferably, the first operation object is a first data table and the second operation object is a second data table;
The data manipulation instruction is one of the following:
Copying the first data table as the second data table;
Cutting the first data table into the second data table;
Saving the first data table as the second data table.
In the embodiments of the present invention, a data manipulation instruction is received, the data manipulation instruction instructing that a second operation object be generated from a first operation object; first position information of the sensitive data in the first operation object is obtained; the data manipulation instruction is executed to obtain the second operation object, and second position information of the sensitive data in the second operation object is determined according to the data structure of the second operation object and the first position information; and, according to the second position information, the data at the corresponding position in the second operation object is determined to be sensitive data.
Because the data manipulation instruction instructs that the second operation object be generated from the first operation object, the second operation object is generated from the first operation object and the position in the second operation object that corresponds to each piece of data in the first operation object can be traced. Because the first position information of the sensitive data in the first operation object has also been obtained, combining it with the traced correspondence determines the position in the second operation object that corresponds to the sensitive data in the first operation object, and that position is the second position information of the sensitive data in the second operation object. The sensitive data in the newly generated second operation object can thus be identified quickly by position feature matching, which improves the efficiency of identifying sensitive data.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of a sensitive data identification method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a sensitive data identification device provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
The embodiments of the present invention are applicable to many application scenarios, and no limitation is imposed. The embodiments are described using the following application scenario as an example: a second operation object is generated from a first operation object, that is, the data in the first operation object needs to be migrated, or modified and then migrated, into the second operation object. Preferably, part or all of the data in the first operation object may be migrated, or modified and then migrated, into the second operation object.
The embodiments are described under the following assumptions; a person skilled in the art will understand that the invention is not limited to them.
"Multiple" in the embodiments of the present invention may mean one or more.
Preferably, in the embodiments the sensitive data table is set up based on all existing data in the current database. The embodiments assume that the database stores data tables, that the position information of the sensitive data in each data table is known, and that the operation codes corresponding to each piece of sensitive data in each data table have been determined manually, that is, which data in the data table is sensitive under which operation codes. The sensitive data table is set up from this information. It includes multiple operation object identifiers, which correspond to different data tables; for each operation object identifier, the position information of the sensitive data in the corresponding operation object; and, for each piece of sensitive data in the operation object corresponding to each operation object identifier, multiple operation codes.
For example, in example one, assume the database includes three data tables. It is known that the "identification card number" information in the first column of data table 1 is sensitive data under the "copy" operation code, which indicates that the "identification card number" information in data table 1 is important, or prone to leakage, when a "copy" operation is performed. The "identification card number" information therefore needs to be set as sensitive data for the "copy" operation code, so that when a "copy" operation is later performed on data table 1, the sensitive data "identification card number" is identified and then encrypted or obfuscated to improve the security of the data.
Likewise, assume that the "telephone number" information in the second column of data table 1 is sensitive data under the "copy" and "cut" operation codes; that the "name" information in the corresponding two columns of data table 2 is sensitive data under the "save as" operation code; and that the "address" information in the second to fifth rows of the first column of data table 3 is sensitive data under the "save as" operation code.
The sensitive data table of example one is listed in Table 1, as follows:
Table 1: Sensitive data table in example one
Based on the above, Fig. 1 shows a sensitive data identification method implemented on the terminal side, provided by an embodiment of the present invention, which includes the following steps:
Step 101: receive a data manipulation instruction, the data manipulation instruction instructing that a second operation object be generated from a first operation object;
Step 102: obtain first position information of the sensitive data in the first operation object;
Step 103: execute the data manipulation instruction to obtain the second operation object, and determine second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information;
Step 104: according to the second position information, determine the data at the corresponding position in the second operation object to be sensitive data.
Preferably, in the embodiments the first position information of the sensitive data in the first operation object is the position code of the position of the sensitive data in the first operation object, and this position code is obtained by converting the positions of all data in the first operation object according to the preset rule. Likewise, the second position information of the sensitive data in the second operation object is the position code of the position of the sensitive data in the second operation object, and this position code is obtained by converting the positions of all data in the second operation object according to the preset rule. As described above, what is stored in the sensitive data table is the position information corresponding to the sensitive data, and this position information is the position code obtained by converting the position of the sensitive data according to the preset rule.
Preferably, in the embodiments the "preset rule" used to convert the specific position of data into a position code should be applied consistently, and once any piece of data has been converted to its position code according to the "preset rule", that position code should uniquely determine the position of the data. The embodiments do not limit the specific content of the "preset rule".
An example is given below to introduce the process of converting the position information of data into a position code according to the "preset rule".
Assume the preset rule defines the position of a piece of sensitive data with a 20-digit integer divided into four segments: the first segment indicates the domain where the sensitive data is located, the second segment indicates the library where the sensitive data is located, the third segment indicates the table where the sensitive data is located, and the fourth segment indicates the specific position of the sensitive data within the table.
For example, the sensitive data is located in the first column of the Customer table in the CRMDB11 library of the CRM system.
In the preset rule, the CRM system is represented by 10001, the CRMDB11 library by 9273, the Customer table by 89, and the first column by 1. The following position code then uniquely specifies the position of the sensitive data:
$10001 \times 10^{3 \times 5} + 9273 \times 10^{2 \times 5} + 89 \times 10^{1 \times 5} + 1 \times 10^{0 \times 5} = 10001092730008900001$
The above example describes in detail how the position of a piece of data is converted to its position code according to the preset rule.
Preferably, the first position information is the position code of the position of the sensitive data in the first operation object. The positions of all data in the first operation object are converted into corresponding position codes according to the preset rule; the preset sensitive data table is queried, where the sensitive data table contains the identification information of the first operation object and N position codes for the positions of N pieces of sensitive data in the first operation object, the N position codes are obtained by converting the positions of the N pieces of sensitive data according to the preset rule, and N is an integer greater than or equal to 1; and it is determined whether the converted position codes include a position code that matches a position code corresponding to the first operation object in the sensitive data table. If so, the position code that matches the sensitive data table is determined to be the position code of the position of the sensitive data in the first operation object.
Specifically, the first position information of the sensitive data in the first operation object can be obtained from the preset sensitive data table. In the embodiments, the position information corresponding to the sensitive data of the first operation object has been preset in the sensitive data table, that is, the sensitive data table contains the identification information of the first operation object and N position codes for the positions of N pieces of sensitive data in the first operation object, the N position codes are obtained by converting the positions of the N pieces of sensitive data according to the preset rule, and N is an integer greater than or equal to 1.
First, the positions of all data in the first operation object are converted into corresponding position codes according to the preset rule, which is the same rule as the preset rule mentioned for the sensitive data table. The table is then queried to determine whether the converted position codes of the first operation object include a position code that matches a position code corresponding to the first operation object in the sensitive data table, that is, whether certain positions of the first operation object are defined in the sensitive data table as positions of sensitive data. If so, the position code that matches the sensitive data table is determined to be the position code of the position of the sensitive data in the first operation object.
Because data is accessed frequently, its content features may change. For example, a piece of sensitive data that is accessed often may have its content reorganized, or may be encrypted, while its position does not change. If the sensitive data were identified by the prior art's content matching, it could not be recognized, because its content has changed. The method provided by the embodiments, however, can quickly identify sensitive data even when its content has changed.
For example, in the embodiments a certain field has been preset as a sensitive field, and the position information corresponding to the sensitive field is stored in the sensitive data table. When the sensitive data is subsequently accessed, its position has not changed, so the sensitive data table can be queried to quickly determine that the position of the data is a position already defined as that of sensitive data, and the data at that position is therefore determined to be sensitive data. As can be seen, the embodiments match sensitive data by its position feature, so sensitive data can be identified efficiently even if its content changes.
As the above example shows, the embodiments also apply to another situation, in which only some operation is performed on the first operation object and no second operation object is generated from it. In that case the position information of the sensitive data preset in the sensitive data table can still be queried, and whether sensitive data exists in the first operation object is determined according to the sensitive data preset in the sensitive data table. There are many operations that act only on the first operation object without generating a second operation object from it, such as query, modify and delete.
Preferably, the first operation object is a first data table and the second operation object is a second data table. Preferably, the sensitive data of the first operation object defined in the embodiments can be a certain column in the first data table, or several columns, several rows of several columns, or several rows in the first data table, or certain fields of several rows in the first data table. Likewise, the sensitive data of the second operation object defined in the embodiments can be a certain column in the second data table, or several columns, several rows of several columns, or several rows in the second data table, or certain fields of several rows in the second data table.
Preferably, the data manipulation instruction in the embodiments is one of the following: copying the first data table as the second data table; cutting the first data table into the second data table; saving the first data table as the second data table. The second operation object in the embodiments is obtained by executing the data manipulation instruction on the first operation object.
Preferably, a position code that matches the sensitive data table means: the position code corresponding to the first position information exactly matches a position code in the sensitive data table, or the position code corresponding to the first position information partially matches a position code in the sensitive data table.
Specifically, the position code in the embodiments is a segmented code in which different segments represent different levels of data context. To widen the search range, data in the first operation object whose first position information partially matches the sensitive data table can be identified, and the data that partially matches the sensitive data table is determined to be sensitive data.
For example, assume the first position information is the first column of the Customer table in the CRMDB11 library of the CRM system, where the CRM system is represented by 10001, the CRMDB11 library by 9273, the Customer table by 89 and the first column by 1. The following position code then uniquely specifies the position of the sensitive data: 10001 09273 00089 00001. Suppose the sensitive data of the Customer tables in all libraries of the CRM system now needs to be queried. The 9273 that represents the library in 10001 09273 00089 00001 is then ignored, for example by masking out 9273 with a mask. The position code in the sensitive data table for the first column of the Customer table in all libraries of the CRM system is then 10001 00000 00089 00001, where 00000 for all libraries indicates that the library in the position code of the sensitive data is not restricted. The position code 10001 00000 00089 00001 can then be used to match the sensitive data in the first column of the Customer tables of all libraries in the CRM system.
As can be seen, when the position code corresponding to the first position information partially matches a position code in the sensitive data table, the search range is widened and, preferably, the sensitive data in data tables of the same data structure can be determined quickly. When the position code corresponding to the first position information exactly matches a position code in the sensitive data table, matching precision is improved.
Masking out a segment of a position code, as mentioned in the embodiments, is prior art and is introduced only briefly here. A mask replaces a segment of the original position code with a run of identical characters. For example, if the segment of characters representing the library in the original position code is changed to a mask, then during matching the segment of characters representing the library in the code to be matched can be ignored. In the above example, the position code 10001 00000 00089 00001 in the sensitive data table can match data to be matched whose position code is 10001 02101 00089 00001, and the data corresponding to 10001 02101 00089 00001 is then determined to be sensitive data.
Preferably, in addition to the N position codes of the N sensitive data positions in the first operation object, the sensitive data table further includes multiple operation codes corresponding to each position code;
The second position information of the sensitive data in the second operation object is determined according to the data structure of the second operation object and the first position information as follows:
The sensitive data table is queried according to the identification information of the first operation object and the operation code of the operation instruction in the data manipulation instruction. According to the query result, it is judged whether the operation codes that correspond, in the sensitive data table, to the position code matching the first position information include the operation code contained in the data manipulation instruction. If so, the second position information of the sensitive data in the second operation object is determined according to the data structure of the second operation object and the first position information.
Specifically, in this embodiment, in addition to the N position codes of the N sensitive data positions in the first operation object, the sensitive data table further includes multiple operation codes corresponding to each position code; here "multiple operation codes" may be one or more.
Preferably, when judging from the query result whether the operation codes corresponding to the position code that matches the first position information include the operation code contained in the data manipulation instruction, other related parameters of the operation instruction can also be used as an auxiliary basis for the judgment. For example, these parameters may be the subject of the data manipulation instruction, the operation code parameters, the processing channel of the data manipulation instruction, the association between preceding and following operation codes within the data manipulation instruction, the time at which the data manipulation instruction occurs, the duration of the operation behavior corresponding to the data manipulation instruction, and so on.
These other related parameters help determine more accurately the operation code that corresponds to the data manipulation instruction. Preferably, when operation codes are configured in advance for the position codes of sensitive data in the sensitive data table, auxiliary parameter information related to each operation code can be added as well.
Preferably, the identification information of an operation object in this embodiment is the identifier of the object being operated on in the data manipulation instruction. For example, if the data manipulation instruction operates on the Customer table in library CRMDB11 of the CRM system, then "Customer table in library CRMDB11 of the CRM system" is the identification information of the operation object, and the position codes of the sensitive data recorded for that operation object in the sensitive data table are then determined according to this identification information.
Preferably, in this embodiment the identifier of each data manipulation instruction, the position codes of the sensitive data that the instruction involves, and the operation code of that data manipulation instance can be recorded in a real-time activity table. The real-time activity table makes it possible to keep track, in real time, of the data manipulation instructions currently being executed and of the sensitive data that requires attention while they execute. When the user finishes executing a data manipulation instruction, that instruction is deleted from the real-time activity table.
The real-time activity table is shown in Table 2.
Table 2: Example of a real-time activity table
Preferably, after the second operation object has been generated from the first operation object and the position codes of the sensitive data positions in the second operation object have been determined, the operation code corresponding to the first position information is queried in the sensitive data table; the identification information of the second operation object, the second position information, and the queried operation code corresponding to the first position information are added to the sensitive data table, and the correspondence among the three is established.
Specifically, because the second operation object is newly added data, it is preferably added to the sensitive data table: the identification information of the second operation object and the corresponding second position information, that is, the position codes of the sensitive data positions in the second operation object, are added to the sensitive data table. Furthermore, because the sensitive data in the second operation object is sensitive data migrated from the first operation object, the operation code that corresponds to the first position information matching the second position information also applies to the second position information in the second operation object. The operation code corresponding to the first position information is therefore configured in the sensitive data table as the operation code corresponding to the second position information.
A specific embodiment is described below to illustrate the above process:
Assume the data manipulation instruction copies the first operation object as the second operation object. The first operation object is data table 1 in the 2nd library of the 1st domain, and the second operation object is data table 2 in the 2nd library of the 1st domain. The operation code in the data manipulation instruction is "copy". Assume the first row, "name", in the first operation object is sensitive data; that is, the position of the sensitive data of the first operation object is "first row of data table 1 in the 2nd library of the 1st domain", and its code is assumed to be 00001 00002 00001 00001.
The identification process is as follows. The data manipulation instruction is received and its object, the first operation object, is determined. The positions of the data in the first operation object are converted to position codes. In the sensitive data table, the position code of the first operation object identifier "data table 1 in the 2nd library of the 1st domain" is determined, namely 00001 00002 00001 00000, and the position codes of the sensitive data corresponding to this identifier are determined from it. Under the assumption above, the position code of the sensitive data corresponding to the first operation object in the sensitive data table is 00001 00002 00001 00001.
The position codes obtained by converting the positions of the data in the first operation object according to the preset rules are matched against the position codes of the sensitive data corresponding to the first operation object in the sensitive data table, and the successfully matched position code in the first operation object, 00001 00002 00001 00001, is determined;
It is further determined that the operation code corresponding to this position code of the sensitive data of the first operation object in the sensitive data table is "copy", and the operation code in the present data manipulation instruction is also "copy".
Therefore, the successfully matched position code 00001 00002 00001 00001 in the first operation object is determined to be the first position information;
The data manipulation instruction is executed to obtain the second operation object, that is, the first operation object is copied as the second operation object. During this process, the position in the second operation object that corresponds to each position in the first operation object can be tracked; for example, the first row of the first operation object is copied to the first row of the second operation object.
The first position information 00001 00002 00001 00001 is then migrated to the second position information of the second operation object. The second position information is the first row of the second operation object, so its position code is that of "first row of data table 2 in the 2nd library of the 1st domain", namely 00001 00002 00002 00001, and the data corresponding to the second position information 00001 00002 00002 00001 is determined to be sensitive data.
The newly generated second operation object is then added to the sensitive data table: the second operation object identifier "data table 2 in the 2nd library of the 1st domain" is added, the position code 00001 00002 00002 00001 of the second position information of the sensitive data in the second operation object is configured for that identifier, and the operation code "copy" corresponding to the first position information is configured for the second position information.
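The copy walkthrough above, together with the masked matching described earlier, written out as an added Python example (it is not part of the patent text). It assumes four five-digit segments per position code and an all-zero segment as the mask; the function names, the `position_map` parameter (how positions in the first object map to positions in the second, generalizing the plain copy), the `"save_as"` label and table 90 are hypothetical.

```python
WILDCARD = "00000"  # all-zero segment: "not restricted", as in the masked code above


def parse_code(text):
    """Split a position code such as '10001 09273 00089 00001' into its segments."""
    segments = tuple(text.split())
    if len(segments) != 4 or not all(len(s) == 5 and s.isdigit() for s in segments):
        raise ValueError(f"not a four-segment position code: {text!r}")
    return segments


def format_code(segments):
    return " ".join(segments)


def code_matches(entry, candidate):
    """True if each segment of the table entry equals the candidate's or is masked."""
    return all(e == WILDCARD or e == c
               for e, c in zip(parse_code(entry), parse_code(candidate)))


class SensitiveTable:
    """Position codes of sensitive data, each with its set of operation codes."""

    def __init__(self):
        self._ops = {}

    def add(self, code, ops):
        key = format_code(parse_code(code))
        self._ops.setdefault(key, set()).update(ops)

    def ops_for(self, data_code):
        """Operation codes of every entry (exact or masked) matching data_code,
        or None when no entry matches, i.e. the position is not sensitive."""
        matched = [ops for entry, ops in self._ops.items()
                   if code_matches(entry, data_code)]
        return set().union(*matched) if matched else None


def track_sensitive(table, op, src_object, dst_object, position_map):
    """Process 'generate dst_object from src_object' for operation code op.

    src_object and dst_object are object-level codes (last segment 00000).
    position_map maps the last segment of each position in the first object
    to the last segment of the position it lands on in the second object.
    Returns the second position codes determined to be sensitive and records
    them in the table with the operation codes of the first position.
    """
    src_prefix = parse_code(src_object)[:3]
    dst_prefix = parse_code(dst_object)[:3]
    second_positions = []
    for src_item, dst_item in position_map.items():
        first_code = format_code(src_prefix + (src_item,))
        ops = table.ops_for(first_code)
        if ops is None or op not in ops:
            continue  # not sensitive, or this operation is not listed for it
        second_code = format_code(dst_prefix + (dst_item,))
        table.add(second_code, ops)  # carry the operation codes over
        second_positions.append(second_code)
    return second_positions


def build_demo_table():
    """Constructed sample table: one exact entry and one masked entry."""
    table = SensitiveTable()
    table.add("00001 00002 00001 00001", {"copy"})
    table.add("10001 00000 00089 00001", {"copy", "save_as"})
    return table


if __name__ == "__main__":
    table = build_demo_table()
    # Copy data table 1 to data table 2; positions keep their index.
    print(track_sensitive(table, "copy",
                          "00001 00002 00001 00000", "00001 00002 00002 00000",
                          {"00001": "00001", "00002": "00002"}))
    # Masked entry: any library of system 10001; position 1 lands on position 3.
    print(track_sensitive(table, "save_as",
                          "10001 02101 00089 00000", "10001 02101 00090 00000",
                          {"00001": "00003"}))
```
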
In conclusion generating the according to the first operation object since data manipulation instruction is used to indicate in the embodiment of the present invention Two operation objects, therefore second operand is generated by the first operation object, to the number being traceable in the first operation object According to the corresponding position information in second operand;Further as the of the sensitive data obtained in the first operation object One location information, therefore combine corresponding positions confidence of the data in second operand in the first operation object tracked Breath, it may be determined that go out the corresponding position in second operand of the sensitive data in the first operation object, which is the The second position information of sensitive data in two operation objects, it is seen then that can be quickly recognized by the matched mode of position feature Sensitive data in newly-generated second operand further improves the efficiency of identification sensitive data.
Based on the same idea, as shown in Fig. 2, an embodiment of the present invention provides a sensitive data identification device comprising a receiving unit 201 and a processing unit 202:
The receiving unit 201 is configured to receive a data manipulation instruction, the data manipulation instruction being used to instruct generation of a second operation object according to a first operation object;
The processing unit 202 is configured to obtain the first position information of the sensitive data in the first operation object; execute the data manipulation instruction to obtain the second operation object, and determine the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information; and, according to the second position information, determine the data at the corresponding position in the second operation object to be sensitive data.
Preferably, the first position information is the position code of the position of the sensitive data in the first operation object;
The processing unit 202 is specifically configured to:
Convert the positions of all data in the first operation object to corresponding position codes according to preset rules;
Query a preset sensitive data table, wherein the sensitive data table includes the identification information of the first operation object and N position codes of N sensitive data positions in the first operation object, the N position codes being obtained by converting the positions of the N sensitive data according to the preset rules, and N being an integer greater than or equal to 1;
Judge whether the converted position codes include a position code that matches a position code corresponding to the first operation object in the sensitive data table, and if so, determine the position code that matches the sensitive data table to be the position code of the position of the sensitive data in the first operation object.
Preferably, a position code matching the sensitive data table means:
The position code corresponding to the first position information exactly matches a position code in the sensitive data table, or the position code corresponding to the first position information partially matches a position code in the sensitive data table.
Preferably, in addition to the N position codes of the N sensitive data positions in the first operation object, the sensitive data table further includes multiple operation codes corresponding to each position code;
The processing unit 202 is specifically configured to:
Query the sensitive data table according to the identification information of the first operation object and the operation code of the operation instruction in the data manipulation instruction;
Judge, according to the query result, whether the operation codes that correspond, in the sensitive data table, to the position code matching the first position information include the operation code contained in the data manipulation instruction;
If so, determine the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information.
Preferably, the processing unit 202 is further configured to:
Query, in the sensitive data table, the operation code corresponding to the first position information;
Add to the sensitive data table the identification information of the second operation object, the second position information, and the queried operation code corresponding to the first position information, and establish the correspondence among the three.
Preferably, the first operation object is a first data table and the second operation object is a second data table;
The data manipulation instruction is one of the following:
Copying the first data table as the second data table;
Cutting the first data table into the second data table;
Saving the first data table as the second data table.
It can be seen from the above that, in this embodiment, the data manipulation instruction instructs generation of the second operation object from the first operation object, so the second operation object is generated from the first operation object and the position in the second operation object that corresponds to the data in the first operation object can be tracked. Furthermore, because the first position information of the sensitive data in the first operation object has been obtained, combining it with the tracked corresponding positions makes it possible to determine the position in the second operation object that corresponds to the sensitive data in the first operation object; that position is the second position information of the sensitive data in the second operation object. Sensitive data in the newly generated second operation object can thus be identified quickly by matching position features, which further improves the efficiency of identifying sensitive data.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (12)

1. A sensitive data identification method, characterized by comprising the following steps:
receiving a data manipulation instruction, the data manipulation instruction being used to instruct generation of a second operation object according to a first operation object;
obtaining first position information of the sensitive data in the first operation object;
executing the data manipulation instruction to obtain the second operation object, and determining second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information;
determining, according to the second position information, the data at the corresponding position in the second operation object to be sensitive data.
2. The method of claim 1, characterized in that the first position information is the position code of the position of the sensitive data in the first operation object;
obtaining the first position information of the sensitive data in the first operation object specifically comprises:
converting the positions of all data in the first operation object to corresponding position codes according to preset rules;
querying a preset sensitive data table, wherein the sensitive data table includes the identification information of the first operation object and N position codes of N sensitive data positions in the first operation object, the N position codes being obtained by converting the positions of the N sensitive data according to the preset rules, and N being an integer greater than or equal to 1;
judging whether the converted position codes include a position code that matches a position code corresponding to the first operation object in the sensitive data table, and if so, determining the position code that matches the position code corresponding to the first operation object in the sensitive data table to be the position code of the position of the sensitive data in the first operation object.
3. The method of claim 2, characterized in that a position code matching the sensitive data table means:
the position code corresponding to the first position information exactly matches the position code corresponding to the first operation object in the sensitive data table, or the position code corresponding to the first position information partially matches the position code corresponding to the first operation object in the sensitive data table.
4. The method of claim 2, characterized in that, in addition to the N position codes of the N sensitive data positions in the first operation object, the sensitive data table further includes multiple operation codes corresponding to each position code;
determining the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information specifically comprises:
querying the sensitive data table according to the identification information of the first operation object and the operation code of the operation instruction in the data manipulation instruction;
judging, according to the query result, whether the operation codes that correspond, in the sensitive data table, to the position code matching the first position information include the operation code contained in the data manipulation instruction;
if so, determining the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information.
5. The method of claim 4, characterized in that, after the data at the corresponding position in the second operation object is determined to be sensitive data according to the second position information, the method further comprises:
querying, in the sensitive data table, the operation code corresponding to the first position information;
adding to the sensitive data table the identification information of the second operation object, the second position information, and the queried operation code corresponding to the first position information, and establishing the correspondence among the three.
6. The method of any one of claims 1 to 5, characterized in that the first operation object is a first data table and the second operation object is a second data table;
the data manipulation instruction is one of the following:
copying the first data table as the second data table;
cutting the first data table into the second data table;
saving the first data table as the second data table.
7. A sensitive data identification device, characterized by comprising:
a receiving unit, configured to receive a data manipulation instruction, the data manipulation instruction being used to instruct generation of a second operation object according to a first operation object;
a processing unit, configured to obtain first position information of the sensitive data in the first operation object; execute the data manipulation instruction to obtain the second operation object, and determine second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information; and, according to the second position information, determine the data at the corresponding position in the second operation object to be sensitive data.
8. The device of claim 7, characterized in that the first position information is the position code of the position of the sensitive data in the first operation object;
the processing unit is specifically configured to:
convert the positions of all data in the first operation object to corresponding position codes according to preset rules;
query a preset sensitive data table, wherein the sensitive data table includes the identification information of the first operation object and N position codes of N sensitive data positions in the first operation object, the N position codes being obtained by converting the positions of the N sensitive data according to the preset rules, and N being an integer greater than or equal to 1;
judge whether the converted position codes include a position code that matches a position code corresponding to the first operation object in the sensitive data table, and if so, determine the position code that matches the position code corresponding to the first operation object in the sensitive data table to be the position code of the position of the sensitive data in the first operation object.
9. The device of claim 8, characterized in that a position code matching the sensitive data table means:
the position code corresponding to the first position information exactly matches the position code corresponding to the first operation object in the sensitive data table, or the position code corresponding to the first position information partially matches the position code corresponding to the first operation object in the sensitive data table.
10. The device of claim 8, characterized in that, in addition to the N position codes of the N sensitive data positions in the first operation object, the sensitive data table further includes multiple operation codes corresponding to each position code;
the processing unit is specifically configured to:
query the sensitive data table according to the identification information of the first operation object and the operation code of the operation instruction in the data manipulation instruction;
judge, according to the query result, whether the operation codes that correspond, in the sensitive data table, to the position code matching the first position information include the operation code contained in the data manipulation instruction;
if so, determine the second position information of the sensitive data in the second operation object according to the data structure of the second operation object and the first position information.
11. The device of claim 10, characterized in that the processing unit is further configured to:
query, in the sensitive data table, the operation code corresponding to the first position information;
add to the sensitive data table the identification information of the second operation object, the second position information, and the queried operation code corresponding to the first position information, and establish the correspondence among the three.
12. The device of any one of claims 7 to 11, characterized in that the first operation object is a first data table and the second operation object is a second data table;
the data manipulation instruction is one of the following:
copying the first data table as the second data table;
cutting the first data table into the second data table;
saving the first data table as the second data table.
CN201510015353.3A 2015-01-12 2015-01-12 A kind of sensitive data recognition methods and device Active CN105844166B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510015353.3A CN105844166B (en) 2015-01-12 2015-01-12 A kind of sensitive data recognition methods and device

Publications (2)

Publication Number Publication Date
CN105844166A CN105844166A (en) 2016-08-10
CN105844166B true CN105844166B (en) 2018-11-02
