CN106295388A - Data desensitization method and device - Google Patents
- Publication number: CN106295388A (CN201510303954.4A)
- Authority: CN (China)
- Prior art keywords: data, sensitive data, sql, user, instruction
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6254—Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
Abstract
The invention discloses a data desensitization method and device that address the low efficiency of data desensitization and the inflexible management and control found in the prior art. The method includes: receiving a Structured Query Language (SQL) instruction sent by a user; and, when the data to be accessed by the SQL instruction is determined to contain sensitive data and the user is not allowed to access that sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a data desensitization method and device.
Background
As markets grow and business develops, enterprise databases store more and more customer data; once leaked, this data would bring the enterprise a huge crisis of trust and economic loss. Every enterprise therefore attaches great importance to data security and uses many management or technical means, such as three-tier network structures, firewall construction and security audits, to prevent data leakage events and to be able to trace the source of such events. Among these means, desensitizing (also called obfuscating) sensitive data is an active and effective way to prevent data leakage.
Data desensitization means transforming sensitive data according to desensitization rules so that the sensitive data is reliably protected, which allows the desensitized real data set (also called desensitized data) to be used safely in development, test and other non-production environments and in outsourced environments without leaking information.
At present, data is desensitized mainly by the following techniques:
1. Changing the sensitive data with the database's built-in Update statement, which updates existing data in a table. After database synchronization completes, one logs in to the database and uses Update statements to change the sensitive data according to the specified desensitization rules; the changes are committed and take effect once the operation is complete.
2. Desensitizing the sensitive data with tooling during data migration. In this approach the exported sensitive data tables are encrypted individually, so that the sensitive data is presented in the form of desensitized data; the desensitized data can be restored to the original data once the encryption password is obtained.
Of these two techniques, the desensitization performed with Update statements in the first is irreversible: when the sensitive data needs to be accessed, the database has to be synchronized again, so flexibility is poor and business needs cannot be met. Because a large volume of sensitive data has to be modified during desensitization, desensitization is also inefficient and unsuitable for scenarios with high data timeliness requirements. The second technique can restore the desensitized data to the original data once the encryption password is obtained, so it is reversible; but because the sensitive data is still modified during export and import, it is also inefficient and likewise unsuitable for scenarios with high data timeliness requirements. In addition, the encryption password is fixed and cannot be changed flexibly: once a user has obtained the encryption password, that user's access rights to the sensitive data cannot be revoked, which makes management and control difficult.
In a real production environment, because of security and system resource limits, internal statisticians and verification staff must be given a statistics and verification data environment that is independent of production. In this scenario the timeliness requirements on the data are high, so data synchronization and desensitization must be completed periodically within a specified time window. At the same time, as work such as real-name registration of customer data advances, verification staff must be able to access the original data from time to time within the scope of their security clearance. In such cases, none of the above techniques can meet the requirements.
Summary of the invention
The embodiments of the present invention provide a data desensitization method and device to address the low efficiency of data desensitization and the inflexible management and control found in the prior art.
The embodiments of the present invention adopt the following technical solutions:
A first aspect provides a data desensitization method, including:
receiving a Structured Query Language (SQL) instruction sent by a user;
when the data to be accessed by the SQL instruction is determined to contain sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
Optionally, converting the SQL instruction according to the preset desensitization conversion rule when the data to be accessed by the SQL instruction is determined to contain sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data the converted SQL instruction can access is desensitized data, specifically includes:
determining whether the data to be accessed by the SQL instruction contains sensitive data;
when the data to be accessed by the SQL instruction is determined to contain sensitive data, further determining whether the user is allowed to access the sensitive data;
when the user is determined not to be allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
Optionally, receiving the SQL instruction sent by the user specifically includes:
receiving the SQL instruction sent by the user at a first time; in that case,
determining whether the user is allowed to access the sensitive data specifically includes:
determining, according to a pre-stored authorized user list, whether the user is an authorized user;
when the user is determined to be an authorized user, further determining whether the first time falls within the access time range corresponding to the authorized user, and determining whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
when the user is determined not to be an authorized user, or the first time is determined not to fall within the access time range, or the sensitive data to be accessed by the SQL instruction is determined not to be the authorized access object, determining that the user is not allowed to access the sensitive data;
when the user is determined to be an authorized user, the first time falls within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
Optionally, determining whether the data to be accessed by the SQL instruction contains sensitive data specifically includes:
scanning the SQL instruction; when analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried from that sensitive data table include a preset sensitive data column, determining that the data to be accessed by the SQL instruction contains sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not contain sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement in the SQL instruction that accesses the sensitive data with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into a preset special character; wherein the sensitive data includes at least any one of: identity card number, telephone number, name and address.
A second aspect provides a data desensitization device, including:
an SQL instruction receiving module, configured to receive a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module, configured to, when the data to be accessed by the SQL instruction received by the SQL instruction receiving module is determined to contain sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
Optionally, the SQL instruction conversion module specifically includes:
a first judging unit, configured to determine whether the data to be accessed by the SQL instruction contains sensitive data;
a second judging unit, configured to, when the first judging unit determines that the data to be accessed by the SQL instruction contains sensitive data, further determine whether the user is allowed to access the sensitive data;
a conversion unit, configured to, when the second judging unit determines that the user is not allowed to access the sensitive data, convert the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
Optionally, the SQL instruction receiving module is specifically configured to:
receive the SQL instruction sent by the user at a first time; in that case,
the second judging unit is specifically configured to:
determine, according to a pre-stored authorized user list, whether the user is an authorized user; when the user is determined to be an authorized user, further determine whether the first time falls within the access time range corresponding to the authorized user, and determine whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when the user is determined not to be an authorized user, or the first time is determined not to fall within the access time range, or the sensitive data to be accessed by the SQL instruction is determined not to be the authorized access object, determine that the user is not allowed to access the sensitive data; when the user is determined to be an authorized user, the first time falls within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determine that the user is allowed to access the sensitive data.
Optionally, the first judging unit is specifically configured to:
scan the SQL instruction; when analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried from that sensitive data table include a preset sensitive data column, determine that the data to be accessed by the SQL instruction contains sensitive data; otherwise, determine that the data to be accessed by the SQL instruction does not contain sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement in the SQL instruction that accesses the sensitive data with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into a preset special character; wherein the sensitive data includes at least any one of: identity card number, telephone number, name and address.
The beneficial effects of the embodiments of the present invention are as follows:
In the embodiments of the present invention, an SQL instruction sent by a user is received and, when the data to be accessed by the SQL instruction is determined to contain sensitive data and the user is not allowed to access the sensitive data, the SQL instruction is converted according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data. Compared with the prior art, the sensitive data is not modified during desensitization; instead, the way the data is displayed is determined by converting the SQL instruction sent by the user, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, the way the data is displayed is no longer controlled by an encryption password but is decided by the result of determining whether the user is allowed to access the sensitive data, which enables flexible management and control.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description or be understood by practicing the invention. The objectives and other advantages of the invention can be realized and obtained through the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings described here provide a further understanding of the present invention and form a part of it. The illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of a data desensitization method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the application scenario of the data desensitization method provided by an embodiment of the present invention in a concrete application;
Fig. 3 is a detailed flowchart of the data desensitization method in this application scenario;
Fig. 4 is a flowchart of determining whether an SQL instruction extracts sensitive data;
Fig. 5 is a schematic structural diagram of a data desensitization device provided by an embodiment of the present invention.
Detailed description of the invention
To address the low efficiency of data desensitization and the inflexible management and control found in the prior art, the embodiments of the present invention provide a data desensitization scheme. In this scheme, an SQL instruction sent by a user is received and, when the data to be accessed by the SQL instruction is determined to contain sensitive data and the user is not allowed to access the sensitive data, the SQL instruction is converted according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data. Compared with the prior art, the sensitive data is not modified during desensitization; instead, the way the data is displayed is determined by converting the SQL instruction sent by the user, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, the way the data is displayed is no longer controlled by an encryption password but is decided by the result of determining whether the user is allowed to access the sensitive data, which enables flexible management and control.
The embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here only illustrate and explain the invention and do not limit it. Where they do not conflict, the embodiments of the invention and the features of the embodiments may be combined with one another.
An embodiment of the present invention provides a data desensitization method. Fig. 1 is a flowchart of the method, which includes the following steps:
Step 11: receive the SQL instruction sent by a user.
Step 12: when the data to be accessed by the SQL instruction is determined to contain sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
Step 12 may be implemented, without limitation, as follows:
First, determine whether the data to be accessed by the SQL instruction contains sensitive data.
Specifically, the SQL instruction is scanned. When analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried from that sensitive data table include a preset sensitive data column, it is determined that the data to be accessed by the SQL instruction contains sensitive data; otherwise, it is determined that the data to be accessed by the SQL instruction does not contain sensitive data.
When the data to be accessed by the SQL instruction is determined to contain sensitive data, go on to determine whether the user is allowed to access the sensitive data.
Where the SQL instruction in step 11 was sent by the user at a first time, the embodiment may, without limitation, determine whether the user is allowed to access the sensitive data as follows:
According to a pre-stored authorized user list, determine whether the user is an authorized user.
When the user is determined to be an authorized user, go on to determine whether the first time falls within the access time range corresponding to the authorized user, and determine whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user.
When the user is determined to be an authorized user, the first time falls within the access time range, and the sensitive data to be accessed by the SQL instruction is an authorized access object, it is determined that the user is allowed to access the sensitive data.
When the user is determined not to be an authorized user, or the first time is determined not to fall within the access time range, or the sensitive data to be accessed by the SQL instruction is determined not to be an authorized access object, it is determined that the user is not allowed to access the sensitive data.
When the user is determined not to be allowed to access the sensitive data, the SQL instruction is converted according to the preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
The desensitization conversion rule may be, without limitation:
replacing the statement in the SQL instruction that accesses the sensitive data with a preset conversion function, where the preset conversion function converts the characters at specified positions in the sensitive data into a preset special character, and where the sensitive data includes at least any one of: identity card number, telephone number, name and address.
Compared with the prior art, the embodiments of the present invention do not modify the sensitive data during desensitization; instead, the way the data is displayed is determined by converting the SQL instruction sent by the user, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, the way the data is displayed is no longer controlled by an encryption password but is decided by the result of determining whether the user is allowed to access the sensitive data, which enables flexible management and control.
To aid understanding of the embodiments of the present invention, their implementation is described below with a concrete example.
In a concrete application, the data desensitization method provided by the embodiments of the present invention can be implemented by adding a data desensitization server and a permission approval server. Fig. 2 is a schematic diagram of the application scenario of the method in a concrete application.
The permission approval server is responsible for user authentication and provides interfaces to the data desensitization server (user whitelist, authorization time window, authorized access objects, etc.).
Where:
User whitelist: the authorized user list; the users on this list are allowed to access sensitive data.
Authorization time window: the access time range within which users on the authorized user list are allowed to access sensitive data.
Authorized access object: a database object that users on the authorized user list are allowed to access (for example a table, view or synonym).
When a user needs to access sensitive data, the user submits an application to the permission approval server. The application contains the applicant's information, the access object, the access time, the reason for access and similar information. The permission approval server submits the application to the higher-level supervisor for manual review. Once the access is confirmed as legitimate, the applicant information in the application is added to the user whitelist, the access time is converted into an authorization time window, and the access object is converted into an authorized access object.
The data desensitization server records the desensitization conversion rules for sensitive data and evaluates the SQL instructions sent by users. If it finds that the content to be accessed by a user's SQL instruction involves sensitive data (for example identity card number, telephone number, name or address), it goes on to determine, through the interfaces provided by the permission approval server, whether the user is an unauthorized user (that is, not allowed to access sensitive data). If the user is an unauthorized user, it immediately applies the desensitization conversion rules to convert the SQL instruction submitted by the user, so that the data presented to the user is desensitized data. If the content to be accessed by the user's SQL instruction does not involve sensitive data, or it involves sensitive data and the user is a legitimately authorized user, the SQL instruction submitted by the user is not processed and is forwarded directly to the back-end database for execution.
When the data desensitization server records the desensitization conversion rules for sensitive data, it also needs to record the following information:
Configuration information for all database instances connected to the data desensitization server, including the name, IP address, listening port, etc. of each database instance on which sensitive data desensitization is performed.
Database user schema: the account information for the sensitive data tables under a specific database instance.
Sensitive data table: a data table, view or synonym that stores sensitive data.
Sensitive data column: the column name, in a data object (table, view or synonym), that stores sensitive information.
The desensitization conversion rules recorded in the data desensitization server, that is, the rules used when converting sensitive data columns, are usually written with the database's built-in functions; these functions convert the characters at specified positions in the sensitive data into a preset special character.
Taking sensitive data that includes identity card numbers, telephone numbers, names and addresses as an example:
Desensitizing identity card numbers: the characters at specified positions of the identity card number (assumed to be CERITID) are replaced with a special character (for example '*'), or, as required, all characters of the whole identity card number are replaced directly. For example, to desensitize the last three characters, the function is specified as SUBSTR(CERITID, 1, LENGTH(CERITID)-3)||'***'.
Desensitizing telephone numbers: the number pattern is analyzed to determine whether the first 3 to 5 digits are an area code or an extra number (for example 021, 12580 or 17951), the significant number is extracted, and the digits at the relevant positions are then obfuscated as required; alternatively, all characters of the whole telephone number are replaced directly with a special character (for example '*') as required. For example, if the last 4 digits of a fixed-line number need to be obscured, the function is specified as SUBSTR(phone, 1, LENGTH(phone)-4)||'****'.
Desensitizing names: it is determined whether the name contains the user's surname, and characters at any chosen positions after the surname are replaced with a special character (for example '*'); alternatively, all characters of the whole name are replaced directly with the special character as required.
Desensitizing addresses: it is determined whether the address contains keywords such as "city", "district", "town", "township", "village", "street", "number" and "building"; the characters other than these keywords are replaced at random, or, as required, all characters of the whole address are replaced directly with a special character (for example '*').
After a desensitization conversion rule is added, the data desensitization server automatically scans the database dictionary using the information provided above, finds the names of all data objects and columns that reference the sensitive data, and iteratively updates them into the rule set above.
Fig. 3 is a detailed flowchart of the data desensitization method in this application scenario. It includes the following steps:
Step 31: the user connects to the specified database instance and submits an SQL instruction by any means.
Step 32: based on the database instance selected by the user and the SQL instruction submitted, the data desensitization server determines whether the instruction extracts sensitive data. If not, step 37 is performed; if so, step 33 follows.
Step 33: using the user whitelist provided by the permission approval server, check whether the user is an authorized user. If the user is not on the whitelist, step 36 is performed; if the user is on the whitelist, step 34 follows.
Step 34: using the authorization time window provided by the permission approval server and the current time, determine whether the current time is within the authorization time window. If not, step 36 is performed; if so, step 35 follows.
Step 35: using the authorized access objects provided by the permission approval server and the sensitive data the SQL instruction is to extract, determine whether that sensitive data is an authorized access object. If not, step 36 is performed; if so, step 37 is performed.
Step 36: the submitted SQL instruction is processed according to the desensitization conversion rules, so that the sensitive data the converted SQL instruction can access is desensitized data.
Step 37: the instruction is forwarded to the back-end database for execution and the result is returned.
Fig. 4 is a flowchart of determining whether an SQL instruction extracts sensitive data. It includes the following steps:
Step 41: scan the SQL instruction submitted by the user and determine whether it contains a SELECT statement (including insert, delete and update statements that contain a SELECT query). If not, it is determined that the SQL instruction does not extract sensitive data; if so, step 42 follows.
Step 42: extract the table names used in the SELECT statement and check whether they include a sensitive data table. If not, it is determined that the SQL instruction does not extract sensitive data; if so, step 43 follows.
Step 43: check the column names used when querying the sensitive data table in the SQL statement and determine whether a sensitive data column is used. If none is used, it is determined that the SQL instruction does not extract sensitive data; if one is used, it is determined that the SQL instruction extracts sensitive data.
The SQL instruction is then converted in step 36 above.
Note that if the SELECT statement uses '*', the '*' is replaced directly with all column names of the sensitive data table, and the sensitive data columns are converted according to the conversion rules.
Compared with the prior art, the embodiment of the present invention does not modify the sensitive data itself during data desensitization. Instead, it converts the SQL instruction sent by the user to determine how the data is displayed, thereby achieving the effect of data desensitization and greatly improving its efficiency. In addition, the data display mode is no longer controlled by an encryption password but is determined by the result of judging whether the user is allowed to access the sensitive data, which enables flexible management and control.
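The detection in steps 41 to 43, the authorization check and the step 36 rewrite, as an added example that is not code from the patent. The `customers` table, its columns, the users, the SQLite `substr` masking expressions and the choice to reject any statement touching a sensitive table that is not a single SELECT with plain column names are all assumptions.

```python
import re
import sqlite3
from datetime import time

# Constructed policy (assumption): sensitive table -> column -> masking expression.
# Each expression keeps the outer characters and replaces fixed positions with '*'.
SENSITIVE = {
    "customers": {
        "id_card": "substr(id_card,1,6) || '********' || substr(id_card,15)",
        "phone": "substr(phone,1,3) || '****' || substr(phone,8)",
    }
}
ALL_COLUMNS = {"customers": ["id", "region", "id_card", "phone"]}

# Constructed authorization records (assumption): access window and the
# (table, column) objects each authorized user was approved for.
AUTHORIZED = {
    "auditor": {"window": (time(9, 0), time(18, 0)),
                "objects": {("customers", "phone")}},
}

SELECT_RE = re.compile(
    r"\bselect\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)", re.I | re.S)
PLAIN_COL = re.compile(r"^(?:\w+\.)?(\w+|\*)$")


class UnsupportedStatement(ValueError):
    """A sensitive table is referenced in a form this example cannot rewrite."""


def sensitive_columns(sql):
    """Steps 41-43: return (match, table, columns, sensitive columns) or None."""
    words = re.findall(r"\w+", sql.lower())
    if "select" not in words:                              # step 41
        return None
    if not any(t in words for t in SENSITIVE):             # step 42
        return None
    m = SELECT_RE.search(sql)
    # Fail closed: only one SELECT whose FROM names the sensitive table first.
    if words.count("select") != 1 or not m or m["table"].lower() not in SENSITIVE:
        raise UnsupportedStatement(sql)
    table = m["table"].lower()
    cols = []
    for item in m["cols"].split(","):
        pm = PLAIN_COL.match(item.strip())
        if not pm:                                         # expression or alias
            raise UnsupportedStatement(sql)
        name = pm.group(1).lower()
        # '*' is replaced by all column names of the sensitive table.
        cols.extend(ALL_COLUMNS[table] if name == "*" else [name])
    used = [c for c in cols if c in SENSITIVE[table]]      # step 43
    return (m, table, cols, used) if used else None


def is_allowed(user, when, table, used):
    """Authorized user, inside the access window, requesting only authorized objects."""
    grant = AUTHORIZED.get(user)
    if grant is None:
        return False
    start, end = grant["window"]
    if not start <= when <= end:
        return False
    return all((table, c) in grant["objects"] for c in used)


def desensitize(sql, user, when):
    """Return the statement to forward: rewritten (step 36) or unchanged (step 37)."""
    found = sensitive_columns(sql)
    if found is None:
        return sql
    m, table, cols, used = found
    if is_allowed(user, when, table, used):
        return sql
    select_list = ", ".join(
        f"{SENSITIVE[table][c]} AS {c}" if c in SENSITIVE[table] else c
        for c in cols)
    return sql[:m.start("cols")] + select_list + sql[m.end("cols"):]


def run_demo(sql, user, when):
    """Run the forwarded statement against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, region TEXT, id_card TEXT, phone TEXT)")
    db.execute("INSERT INTO customers VALUES "
               "(1, 'Beijing', '110101199003071234', '13812345678')")  # constructed row
    return db.execute(desensitize(sql, user, when)).fetchall()


if __name__ == "__main__":
    print(run_demo("SELECT * FROM customers", "guest", time(10, 0)))
    print(run_demo("SELECT phone FROM customers", "auditor", time(10, 0)))
```

Only the select list is rewritten here; predicates on sensitive columns in the rest of the statement are forwarded as written.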
Based on the same inventive concept, an embodiment of the present invention further provides a data desensitization device. Because the principle by which the device solves the problem is similar to that of the data desensitization method, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Figure 5 is a structural diagram of the data desensitization device provided by the embodiment of the present invention, which includes:
SQL instruction receiving module 51, for receiving the Structured Query Language (SQL) instruction sent by a user;
SQL instruction conversion module 52, for converting the SQL instruction according to the preset desensitization conversion rule when it is judged that the data to be accessed by the SQL instruction received by the SQL instruction receiving module contains sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data the converted SQL instruction can access is desensitized data.
Optionally, the SQL instruction conversion module 52 specifically includes:
First judging unit 521, for judging whether the data to be accessed by the SQL instruction contains sensitive data;
Second judging unit 522, for continuing to judge whether the user is allowed to access the sensitive data when the first judging unit 521 judges that the data to be accessed by the SQL instruction contains sensitive data;
Converting unit 523, for converting the SQL instruction according to the preset desensitization conversion rule when the second judging unit 522 judges that the user is not allowed to access the sensitive data, so that the sensitive data the converted SQL instruction can access is desensitized data.
Optionally, the SQL instruction receiving module 51 is specifically used for:
receiving the SQL instruction sent by the user at a first time; then
the second judging unit 522 is specifically used for:
judging, according to a pre-stored list of authorized users, whether the user is an authorized user; when it is judged that the user is an authorized user, continuing to judge whether the first time is within the access time range corresponding to the authorized user, and judging whether the sensitive data to be accessed by the SQL instruction is the authorized access object corresponding to the authorized user; when it is judged that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data; when it is judged that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
Optionally, the first judging unit 521 is specifically used for:
scanning the SQL instruction; when the analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried in that sensitive data table include a preset sensitive data column, determining that the data to be accessed by the SQL instruction contains sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not contain sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement used for accessing sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: identity card number, telephone number, name and address.
For convenience of description, the above parts are divided by function into modules (or units) and described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flow charts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make other changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (10)
1. A data desensitization method, characterized by comprising:
receiving a Structured Query Language (SQL) instruction sent by a user;
when it is judged that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
2. The method of claim 1, characterized in that, when it is judged that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data, specifically comprises:
judging whether the data to be accessed by the SQL instruction contains sensitive data;
when it is judged that the data to be accessed by the SQL instruction contains sensitive data, continuing to judge whether the user is allowed to access the sensitive data;
when it is judged that the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data the converted SQL instruction can access is desensitized data.
3. The method of claim 2, characterized in that receiving the SQL instruction sent by the user specifically comprises:
receiving the SQL instruction sent by the user at a first time; then
judging whether the user is allowed to access the sensitive data specifically comprises:
judging, according to a pre-stored list of authorized users, whether the user is an authorized user;
when it is judged that the user is an authorized user, continuing to judge whether the first time is within the access time range corresponding to the authorized user, and judging whether the sensitive data to be accessed by the SQL instruction is the authorized access object corresponding to the authorized user;
when it is judged that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data;
when it is judged that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
4. The method of claim 2, characterized in that judging whether the data to be accessed by the SQL instruction contains sensitive data specifically comprises:
scanning the SQL instruction; when the analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried in that sensitive data table include a preset sensitive data column, determining that the data to be accessed by the SQL instruction contains sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not contain sensitive data.
5. The method of claim 1, characterized in that the desensitization conversion rule comprises:
replacing the statement used for accessing sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: identity card number, telephone number, name and address.
6. A data desensitization device, characterized by comprising:
an SQL instruction receiving module, for receiving a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module, for converting the SQL instruction according to a preset desensitization conversion rule when it is judged that the data to be accessed by the SQL instruction received by the SQL instruction receiving module contains sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data the converted SQL instruction can access is desensitized data.
7. The device of claim 6, characterized in that the SQL instruction conversion module specifically comprises:
a first judging unit, for judging whether the data to be accessed by the SQL instruction contains sensitive data;
a second judging unit, for continuing to judge whether the user is allowed to access the sensitive data when the first judging unit judges that the data to be accessed by the SQL instruction contains sensitive data;
a converting unit, for converting the SQL instruction according to the preset desensitization conversion rule when the second judging unit judges that the user is not allowed to access the sensitive data, so that the sensitive data the converted SQL instruction can access is desensitized data.
8. The device of claim 7, characterized in that the SQL instruction receiving module is specifically used for:
receiving the SQL instruction sent by the user at a first time; then
the second judging unit is specifically used for:
judging, according to a pre-stored list of authorized users, whether the user is an authorized user; when it is judged that the user is an authorized user, continuing to judge whether the first time is within the access time range corresponding to the authorized user, and judging whether the sensitive data to be accessed by the SQL instruction is the authorized access object corresponding to the authorized user; when it is judged that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data; when it is judged that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
9. The device of claim 7, characterized in that the first judging unit is specifically used for:
scanning the SQL instruction; when the analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried in that sensitive data table include a preset sensitive data column, determining that the data to be accessed by the SQL instruction contains sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not contain sensitive data.
10. The device of claim 6, characterized in that the desensitization conversion rule comprises:
replacing the statement used for accessing sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: identity card number, telephone number, name and address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510303954.4A CN106295388B (en) | 2015-06-04 | 2015-06-04 | A kind of data desensitization method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106295388A (en) | 2017-01-04 |
CN106295388B (en) | 2019-09-10 |
Family
ID=57659048
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510303954.4A Active CN106295388B (en) | 2015-06-04 | 2015-06-04 | A kind of data desensitization method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106295388B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102844756A (en) * | 2010-03-15 | 2012-12-26 | 迪纳米科普斯公司 | Computer relational database method and system having role based access control |
US20140164405A1 (en) * | 2012-12-12 | 2014-06-12 | Institute For Information Industry | Dynamic data masking method and database system |
CN103870480A (en) * | 2012-12-12 | 2014-06-18 | 财团法人资讯工业策进会 | Dynamic data masking method and database system |
CN104239823A (en) * | 2013-06-07 | 2014-12-24 | 腾讯科技(深圳)有限公司 | Interface content display control method and device |
CN103778380A (en) * | 2013-12-31 | 2014-05-07 | 网秦(北京)科技有限公司 | Data desensitization method and device and data anti-desensitization method and device |
Also Published As
Publication number | Publication date |
---|---|
CN106295388B (en) | 2019-09-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |