CN106295388A - A data desensitization method and device - Google Patents


Publication number
CN106295388A
Authority
CN
China
Prior art keywords
data
sensitive data
sql
user
instruction
Legal status
Granted
Application number
CN201510303954.4A
Other languages
Chinese (zh)
Other versions
CN106295388B (en)
Inventor
田力
Current Assignee
China Mobile Group Shandong Co Ltd
Original Assignee
China Mobile Group Shandong Co Ltd
Application filed by China Mobile Group Shandong Co Ltd
Priority to CN201510303954.4A
Publication of CN106295388A
Application granted
Publication of CN106295388B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data desensitization method and device, intended to solve the problems of inefficient data desensitization and inflexible management and control in the prior art. The method includes: receiving a Structured Query Language (SQL) instruction sent by a user; and, when it is determined that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.

Description

A data desensitization method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a data desensitization method and device.
Background
As markets grow and business develops, enterprise databases store more and more customer data; once that data leaks, the enterprise faces a severe crisis of trust and economic loss. Enterprises therefore attach great importance to data security, and use management and technical measures such as three-tier network architecture, firewall construction and security auditing to prevent data leakage incidents and to trace the source of incidents. Among these measures, desensitizing (also called obfuscating) sensitive data is an active and effective means of preventing data leakage.
Data desensitization means transforming sensitive data according to desensitization rules so that the sensitive data is reliably protected, allowing the desensitized real data set (also called desensitized data) to be used safely in development, testing and other non-production or outsourced environments without leaking information.
At present, data is mainly desensitized by the following techniques:
1. Changing the sensitive data with the database's own Update statement, which updates existing data in a table. After database synchronization completes, an operator logs in to the database, uses Update statements to change the sensitive data according to the specified desensitization rules, and commits the changes so that they take effect.
2. Using a tool to desensitize the sensitive data during data migration. This approach can encrypt the exported sensitive data tables separately so that the sensitive data is shown in desensitized form, and the desensitized data can be restored to the original data once the encryption password is obtained.
Of these two techniques, the desensitization performed by the first with Update statements is irreversible: when the sensitive data needs to be accessed, the database must be synchronized again, so flexibility is poor and business needs cannot be met. Because large volumes of sensitive data have to be modified during desensitization, it is also inefficient and unsuitable for scenarios with high data-timeliness requirements. The second technique is reversible, since the desensitized data can be restored to the original data once the encryption password is obtained, but because the sensitive data is still modified during export and import, it is likewise inefficient and unsuitable for scenarios with high data-timeliness requirements. In addition, the encryption password is fixed and cannot be changed flexibly: once a user has obtained it, that user's access to the sensitive data cannot be revoked, which makes management and control difficult.
In a real production environment, because of security and system resource restrictions, internal statisticians or verification staff must be given a statistics and verification data environment that is independent of production. This scenario has high data-timeliness requirements, so data synchronization and desensitization must be completed periodically within a prescribed time window. At the same time, as work such as customer real-name registration advances, verification staff need to be able to access the original data from time to time within the scope of their security clearance. Neither of the above techniques can meet these requirements.
Summary of the invention
Embodiments of the present invention provide a data desensitization method and device to solve the problems of inefficient data desensitization and inflexible management and control in the prior art.
The embodiments of the present invention adopt the following technical solutions:
A first aspect provides a data desensitization method, including:
receiving a Structured Query Language (SQL) instruction sent by a user;
when it is determined that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, converting the SQL instruction according to the preset desensitization conversion rule when it is determined that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data accessed by the converted SQL instruction is desensitized data, specifically includes:
determining whether the data to be accessed by the SQL instruction contains sensitive data;
when it is determined that the data to be accessed by the SQL instruction contains sensitive data, further determining whether the user is allowed to access the sensitive data;
when it is determined that the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, receiving the SQL instruction sent by the user specifically includes:
receiving the SQL instruction sent by the user at a first time; in which case
determining whether the user is allowed to access the sensitive data specifically includes:
determining, according to a pre-stored list of authorized users, whether the user is an authorized user;
when the user is determined to be an authorized user, further determining whether the first time falls within the access time range corresponding to the authorized user, and determining whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
when it is determined that the user is not an authorized user, or that the first time does not fall within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data;
when it is determined that the user is an authorized user, that the first time falls within the access time range, and that the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
Optionally, determining whether the data to be accessed by the SQL instruction contains sensitive data specifically includes:
scanning the SQL instruction; when analysis shows that the SQL instruction contains a select query statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the columns to be queried from that sensitive data table include a preset sensitive data column, determining that the data to be accessed by the SQL instruction contains sensitive data; otherwise determining that the data to be accessed by the SQL instruction does not contain sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement in the SQL instruction that accesses sensitive data with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
A second aspect provides a data desensitization device, including:
an SQL instruction receiving module, configured to receive a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module, configured to, when it is determined that the data to be accessed by the SQL instruction received by the SQL instruction receiving module contains sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction conversion module specifically includes:
a first judging unit, configured to determine whether the data to be accessed by the SQL instruction contains sensitive data;
a second judging unit, configured to, when the first judging unit determines that the data to be accessed by the SQL instruction contains sensitive data, further determine whether the user is allowed to access the sensitive data;
a conversion unit, configured to, when the second judging unit determines that the user is not allowed to access the sensitive data, convert the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction receiving module is specifically configured to:
receive the SQL instruction sent by the user at a first time; in which case
the second judging unit is specifically configured to:
determine, according to a pre-stored list of authorized users, whether the user is an authorized user; when the user is determined to be an authorized user, further determine whether the first time falls within the access time range corresponding to the authorized user, and determine whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when it is determined that the user is not an authorized user, or that the first time does not fall within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determine that the user is not allowed to access the sensitive data; when it is determined that the user is an authorized user, that the first time falls within the access time range, and that the sensitive data to be accessed by the SQL instruction is the authorized access object, determine that the user is allowed to access the sensitive data.
Optionally, the first judging unit is specifically configured to:
scan the SQL instruction; when analysis shows that the SQL instruction contains a select query statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the columns to be queried from that sensitive data table include a preset sensitive data column, determine that the data to be accessed by the SQL instruction contains sensitive data; otherwise determine that the data to be accessed by the SQL instruction does not contain sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement in the SQL instruction that accesses sensitive data with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
The beneficial effects of the embodiments of the present invention are as follows:
In the embodiments of the present invention, an SQL instruction sent by a user is received; when it is determined that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access sensitive data, the SQL instruction is converted according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data. Compared with the prior art, the sensitive data itself is not modified during desensitization; instead, the way the data is displayed is determined by converting the SQL instruction sent by the user, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, the way the data is displayed is no longer controlled by an encryption password but is determined by the result of judging whether the user is allowed to access the sensitive data, which makes management and control flexible.
Other features and advantages of the present invention will be set out in the following description, and will in part become apparent from the description or be understood by implementing the invention. The objectives and other advantages of the invention can be realized and obtained through the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings described here are provided for further understanding of the present invention and form a part of it; the illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of a data desensitization method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application scenario of the data desensitization method provided by an embodiment of the present invention in a concrete application;
Fig. 3 is a detailed flowchart of the data desensitization method in this application scenario;
Fig. 4 is a flowchart of determining whether an SQL instruction extracts sensitive data;
Fig. 5 is a schematic structural diagram of a data desensitization device provided by an embodiment of the present invention.
Detailed description
To solve the problems of inefficient data desensitization and inflexible management and control in the prior art, embodiments of the present invention provide a data desensitization scheme. In this scheme, an SQL instruction sent by a user is received; when it is determined that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access sensitive data, the SQL instruction is converted according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data. Compared with the prior art, the sensitive data itself is not modified during desensitization; instead, the way the data is displayed is determined by converting the SQL instruction sent by the user, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, the way the data is displayed is no longer controlled by an encryption password but is determined by the result of judging whether the user is allowed to access the sensitive data, which makes management and control flexible.
Embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here are only used to illustrate and explain the present invention and do not limit it. Where there is no conflict, the embodiments of the present invention and the features of the embodiments may be combined with one another.
An embodiment of the present invention provides a data desensitization method. As shown in Fig. 1, the flowchart of the method, it includes the following steps:
Step 11: receive the SQL instruction sent by the user;
Step 12: when it is determined that the data to be accessed by the SQL instruction contains sensitive data and the user is not allowed to access sensitive data, convert the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Step 12 may be, but is not limited to being, implemented as follows:
First, determine whether the data to be accessed by the SQL instruction contains sensitive data.
Specifically, the SQL instruction is scanned. When analysis shows that the SQL instruction contains a select query statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the columns to be queried from that sensitive data table include a preset sensitive data column, it is determined that the data to be accessed by the SQL instruction contains sensitive data; otherwise it is determined that the data to be accessed by the SQL instruction does not contain sensitive data.
When it is determined that the data to be accessed by the SQL instruction contains sensitive data, go on to determine whether the user is allowed to access sensitive data.
Where the SQL instruction in step 11 was sent by the user at a first time, the embodiment of the present invention may, but is not limited to, determine whether the user is allowed to access sensitive data as follows:
According to the pre-stored list of authorized users, determine whether the user is an authorized user;
When the user is determined to be an authorized user, go on to determine whether the first time falls within the access time range corresponding to the authorized user, and determine whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
When it is determined that the user is an authorized user, that the first time falls within the access time range, and that the sensitive data to be accessed by the SQL instruction is an authorized access object, determine that the user is allowed to access sensitive data;
When it is determined that the user is not an authorized user, or that the first time does not fall within the access time range, or that the sensitive data to be accessed by the SQL instruction is not an authorized access object, determine that the user is not allowed to access sensitive data.
When it is determined that the user is not allowed to access sensitive data, the SQL instruction is converted according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
The desensitization conversion rule may be, but is not limited to, the following:
The statement in the SQL instruction that accesses sensitive data is replaced with a preset conversion function, where the preset conversion function converts the characters at specified positions in the sensitive data into preset special characters, and the sensitive data includes at least any one of: ID card number, telephone number, name and address.
Compared with the prior art, the embodiment of the present invention does not modify the sensitive data itself during desensitization; instead, the way the data is displayed is determined by converting the SQL instruction sent by the user, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, the way the data is displayed is no longer controlled by an encryption password but is determined by the result of judging whether the user is allowed to access the sensitive data, which makes management and control flexible.
For a better understanding of the embodiment of the present invention, its concrete implementation process is described below with reference to a specific implementation.
In a concrete application, the data desensitization method provided by the embodiment of the present invention can be implemented by adding a data desensitization server and a permission approval server. Fig. 2 is a schematic diagram of the application scenario of the method in a concrete application.
The permission approval server is responsible for user authentication and provides interfaces to the data desensitization server (user whitelist, authorized time window, authorized access objects and so on).
User whitelist: the list of authorized users; users in this list are allowed to access sensitive data.
Authorized time window: the access time range within which a user in the list of authorized users is allowed to access sensitive data.
Authorized access object: a database object that a user in the list of authorized users is allowed to access (for example a table, view or synonym).
When a user needs to access sensitive data, the user submits a request to the permission approval server. The request contains information such as the applicant, the access object, the access time and the reason for access. The permission approval server submits the request to the responsible superior for manual review. Once the request is confirmed to be legitimate access, the applicant information in the request is added to the user whitelist, the access time is converted into an authorized time window, and the access object is converted into an authorized access object.
The data desensitization server is responsible for recording the desensitization conversion rules for sensitive data and for judging the SQL instructions sent by users. If it finds that the content to be accessed by a user's SQL instruction involves sensitive data (for example ID card number, telephone number, name or address), it goes on to determine, through the interfaces provided by the permission approval server, whether the user is an unauthorized user (that is, not allowed to access sensitive data). If the user is found to be unauthorized, it immediately applies the desensitization conversion rules to convert the SQL instruction submitted by the user, so that the data presented to the user is desensitized data. If it finds that the content to be accessed by the user's SQL instruction does not involve sensitive data, or that it involves sensitive data and the user is a legitimately authorized user, it does not process the SQL instruction submitted by the user and forwards it directly to the back-end database for execution.
When recording the desensitization conversion rules for sensitive data, the data desensitization server also needs to record the following information:
The configuration of all database instances connected to the data desensitization server, including the name, IP address and listening port of each database instance on which sensitive data desensitization is performed;
Database user schema: the account information under which the sensitive data tables are recorded in a specific database instance.
Sensitive data table: the data table, view or synonym that stores sensitive data.
Sensitive data column: the column name of the data object (table, view or synonym) that stores sensitive information.
The desensitization conversion rules recorded in the data desensitization server are the rules used when converting sensitive data columns. They are usually written with the database's built-in functions, which convert the characters at specified positions in the sensitive data into preset special characters.
Taking sensitive data consisting of ID card number, telephone number, name and address as an example:
Desensitization of ID card numbers: the characters at specified positions of the ID card number (column assumed to be CERITID) are replaced with a special character, or all characters of the whole ID card number are directly replaced with special characters (for example '*') as required. For example, to desensitize the last three characters, the specified function is SUBSTR(CERITID, 1, LENGTH(CERITID)-3)||'***'.
Desensitization of telephone numbers: by analysing the number pattern, determine whether the first 3 to 5 digits are an area code or an extra prefix number (for example 021, 12580, 17951), extract the significant number, and then blur the digits at the corresponding positions as required, or directly replace all characters of the whole telephone number with special characters (for example '*') as required. For example, if the last 4 digits of a fixed-line number are to be blurred, the specified function is: SUBSTR(phone, 1, LENGTH(phone)-4)||'****'.
Desensitization of names: determine whether the name contains the user's surname, and replace characters at any chosen positions after the surname with a special character (for example '*'), or directly replace all characters of the whole name with special characters as required.
Desensitization of addresses: determine whether the address contains keywords such as "city", "district", "town", "township", "village", "street", "number" and "building"; randomly replace the characters other than these keywords, or directly replace all characters of the whole address with special characters (for example '*') as required.
After a desensitization conversion rule is added, the data desensitization server automatically scans the database dictionary according to the information provided above, finds the names of all data objects and columns that reference the sensitive data, and iteratively updates them into the above rule set.
Fig. 3 is the detailed flowchart of the data desensitization method in this application scenario. It includes the following steps:
Step 31: the user connects to the specified database instance by any means and submits an SQL instruction.
Step 32: the data desensitization server determines, from the database instance selected by the user and the submitted SQL instruction, whether the instruction extracts sensitive data. If not, go to step 37; if so, continue with step 33.
Step 33: according to the user whitelist provided by the permission approval server, check whether the user is an authorized user. If the user is not in the whitelist, go to step 36; if the user is in the whitelist, continue with step 34.
Step 34: according to the authorized time window provided by the permission approval server and the current time, determine whether the current time is within the authorized time window. If not, go to step 36; if so, continue with step 35.
Step 35: according to the authorized access objects provided by the permission approval server and the sensitive data that the SQL instruction is to extract, determine whether that sensitive data is an authorized access object. If not, go to step 36; if so, go to step 37.
Step 36: process the submitted SQL instruction according to the desensitization conversion rules, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Step 37: forward the SQL instruction to the back-end database for execution and return the result.
Figure 4 shows a flowchart of a specific implementation for determining whether an SQL instruction extracts sensitive data. It includes the following steps:
Step 41: scan the SQL instruction submitted by the user and determine whether it contains a SELECT statement (including insert, delete and update statements that contain a SELECT query). If not, determine that the SQL instruction does not extract sensitive data; if so, continue with step 42.
Step 42: extract the table names used in the SELECT statement and check whether they include a sensitive data table. If not, determine that the SQL instruction does not extract sensitive data; if so, continue with step 43.
Step 43: check the column names used in the SQL statement when querying the sensitive data table and determine whether sensitive data columns are used. If none are used, determine that the SQL instruction does not extract sensitive data; if any are used, determine that the SQL instruction extracts sensitive data.
The SQL instruction is then converted in step 36 above.
Note that if the SELECT statement uses '*', it is directly replaced with all the column names of the sensitive data table, and the sensitive data columns are converted according to the conversion rule.
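The decision flow of steps 31 to 37, together with the SELECT check of steps 41 to 43 and the '*' expansion, as an added Python example that is not code from the patent. The table and column names, the grants, the masking expressions and the SQLite back end are assumptions made for illustration, and the example handles single-table SELECT statements only, rejecting expressions over sensitive columns that it cannot rewrite.

```python
import re
import sqlite3
from datetime import datetime

# Constructed configuration (assumption, not from the patent): the columns of each
# sensitive table and, per sensitive column, the masking expression that plays the
# role of the "preset conversion function".
TABLE_COLUMNS = {"customer": ["id", "name", "phone", "id_card"]}
MASKS = {
    "customer": {
        "phone": "substr(phone,1,3) || '****' || substr(phone,8)",
        "id_card": "substr(id_card,1,6) || '********' || substr(id_card,15)",
    }
}
# Constructed grants, standing in for the permission approval server:
# user -> (window start, window end, authorized (table, column) objects).
GRANTS = {
    "auditor": (datetime(2015, 6, 1), datetime(2015, 6, 30), {("customer", "phone")}),
}

SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def sensitive_refs(item, table):
    """Sensitive column names of `table` mentioned anywhere in one select-list item."""
    return {s for s in MASKS.get(table, {}) if re.search(rf"\b{s}\b", item, re.IGNORECASE)}


def is_allowed(user, now, needed):
    grant = GRANTS.get(user)
    if grant is None:                 # step 33: user not in the whitelist
        return False
    start, end, objects = grant
    if not (start <= now <= end):     # step 34: outside the authorization time window
        return False
    return needed <= objects          # step 35: all requested data must be authorized


def desensitize(user, sql, now):
    """Return the SQL to forward to the back end (step 37), converted if required."""
    m = SELECT_RE.match(sql)
    if not m:                         # step 41: no SELECT found
        return sql
    table, rest = m.group("table").lower(), m.group("rest")
    cols = [c.strip() for c in m.group("cols").split(",")]
    if cols == ["*"] and table in TABLE_COLUMNS:
        cols = list(TABLE_COLUMNS[table])      # '*' becomes the full column list
    # steps 42-43: sensitive table and sensitive columns actually used
    needed = {(table, s) for c in cols for s in sensitive_refs(c, table)}
    if not needed or is_allowed(user, now, needed):
        return sql
    out = []                          # step 36: convert the instruction
    for c in cols:
        if c.lower() in MASKS[table]:
            out.append(f"{MASKS[table][c.lower()]} AS {c}")
        elif sensitive_refs(c, table):
            # Choice of this example: refuse what it cannot rewrite safely.
            raise ValueError(f"unsupported expression over sensitive column: {c}")
        else:
            out.append(c)
    return f"SELECT {', '.join(out)} FROM {table}{rest}"


def run(user, sql, now):
    """Execute the (possibly converted) instruction on a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER, name TEXT, phone TEXT, id_card TEXT)")
    db.execute("INSERT INTO customer VALUES (1, 'Zhang San', '13800001234', '370102199001011234')")
    return db.execute(desensitize(user, sql, now)).fetchall()


if __name__ == "__main__":
    day = datetime(2015, 6, 10)
    print(run("intern", "SELECT * FROM customer", day))
    print(run("auditor", "SELECT phone FROM customer", day))
```

The stored rows are never modified: only the forwarded statement differs between the two users.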
Compared with the prior art, the embodiment of the present invention does not modify the sensitive data itself during desensitization; instead, it determines how the data is displayed by converting the SQL instruction sent by the user, thereby achieving data desensitization and greatly improving its efficiency. In addition, how the data is displayed is no longer controlled by an encryption password but is decided by the result of judging whether the user is allowed to access the sensitive data, which enables flexible control.
Based on the same inventive concept, the embodiment of the present invention also provides a data desensitization device. Because the device solves the problem on a principle similar to that of the data desensitization method, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
Figure 5 is a structural diagram of the data desensitization device provided by the embodiment of the present invention, which includes:
an SQL instruction receiving module 51, configured to receive a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module 52, configured to, when it is determined that the data to be accessed by the SQL instruction received by the SQL instruction receiving module includes sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction conversion module 52 specifically includes:
a first judging unit 521, configured to determine whether the data to be accessed by the SQL instruction includes sensitive data;
a second judging unit 522, configured to, when the first judging unit 521 determines that the data to be accessed by the SQL instruction includes sensitive data, further determine whether the user is allowed to access the sensitive data;
a conversion unit 523, configured to, when the second judging unit 522 determines that the user is not allowed to access the sensitive data, convert the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction receiving module 51 specifically includes:
receiving the SQL instruction sent by the user at a first time; then
the second judging unit 522 is specifically configured to:
determine, according to a pre-stored list of authorized users, whether the user is an authorized user; when it is determined that the user is an authorized user, further determine whether the first time is within the access time range corresponding to the authorized user, and determine whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when it is determined that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determine that the user is not allowed to access the sensitive data; when it is determined that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determine that the user is allowed to access the sensitive data.
Optionally, the first judging unit 521 is specifically configured to:
scan the SQL instruction; when analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried in that sensitive data table include preset sensitive data columns, determine that the data to be accessed by the SQL instruction includes sensitive data; otherwise determine that the data to be accessed by the SQL instruction does not include sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: an identity card number, a telephone number, a name and an address.
For convenience of description, the parts above are described separately as modules (or units) divided by function. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (10)

1. A data desensitization method, characterized by comprising:
receiving a Structured Query Language (SQL) instruction sent by a user;
when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
2. The method of claim 1, characterized in that, when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data, specifically comprises:
determining whether the data to be accessed by the SQL instruction includes sensitive data;
when it is determined that the data to be accessed by the SQL instruction includes sensitive data, further determining whether the user is allowed to access the sensitive data;
when it is determined that the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
3. The method of claim 2, characterized in that receiving the SQL instruction sent by the user specifically comprises:
receiving the SQL instruction sent by the user at a first time; then
determining whether the user is allowed to access the sensitive data specifically comprises:
determining, according to a pre-stored list of authorized users, whether the user is an authorized user;
when it is determined that the user is an authorized user, further determining whether the first time is within the access time range corresponding to the authorized user, and determining whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
when it is determined that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data;
when it is determined that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
4. The method of claim 2, characterized in that determining whether the data to be accessed by the SQL instruction includes sensitive data specifically comprises:
scanning the SQL instruction; when analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried in that sensitive data table include preset sensitive data columns, determining that the data to be accessed by the SQL instruction includes sensitive data; otherwise determining that the data to be accessed by the SQL instruction does not include sensitive data.
5. The method of claim 1, characterized in that the desensitization conversion rule includes:
replacing the statement used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: an identity card number, a telephone number, a name and an address.
6. A data desensitization device, characterized by comprising:
an SQL instruction receiving module, configured to receive a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module, configured to, when it is determined that the data to be accessed by the SQL instruction received by the SQL instruction receiving module includes sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
7. The device of claim 6, characterized in that the SQL instruction conversion module specifically includes:
a first judging unit, configured to determine whether the data to be accessed by the SQL instruction includes sensitive data;
a second judging unit, configured to, when the first judging unit determines that the data to be accessed by the SQL instruction includes sensitive data, further determine whether the user is allowed to access the sensitive data;
a conversion unit, configured to, when the second judging unit determines that the user is not allowed to access the sensitive data, convert the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
8. The device of claim 7, characterized in that the SQL instruction receiving module specifically includes:
receiving the SQL instruction sent by the user at a first time; then
the second judging unit is specifically configured to:
determine, according to a pre-stored list of authorized users, whether the user is an authorized user; when it is determined that the user is an authorized user, further determine whether the first time is within the access time range corresponding to the authorized user, and determine whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when it is determined that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determine that the user is not allowed to access the sensitive data; when it is determined that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determine that the user is allowed to access the sensitive data.
9. The device of claim 7, characterized in that the first judging unit is specifically configured to:
scan the SQL instruction; when analysis shows that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried in that sensitive data table include preset sensitive data columns, determine that the data to be accessed by the SQL instruction includes sensitive data; otherwise determine that the data to be accessed by the SQL instruction does not include sensitive data.
10. The device of claim 6, characterized in that the desensitization conversion rule includes:
replacing the statement used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: an identity card number, a telephone number, a name and an address.
CN201510303954.4A 2015-06-04 2015-06-04 A kind of data desensitization method and device Active CN106295388B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510303954.4A CN106295388B (en) 2015-06-04 2015-06-04 A kind of data desensitization method and device

Publications (2)

Publication Number Publication Date
CN106295388A true CN106295388A (en) 2017-01-04
CN106295388B CN106295388B (en) 2019-09-10

Family

ID=57659048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510303954.4A Active CN106295388B (en) 2015-06-04 2015-06-04 A kind of data desensitization method and device

Country Status (1)

Country Link
CN (1) CN106295388B (en)

Also Published As

Publication number Publication date
CN106295388B (en) 2019-09-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant