CN106295388B - A kind of data desensitization method and device - Google Patents

Publication number
CN106295388B
Authority
CN
China
Legal status
Active
Application number
CN201510303954.4A
Other languages
Chinese (zh)
Other versions
CN106295388A (en
Inventor
田力
Current Assignee
China Mobile Group Shandong Co Ltd
Original Assignee
China Mobile Group Shandong Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Abstract

The invention discloses a data desensitization method and device that address the low efficiency and inflexible management of data desensitization in the prior art. The method comprises: receiving a Structured Query Language (SQL) instruction sent by a user; and, when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.

Description

A kind of data desensitization method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a data desensitization method and device.
Background art
With market growth and business development, more and more customer data is stored in enterprise databases; once it leaks, it brings the enterprise a huge crisis of trust and economic loss. Enterprises therefore attach great importance to data security and use management and technical measures such as three-tier network architecture, firewalls and security audits to prevent data leakage incidents and to make the source of an incident traceable. Among these, desensitizing (or obfuscating) sensitive data is a proactive and effective means of preventing data leakage.
Data desensitization means transforming sensitive data according to desensitization rules so that the sensitive data is reliably protected, allowing the desensitized real data set (the desensitized data) to be used safely in development, testing, other non-production environments and outsourced environments without leaking information.
At present, data desensitization is mainly performed with the following techniques:
1. Converting sensitive data with the database's built-in UPDATE statement, which updates existing data in a table. In this method, after database synchronization completes, an operator logs in to the database and uses UPDATE statements to convert the sensitive data according to the specified desensitization rules; the changes are committed and take effect once the operation completes.
2. Desensitizing sensitive data during data migration using a tool. This approach can separately encrypt the exported sensitive data tables so that the sensitive data is shown as desensitized data; once the encryption password is obtained, the desensitized data can be restored to the original data.
Of these two techniques, the first, which desensitizes with UPDATE statements, is irreversible: when the sensitive data needs to be accessed, the database has to be synchronized again, so flexibility is poor and business needs cannot be met. Because the sensitive data, which may be large in volume, has to be modified during desensitization, efficiency is low and the technique is unsuitable for scenarios with strict data-timeliness requirements. The second technique can restore the desensitized data to the original data once the encryption password is obtained, i.e. it is reversible, but because the sensitive data is also modified during export and import, it too suffers from low efficiency and is unsuitable for scenarios with strict data-timeliness requirements. In addition, the encryption password is fixed and cannot be changed flexibly; once a user has obtained it, that user's access to the sensitive data cannot be revoked, which makes management and control difficult.
In real production environments, because of security and system-resource constraints, internal statisticians or auditors need to be given a data environment for statistics and auditing that is independent of production. This scenario has strict data-timeliness requirements, so data synchronization and desensitization must be completed periodically within a defined time window. At the same time, as work such as customer real-name registration progresses, auditors must be able to access the original data from time to time within their security clearance. None of the above techniques can meet these requirements.
Summary of the invention
The embodiments of the present invention provide a data desensitization method and device to solve the problems of low desensitization efficiency and inflexible management in the prior art.
The embodiments of the present invention adopt the following technical solutions:
A first aspect provides a data desensitization method, comprising:
receiving a Structured Query Language (SQL) instruction sent by a user;
when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, converting the SQL instruction according to the preset desensitization transformation rule when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data accessed by the converted SQL instruction is desensitized data, specifically comprises:
determining whether the data to be accessed by the SQL instruction includes sensitive data;
when the data to be accessed by the SQL instruction includes sensitive data, further determining whether the user is allowed to access the sensitive data;
when the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, receiving the SQL instruction sent by the user specifically comprises:
receiving the SQL instruction sent by the user at a first time; in which case
determining whether the user is allowed to access the sensitive data specifically comprises:
determining, according to a pre-stored list of authorized users, whether the user is an authorized user;
when the user is an authorized user, further determining whether the first time falls within the access time range corresponding to the authorized user, and whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
when the user is not an authorized user, or the first time is not within the access time range, or the sensitive data to be accessed by the SQL instruction is not an authorized access object, determining that the user is not allowed to access the sensitive data;
when the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is an authorized access object, determining that the user is allowed to access the sensitive data.
Optionally, determining whether the data to be accessed by the SQL instruction includes sensitive data specifically comprises:
scanning the SQL instruction; when analysis shows that the SQL instruction contains a query (SELECT) statement, that the tables to be queried in the SELECT statement include a preset sensitive data table, and that the columns to be queried from that sensitive data table include a preset sensitive data column, determining that the data to be accessed by the SQL instruction includes sensitive data; otherwise determining that the data to be accessed by the SQL instruction does not include sensitive data.
Optionally, the desensitization transformation rule comprises:
replacing the expression used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into a preset special character; wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
A second aspect provides a data desensitization device, comprising:
an SQL instruction receiving module, configured to receive a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module, configured to, when it is determined that the data to be accessed by the SQL instruction received by the SQL instruction receiving module includes sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction conversion module specifically comprises:
a first judging unit, configured to determine whether the data to be accessed by the SQL instruction includes sensitive data;
a second judging unit, configured to, when the first judging unit determines that the data to be accessed by the SQL instruction includes sensitive data, further determine whether the user is allowed to access the sensitive data;
a conversion unit, configured to, when the second judging unit determines that the user is not allowed to access the sensitive data, convert the SQL instruction according to the preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction receiving module is specifically configured to:
receive the SQL instruction sent by the user at a first time; in which case
the second judging unit is specifically configured to:
determine, according to a pre-stored list of authorized users, whether the user is an authorized user; when the user is an authorized user, further determine whether the first time falls within the access time range corresponding to the authorized user, and whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when the user is not an authorized user, or the first time is not within the access time range, or the sensitive data to be accessed by the SQL instruction is not an authorized access object, determine that the user is not allowed to access the sensitive data; when the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is an authorized access object, determine that the user is allowed to access the sensitive data.
Optionally, the first judging unit is specifically configured to:
scan the SQL instruction; when analysis shows that the SQL instruction contains a query (SELECT) statement, that the tables to be queried in the SELECT statement include a preset sensitive data table, and that the columns to be queried from that sensitive data table include a preset sensitive data column, determine that the data to be accessed by the SQL instruction includes sensitive data; otherwise determine that the data to be accessed by the SQL instruction does not include sensitive data.
Optionally, the desensitization transformation rule comprises:
replacing the expression used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into a preset special character; wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
The embodiments of the present invention have the following beneficial effects:
In the embodiments of the present invention, the SQL instruction sent by a user is received; when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, the SQL instruction is converted according to a preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data. Compared with the prior art, the sensitive data is not modified during desensitization; instead, the SQL instruction sent by the user is converted to determine how the data is presented, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, how the data is presented is no longer controlled by an encryption password but is decided by whether the user is allowed to access the sensitive data, which allows flexible control.
Other features and advantages of the present invention will be set forth in the description that follows and will in part become apparent from the description or be understood by practising the invention. The objectives and other advantages of the invention can be realized and obtained through the structures particularly pointed out in the written description, the claims and the drawings.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form part of it; the illustrative embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of an implementation of the data desensitization method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the application scenario of the data desensitization method provided by an embodiment of the present invention in a specific application;
Fig. 3 is a detailed flow chart of the data desensitization method in that application scenario;
Fig. 4 is a detailed flow chart for determining whether an SQL instruction contains content that extracts sensitive data;
Fig. 5 is a schematic structural diagram of a data desensitization device provided by an embodiment of the present invention.
Detailed description of the embodiments
To solve the problems of low desensitization efficiency and inflexible management in the prior art, the embodiments of the present invention provide a data desensitization scheme. In this technical solution, the SQL instruction sent by a user is received; when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, the SQL instruction is converted according to a preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data. Compared with the prior art, the sensitive data is not modified during desensitization; instead, the SQL instruction sent by the user is converted to determine how the data is presented, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, how the data is presented is no longer controlled by an encryption password but is decided by whether the user is allowed to access the sensitive data, which allows flexible control.
The embodiments of the present invention are described below with reference to the drawings. It should be understood that the embodiments described here only illustrate and explain the present invention and do not limit it. Where no conflict arises, the embodiments and the features of the embodiments may be combined with one another.
An embodiment of the present invention provides a data desensitization method. Fig. 1 is a flow chart of an implementation of the method, which comprises the following steps:
Step 11: receive the SQL instruction sent by a user;
Step 12: when it is determined that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, convert the SQL instruction according to a preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Step 12 may be implemented, but is not limited to being implemented, as follows:
First, determine whether the data to be accessed by the SQL instruction includes sensitive data;
Specifically, the SQL instruction is scanned; when analysis shows that the SQL instruction contains a query (SELECT) statement, that the tables to be queried in the SELECT statement include a preset sensitive data table, and that the columns to be queried from that sensitive data table include a preset sensitive data column, it is determined that the data to be accessed by the SQL instruction includes sensitive data; otherwise it is determined that the data to be accessed by the SQL instruction does not include sensitive data.
When the data to be accessed by the SQL instruction includes sensitive data, further determine whether the user is allowed to access the sensitive data;
Where the SQL instruction in step 11 is sent by the user at a first time, the embodiment of the present invention may, but is not limited to, determine whether the user is allowed to access the sensitive data as follows:
Determine, according to a pre-stored list of authorized users, whether the user is an authorized user;
When the user is an authorized user, further determine whether the first time falls within the access time range corresponding to the authorized user, and whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
When the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is an authorized access object, determine that the user is allowed to access the sensitive data;
When the user is not an authorized user, or the first time is not within the access time range, or the sensitive data to be accessed by the SQL instruction is not an authorized access object, determine that the user is not allowed to access the sensitive data.
When the user is not allowed to access the sensitive data, convert the SQL instruction according to the preset desensitization transformation rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
The desensitization transformation rule may be, but is not limited to, the following:
Replace the expression used to access sensitive data in the SQL instruction with a preset conversion function, where the preset conversion function converts the characters at specified positions in the sensitive data into a preset special character, and the sensitive data includes at least any one of: ID card number, telephone number, name and address.
Compared with the prior art, the embodiments of the present invention do not modify the sensitive data during desensitization; instead, the SQL instruction sent by the user is converted to determine how the data is presented, which achieves the effect of data desensitization and greatly improves its efficiency. In addition, how the data is presented is no longer controlled by an encryption password but is decided by whether the user is allowed to access the sensitive data, which allows flexible control.
To aid understanding of the embodiments of the present invention, a specific implementation process is described below.
In a specific application, the data desensitization method provided by the embodiment of the present invention can be implemented by adding a data desensitization server and a permission approval server. Fig. 2 is a schematic diagram of the application scenario of the method in a specific application.
The permission approval server is responsible for user authentication and provides interfaces to the data desensitization server (user white list, authorization time window, authorized access objects, etc.).
User white list: the list of authorized users; users in this list are allowed to access sensitive data.
Authorization time window: the time range within which a user in the list of authorized users is allowed to access sensitive data.
Authorized access object: the database objects that a user in the list of authorized users is allowed to access (for example, a table, view or synonym).
When a user needs to access sensitive data, the user submits an application to the permission approval server; the application contains information such as the applicant's details, the access object, the access time and the reason for access. The permission approval server submits the application to a superior for manual review. Once the access is confirmed as legitimate, the applicant's details are added to the user white list, the access time is converted into an authorization time window, and the access object is converted into an authorized access object.
The data desensitization server records the desensitization transformation rules for sensitive data and evaluates each SQL instruction sent by a user. If the content to be accessed by the SQL instruction involves sensitive data (for example, ID card number, contact phone number, name or address), the server uses the interfaces provided by the permission approval server to determine whether the user is an unauthorized user (one not allowed to access sensitive data). If the user is unauthorized, the server immediately applies the desensitization transformation rules to the SQL instruction submitted by the user, so that the data presented to the user is desensitized data. If the content to be accessed does not involve sensitive data, or it involves sensitive data and the user is an authorized user, the SQL instruction is not processed and is forwarded directly to the back-end database for execution.
In addition to the desensitization transformation rules for sensitive data, the data desensitization server also needs to record the following information:
Configuration information for all database instances connected to the data desensitization server, including the name, IP address and listening port of each database instance on which sensitive data desensitization is to be performed;
Database user schema: records the accounts under a specific database instance that contain sensitive data tables.
Sensitive data table: a table, view or synonym that stores sensitive data.
Sensitive data column: the name of a column that stores sensitive information in the data object (table, view or synonym).
The desensitization transformation rules recorded in the data desensitization server, i.e. the rules used when desensitizing sensitive data columns, are generally written with the database's built-in functions; these functions convert the characters at specified positions in the sensitive data into a preset special character.
Taking sensitive data that includes ID card numbers, telephone numbers, names and addresses as an example:
Desensitizing an ID card number: replace the characters at specified positions of the ID card number (column assumed to be CERITID), or, as required, all characters of the ID card number, with a special character (for example '*'). For example, to desensitize the last three characters, the specified function is SUBSTR(CERITID, 1, LENGTH(CERITID) - 3) || '***'.
Desensitizing a telephone number: analyse the number pattern to determine whether the first 3 to 5 digits are an area code or an additional number (for example 021, 12580, 17951) and extract the significant number, then obfuscate the digits at the required positions, or, as required, replace all characters of the telephone number with a special character (for example '*'). For example, to obfuscate the last 4 digits of a landline number, the specified function is SUBSTR(phone, 1, LENGTH(phone) - 4) || '****'.
Desensitizing a name: determine whether it contains the user's surname, and replace characters at any position after the surname with a special character (for example '*'), or, as required, replace all characters of the name with the special character.
Desensitizing an address: determine whether it contains keywords such as "city", "district", "town", "township", "village", "street", "number" or "building", and randomly replace the characters other than these keywords, or, as required, replace all characters of the address with a special character (for example '*').
After a desensitization transformation rule is added, the data desensitization server automatically scans the database dictionary using the information provided above, finds the names of all data objects and columns that reference the sensitive data, and iteratively adds them to the rule set.
Fig. 3 is a detailed flow chart of the data desensitization method in this application scenario. It comprises the following steps:
Step 31: the user connects to the specified database instance by any means and submits an SQL instruction.
Step 32: based on the database instance selected by the user and the submitted SQL instruction, the data desensitization server determines whether the instruction contains content that extracts sensitive data. If not, step 37 is performed; if so, step 33 follows.
Step 33: using the user white list provided by the permission approval server, check whether the user is an authorized user. If the user is not in the user white list, step 36 is performed; if the user is in the user white list, step 34 follows.
Step 34: using the authorization time window provided by the permission approval server and the current time, determine whether the current time is within the authorization time window. If not, step 36 is performed; if so, step 35 follows.
Step 35: using the authorized access objects provided by the permission approval server and the sensitive data to be extracted by the SQL instruction, determine whether the sensitive data to be extracted is an authorized access object. If not, step 36 is performed; if so, step 37 is performed.
Step 36: process the submitted SQL instruction according to the desensitization transformation rules, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Step 37: forward the instruction to the back-end database for execution and return the result.
Fig. 4 is a detailed flow chart for determining whether an SQL instruction contains content that extracts sensitive data. It comprises the following steps:
Step 41: scan the SQL instruction submitted by the user and determine whether it contains a SELECT statement (including INSERT, DELETE and UPDATE statements that contain a SELECT query). If not, it is determined that the SQL instruction contains no content that extracts sensitive data; if so, step 42 follows.
Step 42: extract the table names used in the SELECT statement and check whether they include a sensitive data table. If not, it is determined that the SQL instruction contains no content that extracts sensitive data; if so, step 43 follows.
Step 43: check the column names used in the SQL statement when querying the sensitive data table and determine whether a sensitive data column is used. If not, it is determined that the SQL instruction contains no content that extracts sensitive data; if so, it is determined that the SQL instruction contains content that extracts sensitive data.
The SQL instruction is then converted in step 36 above.
Note that if '*' is used in the SELECT statement, it is replaced directly with all column names of the sensitive data table, and the sensitive data columns are converted according to the transformation rules.
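The flow of Figs. 3 and 4 (steps 31 to 37 and 41 to 43), sketched as an added Python example that is not code from the patent: it rewrites only single-table SELECTs with plain column names, runs the result against an in-memory SQLite table, and refuses any other SELECT-bearing statement that touches a sensitive table (a fail-closed choice made here, not stated in the patent). The table, column and user names, the time window and the sample row are constructed.

```python
import re
import sqlite3
from datetime import datetime

# Constructed rule set (hypothetical names): sensitive table -> column -> mask
# expression, written with the SUBSTR(...) || '***' pattern the description uses.
SENSITIVE = {
    "customer": {
        "ceritid": "SUBSTR(ceritid, 1, LENGTH(ceritid) - 3) || '***'",
        "phone": "SUBSTR(phone, 1, LENGTH(phone) - 4) || '****'",
    }
}
# Column list per sensitive table, used to expand SELECT * (a real deployment
# would read this from the database dictionary).
TABLE_COLUMNS = {"customer": ["id", "plan", "ceritid", "phone"]}
# Constructed approval data: user -> (window start, window end, authorized objects).
GRANTS = {"auditor": (datetime(2024, 1, 1, 9), datetime(2024, 1, 1, 18), {"customer"})}

SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)(?P<rest>.*)$", re.I | re.S)


def is_allowed(user, when, table):
    """Steps 33-35: white list, authorization time window, authorized object."""
    grant = GRANTS.get(user)
    if grant is None:
        return False
    start, end, objects = grant
    return start <= when <= end and table in objects


def rewrite(sql, user, when):
    """Return the statement to forward to the database, or raise PermissionError."""
    if not re.search(r"\bselect\b", sql, re.I):            # step 41: no SELECT
        return sql
    touched = [t for t in SENSITIVE if re.search(rf"\b{re.escape(t)}\b", sql, re.I)]
    if not touched:                                        # step 42: no sensitive table
        return sql
    if all(is_allowed(user, when, t) for t in touched):    # steps 33-35 all pass
        return sql
    m = SELECT_RE.match(sql)
    cols = [c.strip() for c in m.group("cols").split(",")] if m else []
    simple = (
        m is not None
        and touched == [m.group("table").lower()]
        and re.match(r"\s|;|$", m.group("rest")) is not None
        and not re.search(r"\bselect\b", m.group("rest"), re.I)
        and all(re.fullmatch(r"\w+|\*", c) for c in cols)
    )
    if not simple:
        # Added assumption, not in the patent: refuse what this sketch cannot parse
        # instead of forwarding it unmasked.
        raise PermissionError("cannot safely rewrite statement on sensitive table")
    table = touched[0]
    expanded = []
    for c in cols:                                         # '*' -> all column names
        expanded.extend(TABLE_COLUMNS[table] if c == "*" else [c])
    masks = SENSITIVE[table]
    if not any(c.lower() in masks for c in expanded):      # step 43: no sensitive column
        return sql
    out = [f"{masks[c.lower()]} AS {c}" if c.lower() in masks else c for c in expanded]
    return f"SELECT {', '.join(out)} FROM {m.group('table')}{m.group('rest')}"  # step 36


def demo():
    """Run one query as three callers against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER, plan TEXT, ceritid TEXT, phone TEXT)")
    db.execute("INSERT INTO customer VALUES (1, 'prepaid', '123456199001011234', '053112345678')")
    q = "SELECT id, ceritid, phone FROM customer WHERE id = 1"
    inside, outside = datetime(2024, 1, 1, 10), datetime(2024, 1, 1, 20)

    def run(user, when):                                   # step 37: forward and execute
        return db.execute(rewrite(q, user, when)).fetchall()

    return {
        "auditor_in_window": run("auditor", inside),
        "auditor_after_hours": run("auditor", outside),
        "intern": run("intern", inside),
    }


if __name__ == "__main__":
    for who, rows in demo().items():
        print(who, rows)
```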
Compared with the prior art, the embodiment of the present invention does not modify the sensitive data during data desensitization. Instead, it converts the SQL instruction sent by the user to determine how the data is displayed, thereby achieving the effect of data desensitization and greatly improving its efficiency. In addition, the data display mode is no longer controlled by an encryption password but is determined by the result of judging whether the user is allowed to access the sensitive data, which enables flexible control.
Based on the same inventive concept, an embodiment of the present invention also provides a data desensitization device. Because the principle by which the device solves the problem is similar to that of the data desensitization method, the implementation of the device may refer to the implementation of the method, and repeated details are not described again.
Figure 5 is a structural schematic diagram of the data desensitization device provided by an embodiment of the present invention, which comprises:
an SQL instruction receiving module 51, for receiving the Structured Query Language (SQL) instruction sent by the user;
an SQL instruction conversion module 52, for converting the SQL instruction according to a preset desensitization conversion rule when it is judged that the data to be accessed by the SQL instruction received by the SQL instruction receiving module includes sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction conversion module 52 specifically includes:
a first judging unit 521, for judging whether the data to be accessed by the SQL instruction includes sensitive data;
a second judging unit 522, for continuing to judge whether the user is allowed to access the sensitive data when the first judging unit 521 judges that the data to be accessed by the SQL instruction includes sensitive data;
a converting unit 523, for converting the SQL instruction according to the preset desensitization conversion rule when the second judging unit 522 judges that the user is not allowed to access the sensitive data, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
Optionally, the SQL instruction receiving module 51 specifically includes:
receiving the SQL instruction sent by the user at a first time; then
the second judging unit 522 is specifically used for:
judging, according to a pre-stored list of authorized users, whether the user is an authorized user; when the user is judged to be an authorized user, continuing to judge whether the first time is within the access time range corresponding to the authorized user, and judging whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when it is judged that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data; when it is judged that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
Optionally, the first judging unit 521 is specifically used for:
scanning the SQL instruction; when the analysis finds that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried from that sensitive data table in turn include a preset sensitive data column, determining that the data to be accessed by the SQL instruction includes sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not include sensitive data.
Optionally, the desensitization conversion rule includes:
replacing the statement used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
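The second judging unit's three-part authorization check and the conversion rule described above are shown together in this added example, which is not code from the patent. It runs the converted statement against an in-memory SQLite table so the stored values stay unmodified; the user list, access window, masking expressions and sample row are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, time

# Constructed authorization list: user -> access time range and the
# sensitive objects (table.column) that user may read in clear text.
AUTHORIZED = {
    "auditor01": {"window": (time(9, 0), time(18, 0)),
                  "objects": {"customer.phone"}},
}

# Constructed "preset conversion functions": SQLite expressions that replace
# characters at fixed positions with '*'.
MASKS = {
    "customer.name": "substr(name, 1, 1) || '**'",
    "customer.phone": "substr(phone, 1, 3) || '****' || substr(phone, 8)",
    "customer.id_card":
        "substr(id_card, 1, 6) || '********' || substr(id_card, 15)",
}


def may_read(user, when, obj):
    """Authorized user, inside the access window, and obj is authorized."""
    entry = AUTHORIZED.get(user)
    if entry is None:
        return False
    start, end = entry["window"]
    if not (start <= when.time() <= end):
        return False
    return obj in entry["objects"]


def convert(user, when, table, columns):
    """Build the SELECT, masking each sensitive column the user may not read."""
    parts = []
    for col in columns:
        if not col.isidentifier():  # column names come from policy, not user text
            raise ValueError(f"unexpected column name: {col!r}")
        obj = f"{table}.{col}"
        if obj in MASKS and not may_read(user, when, obj):
            parts.append(f"{MASKS[obj]} AS {col}")
        else:
            parts.append(col)
    return f"SELECT {', '.join(parts)} FROM {table}"


def demo_rows(user, when):
    """Run the converted query over one constructed row; storage is unchanged."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customer (id INTEGER, name TEXT, phone TEXT, id_card TEXT)")
    db.execute(
        "INSERT INTO customer VALUES "
        "(1, 'Zhang San', '13800001234', '370102199001011234')")  # constructed
    sql = convert(user, when, "customer", ["id", "name", "phone", "id_card"])
    return db.execute(sql).fetchall()
```

An unknown user, a request outside the window, or a column missing from the authorized objects each fall through to the masked expression, so the default outcome is desensitized data.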
For convenience of description, the parts above are divided by function into modules (or units) and described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (8)

1. A data desensitization method, characterized by comprising:
receiving a Structured Query Language (SQL) instruction sent by a user;
when it is judged that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to a preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data;
wherein the desensitization conversion rule includes: replacing the statement used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; and wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
2. The method according to claim 1, characterized in that, when it is judged that the data to be accessed by the SQL instruction includes sensitive data and the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data, specifically includes:
judging whether the data to be accessed by the SQL instruction includes sensitive data;
when it is judged that the data to be accessed by the SQL instruction includes sensitive data, continuing to judge whether the user is allowed to access the sensitive data;
when it is judged that the user is not allowed to access the sensitive data, converting the SQL instruction according to the preset desensitization conversion rule, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
3. The method according to claim 2, characterized in that receiving the SQL instruction sent by the user specifically includes:
receiving the SQL instruction sent by the user at a first time; then
judging whether the user is allowed to access the sensitive data specifically includes:
judging, according to a pre-stored list of authorized users, whether the user is an authorized user;
when the user is judged to be an authorized user, continuing to judge whether the first time is within the access time range corresponding to the authorized user, and judging whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user;
when it is judged that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data;
when it is judged that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
4. The method according to claim 2, characterized in that judging whether the data to be accessed by the SQL instruction includes sensitive data specifically includes:
scanning the SQL instruction; when the analysis finds that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried from that sensitive data table in turn include a preset sensitive data column, determining that the data to be accessed by the SQL instruction includes sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not include sensitive data.
5. A data desensitization device, characterized by comprising:
an SQL instruction receiving module, for receiving a Structured Query Language (SQL) instruction sent by a user;
an SQL instruction conversion module, for converting the SQL instruction according to a preset desensitization conversion rule when it is judged that the data to be accessed by the SQL instruction received by the SQL instruction receiving module includes sensitive data and the user is not allowed to access the sensitive data, so that the sensitive data accessed by the converted SQL instruction is desensitized data;
wherein the desensitization conversion rule includes: replacing the statement used to access sensitive data in the SQL instruction with a preset conversion function, the preset conversion function being used to convert the characters at specified positions in the sensitive data into preset special characters; and wherein the sensitive data includes at least any one of: ID card number, telephone number, name and address.
6. The device according to claim 5, characterized in that the SQL instruction conversion module specifically includes:
a first judging unit, for judging whether the data to be accessed by the SQL instruction includes sensitive data;
a second judging unit, for continuing to judge whether the user is allowed to access the sensitive data when the first judging unit judges that the data to be accessed by the SQL instruction includes sensitive data;
a converting unit, for converting the SQL instruction according to the preset desensitization conversion rule when the second judging unit judges that the user is not allowed to access the sensitive data, so that the sensitive data accessed by the converted SQL instruction is desensitized data.
7. The device according to claim 6, characterized in that the SQL instruction receiving module specifically includes:
receiving the SQL instruction sent by the user at a first time; then
the second judging unit is specifically used for:
judging, according to a pre-stored list of authorized users, whether the user is an authorized user; when the user is judged to be an authorized user, continuing to judge whether the first time is within the access time range corresponding to the authorized user, and judging whether the sensitive data to be accessed by the SQL instruction is an authorized access object corresponding to the authorized user; when it is judged that the user is not an authorized user, or that the first time is not within the access time range, or that the sensitive data to be accessed by the SQL instruction is not the authorized access object, determining that the user is not allowed to access the sensitive data; when it is judged that the user is an authorized user, the first time is within the access time range, and the sensitive data to be accessed by the SQL instruction is the authorized access object, determining that the user is allowed to access the sensitive data.
8. The device according to claim 6, characterized in that the first judging unit is specifically used for:
scanning the SQL instruction; when the analysis finds that the SQL instruction contains a query (select) statement, that the data tables to be queried in the select statement include a preset sensitive data table, and that the data columns to be queried from that sensitive data table in turn include a preset sensitive data column, determining that the data to be accessed by the SQL instruction includes sensitive data; otherwise, determining that the data to be accessed by the SQL instruction does not include sensitive data.
CN201510303954.4A 2015-06-04 2015-06-04 A kind of data desensitization method and device Active CN106295388B (en)

Publications (2)

Publication Number Publication Date
CN106295388A CN106295388A (en) 2017-01-04
CN106295388B true CN106295388B (en) 2019-09-10
