CN107273763B - Fuzzy replacement method and system for SQL (structured query language) driver layer sensitive data - Google Patents


Info

Publication number
CN107273763B
Authority
CN
China
Prior art keywords
sql
sensitive data
data
statement
fuzzy
Prior art date
Legal status
Active
Application number
CN201710487647.5A
Other languages
Chinese (zh)
Other versions
CN107273763A (en)
Inventor
唐琦松
胡立军
林平
吴鑫
葛志元
Current Assignee
Shanghai I Search Software Co ltd
Original Assignee
Shanghai I Search Software Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai I Search Software Co ltd
Priority to CN201710487647.5A
Publication of CN107273763A
Application granted
Publication of CN107273763B
Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a fuzzy replacement method for sensitive data at the SQL (structured query language) driver layer, comprising the following steps: 1) loading a hook at the SQL driver layer and using it to intercept, up front, all data content related to database queries made by the current computer; 2) finding the key identification field name corresponding to each sensitive data item and completing the fuzzy replacement of the sensitive data item by means of whitelists and blacklists. The invention also provides a sensitive data fuzzy replacement system comprising a data acquisition module and a fuzzy replacement module, wherein the data acquisition module loads a hook at the SQL driver layer and intercepts, up front, all data content related to database queries made by the current computer, and the fuzzy replacement module finds the key identification field name corresponding to each sensitive data item and completes the fuzzy replacement of the sensitive data item by means of whitelists and blacklists. The invention obfuscates sensitive data at the source, thereby increasing security and reducing workload.

Description

Fuzzy replacement method and system for SQL (structured query language) driver layer sensitive data
Technical Field
The invention relates to a sensitive data fuzzification processing method and system, and belongs to the technical field of data fuzzification processing.
Background
An enterprise holds a large amount of data that involves the privacy of individual customers or the business value of the enterprise; this is called sensitive data. As enterprise informatization progresses, this information is stored on the enterprise's servers and can be queried and used extensively in various business systems and information management systems. Without control and management, there is a risk of sensitive data leakage. Minimizing that risk is therefore an urgent need. Traditionally, sensitive data is obfuscated at each client. Sensitive data (such as identification numbers) is stored on the client computer in logs, where it is at risk of disclosure. How to control and manage this sensitive data downstream of the server is a very important problem in enterprise information management.
The invention patent application with publication number 105610818A discloses a sensitive data fuzzification device that serves as an auxiliary accessory for a data-demanding application on a client that can access the server where the sensitive data is located. It comprises: a data acquisition module, which acquires the return data that a data demander or data-demanding application has requested from the server; a data analysis module, which formulates and manages a sensitive data feature matching policy, matches the data passed on by the data acquisition module against that policy, and finds the sensitive data that fits the features; a data processing module, which formulates and manages a sensitive data fuzzification policy suited to the feature matching policy formulated by the data analysis module, and fuzzifies the sensitive data passed on by the data analysis module according to that policy to obtain fuzzified, non-sensitive data; and a data response module, which returns the fuzzified, non-sensitive data to the data demander or data-demanding application.
However, this technical solution has a drawback: each time a new client accesses the database, the complete sensitive data obfuscation process has to be repeated, which effectively multiplies the workload.
Disclosure of Invention
The technical problem to be solved by the invention is to address the shortcomings described in the background by providing a fuzzy replacement method for sensitive data at the SQL driver layer that obfuscates sensitive data at the source, increasing security and reducing workload.
To solve this technical problem, the invention adopts the following technical solution:
A fuzzy replacement method for sensitive data at the SQL driver layer comprises the following steps:
1) loading a hook at the SQL driver layer and intercepting, up front, all data content related to database queries made by the current computer;
2) parsing the initial query SQL statement command, finding the key identification field name corresponding to each sensitive data item, filtering the sensitive data, and then forwarding the result to the communication sending channel.
Further, in the method provided by the invention, step 1) installs the hook with the SetWindowsHookEx function of the Windows API on the communication-layer interface where the SQL driver layer packages commands.
Further, in the method provided by the invention, the data content in step 1) comprises the complete content, data and length information of the SQL statement.
Further, in the method provided by the invention, parsing the request SQL command in step 2) means taking the SQL statement syntax model as the syntactic basis for parsing and reverse-parsing the SQL syntax to obtain the list of fields to be queried, in order to search it for sensitive field names.
Further, in the method provided by the invention, filtering the sensitive data in step 2) means obfuscating the relevant field items according to the fuzzy replacement policy configuration items configured by the user.
Further, in the method provided by the invention, stored-procedure SQL statements are parsed and processed separately from ordinary SQL query statements.
Further, in the method provided by the invention, if multiple SQL driver modules are loaded and running in the current system, all currently installed SQL driver modules are enumerated by traversal and feature identification, and a hook is injected into each of them one by one.
Further, during SQL statement parsing, different types of context are not distinguished, and obfuscation is applied whenever a field-name retrieval policy item is matched.
The invention also provides a sensitive data fuzzy replacement system, which comprises:
a data acquisition module, which loads a hook at the SQL driver layer and intercepts, up front, all data content related to database queries made by the current computer;
and a fuzzy replacement module, which finds the key identification field name corresponding to each sensitive data item by parsing the initial query SQL statement command, and completes the fuzzy replacement of the sensitive data item by means of whitelists and blacklists.
Further, in the sensitive data fuzzy replacement system provided by the invention, the data acquisition module installs the hook with the SetWindowsHookEx function of the Windows API on the communication-layer interface where the SQL driver layer packages commands.
Compared with the prior art, the invention, by adopting the above technical solution, has the following technical effects:
In this method, the hook injected into the SQL driver module intercepts the complete content, data, length and other information of SQL statements. The data interface obtained here is global to the driver layer: all SQL statements of the driver module are sent and received through this interface, and no other interface exists through which SQL statements could be communicated or processed and thereby missed, so no sensitive data appears in the network channel or in local logs. The invention obfuscates sensitive data at the source, so that any information displayed is already obfuscated.
Drawings
FIG. 1 is a schematic diagram of the SQL driver layer.
FIG. 2 is a diagram of an example JDBC driver layer.
FIG. 3 is a schematic diagram of a database query result before fuzzy replacement.
FIG. 4 is a diagram illustrating fuzzy substitution of database query results.
Detailed Description
The technical solution of the present invention is further described in detail below with reference to the accompanying drawings. It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The method intercepts changes to request commands on the SQL driver module through system-wide (global) hooks, parses the SQL statement, identifies the field items, and replaces the specified data field items with obfuscated strings according to the sensitive-data replacement policy configuration items, thereby obfuscating sensitive data at the source.
The invention provides a method of hook injection, sensitive data extraction and fuzzy replacement for the SQL driver module, as follows:
First, FIG. 2 shows an example of a JDBC driver layer. Current SQL driver layers generally come from large companies or third parties, ship without source code, and offer no ready-made data interface at all; obtaining valid and complete data while ensuring stability can only be achieved with hooking techniques.
Meanwhile, sensitive data (such as account numbers, passwords and names) exists only as character strings; taken in isolation, it is difficult to determine whether a given string is sensitive. However, the key identification field name corresponding to a data item can easily be found from the SQL (low-level Windows system program), and this field name is almost a unique identifier, so the fuzzy replacement of sensitive data items can easily be completed by means of whitelists and blacklists.
Referring to FIG. 2, a front hook is loaded at the SQL driver layer (a low-level Windows system program); once the Windows system is running, the daemon module locates the installation and runtime path of the SQL driver layer module in the system. All data content related to the current computer's database queries is intercepted through the hook.
More specifically, the invention installs the hook with the SetWindowsHookEx function of the Windows API on the communication-layer interface where the SQL driver layer packages commands, so that, before SQL statements are sent, they are processed by the fuzzy analysis module and then submitted to the original communication sending channel.
FIG. 1 is a schematic diagram of the SQL driver layer. The SQL request command is parsed to search for sensitive field names; deciding whether a given string is an ordinary string or a field name has to be solved through syntactic analysis of the SQL statement. Taking the SQL statement syntax model as the syntactic basis, the SQL syntax is reverse-parsed to obtain the list of fields to be queried:
column_name1, column_name2, column_name3, column_name4, ..., column_nameN.
The SQL statement syntax model used as the syntactic basis for parsing:
[Figure: SQL statement syntax model (image not reproduced)]
SQL statements are divided into two types, ordinary SQL statement commands and stored procedures; stored-procedure statements are parsed and processed separately from ordinary SQL query statements.
-- Basic syntax prototype of a stored procedure
CREATE PROC [ EDURE ] procedure_name [ ; number ]
[ { @parameter data_type }
[ VARYING ] [ = default ] [ OUTPUT ]
] [ ,...n ]
[ WITH
{ RECOMPILE | ENCRYPTION | RECOMPILE , ENCRYPTION } ]
[ FOR REPLICATION ]
AS sql_statement [ ...n ]
In this method, the hook injected into the SQL driver module intercepts the complete content, data, length and other information of SQL statements. The data interface obtained here is global to the driver layer: all SQL statements of the driver module are sent and received through this interface, and no other interface exists through which SQL statements could be communicated or processed and thereby missed.
Further, the relevant field items are each obfuscated according to the fuzzy replacement policy configuration items configured by the user.
For example, policyconfig.ini:
[ColumnItem]
Pno=******
Did=000000
After identification against the policy configuration items in policyconfig.ini, the Pno field is replaced with the string ****** in place of the original identification number, and the Did field is replaced with the string 000000 in place of the original bank card number, as shown in FIG. 3 and FIG. 4.
If multiple SQL driver modules are loaded and running in the current system, the daemon enumerates all currently installed SQL driver modules by traversal and feature identification, and injects a hook into each of them one by one.
During SQL statement parsing, different types of context, such as tables, views and temporary tables, are not distinguished; a field is obfuscated whenever it matches a field-name retrieval policy item.
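The field-list parsing and policy-driven replacement described above, as an added Python example that is not code from the patent: it reads a constructed policy in the policyconfig.ini shape, recovers the select list of a query, and masks the matching result columns. It goes beyond the text by also resolving aliases and expressions that reference a sensitive field, and by falling back to result-set column names for `SELECT *` or unparsed statements; all function names, the sample query and the sample row are assumptions.

```python
import configparser
import re

# Constructed policy in the same shape as the policyconfig.ini example above.
POLICY_INI = "[ColumnItem]\nPno=******\nDid=000000\n"

# String literal | quoted identifier | name (optionally qualified) | any other symbol.
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|[\w.]+|\S""")

def load_policy(ini_text):
    """Return {lower-cased field name: replacement string} from [ColumnItem]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {name.lower(): mask for name, mask in cp["ColumnItem"].items()}

def select_items(sql):
    """Token lists for each select-list item, split at top-level commas."""
    toks = TOKEN.findall(sql)
    if not toks or toks[0].upper() != "SELECT":
        return []  # e.g. a stored-procedure call: handled by the name fallback
    items, cur, depth = [], [], 0
    for tok in toks[1:]:
        if depth == 0 and tok.upper() == "FROM":
            break
        if depth == 0 and tok == ",":
            items.append(cur)
            cur = []
            continue
        depth += (tok == "(") - (tok == ")")
        cur.append(tok)
    items.append(cur)
    return items

def column_masks(sql, columns, policy):
    """One replacement string (or None) per result-set column."""
    items = select_items(sql)
    wildcard = any(it[-1:] == ["*"] and len(it) <= 2 for it in items)
    if not items or wildcard or len(items) != len(columns):
        # Positions cannot be tied to fields: match on result column names only.
        return [policy.get(c.lower()) for c in columns]
    masks = []
    for item, col in zip(items, columns):
        # Every identifier in the item counts, so "t.Pno AS x" and
        # "SUBSTRING(Did, 1, 6)" are masked; string literals are ignored.
        names = [t.split(".")[-1].strip('"').lower()
                 for t in item if not t.startswith("'")]
        names.append(col.lower())
        masks.append(next((policy[n] for n in names if n in policy), None))
    return masks

def mask_rows(sql, columns, rows, policy):
    """Replace sensitive values in fetched rows; NULLs stay NULL."""
    masks = column_masks(sql, columns, policy)
    return [tuple(v if m is None or v is None else m for v, m in zip(row, masks))
            for row in rows]

# Constructed sample query and row (not real data).
SAMPLE_SQL = ("SELECT c.Name, c.Pno AS id_no, SUBSTRING(a.Did, 1, 6) "
              "FROM customer c JOIN account a ON a.cid = c.id")
SAMPLE_COLUMNS = ["Name", "id_no", ""]
SAMPLE_ROWS = [("Zhang San", "310101199001011234", "622202")]

if __name__ == "__main__":
    print(mask_rows(SAMPLE_SQL, SAMPLE_COLUMNS, SAMPLE_ROWS, load_policy(POLICY_INI)))
```

Matching on field names alone leaves unmasked any sensitive value that reaches the client under a name the policy does not list, for example through a view that renames the column, so the policy has to cover every such name.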
The foregoing describes only some embodiments of the invention. It should be noted that those skilled in the art may make various modifications and refinements without departing from the principle of the invention, and such modifications and refinements shall also fall within the scope of protection of the invention.

Claims (1)

1. A fuzzy replacement method for sensitive data at the SQL driver layer, characterized by comprising the following steps:
1) loading a hook at the SQL driver layer and intercepting, up front, all data content related to database queries made by the current computer; specifically, installing the hook with the SetWindowsHookEx function of the Windows API on the communication-layer interface where the SQL driver layer packages commands, wherein the intercepted data content comprises the complete content, data and length information of the SQL statement;
2) parsing the initial query SQL statement command, finding the key identification field name corresponding to each sensitive data item, filtering the sensitive data, and submitting the filtered data to the communication sending channel;
wherein parsing the initial query SQL statement command means taking the syntax model of the initial query SQL statement as the syntactic basis for parsing and reverse-parsing the SQL syntax to obtain the list of fields to be queried and determine whether it contains a sensitive field name; and filtering the sensitive data means obfuscating the relevant field items according to the fuzzy replacement policy configuration items configured by the user;
stored-procedure SQL statements are parsed and processed separately from ordinary SQL query statements;
if multiple SQL driver modules are loaded and running in the current system, all currently installed SQL driver modules are enumerated by traversal and feature identification, and a hook is injected into each of them one by one;
during SQL statement parsing, different types of context are not distinguished, and obfuscation is applied whenever a field-name retrieval policy item is matched.
Application number: CN201710487647.5A; priority date: 2017-06-23; filing date: 2017-06-23; title: Fuzzy replacement method and system for SQL (structured query language) driver layer sensitive data; status: Active; publication: CN107273763B (en)

Publications (2)

Publication Number    Publication Date
CN107273763A (en)    2017-10-20
CN107273763B (en)    2020-12-04

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610818A (en) * 2015-12-25 2016-05-25 亿阳安全技术有限公司 Fuzzification device and method of sensitive data
CN106295388A (en) * 2015-06-04 2017-01-04 中国移动通信集团山东有限公司 A kind of data desensitization method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Windows中基于目标线程的远程钩子技术及应用;石熙;《重庆教育学院学报》;20081130;第21卷(第6期);第77页-79页 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant