CN107979595B - Private data protection method and gateway system - Google Patents


Publication number
CN107979595B
Authority
CN
China
Prior art keywords
data
cloud service
service application
private
request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201711180128.0A
Other languages
Chinese (zh)
Other versions
CN107979595A (en
Inventor
陈阳贵
储明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The invention provides a private data protection method and a gateway system. The gateway system intercepts request data sent by a user to a cloud service application, identifies the requested cloud service application and determines its data model; parses the request data according to the carrier analysis logic to obtain a data mark structure of the request data; queries the private data and the corresponding protection rules in the private data protection rule base according to the data model, and modifies the data in the data mark structure of the request data according to the private data and the corresponding protection rules; reconstructs the request data from the modified data mark structure and sends it to the corresponding cloud service application; receives the response data of the cloud service application; parses the response data according to the carrier analysis logic to obtain a data mark structure of the response data; and processes the data in the data mark structure of the response data according to the corresponding private data and its protection rules so as to restore the corresponding data. The method and the gateway system protect the user's private data without affecting the user's use of the various applications of the cloud service.

Description

Private data protection method and gateway system
Technical Field
The invention relates to the technical field of computer information security, in particular to a private data protection method and a gateway system.
Background
With the development of the internet and cloud technologies, personal and enterprise users increasingly use and rely on services provided by public cloud computing. Cloud computing provides revolutionary availability and convenience, from storage to processing of data. Meanwhile, one of the major challenges hindering the popularization of cloud technology is the protection of the private data of personal and enterprise users, such as key financial information and personal privacy.
At present, public cloud products protect user data mainly through cloud-side encryption, but the generation, distribution and management of the secret key are still provided by the cloud, so the security of the key rests entirely on trust in the cloud service provider. User concerns about data security are not addressed in practice.
Some users simply adopt client-side encryption. Unless the data is stored as plain binary data, the encrypted data is likely to break the cloud service's application logic completely, such as searching and summary analysis, and the original application is no longer usable. More and more cloud service applications are built on user information, for example statistics, ranking, searching and category management. However, existing data encryption aims to increase the confusion of the information as far as possible in order to protect the plaintext, which obviously runs against the logic of information-based cloud applications.
For example, a cloud application usually checks the email format, and an email that is simply encrypted does not necessarily conform to the standard email format. As another example, if the cloud application is gmail or 163, the user can easily search for all emails whose header contains "chinese sound"; if the user simply encrypts the header for protection, this function is no longer available. Because the encrypted results of "Shanghai Han-zi", "Han-zi company" and "Han-zi" are unrelated to one another, the user cannot use the encrypted "Han-zi" to find the related mail. As a further example, some applications sort names by their initials, and the order after encryption necessarily differs from the original order. This would greatly hinder the popularity of cloud services.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a private data protection method and a gateway system, which can protect the private data of a user and simultaneously do not influence various applications of the user using cloud services.
In order to solve the above problem, the present invention provides a private data protection method, which is executed in a gateway system between a user and a cloud, and the method includes the following steps:
S1: intercepting request data sent by a user to a cloud service application, identifying the requested cloud service application, and determining a data model of the cloud service application;
S2: parsing the request data according to a carrier analysis logic to obtain a data mark structure of the request data, wherein the data mark structure of the request data stores marked data;
S3: querying the private data and the corresponding protection rules in a private data protection rule base according to the identified data model of the cloud service application, and modifying data in the data mark structure of the request data according to the private data and the corresponding protection rules;
S4: reconstructing the request data according to the modified data mark structure, sending the request data to the corresponding cloud service application, and waiting for a response;
S5: receiving response data of the cloud service application;
S6: parsing the response data according to the corresponding carrier analysis logic to obtain a data mark structure of the response data;
S7: processing the data of the data mark structure of the response data according to the corresponding private data and its protection rule so as to restore the corresponding data.
According to one embodiment of the present invention, the private data protection rule base includes a basic database storing the identifier of the corresponding private data and a protection rule base storing the protection rule of the corresponding private data;
in step S3, according to the identified data model of the cloud service application, querying the private data corresponding to the modification requirement in the basic database, querying the protection rule base to determine the protection rule corresponding to the private data, and modifying the correspondingly marked data in the data mark structure of the requested data according to the private data and the protection rule.
According to one embodiment of the invention, the private data protection rule base is user-defined, the private data to be modified is defined by configuring the basic database, and the modification mode of the private data is defined by configuring the protection rule base.
According to one embodiment of the invention, the protection rule is a mapping relationship from private data to encrypted data, and the mapping relationship is reversible or irreversible;
in the step S3, modifying the data to convert the private data into encrypted data according to the mapping relationship;
in step S7, the data is processed such that if the mapping relationship in step S3 is reversible, the encrypted data is converted into private data according to the mapping relationship, and if the mapping relationship in step S3 is irreversible, the conversion process is not performed.
According to one embodiment of the invention, in the protection rule, partial statistical characteristics of data are reserved according to processing characteristics of the cloud service application, so that the cloud service application can perform statistical processing according to the reserved partial statistical characteristics.
According to an embodiment of the present invention, step S1 is preceded by a step S11: analyzing each cloud service application, determining a data model of each cloud service application, and constructing a data model base; the user can modify, add and delete data models in the data model base.
According to one embodiment of the invention, the carrier analysis logic converts the original character string into a tree structure, wherein the labeled data stored in the leaf nodes of the tree structure is the smallest processable data segment in the original character string, and the branches from the root node to the leaf nodes are all complete and gradually decomposed data structures.
According to one embodiment of the invention, the smallest processable data fragment is mapped into a limited classification, the name of which is a label of the data of the leaf node.
According to an embodiment of the present invention, in the step S1, the identified cloud service application is marked; in step S2, the carrier analysis logic corresponding to the tag is searched for according to the tag of the cloud service application to analyze the request data; in step S6, the corresponding tag is determined according to the identified cloud service application, so that the response data is parsed according to the carrier analysis logic of the corresponding tag.
The invention also provides a private data protection gateway system, comprising:
a data interception identification module: intercepting request data sent by a user to a cloud service application, identifying the requested cloud service application, and determining a data model of the cloud service application;
a request analysis module: parsing the request data according to a carrier analysis logic to obtain a data mark structure of the request data, wherein the data mark structure of the request data stores marked data;
a data modification module: querying the private data and the corresponding protection rules in a private data protection rule base according to the identified data model of the cloud service application, and modifying data in the data mark structure of the request data according to the private data and the corresponding protection rules;
a reconstruction sending module: reconstructing the request data according to the modified data mark structure, sending the reconstructed request data to the corresponding cloud service application, and waiting for a response;
a response receiving module: receiving the response data of the cloud service application;
a response analysis module: parsing the response data according to the corresponding carrier analysis logic to obtain a data mark structure of the response data;
a data recovery module: processing the data of the data mark structure of the response data according to the corresponding private data and its protection rule so as to restore the corresponding data.
After the technical scheme is adopted, compared with the prior art, the invention has the following beneficial effects:
compared with schemes that protect data at the cloud, the gateway is deployed on the user side, so the user has absolute control over the data; private data is protected before it enters the public network, and because a suitable protection rule is selected for the private data, the logic of the cloud service application is not broken and the normal operation of the cloud service is ensured;
in the invention, private data can be defined by the user as needed, and the cloud service receives the processed result selected by the user; the cloud service provider or a third party can write the carrier analysis logic for the end user to use, so the user only defines private data in terms of the marks; carrier analysis logic built per cloud service is convenient for the user and provides an extensible platform.
Drawings
Fig. 1 is a flowchart illustrating a private data protection method according to an embodiment of the present invention;
fig. 2 is a schematic workflow diagram of a private data protection method according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.
Referring to fig. 1 and 2, in one embodiment, the private data protection method is performed in the gateway system 2 between the user 1 (user terminal) and the cloud 3; the protection of the embodiment of the present invention is therefore implemented in the gateway system 2, not in the cloud 3. The user 1 sends the request data to the gateway system 2. The gateway system 2 processes the request data to protect the private data in it, and then submits the protected request data to the cloud 3. The cloud service application responds to the request data and returns the response data to the gateway system 2. The gateway system 2 removes the protection from the private data in the response data and returns the unprotected response data to the user. The data flow is a1-a8, in sequence, as shown in fig. 2.
Referring to fig. 1, the private data protection method includes the steps of:
S1: intercepting request data sent by a user to a cloud service application, identifying the requested cloud service application, and determining a data model of the cloud service application;
S2: parsing the request data according to a carrier analysis logic to obtain a data mark structure of the request data, wherein the data mark structure of the request data stores marked data;
S3: querying the private data and the corresponding protection rules in a private data protection rule base according to the identified data model of the cloud service application, and modifying data in the data mark structure of the request data according to the private data and the corresponding protection rules;
S4: reconstructing the request data according to the modified data mark structure, sending the request data to the corresponding cloud service application, and waiting for a response;
S5: receiving response data of the cloud service application;
S6: parsing the response data according to the corresponding carrier analysis logic to obtain a data mark structure of the response data, wherein the data mark structure of the response data corresponds to the data of the data mark structure of the request data;
S7: processing the data of the data mark structure of the response data according to the corresponding private data and its protection rule so as to restore the corresponding data.
The private data protection method according to the embodiment of the present invention is described in more detail below, but should not be construed as being limited thereto.
In step S1, each time the user sends request data to a cloud service application, the gateway system intercepts the request data and identifies the requested cloud service application from characteristics of the request data. A cloud service application is any application program provided by the cloud, and the identification result is a specific cloud service program. For example, GMail is a cloud mail program provided by Google, Baidu cloud disk is a cloud storage service program, QQ is a cloud instant messenger program, and so on. Different applications have different characteristics, so each cloud service application can be identified.
Upon identifying the requested cloud service application, a data model of the cloud service application may be determined. The data model comprises elements such as types, formats, lengths, application logic and the like of data in the cloud service application. The application logic refers to a processing mode of the cloud service application on data. In a subsequent step, the corresponding protection rules are determined from these elements.
Preferably, in a case that the data model of the cloud service application is not determined, step S1 is preceded by step S11: and analyzing each cloud service application, determining a data model of each cloud service application, and constructing a data model library. The analysis of the cloud service application comprises the analysis of the type, format, length, application logic and the like of data of the cloud service application, the analysis result forms a data model, and the data models of the cloud service applications are stored together to form a data model base.
As cloud service applications become richer, many of them also provide data extension functions, such as custom data. In such a case, the prior data model analysis may not yield a complete data model, and the user is then required to supplement the data model definition and add it to the data model base, since the user is the author and provider of the custom data. For example, if the prior analysis only knows that a field is a fixed-length string and the user additionally defines that it is used as a phone number, then the field can be handled in the following steps with the protection rules for the phone number format. Therefore, the user can preferably modify, add or delete data models in the data model base.
Step S2 is executed to parse the request data according to the carrier analysis logic and obtain the data mark structure of the request data, which stores the marked data. The carrier analysis logic corresponds to the data mark structure: whichever data mark structure is required, the request data is parsed with the matching carrier analysis logic, provided that the processable data in the request data can be extracted.
Preferably, the carrier analysis logic converts the original character string into a tree structure; that is, the original character string is the request data, and the carrier analysis logic converts it into a data mark tree. The marked data stored in the leaf nodes of the tree structure are the smallest processable data fragments in the original character string, and each branch from the root node to a leaf node is a complete, progressively decomposed data structure.
Preferably, the smallest processable data fragment is mapped into a limited class, the name of which is a label of the data of the leaf node. The classification can mark data fragments of the same type with the same mark, so that the data protection can be performed by adopting the same protection rule according to the mark.
The carrier analysis logic can translate a raw byte string of any form into a tree structure whose leaves are the smallest processable data fragments and each branch of which is a complete structural representation. For example, suppose the root node is an XML structure and one branch is an XML element whose value is a JSON string. The JSON string can then be parsed further: if the resulting node is a processable data fragment, it becomes a leaf node of the tree structure; otherwise the decomposition continues until processable data is reached. In step S2, the input to the carrier analysis logic is the request data and the output is the data mark tree of the request data.
Of course, the request data may be any structured data. Besides XML, the structure may be JSON, CSV (comma-separated strings), x-www-form-url, a structure defined by the cloud service application, and so on; no particular limitation is imposed.
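The following Python sketch is an added illustration, not part of the patent text, of the carrier analysis logic for the case described above: an XML request in which one element carries a JSON string. The path syntax, `DATA_MODEL`, the sample request and the string-reversal rule (a stand-in for a real protection rule) are all assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed data model for a hypothetical application: leaf path -> label.
DATA_MODEL = {
    "/order/customer/name": "name",
    "/order/payload/contact/phone": "phone",
    "/order/payload/items[0]/note": "free_text",
}

# Constructed request: an XML carrier whose <payload> value is a JSON string.
REQUEST = (
    '<order><customer><name>Alice Chen</name><tier>gold</tier></customer>'
    '<payload>{"contact": {"phone": "13800138000"}, '
    '"items": [{"sku": "A-1", "qty": 2, "note": "leave at door"}]}</payload></order>'
)


def _walk_json(node, path, visit):
    """Decompose JSON until a leaf (smallest processable fragment) is reached."""
    if isinstance(node, dict):
        return {k: _walk_json(v, f"{path}/{k}", visit) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk_json(v, f"{path}[{i}]", visit) for i, v in enumerate(node)]
    return visit(path, node)


def _walk_xml(elem, path, visit):
    """Decompose XML; a childless element's text may itself be a JSON carrier."""
    path = f"{path}/{elem.tag}"
    children = list(elem)
    if children:
        for child in children:
            _walk_xml(child, path, visit)
        return
    text = elem.text or ""
    try:
        embedded = json.loads(text)
    except ValueError:
        embedded = None
    if isinstance(embedded, (dict, list)):
        # The branch continues: parse the nested format, then write it back.
        elem.text = json.dumps(_walk_json(embedded, path, visit))
    else:
        elem.text = visit(path, text)


def transform(xml_text, rule):
    """Parse, apply rule(label, value) to labelled string leaves, rebuild.

    Returns (rebuilt_text, leaves); leaves lists (path, label, value) as found
    before modification. Only leaf content changes, never the structure.
    """
    # For data from an untrusted peer, use a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    leaves = []

    def visit(path, value):
        label = DATA_MODEL.get(path)
        leaves.append((path, label, value))
        if label is None or not isinstance(value, str):
            return value  # unlabelled or non-string leaves pass through
        return rule(label, value)

    _walk_xml(root, "", visit)
    return ET.tostring(root, encoding="unicode"), leaves


def reverse_rule(label, value):
    """Stand-in for a reversible protection rule (this is NOT encryption)."""
    return value[::-1]


if __name__ == "__main__":
    protected, found = transform(REQUEST, reverse_rule)
    for path, label, value in found:
        print(f"{path:32} {label or '-':10} {value!r}")
    print(protected)
    print(transform(protected, reverse_rule)[0] == REQUEST)
```
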
Then, step S3 is executed, the private data in the private data protection rule base and the corresponding protection rule are queried according to the identified data model of the cloud service application, and the data in the data tag structure of the requested data is modified accordingly. The type, format, length, application logic and the like of the data can be determined according to a data model of the cloud service application, so that private data needing to be protected can be determined, and meanwhile, the corresponding most appropriate protection rule is found to protect the corresponding private data in the request data.
For example, suppose analysis of the data model of a certain cloud service application shows that the request data for a specific page includes an identity card number, and that the application logic of the cloud service application is a matching search on the whole identity card number. Based on the analysis of the data type, the protection rule can then process this data fragment with a format-preserving encryption (FPE) algorithm, so that the logic of the cloud service application is not broken. As another example, the request data for a certain cloud service application includes summary description data, and the application logic of the cloud service application is to search for keywords in the summary. According to the analysis of the data model, the protection rule should then segment the request data into words, transform each word by encryption or a similar means, and finally recombine the words before submission. In this way, the most appropriate protection rule is found for the request data according to the analysis of the data models of different cloud service applications, and the cloud service applications remain usable as normal while security is ensured.
Preferably, the private data protection rule base includes a basic database storing the identification of the corresponding private data and a protection rule base storing the protection rule of the corresponding private data. The identification may be, for example, a classification identification. Corresponding private data in the data tag structure can be found according to the identification, and protection processing is performed on the private data according to a corresponding protection rule.
Preferably, the private data protection rule base is user-defined, the private data to be modified is defined by configuring the basic database, and the modification mode of the private data is defined by configuring the protection rule base.
The basic database includes data such as name, address, telephone and identification number, at least one of which exists in the data model of the cloud service application; in other words, the basic database is compiled from the private data found in cloud service applications. The user specifies the protection rule for each item of data to be protected in the basic database, and the rules are stored in the protection rule base, so that when data is selected for protection its protection rule is selected with it. Of course, the basic database and the protection rule base may be extended by the user.
Preferably, in step S3, according to the identified data model of the cloud service application, the private data corresponding to the modification requirement in the basic database is queried, the protection rule base is queried to determine the protection rule corresponding to the private data, and the correspondingly marked data in the data mark structure of the requested data is modified according to the private data and the protection rule.
Preferably, in the protection rule, part of the statistical characteristics of the data is retained according to the processing characteristics of the cloud service application, so that the cloud service application can perform statistical processing on the retained characteristics. For example, if analysis shows that the cloud service application sorts names by their initials, then as long as the protection rule ensures that the result of sorting by initial is the same as before, the other parts of the name can be encrypted and the initial can be simply transformed, so that the normal processing logic of the cloud service application is not disturbed.
Step S4 is then executed: the request data is reconstructed according to the modified data mark structure and sent to the corresponding cloud service application, and a response is awaited. Because only the content of the leaf nodes is modified and the overall data structure is unchanged, the request data can be reconstructed from the data mark structure. The gateway system submits the protected and reconstructed request data to the cloud and waits for the cloud's response.
Next, step S5 is executed, and the gateway system receives response data of the cloud service application. The cloud service application generates response data after performing normal response processing on the request data and returns the response data to the gateway system, and the gateway system enters step S6 after receiving the response data.
Step S6 is then executed: the response data is parsed according to the corresponding carrier analysis logic to obtain a data mark structure of the response data. The request data and the response data generally have the same or a related data structure, so the response data can be parsed with the same carrier analysis logic, in the same way as the request data, to obtain the data mark structure of the response data. Likewise, the leaf nodes of the data mark structure of the response data are the final processable data, which contains the protected private data.
Then, step S7 is executed to process the data of the data tag structure of the response data according to the corresponding private data and the protection rule thereof, so that the corresponding data is restored.
Preferably, the protection rule is a mapping relationship from private data to encrypted data, and the mapping relationship is reversible or irreversible. In the step S3, the modification to the data is to transform the private data into the encrypted data according to the mapping relationship. In step S7, the data is processed such that if the mapping relationship in step S3 is reversible, the encrypted data is converted into private data according to the mapping relationship, and if the mapping relationship in step S3 is irreversible, the conversion process is not performed.
For a reversible rule such as encryption, decryption is performed in step S7. If Ri is an irreversible rule, no change is made in step S7. With an irreversible rule such as deletion, the cloud service application never sees the protected data at all, and the corresponding data in the returned result needs no processing. An irreversible rule may also be a mosaic, and so on. Note also that the user must choose between reversible and irreversible rules according to the characteristics of the application. Some data is private for some clients and needs to be protected, while for other clients it may be public.
In one embodiment, in step S1, the identified cloud service application is marked, shown as Si in fig. 2; in step S2, the carrier analysis logic Pi corresponding to the mark of the cloud service application is looked up and used to parse the request data; in step S6, the corresponding mark Si is determined according to the identified cloud service application, so that the response data is parsed according to the carrier analysis logic Pi of that mark. Since the gateway system is the actual submitter of the request data, it can determine that the identity of the cloud service application is Si.
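The sketch below is an added example, not code from the patent, of a protection rule base that mixes reversible and irreversible rules and keeps the statistical characteristic the cloud application needs (keyword search, ordering by initial). Keyed HMAC tokens with a gateway-side lookup table stand in for the encryption the text mentions; the labels, key and sample values are constructed, and the subject lines reuse the search example from the Background.

```python
import hashlib
import hmac

GATEWAY_KEY = b"constructed-demo-key"  # constructed; stays on the user side
VAULT = {}                             # token -> private value, gateway only


def token(value):
    """Deterministic keyed token; the vault makes the mapping reversible."""
    digest = hmac.new(GATEWAY_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    tok = "t" + digest[:16]
    VAULT[tok] = value
    return tok


def untoken(tok):
    return VAULT.get(tok, tok)  # strings that are not tokens pass through


def protect_words(text):
    """Word segmentation, then one token per word: keyword search still works."""
    return " ".join(token(word) for word in text.split())


def restore_words(text):
    return " ".join(untoken(word) for word in text.split())


def protect_name(name):
    """Keep the initial so ordering by initial is unchanged; hide the rest."""
    return name[:1] + token(name[1:])


def restore_name(value):
    return value[:1] + untoken(value[1:])


def mask_phone(phone):
    """Irreversible 'mosaic': only the last four characters survive."""
    return "*" * max(len(phone) - 4, 0) + phone[-4:]


# Protection rule base: label -> (protect, restore); restore=None is irreversible.
RULES = {
    "subject": (protect_words, restore_words),
    "name": (protect_name, restore_name),
    "phone": (mask_phone, None),
}


def apply_request(leaves):
    """S3: protect every labelled leaf that has a rule; leave the rest alone."""
    return {k: RULES[k][0](v) if k in RULES else v for k, v in leaves.items()}


def apply_response(leaves):
    """S7: invert reversible rules; irreversible ones get no conversion."""
    out = {}
    for label, value in leaves.items():
        restore = RULES.get(label, (None, None))[1]
        out[label] = restore(value) if restore else value
    return out


def cloud_search(stored_subjects, keyword):
    """Stand-in for the cloud application: whole-word match on what it stores."""
    return [s for s in stored_subjects if keyword in s.split()]


def demo():
    subjects = ["Shanghai Han-zi", "Han-zi company", "Han-zi", "Quarterly report"]
    whole_field = [token(s) for s in subjects]     # simple whole-field protection
    per_word = [protect_words(s) for s in subjects]
    hits_whole = cloud_search(whole_field, token("Han-zi"))
    hits_word = cloud_search(per_word, protect_words("Han-zi"))
    return hits_whole, [restore_words(h) for h in hits_word]


if __name__ == "__main__":
    print(demo())
    sent = apply_request({"name": "Alice Chen", "phone": "13800138000", "tier": "gold"})
    print(sent, apply_response(sent))
```

Deterministic per-word tokens let the cloud see which words repeat and how often; that is the partial statistical characteristic the rule retains so that search keeps working.
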
Compared with schemes that protect data in the cloud, the method has the following advantages. The gateway is deployed on the user side, so the user has absolute control over the data. Private data can be protected before it enters the public network, and because a suitable protection rule is selected for it, the logic of the cloud service application is not broken and normal operation of the cloud service is ensured.
In the invention, private data can be defined by the user as needed, and the cloud service receives the processed result chosen by the user. The cloud service provider or a third party can write the carrier analysis logic for end users to use; the user only defines the private data based on the tags, and the cloud-service-specific carrier analysis logic is convenient for the user and provides an extensible platform.
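The request path (steps S2 to S4) and the response path (steps S6 and S7) with one reversible and two irreversible rules, as an added Python example that is not part of the patent text. The JSON carrier, the data model, the label and rule names, the sample request, and the use of keyed tokenization with a gateway-side vault as the reversible mapping (standing in for encryption) are all assumptions made for illustration.

```python
import hashlib, hmac, json, re

GATEWAY_KEY = b"constructed-demo-key"  # assumption: secret that never leaves the gateway
VAULT = {}                             # token -> original value, stored gateway-side only
DROP = object()                        # sentinel: leaf removed by the "delete" rule
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}")

# Hypothetical data model for one cloud application Si: leaf path -> label
DATA_MODEL = {("customer", "name"): "NAME", ("customer", "id_number"): "ID_NUMBER",
              ("note",): "FREE_TEXT"}
# User-defined protection rule base: label -> rule
RULES = {"NAME": "tokenize", "ID_NUMBER": "mask", "FREE_TEXT": "delete"}

def tokenize(value):
    """Reversible mapping: same input gives the same token, so equality matching still works."""
    token = "tok_" + hmac.new(GATEWAY_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
    VAULT[token] = value
    return token

def mask(value):
    """Irreversible mapping (mosaic): keep the last four characters of longer values only."""
    keep = value[-4:] if len(value) > 8 else ""
    return "*" * (len(value) - len(keep)) + keep

def walk(node, path, leaf_fn):  # rebuild the tree, passing every leaf through leaf_fn
    if isinstance(node, dict):
        pairs = ((k, walk(v, path + (k,), leaf_fn)) for k, v in node.items())
        return {k: v for k, v in pairs if v is not DROP}
    if isinstance(node, list):
        items = (walk(v, path, leaf_fn) for v in node)
        return [v for v in items if v is not DROP]
    return leaf_fn(path, node)

def protect_leaf(path, value):
    rule = RULES.get(DATA_MODEL.get(path))
    if rule is None:
        return value                    # not private data: pass through unchanged
    if rule == "delete":
        return DROP
    return tokenize(str(value)) if rule == "tokenize" else mask(str(value))

def restore_leaf(path, value):
    # Tokens may come back embedded in longer strings; masked or deleted data stays as is.
    if not isinstance(value, str):
        return value
    return TOKEN_RE.sub(lambda m: VAULT.get(m.group(0), m.group(0)), value)

def protect_request(raw):               # steps S2 to S4: parse, modify, reconstruct
    return json.dumps(walk(json.loads(raw), (), protect_leaf))
def restore_response(raw):              # steps S6 and S7: parse, restore
    return json.dumps(walk(json.loads(raw), (), restore_leaf))

SAMPLE_REQUEST = ('{"customer": {"name": "Chen Wei", "id_number": "000000199001011234"},'
                  ' "note": "call after 6pm", "amount": 120}')  # constructed sample
```

Because the token is deterministic, the cloud application can still match equal values, which also means it learns when two requests carry the same private value; a random token per request removes that leak at the cost of breaking equality lookups.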
The invention also provides a private data protection gateway system, comprising:
a data interception identification module: intercepting request data of a user to a cloud service application, identifying the requested cloud service application, and determining a data model of the cloud service application;
a request analysis module: analyzing the request data according to a carrier analysis logic to obtain a data mark structure of the request data, wherein the data mark structure of the request data stores marked data;
a data modification module: querying private data and corresponding protection rules in a private data protection rule base according to the identified data model of the cloud service application, and modifying data in the data mark structure of the request data according to the private data and the corresponding protection rules;
a reestablishment sending module: reconstructing the request data according to the modified data mark structure, sending the reconstructed request data to the corresponding cloud service application, and waiting for a response;
a response receiving module: receiving the response data of the cloud service application;
a response analysis module: analyzing the response data according to the corresponding carrier analysis logic to obtain a data mark structure of the response data;
a data recovery module: processing the data of the data mark structure of the response data according to the corresponding private data and the protection rule thereof so as to restore the corresponding data.
For details of the private data protection gateway system of the present invention, reference may be made to the description of the private data protection method in the foregoing embodiments, and details are not described herein again.
Although the present invention has been described with reference to the preferred embodiments, it is not intended to limit the scope of the claims, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the invention.

Claims (9)

1. A private data protection method, performed in a gateway system between a user and a cloud, the method comprising:
S1: intercepting request data of a user for cloud service application, identifying the requested cloud service application, and determining a data model of the cloud service application;
S2: analyzing the request data according to a carrier analysis logic to obtain a data marking structure of the request data, wherein the data marking structure of the request data stores marked data;
the carrier analysis logic converts the request data of the original character string into a tree structure, wherein the marked data stored in the leaf node of the tree structure is the minimum processable data segment in the original character string, and the branches from the root node to the leaf node are all complete and gradually decomposed data structures;
S3: querying private data in a private data protection rule base and corresponding protection rules according to the identified data model of the cloud service application, and modifying data in a data mark structure of the request data according to the private data and the corresponding protection rules;
S4: reconstructing request data according to the modified data mark structure, sending the request data to corresponding cloud service application, and waiting for response;
S5: receiving response data of the cloud service application;
S6: analyzing the response data according to the corresponding carrier analysis logic to obtain a data mark structure of the response data;
S7: processing the data of the data mark structure of the response data according to the corresponding private data and the protection rule thereof so as to restore the corresponding data.
2. The private data protection method according to claim 1, wherein the private data protection rule base includes a basic database storing an identification of the corresponding private data and a protection rule base storing a protection rule of the corresponding private data;
in step S3, according to the identified data model of the cloud service application, querying the private data corresponding to the modification requirement in the basic database, querying the protection rule base to determine the protection rule corresponding to the private data, and modifying the correspondingly marked data in the data mark structure of the requested data according to the private data and the protection rule.
3. The private data protection method of claim 2, wherein the private data protection rule base is user-defined, the private data to be modified is defined by configuring the basic database, and the modification manner of the private data is defined by configuring the protection rule base.
4. The private data protection method according to claim 1, wherein the protection rule is a mapping relationship of private data to encrypted data, the mapping relationship being reversible or irreversible;
in the step S3, modifying the data to convert the private data into encrypted data according to the mapping relationship;
in step S7, the data is processed such that if the mapping relationship in step S3 is reversible, the encrypted data is converted into private data according to the mapping relationship, and if the mapping relationship in step S3 is irreversible, the conversion process is not performed.
5. The private data protection method of claim 1, wherein a portion of statistical properties of the data are retained in the protection rule according to processing characteristics of the cloud service application, such that the cloud service application can perform statistical processing according to the retained portion of statistical properties.
6. The private data protection method of claim 1, wherein the step S1 is preceded by the step S11 of: analyzing each cloud service application, determining a data model of each cloud service application, and constructing a data model base; and the user can modify, add and delete data models in the data model base.
7. The private data protection method of claim 1, wherein the smallest processable data fragment is mapped into a limited classification, the name of the classification being a label of the data of the leaf node.
8. The private data protection method of claim 1, wherein in step S1, the identified cloud service application is tagged; in step S2, the carrier analysis logic corresponding to the tag is looked up according to the tag of the cloud service application to analyze the request data; in step S6, the corresponding tag is determined according to the identified cloud service application, so that the response data is parsed according to the carrier analysis logic of the corresponding tag.
9. A private data protection gateway system, comprising:
a data interception identification module: intercepting request data of a user to a cloud service application, identifying the requested cloud service application, and determining a data model of the cloud service application;
a request analysis module: analyzing the request data according to a carrier analysis logic to obtain a data mark structure of the request data, wherein the data mark structure of the request data stores marked data; the carrier analysis logic converts the request data of the original character string into a tree structure, wherein the marked data stored in the leaf node of the tree structure is the minimum processable data segment in the original character string, and the branches from the root node to the leaf node are all complete and gradually decomposed data structures;
a data modification module: querying private data and corresponding protection rules in a private data protection rule base according to the identified data model of the cloud service application, and modifying data in a data mark structure of the request data according to the private data and the corresponding protection rules;
a reestablishment sending module: reconstructing the request data according to the modified data mark structure, sending the reconstructed request data to the corresponding cloud service application, and waiting for a response;
a response receiving module: receiving the response data of the cloud service application;
a response analysis module: analyzing the response data according to the corresponding carrier analysis logic to obtain a data mark structure of the response data, wherein the data mark structure of the response data corresponds to the data of the data mark structure of the request data;
a data recovery module: processing the data of the data mark structure of the response data according to the corresponding private data and the protection rule thereof so as to restore the corresponding data.
CN201711180128.0A 2017-11-23 2017-11-23 Private data protection method and gateway system Expired - Fee Related CN107979595B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711180128.0A CN107979595B (en) 2017-11-23 2017-11-23 Private data protection method and gateway system

Publications (2)

Publication Number Publication Date
CN107979595A CN107979595A (en) 2018-05-01
CN107979595B true CN107979595B (en) 2020-11-13

Family

ID=62011201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711180128.0A Expired - Fee Related CN107979595B (en) 2017-11-23 2017-11-23 Private data protection method and gateway system

Country Status (1)

Country Link
CN (1) CN107979595B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110210246B (en) * 2019-05-31 2022-01-07 创新先进技术有限公司 Personal data service method and system based on safety calculation
US11120160B2 (en) 2019-05-31 2021-09-14 Advanced New Technologies Co., Ltd. Distributed personal data storage and encrypted personal data service based on secure computation
CN111324905A (en) * 2020-02-17 2020-06-23 平安国际智慧城市科技股份有限公司 Image data labeling method and device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916456A (en) * 2013-01-09 2014-07-09 国际商业机器公司 Transparent Encryption/decryption Gateway For Cloud Storage Services
CN104065651A (en) * 2014-06-09 2014-09-24 上海交通大学 Information flow dependability guarantee mechanism for cloud computation
CN105637523A (en) * 2013-10-16 2016-06-01 思杰系统有限公司 Secure client drive mapping and file storage system for mobile device management type security
CN106101113A (en) * 2016-06-24 2016-11-09 中国科学院计算技术研究所 A kind of cloud computing data security annotation management method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9813414B2 (en) * 2015-11-30 2017-11-07 International Business Machines Corporation Password-based management of encrypted files

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201113