CN107992771A - A data desensitization method and device - Google Patents
- Publication number
- CN107992771A (CN201711387119.9A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24568—Data stream processing; Continuous queries
Abstract
The present invention provides a data desensitization method and device. The method includes: receiving a data access request from an application client, and determining, according to the data access request, the target data in a target Oracle database and the operation type for the target data; operating on the target data in the target Oracle database according to the operation type, and obtaining the TNS data stream returned by the target Oracle database; determining, according to the preset packet structure of TNS data packets, the TNS data packets of the Data type in the TNS data stream and the data portion in those packets; extracting from the TNS data stream, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and desensitizing the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitized data packets; replacing the target TNS data packets in the TNS data stream with the target TNS desensitized data packets, and returning the desensitized TNS data stream to the application client. The present invention can desensitize the data transmitted by an Oracle database.
Description
Technical field
The present invention relates to the technical field of data security, and in particular to a data desensitization method and device.
Background
The database proxy mode of a traditional Oracle database does not deal with sensitive data. This poses a threat to system security: important data can be exposed directly to end users, so the data is ultimately not protected. With the development of information technology, data circulation has become the means of releasing the dividends and value of data, yet sensitive data lacks effective management and control while in circulation and is in a high-risk state. Once sensitive data is leaked, it damages the public credibility of authoritative institutions such as financial institutions and government departments, and can further undermine the social credit system, affecting the healthy and harmonious development of the related industries and of society.
Summary of the invention
The present invention provides a data desensitization method and device, to solve the problem that an Oracle database proxy server in the prior art can only pass the accessed data through and cannot desensitize it.
To solve the above problem, according to one aspect of the present invention, a data desensitization method is disclosed, applied to the database proxy server of an Oracle database. The method includes:
receiving a data access request from an application client, and determining, according to the data access request, the target data in a target Oracle database and the operation type for the target data;
operating on the target data in the target Oracle database according to the operation type, and obtaining the TNS data stream returned by the target Oracle database;
determining, according to the preset packet structure of TNS data packets, the TNS data packets of the Data type in the TNS data stream and the data portion in the TNS data packets of the Data type;
extracting from the TNS data stream, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and desensitizing the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitized data packets;
replacing the target TNS data packets in the TNS data stream with the target TNS desensitized data packets, and returning the desensitized TNS data stream to the application client.
According to another aspect of the present invention, a data desensitization device is also disclosed, applied to the database proxy server of an Oracle database. The device includes:
a receiving module, configured to receive a data access request from an application client and to determine, according to the data access request, the target data in a target Oracle database and the operation type for the target data;
an operation module, configured to operate on the target data in the target Oracle database according to the operation type and to obtain the TNS data stream returned by the target Oracle database;
a first determining module, configured to determine, according to the preset packet structure of TNS data packets, the TNS data packets of the Data type in the TNS data stream and the data portion in the TNS data packets of the Data type;
a desensitization module, configured to extract from the TNS data stream, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and to desensitize the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitized data packets;
a replace-and-return module, configured to replace the target TNS data packets in the TNS data stream with the target TNS desensitized data packets and to return the desensitized TNS data stream to the application client.
Compared with the prior art, the present invention has the following advantages:
The present invention places the desensitization scheme in the transmission path of the TNS data stream, so no system development is required on either the application client or the Oracle database. Data access to the Oracle database and desensitization of the transmitted sensitive data are achieved at the same time. This reduces the risk of damaging the existing system, requires zero redevelopment of the existing system, and desensitizes sensitive data comprehensively.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of an embodiment of the data desensitization method of the present invention;
Fig. 2 is a structural block diagram of an embodiment of the data desensitization device of the present invention.
Detailed description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flow chart of the steps of an embodiment of the data desensitization method of the present invention is shown. The method is applied to the database proxy server of an Oracle database and may include the following steps:
Step 101: receive a data access request from an application client, and determine, according to the data access request, the target data in a target Oracle database and the operation type for the target data.
The database proxy server is an intermediary between the application client and the Oracle database; data communication between the application client and the Oracle database goes through the database proxy server.
TNS is the protocol used for communication between the Oracle server side and the client. TNS can be carried over TCP/IP, over TCP/IP with SSL, over named pipes, or over IPC; transmission over plain TCP/IP is in cleartext. In other words, both the request data and the returned data exchanged between the application client and the Oracle database take the form of TNS data packets.
After the database proxy server receives the application client's data access request to the Oracle database (the request is itself a TNS data packet), the method of this embodiment can analyze the packet structure of the request and extract the parameters requested by the application client (for example, which operation is to be performed on the data in a given table of a given Oracle database). From these parameters, which it can recognize, it determines which data (that is, the target data) in which Oracle database on the database server side (that is, the target Oracle database) the application client actually wants to access, and which operation is to be performed on the target data (that is, the operation type: insert, delete, update or query).
Optionally, before step 102 is performed, the method of this embodiment may further include:
determining the account login information of the application client according to the data access request;
determining, according to the account login information and a preset correspondence between Oracle databases or data tables and the application clients that have access rights to them, whether the application client has access rights to the target data in the target Oracle database.
The data access request sent by the application client may also carry the client's account login information for the Oracle database. This embodiment can assign access rights to Oracle databases, or to data tables in Oracle databases, to different application clients in advance, which produces the correspondence described above. Taking the assignment of access rights to an Oracle database as an example: suppose the method has assigned application client A access rights to Oracle database B in advance, that is, the database account information of application client A has been assigned to Oracle database B. In this embodiment, if the target data belongs to Oracle database B, the method must first perform login verification on the account login information of application client A carried in the data access request (whether the user name and password are correct). After verification passes, it must also check whether the account information recorded for Oracle database B in the preset correspondence contains the account login information from the data access request. If it does, application client A has access rights to the target data in Oracle database B; otherwise it does not.
Similarly, for the correspondence between data tables and the application clients that have access rights to them, it is only necessary to check whether, in the correspondence, the data table to which the target data belongs corresponds to the account information of application client A.
If the application client does not have access rights to the target data in the target Oracle database, the database proxy server can directly return a TNS data packet rejecting the access request to the application client.
If the application client has access rights to the target data in the target Oracle database, step 102 is performed.
In this way, by assigning to each application client in advance the Oracle databases and data tables it may access, this embodiment implements access control over the data in the Oracle database, ensures that data of different security levels is accessed by application clients with different permissions, and avoids the danger of important data being leaked.
Step 102: operate on the target data in the target Oracle database according to the operation type, and obtain the TNS data stream returned by the target Oracle database.
The parameters in the data access request received by the database proxy server can be recognized only by the database proxy server; the Oracle database cannot recognize them and so cannot tell which data the user wants to access or which operation is to be performed. The database proxy server of this embodiment therefore uses the extracted target data and operation type to assemble request parameters that the Oracle database can recognize, and sends the reassembled data access request (again in the form of a TNS data packet) to the target Oracle database on the database server to request the result of the operation on the target data. Specifically, when the operation result is requested, the target data in the target Oracle database is operated on according to the operation type, based on the parameters in the reassembled data access request, and the TNS data stream returned by the target Oracle database (that is, the operation result) is obtained. This TNS data stream is TNS data carried over TCP/IP and consists of one or more TNS data packets.
Step 103: determine, according to the preset packet structure of TNS data packets, the TNS data packets of the Data type in the TNS data stream and the data portion in the TNS data packets of the Data type.
The preset packet structure of a TNS data packet consists of a common packet header and a data portion. The header contains information such as the packet checksum, the packet length and the packet type. Packets of different types carry out data transfer for different functions. A query in the usual sense generally uses TNS data packets of the Data type, while other types of TNS data packets may be used when an error or some other situation occurs.
Table 1 shows the packet types of TNS data packets. Specifically, establishing a connection to an Oracle database generally involves TNS data packets of the Connect, Resend, Accept and Refuse types; once the database connection is complete, data interaction generally uses TNS data packets of the Data type. In addition, a query error uses TNS data packets of the Marker type. If the application client's request to the database server fails (for example, the service ID does not exist), the database server sends a TNS data packet of the Refuse type. When the application client logs in, it sends a packet of the Connect type and the database server returns a packet of the Redirect type; after the application client has completed the connection to the redirected port, it sends a Connect packet again, the database server returns a packet of the Accept type, and normal communication can then take place.
Table 1
As the above analysis of packet structure in TNS data transmission shows, when the target data in the Oracle database is operated on, the Oracle database always returns the operation result in the form of data packets. Table 1 lists the different types of TNS data packets (14 kinds), and the packet structure of TNS data packets has been described above. The method of this embodiment can therefore traverse the TNS data stream according to that packet structure, determine the TNS data packets of the Data type in the stream, and determine the data portion in those packets (a TNS data packet consists of a header part and a data portion; only the data portion is determined here).
Step 104: extract from the TNS data stream, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and desensitize the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitized data packets.
The data portion is the part of a TNS data packet that matters most, because it contains all of the operation results (for example, the result of a query statement). However, not every TNS data packet in the TNS data stream has a data portion that contains what this embodiment regards as sensitive data. To avoid extracting unnecessary TNS data packets from the stream, this step uses the preset desensitization rule to extract only the target TNS data packets whose data portion contains such sensitive data. The preset desensitization rule is then used to desensitize the sensitive data in the data portion of each target TNS data packet, giving the target TNS desensitized data packets.
In one embodiment, the TNS data stream described here is binary data. The preset desensitization rule defined in advance by the present invention can contain a correspondence between sensitive data and desensitization strategies. In other words, the method of this embodiment defines in the desensitization rule, in advance, which data is sensitive and which desensitization strategy applies to each kind of sensitive data.
The desensitization strategies include, but are not limited to: original state, ID card, telephone number, email address, postcode, replace, cover, random replace, random cover, length processing, clear and shuffle.
Original state: the sensitive data is not processed and is output as it is;
ID card: the sensitive data is replaced with a random valid ID card number;
Telephone number: the sensitive data is replaced with a random valid telephone number;
Email address: the sensitive data is replaced with a random email address;
Postcode: the sensitive data is replaced with a random postcode;
Replace: the sensitive data is replaced with a specified character, for example the asterisk "*";
Cover: the sensitive data at specified positions is replaced with a specified character, for example the sensitive data at positions 2 to 5 is replaced with "*";
Random replace: the sensitive data is replaced at random with a new character (a character different from the sensitive data);
Random cover: the sensitive data at specified positions is replaced at random with a new character (a character different from the sensitive data);
Length processing: the sensitive data is truncated to a specified standard length;
Clear: the sensitive data is emptied;
Shuffle: the order of the sensitive data is scrambled.
The sensitive data referred to in the desensitization strategies is the sensitive data defined in advance in the desensitization rule. Its specific content can be set flexibly according to the security requirements of the actual data, and the present invention places no limit on it. The form of the sensitive data can include, but is not limited to, character strings, Chinese characters, digits and symbols.
In this embodiment, step 104 can be carried out through the following sub-steps:
S11: convert the data portion of the TNS data packets of the Data type in the TNS data stream from binary data to text data.
For example, suppose the operation result in the target Oracle database contains only one character string, "This is a test". The TNS data packet for this string is returned to the database proxy server as binary data. In TNS transmission, "This is a test" is sent in the binary form "14,116,104,105,115,32,105,115,32,97,32,116,101,115,116". (Note that the header part of a TNS data packet contains not only the packet length but also information such as the packet checksum and the packet type. Because the checksum and packet type are unrelated to locating the sensitive data, the binary data shown here omits the other contents of the header part.) From the packet structure of TNS data packets described above, the number "14" in this binary data indicates that the next 14 positions of the TNS data stream are the data portion of a TNS data packet; that is, the run "116,104,105,115,32,105,115,32,97,32,116,101,115,116" is the data portion of one TNS data packet in the TNS data stream. Because the sensitive data defined in the preset desensitization rule is not in binary form, the data portion of every TNS data packet of the Data type in the TNS data stream must be converted from binary data to text data (text data includes, but is not limited to, character strings, Chinese characters, digits and symbols).
Here, the binary data "116,104,105,115,32,105,115,32,97,32,116,101,115,116" is converted to the character string "This is a test".
This step converts the data portion of all TNS data packets of the Data type in the TNS data stream from binary data to text data, and is not limited to the string "This is a test" above.
The purpose of this step is to convert each TNS data packet to text data so that sub-step S12 can search the text data for sensitive data and determine which TNS data packets (the target TNS data packets below) need to be desensitized.
S12: determine the target text data that contains sensitive data defined in the preset desensitization rule, and determine the target TNS data packets corresponding to the target text data.
The text data of each TNS data packet obtained in S11 can be searched for the sensitive data defined in the preset desensitization rule. This finds, in the TNS data stream, the target text data that contains predefined sensitive data, and identifies the TNS data packets in the stream that correspond to that target text data.
This step therefore establishes which TNS data packets in the TNS data stream contain sensitive data, and the text data to which that sensitive data belongs.
S13: desensitize the sensitive data in the target text data according to the desensitization strategy that the preset desensitization rule assigns to that sensitive data, and obtain the target desensitized data.
For example, suppose the predefined sensitive data includes "This is a test", and the desensitization strategy for this sensitive data is to replace "This is a test" with "welcome to Oracle". The method of this embodiment then needs to desensitize the "This is a test" in a given target text data into "welcome to Oracle". Other target text data containing sensitive data is likewise desensitized according to the preset desensitization rule, giving the target desensitized data (still in text form) for each target text data.
Note that in other embodiments, if the target text data is "This is a test, thanks", that is, it contains non-sensitive data as well as sensitive data, then after the sensitive data in it has been desensitized the target desensitized data is "welcome to Oracle, thanks". In other words, desensitization does not touch non-sensitive data, which is retained.
S14: convert the target desensitized data to binary data.
The target desensitized data obtained for each target TNS data packet after desensitization is then converted to binary. Here, the target desensitized data of a given target TNS data packet, the character string "welcome to Oracle", can be converted to the binary data "119,101,108,99,111,109,101,32,116,111,32,79,114,97,99,108,101".
S15: assemble the binary data of the target desensitized data into a target TNS desensitized data packet according to the packet structure of the target TNS data packet.
As described above, the packet structure of each target TNS data packet consists of a header part and a data portion, and the header part contains the packet length. The desensitized data "welcome to Oracle" converts to the binary data "119,101,108,99,111,109,101,32,116,111,32,79,114,97,99,108,101", whose data length is 17. When the desensitized data is reassembled into a TNS data packet (that is, the target TNS desensitized data packet), "17" must therefore be placed in front of the converted binary data, so that the reassembled desensitized TNS data packet is "17,119,101,108,99,111,109,101,32,116,111,32,79,114,97,99,108,101". (Note that the header part of a TNS data packet contains not only the packet length but also information such as the packet checksum and the packet type. Because the checksum and packet type are unrelated to the sensitive data, the binary data shown here omits the other contents of the header part.)
The other target TNS data packets are processed in the same way, which is not repeated here.
In this way, this embodiment converts the data portion of the TNS data packets of the Data type in the TNS data stream from binary data to text data, determines according to the preset desensitization rule the target text data that contains sensitive data, and from it the corresponding target TNS data packets. It then desensitizes the target text data according to the preset desensitization rule to obtain the target desensitized data, and reassembles the target desensitized data, according to the packet structure of TNS data packets, into TNS data packets whose data has been desensitized. Sensitive data is thus desensitized during data transmission without affecting the speed of transmission. This avoids the damage to the existing system that desensitizing the data on the Oracle database side would cause, requires zero redevelopment of the existing system, desensitizes the sensitive data currently in transit comprehensively, and both saves cost and keeps the sensitive data secure.
In one embodiment, sub-step S15 can be carried out as follows:
calculate the target data length of the binary data of the target desensitized data;
according to the packet structure of the target TNS data packet, set the data length in the target TNS data packet to the target data length and set the binary data of the target desensitized data as the data portion of the target TNS data packet, obtaining the target TNS desensitized data packet.
As described above, the binary data converted from the desensitized data "welcome to Oracle" can be calculated to have a data length of 17. According to the preset packet structure of TNS data packets, the data length in the target TNS data packet corresponding to the desensitized data "welcome to Oracle" is set to 17, and "119,101,108,99,111,109,101,32,116,111,32,79,114,97,99,108,101" is set as the data portion of the target TNS data packet, giving the target TNS desensitized data packet "17,119,101,108,99,111,109,101,32,116,111,32,79,114,97,99,108,101". Note that the header part of a TNS data packet contains not only the packet length but also the packet type (for example, the packet type value for the Data type in Table 1 is "6") and other fields. The order of the fields in the header is known art; it is not repeated or shown here, and this does not affect the scope of protection of the present invention.
In this way, this embodiment can reassemble the desensitized data into a TNS data packet according to the packet structure of TNS data packets, which makes it possible to transmit the desensitized TNS data packet in the TNS data stream.
Step 105: replace the target TNS data packet in the TNS data flow with the target TNS desensitization data packet, and return the desensitized TNS data flow to the application client.
In one embodiment, step 105 can be carried out as follows:
Determine the position of the target TNS data packet in the TNS data flow;
The steps of the above embodiment already describe how the target TNS data packets are determined from the TNS data flow. That step can therefore be used to determine the specific position in the TNS data flow of each target TNS data packet that contains sensitive data.
Insert the target TNS desensitization data packet at that position in the TNS data flow, and delete the target TNS data packet at that position;
Because the header of a TNS data packet carries information such as the data length, each target TNS data packet can be located directly in the TNS data flow. The target TNS data packet that has not been desensitized is deleted, and the desensitized packet, i.e. the target TNS desensitization data packet, takes its place at that position.
Note that the TNS data flow returned for a single data access request may contain one or more target TNS data packets. When the non-desensitized TNS data packets are replaced with desensitized ones, each replacement is still made at the original position, so the problem of the position of TNS data packet 1 receiving the desensitized version of TNS data packet 2 does not arise.
Arrange the TNS data packets that follow the target TNS data packet in the TNS data flow after the target TNS desensitization data packet.
The data length of the data portion after desensitization is not necessarily the same as the data length before desensitization. In the example above, the binary data corresponding to the pre-desensitization data portion "This is a test" has a data length of 14, while the binary data corresponding to "welcome to Oracle", obtained after desensitization, has a data length of 17. Therefore, when the binary data of the TNS data packet corresponding to "welcome to Oracle" is inserted into the TNS data flow, the binary data originally located after the TNS data packet of "This is a test" is moved back by 3, so that the binary data of the desensitized TNS data packet corresponding to "welcome to Oracle" can be inserted into the TNS data flow in full. The target TNS desensitization data packets of the other target TNS data packets in the TNS data flow are inserted in the same way as in this example, which is not repeated here.
At this point the data desensitization work is complete, and the complete desensitized TNS data flow is returned to the application client. After this processing, the operation result the user sees in the application client is no longer "This is a test" but the desensitized "welcome to Oracle". The sensitive data is thus desensitized with zero development on the application client and the Oracle database.
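The length recalculation and in-place replacement described in step 105, as an added Python example that is not part of the patent. It assumes the simplified layout used in the description, where each packet is a single length value followed by its data bytes (real TNS headers carry further fields such as the packet type); the rule table, function names and sample stream are constructed for illustration.

```python
"""Added illustration: desensitize payloads in a simplified length-prefixed stream."""

# Assumption: one length byte, then that many data bytes, mirroring the
# "17,119,101,..." layout in the description. This is not the real TNS wire format.

# Constructed desensitization rule: sensitive text -> replacement text.
RULES = {"This is a test": "welcome to Oracle"}


def parse_packets(stream: bytes):
    """Split the stream into (offset, payload) pairs, checking every declared length."""
    packets, pos = [], 0
    while pos < len(stream):
        length = stream[pos]
        end = pos + 1 + length
        if end > len(stream):
            raise ValueError(
                f"packet at offset {pos} declares {length} bytes but the stream is truncated"
            )
        packets.append((pos, stream[pos + 1:end]))
        pos = end
    return packets


def desensitize_payload(payload: bytes, rules=RULES) -> bytes:
    """Binary -> text, apply the rules, text -> binary. Non-text payloads pass through."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return payload
    for sensitive, replacement in rules.items():
        text = text.replace(sensitive, replacement)
    return text.encode("ascii")


def assemble(payload: bytes) -> bytes:
    """Recompute the length field for the (possibly longer) payload and prepend it."""
    if len(payload) > 255:
        raise ValueError("payload no longer fits the one-byte length field")
    return bytes([len(payload)]) + payload


def desensitize_stream(stream: bytes, rules=RULES) -> bytes:
    """Rebuild the stream packet by packet so each replacement keeps its original
    position and every later packet is queued after it."""
    out = bytearray()
    for _offset, payload in parse_packets(stream):
        out += assemble(desensitize_payload(payload, rules))
    return bytes(out)


def packet_offsets(stream: bytes):
    """Start offset of every packet, to show how later packets shift."""
    return [offset for offset, _payload in parse_packets(stream)]


if __name__ == "__main__":
    # Constructed sample stream: three packets, the second one is sensitive.
    original = assemble(b"hello") + assemble(b"This is a test") + assemble(b"bye")
    masked = desensitize_stream(original)
    print("offsets before:", packet_offsets(original))
    print("offsets after: ", packet_offsets(masked))
    print("rewritten packet:", list(masked[6:24]))
```

If the length field were left at 14 while the payload grew to 17 bytes, the receiver would split the stream at the wrong boundaries, which is why the length is recomputed before the packet is put back.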
With the technical solution of the above embodiment, the present invention places the desensitization processing in the transmission path of the TNS data flow. Without any system development on the application client or the Oracle database, the sensitive data in transit is desensitized while data access to the Oracle database is carried out. This reduces the risk of damaging the existing system, requires zero redevelopment of the existing system, and achieves comprehensive desensitization of sensitive data.
It should be noted that for embodiment of the method, in order to be briefly described, therefore it is all expressed as to a series of action group
Close, but those skilled in the art should know, the embodiment of the present invention and from the limitation of described sequence of movement, because according to
According to the embodiment of the present invention, some steps can use other orders or be carried out at the same time.Secondly, those skilled in the art also should
Know, embodiment described in this description belongs to preferred embodiment, and the involved action not necessarily present invention is implemented
Necessary to example.
Corresponding to the method provided by the above embodiments of the present invention, Fig. 2 shows a structural block diagram of an embodiment of a data desensitization device of the present invention. The device is applied to a database broker server of an Oracle database and may specifically include the following modules:
Receiving module 21, configured to receive a data access request from an application client and determine, according to the data access request, target data in a target Oracle database and an operation type for the target data;
Operation module 22, configured to operate on the target data in the target Oracle database according to the operation type and obtain the TNS data flow returned by the target Oracle database;
First determining module 23, configured to determine, according to the preset packet structure of TNS data packets, the TNS data packets corresponding to the data type in the TNS data flow and the data portion in the TNS data packets of the data type;
Desensitization module 24, configured to extract from the TNS data flow, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and to desensitize the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitization data packets;
Replace-and-return module 25, configured to replace the target TNS data packets in the TNS data flow with the target TNS desensitization data packets and return the desensitized TNS data flow to the application client.
Optionally, the TNS data flow is binary data, and the preset desensitization rule includes the correspondence between sensitive data and desensitization strategies.
The desensitization module 24 includes:
First conversion submodule, configured to convert the data portion in the TNS data packets of the data type in the TNS data flow from binary data to text data;
First determination submodule, configured to determine the target text data that contains the sensitive data in the preset desensitization rule, and to determine the target TNS data packets corresponding to the target text data;
Desensitization submodule, configured to desensitize the sensitive data in the target text data according to the desensitization strategy corresponding to the sensitive data in the preset desensitization rule, obtaining target desensitization data;
Second conversion submodule, configured to convert the target desensitization data to binary data;
Assembling submodule, configured to assemble the binary data of the target desensitization data into a target TNS desensitization data packet according to the packet structure of the target TNS data packet.
Optionally, the assembling submodule includes:
Computing unit, configured to calculate the target data length of the binary data of the target desensitization data;
Setting unit, configured to set, according to the packet structure of the target TNS data packet, the data length in the target TNS data packet to the target data length and the data portion in the target TNS data packet to the binary data of the target desensitization data, obtaining the target TNS desensitization data packet.
Optionally, the replace-and-return module 25 includes:
Second determination submodule, configured to determine the position of the target TNS data packet in the TNS data flow;
Insertion submodule, configured to insert the target TNS desensitization data packet at that position in the TNS data flow and delete the target TNS data packet at that position;
Arranging submodule, configured to arrange the TNS data packets that follow the target TNS data packet in the TNS data flow after the target TNS desensitization data packet.
Optionally, the device further includes:
Second determining module, configured to determine the account login information of the application client according to the data access request;
Third determining module, configured to determine, according to the account login information and the preset correspondence between Oracle databases or data tables and the application clients that have access rights, whether the application client has access rights to the target data in the target Oracle database;
Optionally, the operation module 22 includes:
Operation submodule, configured to operate on the target data in the target Oracle database according to the operation type and obtain the TNS data flow returned by the target Oracle database, if the third determining module determines that the application client has access rights to the target data in the target Oracle database.
Because the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for related details, refer to the description of the method embodiment.
The embodiments in this specification are described progressively. Each embodiment focuses on its differences from the other embodiments, and for parts that are the same or similar the embodiments may be referred to one another.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a device, or a computer program product. Therefore, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, the terminal device (system), and the computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction means, and the instruction means implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operation steps is performed on the computer or other programmable terminal device to produce computer-implemented processing. The instructions executed on the computer or other programmable terminal device thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, note that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise", and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article, or terminal device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes the element.
The data desensitization method and the data desensitization device provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and the embodiments of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (10)
1. A data desensitization method, characterized in that it is applied to a database broker server of an Oracle database, the method comprising:
receiving a data access request from an application client, and determining, according to the data access request, target data in a target Oracle database and an operation type for the target data;
operating on the target data in the target Oracle database according to the operation type, and obtaining the TNS data flow returned by the target Oracle database;
determining, according to the preset packet structure of TNS data packets, the TNS data packets corresponding to the data type in the TNS data flow and the data portion in the TNS data packets of the data type;
extracting from the TNS data flow, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and desensitizing the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitization data packets;
replacing the target TNS data packets in the TNS data flow with the target TNS desensitization data packets, and returning the desensitized TNS data flow to the application client.
2. The method according to claim 1, characterized in that the TNS data flow is binary data, and the preset desensitization rule includes the correspondence between sensitive data and desensitization strategies,
and in that extracting from the TNS data flow, according to the preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and desensitizing the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitization data packets, comprises:
converting the data portion in the TNS data packets of the data type in the TNS data flow from binary data to text data;
determining the target text data that contains the sensitive data in the preset desensitization rule, and determining the target TNS data packets corresponding to the target text data;
desensitizing the sensitive data in the target text data according to the desensitization strategy corresponding to the sensitive data in the preset desensitization rule, to obtain target desensitization data;
converting the target desensitization data to binary data;
assembling the binary data of the target desensitization data into a target TNS desensitization data packet according to the packet structure of the target TNS data packet.
3. The method according to claim 1, characterized in that assembling the binary data of the target desensitization data into a target TNS desensitization data packet according to the packet structure of the target TNS data packet comprises:
calculating the target data length of the binary data of the target desensitization data;
setting, according to the packet structure of the target TNS data packet, the data length in the target TNS data packet to the target data length and the data portion in the target TNS data packet to the binary data of the target desensitization data, to obtain the target TNS desensitization data packet.
4. The method according to claim 3, characterized in that replacing the target TNS data packets in the TNS data flow with the target TNS desensitization data packets comprises:
determining the position of the target TNS data packet in the TNS data flow;
inserting the target TNS desensitization data packet at that position in the TNS data flow, and deleting the target TNS data packet at that position;
arranging the TNS data packets that follow the target TNS data packet in the TNS data flow after the target TNS desensitization data packet.
5. The method according to claim 1, characterized in that, before operating on the target data in the target Oracle database according to the operation type and obtaining the TNS data flow returned by the target Oracle database, the method further comprises:
determining the account login information of the application client according to the data access request;
determining, according to the account login information and the preset correspondence between Oracle databases or data tables and the application clients that have access rights, whether the application client has access rights to the target data in the target Oracle database;
and in that operating on the target data in the target Oracle database according to the operation type and obtaining the TNS data flow returned by the target Oracle database comprises:
if the application client has access rights to the target data in the target Oracle database, operating on the target data in the target Oracle database according to the operation type and obtaining the TNS data flow returned by the target Oracle database.
6. A data desensitization device, characterized in that it is applied to a database broker server of an Oracle database, the data desensitization device comprising:
a receiving module, configured to receive a data access request from an application client and determine, according to the data access request, target data in a target Oracle database and an operation type for the target data;
an operation module, configured to operate on the target data in the target Oracle database according to the operation type and obtain the TNS data flow returned by the target Oracle database;
a first determining module, configured to determine, according to the preset packet structure of TNS data packets, the TNS data packets corresponding to the data type in the TNS data flow and the data portion in the TNS data packets of the data type;
a desensitization module, configured to extract from the TNS data flow, according to a preset desensitization rule, the target TNS data packets whose data portion contains sensitive data, and to desensitize the sensitive data in the target TNS data packets according to the preset desensitization rule to obtain target TNS desensitization data packets;
a replace-and-return module, configured to replace the target TNS data packets in the TNS data flow with the target TNS desensitization data packets and return the desensitized TNS data flow to the application client.
7. The device according to claim 6, characterized in that the TNS data flow is binary data, and the preset desensitization rule includes the correspondence between sensitive data and desensitization strategies,
the desensitization module comprising:
a first conversion submodule, configured to convert the data portion in the TNS data packets of the data type in the TNS data flow from binary data to text data;
a first determination submodule, configured to determine the target text data that contains the sensitive data in the preset desensitization rule, and to determine the target TNS data packets corresponding to the target text data;
a desensitization submodule, configured to desensitize the sensitive data in the target text data according to the desensitization strategy corresponding to the sensitive data in the preset desensitization rule, obtaining target desensitization data;
a second conversion submodule, configured to convert the target desensitization data to binary data;
an assembling submodule, configured to assemble the binary data of the target desensitization data into a target TNS desensitization data packet according to the packet structure of the target TNS data packet.
8. The device according to claim 6, characterized in that the assembling submodule comprises:
a computing unit, configured to calculate the target data length of the binary data of the target desensitization data;
a setting unit, configured to set, according to the packet structure of the target TNS data packet, the data length in the target TNS data packet to the target data length and the data portion in the target TNS data packet to the binary data of the target desensitization data, obtaining the target TNS desensitization data packet.
9. The device according to claim 8, characterized in that the replace-and-return module comprises:
a second determination submodule, configured to determine the position of the target TNS data packet in the TNS data flow;
an insertion submodule, configured to insert the target TNS desensitization data packet at that position in the TNS data flow and delete the target TNS data packet at that position;
an arranging submodule, configured to arrange the TNS data packets that follow the target TNS data packet in the TNS data flow after the target TNS desensitization data packet.
10. The device according to claim 6, characterized in that the device further comprises:
a second determining module, configured to determine the account login information of the application client according to the data access request;
a third determining module, configured to determine, according to the account login information and the preset correspondence between Oracle databases or data tables and the application clients that have access rights, whether the application client has access rights to the target data in the target Oracle database;
the operation module comprising:
an operation submodule, configured to operate on the target data in the target Oracle database according to the operation type and obtain the TNS data flow returned by the target Oracle database, if the third determining module determines that the application client has access rights to the target data in the target Oracle database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711387119.9A CN107992771B (en) | 2017-12-20 | 2017-12-20 | A kind of data desensitization method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711387119.9A CN107992771B (en) | 2017-12-20 | 2017-12-20 | A kind of data desensitization method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107992771A true CN107992771A (en) | 2018-05-04 |
CN107992771B CN107992771B (en) | 2019-01-22 |
Family
ID=62038029
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711387119.9A Active CN107992771B (en) | 2017-12-20 | 2017-12-20 | A kind of data desensitization method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107992771B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108776762A (en) * | 2018-06-08 | 2018-11-09 | 北京中电普华信息技术有限公司 | A kind of processing method and processing device of data desensitization |
CN109063511A (en) * | 2018-08-16 | 2018-12-21 | 深圳云安宝科技有限公司 | Data access control method, device, proxy server and medium based on Web API |
CN110472434A (en) * | 2019-07-12 | 2019-11-19 | 北京字节跳动网络技术有限公司 | Data desensitization method, system, medium and electronic equipment |
CN111400762A (en) * | 2020-03-18 | 2020-07-10 | 上海凯馨信息科技有限公司 | Dynamic desensitization method for oracle database |
CN113032388A (en) * | 2019-12-25 | 2021-06-25 | 航天信息股份有限公司 | Information processing method, related device, equipment and storage medium |
CN113992345A (en) * | 2021-09-13 | 2022-01-28 | 百度在线网络技术(北京)有限公司 | Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium |
CN115098877A (en) * | 2022-08-25 | 2022-09-23 | 北京前沿信安科技股份有限公司 | File encryption and decryption method and device, electronic equipment and medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102722667A (en) * | 2012-03-07 | 2012-10-10 | 甘肃省电力公司信息通信公司 | Database security protection system and method based on virtual databases and virtual patches |
CN106548085A (en) * | 2015-09-17 | 2017-03-29 | 中国移动通信集团甘肃有限公司 | A kind of processing method and processing device of data |
Non-Patent Citations (2)
Title |
---|
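Li Min: "Research on security hardening of Oracle databases", North China Electric Power Technology * |
Yang Lei: "Design and implementation of a database security audit and detection system", China Master's Theses Full-text Database, Information Science and Technology * |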
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108776762A (en) * | 2018-06-08 | 2018-11-09 | 北京中电普华信息技术有限公司 | A kind of processing method and processing device of data desensitization |
CN108776762B (en) * | 2018-06-08 | 2022-01-28 | 北京中电普华信息技术有限公司 | Data desensitization processing method and device |
CN109063511A (en) * | 2018-08-16 | 2018-12-21 | 深圳云安宝科技有限公司 | Data access control method, device, proxy server and medium based on Web API |
CN110472434A (en) * | 2019-07-12 | 2019-11-19 | 北京字节跳动网络技术有限公司 | Data desensitization method, system, medium and electronic equipment |
CN110472434B (en) * | 2019-07-12 | 2021-09-14 | 北京字节跳动网络技术有限公司 | Data desensitization method, system, medium, and electronic device |
CN113032388A (en) * | 2019-12-25 | 2021-06-25 | 航天信息股份有限公司 | Information processing method, related device, equipment and storage medium |
CN111400762A (en) * | 2020-03-18 | 2020-07-10 | 上海凯馨信息科技有限公司 | Dynamic desensitization method for oracle database |
CN113992345A (en) * | 2021-09-13 | 2022-01-28 | 百度在线网络技术(北京)有限公司 | Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium |
CN113992345B (en) * | 2021-09-13 | 2024-05-28 | 百度在线网络技术(北京)有限公司 | Webpage sensitive data encryption and decryption method and device, electronic equipment and storage medium |
CN115098877A (en) * | 2022-08-25 | 2022-09-23 | 北京前沿信安科技股份有限公司 | File encryption and decryption method and device, electronic equipment and medium |
Also Published As
Publication number | Publication date |
---|---|
CN107992771B (en) | 2019-01-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||