CN107992771A - A kind of data desensitization method and device - Google Patents

A kind of data desensitization method and device Download PDF

Info

Publication number
CN107992771A
CN107992771A CN201711387119.9A CN201711387119A CN107992771A CN 107992771 A CN107992771 A CN 107992771A CN 201711387119 A CN201711387119 A CN 201711387119A CN 107992771 A CN107992771 A CN 107992771A
Authority
CN
China
Prior art keywords
data
target
tns
desensitization
packets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711387119.9A
Other languages
Chinese (zh)
Other versions
CN107992771B (en
Inventor
李林
喻波
王志海
董爱华
安鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd filed Critical Beijing Wondersoft Technology Co Ltd
Priority to CN201711387119.9A priority Critical patent/CN107992771B/en
Publication of CN107992771A publication Critical patent/CN107992771A/en
Application granted granted Critical
Publication of CN107992771B publication Critical patent/CN107992771B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2455Query execution
    • G06F16/24568Data stream processing; Continuous queries

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a kind of data desensitization method and device, this method to include:The data access request of applications client is received, the target data in target oracle database and the action type to target data are determined according to data access request;The target data in target oracle database is operated according to action type, obtains the TNS data flows of target oracle database return;According to the default pack arrangement of TNS data packets, the data portion in the TNS data packets of corresponding data type in TNS data flows and the TNS data packets of data type is determined;Extracted according to default desensitization rule from TNS data flows there are the target TNS data packets of sensitive data in data portion, and desensitization process is carried out to the sensitive data in target TNS data packets according to default desensitization rule, obtain target TNS desensitization data packets;Target TNS data packets in TNS data flows are replaced with into target TNS desensitization data packets, and the TNS data flows after desensitization are back to applications client.The present invention can be to oracle database transmission data carry out desensitization process.

Description

A kind of data desensitization method and device
Technical field
The present invention relates to technical field of data security, more particularly to a kind of data desensitization method and device.
Background technology
The database broker mode of traditional oracle database, is not related to the maintenance work of sensitive data.This gives system Safety cause certain threat, some important data can be directly exposed in face of terminal user, final not up to protect The effect of data.With the development of information technology, data circulation becomes the means and approach of release data bonus and value, sensitive Data lack effective management and control in circulation, in excessive risk state.So sensitive data, which is once revealed, will give financial institution and political affairs The public credibility of the authoritative institutions such as mansion department causes damage, and can more destroy social credit system, so as to influence related industry and society Healthy harmonious development.
The content of the invention
The present invention provides a kind of data desensitization method and device, is acted on behalf of with solving oracle database of the prior art The problem of server can only carry out the data of access not realizing data desensitization for biography.
To solve the above-mentioned problems, according to an aspect of the present invention, should the invention discloses a kind of data desensitization method For the database broker server of oracle database, the described method includes:
The data access request of applications client is received, target oracle database is determined according to the data access request In target data and the action type to the target data;
The target data in the target oracle database is operated according to the action type, obtains institute State the TNS data flows of target oracle database return;
According to the default pack arrangement of TNS data packets, the TNS data packets of corresponding data type in the TNS data flows are determined And the data portion in the TNS data packets of the data type;
Extract in the data portion from the TNS data flows that there are the target of sensitive data according to default desensitization rule TNS data packets, and desensitization process is carried out to the sensitive data in the target TNS data packets according to the default desensitization rule, Obtain target TNS desensitization data packets;
Target TNS data packets in the TNS data flows are replaced with into the target TNS desensitizations data packet, and will desensitization The TNS data flows afterwards are back to the applications client.
According to another aspect of the present invention, the invention also discloses a kind of data desensitization device, applied to Oracle data The database broker server in storehouse, described device include:
Receiving module, for receiving the data access request of applications client, mesh is determined according to the data access request Mark the target data in oracle database and the action type to the target data;
Operation module, for according to the action type to the target data in the target oracle database into Row operation, obtains the TNS data flows that the target oracle database returns;
First determining module, for the default pack arrangement according to TNS data packets, determines to correspond to number in the TNS data flows According to the data portion in the TNS data packets of type and the TNS data packets of the data type;
Desensitize module, exists for being extracted according to default desensitization rule from the TNS data flows in the data portion The target TNS data packets of sensitive data, and according to the default desensitization rule to the sensitive data in the target TNS data packets Desensitization process is carried out, obtains target TNS desensitization data packets;
Replace and return to module, taken off for the target TNS data packets in the TNS data flows to be replaced with the target TNS Quick data packet, and the TNS data flows after desensitization are back to the applications client.
Compared with prior art, the present invention includes advantages below:
The present invention is by the way that desensitization process scheme is erected in the transmitting procedure of TNS data flows, without to applications client And oracle database carries out any system development, it is possible to while the data access to oracle database is realized, Realize the desensitization process to the sensitive data of transmission, reduce the destruction risk to existing system, realize zero to existing system Develop again, comprehensively realize the desensitization of sensitive data.
Brief description of the drawings
Fig. 1 is a kind of step flow chart of data desensitization method embodiment of the present invention;
Fig. 2 is a kind of structure diagram of data desensitization device embodiment of the present invention.
Embodiment
In order to make the foregoing objectives, features and advantages of the present invention clearer and more comprehensible, it is below in conjunction with the accompanying drawings and specific real Applying mode, the present invention is described in further detail.
Reference Fig. 1, shows a kind of step flow chart of data desensitization method embodiment of the present invention, applied to Oracle Wide area information server proxy server, specifically may include steps of:
Step 101, the data access request of applications client is received, target is determined according to the data access request Target data in oracle database and the action type to the target data;
Wherein, the intermediary of the database broker server between applications client and oracle database, application client Data communication between end and oracle database is realized by the database broker server.
In addition, TNS agreements are Oracle server-sides and the agreement of user client communication.The transmission of TNS agreements can use TCP/ IP agreement, transmitted using the ICP/IP protocol, name pipeline and IPC agreements of SSL, wherein, ICP/IP protocol transmission is using bright Text transmission.That is, the request data or returned data between applications client and oracle database are all TNS data The form of bag.
Wherein, database broker server is receiving data access request of the applications client to oracle database Afterwards, wherein, which is also a TNS data packet, and the method for the embodiment of the present invention can analyze the data access The pack arrangement of request, so as to extract the requested parameter of applications client from the data access request (such as to some Which kind of operation is data in some table of oracle database carry out), then can be with according to these database servers The parameter of identification determines that applications client actually wants to which of the database server side Oracle data that request accesses Which of storehouse (that is, target oracle database) data (that is, target data), and which kind of operation is carried out to the target data (i.e. action type, including increase, delete, change, inquire about).
Alternatively, before step 102 is performed, can also include according to the method for the embodiment of the present invention:
The Account Logon information of the applications client is determined according to the data access request;
According to the Account Logon information, and default oracle database or tables of data and answering with access rights With the correspondence of client, determine whether the applications client has the target data in the target oracle database There are access rights;
Wherein, the applications client can also be carried to Oracle data in the data access request that applications client is sent The Account Logon information in storehouse, wherein, the embodiment of the present invention can distribute it to Oracle to different applications clients in advance The access rights of tables of data in database or oracle database, so as to generate above-mentioned correspondence.To distribute Oracle numbers According to being illustrated exemplified by the access rights in storehouse:Such as the method for the embodiment of the present invention using customer end A in advance to being assigned with pair The access rights of oracle database B, i.e. the database account letter of applications client A is assigned with to oracle database B Breath.So in the present embodiment, such as target data belongs in oracle database B, then the method for the embodiment of the present invention is not only Need to carry out login authentication to the Account Logon information of the applications client A in data access request (whether just user name, password Really), after being verified, it is also necessary to be in the account information for judging to correspond to oracle database B in the default correspondence The no Account Logon information there are in the data access request, if it is present illustrating that applications client A has to this The access rights of target data in oracle database B, otherwise, without access rights.
Similarly, for the correspondence of tables of data and the applications client with access rights, then only need to judge that this is right It should be related to whether the tables of data belonging to middle target data is corresponding with the account information of applications client A.
If the applications client does not have access rights to the target data in the target oracle database, count The TNS data packets of denied access request can be directly returned to applications client according to storehouse proxy server.
If the applications client has access rights to the target data in the target oracle database, perform Step 102.
In this way, the embodiment of the present invention is by allocating different applications clients in advance its addressable Oracle data Storehouse, tables of data, it is achieved thereby that access the authorities of the data in oracle database, ensure the data of different safety class by The applications client of different rights accesses, and avoids the danger that significant data is compromised.
Step 102, the target data in the target oracle database is grasped according to the action type Make, obtain the TNS data flows that the target oracle database returns;
Wherein, the parameter in the data access request received due to database broker server is only database generation Reason server can identify, and oracle database and the None- identified parameter, to know which data user desires access to, And which kind of operation is carried out, so, the database broker server of the embodiment of the present invention is also needed to according to the above-mentioned mesh extracted The target data in oracle database and the action type to the target data are marked, can be assembled into oracle database With the required parameter of the data access request of identification, then, by assembled data access request (and the TNS data packets again Form) send to the target oracle database in database server and ask the operating result to target data.Specifically For, then it is according to the parameter in again assembled data access request, according to the operation when asking the operating result Type operates the target data in the target oracle database, so as to obtain the target Oracle The TNS data flows (i.e. operating result) that database returns, wherein, which is based on the TNS numbers on ICP/IP protocol According to.The TNS data flows are made of one or more NTS data packets.
Step 103, according to the default pack arrangement of TNS data packets, corresponding data type in the TNS data flows is determined Data portion in the TNS data packets of TNS data packets and the data type;
Wherein, the default pack arrangement of TNS data packets includes a general packet header and data portion.Wherein, packet header includes Bag verification, the information such as packet length and Packet type.Different types of data packet realizes the data transfer of difference in functionality.And for usual The inquiry operation of meaning generally uses the TNS data packets of Data (data) type, and may when there are mistake or other situations Use other kinds of TNS data packets.
Wherein, table 1 shows the various Packet types of TNS data packets.Specifically, the place of oracle database is typically set up The process of reason connection can be related to Connect, Resend, Accept, the TNS data packets of Refute types, and database has connected Cheng Hou, then generally uses the TNS data packets of Data types when carrying out data interaction;In addition, inquiry error can use Marker classes The TNS data packets of type;Applications client fails (as there is no service ID) to database server request, database server meeting Send the TNS data packets of Refute types;Applications client logs in the data packet that can send Connect types, and database takes Business device can return to the data packet of a REDIRECT type;Applications client then reappears transmission after the completion of reorientation port connection The data packet of Connect types, database server return to the data packet of ACCEPT types, then being capable of normal communication.
Table 1
The structural analysis of data packet in TNS data transmission procedures above, when in oracle database to mesh Mark data are when being operated, the oracle database always feedback operation result in the form of data packet.Wherein, shown in table 1 Go out different types of TNS data packets (14 kinds of data packets), and the pack arrangement of TNS data packets has also illustrated, therefore, the present invention The method of embodiment can travel through TNS data flows according to the above-mentioned pack arrangement of TNS data packets, so that from TNS data The TNS data packets of data type are determined in stream, and determine data portion (wherein, the TNS in the TNS data packets of the data type Data packet includes header part and data portion, only determines data portion here).
Step 104, extracted according to default desensitization rule from the TNS data flows in the data portion and there is sensitive number According to target TNS data packets, and according to it is described it is default desensitization rule the sensitive data in the target TNS data packets is taken off Quick processing, obtains target TNS desensitization data packets;
Wherein, data portion is the place paid close attention in TNS data packets, because it contains all operating results (such as the query result for passing through query statement).But the data portion of each TNS data packets in the TNS data flows is not it All include the sensitive data that the embodiment of the present invention thinks, therefore, in this step, in order to avoid being extracted not from TNS data flows Necessary TNS data packets, here can be according to default desensitization rule, come only extraction data portion includes from the TNS data flows The target TNS data packets for the sensitive data that the embodiment of the present invention thinks.Then, using the default desensitization rule come to the target Sensitive data in TNS data packets in data portion carries out desensitization process, so as to obtain the target TNS desensitization numbers after data desensitization According to bag.
In one embodiment, TNS data flows as described herein are binary data;In addition, what the present invention pre-defined It can include the correspondence of sensitive data and desensitization strategy in default desensitization rule.That is, the side of the embodiment of the present invention Which data defined in desensitization rule are sensitive data to method in advance, and desensitization strategy to every kind of sensitive data.
Wherein, desensitization strategy includes but not limited to:Ortho states, identity card, telephone number, mailbox, postcode, replacement, covering, with Machine is replaced, random covering, length processing, empty with it is out of order etc..
Wherein, ortho states:To sensitive data without any processing, ortho states output;
Identity card:Sensitive data is replaced with a random effective identity card;
Telephone number:Sensitive data is replaced with a random effective telephone number;
Mailbox:Sensitive data is replaced with a random mailbox;
Postcode:One random postcode of sensitive data is replaced;
Replace:Sensitive data is replaced with the character specified, such as the character specified can be asterisk " * ";
Covering:The sensitive data of designated position is replaced with the character specified, such as by the sensitivity of the 2nd~the 5th position Data are substituted for " * " number;
Random replacement:Sensitive data is replaced with the character of one new (the different characters with the sensitive data) at random;
Random covering:By the random word with one new (the different characters with the sensitive data) of the sensitive data of designated position Symbol is replaced;
Length is administered:Sensitive data is intercepted into specified full-length;
Empty:Sensitive data is emptied;
It is out of order:Sensitive data is upset into putting in order for data.
Wherein, the sensitive data described in desensitization strategy is the sensitive data defined in desensitization rule in advance, wherein, it is quick The particular content of sense data can flexibly be set according to the safety requirements of real data, and the present invention does not limit this.Separately Outside, the form of the sensitive data can include but is not limited to character string, Chinese character, numeral, symbol etc..
In the present embodiment, when performing step 104, can be realized by following sub-step:
S11, by the data portion in the TNS data packets of data type described in the TNS data flows from binary data Be converted to text data;
For example, such as operating result only includes a character string " This is a in target oracle database Test ", the corresponding TNS data packets of the character string return to database broker server in a manner of binary data.Wherein, " This is a test ", such data in TNS transmitting procedures can be transmitted with such binary form " 14, 116,104,105,115,32,105,115,32,97,32,116,101,115,116 " (it should be noted that TNS data packets Header part not only includes packet length, further includes the information such as bag verification and Packet type, and in shown here binary data, Since the bag verification of header part, Packet type are unrelated with the position of definite sensitive data, shown here binary data Not shown in other guide in header part), by the pack arrangements of above-described TNS data packets it was determined that this two into Digital " 14 " are represented in ensuing TNS data flows in data processed, have 14 be TNS data packets data portion, that is to say, that " 116,104,105,115,32,105,115,32,97,32,116,101,115,116 " this burst of data stream is then TNS data The data portion of a TNS data packet in stream.And due to the form of the sensitive data defined in default desensitization rule be not two into The data of system, therefore, need exist for by the data portion in the TNS data packets of all data types in TNS data flows from two into Data processed are converted to text data (wherein, text data include but not limited to character string, Chinese character, numeral, symbol etc.).
Here, i.e., by binary data " 116,104,105,115,32,105,115,32,97,32,116,101,115, 116 " are converted to character string " This is a test ".
Wherein, this step can be by the data portion of the TNS data packets of all data types in TNS data flows from binary number According to being converted to text data, and it is not restricted to above-mentioned character string " This is a test ".
The purpose of this step is each TNS data packets being converted to text data, consequently facilitating sub-step S12 comes to text Sensitive data in notebook data is searched, so that it is determined that needing to which TNS data packet (target TNS data packets i.e. hereafter) Carry out desensitization process.
S12, determines to include the target text data of the sensitive data in the default desensitization rule, and determines the mesh Mark the corresponding target TNS data packets of text data;
Wherein it is possible to according to the default sensitive data to desensitize defined in rule come the text to each TNS data packets in S11 Notebook data carries out the lookup of predefined sensitive data, so as to be found from TNS data flows comprising predefined sensitive data Target text data, and determine the TNS data flows in the corresponding TNS data packets of the target text data.
So this step is assured that in TNS data flows which TNS data packet includes sensitive data, and the sensitivity number According to corresponding text data.
S13, according to the corresponding desensitization strategy of sensitive data in the default desensitization rule, in the target text data Sensitive data carry out desensitization process, obtain target desensitization data;
Such as predefined sensitive data includes " This is a test ", also, the corresponding desensitization of the sensitive data Strategy is by " This is a test " replace with " welcome to Oracle ".The method of so embodiment of the present invention just needs Will " This is a test " desensitizations be into " welcome to Oracle " to some target text data.And for other bags Target text data containing sensitive data, then carry out desensitization process, so as to obtain each mesh also according to the default desensitization rule Mark the target desensitization data (and form of textual data) after the corresponding desensitization of text data.
It should be noted that in other embodiments, if target text data for " This is a test, Not only include sensitive data in thanks ", i.e. target text data, further include nonsensitive data, then to the target After sensitive data in text data carries out desensitization process, obtain target desensitization data be then " welcome to Oracl, Thanks ", that is to say, that desensitization process is without any processing to nonsensitive data, continues to retain.
Target desensitization data are converted to binary data by S14;
And the target desensitization data of each target TNS data packets due to being obtained after desensitization carry out Binary Conversion.
Here it is possible to target desensitization data " the welcome to by the character string forms of some target TNS data packets Oracle " be converted to binary data " 119,101,108,99,111,109,101,32,116,111,32,79,114,97, 99,108,101”。
S15, according to the pack arrangement of the target TNS data packets, the binary data of target desensitization data is assembled Into target TNS desensitization data packets.
Wherein, the pack arrangement of each target TNS data packets is as described above including header part and data portion, wherein, Header part includes packet length again, and the desensitization data " binary data that welcome to Oracle " are converted into " 119, 101,108,99,111,109,101,32,116,111,32,79,114,97,99,108,101 " data length is 17, because This, when re-assemblying TNS data packets (that is, target TNS desensitize data packet) to desensitization data, it is necessary to be converted to above-mentioned It is additional " 17 " before binary data so that TNS data packets after the desensitization after re-assemblying for " 17,119,101,108,99, 111,109,101,32,116,111,32,79,114,97,99,108,101 " (it should be noted that the packet header of TNS data packets Part not only includes packet length, further includes the information such as bag verification and Packet type, and in shown here binary data, due to The bag verification of header part, Packet type are unrelated with sensitive data, therefore, packet header not shown in shown here binary data Other guide in point).
And then equally operated as above for others target TNS data packets, which is not described herein again.
In this way, the embodiment of the present invention by by the data portion of the TNS data packets of data type in TNS data flows from two into Data processed are converted to text data, and determine that there are the target text of sensitive data in text data according to default desensitization rule Data, and then determine the target TNS data packets of corresponding target text data, then, according to the default desensitization rule come to target Text data carries out desensitization process, so as to obtain target desensitization data, then, further according to TNS data packets pack arrangement by mesh Mark desensitization data are reassembled into data and complete the TNS data packets after desensitization, and sensitive number can be completed in data transmission procedure According to desensitization, have no effect on the quick transmission of data, avoid the desensitization process institute band that data are carried out from oracle database side The destruction problem to existing system come, it is possible to achieve develop to the zero of existing system, comprehensively realize to current transmission again Sensitive data desensitization, not only save the safety that cost also assures that sensitive data.
Wherein, in one embodiment, when performing sub-step S15, can realize in the following way:
Calculate the target data length of the binary data of the target desensitization data;
According to the pack arrangement of the target TNS data packets, the data length in the target TNS data packets is arranged to institute Target data length is stated, the data binary data of target desensitization data being arranged in the target TNS data packets Part, obtains target TNS desensitization data packets.
Wherein, it is as described above, such as desensitization data " binary system that welcome to Oracle " are converted into can be calculated The data length of data is 17, then according to the default pack arrangement of TNS data packets come by the desensitization data " welcome to Data length in the corresponding target TNS data packets of Oracle " is arranged to 17, and incite somebody to action " 119,101,108,99,111,109, 101,32,116,111,32,79,114,97,99,108,101 " are arranged to the data portion of target TNS data packets, so that To target TNS desensitization data packet " 17,119,101,108,99,111,109,101,32,116,111,32,79,114,97,99, 108,101 ", it should be noted that the header part of TNS data packets not merely includes packet length, further include Packet type (such as The Packet type numerical value that Data types are corresponded in table 1 is " 6 ") etc., and each putting in order for data is known technology in packet header, Which is not described herein again, is also not shown, but does not influence protection scope of the present invention.
In this way, the embodiment of the present invention can carry out TNS data packets according to the pack arrangement of TNS data packets to desensitization data Re-assembly, consequently facilitating transmission of the TNS data packets in TNS data flows after desensitization.
Step 105, the target TNS data packets in the TNS data flows are replaced with into the target TNS desensitizations data packet, And the TNS data flows after desensitization are back to the applications client.
Wherein, in one embodiment, when performing step 105, can be accomplished by the following way:
Determine the position of the target TNS data packets in the TNS data flows;
Wherein, have been presented for determining the step of target TNS data packets in the step of above-described embodiment from TNS data flows Suddenly, therefore, it can determine that each the target TNS data packets comprising sensitive data exist in the TNS data flows by means of the step Specific location in TNS data flows.
Target TNS desensitizations data packet is inserted into the position in the TNS data flows, and by the position The target TNS data packets are deleted;
Wherein, since the header part of TNS data packets carries the information such as data length, it can be directly targeted to The positioning of each target NTS data packets in TNS data flows, so that the target TNS data packets not desensitized are deleted, and in the position Place replaces with the target TNS data packets after desensitization, i.e. target TNS desensitization data packets.
It should be noted that can include in the TNS data flows of the corresponding return of same data access request one or Multiple target TNS data packets, therefore, when the TNS not desensitized data packets to be replaced with to the TNS data packets of desensitization, be still by It is replaced according to original position, the position without TNS data packets 1 replaces with the TNS after the desensitization of TNS data packets 2 The problem of data packet.
By the TNS queues packets in the TNS data flows after the target TNS data packets in the target After TNS desensitization data packets.
Wherein, due to the data portion before the data length of the data portion after desensitization and desensitization data length and differ It is fixed consistent, such as " data length of the corresponding binary data of This is a test " is for data portion before above-mentioned desensitization 14, and obtained after desensitizing " data length of the corresponding binary data of welcome to Oracle " is then 17, therefore, " when the binary data of the corresponding TNS data packets of welcome to Oracle " is inserted into TNS data flows, being originally located at should " binary data after the TNS data packets of This is a test " will be moved rearwards 3, after causing desensitization " binary data of the corresponding TNS data packets of welcome to Oracle " can be completely inserted into TNS data flows.Pin It is to the inserted mode of the target TNS desensitization data packets of other target TNS data packets in the TNS data flows, then similar The example above, which is not described herein again.
So far, the work of data desensitization is completed, and the complete TNS data flows after desensitization are returned to applications client.It is logical After crossing such processing, in applications client, the operating result of the return that user sees no longer be " This is a test ", and Be desensitization after " welcome to Oracle ", realize to applications client, oracle database zero exploitation under conditions of Complete the desensitization to sensitive data.
By means of the technical solution of the above embodiment of the present invention, the present invention by desensitization process scheme by being erected at TNS numbers According in the transmitting procedure of stream, without carrying out any system development to applications client and oracle database, it is possible in reality While now to the data access of oracle database, realize the desensitization process to the sensitive data of transmission, reduce to existing The destruction risk of system, realizes and is developed again to the zero of existing system, comprehensively realize the desensitization of sensitive data.
It should be noted that for embodiment of the method, in order to be briefly described, therefore it is all expressed as to a series of action group Close, but those skilled in the art should know, the embodiment of the present invention and from the limitation of described sequence of movement, because according to According to the embodiment of the present invention, some steps can use other orders or be carried out at the same time.Secondly, those skilled in the art also should Know, embodiment described in this description belongs to preferred embodiment, and the involved action not necessarily present invention is implemented Necessary to example.
It is corresponding with the method that the embodiments of the present invention are provided, with reference to Fig. 2, show a kind of data desensitization of the present invention The structure diagram of device embodiment, applied to the database broker server of oracle database, can specifically include such as lower die Block:
Receiving module 21, for receiving the data access request of applications client, determines according to the data access request Target data in target oracle database and the action type to the target data;
Operation module 22, for according to the action type to the target data in the target oracle database Operated, obtain the TNS data flows that the target oracle database returns;
First determining module 23, for the default pack arrangement according to TNS data packets, determines corresponding in the TNS data flows Data portion in the TNS data packets of data type and the TNS data packets of the data type;
Desensitize module 24, is deposited for being extracted according to default desensitization rule from the TNS data flows in the data portion In the target TNS data packets of sensitive data, and according to the default desensitization rule to the sensitive number in the target TNS data packets According to desensitization process is carried out, target TNS desensitization data packets are obtained;
Replace and return to module 25, for the target TNS data packets in the TNS data flows to be replaced with the target TNS Desensitize data packet, and the TNS data flows after desensitization are back to the applications client.
Alternatively, the TNS data flows are binary data, and the default desensitization rule includes sensitive data and desensitization plan Correspondence slightly,
The desensitization module 24 includes:
First transform subblock, for by the data portion in the TNS data packets of data type described in the TNS data flows Divide from binary data and be converted to text data;
First determination sub-module, for the target text number for determining to include the sensitive data in the default desensitization rule According to, and determine the corresponding target TNS data packets of the target text data;
Desensitize submodule, for tactful according to the corresponding desensitization of sensitive data in the default desensitization rule, to the mesh The sensitive data marked in text data carries out desensitization process, obtains target desensitization data;
Second transform subblock, for target desensitization data to be converted to binary data;
Assemble submodule, for the pack arrangement according to the target TNS data packets, by the two of target desensitization data into Data assembling processed into target TNS desensitize data packet.
Alternatively, the assembling submodule includes:
Computing unit, the target data length of the binary data for calculating the target desensitization data;
Setting unit, for the pack arrangement according to the target TNS data packets, by the number in the target TNS data packets The target data length is arranged to according to length, the binary data of target desensitization data is arranged to the target TNS Data portion in data packet, obtains target TNS desensitization data packets.
Alternatively, the return module 25 of replacing includes:
Second determination sub-module, for determining the position of the target TNS data packets in the TNS data flows;
Submodule is inserted into, for institute's rheme target TNS desensitizations data packet being inserted into the TNS data flows Put, and the target TNS data packets of the position are deleted;
Arrange submodule, for by the TNS data flows be located at the target TNS data packets after TNS data packets It is arranged in after the target TNS desensitizations data packet.
Alternatively, described device further includes:
Second determining module, the Account Logon for determining the applications client according to the data access request are believed Breath;
3rd determining module, for according to the Account Logon information, and default oracle database or tables of data With the correspondence of the applications client with access rights, determine the applications client whether to the target Oracle numbers There are access rights according to the target data in storehouse;
Alternatively, the operation module 22 includes:
Submodule is operated, if determining the applications client to the target Oracle numbers for the 3rd determining module There are access rights according to the target data in storehouse, then according to the action type to described in the target oracle database Target data is operated, and obtains the TNS data flows that the target oracle database returns.
For device embodiment, since it is substantially similar to embodiment of the method, so description is fairly simple, it is related Part illustrates referring to the part of embodiment of the method.
Each embodiment in this specification is described by the way of progressive, what each embodiment stressed be with The difference of other embodiment, between each embodiment identical similar part mutually referring to.
It should be understood by those skilled in the art that, the embodiment of the embodiment of the present invention can be provided as method, apparatus or calculate Machine program product.Therefore, the embodiment of the present invention can use complete hardware embodiment, complete software embodiment or combine software and The form of the embodiment of hardware aspect.Moreover, the embodiment of the present invention can use one or more wherein include computer can With in the computer-usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) of program code The form of the computer program product of implementation.
The embodiment of the present invention be with reference to according to the method for the embodiment of the present invention, terminal device (system) and computer program The flowchart and/or the block diagram of product describes.It should be understood that it can realize flowchart and/or the block diagram by computer program instructions In each flow and/or block and flowchart and/or the block diagram in flow and/or square frame combination.These can be provided Computer program instructions are set to all-purpose computer, special purpose computer, Embedded Processor or other programmable data processing terminals Standby processor is to produce a machine so that is held by the processor of computer or other programmable data processing terminal equipments Capable instruction is produced and is used for realization in one flow of flow chart or multiple flows and/or one square frame of block diagram or multiple square frames The device for the function of specifying.
These computer program instructions, which may also be stored in, can guide computer or other programmable data processing terminal equipments In the computer-readable memory to work in a specific way so that the instruction being stored in the computer-readable memory produces bag The manufacture of command device is included, which realizes in one flow of flow chart or multiple flows and/or one side of block diagram The function of being specified in frame or multiple square frames.
These computer program instructions can be also loaded into computer or other programmable data processing terminal equipments so that Series of operation steps is performed on computer or other programmable terminal equipments to produce computer implemented processing, so that The instruction performed on computer or other programmable terminal equipments is provided and is used for realization in one flow of flow chart or multiple flows And/or specified in one square frame of block diagram or multiple square frames function the step of.
Although having been described for the preferred embodiment of the embodiment of the present invention, those skilled in the art once know base This creative concept, then can make these embodiments other change and modification.So appended claims are intended to be construed to Including preferred embodiment and fall into all change and modification of range of embodiment of the invention.
Finally, it is to be noted that, herein, relational terms such as first and second and the like be used merely to by One entity or operation are distinguished with another entity or operation, without necessarily requiring or implying these entities or operation Between there are any actual relationship or order.Moreover, term " comprising ", "comprising" or its any other variant meaning Covering non-exclusive inclusion, so that process, method, article or terminal device including a series of elements are not only wrapped Those key elements are included, but also including other elements that are not explicitly listed, or further include as this process, method, article Or the key element that terminal device is intrinsic.In the absence of more restrictions, wanted by what sentence "including a ..." limited Element, it is not excluded that also there are other identical element in the process including the key element, method, article or terminal device.
Above desensitize a kind of data desensitization method provided by the present invention and a kind of data device, has carried out detailed Jie Continue, specific case used herein is set forth the principle of the present invention and embodiment, and the explanation of above example is only It is the method and its core concept for being used to help understand the present invention;Meanwhile for those of ordinary skill in the art, according to this hair Bright thought, there will be changes in specific embodiments and applications, in conclusion this specification content should not manage Solve as limitation of the present invention.

Claims (10)

1. a kind of data desensitization method, it is characterised in that applied to the database broker server of oracle database, the side Method includes:
The data access request of applications client is received, is determined according to the data access request in target oracle database Target data and the action type to the target data;
The target data in the target oracle database is operated according to the action type, obtains the mesh Mark the TNS data flows that oracle database returns;
According to the default pack arrangement of TNS data packets, determine in the TNS data flows TNS data packets of corresponding data type and Data portion in the TNS data packets of the data type;
Extract in the data portion from the TNS data flows that there are the target TNS of sensitive data according to default desensitization rule Data packet, and desensitization process is carried out to the sensitive data in the target TNS data packets according to the default desensitization rule, obtain Target TNS desensitization data packets;
Target TNS data packets in the TNS data flows are replaced with into the target TNS desensitizations data packet, and by after desensitization The TNS data flows are back to the applications client.
2. according to the method described in claim 1, it is characterized in that, the TNS data flows are binary data, described preset takes off Quick rule includes the correspondence of sensitive data and desensitization strategy,
The basis presets desensitization rule and extracts in the data portion that there are the target of sensitive data from the TNS data flows TNS data packets, and desensitization process is carried out to the sensitive data in the target TNS data packets according to the default desensitization rule, Target TNS desensitization data packets are obtained, including:
Data portion in the TNS data packets of data type described in the TNS data flows is converted into text from binary data Notebook data;
Determine the target text data for including the sensitive data in the default desensitization rule, and determine the target text number According to corresponding target TNS data packets;
According to the corresponding desensitization strategy of sensitive data in the default desensitization rule, to the sensitive number in the target text data According to desensitization process is carried out, target desensitization data are obtained;
Target desensitization data are converted into binary data;
According to the pack arrangement of the target TNS data packets, the binary data of target desensitization data is assembled into target TNS Desensitize data packet.
3. according to the method described in claim 1, it is characterized in that, the pack arrangement according to the target TNS data packets, is incited somebody to action The binary data of the target desensitization data is assembled into target TNS desensitization data packets, including:
Calculate the target data length of the binary data of the target desensitization data;
According to the pack arrangement of the target TNS data packets, the data length in the target TNS data packets is arranged to the mesh Data length is marked, the data portion binary data of target desensitization data being arranged in the target TNS data packets, Obtain target TNS desensitization data packets.
4. the according to the method described in claim 3, it is characterized in that, target TNS data packets by the TNS data flows The target TNS desensitizations data packet is replaced with, including:
Determine the position of the target TNS data packets in the TNS data flows;
Position target TNS desensitizations data packet being inserted into the TNS data flows, and by described in the position Target TNS data packets are deleted;
TNS queues packets in the TNS data flows after the target TNS data packets are taken off in the target TNS After quick data packet.
5. according to the method described in claim 1, it is characterized in that, it is described according to the action type to the target Oracle The target data in database is operated, before obtaining the TNS data flows that the target oracle database returns, institute The method of stating further includes:
The Account Logon information of the applications client is determined according to the data access request;
According to the Account Logon information, and default oracle database or tables of data and the application visitor with access rights The correspondence at family end, determines whether the applications client has the target data in the target oracle database and visits Ask authority;
It is described that the target data in the target oracle database is operated according to the action type, obtain institute The TNS data flows of target oracle database return are stated, including:
If the applications client has access rights to the target data in the target oracle database, according to described Action type operates the target data in the target oracle database, obtains the target Oracle data The TNS data flows that storehouse returns.
The device 6. a kind of data desensitize, it is characterised in that applied to the database broker server of oracle database, the number Include according to desensitization device:
Receiving module, for receiving the data access request of applications client, target is determined according to the data access request Target data in oracle database and the action type to the target data;
Operation module, for being grasped according to the action type to the target data in the target oracle database Make, obtain the TNS data flows that the target oracle database returns;
First determining module, for the default pack arrangement according to TNS data packets, determines corresponding data class in the TNS data flows Data portion in the TNS data packets of type and the TNS data packets of the data type;
Desensitize module, there is sensitivity in the data portion for being extracted according to default desensitization rule from the TNS data flows The target TNS data packets of data, and the sensitive data in the target TNS data packets is carried out according to the default desensitization rule Desensitization process, obtains target TNS desensitization data packets;
Replace and return to module, for the target TNS data packets in the TNS data flows to be replaced with the target TNS desensitizations number The applications client is back to according to bag, and by the TNS data flows after desensitization.
7. device according to claim 6, it is characterised in that the TNS data flows are binary data, described default de- Quick rule includes the correspondence of sensitive data and desensitization strategy,
The desensitization module includes:
First transform subblock, for by the data portion in the TNS data packets of data type described in the TNS data flows from Binary data is converted to text data;
First determination sub-module, for determining the target text data of the sensitive data comprising the default desensitization in regular, with And determine the corresponding target TNS data packets of the target text data;
Desensitize submodule, for tactful according to the corresponding desensitization of sensitive data in the default desensitization rule, to target text Sensitive data in notebook data carries out desensitization process, obtains target desensitization data;
Second transform subblock, for target desensitization data to be converted to binary data;
Submodule is assembled, for the pack arrangement according to the target TNS data packets, by the binary number of target desensitization data According to be assembled into target TNS desensitization data packet.
8. device according to claim 6, it is characterised in that the assembling submodule includes:
Computing unit, the target data length of the binary data for calculating the target desensitization data;
Setting unit, for the pack arrangement according to the target TNS data packets, the data in the target TNS data packets are grown Degree is arranged to the target data length, and the binary data of target desensitization data is arranged to the target TNS data Data portion in bag, obtains target TNS desensitization data packets.
9. device according to claim 8, it is characterised in that the return module of replacing includes:
Second determination sub-module, for determining the position of the target TNS data packets in the TNS data flows;
Submodule is inserted into, for the position being inserted into target TNS desensitizations data packet in the TNS data flows, and The target TNS data packets of the position are deleted;
Arrange submodule, for by the TNS data flows be located at the target TNS data packets after TNS queues packets After the target TNS desensitizes data packet.
10. device according to claim 6, it is characterised in that described device further includes:
Second determining module, for determining the Account Logon information of the applications client according to the data access request;
3rd determining module, for according to the Account Logon information, and default oracle database or tables of data and tool There is the correspondence of the applications client of access rights, determine the applications client whether to the target oracle database In target data there are access rights;
The operation module includes:
Submodule is operated, if determining the applications client to the target oracle database for the 3rd determining module In target data there are access rights, then according to the action type to the target in the target oracle database Data are operated, and obtain the TNS data flows that the target oracle database returns.
CN201711387119.9A 2017-12-20 2017-12-20 A kind of data desensitization method and device Active CN107992771B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711387119.9A CN107992771B (en) 2017-12-20 2017-12-20 A kind of data desensitization method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711387119.9A CN107992771B (en) 2017-12-20 2017-12-20 A kind of data desensitization method and device

Publications (2)

Publication Number Publication Date
CN107992771A true CN107992771A (en) 2018-05-04
CN107992771B CN107992771B (en) 2019-01-22

Family

ID=62038029

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711387119.9A Active CN107992771B (en) 2017-12-20 2017-12-20 A kind of data desensitization method and device

Country Status (1)

Country Link
CN (1) CN107992771B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108776762A (en) * 2018-06-08 2018-11-09 北京中电普华信息技术有限公司 A kind of processing method and processing device of data desensitization
CN109063511A (en) * 2018-08-16 2018-12-21 深圳云安宝科技有限公司 Data access control method, device, proxy server and medium based on Web API
CN110472434A (en) * 2019-07-12 2019-11-19 北京字节跳动网络技术有限公司 Data desensitization method, system, medium and electronic equipment
CN111400762A (en) * 2020-03-18 2020-07-10 上海凯馨信息科技有限公司 Dynamic desensitization method for oracle database
CN113032388A (en) * 2019-12-25 2021-06-25 航天信息股份有限公司 Information processing method, related device, equipment and storage medium
CN113992345A (en) * 2021-09-13 2022-01-28 百度在线网络技术(北京)有限公司 Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium
CN115098877A (en) * 2022-08-25 2022-09-23 北京前沿信安科技股份有限公司 File encryption and decryption method and device, electronic equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722667A (en) * 2012-03-07 2012-10-10 甘肃省电力公司信息通信公司 Database security protection system and method based on virtual databases and virtual patches
CN106548085A (en) * 2015-09-17 2017-03-29 中国移动通信集团甘肃有限公司 A kind of processing method and processing device of data

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722667A (en) * 2012-03-07 2012-10-10 甘肃省电力公司信息通信公司 Database security protection system and method based on virtual databases and virtual patches
CN106548085A (en) * 2015-09-17 2017-03-29 中国移动通信集团甘肃有限公司 A kind of processing method and processing device of data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李敏: "oracle数据库安全加固研究", 《华北电力技术》 *
杨磊: "数据库安全审计检测系统的设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108776762A (en) * 2018-06-08 2018-11-09 北京中电普华信息技术有限公司 A kind of processing method and processing device of data desensitization
CN108776762B (en) * 2018-06-08 2022-01-28 北京中电普华信息技术有限公司 Data desensitization processing method and device
CN109063511A (en) * 2018-08-16 2018-12-21 深圳云安宝科技有限公司 Data access control method, device, proxy server and medium based on Web API
CN110472434A (en) * 2019-07-12 2019-11-19 北京字节跳动网络技术有限公司 Data desensitization method, system, medium and electronic equipment
CN110472434B (en) * 2019-07-12 2021-09-14 北京字节跳动网络技术有限公司 Data desensitization method, system, medium, and electronic device
CN113032388A (en) * 2019-12-25 2021-06-25 航天信息股份有限公司 Information processing method, related device, equipment and storage medium
CN111400762A (en) * 2020-03-18 2020-07-10 上海凯馨信息科技有限公司 Dynamic desensitization method for oracle database
CN113992345A (en) * 2021-09-13 2022-01-28 百度在线网络技术(北京)有限公司 Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium
CN113992345B (en) * 2021-09-13 2024-05-28 百度在线网络技术(北京)有限公司 Webpage sensitive data encryption and decryption method and device, electronic equipment and storage medium
CN115098877A (en) * 2022-08-25 2022-09-23 北京前沿信安科技股份有限公司 File encryption and decryption method and device, electronic equipment and medium

Also Published As

Publication number Publication date
CN107992771B (en) 2019-01-22

Similar Documents

Publication Publication Date Title
CN107992771B (en) A kind of data desensitization method and device
JP6835999B2 (en) Virtual service provider zone
US8341104B2 (en) Method and apparatus for rule-based masking of data
Eassa et al. NoSQL injection attack detection in web applications using RESTful service
CN105007280B (en) A kind of application login method and device
EP2144420B1 (en) Web application security filtering
EP3180885B1 (en) Mapping between user interface fields and protocol information
CN112468520B (en) Data detection method, device and equipment and readable storage medium
US20120260315A1 (en) Firewalls for providing security in http networks and applications
US20050063377A1 (en) System and method for monitoring network traffic
US8356332B2 (en) Extensible protocol validation
US20060272008A1 (en) Method and security system for indentifying and blocking web attacks by enforcing read-only parameters
CN109688105A (en) A kind of threat warning message generation method and system
US10282461B2 (en) Structure-based entity analysis
US8832779B2 (en) Generalized identity mediation and propagation
US10192262B2 (en) System for periodically updating backings for resource requests
US20210200595A1 (en) Autonomous Determination of Characteristic(s) and/or Configuration(s) of a Remote Computing Resource to Inform Operation of an Autonomous System Used to Evaluate Preparedness of an Organization to Attacks or Reconnaissance Effort by Antagonistic Third Parties
CN116324766A (en) Optimizing crawling requests by browsing profiles
US10013237B2 (en) Automated approval
CN107493250A (en) A kind of method that web-page requests are authenticated, client and server
CN113596014A (en) Access vulnerability detection method and device and electronic equipment
US20160171613A1 (en) Backing management
US11438375B2 (en) Method and system for preventing medium access control (MAC) spoofing attacks in a communication network
US11750568B1 (en) Secure proxy service
KR102657163B1 (en) Data management device, data management method and a computer-readable storage medium for storing data management program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant