CN108073821B - Data security processing method and device - Google Patents
Data security processing method and device Download PDFInfo
- Publication number
- CN108073821B CN108073821B CN201610987078.6A CN201610987078A CN108073821B CN 108073821 B CN108073821 B CN 108073821B CN 201610987078 A CN201610987078 A CN 201610987078A CN 108073821 B CN108073821 B CN 108073821B
- Authority
- CN
- China
- Prior art keywords
- data
- desensitization
- sensitive
- sensitive data
- failure
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Landscapes
- Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Medical Informatics (AREA)
- Telephonic Communication Services (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention discloses a data security processing method and a device, wherein the method comprises the following steps: receiving a data request sent by a request terminal; analyzing the data request, and determining whether the requested data comprises sensitive data according to a desensitization rule; when the requested data comprises the sensitive data, acquiring a sensitive association rule of the sensitive data; determining whether the sensitive data is at risk of desensitization failure or desensitization weakening according to the sensitive association rule; and when the risk of desensitization failure or desensitization weakening of the sensitive data is determined, executing security defense operation. In the embodiment, defense processing is performed on desensitization failure or desensitization weakening of the sensitive data, information leakage or illegal stealing caused by leakage of the sensitive data due to desensitization failure or desensitization weakening is prevented, and the security of the sensitive information is improved.
Description
Technical Field
The present invention relates to the field of information technologies, and in particular, to a method and an apparatus for processing data safely.
Background
Data security processing is mainly to prevent data from being leaked or illegally acquired, and data needs to be securely processed. Data that requires secure processing may be referred to generally as sensitive data, and secure processing of data may be referred to as desensitization processing. Common desensitization processes can be divided into two types, one is recoverable desensitization process, for example, by encrypting original data, and recovery of data can be achieved by decrypting the original data. In another type, desensitization processing may be referred to as data hiding, e.g., directly fetching portions of data in sensitive data, which may be understood as non-recovery processing.
Even though there are many means for desensitizing the existing sensitive data, the sensitive data are still frequently leaked, so a data security processing method with higher security is provided, which is a problem to be solved urgently to ensure data security in the prior art.
Disclosure of Invention
In view of the above, embodiments of the present invention are directed to a method and an apparatus for processing data security, which at least partially alleviate the data security problem.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
a first aspect of an embodiment of the present invention provides a data security processing method, including:
receiving a data request sent by a request terminal;
analyzing the data request, and determining whether the requested data comprises sensitive data according to a desensitization rule;
when the requested data comprises the sensitive data, acquiring a sensitive association rule of the sensitive data;
determining whether the sensitive data is at risk of desensitization failure or desensitization weakening according to the sensitive association rule;
and when the risk of desensitization failure or desensitization weakening of the sensitive data is determined, executing security defense operation.
Based on the above scheme, the determining whether there is a risk of desensitization failure or desensitization reduction occurring to the sensitive data according to the sensitive association rule includes:
determining whether the requested data comprises predetermined data which cannot be requested simultaneously with the sensitive data according to the sensitive association rule;
when predetermined data that cannot be requested simultaneously with the sensitive data is included in the requested data, it is determined that there is a risk of causing desensitization failure or desensitization reduction of the sensitive data.
Based on the above scheme, the determining whether there is a risk of desensitization failure or desensitization reduction occurring in the sensitive data according to the desensitization rule and the sensitive association rule includes:
acquiring a data request record of the request terminal in first preset time;
determining whether the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data within the first preset time or not according to the data request record;
and when the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data in the first preset time, determining that the sensitive data has the risk of desensitization failure or desensitization weakening.
Based on the above scheme, the method further comprises:
selecting a desensitization rule according to the data characteristics of the sensitive data;
desensitizing the data by using the desensitization rule to form desensitization data;
performing preset processing on the desensitization data and the first data to form a processing result;
and if the processing result shows that the desensitization data are at least partially restored, generating a sensitive association principle of the sensitive data based on the first data.
Based on the above scheme, when it is determined that there is a risk of desensitization failure or desensitization reduction of the sensitive data, performing a security defense operation, including:
and when the desensitization failure or desensitization weakening risk of the sensitive data is determined, intercepting the data request and/or carrying out data security warning processing.
A second aspect of an embodiment of the present invention provides a data security apparatus, including:
the receiving unit is used for receiving a data request sent by a request terminal;
the analysis unit is used for analyzing the data request and determining whether the requested data comprises sensitive data according to a desensitization rule;
the acquiring unit is used for acquiring the sensitive association rule of the sensitive data when the requested data comprises the sensitive data;
a determining unit, configured to determine whether there is a risk of desensitization failure or desensitization reduction occurring in the sensitive data according to the sensitive association rule;
and the execution unit is used for executing security defense operation when the risk of desensitization failure or desensitization weakening of the sensitive data is determined.
Based on the above scheme, the determining unit is configured to determine whether the requested data includes predetermined data that cannot be requested simultaneously with the sensitive data according to the sensitive association rule; when predetermined data that cannot be requested simultaneously with the sensitive data is included in the requested data, it is determined that there is a risk of causing desensitization failure or desensitization reduction of the sensitive data.
Based on the scheme, the determining unit is configured to obtain a data request record of the requesting terminal within a first predetermined time; determining whether the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data within the first preset time or not according to the data request record; and when the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data in the first preset time, determining that the sensitive data has the risk of desensitization failure or desensitization weakening.
Based on the above scheme, the apparatus further comprises:
the selection unit is used for selecting a desensitization rule according to the data characteristics of the sensitive data;
the forming unit is used for desensitizing the data by using the desensitization rule to form desensitization data;
the processing unit is used for carrying out preset processing on the desensitization data and the first data and forming a processing result;
and the generating unit is used for generating a sensitive association principle of the sensitive data based on the first data if the processing result shows that the desensitization data is at least partially restored.
Based on the above scheme, the execution unit is specifically configured to intercept the data request and/or perform data security warning processing when it is determined that there is a risk of desensitization failure or desensitization reduction of the sensitive data.
The data security processing method and device provided by the embodiment of the invention can judge whether desensitization failure or desensitization weakening occurs to the requested sensitive data, and carry out defense processing when risks occur, so that information leakage or illegal stealing caused by sensitive data leakage due to desensitization failure or desensitization weakening is prevented, and the security of sensitive information is improved.
Drawings
Fig. 1 is a schematic flow chart illustrating a data security processing method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of generating a sensitive association rule according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a data security processing apparatus according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a rule training method according to an embodiment of the present invention;
fig. 5 is a schematic flowchart of a process of responding to a data request according to an embodiment of the present invention.
Detailed Description
The technical solution of the present invention is further described in detail with reference to the drawings and the specific embodiments of the specification.
As shown in fig. 1, the present embodiment provides a data security processing method, including:
step S110: receiving a data request sent by a request terminal;
step S120: analyzing the data request, and determining whether the requested data comprises sensitive data according to a desensitization rule;
step S130: when the requested data comprises the sensitive data, acquiring a sensitive association rule of the sensitive data;
step S140: determining whether the sensitive data is at risk of desensitization failure or desensitization weakening according to the sensitive association rule;
step S150: and when the risk of desensitization failure or desensitization weakening of the sensitive data is determined, executing security defense operation.
The data security processing method described in this embodiment may be a data gateway or a data security control server and other security control devices applied to a data processing platform. The safety control device such as the data gateway or the data safety control server is connected with or integrated in a database for storing data.
In this embodiment the data request will pass through the security control device.
After receiving the data request, the security control device parses the data request, for example, whether sensitive data is included in the data request. The sensitive rules may be rules that include specifying which types of data are sensitive data, or determining which characteristics of data are sensitive data. For example, the data requested in the data request includes the identification number of the user a, and obviously, the identification number is sensitive information related to personal property safety of the user. The identification number may be sensitive data specified in the sensitive rule. For another example, the bank card number of the user a, various network payment account numbers, and other information.
In step S120, the data characteristics of the data requested by the requesting terminal are extracted from the data request, and the data characteristics are compared with the sensitive rule to determine whether the data requested by the requesting terminal includes sensitive data.
In step S130, if it is determined that the data requested by the requesting terminal includes sensitive data, in this embodiment, a sensitive association rule corresponding to the sensitive data is obtained. Of course, some sensitive data have a sensitive association rule, and there may be more than one sensitive association rule associated with the sensitive data. Some sensitive data has no sensitive association rules. If the sensitive data has no sensitive association rule, obviously, the risk of desensitization failure or sensitivity weakening of the sensitive data is not considered to exist, so that the data request can be directly responded in the subsequent steps, and the sensitive data is directly sent to the request terminal after being subjected to desensitization processing.
If the sensitive data has the corresponding sensitive association rule, determining whether the sensitive data has the risk of desensitization failure or desensitization weakening by combining the sensitive association rule. In this embodiment, the desensitization failure may be considered that desensitization data formed after desensitization processing of sensitive data is completely restored to the sensitive data itself, or that a phenomenon that the sensitive data is partially leaked or used due to partial restoration is generated.
In step S140, it may be determined whether the requesting terminal has acquired or is about to acquire the sensitive data according to a sensitive association rule, so that the sensitive data may have a desensitization failure or risk of desensitization reduction.
For example, the terminal A simultaneously requests the identity card number and the birthday information of the user B; the identification number is sensitive data; desensitization processing is carried out on the identification number, and desensitization information which represents the birth year, month and day of the user B in the identification number is mainly hidden. In step S140, it is found that desensitization information of the birth year, month and day is hidden and is sent to the requesting terminal together with the birth date information, and when the two pieces of information are pieced together, it is obvious that the identity number of the user B is completely restored, which obviously causes a problem of desensitization failure.
For another example, after desensitization processing is performed on the identification number, formed desensitization data hides information representing the date and month of birth in the identification account number, and also hides the last 4 bits of the identification card, but the desensitization information and the date of birth information are combined to partially restore the identification number, which obviously causes desensitization weakening.
Once desensitization failure or desensitization is reduced, there is clearly a security risk of sensitive data. In order to prevent such a security risk in the present embodiment, when it is determined that there is a risk of desensitization failure or desensitization reduction as described above, a security defense operation is performed in step S150. In this embodiment, the performing of the security defense operation may include alerting the security management device, not responding to the data request, or partially responding to the data request; by performing the security defense operation, data security risks may be removed or probabilities of reducing the data security risks.
In some embodiments, the step S140 may include:
determining whether the requested data comprises predetermined data which cannot be requested simultaneously with the sensitive data according to the sensitive association rule;
when predetermined data that cannot be requested simultaneously with the sensitive data is included in the requested data, it is determined that there is a risk of causing desensitization failure or desensitization reduction of the sensitive data.
The predetermined data may be data that causes desensitization failure or desensitization reduction of desensitization data. For example, by performing data association and/or hashing on the predetermined data and desensitization data, the phenomenon of desensitization data can be at least partially restored, and then the data is considered as the predetermined data which cannot be requested simultaneously with the sensitive data; then the risk of desensitization failure or desensitization reduction is considered to be present at this point.
In some embodiments, the step S140 may include:
acquiring a data request record of the request terminal in first preset time;
determining whether the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data within the first preset time or not according to the data request record;
and when the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data in the first preset time, determining that the sensitive data has the risk of desensitization failure or desensitization weakening.
For example, the requesting terminal continuously requests data from the database for a plurality of times, the data requested this time includes sensitive data, and data desensitization failure or desensitization weakening may be caused by data splicing or associating with some data requested in previous times, and step S150 also needs to be performed, for example, the data request this time is not responded to.
The first predetermined time here may be any one of historical times or a period of historical times before the current time.
In the embodiment, whether the request terminal simultaneously requests the sensitive data and the preset data causing desensitization failure or desensitization weakening can be judged, and whether the data requested by the history time before the current time comprise the preset data can be extended, so that the safety of the data is obviously improved again. Of course, in a specific implementation process, the safety control device may also evaluate data available to the requesting terminal or data already obtained, and if the evaluating requesting terminal has obtained the predetermined data, it may also consider that there is a risk of desensitization failure or desensitization reduction, and need to perform step S150.
The method further comprises the step of pre-generating the sensitive association rule. As shown in fig. 2, the generating a sensitive association includes:
step S101: selecting a desensitization rule according to the data characteristics of the sensitive data;
step S102: desensitizing the data by using the desensitization rule to form desensitization data;
step S103: performing preset processing on the desensitization data and the first data to form a processing result;
step S104: and if the processing result shows that the desensitization data are at least partially restored, generating a sensitive association principle of the sensitive data based on the first data.
In this embodiment, the step S101 may include: and selecting a desensitization rule of the sensitive data according to data characteristics such as the format, the application scene and the application requirement of the sensitive data. In this embodiment, the desensitization rule may not only indicate corresponding sensitive data, but also include a desensitization policy, which may be used to perform desensitization processing on the sensitive data to form desensitization data. The desensitization strategy can comprise various desensitization algorithms for processing data, such as encryption algorithm and hiding algorithm, desensitization modes and the like.
Desensitization data is formed using desensitization rules in step S102. In order to verify the security of the desensitization data, in step S103, a preset process, such as a data hash process and a data association process, is performed on the desensitization data using other data (referred to as first data in this embodiment) to form a processing result. The results of the processing are examined to see if the results of the processing can fully or partially restore desensitized data to the sensitive data. If the desensitization data is the data which threatens desensitization failure or desensitization weakening of the desensitization data, the first data is recorded to generate the sensitive association principle, so that the problem of desensitization failure or desensitization weakening caused by sending the two data to the request terminal together is solved when the data request is filtered.
In some embodiments, the step S150 may include:
and when the desensitization failure or desensitization weakening risk of the sensitive data is determined, intercepting the data request and/or carrying out data security warning processing.
The data request is intercepted in step S150, so that the data request is not responded, and thus, sensitive data is not returned to the requesting terminal, thereby avoiding information leakage of data. In this embodiment, the data security alarm processing is performed, for example, an alarm is performed on the management device, the security problem that sensitive data may be leaked exists in the associated device is notified, the associated device makes a decision whether to release or intercept the data request, or data warning recording processing is performed. In summary, in the embodiment, a corresponding defense operation is performed in response to a data request which easily causes desensitization failure or desensitization weakening of data, so as to improve the security of sensitive data and reduce the possibility that the sensitive data is leaked or illegally stolen.
As shown in fig. 3, the present embodiment provides a data security apparatus, including:
a receiving unit 110, configured to receive a data request sent by a requesting terminal;
an analyzing unit 120, configured to analyze the data request, and determine whether the requested data includes sensitive data according to a desensitization rule;
an obtaining unit 130, configured to obtain a sensitive association rule of the sensitive data when the requested data includes the sensitive data;
a determining unit 140, configured to determine whether there is a risk of desensitization failure or desensitization reduction occurring in the sensitive data according to the sensitive association rule;
an execution unit 150, configured to execute a security defense operation when it is determined that there is a risk of desensitization failure or desensitization reduction resulting in the sensitive data.
The data security device provided by this embodiment may be used to implement any of the foregoing data security processing methods, and the device may be applied to a data gateway, and may also be used in any device connected to a database storing request data.
In this embodiment, the receiving unit 110 may include a communication interface, which may be used to receive a data request. The parsing unit 120, the obtaining unit 130, the determining unit 140 and the executing unit 150 may all correspond to a processor or a processing circuit, and the processor may be a central processing unit CPU, a microprocessor MCU, a digital signal processor DSP, a programmable array PLC or an application processor AP. The processing circuit may be an application specific integrated circuit ASIC. The processor or processing circuit may implement the functions of the above units through execution of the executable codes. The analyzing unit 120, the obtaining unit 130, the determining unit 140 and the executing unit 150 may correspond to the same processor or processing circuit, or may correspond to different processors.
In summary, the apparatus provided in this embodiment performs a defense operation on possible desensitization failure or desensitization reduction of the sensitive data, thereby reducing the problem of low security of desensitization failure or desensitization reduction after performing desensitization processing on the sensitive data.
In some embodiments, the determining unit 140 is configured to determine whether the requested data includes predetermined data that cannot be requested simultaneously with the sensitive data according to the sensitive association rule; when predetermined data that cannot be requested simultaneously with the sensitive data is included in the requested data, it is determined that there is a risk of causing desensitization failure or desensitization reduction of the sensitive data.
In this implementation, the sensitive association rule is utilized to directly determine the risk that desensitization failure or desensitization weakening may occur among multiple data requested in the same data request, and if such a situation exists, the execution unit 150 executes a defense operation, thereby improving the security of the data.
In this embodiment, the determining unit 140 is further configured to obtain a data request record of the requesting terminal in a first predetermined time; determining whether the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data within the first preset time or not according to the data request record; and when the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data in the first preset time, determining that the sensitive data has the risk of desensitization failure or desensitization weakening.
In this embodiment, the determining unit 140 may further record according to a data request, so as to prevent the requesting terminal from issuing a problem that may cause desensitization failure or desensitization weakening by multiple requests, and improve the security of data again.
Furthermore, the apparatus further comprises:
the selection unit is used for selecting a desensitization rule according to the data characteristics of the sensitive data;
the forming unit is used for desensitizing the data by using the desensitization rule to form desensitization data;
the processing unit is used for carrying out preset processing on the desensitization data and the first data and forming a processing result;
and the generating unit is used for generating a sensitive association principle of the sensitive data based on the first data if the processing result shows that the desensitization data is at least partially restored.
The selection unit, the forming unit, the processing unit and the generating unit may all correspond to a processor or a processing circuit in this implementation. The processor or processing circuit is described in detail with reference to the foregoing embodiments, and the sensitive association rule can be generated through data processing to prevent desensitization failure or desensitization reduction problems.
In some embodiments, the execution unit 150 is specifically configured to intercept the data request and/or perform data security warning processing when it is determined that there is a risk of desensitization failure or desensitization reduction of the sensitive data.
In this embodiment, the execution unit 150 may reduce the phenomenon of leakage or illegal theft of the sensitive data by performing operations such as interception or alarm, and thus improve the security of the sensitive data.
One specific example is provided below in connection with any of the embodiments described above.
The present example first proposes a sensitive data protection system; the sensitive number protection system comprises a safety rule base and safety control equipment.
The security rule base may be a relational database or a non-relational database or other storage system. The safety rule base at least comprises two sub rule bases which are a desensitization rule base and a sensitive association rule base respectively.
1) Sensitive data and the corresponding relation of the adopted desensitization rules are stored in a desensitization rule library;
2) in the sensitive association rule base, desensitization association rules which may cause the desensitization rules to be invalid or have weakened effects after associating certain desensitization data with other data according to certain rules and request processing measures (such as alarm or interception) to be adopted by the desensitization association rules are stored.
Secondly, this example also provides a rule training method. The purpose of the rule training is to obtain desensitization rules and sensitive association rules, add the rules into a security rule base in an automatic import or manual addition mode and the like,
as shown in fig. 4, the rule training method includes:
1) the confirming of the sensitive data and the sensitive rule may specifically include: and confirming the sensitive data in the big data platform, selecting a desensitization rule meeting the requirement according to the format, application scene and analysis requirement of the sensitive data, and adding the sensitive data and the desensitization rule adopted by the sensitive data to a desensitization rule base.
2) The method comprises the following steps of data preprocessing, statistical analysis and data mining, and the sensitive association rule is obtained through training, and specifically comprises the following steps: and performing association analysis and data reasoning on the sensitive data of the confirmed desensitization rule and other data in the big data platform through means of statistical analysis, data mining and the like according to the desensitization rule selected by the desensitization rule, and if a certain sensitive association rule exists, so that the desensitization rule is possibly invalid or weakened in a certain scene, adding the sensitive association rule into a sensitive association rule base.
Again, this example also provides a method for anti-desensitization failure or desensitization reduction using the rules in the aforementioned safety rule base. The method can be used for judging whether the requested data relates to sensitive data or sensitive association rules or not by matching the requested data with the rules in the security rule base when a user terminal sends a data request such as query and the like to the big data platform, and if the requested data relates to the sensitive data or the sensitive association rules, alarming or intercepting is carried out.
As shown in fig. 5, the method of anti-desensitization failure or desensitization reduction may include:
the first step is as follows: acquiring a data request, and performing syntax analysis and rule analysis on the request to obtain a data set related to the request and an association rule among requested data;
the second step is that: performing rule filtering may include: and matching the data related to the data request with the rules in the desensitization rule base, and if the sensitive data to be desensitized is related to, performing desensitization treatment by adopting the desensitization rule corresponding to the desensitization rule in the desensitization rule base. And meanwhile, matching the data rule in the request with the rule in the sensitive association rule base, and if the association rule which can cause the failure or weakening of the desensitization rule adopted in the last step exists in the data request, adopting a corresponding processing mode, such as alarming or intercepting, according to the configured request processing measures.
The third step: and sending a security request to the data source, wherein the security request is the data request which is filtered by the rule. For example, data requests remaining after portions of the data requests that may cause sensitive data leakage are filtered based on sensitive rules and sensitive association rules.
The first step, the second step and the third step are all performed by the security control device in the sensitive data protection system, where the security control device may be connected to the security rule base, or a device provided with the security rule base, and may be configured to perform rule filtering and send a secure data request to a data source.
The security rule base and the security control device are arranged in front of the data source in fig. 5 for processing the data request. In a specific implementation process, the security rule base and the security control device may also be integrated with the data source and disposed in the same platform, so that while the data source performs data search, the security control device performs data processing as described in fig. 1 or fig. 5 to perform defense against desensitization failure or desensitization weakening, and if a phenomenon of desensitization failure or desensitization weakening occurs, the data source may be prevented from transmitting defense operations such as sensitive data to the request terminal.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (8)
1. A data security processing method is characterized by comprising the following steps:
receiving a data request sent by a request terminal;
analyzing the data request, and determining whether the requested data comprises sensitive data according to a desensitization rule;
when the requested data comprises the sensitive data, acquiring a sensitive association rule of the sensitive data;
determining whether the sensitive data is at risk of desensitization failure or desensitization weakening according to the sensitive association rule;
when the risk of desensitization failure or desensitization weakening of the sensitive data is determined, executing security defense operation;
generating the sensitive association rule, including:
selecting a desensitization rule according to the data characteristics of the sensitive data;
desensitizing the data by using the desensitization rule to form desensitization data;
performing preset processing on the desensitization data and the first data to form a processing result;
and if the processing result shows that the desensitization data is at least partially restored, generating a sensitive association rule of the sensitive data based on the first data.
2. The method of claim 1,
the determining whether the sensitive data is at risk of desensitization failure or desensitization weakening according to the sensitive association rule comprises:
determining whether the requested data comprises predetermined data which cannot be requested simultaneously with the sensitive data according to the sensitive association rule;
when predetermined data that cannot be requested simultaneously with the sensitive data is included in the requested data, it is determined that there is a risk of causing desensitization failure or desensitization reduction of the sensitive data.
3. The method according to claim 1 or 2,
the determining whether the sensitive data is at risk of desensitization failure or desensitization weakening according to the sensitive association rule comprises:
acquiring a data request record of the request terminal in first preset time;
determining whether the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data within the first preset time or not according to the data request record;
and when the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data in the first preset time, determining that the sensitive data has the risk of desensitization failure or desensitization weakening.
4. The method of claim 1,
when it is determined that there is a risk of desensitization failure or desensitization reduction in the sensitive data, performing security defense operations, including:
and when the desensitization failure or desensitization weakening risk of the sensitive data is determined, intercepting the data request and/or carrying out data security warning processing.
5. A data security apparatus, comprising:
the receiving unit is used for receiving a data request sent by a request terminal;
the analysis unit is used for analyzing the data request and determining whether the requested data comprises sensitive data according to a desensitization rule;
the acquiring unit is used for acquiring the sensitive association rule of the sensitive data when the requested data comprises the sensitive data;
a determining unit, configured to determine whether there is a risk of desensitization failure or desensitization reduction occurring in the sensitive data according to the sensitive association rule;
the execution unit is used for executing security defense operation when the risk of desensitization failure or desensitization weakening of the sensitive data is determined;
the selection unit is used for selecting a desensitization rule according to the data characteristics of the sensitive data;
the forming unit is used for desensitizing the data by using the desensitization rule to form desensitization data;
the processing unit is used for carrying out preset processing on the desensitization data and the first data and forming a processing result;
and the generating unit is used for generating the sensitive association rule of the sensitive data based on the first data if the processing result shows that the desensitization data is at least partially restored.
6. The apparatus of claim 5,
the determining unit is used for determining whether the requested data comprises predetermined data which cannot be requested simultaneously with the sensitive data according to the sensitive association rule; when predetermined data that cannot be requested simultaneously with the sensitive data is included in the requested data, it is determined that there is a risk of causing desensitization failure or desensitization reduction of the sensitive data.
7. The apparatus of claim 5 or 6,
the determining unit is used for acquiring a data request record of the request terminal in a first preset time; determining whether the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data within the first preset time or not according to the data request record; and when the request terminal acquires the preset data which can not be requested simultaneously with the sensitive data in the first preset time, determining that the sensitive data has the risk of desensitization failure or desensitization weakening.
8. The apparatus of claim 5,
the execution unit is specifically configured to intercept the data request and/or perform data security warning processing when it is determined that there is a risk of desensitization failure or desensitization reduction of the sensitive data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610987078.6A CN108073821B (en) | 2016-11-09 | 2016-11-09 | Data security processing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610987078.6A CN108073821B (en) | 2016-11-09 | 2016-11-09 | Data security processing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108073821A CN108073821A (en) | 2018-05-25 |
| CN108073821B true CN108073821B (en) | 2021-08-06 |
Family
ID=62153986
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610987078.6A Active CN108073821B (en) | 2016-11-09 | 2016-11-09 | Data security processing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108073821B (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109308258A (en) * | 2018-08-21 | 2019-02-05 | 中国平安人寿保险股份有限公司 | Building method, device, computer equipment and the storage medium of test data |
| CN109981619A (en) * | 2019-03-13 | 2019-07-05 | 泰康保险集团股份有限公司 | Data capture method, device, medium and electronic equipment |
| CN110046717A (en) * | 2019-03-14 | 2019-07-23 | 南京汽轮电力科技有限公司 | A kind of steam turbine cloud service and Diagnosing System for Oil Pump are health management system arranged |
| CN110188567B (en) * | 2019-05-23 | 2022-12-20 | 复旦大学 | Associated access control method for preventing sensitive data jigsaw |
| CN111737750B (en) * | 2020-06-30 | 2023-12-26 | 绿盟科技集团股份有限公司 | Data processing method and device, electronic equipment and storage medium |
| CN112541193B (en) * | 2020-12-10 | 2024-05-24 | 支付宝(杭州)信息技术有限公司 | Protection method and device for private data |
| CN112749408A (en) * | 2020-12-29 | 2021-05-04 | 拉卡拉支付股份有限公司 | Data acquisition method, data acquisition device, electronic equipment, storage medium and program product |
| CN112948877A (en) * | 2021-03-03 | 2021-06-11 | 北京中安星云软件技术有限公司 | Dynamic database desensitization method and system based on TCP (Transmission control protocol) proxy |
| CN115604019B (en) * | 2022-11-08 | 2023-03-21 | 国家工业信息安全发展研究中心 | Industrial data desensitization detecting system |
Family Cites Families (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9043250B2 (en) * | 2012-01-10 | 2015-05-26 | Telcordia Technologies, Inc. | Privacy-preserving aggregated data mining |
| CN102880837B (en) * | 2012-08-24 | 2016-05-04 | 腾讯科技(深圳)有限公司 | Improve method and the mobile terminal of security of mobile terminal |
| CN103106634A (en) * | 2012-12-26 | 2013-05-15 | 上海合合信息科技发展有限公司 | Method and system for protecting bank card individual information |
| EP3036678A1 (en) * | 2013-08-19 | 2016-06-29 | Thomson Licensing | Method and apparatus for utility-aware privacy preserving mapping in view of collusion and composition |
| CN103488948A (en) * | 2013-09-17 | 2014-01-01 | 北京思特奇信息技术股份有限公司 | Method and device for achieving data security of operation system |
| JP2015108807A (en) * | 2013-10-23 | 2015-06-11 | 株式会社インテック | Data secrecy type statistic processing system, statistic processing result providing server device, and data input device, and program and method for the same |
| CN103745161B (en) * | 2013-12-23 | 2016-08-24 | 东软集团股份有限公司 | Access method of controlling security and device |
| CN103778380A (en) * | 2013-12-31 | 2014-05-07 | 网秦(北京)科技有限公司 | Data desensitization method and device and data anti-desensitization method and device |
| CN105159919A (en) * | 2015-07-24 | 2015-12-16 | 福建师范大学 | Data multi-copy correlation method and system |
| CN105138927B (en) * | 2015-08-12 | 2018-05-01 | 中国联合网络通信集团有限公司 | Private data guard method and device |
| CN105405092A (en) * | 2015-11-26 | 2016-03-16 | 熊桂荣 | Secure digital image propagation method based on reversible watermark and mosaic technology |
| CN105653981B (en) * | 2015-12-31 | 2018-11-30 | 中国电子科技网络信息安全有限公司 | The sensitive data protection system and method for the data circulation and transaction of big data platform |
| CN105678185B (en) * | 2015-12-31 | 2019-10-15 | 深圳市科漫达智能管理科技有限公司 | A kind of data security protection method and intelligent terminal management system |
| CN105912951A (en) * | 2016-04-15 | 2016-08-31 | 北京小米移动软件有限公司 | Data migration method and device |
| CN105955978B (en) * | 2016-04-15 | 2019-07-02 | 宝利九章(北京)数据技术有限公司 | Method and system for leakage prevention |
| CN105975871B (en) * | 2016-05-23 | 2017-10-31 | 陕西师范大学 | A kind of protecting sensitive data method and system |
-
2016
- 2016-11-09 CN CN201610987078.6A patent/CN108073821B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN108073821A (en) | 2018-05-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108073821B (en) | Data security processing method and device | |
| CN110113167B (en) | Information protection method and system of intelligent terminal and readable storage medium | |
| CA2938754C (en) | Document tracking on a distributed ledger | |
| CN108199852A (en) | A kind of method for authenticating, right discriminating system and computer readable storage medium | |
| CN112417391B (en) | Information data security processing method, device, equipment and storage medium | |
| CN104346550B (en) | A kind of information processing method and a kind of electronic equipment | |
| CN112328558B (en) | Access log storage method and system of medical system based on block chain | |
| CN106548342A (en) | A kind of credible equipment determines method and device | |
| CN110598383A (en) | Method and device for removing account permission limitation | |
| CN109684878A (en) | One kind being based on block chain technology privacy information tamper resistant method and system | |
| CN111259382A (en) | Malicious behavior identification method, device and system and storage medium | |
| CN112364318A (en) | Operation and maintenance big data security management method, system, terminal and storage medium | |
| CN111222181B (en) | AI model supervision method, system, server and storage medium | |
| CN106844006A (en) | Based on data prevention method and system under virtualized environment | |
| KR20180054389A (en) | Client device and back-up method based on cloud, recording medium for performing the method | |
| CN114257404B (en) | Abnormal external connection statistical alarm method, device, computer equipment and storage medium | |
| CN110633585B (en) | Hard disk locking and unlocking method, device, equipment and readable storage medium | |
| CN110175475B (en) | Smart card data processing method and device and computer readable storage medium | |
| CN111259387B (en) | Method and device for detecting tampered application | |
| CN113987435A (en) | Illegal copyright detection method and device, electronic equipment and storage medium | |
| CN111143863A (en) | Data processing method, device, equipment and computer readable storage medium | |
| CN103971065A (en) | Method and device used for preventing data tampering | |
| CN117353893B (en) | Network information security verification method and system based on blockchain technology | |
| CN116798153B (en) | Access control authorization opening method and device | |
| CN114095175B (en) | Gray-check-capable data confidentiality method, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |