CN108512807A - Data desensitization method and data desensitization server in data transmission - Google Patents
- Publication number
- CN108512807A
- Application number
- CN201710103860.1A
- Authority
- CN
- China
- Prior art keywords
- data
- request
- desensitization
- downloaded
- sensitive
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
An embodiment of the invention provides a data desensitization method and a data desensitization server in data transmission. The method judges the type of a data transmission request containing sensitive data sent by a user terminal; if the type of the data transmission request is confirmed to be a data download request and the total amount of data to be downloaded corresponding to the data download request is greater than or equal to a first threshold, data desensitization processing is performed on the database query instruction in the data download request; the corresponding data to be downloaded is then obtained from the target database according to the desensitized database query instruction and sent to the corresponding user terminal. The invention uses different desensitization methods according to the amount of sensitive data a user accesses, which improves data processing speed, solves the reversibility problem of sensitive data, solves the problem of system performance consumption when processing large amounts of sensitive data, and effectively ensures the security, integrity and availability of sensitive data in big data.
Description
Technical Field
The invention relates to the technical field of data security management in a big data system, in particular to a data desensitization method and a data desensitization server in data transmission.
Background
With the development of operator services, big data is applied more and more widely and security protection based on big data becomes more and more important, so desensitization protection of data has become a central priority of current security work. Data desensitization processing refers to deforming certain sensitive information through desensitization rules, so that sensitive private data is reliably protected. At present, there are mainly two modes: 'sensitive information data replacement' and 'sensitive information encryption protection'.
The existing data desensitization processing methods have poor reversibility. The two common modes, 'sensitive information data replacement' and 'sensitive information encryption protection', both need to process the stored data (data fuzzification or encryption). They fall short in flexibility and efficiency, cannot meet the security requirement of strengthening data security control while keeping current services running smoothly, and cannot achieve both system efficiency and data security.
Disclosure of Invention
To address the defects in the prior art, the invention provides a data desensitization method and a data desensitization server in data transmission, which adopt different desensitization methods according to the amount of sensitive data accessed by users, improve the data processing speed, solve the reversibility problem of the sensitive data, solve the problem of system performance loss during processing of a large amount of sensitive data, and effectively ensure the security, integrity and availability of the sensitive data in big data.
In order to solve the technical problems, the invention provides the following technical scheme:
In one aspect, the present invention provides a method of data desensitization in data transmission, the method comprising:
judging the type of a data transmission request containing sensitive data sent by a user terminal, wherein the type of the data transmission request comprises a data download request and a data upload request, and the data download request comprises a database query instruction for a target database;
if the type of the data transmission request is determined to be a data download request, and the total amount of data to be downloaded corresponding to the data download request is greater than or equal to a first threshold value, performing data desensitization processing on the database query instruction in the data download request;
and acquiring the corresponding data to be downloaded from the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to the corresponding user terminal.
Further, after the determining the type of the data transmission request containing the sensitive data sent by the user terminal, the method further includes:
if the type of the data transmission request is determined to be a data downloading request and the total amount of data to be downloaded corresponding to the data downloading request is smaller than a first threshold value, acquiring corresponding data to be downloaded in the target database according to a database query instruction in the data downloading request;
carrying out data desensitization processing on the data to be downloaded;
and sending the desensitized data to be downloaded to the corresponding user terminal.
Further, the performing data desensitization processing on the data to be downloaded includes:
comparing the total data amount of the data to be downloaded acquired from the target database with a second threshold value;
and if the total data amount of the data to be downloaded is smaller than a second threshold value, performing data desensitization processing on the data to be downloaded.
Further, the comparing the total amount of the data to be downloaded acquired from the target database with a second threshold value further includes:
if the total data amount of the data to be downloaded is larger than or equal to a second threshold value, performing data desensitization processing on a database query instruction in the data downloading request;
and according to the database query instruction subjected to data desensitization, re-acquiring the corresponding data to be downloaded in the target database, and sending the data to be downloaded to the corresponding user terminal.
Further, the performing data desensitization processing on the database query instruction in the data download request includes:
sending sensitive data prompt information to the user terminal, so that the user terminal chooses to send either a desensitization download instruction or a plaintext download instruction according to the sensitive data prompt information;
and if receiving a desensitization downloading instruction sent by the user terminal, performing data desensitization processing on the database query instruction in the data downloading request.
Further, the method further comprises:
if receiving a plaintext downloading instruction sent by the user terminal, sending a plaintext downloading request to a management terminal of a target database, so that the management terminal of the target database selects whether to send the downloading instruction according to the plaintext downloading request;
and after receiving a downloading instruction sent by a management terminal of the target database, acquiring corresponding data to be downloaded in the target database according to a database query instruction in the data downloading request, and sending the data to be downloaded to a corresponding user terminal.
Further, the determining the type of the data transmission request containing the sensitive data sent by the user terminal further includes:
if the type of the data transmission request is confirmed to be a data uploading request, sensitive data prompt information is sent to the user terminal, so that the user terminal selectively sends a desensitization uploading instruction or a plaintext uploading instruction according to the sensitive data prompt information;
when a desensitization uploading instruction sent by the user terminal is received, performing data desensitization processing on data to be uploaded in the data uploading request, wherein the data uploading request comprises an address of a target database and the data to be uploaded;
and sending the data to be uploaded after data desensitization processing to the target database according to the address of the target database in the data uploading request, and caching the data to be uploaded.
Further, the method further comprises:
when receiving a plaintext uploading instruction sent by the user terminal, sending a plaintext uploading request to a management terminal of a target database, so that the management terminal of the target database selects whether to send the uploading instruction according to the plaintext uploading request;
and after receiving an uploading instruction sent by a management terminal of the target database, sending the data to be uploaded in the data uploading request to the target database.
Further, the determining the type of the data transmission request containing the sensitive data sent by the user terminal includes:
receiving a data transmission request sent by the user terminal, wherein the data transmission request comprises an address of a target database and data to be transmitted;
acquiring a sensitive data list corresponding to the target database, and judging whether the data to be transmitted in the data transmission request comprises sensitive data according to the sensitive data list;
and if the data to be transmitted comprises sensitive data, judging that the data transmission request comprises the sensitive data.
In another aspect, the present invention further provides a data desensitization server, including:
a data transmission request type determining unit, configured to determine the type of a data transmission request that contains sensitive data and is sent by a user terminal, where the type of the data transmission request comprises a data download request and a data upload request, and the data download request comprises a database query instruction for a target database;
the data desensitization processing unit is used for performing data desensitization processing on a database query instruction in the data downloading request when the type of the data transmission request is determined to be a data downloading request and the total amount of data to be downloaded corresponding to the data downloading request is greater than or equal to a first threshold value;
and the data to be downloaded acquiring unit is used for acquiring corresponding data to be downloaded in the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to a corresponding user terminal.
According to the above technical scheme, in the data desensitization method and the data desensitization server in data transmission, the method judges the type of a data transmission request containing sensitive data sent by a user terminal; if the type of the data transmission request is confirmed to be a data download request and the total amount of data to be downloaded corresponding to the data download request is greater than or equal to a first threshold value, data desensitization processing is carried out on the database query instruction in the data download request; the corresponding data to be downloaded is then acquired from the target database according to the database query instruction subjected to data desensitization processing and sent to the corresponding user terminal. The invention adopts different desensitization methods according to the amount of sensitive data the user accesses, improves the data processing speed, solves the reversibility problem of the sensitive data, solves the problem of system performance loss during processing of a large amount of sensitive data, and effectively ensures the security, integrity and availability of the sensitive data in big data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a first specific implementation of a data desensitization method in data transmission according to a first embodiment of the present invention;
Fig. 2 is a schematic flow chart of a second specific implementation of the data desensitization method according to the second embodiment of the present invention;
Fig. 3 is a schematic flow chart of a specific implementation of step 300A of the data desensitization method according to the third embodiment of the present invention;
Fig. 4 is a schematic flow chart of a specific implementation of step 200 of the data desensitization method according to the fourth embodiment of the present invention;
Fig. 5 is a schematic flow chart of a third specific implementation of the data desensitization method according to the fifth embodiment of the present invention;
Fig. 6 is a schematic flow chart of a specific implementation of steps 001 to 003 before step 100 in the data desensitization method according to the sixth embodiment of the present invention;
Fig. 7 is a schematic flow chart of a data desensitization method in data transmission according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the specific business logic of the first step in the data desensitization method in a specific application example of the present invention;
Fig. 9 is a schematic diagram of a specific service flow of plaintext access in a data desensitization method according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a specific implementation of a data desensitization server in a seventh embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a data desensitization apparatus in data transmission according to an eighth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a first specific implementation manner of a data desensitization method in data transmission, and referring to fig. 1, the data desensitization method specifically includes the following steps:
Step 100: Judge the type of a data transmission request containing sensitive data sent by a user terminal, and proceed to step 200 if the type of the data transmission request is confirmed to be a data download request.
In step 100, a user terminal sends a data transmission request to a data desensitization server. The data desensitization server receives the data transmission request and determines whether it contains sensitive data; if so, it determines the type of the data transmission request containing the sensitive data sent by the user terminal. The type of the data transmission request comprises a data download request and a data upload request; the data download request comprises a database query instruction for a target database, and the database query instruction can be an SQL statement.
Step 200: If the type of the data transmission request is determined to be a data download request and the total amount of the data to be downloaded corresponding to the data download request is greater than or equal to a first threshold value, perform data desensitization processing on the database query instruction in the data download request.
In step 200, if the data desensitization server determines that the type of the data transmission request is a data download request, it compares the total amount of data to be downloaded corresponding to the data download request with a first threshold. The first threshold is preset according to the actual situation: a total amount of data to be downloaded smaller than the first threshold is treated as a small amount of data, and a total amount greater than or equal to the first threshold is treated as a large amount of data. When the total amount of data to be downloaded corresponding to the data download request is greater than or equal to the first threshold, the data desensitization server performs data desensitization on the database query instruction in the data download request. Data desensitization refers to deforming certain sensitive information through a desensitization rule, so that sensitive private data is reliably protected. This allows for safe use of the desensitized real data set in development, testing and other non-production environments as well as outsourcing environments.
Step 300: Acquire the corresponding data to be downloaded from the target database according to the database query instruction subjected to data desensitization processing, and send the data to be downloaded to the corresponding user terminal.
In step 300, the data desensitization server obtains the corresponding data to be downloaded from the target database according to the database query instruction after the data desensitization processing, and sends the data to be downloaded to the corresponding user terminal.
As can be seen from the above description, the embodiments of the present invention adopt different desensitization methods according to the amount of sensitive data the user accesses: for desensitization of a small amount of data, data desensitization processing is performed on the sensitive data fields in the output stage, and for desensitization of a large amount of data, the processing is performed in the database query instruction parsing stage, thereby increasing the speed of data processing.
The second embodiment of the present invention provides a second specific implementation manner of the data desensitization method, and referring to fig. 2, the following is specifically included after the step 100 described above:
Step 200A: If the type of the data transmission request is determined to be a data download request and the total amount of the data to be downloaded corresponding to the data download request is smaller than a first threshold value, acquire the corresponding data to be downloaded from the target database according to the database query instruction in the data download request.
In step 200A, if the data desensitization server determines that the type of the data transmission request is a data download request and that the total amount of data to be downloaded corresponding to the data download request is smaller than the first threshold, it treats the current data to be downloaded as a small amount of data and obtains the corresponding data to be downloaded from the target database according to the database query instruction in the data download request.
Step 300A: Perform data desensitization processing on the data to be downloaded.
Step 400A: Send the desensitized data to be downloaded to the corresponding user terminal.
In steps 300A and 400A, the data desensitization server performs data desensitization on the data to be downloaded acquired from the target database, and then transmits the desensitized data to be downloaded to the corresponding user terminal.
As can be seen from the above description, the embodiment of the present invention adopts different desensitization methods according to the amount of sensitive data the user accesses, and for desensitization of a small amount of data performs data desensitization processing on the sensitive data fields in the output stage, so as to improve the speed of data processing.
An embodiment three of the present invention provides a specific implementation manner of the step 300A in the data desensitization method, and referring to fig. 3, the step 300A specifically includes the following contents:
Step 300A-1: Compare the total data amount of the corresponding data to be downloaded acquired from the target database with a second threshold value; if the total amount of the data to be downloaded is smaller than the second threshold, step 300A-2 is performed, and if the total amount of the data to be downloaded is greater than or equal to the second threshold, step 300A-3 is performed.
Step 300A-2: Perform data desensitization processing on the data to be downloaded.
Step 300A-3: Perform data desensitization processing on the database query instruction in the data download request, and proceed to step 300A-4.
Step 300A-4: According to the database query instruction subjected to data desensitization, re-acquire the corresponding data to be downloaded from the target database, and send the data to be downloaded to the corresponding user terminal.
In the above steps 300A-1 to 300A-4, the data desensitization server compares the total data amount of the corresponding data to be downloaded acquired from the target database with a second threshold; if the total amount of the data to be downloaded is smaller than the second threshold, step 300A-2 is performed, and if the total amount of the data to be downloaded is greater than or equal to the second threshold, step 300A-3 is performed.
As can be seen from the above description, the embodiment of the present invention provides an implementation manner of desensitization for a small amount of data, and effectively guarantees the security, integrity and availability of sensitive data in big data.
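The threshold routing of embodiments one to three, as an added sketch that is not part of the patent text: Python with an in-memory SQLite database stands in for the desensitization server and the target database. The threshold values, the row-count and byte-size metrics, the `customers` table, the masking expressions and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed policy values: the patent only says the thresholds are preset.
FIRST_THRESHOLD_ROWS = 100      # estimated rows; at or above, mask in the query
SECOND_THRESHOLD_BYTES = 4096   # fetched bytes; at or above, re-query masked

# Hypothetical sensitive data list for the target database:
# column -> (SQL masking expression, equivalent Python masker).
SENSITIVE = {
    "phone": ("substr(phone, 1, 3) || '****' || substr(phone, 8)",
              lambda v: v[:3] + "****" + v[7:]),
    "id_no": ("substr(id_no, 1, 4) || '**********' || substr(id_no, -4)",
              lambda v: v[:4] + "*" * 10 + v[-4:]),
}

# Deliberately narrow grammar: one table, a plain column list and at most one
# simple predicate. Anything else (aliases, UNION, subqueries) is refused,
# because an unparsed construct could carry a sensitive column past the rewrite.
_SELECT = re.compile(
    r"^\s*SELECT\s+(?P<cols>[\w\s,*]+?)\s+FROM\s+(?P<table>\w+)"
    r"(?P<tail>\s+WHERE\s+\w+\s*(?:<=|>=|=|<|>)\s*(?:\d+|'[^';]*'))?\s*$",
    re.IGNORECASE,
)


def parse_select(conn, sql):
    """Return (columns, table, where_tail) or raise ValueError (fail closed)."""
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("unsupported query shape, refusing to forward it")
    table = m.group("table")
    cols = [c.strip().lower() for c in m.group("cols").split(",")]
    if cols == ["*"]:  # expand so that sensitive columns are visible by name
        cols = [r[1].lower() for r in conn.execute(f"PRAGMA table_info({table})")]
    if not cols or not all(re.fullmatch(r"\w+", c) for c in cols):
        raise ValueError("unsupported column list, refusing to forward it")
    return cols, table, m.group("tail") or ""


def rewrite_query(cols, table, tail):
    """Desensitize the query instruction: mask sensitive columns in SQL."""
    select_list = ", ".join(
        f"{SENSITIVE[c][0]} AS {c}" if c in SENSITIVE else c for c in cols)
    return f"SELECT {select_list} FROM {table}{tail}"


def mask_rows(cols, rows):
    """Desensitize fetched data: mask sensitive fields at the output stage."""
    return [tuple(SENSITIVE[c][1](v) if c in SENSITIVE and v is not None else v
                  for c, v in zip(cols, row)) for row in rows]


def handle_download(conn, sql):
    """Route a download request; returns (path taken, rows sent to the user)."""
    cols, table, tail = parse_select(conn, sql)
    if not any(c in SENSITIVE for c in cols):
        return "plain", conn.execute(sql).fetchall()
    masked_sql = rewrite_query(cols, table, tail)
    total = conn.execute(f"SELECT COUNT(*) FROM {table}{tail}").fetchone()[0]
    if total >= FIRST_THRESHOLD_ROWS:            # steps 200 and 300
        return "query-rewrite", conn.execute(masked_sql).fetchall()
    rows = conn.execute(sql).fetchall()          # step 200A
    size = sum(len(str(v).encode()) for row in rows for v in row)
    if size >= SECOND_THRESHOLD_BYTES:           # steps 300A-3 and 300A-4
        return "query-rewrite-after-fetch", conn.execute(masked_sql).fetchall()
    return "output-mask", mask_rows(cols, rows)  # steps 300A-2 and 400A


def build_demo_db(n_rows, note_len=10):
    """Constructed sample data, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers "
                 "(id INTEGER, name TEXT, phone TEXT, id_no TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
        [(i, f"user{i}", f"138{i:08d}", f"1101{i:014d}", "x" * note_len)
         for i in range(n_rows)])
    return conn


if __name__ == "__main__":
    db = build_demo_db(500)
    for query in ("SELECT name, phone FROM customers",
                  "SELECT name, phone FROM customers WHERE id < 10"):
        path, rows = handle_download(db, query)
        print(path, rows[:2])
```

Masking only the select list leaves sensitive columns usable in `WHERE` predicates, which a production rewriter would also need a policy for.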
The fourth embodiment of the present invention provides a specific implementation manner of step 200 in the data desensitization method, and referring to fig. 4, the step 200 specifically includes the following steps:
Step 201: Send sensitive data prompt information to the user terminal, so that the user terminal chooses to send either a desensitization download instruction or a plaintext download instruction according to the sensitive data prompt information; if a desensitization download instruction sent by the user terminal is received, proceed to step 202, and if a plaintext download instruction sent by the user terminal is received, proceed to step 203.
Step 202: and carrying out data desensitization processing on the database query instruction in the data downloading request.
Step 203: sending a plaintext download request to a management terminal of a target database, so that the management terminal of the target database selects whether to send a download instruction according to the plaintext download request, and entering step 204.
Step 204: and after receiving a downloading instruction sent by a management terminal of the target database, acquiring corresponding data to be downloaded in the target database according to a database query instruction in the data downloading request, and sending the data to be downloaded to a corresponding user terminal.
As can be seen from the above description, the embodiment of the present invention provides a specific implementation manner for performing data desensitization processing on the database query instruction in the data download request, which not only solves the problem of reversibility of sensitive data, but also solves the problem of system performance loss during processing of a large amount of sensitive data.
The fifth embodiment of the present invention provides a third specific implementation manner of the data desensitization method, and referring to fig. 5, the following is specifically included after the step 100 described above:
Step 200B: If the type of the data transmission request is confirmed to be a data upload request, send sensitive data prompt information to the user terminal, so that the user terminal chooses to send either a desensitization upload instruction or a plaintext upload instruction according to the sensitive data prompt information; when a desensitization upload instruction sent by the user terminal is received, proceed to step 300B; when a plaintext upload instruction sent by the user terminal is received, proceed to step 500B.
Step 300B: and performing data desensitization processing on the data to be uploaded in the data uploading request, wherein the data uploading request comprises the address of the target database and the data to be uploaded, and entering the step 400B.
Step 400B: and sending the data to be uploaded after data desensitization treatment to the target database according to the address of the target database in the data uploading request, and caching the data to be uploaded.
Step 500B: sending a plaintext upload request to a management terminal of a target database, so that the management terminal of the target database selects whether to send an upload instruction according to the plaintext upload request, and entering step 600B.
Step 600B: and after an uploading instruction sent by a management terminal of the target database is received, sending the data to be uploaded in the data uploading request to the target database.
As can be seen from the above description, the embodiment of the present invention provides a desensitization data processing method when the type of the data transmission request is a data upload request, and ensures integrity and reliability of data desensitization.
Embodiment six of the present invention provides a specific implementation of steps 001 to 003 before step 100 in the above data desensitization method, and referring to fig. 6, the steps 001 to 003 specifically include the following:
Step 001: Receive a data transmission request sent by the user terminal, wherein the data transmission request comprises the address of a target database and data to be transmitted.
Step 002: Acquire a sensitive data list corresponding to the target database, and judge whether the data to be transmitted in the data transmission request comprises sensitive data according to the sensitive data list.
Step 003: If the data to be transmitted comprises sensitive data, judge that the data transmission request comprises the sensitive data.
As can be seen from the above description, the embodiment of the present invention provides a specific implementation manner for determining whether the data to be transmitted includes sensitive data, so as to ensure integrity and reliability of data desensitization.
For further illustration of the present solution, the present invention further provides a specific application example of a data desensitization method in data transmission, referring to fig. 7, the data desensitization method specifically includes the following contents:
Data desensitization processing refers to transforming certain sensitive information through desensitization rules, so that sensitive private data is reliably protected. At present, data desensitization processing mainly includes two modes, "sensitive information data replacement" and "sensitive information encryption protection", detailed as follows:
1) Sensitive information data replacement replaces sensitive information in the stored data according to a certain fuzzification rule (for example: replacing some fields with similar characters, replacing characters with masking characters (e.g., 'x'), replacing real surnames with virtual surnames, etc.), so that the data accessed by users with any authority, whether through foreground programs or a direct background connection, is desensitized data. Due to its poor reversibility, the method is generally used for the security protection of test data.
2) The sensitive information encryption protection is to encrypt a file or a database table containing sensitive information in stored data in an encryption mode, and the sensitive data accessed by a user are encrypted data under normal conditions. If the non-encrypted data needs to be checked under special conditions, the key needs to be called to decrypt the encrypted data. Since the encryption and decryption operations in the method have a greater dependence on the performance of the device, the method is generally used in terms of security protection of core data with a smaller data volume.
The invention discloses a method that applies desensitization control only in the data output link, without changing the source data: it parses the uplink SQL statement of the data access, identifies from the parsing result the sensitive data involved in the access, then desensitizes the accessed sensitive data according to a certain rule during data output, and performs differentiated desensitization control according to the amount of sensitive data accessed by the user.
The first step: The user accesses the big data through the unified access portal. After receiving the user access request, the data desensitization server does not immediately issue the access instruction, but first parses the access SQL statement. This step performs deep analysis of the uplink SQL statement, converts the SQL grammar into a specific business algorithm of a program, and extracts the base tables and fields accessed this time. It supports not only the analysis of data operations on a single table but also the analysis of complex SQL statements with multiple tables and multiple fields, which greatly meets the actual business requirements of a big data system; the specific business logic is shown in fig. 8.
The business logic performs deep analysis of the uplink SQL statement and converts the SQL grammar into a specific business algorithm of a program. For example, take the following query statement:
SELECT e.last_name AS name,
       e.commission_pct comm,
       e.salary*12 "Annual Salary"
FROM scott.employees AS e
WHERE e.salary>1000
ORDER BY
       e.first_name,
       e.last_name;
After passing through the analysis component, the statement is converted into the following information:
The second step: Compare the analysis result of the first step with a preset sensitive data asset list to determine whether the current access operation involves sensitive data. If it does, perform the third step; if it does not, issue the current access instruction and display the feedback result directly to the user without any processing.
The third step: A pop-up prompt box reminds the user that the current access operation involves sensitive data and lets the user select plaintext access or desensitization access for this operation. If the user selects plaintext access, an approval process is triggered: the data desensitization server automatically sends the user's plaintext access request to the relevant responsible person (both an electronic process and a short message are supported); after the responsible person approves, the data desensitization server issues the access instruction, and the feedback result is displayed directly to the user without any processing. If the user selects desensitization access, the fourth step is performed. The specific business flow of plaintext access is shown in fig. 9.
The fourth step: After the user selects desensitization access, the data desensitization server issues the access instruction submitted by the user and caches the returned uplink data.
The fifth step: The data desensitization server desensitizes the sensitive content in the cached uplink data according to the analysis result of the second step. The supported desensitization modes include replacing some fields with similar characters, replacing characters with masking characters (for example, 'x'), user-defined modes, and the like. Control of sensitive content can be extended to the file level for HADOOP resources, to the column level for HBASE resources, to the column level for HIVE resources, and to the field level for SOLR resources.
The sixth step: Different desensitization methods are adopted according to the amount of sensitive data accessed by the user: for desensitization of a small amount of data, data desensitization processing is performed on the sensitive data fields in the output link; for desensitization of a large amount of data, processing is performed in the SQL statement analysis link.
The seventh step: Output the desensitized data to the user and finish the access operation.
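The seven-step download flow above, as an added Python sketch (not code from the patent): the proxy extracts the table and fields from the query, checks them against a sensitive-data asset list, and then either rewrites the query (large result) or masks the returned rows (small result), leaving the source table untouched. Assumptions: SQLite stands in for the big-data store, the asset list and `mask_text` function are constructed, "amount of data" is measured as a row count, only the first threshold is modelled, and the parser handles single-table SELECT statements only, rejecting anything else instead of passing it through unmasked.

```python
import re
import sqlite3
from collections import namedtuple

# Constructed sensitive-data asset list (assumption): table -> sensitive columns.
SENSITIVE_ASSETS = {"employees": {"last_name", "salary"}}

Item = namedtuple("Item", "expr col out")  # source expression, column, output name

# Deliberately small grammar: SELECT col [AS x], ... FROM table [AS a] [WHERE/ORDER BY ...]
_SELECT = re.compile(
    r"^SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+(?:AS\s+)?(?P<alias>(?!WHERE\b|ORDER\b)\w+))?"
    r"(?P<tail>\s+(?:WHERE|ORDER\s+BY)\b.*)?$", re.I | re.S)
_ITEM = re.compile(
    r"^(?P<expr>(?:\w+\.)?(?P<col>\w+))(?:\s+(?:AS\s+)?(?P<out>\w+))?$", re.I)


def mask_text(value):
    """Replacement-style masking: keep the first character, 'x' for the rest."""
    if value is None:
        return None
    s = str(value)
    return s[:1] + "x" * (len(s) - 1)


def parse_select(sql):
    """Return (table, alias, items, tail); raise ValueError so the caller fails closed."""
    m = _SELECT.match(sql.strip().rstrip(";").strip())
    if not m:
        raise ValueError("unsupported statement")
    items = []
    for raw in m["cols"].split(","):
        im = _ITEM.match(raw.strip())
        if not im:  # '*', expressions and function calls are refused, not guessed at
            raise ValueError(f"unsupported select item: {raw.strip()!r}")
        items.append(Item(im["expr"], im["col"].lower(), im["out"] or im["col"]))
    return m["table"].lower(), m["alias"], items, m["tail"] or ""


def handle_download(conn, sql, first_threshold, choice="desensitize", approved=False):
    """Return (mode, rows) for one download request passing through the proxy."""
    table, alias, items, tail = parse_select(sql)            # step 1: parse
    sensitive = SENSITIVE_ASSETS.get(table, set())
    hits = {n for n, it in enumerate(items) if it.col in sensitive}
    base = sql.strip().rstrip(";")
    if not hits:                                             # step 2: no sensitive field
        return "passthrough", conn.execute(base).fetchall()
    if choice == "plaintext":                                # step 3: approval gate
        if not approved:
            raise PermissionError("plaintext access needs approval")
        return "plaintext", conn.execute(base).fetchall()
    total = conn.execute(f"SELECT COUNT(*) FROM ({base})").fetchone()[0]
    if total >= first_threshold:
        # Large result: desensitize in the query itself. Every interpolated
        # identifier matched \w+ in the parser, so nothing free-form is spliced in.
        cols = ", ".join(
            f"mask_text({it.expr}) AS {it.out}" if n in hits else f"{it.expr} AS {it.out}"
            for n, it in enumerate(items))
        src = table + (f" AS {alias}" if alias else "")
        return "query-rewrite", conn.execute(f"SELECT {cols} FROM {src}{tail}").fetchall()
    # Small result: fetch as asked, then mask sensitive fields in the output link.
    rows = conn.execute(base).fetchall()
    return "output-mask", [
        tuple(mask_text(v) if n in hits else v for n, v in enumerate(r)) for r in rows]


def demo_db():
    """In-memory store with constructed sample rows and a DB-side masking function."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("mask_text", 1, mask_text)
    conn.execute("CREATE TABLE employees (id INTEGER, last_name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        (1, "Smith", 5000), (2, "Jones", 800), (3, "Chen", 3200),
        (4, "Garcia", 1500), (5, "Okafor", 2100)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    q = ("SELECT e.id, e.last_name AS name, e.salary FROM employees AS e "
         "WHERE e.salary > 1000 ORDER BY e.id;")
    for threshold in (3, 10):
        print(threshold, handle_download(db, q, threshold))
```

Both paths return the same masked rows; the WHERE and ORDER BY clauses still evaluate against the raw column values because they use the qualified table column, not the masked output alias.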
The invention discloses a sensitive data desensitization control method without changing source data, which has the advantages of two data desensitization processing modes of traditional 'sensitive information data replacement' and 'sensitive information encryption protection', improves the flexibility of desensitization control while ensuring the efficiency, and meets the requirement of safety management and control of big data to the greatest extent.
The key points of the invention are mainly expressed in three aspects of 'no change of source data', 'flexible realization of control of clear text access and desensitization access', 'realization of differentiated management and control of different amounts of sensitive data'.
(1) Secure access to sensitive data without changing source data
The invention discloses a desensitization control method only in the data output link under the condition of not changing source data, which ensures the integrity of a big data file by analyzing an uplink SQL statement, analyzing the sensitive data existing in the access according to the analysis result, and then desensitizing the accessed sensitive data according to a certain rule only in the data output process.
(2) Flexible operation, clear text access and desensitization access of sensitive data
When a user requests sensitive data of a big data resource, a joint judgment can be made from the configured sensitive data access control policy and the result of the proxy's lookup of the corresponding sensitive data in Solr. An access control policy may have multiple constraints, combined by AND or OR, and each policy requires a defined control mode: permission or denial, whether desensitization is allowed under conditions, whether plaintext access is available, whether warning information is sent, etc. If the Solr does not have corresponding sensitive data information, the resource file is not processed; if the sensitive data information exists, desensitizing plaintext access is carried out on the appointed position in the strategy according to the setting joint judgment of the sensitive data position and the sensitive data access control strategy, and early warning is not required; in addition, the access of the vault needs to be triggered when the plaintext is accessed, and the sensitive data can be accessed after the plaintext is authorized, so that the security of the big data file is effectively guaranteed.
(3) Quickly judging and realizing the differential management and control of different amounts of sensitive data
According to the invention, the data access operation of a user is rapidly analyzed, and data desensitization processing is carried out by adopting an alternative mode aiming at desensitization control of a small amount of data; for desensitization of a large amount of data, processing is carried out in an SQL statement analysis link, quick access control of a user is realized, the use of other applications on big data is not influenced, the system performance is prevented from being excessively occupied, and the usability of the big data is effectively guaranteed.
The invention not only realizes the safety control of sensitive data in the big data, but also solves the problem that a large amount of system resources are occupied when a large amount of sensitive data is desensitized. The security control of the big data is improved, and meanwhile, the security, integrity and usability of the big data system are guaranteed.
The technical advantages are as follows:
1) the invention only carries out desensitization control in the data output process and does not involve any processing operation on source data, thereby ensuring the safety and the availability of production data in a big data system. The desensitization control of the accessed sensitive data information is realized by analyzing the uplink SQL statement, analyzing the sensitive data existing in the access according to the analysis result, and desensitizing the accessed sensitive data according to a certain rule in the data output process.
2) The invention flexibly switches between plaintext access and desensitization access: it lets the user select whether the current operation is plaintext access or desensitization access; when the user selects plaintext access, it triggers an approval process, automatically sends the user's plaintext access request to the relevant responsible person (both an electronic process and a short message are supported), and, after the responsible person approves, issues the access instruction and directly displays the feedback result to the user without any processing.
3) The method is used for rapidly analyzing the number of the sensitive data accessed by the user, and carrying out data desensitization treatment on a small amount of sensitive data accessed by the user in an output link in a replacement mode; the system processes the access of a large amount of sensitive data in the SQL statement analysis link, realizes the quick access control of the user, avoids the overlarge occupation of the system performance while not influencing the use of other applications on the big data, and effectively ensures the usability of the big data.
From the above description, it can be seen that the specific application example of the present invention realizes a method of desensitizing control only in the output link of sensitive data without changing source data, and gives consideration to the advantages of two data desensitization processing modes of traditional "sensitive information data replacement" and "sensitive information encryption protection", so that not only flexible control of desensitizing big data is achieved, but also availability of sensitive data in the big data is effectively ensured.
An embodiment of the present invention provides a specific implementation manner of a data desensitization server capable of implementing the data desensitization method, and referring to fig. 10, the data desensitization server specifically includes the following contents:
A data transmission request type determining unit 10, configured to determine a type of a data transmission request containing sensitive data sent by a user terminal, where the type of the data transmission request includes a data downloading request and a data uploading request, and the data downloading request comprises a database query instruction of a target database.
A data desensitization processing unit 20, configured to perform data desensitization processing on the database query instruction in the data download request when it is determined that the type of the data transmission request is a data download request and the total amount of data to be downloaded corresponding to the data download request is greater than or equal to a first threshold.
A data to be downloaded acquiring unit 30, configured to acquire corresponding data to be downloaded from the target database according to the database query instruction subjected to data desensitization, and send the data to be downloaded to a corresponding user terminal.
It can be seen from the above description that the embodiments of the present invention adopt different desensitization methods according to the amount of sensitive data accessed by the user: for desensitization of a small amount of data, data desensitization processing is performed on the sensitive data fields in the output link, and for desensitization of a large amount of data, processing is performed in the database query instruction parsing link, thereby increasing the speed of data processing.
An eighth embodiment of the present invention provides a data desensitization device in data transmission, and referring to fig. 11, the device is specifically as follows:
a processor (processor)801, a memory (memory)802, a communication interface (communications interface)803, and a bus 804;
wherein,
the processor 801, the memory 802 and the communication interface 803 complete mutual communication through the bus 804;
the communication interface 803 is used for information transmission between the automatic put-through device and a communication device of the charging system;
the processor 801 is configured to call program instructions in the memory 802 to perform the methods provided by the above-described method embodiments, including for example: judging the type of a data transmission request containing sensitive data sent by a user terminal, wherein the type of the data transmission request includes a data downloading request and a data uploading request, and the data downloading request comprises a database query instruction of a target database; if the type of the data transmission request is determined to be a data downloading request, and the total amount of data to be downloaded corresponding to the data downloading request is greater than or equal to a first threshold value, performing data desensitization processing on the database query instruction in the data downloading request; and acquiring corresponding data to be downloaded in the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to a corresponding user terminal.
An embodiment of the present invention discloses a computer program product, where the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions; when the program instructions are executed by a computer, the computer can execute the method provided by the above-mentioned method embodiments, for example, including: judging the type of a data transmission request containing sensitive data sent by a user terminal, wherein the type of the data transmission request includes a data downloading request and a data uploading request, and the data downloading request comprises a database query instruction of a target database; if the type of the data transmission request is determined to be a data downloading request, and the total amount of data to be downloaded corresponding to the data downloading request is greater than or equal to a first threshold value, performing data desensitization processing on the database query instruction in the data downloading request; and acquiring corresponding data to be downloaded in the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to a corresponding user terminal.
An embodiment of the present invention provides a non-transitory computer-readable storage medium, where the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to perform the method provided by the foregoing method embodiments, for example, including: judging the type of a data transmission request containing sensitive data sent by a user terminal, wherein the type of the data transmission request includes a data downloading request and a data uploading request, and the data downloading request comprises a database query instruction of a target database; if the type of the data transmission request is determined to be a data downloading request, and the total amount of data to be downloaded corresponding to the data downloading request is greater than or equal to a first threshold value, performing data desensitization processing on the database query instruction in the data downloading request; and acquiring corresponding data to be downloaded in the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to a corresponding user terminal.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above-described embodiments of data desensitization devices and the like in data transmission are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method of data desensitization in data transmission, the method comprising:
judging the type of a data transmission request containing sensitive data sent by a user terminal, wherein the type of the data transmission request includes a data downloading request and a data uploading request, and the data downloading request comprises a database query instruction of a target database;
if the type of the data transmission request is determined to be a data downloading request, and the total amount of data to be downloaded corresponding to the data downloading request is greater than or equal to a first threshold value, performing data desensitization processing on a database query instruction in the data downloading request;
and acquiring corresponding data to be downloaded in the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to a corresponding user terminal.
2. The method of claim 1, wherein determining the type of the data transmission request containing sensitive data sent by the user terminal further comprises:
if the type of the data transmission request is determined to be a data downloading request and the total amount of data to be downloaded corresponding to the data downloading request is smaller than a first threshold value, acquiring corresponding data to be downloaded in the target database according to a database query instruction in the data downloading request;
carrying out data desensitization processing on the data to be downloaded;
and sending the desensitized data to be downloaded to the corresponding user terminal.
3. The method according to claim 2, wherein the performing data desensitization processing on the data to be downloaded comprises:
comparing the total data amount of the data to be downloaded acquired from the target database with a second threshold value;
and if the total data amount of the data to be downloaded is smaller than a second threshold value, performing data desensitization processing on the data to be downloaded.
4. The method according to claim 3, wherein the comparing the total amount of data of the data to be downloaded acquired from the target database with the second threshold value further comprises:
if the total data amount of the data to be downloaded is larger than or equal to a second threshold value, performing data desensitization processing on a database query instruction in the data downloading request;
and according to the database query instruction subjected to data desensitization, re-acquiring the corresponding data to be downloaded in the target database, and sending the data to be downloaded to the corresponding user terminal.
5. The method of claim 1, wherein performing data desensitization processing on the database query instructions in the data download request comprises:
sensitive data prompt information is sent to the user terminal, so that the user terminal selectively sends out a desensitization downloading instruction or a clear text downloading instruction according to the sensitive data prompt information;
and if receiving a desensitization downloading instruction sent by the user terminal, performing data desensitization processing on the database query instruction in the data downloading request.
6. The method of claim 5, further comprising:
if receiving a plaintext downloading instruction sent by the user terminal, sending a plaintext downloading request to a management terminal of a target database, so that the management terminal of the target database selects whether to send the downloading instruction according to the plaintext downloading request;
and after receiving a downloading instruction sent by a management terminal of the target database, acquiring corresponding data to be downloaded in the target database according to a database query instruction in the data downloading request, and sending the data to be downloaded to a corresponding user terminal.
7. The method of claim 1, wherein the determining the type of the data transmission request containing sensitive data sent by the user terminal further comprises:
if the type of the data transmission request is confirmed to be a data uploading request, sensitive data prompt information is sent to the user terminal, so that the user terminal selectively sends a desensitization uploading instruction or a plaintext uploading instruction according to the sensitive data prompt information;
when a desensitization uploading instruction sent by the user terminal is received, performing data desensitization processing on data to be uploaded in the data uploading request, wherein the data uploading request comprises an address of a target database and the data to be uploaded;
and sending the data to be uploaded after data desensitization processing to the target database according to the address of the target database in the data uploading request, and caching the data to be uploaded.
8. The method of claim 7, further comprising:
when receiving a plaintext uploading instruction sent by the user terminal, sending a plaintext uploading request to a management terminal of a target database, so that the management terminal of the target database selects whether to send the uploading instruction according to the plaintext uploading request;
and after receiving an uploading instruction sent by a management terminal of the target database, sending the data to be uploaded in the data uploading request to the target database.
9. The method of claim 1, wherein the determining the type of the data transmission request containing sensitive data sent by the user terminal comprises:
receiving a data transmission request sent by the user terminal, wherein the data transmission request comprises an address of a target database and data to be transmitted;
acquiring a sensitive data list corresponding to the target database, and judging whether the data to be transmitted in the data transmission request comprises sensitive data according to the sensitive data list;
and if the data to be transmitted comprises sensitive data, judging that the data transmission request comprises the sensitive data.
10. A data desensitization server, characterized in that the data desensitization server comprises:
a data transmission request type determining unit, configured to determine a type of a data transmission request that includes sensitive data and is sent by a user terminal, where the type of the data transmission request includes a data downloading request and a data uploading request, and the data downloading request comprises a database query instruction of a target database;
the data desensitization processing unit is used for performing data desensitization processing on a database query instruction in the data downloading request when the type of the data transmission request is determined to be a data downloading request and the total amount of data to be downloaded corresponding to the data downloading request is greater than or equal to a first threshold value;
and the data to be downloaded acquiring unit is used for acquiring corresponding data to be downloaded in the target database according to the database query instruction subjected to data desensitization processing, and sending the data to be downloaded to a corresponding user terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710103860.1A CN108512807B (en) | 2017-02-24 | 2017-02-24 | Data desensitization method and data desensitization server in data transmission |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108512807A (en) | 2018-09-07 |
CN108512807B (en) | 2020-08-04 |
Family
ID=63373708
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710103860.1A Active CN108512807B (en) | 2017-02-24 | 2017-02-24 | Data desensitization method and data desensitization server in data transmission |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108512807B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140164405A1 (en) * | 2012-12-12 | 2014-06-12 | Institute For Information Industry | Dynamic data masking method and database system |
CN103870480A (en) * | 2012-12-12 | 2014-06-18 | 财团法人资讯工业策进会 | Dynamic data masking method and database system |
CN105653981A (en) * | 2015-12-31 | 2016-06-08 | 中国电子科技网络信息安全有限公司 | Sensitive data protection system and method of data circulation and transaction of big data platform |
CN105740445A (en) * | 2016-02-02 | 2016-07-06 | 贵州大学 | Database query method and device |
CN106203170A (en) * | 2016-07-19 | 2016-12-07 | 北京同余科技有限公司 | The Database Dynamic desensitization method of servicing of based role and system |
CN106295388A (en) * | 2015-06-04 | 2017-01-04 | 中国移动通信集团山东有限公司 | A kind of data desensitization method and device |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110188571A (en) * | 2019-06-05 | 2019-08-30 | 深圳市优网科技有限公司 | Desensitization method and system based on sensitive data |
CN110532797A (en) * | 2019-07-24 | 2019-12-03 | 方盈金泰科技(北京)有限公司 | Desensitization method and system for big data |
CN112699403A (en) * | 2020-12-28 | 2021-04-23 | 深圳前海微众银行股份有限公司 | Data processing method, apparatus, medium, device, and program product |
CN113268768A (en) * | 2021-05-24 | 2021-08-17 | 平安普惠企业管理有限公司 | Desensitization method, apparatus, device and medium for sensitive data |
CN113268768B (en) * | 2021-05-24 | 2024-04-16 | 重庆颂车网络科技有限公司 | Desensitization method, device, equipment and medium for sensitive data |
CN113591150A (en) * | 2021-08-03 | 2021-11-02 | 浙江图盛输变电工程有限公司温州科技分公司 | Desensitization processing method for sensitive data |
CN113591150B (en) * | 2021-08-03 | 2024-04-26 | 浙江图盛输变电工程有限公司温州科技分公司 | Desensitization processing method for sensitive data |
CN115880826A (en) * | 2023-02-22 | 2023-03-31 | 肯特智能技术(深圳)股份有限公司 | Park access method and system based on access data |
Also Published As
Publication number | Publication date |
---|---|
CN108512807B (en) | 2020-08-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108512807B (en) | Data desensitization method and data desensitization server in data transmission | |
CN109639652B (en) | Method and system for accessing internetwork data based on security isolation | |
US9635041B1 (en) | Distributed split browser content inspection and analysis | |
US8819768B1 (en) | Split password vault | |
CN110598442A (en) | Sensitive data self-adaptive desensitization method and system | |
US8918837B2 (en) | Web application container for client-level runtime control | |
US9098707B2 (en) | Mobile device application interaction reputation risk assessment | |
CN111382421A (en) | Service access control method, system, electronic device and storage medium | |
CN109818937A (en) | Control method and device for Android permissions, storage medium, and electronic device | |
WO2022012669A1 (en) | Data access method and device, and storage medium and electronic device | |
WO2015051017A1 (en) | Method and apparatus for managing access to electronic content | |
CN109672657A (en) | Data managing method, device, equipment and storage medium | |
US11848965B2 (en) | Secure software defined storage | |
CN111177672A (en) | Page access control method and device and electronic equipment | |
TWI706359B (en) | Data processing method and device, computing equipment and storage medium | |
KR20120102972A (en) | Data encryption processing apparatus and method in a cloud environment | |
CN109154968A (en) | System and method for secure and efficient communication within an organization | |
JP2022094938A (en) | Method for monitoring and controlling data access, computer program, and security system agent equipment | |
CN114598520B (en) | Method, device, equipment and storage medium for controlling resource access | |
EP2738709A1 (en) | An improved method and device for enforcing privacy policies | |
CN108259456B (en) | Method, device, equipment and computer storage medium for realizing user login-free | |
CN113726673B (en) | Service gateway flow control method, device, equipment and storage medium | |
CN108092946B (en) | Method and system for safely accessing network | |
CN112528339A (en) | Data desensitization method based on Caché database and electronic equipment | |
CN102156646B (en) | Feature library upgrading method and device thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder | Address after: 100032 No. 29, Finance Street, Beijing, Xicheng District; Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.; Patentee after: China Mobile Communications Group Hunan Co., Ltd; Address before: 100032 No. 29, Finance Street, Beijing, Xicheng District; Patentee before: CHINA MOBILE COMMUNICATIONS Corp.; Patentee before: China Mobile Communications Group Hunan Co., Ltd |