CN110084053A - Data desensitization method, device, electronic equipment and storage medium - Google Patents

Data desensitization method, device, electronic equipment and storage medium Download PDF

Info

Publication number
CN110084053A
CN110084053A CN201910375356.6A CN201910375356A CN110084053A CN 110084053 A CN110084053 A CN 110084053A CN 201910375356 A CN201910375356 A CN 201910375356A CN 110084053 A CN110084053 A CN 110084053A
Authority
CN
China
Prior art keywords
data
desensitization
regular expression
report
sensitive
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201910375356.6A
Other languages
Chinese (zh)
Inventor
朱卫东
谢敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Manyun Software Technology Co Ltd
Original Assignee
Jiangsu Manyun Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Manyun Software Technology Co Ltd filed Critical Jiangsu Manyun Software Technology Co Ltd
Priority to CN201910375356.6A priority Critical patent/CN110084053A/en
Publication of CN110084053A publication Critical patent/CN110084053A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Abstract

The invention discloses a kind of data desensitization method, device, electronic equipment and storage mediums.This method comprises: obtaining the first data according to inquiry request;The second data are determined according to candidate sensitive data regular expression and the first data;Desensitization regular expression is determined according to the corresponding sensitive data regular expression of the second data;The second data, the third data to be desensitized are handled according to desensitization regular expression.The second data can be accurately filtered out by the candidate sensitive data regular expression of setting, is desensitized using desensitization regular expression to the second data, be can be realized and desensitization degree is controlled according to use demand, realize that data desensitize automatically.Received inquiry request can be issued by other systems, and then improve system compatibility, and realization is docked with other systems, improve data desensitization ease for use.

Description

Data desensitization method, device, electronic equipment and storage medium
Technical field
The present embodiments relate to Technology On Data Encryption more particularly to a kind of data desensitization method, device, electronic equipment and Storage medium.
Background technique
With the arrival of information age, no matter enterprise or government unit, all consciously or unconsciously is collecting, depositing daily Storage, shared data, and scale is increasing.Processing Various types of data is known as the only way which must be passed of modern enterprise growth, but sensitive number It is also growing day by day according to the risk of leakage.
Data desensitization refers to the deformation that certain sensitive informations are carried out with data by desensitization rule, realizes privacy-sensitive data Reliably protecting.Having the desensitization product of various business at present, each enterprise is also researching and developing respective data desensitization tool or system, To protect the data safety of enterprise itself, can not be used cooperatively with other systems, ease for use is poor.
Summary of the invention
The present invention provides a kind of data desensitization method, device, electronic equipment and storage medium, to realize that data take off automatically It is quick, while can be docked with other systems, improve data desensitization ease for use.
In a first aspect, the embodiment of the invention provides a kind of data desensitization methods, comprising:
The first data are obtained according to inquiry request;
The second data are determined according to candidate sensitive data regular expression and the first data;
Desensitization regular expression is determined according to the corresponding sensitive data regular expression of the second data;
The second data, the third data to be desensitized are handled according to desensitization regular expression.
Second aspect, the embodiment of the invention also provides a kind of data desensitization devices, comprising:
First data acquisition module, for obtaining the first data according to inquiry request;
Second data determining module, for being obtained according to candidate sensitive data regular expression and the first data acquisition module The first data determine the second data;
Desensitize expression formula determining module, for determining desensitization just according to the corresponding sensitive data regular expression of the second data Then expression formula;
Desensitize module, and the desensitization regular expression for being determined according to desensitization expression formula determining module handles the second data, The third data to be desensitized.
The third aspect the embodiment of the invention also provides a kind of electronic equipment, including memory, processor and is stored in On memory and the computer program that can run on a processor, processor are realized several such as first aspect shown in when executing program According to desensitization method.
The third aspect, the embodiment of the invention also provides a kind of computer readable storage mediums, are stored thereon with computer Program realizes the data desensitization method as shown in first aspect when the program is executed by processor.
Data desensitization method, device, electronic equipment and storage medium provided in an embodiment of the present invention, are obtained according to inquiry request Take the first data;The second data are determined according to candidate sensitive data regular expression and the first data;It is corresponding according to the second data Sensitive data regular expression determine desensitization regular expression;The second data are handled according to desensitization regular expression, are taken off Quick third data.The second data can be accurately filtered out by the candidate sensitive data regular expression of setting, using de- Quick regular expression desensitizes to the second data, can be realized and controls desensitization degree according to use demand, realizes that data are automatic Desensitization.Received inquiry request can be issued by other systems, and then improve system compatibility, and realization is docked with other systems, Improve data desensitization ease for use.
Detailed description of the invention
Fig. 1 is the applicable system architecture schematic diagram of the embodiment of the present invention;
Fig. 2 is the flow chart of a data desensitization method in the embodiment of the present invention;
Fig. 3 is the flow chart of another data desensitization method in the embodiment of the present invention;
Fig. 4 is the flow chart of the data desensitization method in a usage scenario in the embodiment of the present invention;
Fig. 5 is the flow chart of another data desensitization method in the embodiment of the present invention;
Fig. 6 is the flow chart of another data desensitization method in the embodiment of the present invention;
Fig. 7 is the structural schematic diagram of the data desensitization device in the embodiment of the present invention;
Fig. 8 is the structural schematic diagram of another data desensitization device in the embodiment of the present invention;
Fig. 9 is the structural schematic diagram of an electronic equipment in the embodiment of the present invention.
Specific embodiment
The present invention is described in further detail with reference to the accompanying drawings and examples.It is understood that this place is retouched The specific embodiment stated is used only for explaining the present invention rather than limiting the invention.It also should be noted that in order to just Only the parts related to the present invention are shown in description, attached drawing rather than entire infrastructure.
With the arrival of information age, no matter enterprise or government unit, all consciously or unconsciously is collecting, depositing daily Storage, shared data, and scale is increasing.Processing Various types of data is known as the only way which must be passed of modern enterprise growth, but sensitive number It is also growing day by day according to the risk of leakage.The deformation that data desensitization carries out data for certain sensitive informations to be passed through with the rule that desensitizes, Realize the reliably protecting of privacy-sensitive data.Has the desensitization product of various business at present, each enterprise is also researching and developing respective number According to desensitization tool or system, to protect the data safety of enterprise itself, but can not be used cooperatively with other systems, ease for use is poor.
Fig. 1 provides applicable data processing system configuration diagram for the embodiment of the present invention, comprising: derivative module 001 is examined Criticize module 002, data extraction module 003 and desensitization module 004.Wherein, derivative module 001: data consumer is in datagram Table platform request for data inquiry/download permission is committed to the audit examination & approval that approval module 002 carries out permission.Derivative module can be with Data magic square and BI Report Forms Service are provided for user.User can initiate to inquire or download request by derivative module.
Approval module 002: this functions of modules is mainly data used in data consumer's request for data inquiry/download permission Examination & approval need to examine by data user departmental manager, data Owner, abide by data usage rights minimize it is former Then, audit examination & approval are by that can use.Approval module examination & approval initiate whether inquiry or the user of downloading request have corresponding authority. After approval module is checked and approved, user can carry out desensitization downloading or download in plain text.OA approval module in approval module is for executing User right authentication.The message that passes through of examination & approval is sent to processing platform by approval module, from processing platform to data extraction module Send data retrieval request.
Data extraction module 003: source of this module as data, after data consumer has applied for inquiry/download permission, Inquiry, the download permission of data could be opened on this report platform for it, the data after downloading are sent to desensitization module 004 and carry out Data desensitization.The data magic square report platform that data extraction module 003 provides may be used to provide data magic square report.Data mention The data analysis-decision system platform that modulus block 003 provides can provide Data Analysis Platform for user.Data extraction module 003 is connecing After receiving data retrieval request, corresponding data file is transmitted to desensitization module 004.
Desensitization module 004: desensitization module 004 obtains the file sent by data sheet platform, automatic according to desensitization strategy Change the data in identification file, if the feature with data matches with the rule in desensitization strategy, desensitizes to data Processing, is sent to data consumer for data file after the completion of desensitization.Rule in desensitization strategy can pass through regular expression Agreement.Desensitization module receives the data file that data lift module transmission by file server, and desensitization administrative unit passes through text File data is read in part server, and carries out desensitization management, after the completion of desensitization, by the result return value processing platform that desensitizes.It removes Platform will desensitize data or clear data feeds back to user.Desensitization module is for being also used to realize data discovery, differentiated control And Mission Monitor.Wherein data discovery is for file where finding sensitive information.Differentiated control be used for different data table into The surface sweeping of row sensitive data and mark are identified for indicating security level.
Fig. 2 be data desensitization method provided in an embodiment of the present invention flow chart, the present embodiment be applicable to data into The case where row desensitization, this method can be executed by electronic equipment, can be used as in electronic equipment system architecture shown in Fig. 1 de- Quick module operation, desensitization module can be executed by PC, tablet computer, tablet computer or smart mobile phone, and this method is specific Include the following steps:
Step 110 obtains the first data according to inquiry request.
Inquiry request is initiated by user by derivative module 001, which can be located in terminal workable for user.It looks into Ask the request that request includes the request or downloading data for inquiring data.No matter being used for inquiring data or downloading data Family can specify the content for needing selection.The content can be user according to storage location specified data, or user According to the data of the name request of data sheet.Data extraction module 003 extracts the first data according to inquiry request, and by first Data are sent to desensitization module 004.First data are that inquiry request is directed toward the data being stored in data magic square (or database).
Step 120 determines the second data according to candidate sensitive data regular expression and the first data.
It can be that sensitive data configures sensitive data regular expression by engineer before executing step 110.According to quick Different candidate sensitive data regular expressions can be set with accurately from the first data in the data characteristics for feeling data itself Identify the second data.Second data are sensitive data.The form of first data can have multiple, including but not limited to datagram Table, data monomer or data acquisition system etc..
In one implementation, the first data are data sheet;At this point, step 120, according to candidate sensitive data canonical Expression formula and the first data determine the second data, can be implemented by following manner:
Firstly, obtaining the list item data in data sheet in each list item;Then, judge the first sensitive data regular expressions Whether formula matches with the first list item data.If the first sensitive data regular expression and the first list item Data Matching, by One list item data are determined as the second data, and the first sensitive data regular expression is in candidate sensitive data regular expression set Any one candidate sensitive data regular expression, the first list item data are any one list item data in data sheet.
Data sheet includes multiple list item data.The list item data being successively read in data sheet use candidate sensitive number Compare according to each expression formula in regular expression set respectively at current entry data, judges whether the two matches.If Match, then using current entry data as the second data.
It should be noted that can be according to certain sequence by current entry data and candidate sensitive data regular expression collection Multiple expression formulas in conjunction successively compare, and when encountering matched sensitive data regular expression, then exit current entry data Judgement.Read next list item data of current entry data, and judge in candidate sensitive data regular expression set whether There is the matched sensitive data regular expression of the list item data of reading.And so on, whole list items in scan data report Data.When reading list item data, can have according to line number it is small to big, when line number is identical according to row number have it is small to big sequence according to Secondary reading list item data.
By by the candidate sensitive data in the list item data of data sheet and candidate sensitive data regular expression set Regular expression is matched, and the second data can be determined from data sheet.
Further, the security level of the first list item data is determined according to the first sensitive data regular expression;According to number According to the security level for the list item data that report includes, the security level of data sheet is determined.
When configuring the first sensitive data regular expression, for corresponding safety of the first sensitive data regular expression configuration etc. Grade.When recognizing the first sensitive data regular expression matched with the first list item data, the first sensitive data canonical is read The security level of the first sensitive data regular expression is determined as the safety of the first list item data by the security level of expression formula Grade.
As the sensitivity of sensitive data is different, the degree that sensitive data desensitizes also is not quite similar.Sensitivity Higher, desensitization degree is higher.For example, whole digits of user password are required to desensitize, and the phone number of user can To show epilog portion field.It can be second to allow users to the sensitivity of more intuitive understanding current data Data carry out mark, to identify the sensitivity of the second data.
The evaluation criteria of security level is as shown in table 1, is divided into driver from low to high, respectively external open (L1), interior Portion uses (L2), secret (L3), top-secret (L4).
Table 1
Wherein, L4 top secret data be data confidentiality grade it is highest and, such data are once leaked, destroy or change Damage very serious can be caused to enterprise or employee.Such data would generally provide rival great help, right Company causes serious finance, reputation to influence.Such data must only limit a few peoples and use in intra-company's strict protection.
Company and employee's data claimed from the levels such as legal requirement, social duty when L3 confidential data. Such data can only be carried out in the specific user group of intra-company using.Such data are once leaked, destroy or change meeting More serious influence is caused to enterprise or employee.
Referred to using data due to technology or commercial requirement inside L2, is limited to interior employee or certain partners use Data.Such data are only limited to be used in intra-company, will not be to enterprise, client or partner once being leaked, destroying or changing It causes to seriously affect.
Public data is the data for going through to publish outside L1, and leakage, destruction or the change of such data will not be right Enterprise or employee cause significantly to influence.
In above-mentioned implementation, when the first data be data sheet when, it includes multiple second data there may be Different security levels.For example, the second data in data sheet containing L1 rank and L4 rank.At this point, from data sheet packet In multiple second data contained, highest security level is searched, the security level as data sheet.
Step 130 determines desensitization regular expression according to the corresponding sensitive data regular expression of the second data.
Sensitive data regular expression and corresponding desensitization regular expression can be pre-configured with.In step 130 It is middle to determine desensitization regular expression according to according to the corresponding sensitive data regular expression of the second data.The regular expression that desensitizes is used It is shielded in by the sensitive information in the second data, replaces with preset characters, realize desensitization.
Step 140 handles the second data, the third data to be desensitized according to desensitization regular expression.
The definition lattice of desensitization regular expression are then identical with sensitive data regular expression, patrolled using identical formulas solutions Volume, it may be determined that the specific field in the second data is replaced.
In one implementation, according to the corresponding desensitization regular expression of the second data, byte quantity to be shielded is determined And location information;According to byte quantity to be shielded and location information, respective symbols in the second data are replaced with into preset characters, are obtained To third data.
Preset function can be constructed and execute desensitization operation, the input parameter of preset function is desensitization regular expression, desensitization Regular expression includes the location information and substitute character of byte to be desensitized.It is used in subsequent embodiment A title of the value.replaceAll as preset function.
Further, before step 110, according to inquiry request the first data of acquisition, further includes:
Sensitive data regular expression is determined respectively according to the character feature of default list item, and presetting list item is cell-phone number, body Part card number, mailbox, address or fixed-line telephone;Desensitization regular expression is determined according to byte quantity to be shielded and position.
Engineer can design sensitive data regular expression according to the data characteristics of data to be desensitized itself.For mobile phone Number, it can desensitize to part field therein.Title can retain the surname of user, desensitize to name, or to name In segment word desensitize.Identification card number can desensitize to the field for corresponding to user's birthday in identification card number.User Title can retain the first character of user's name, desensitize to remaining character.Password can carry out password full text Desensitization.Address information can retain the other field of provincial, and municipal level, and to district, once field desensitizes.
Can illustratively, desensitization regular expression be with are as follows: cell-phone number: (+d+)? 1 [3456759] d { 9 } $
Identification card number:
(^[1-9]\d{5}(18|19|([23]\d))\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])| 10|20|30|31)\d{3}[0-9Xx]$)|(^[1-9]\d{5}\d{2}((0[1-9])|(10|11|12))(([0-2][1- 9])|10|20|30|31)\d{2}$)
Mailbox:
^[\w-.\u4e00-\u9fa5]+@[\w&&[^_]][\w-&&[^_]]+(\.[\w-&&[^_]]+[\w&& [^_]])+$
Address: ^ ([u4E00- u9FA5A-Za-z0-9_]+(and save | city | area | county | road | road | street | number)) { 2, } [ w\W]*$
Fixed-line telephone: (d { 3,4 } -) d { 7,8 } $
Correspondingly, corresponding above-described embodiment, corresponding desensitization rule-based algorithm are as follows:
Cell-phone number: value.replaceAll (" (d { 3 }) d { 4 } (d { 4 }) ", " $ 1**** $ 2 ")
Identification card number: value.replaceAll (" (?≤ w { 4 }) w (?=w { 3 }) ", " * ")
Mailbox:
value.replaceAll("(^[\\w-.\\u4e00-\\u9fa5]{1,2})[\\w-.\\u4e00-\\ u9fa5]+(@[\\w&&[^_]][\\w-&&[^_]]+(\\.[\\w-&&[^_]]+[\\w&&[^_]])+\$)","\$1****\ $2")
Address: value.replaceAll (" (^ ([and u4E00- u9FA5A-Za-z0-9_]+(save | city | area | County | road | road | street | number)) { 2, }) [ w W] * $ ", " $ 1**** ")
Fixed-line telephone: value.replaceAll (" (d { 3,4 }-d { 1 }) d { 4 } (d { 2 }) ", " $ 1****\$2")
After applicant derived from request for data selects desensitization to download on derivative module, the file of downloading will be automatically transmitted to Data processing platform (DPP), data processing platform (DPP) are regular according to the desensitization of definition: cell-phone number, mailbox, address, is consolidated identification card number Determine phone, desensitization rule carries out the matching of rule by regular expression, the data regular to hit desensitization in data sheet into Row desensitization.Data derived record and right list by the data Download History for recording all data users and corresponding permission, Follow-up auditing is carried out convenient for the circulation afterwards to downloading data.
Data desensitization method provided in an embodiment of the present invention obtains the first data according to inquiry request;According to candidate sensitive Data regular expression and the first data determine the second data;It is determined according to the corresponding sensitive data regular expression of the second data Desensitize regular expression;The second data, the third data to be desensitized are handled according to desensitization regular expression.Pass through the time of setting It selects sensitive data regular expression that can accurately filter out the second data, the second data is carried out using desensitization regular expression Desensitization can be realized and control desensitization degree according to use demand, realize that data desensitize automatically.Received inquiry request can be by it He issues system, and then improves system compatibility, and realization is docked with other systems, improves data desensitization ease for use.
Data desensitize under conditions of retaining data primitive character, carry out data by desensitization rule to certain sensitive informations Deformation, realize privacy-sensitive data reliably protecting.Under the conditions of not violating system convention, truthful data is transformed simultaneously It provides to survey and use, such as identification card number, cell-phone number, telephone number, mailbox personal information require to carry out data desensitization.Only award The administrator or user of power can just access the true value of data in the case where that must know by specific program and tool, from And reduce risk of significant data when shared, mobile.With the help of data desensitization system, unit enterprise can be according to data Using target, by defining accurate, flexible desensitization strategy, according to the Permission Levels of user, for different classes of data with Rapid, consistency the access limitation across tool, application program and environment is realized in different modes desensitization.
Fig. 3 is a kind of flow chart of data desensitization method provided in an embodiment of the present invention, as to above-described embodiment into One step explanation, this method specifically comprise the following steps:
Step 201 receives the authority application information that user is sent by data center.
Data center can be data magic square, oneself account and password login data magic square, user can be used in user After logging on to data magic square, authority application is initiated.Authority application information is sent data processing platform (DPP) by data magic square.Permission Shen Please information include user identifier and request Data Identification.
Step 202, according to authority application information to subscription authentication.
Data processing platform (DPP) judges whether user identifier has inquiry or downloading data mark after receiving application information The permission of corresponding data.If authenticated successfully, if thening follow the steps 203. failed authentications, feedback information is sent to user.
If step 203 authenticates the inquiry request for successfully receiving user's transmission.
As shown in figure 4, if authenticated successfully, authority application synchronizing information is sent to work order in a usage scenario System.WorkForm System runs on data extraction module.After WorkForm System receives authentication successful information, user can log on to work order System carries out data query.WorkForm System provides a variety of inquiry modes, can be according to role inquiry report, can also be according to keywords Inquire report.After query result is sent to data processing platform (DPP) by WorkForm System, data processing platform (DPP) carries out the data of inquiry Desensitization.Report under BI report query role or according to keyword query report.Meanwhile data processing platform (DPP) will be after desensitization Data are sent to WorkForm System, and WorkForm System is by the data feedback after desensitization to user.Further, data processing platform (DPP) can be with Data interaction, synchronous application information and subscription authentication result are carried out with WorkForm System.Further, data processing platform (DPP) can incite somebody to action Subscription authentication result is synchronized to data magic square, and data magic square opens the corresponding authority of user according to authenticating result.Alternatively, at data Platform obtains the authority information for authenticating under line, and the authority information is sent to data magic square, by data magic square side work It is authenticated under journey Shi Jinhang line.After authenticating under line, authenticating result is sent to data processing platform (DPP) by data magic square.
Step 204 obtains the first data according to inquiry request.
Step 205 determines the second data according to candidate sensitive data regular expression and the first data.
Step 206 determines desensitization regular expression according to the corresponding sensitive data regular expression of the second data.
Step 207 handles the second data, the third data to be desensitized according to desensitization regular expression.
User's default is data query, the download permission of no operation system, needs to submit number by authority application entrance According to report query, download permission application process, business platform meeting (i.e. data magic square) sending permission application information to security platform (i.e. data processing platform (DPP)), by security platform by synchronizing informations such as the permission type to be applied, report name, security levels To WorkForm System, examine on line, examines and open corresponding authority by operation system administrator after passing through for user.
The embodiment of the present invention provides more data desensitization methods and can authenticate to Client-initiated inquiry request, passes through The mode for opening permission under line is audited on line, machine processing and manual examination and verification can be combined, not only be improved response speed The accuracy of audit can also be improved.
Fig. 5 is a kind of flow chart of data desensitization method provided in an embodiment of the present invention, as to above-described embodiment into One step explanation, this method specifically comprise the following steps:
Step 301 receives the 4th data, and the 4th data are the report sample number of newly-built report sample data or update According to.
Before being desensitized, programmer can be sent newly-built report sample data or the report sample data of update To data processing system.In one implementation, user can define the level to report, at this point, user logs on to data evil spirit Report that is newly-built or updating is submitted to data magic square by Fang Hou.Data magic square is by newly-built report sample data or the report of update Table sample notebook data is sent to data processing platform (DPP), report sample of the data processing platform (DPP) to newly-built report sample data or update Data are defined the level.
Step 302, the security level that the 4th data are determined according to the content of the 4th data.
It is referred to the security level that 1 content of table determines the 4th data.
Step 303, the sensitive data regular expression and desensitization regular expressions of fourth data determining according to security level Formula.
Step 304 obtains the first data according to inquiry request.
Step 305 determines the second data according to candidate sensitive data regular expression and the first data.
Step 306 determines desensitization regular expression according to the corresponding sensitive data regular expression of the second data.
Step 307 handles the second data, the third data to be desensitized according to desensitization regular expression.
Optionally, sample data can be pushed to data processing when creating, updating certain report by data report system Platform, platform defines the level to this report according to sample data at data, and security level is adjusted back to data report system, from Dynamic that data sheet is defined the level, for the omission for preventing data sheet from defining the level, security platform can also carry out weekly sweeping for full report It retouches, finds non-gradation data, the rank of data sheet is updated and carries out security level mark.
Data desensitization method provided in an embodiment of the present invention, can be in newly-built or update report, by data sheet sample It is sent to data processing platform (DPP), and then establishes corresponding sensitive data regular expression for the second data in data sheet sample Determine desensitization regular expression.
Fig. 6 is a kind of flow chart of data desensitization method provided in an embodiment of the present invention, as to above-described embodiment into One step explanation, this method further includes following steps:
Step 401 obtains whole report datas according to default monitoring cycle.
During the realization of above-described embodiment, in fact it could happen that data form is failed to report.Periodically inspection is needed based on this Survey total data report.
Step 402, according to the security level of whole report datas and report data, determine and omit report data, omit Report data is the report data of not set security level.
Optionally, the renewal time of each data sheet is obtained, security level is corresponding to be preset if renewal time is greater than Renewal time, or discovery lack corresponding report, it is determined that fail to report report data, obtain the sample data of data sheet at this time.
Step 403 determines the security level for omitting report data according to omission report data.
According to the omission report data of acquisition, security level is set to report data is omitted.
Step 404, according to security level, determine the sensitive data regular expression for omitting report data and desensitization canonical table Up to formula.
Further, the accessible data magic square of user, periodically subscription report data.When the report for needing to download attribute When table data, data magic square sends data download information to data processing platform (DPP), and data processing platform (DPP) is according to the datagram of downloading The security level of table desensitizes, by the data feedback after desensitization to user.
Above-mentioned steps can execute prior to step 110, can also execute after step 110.
Data desensitization method provided in an embodiment of the present invention, can periodically detect whether report data has accordingly Security level guarantees data stability.In enterprises, the use of data is very frequent, especially the security management and control of sensitive data It is even more important.The embodiment of the present invention can be based on desensitization algorithm model by the desensitization in enterprise's sensitive data use process, Realize the desensitization of automation, supervision and audit to data in advance, in thing, subsequent.It realizes and enterprise's big data platform (such as data Magic square etc.) docking, user carries out desensitization process, and regular logarithm when carrying out business datum downloading, with regard to the data downloaded Sensitive data scanning is carried out in storehouse, is identified the data not identified, is realized the classified and graded management of data.Platform realizes the quick of desensitization Feeling data includes: cell-phone number, fixed-line telephone, certificate number, mailbox, address etc..And in use to desensitization data into Row monitor audit reduces the risk that data leak to guarantee the safety of data.
Fig. 7 is a kind of structural schematic diagram of data desensitization device provided in an embodiment of the present invention, which can be located at electricity In sub- equipment, electronic equipment includes personal computer, laptop, tablet computer, smart phone etc., which includes first Data acquisition module 51, the second data determining module 52, desensitization expression formula determining module 53 and desensitization module 54.
First data acquisition module 51, for obtaining the first data according to inquiry request;
Second data determining module 52, for according to candidate sensitive data regular expression and the first data acquisition module 51 The first data obtained determine the second data;
Desensitize expression formula determining module 53, for determining desensitization according to the corresponding sensitive data regular expression of the second data Regular expression;
Desensitize module 54, the second number of desensitization regular expression processing for being determined according to desensitization expression formula determining module 53 According to the third data to be desensitized.
Further, as shown in figure 8, further including authentication module 55, sample report form processing module 56, omitting report form processing mould Block 57, account security grade processing module 58 and expression formula determining module 59.
Authentication module 55 is used for: receiving the authority application information that user is sent by data center;
According to authority application information to subscription authentication;
If authenticating the inquiry request for successfully receiving user's transmission.
Further, sample report form processing module 56 is used for:
The 4th data are received, the 4th data are the report sample data of newly-built report sample data or update;
The security level of the 4th data is determined according to the content of the 4th data;
It is determined according to security level, the sensitive data regular expression and desensitization regular expression of the 4th data.
Further, report form processing module 57 is omitted to be used for:
Whole report datas are obtained according to default monitoring cycle;
It according to the security level of whole report datas and report data, determines and omits report data, omit report data For the report data of not set security level;
According to the security level for omitting the determining omission report data of report data;
According to security level, the sensitive data regular expression for omitting report data and desensitization regular expression are determined.
Further, the first data are data sheet;Correspondingly, the second data determining module 52 is used for: obtaining datagram List item data in table in each list item;
If the first sensitive data regular expression and the first list item Data Matching, the first list item data are determined as Two data, the first sensitive data regular expression are any one candidate sensitivity in candidate sensitive data regular expression set Data regular expression, the first list item data are any one list item data in data sheet.
Further, account security grade processing module 58 is used for:
The security level of the first list item data is determined according to the first sensitive data regular expression;
According to the security level for the list item data that data sheet includes, the security level of data sheet is determined.
Further, expression formula determining module 59 is used for:
Sensitive data regular expression is determined respectively according to the character feature of default list item, and presetting list item is cell-phone number, body Part card number, mailbox, address or fixed-line telephone;
Desensitization regular expression is determined according to byte quantity to be shielded and position.
Further, desensitization module 54 is used for:
According to the corresponding desensitization regular expression of the second data, byte quantity to be shielded and location information are determined;
According to byte quantity to be shielded and location information, respective symbols in the second data are replaced with into preset characters, are obtained Third data.
Data desensitization device provided in an embodiment of the present invention, the first data acquisition module 51 obtain first according to inquiry request Data;Second data determining module 52 obtained according to candidate sensitive data regular expression and the first data acquisition module 51 the One data determine the second data;The expression formula determining module 53 that desensitizes is true according to the corresponding sensitive data regular expression of the second data Surely desensitize regular expression;The desensitization regular expression processing that the module 54 that desensitizes is determined according to desensitization expression formula determining module 53 Two data, the third data to be desensitized.Can be accurately filtered out by the candidate sensitive data regular expression of setting Two data desensitize to the second data using desensitization regular expression, can be realized and control desensitization degree according to use demand, Realize that data desensitize automatically.Received inquiry request can be issued by other systems, so improve system compatibility, realize and its His system docking improves data and desensitizes ease for use.
Method provided by the executable aforementioned all embodiments of the present invention of above-mentioned apparatus, it is corresponding to have the execution above method Functional module and beneficial effect.The not technical detail of detailed description in the present embodiment, reference can be made to the aforementioned all implementations of the present invention Method provided by example.
Fig. 9 is the structural schematic diagram of a kind of electronic equipment provided in an embodiment of the present invention.Fig. 9, which is shown, to be suitable for being used to realizing The block diagram of the electronic equipment 312 of embodiment of the present invention.The electronic equipment 312 that Fig. 9 is shown is only an example, should not be to this The function and use scope of inventive embodiments bring any restrictions.Equipment 312 is typically the individual for carrying out data desensitization Computer, tablet computer, tablet computer or smart mobile phone.
As shown in figure 9, electronic equipment 312 is showed in the form of universal computing device.The component of electronic equipment 312 can wrap Include but be not limited to: one or more processor 316, storage device 328 connect different system components (including storage device 328 With processor 316) bus 318.
Bus 318 indicates one of a few class bus structures or a variety of, including memory bus or Memory Controller, Peripheral bus, graphics acceleration port, processor or the local bus using any bus structures in a variety of bus structures.It lifts For example, these architectures include but is not limited to industry standard architecture (Industry Standard Architecture, ISA) bus, microchannel architecture (Micro Channel Architecture, MCA) bus, enhancing Type isa bus, electronic multimedia Standard Association (Video Electronics Standards Association, VESA) office Domain bus and peripheral component interconnection (Peripheral Component Interconnect, PCI) bus.
Electronic equipment 312 typically comprises a variety of computer system readable media.These media can be it is any can be by The usable medium that electronic equipment 312 accesses, including volatile and non-volatile media, moveable and immovable medium.
Storage device 328 may include the computer system readable media of form of volatile memory, such as arbitrary access Memory (Random Access Memory, RAM) 330 and/or cache memory 332.Electronic equipment 312 can be into one Step includes other removable/nonremovable, volatile/non-volatile computer system storage mediums.Only as an example, it stores System 334 can be used for reading and writing immovable, non-volatile magnetic media (Fig. 9 do not show, commonly referred to as " hard disk drive "). Although being not shown in Fig. 9, the disc driver for reading and writing to removable non-volatile magnetic disk (such as " floppy disk ") can be provided, And to removable anonvolatile optical disk (such as CD-ROM (Compact Disc-Read Only Memory, CD-ROM), Digital video disk (Digital Video Disc-Read Only Memory, DVD-ROM) or other optical mediums) read-write light Disk drive.In these cases, each driver can pass through one or more data media interfaces and 318 phase of bus Even.Storage device 328 may include at least one program product, which has one group of (for example, at least one) program mould Block, these program modules are configured to perform the function of various embodiments of the present invention.
Program 336 with one group of (at least one) program module 326, can store in such as storage device 328, this The program module 326 of sample includes but is not limited to operating system, one or more application program, other program modules and program It may include the realization of network environment in data, each of these examples or certain combination.Program module 326 usually executes Function and/or method in embodiment described in the invention.
Electronic equipment 312 can also be (such as keyboard, sensing equipment, camera, aobvious with one or more external equipments 314 Show device 324 etc.) communication, the equipment interacted with the electronic equipment 312 can be also enabled a user to one or more to be communicated, and/ Or (such as network interface card is adjusted with any equipment for enabling the electronic equipment 312 to be communicated with one or more of the other calculating equipment Modulator-demodulator etc.) communication.This communication can be carried out by input/output (I/O) interface 322.Also, electronic equipment 312 Can also by network adapter 320 and one or more network (such as local area network (Local Area Network, LAN), Wide area network Wide Area Network, WAN) and/or public network, such as internet) communication.As shown, network adapter 320 are communicated by bus 318 with other modules of electronic equipment 312.It should be understood that although not shown in the drawings, can be in conjunction with electricity Sub- equipment 312 uses other hardware and/or software module, including but not limited to: microcode, device driver, redundancy processing are single Member, external disk drive array, disk array (Redundant Arrays of Independent Disks, RAID) system, Tape drive and data backup storage system etc..
The program that processor 316 is stored in storage device 328 by operation, thereby executing various function application and number According to processing, such as realize data desensitization method provided by the above embodiment of the present invention.
The embodiment of the invention also provides a kind of computer readable storage mediums, are stored thereon with computer program, the journey The data desensitization method as provided by the embodiment of the present invention is realized when sequence is executed by processor.
Certainly, a kind of computer readable storage medium provided by the embodiment of the present invention, the computer program stored thereon It is not limited to method operation as shown above, the phase in data desensitization method provided by any embodiment of the invention can also be performed Close operation.
The computer storage medium of the embodiment of the present invention, can be using any of one or more computer-readable media Combination.Computer-readable medium can be computer-readable signal media or computer readable storage medium.It is computer-readable Storage medium for example may be-but not limited to-the system of electricity, magnetic, optical, electromagnetic, infrared ray or semiconductor, device or Device, or any above combination.The more specific example (non exhaustive list) of computer readable storage medium includes: tool There are electrical connection, the portable computer diskette, hard disk, random access memory (RAM), read-only memory of one or more conducting wires (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD- ROM), light storage device, magnetic memory device or above-mentioned any appropriate combination.In this document, computer-readable storage Medium can be any tangible medium for including or store program, which can be commanded execution system, device or device Using or it is in connection.
Computer-readable signal media may include in a base band or as carrier wave a part propagate data-signal, Wherein carry computer-readable program code.The data-signal of this propagation can take various forms, including but unlimited In electromagnetic signal, optical signal or above-mentioned any appropriate combination.Computer-readable signal media can also be that computer can Any computer-readable medium other than storage medium is read, which can send, propagates or transmit and be used for By the use of instruction execution system, device or device or program in connection.
The program code for including on computer-readable medium can transmit with any suitable medium, including --- but it is unlimited In wireless, electric wire, optical cable, RF etc. or above-mentioned any appropriate combination.
The computer for executing operation of the present invention can be write with one or more programming languages or combinations thereof Program code, described program design language include object oriented program language-such as Java, Smalltalk, C++, It further include conventional procedural programming language-such as " C " language or similar programming language.Program code can be with It fully executes, partly execute on the user computer on the user computer, being executed as an independent software package, portion Divide and partially executes or executed on a remote computer or server completely on the remote computer on the user computer.? Be related in the situation of remote computer, remote computer can pass through the network of any kind --- including local area network (LAN) or Wide area network (WAN)-be connected to subscriber computer, or, it may be connected to outer computer (such as mentioned using Internet service It is connected for quotient by internet).
Note that the above is only a better embodiment of the present invention and the applied technical principle.It will be appreciated by those skilled in the art that The invention is not limited to the specific embodiments described herein, be able to carry out for a person skilled in the art it is various it is apparent variation, It readjusts and substitutes without departing from protection scope of the present invention.Therefore, although being carried out by above embodiments to the present invention It is described in further detail, but the present invention is not limited to the above embodiments only, without departing from the inventive concept, also It may include more other equivalent embodiments, and the scope of the invention is determined by the scope of the appended claims.

Claims (11)

1. a kind of data desensitization method characterized by comprising
The first data are obtained according to inquiry request;
The second data are determined according to candidate sensitive data regular expression and first data;
Desensitization regular expression is determined according to the corresponding sensitive data regular expression of second data;
Second data, the third data to be desensitized are handled according to the desensitization regular expression.
2. data desensitization method according to claim 1, which is characterized in that according to inquiry request obtain the first data it Before, comprising:
Receive the authority application information that user is sent by data center;
According to the authority application information to the subscription authentication;
If authenticating and successfully receiving the inquiry request that the user sends.
3. data desensitization method according to claim 1, which is characterized in that according to inquiry request obtain the first data it Before, comprising:
The 4th data are received, the 4th data are the report sample data of newly-built report sample data or update;
The security level of the 4th data is determined according to the content of the 4th data;
It is determined according to the security level, the sensitive data regular expression and desensitization regular expression of the 4th data.
4. data desensitization method according to claim 3, which is characterized in that further include:
Whole report datas are obtained according to default monitoring cycle;
According to the security level of whole report datas and report data, determines and omit report data, the omission report Data are the report data of not set security level;
The security level for omitting report data is determined according to the omission report data;
According to the security level, the sensitive data regular expression for omitting report data and desensitization regular expressions are determined Formula.
5. data desensitization method according to claim 1, which is characterized in that first data are data sheet;Accordingly , it is described that second data are determined according to candidate sensitive data regular expression and first data, comprising:
Obtain the list item data in data sheet in each list item;
If the first sensitive data regular expression and the first list item Data Matching, the first list item data are determined as Two data, the first sensitive data regular expression are any one candidate in candidate sensitive data regular expression set Sensitive data regular expression, the first list item data are any one list item data in the data sheet.
6. data desensitization method according to claim 5, which is characterized in that if in the first sensitive data regular expression With the first list item Data Matching, then the first list item data are determined as after the second data, further includes:
The security level of the first list item data is determined according to the first sensitive data regular expression;
According to the security level for the list item data that the data sheet includes, the security level of the data sheet is determined.
7. data desensitization method according to claim 1, which is characterized in that according to inquiry request obtain the first data it Before, further includes:
Determine that sensitive data regular expression, the default list item are cell-phone number, body respectively according to the character feature of default list item Part card number, mailbox, address or fixed-line telephone;
Desensitization regular expression is determined according to byte quantity to be shielded and position.
8. data desensitization method described in any one of -7 according to claim 1, which is characterized in that described to be desensitized just according to described Then the second data described in expression processing, the third data to be desensitized, comprising:
According to the corresponding desensitization regular expression of second data, byte quantity to be shielded and location information are determined;
According to the byte quantity to be shielded and location information, respective symbols in the second data are replaced with into preset characters, are obtained Third data.
The device 9. a kind of data desensitize characterized by comprising
First data acquisition module, for obtaining the first data according to inquiry request;
Second data determining module, for being obtained according to candidate sensitive data regular expression and first data acquisition module First data determine the second data;
Desensitize expression formula determining module, for determining desensitization just according to the corresponding sensitive data regular expression of second data Then expression formula;
Desensitize module, the desensitization regular expression processing described for being determined according to the desensitization expression formula determining module Two data, the third data to be desensitized.
10. a kind of electronic equipment including memory, processor and stores the meter that can be run on a memory and on a processor Calculation machine program, which is characterized in that the processor realizes such as data described in any one of claims 1-8 when executing described program Desensitization method.
11. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is by processor Such as data desensitization method described in any one of claims 1-8 is realized when execution.
CN201910375356.6A 2019-05-07 2019-05-07 Data desensitization method, device, electronic equipment and storage medium Withdrawn CN110084053A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910375356.6A CN110084053A (en) 2019-05-07 2019-05-07 Data desensitization method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910375356.6A CN110084053A (en) 2019-05-07 2019-05-07 Data desensitization method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110084053A true CN110084053A (en) 2019-08-02

Family

ID=67419024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910375356.6A Withdrawn CN110084053A (en) 2019-05-07 2019-05-07 Data desensitization method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110084053A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110851864A (en) * 2019-11-08 2020-02-28 国网浙江省电力有限公司信息通信分公司 Sensitive data automatic identification and processing method and system
CN110889134A (en) * 2019-11-11 2020-03-17 北京中电飞华通信股份有限公司 Data desensitization method and device and electronic equipment
CN111008377A (en) * 2019-10-12 2020-04-14 中国平安财产保险股份有限公司 Account monitoring method and device, computer equipment and storage medium
CN112100664A (en) * 2020-09-21 2020-12-18 国网辽宁省电力有限公司电力科学研究院 Power user information static data desensitization method based on regular expression verification
WO2021051612A1 (en) * 2019-09-19 2021-03-25 平安科技(深圳)有限公司 Automatic data authorization desensitization method, system, device, and storage medium
CN112613069A (en) * 2020-12-23 2021-04-06 国家电网有限公司大数据中心 Automatic desensitization method based on negative list data resources
CN112667657A (en) * 2020-12-24 2021-04-16 国泰君安证券股份有限公司 System, method and device for realizing data desensitization based on computer software, processor and storage medium thereof
CN113127929A (en) * 2021-04-30 2021-07-16 平安普惠企业管理有限公司 Data desensitization method, desensitization rule processing method, device, equipment and storage medium

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021051612A1 (en) * 2019-09-19 2021-03-25 平安科技(深圳)有限公司 Automatic data authorization desensitization method, system, device, and storage medium
CN111008377A (en) * 2019-10-12 2020-04-14 中国平安财产保险股份有限公司 Account monitoring method and device, computer equipment and storage medium
CN110851864A (en) * 2019-11-08 2020-02-28 国网浙江省电力有限公司信息通信分公司 Sensitive data automatic identification and processing method and system
CN110889134A (en) * 2019-11-11 2020-03-17 北京中电飞华通信股份有限公司 Data desensitization method and device and electronic equipment
CN110889134B (en) * 2019-11-11 2024-01-23 北京中电飞华通信股份有限公司 Data desensitizing method and device and electronic equipment
CN112100664A (en) * 2020-09-21 2020-12-18 国网辽宁省电力有限公司电力科学研究院 Power user information static data desensitization method based on regular expression verification
CN112613069A (en) * 2020-12-23 2021-04-06 国家电网有限公司大数据中心 Automatic desensitization method based on negative list data resources
CN112667657A (en) * 2020-12-24 2021-04-16 国泰君安证券股份有限公司 System, method and device for realizing data desensitization based on computer software, processor and storage medium thereof
CN113127929A (en) * 2021-04-30 2021-07-16 平安普惠企业管理有限公司 Data desensitization method, desensitization rule processing method, device, equipment and storage medium
CN113127929B (en) * 2021-04-30 2024-03-01 天翼安全科技有限公司 Data desensitizing method, desensitizing rule processing method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN110084053A (en) Data desensitization method, device, electronic equipment and storage medium
EP3788533B1 (en) Protecting personally identifiable information (pii) using tagging and persistence of pii
US11729198B2 (en) Mapping a vulnerability to a stage of an attack chain taxonomy
US20180285879A1 (en) Blockchain-based identity and transaction platform
US7509497B2 (en) System and method for providing security to an application
US11038862B1 (en) Systems and methods for enhanced security based on user vulnerability
US11165793B2 (en) Method and system for detecting credential stealing attacks
US11256825B2 (en) Systems and methods for securing data in electronic communications
WO2020182005A1 (en) Method for information processing in digital asset certificate inheritance transfer, and related device
WO2016138612A1 (en) Proxy service for uploading data from a source to a destination
US11720718B2 (en) Security certificate identity analysis
US10474836B1 (en) Systems and methods for a generated fraud sandbox
US10445514B1 (en) Request processing in a compromised account
CN114021184A (en) Data management method and device, electronic equipment and storage medium
US20200233907A1 (en) Location-based file recommendations for managed devices
US11824850B2 (en) Systems and methods for securing login access
JP2022027416A (en) Data protection query interface
US9430625B1 (en) Method and system for voice match based data access authorization
US20200210565A1 (en) System and method of changing the password of an account record under a threat of unlawful access to user data
US11748515B2 (en) System and method for secure linking of anonymized data
CN114915453A (en) Access response method and device
CN114626084A (en) Secure smart container for controlling access to data
US11418500B2 (en) User authentication based on cognitive profiling
CN113037743A (en) Encryption method and system for cloud server file
CN114598509B (en) Method and device for determining vulnerability result

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20190802