CN111083135A - Method for processing data by gateway and security gateway - Google Patents


Info

Publication number: CN111083135A
Authority: CN (China)
Prior art keywords: information, data, desensitization, operation data, data request
Legal status: Pending
Application number: CN201911272313.1A
Other languages: Chinese (zh)
Inventors: 陈友, 王浩, 黄林峰, 邓双林, 廖磊
Current Assignee: Shenzhen Tydic Information Technology Co ltd
Original Assignee: Shenzhen Tydic Information Technology Co ltd
Application filed by: Shenzhen Tydic Information Technology Co ltd
Priority to: CN201911272313.1A
Publication of: CN111083135A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

A method for processing data by a gateway comprises the following steps: when a network data packet is obtained, extracting an operation data request; determining the related authority of the operation data request according to the operation data request; setting a desensitization strategy for the operation data according to the related authority of the operation data request; and desensitizing the network data and exporting desensitization information according to the desensitization strategy of the operation data. Because the operation data request is extracted when the network data packet is acquired, the operation information is obtained more accurately. The information established for the operation is no longer a single piece of identity information but composite, fine-grained information. Compared with the prior art, a desensitization strategy built on this fine-grained information is better targeted and offers better confidentiality, and desensitization performed under that strategy can limit how far the related information spreads.

Description

Method for processing data by gateway and security gateway
Technical Field
The present invention relates to the field of communication control technologies, and in particular, to a method for processing data by a gateway and a security gateway.
Background
With the growing demand for big data applications in telecommunications and government, data opening is underway: data providers hold data and open it up, aggregating industry big data to provide data services on a unified data platform. Meanwhile, data leakage incidents occur frequently at home and abroad, and large amounts of confidential information have been leaked. Data security has therefore become a key technical point of a data open platform. Research related to data opening, at home and abroad, falls into two types. The first is trusted computing based on homomorphic encryption, but this technology is still at an experimental stage: whether a ciphertext operation result equals the plaintext operation result has not been verified at scale, and its performance has not been verified. The second is the coarse-grained identity authentication mechanism of the database, but the database account used by an application system has broad authority, the application system uses a single account to connect to the real database, and there is no data control strategy at the granularity of the service system.
Disclosure of Invention
The technical problem to be solved by the invention is how to desensitize data at a fine granularity so as to reduce the impact of leakage.
To solve this technical problem, the invention adopts the following technical scheme: a method for processing data by a gateway, comprising the following steps:
when a network data packet is obtained, extracting an operation data request;
determining the related authority of the operation data request according to the operation data request;
setting a desensitization strategy of the operation data according to the related authority of the operation data request;
and desensitizing the network data and exporting desensitization information according to the desensitization strategy of the operation data.
Further, determining the authority of the operation data request includes the following steps:
confirming that there is operation authority for the first-layer information targeted by the operation data request;
confirming that there is operation authority for a specific part of the second-layer information within the first-layer information targeted by the operation data request;
and confirming that the sender of the operation data request has the operation authority.
Further, the setting of the desensitization strategy of the operation data comprises the following steps:
acquiring a sensitive field;
acquiring identity information of an issuer of the operation data request and environment information of the issuer of the operation data request;
and setting a desensitization strategy of the operation data according to the sensitive field, the identity information of the issuer of the operation data request and the environment information of the issuer of the operation data request.
Further, exporting desensitization information includes the following steps:
confirming that the data to be exported is sensitive data;
carrying out privilege approval on the sensitive data to acquire permission for exporting the data;
exporting desensitization information based on the permission to export the data.
Further, after exporting desensitization information, the method comprises the following steps:
setting a password for the output master file of the desensitization information for the operation data request;
and adding the relevant operation information of the operation data request to the desensitization information to obtain the output master file.
Further, after adding the relevant operation information of the operation data request to the desensitization information, when the output master file needs to be copied, the method further includes the following steps:
retransmitting the password of the output master file of the desensitization information for the operation data request;
retransmitting the relevant operation information of the operation data request of the master file;
and obtaining a sub-file according to the password of the output master file of the desensitization information for the operation data request and the relevant operation information of the operation data request, and adding the relevant operation information of the data operation requester when the output master file needs to be copied.
Further, when it is confirmed that the first layer information for which the operation data request is directed has no operation right, the method further includes the steps of:
outputting a specific value;
and recording the relevant operation information of the operation data request.
Further, when it is confirmed that the operation data request has no operation right for a specific part of the second layer information in the first layer information, the method further comprises the following steps:
outputting the part of the second-layer information within the first-layer information for which authority exists.
In the above technical solution, the desensitization processing includes the following steps:
acquiring and analyzing a data packet;
outputting a desensitization syntax tree according to the data packet;
processing the operation data according to the desensitization syntax tree to obtain a return data column;
and confirming that the returned data is sensitive data, and starting an outgoing mechanism of the data leakage protection system.
The application also provides a security gateway, which comprises a transceiver module, a big data agent module and a data export encryption module;
the transceiver module is used for receiving and sending the operation data request;
the big data agent module is used for acquiring the authority of the operation data request according to the operation data request;
the big data agent module is also used for setting a desensitization strategy for the operation data according to the authority of the operation data request;
and the data export encryption module is used for carrying out desensitization processing and exporting desensitization information according to the desensitization strategy of the operation data.
Because the operation data request is extracted when the network data packet is acquired, the operation information is obtained more accurately. The information established for the operation is no longer a single piece of identity information but composite, fine-grained information. Compared with the prior art, a desensitization strategy built on this fine-grained information is better targeted and offers better confidentiality, and desensitization performed under that strategy can limit how far the related information spreads.
Drawings
The detailed structure of the invention is described below with reference to the accompanying drawings.
Fig. 1 is a basic flowchart of a method for processing data by a gateway according to a first embodiment of the present invention;
Fig. 2 is an authentication flowchart of a method for processing data by a gateway according to a second embodiment of the present invention;
Fig. 3 is a flowchart of desensitization policy making in a method for processing data by a gateway according to a third embodiment of the present invention;
Fig. 4 is a flowchart of exporting sensitive data in a method for processing data by a gateway according to a fourth embodiment of the present invention;
Fig. 5 is a flowchart of desensitization processing in a method for processing data by a gateway according to a fifth embodiment of the present invention;
Fig. 6 is a structural view of a security gateway according to a sixth embodiment of the present invention.
Detailed Description
In order to explain technical contents, structural features, and objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
Referring to fig. 1, fig. 1 is a basic flowchart of a method for processing data by a gateway according to a first embodiment of the present invention.
A method for processing data by a gateway comprises the following steps:
Step S1000, extracting an operation data request when a network data packet is obtained;
Step S2000, determining the related authority of the operation data request according to the operation data request;
Step S3000, setting a desensitization strategy for the operation data according to the related authority of the operation data request;
Step S4000, desensitizing the network data and exporting desensitization information according to the desensitization strategy of the operation data.
Because the operation data request is extracted when the network data packet is acquired, the operation information is obtained more accurately. The information established for the operation is no longer a single piece of identity information but composite, fine-grained information. Compared with the prior art, a desensitization strategy built on this fine-grained information is better targeted and offers better confidentiality, and desensitization performed under that strategy can limit how far the related information spreads.
The invention is mainly applied to a business system, where it sets a suitable gradient of secret information to keep the information as a whole confidential. The gateway security technology overcomes the excessively coarse granularity of data opening caused by traditional database account permissions, can control opened data at the finer granularity of the service level, and can ensure that, within a service scenario, a user is exposed to only a small portion of the service system's data, thereby reducing the impact of leakage. The invention combines machine learning, data encryption, sensitivity identification and desensitization methods with the service scenarios of a service system. It identifies and desensitizes, in real time, the sensitive information that users of the open platform touch while using data, and performs personalized desensitization and display according to the usage scenario of a specific job number in the service system. For scenarios that need to use sensitive data, the sensitive data to be downloaded is encrypted through the data gateway, so that its diffusion is kept within a limited range.
In the specific implementation process of the present technical solution, before step S1000, the method further includes the following steps:
Step S0100, the client connects to the gateway.
Specifically, step S0100 includes the following steps:
Step S0110, the data open platform allocates account authority;
Step S0120, the gateway connects to the data open platform.
Specifically, in step S0110 the open platform assigns the data information and desensitization related information that can be viewed under the account. The data information comprises information such as databases, tables and fields; the desensitization related information comprises the tables and fields that are viewed in desensitized form. The database information may be information transmitted by an external network and received in real time, or related information of an internal network; it can be information transmitted or operated by a common user group, by a high-level user group, or by an administrator. The desensitization related information may be dynamic information or static information.
Step S0120, the gateway connects to the data open platform. In this step, the gateway platform uses a big data component agent to connect to the real database environment under the open platform, and adapts to the processing of the network communication packet protocols used in that environment. The big data component agent supports packet protocol forwarding for databases such as hbase, hive, mysql and oracle. The process is as follows:
Step S0121, abstracting the hive, mysql, oracle and hbase protocol layers, and forwarding application-layer communication protocol data packets through a unified security gateway and a TCP server.
Step S0122, handling sticky packets and split packets of the protocol data (packets coalesced or fragmented in the TCP stream) through a custom netty handler.
Step S0123, abstracting a basic parsing-class API for the packet protocol, covering user authentication, SQL statement extraction, returned-data extraction and protocol response.
Step S0124, extracting the user authentication data to obtain the connecting user name, IP address and port, database type, and tenant identification.
Step S0125, reassembling the protocol data packet and forwarding the protocol data through the TCP client.
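Steps S0122 and S0123 for the mysql case, as an added Python example that is not code from the patent (which names a custom netty handler): a decoder that reassembles MySQL packets (3-byte little-endian payload length plus 1-byte sequence id) from sticky or split TCP reads and extracts the SQL text of COM_QUERY packets. The class and function names, the 1 MiB frame cap and the sample stream are assumptions of this example, and the classic COM_QUERY layout without query attributes is assumed.

```python
COM_QUERY = 0x03   # MySQL command byte for a text query
HEADER_LEN = 4     # 3-byte little-endian payload length + 1-byte sequence id


class FrameDecoder:
    """Turns arbitrary TCP chunks into complete (sequence_id, payload) frames."""

    def __init__(self, max_frame=1 << 20):
        # max_frame is a hypothetical per-connection cap. It also rejects the
        # 0xFFFFFF "payload continues in the next packet" case, not handled here.
        self._buf = bytearray()
        self._max_frame = max_frame

    def feed(self, chunk):
        self._buf += chunk
        frames = []
        while len(self._buf) >= HEADER_LEN:
            length = int.from_bytes(self._buf[:3], "little")
            if length > self._max_frame:
                raise ValueError(f"declared payload of {length} bytes exceeds cap")
            end = HEADER_LEN + length
            if len(self._buf) < end:
                break                  # split packet: wait for the remaining bytes
            frames.append((self._buf[3], bytes(self._buf[HEADER_LEN:end])))
            del self._buf[:end]        # sticky packets: loop again on what is left
        return frames

    def pending(self):
        """Number of buffered bytes that do not yet form a complete frame."""
        return len(self._buf)


def extract_sql(payload):
    """Return the SQL text of a COM_QUERY payload, or None for other commands."""
    if payload[:1] == bytes([COM_QUERY]):
        return payload[1:].decode("utf-8", errors="replace")
    return None


def build_packet(seq, payload):
    """Helper that frames a payload the way a MySQL client would."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def sql_from_chunks(chunks, max_frame=1 << 20):
    """Feed TCP reads in order; return (SQL statements seen, bytes still pending)."""
    decoder = FrameDecoder(max_frame)
    statements = []
    for chunk in chunks:
        for _seq, payload in decoder.feed(chunk):
            sql = extract_sql(payload)
            if sql is not None:
                statements.append(sql)
    return statements, decoder.pending()


# Constructed sample stream: a query, a COM_PING (0x0e) and a second query.
SAMPLE_STREAM = (
    build_packet(0, b"\x03SELECT name FROM customer")
    + build_packet(0, b"\x0e")
    + build_packet(0, b"\x03SELECT 1")
)

if __name__ == "__main__":
    three_byte_reads = [SAMPLE_STREAM[i:i + 3] for i in range(0, len(SAMPLE_STREAM), 3)]
    print(sql_from_chunks([SAMPLE_STREAM]))   # everything in one read
    print(sql_from_chunks(three_byte_reads))  # the same bytes in 3-byte reads
```
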
Referring to Fig. 2, Fig. 2 is an authentication flowchart of a method for processing data by a gateway according to a second embodiment of the present invention.
Step S2000, determining the related authority of the operation data request according to the operation data request, includes the following steps:
Step S2100, confirming that there is operation authority for the first-layer information targeted by the operation data request;
Step S2200, confirming that there is operation authority for a specific part of the second-layer information within the first-layer information targeted by the operation data request;
Step S2300, confirming that the sender of the operation data request has the operation authority.
In the above technical solution, the operation authority of the first layer of information generally refers to the authority of a table in the database, the operation authority of the second layer of information generally refers to the related authority of an operation field under the table in the database, and the authority that the issuer of the operation data request has is generally the authority of an operator identity in the service system.
It should be noted that the operation authority of the first-layer information and of the second-layer information may also be operation authority in other data systems. For example, in a cloud data system, the operation authority of the first-layer information may be the authority over the database, in which case the operation authority of the second-layer information may represent the authority over a table in the database. In this case, the operation authority of the second-layer information corresponds to the operation authority of the first-layer information described above.
It can be understood that the first-layer information and the second-layer information in this application are relative terms for two information layers under a specific condition. When a third, fourth, fifth or even Nth information layer (N being any positive integer greater than five) is arranged between two information layers, then, mathematically speaking, the first information layer and the second information layer still describe two adjacent information layers.
Based on this, when the operation authority of the first-layer information is the authority over a set of several databases, and the operation authority of the second-layer information represents the authority over a table in the database, the operation authority of the third-layer information may be set to correspond to the authority over field-level data under the operation authority of the second-layer information. On the same principle, when the field-level information carries more detailed data rights, a fourth information layer, a fifth information layer or even an Nth information layer (N being any positive integer greater than five) may be provided.
By designing a plurality of information layers, information can be better classified. The more information layers there are, the finer the granularity of the information, the more targeted the desensitization, and the better the gateway security.
In this embodiment, in the above technical solution, the operation authority of the operation request issuer generally refers to an operation authority owned by a specific job number in the service system. The operation authority corresponds to one or more of the authority of an operation database, a data table and a field. Based on the same principle, the operation of the operation request sender in other operating systems can also be performed based on the corresponding specific job number.
Referring to fig. 3, fig. 3 is a flowchart of a method for processing data by a gateway according to a third embodiment of the present invention to make a desensitization policy.
Further, step S3000, setting a desensitization strategy for the operation data according to the related authority of the operation data request, includes the following steps:
step S3100, acquiring a sensitive field;
step S3200, acquiring identity information of an issuer of the operation data request and environment information of the issuer of the operation data request;
Step S3300, setting a desensitization strategy for the operation data according to the sensitive field, the identity information of the issuer of the operation data request and the environment information of the issuer of the operation data request.
Specifically, in step S3100, a sensitive field is acquired.
The sensitive fields specifically include personal sensitive information and collective sensitive information. Personal sensitive information refers to personal information that, once leaked, illegally provided or abused, may endanger personal or property safety, or is highly likely to damage personal reputation or physical and mental health, or to lead to discriminatory treatment, etc. The collective sensitive information comprises decision information of enterprises, collective account information, personal sensitive information of members and the like.
In step S3200, the identity information of the issuer of the operation data request and the environment information of the issuer of the operation data request are obtained. In practical applications, the identity information of the issuer is generally represented as job number information, and the environment information of the issuer is digitized information about the scenario in which the behavior takes place.
In step S3300, a desensitization strategy for the operation data is set according to the sensitive field, the identity information of the issuer of the operation data request and the environment information of the issuer of the operation data request.
Specifically, taking telecommunication order acceptance as an example, there are two service scenarios: customer query and customer acceptance.
Under the customer query function, after a salesperson logs in to the business system with a job number, customers are fuzzy-searched by customer name and several customer records are found. By default, the details of the customer profile are desensitized.
Under the customer acceptance function, the service person needs to verify some of the customer's sensitive data so as to check that the information is consistent, and the service system decrypts and displays the sensitive data items through the gateway. The platform records the corresponding decryption operation, and the decrypted data is protected by a background watermark.
It is understood that the system can be applied not only to business scenarios, but also to scenarios involving hierarchical sensitive information.
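The two telecom scenarios above, as an added Python example (not code from the patent) of steps S3100 to S3300: the policy is chosen from the sensitive-field list, the job number and the scenario, sensitive fields are masked by default, and a clear-text reveal in the acceptance scenario is recorded. Field names, job numbers, the grant table and the masking format are assumptions of this example.

```python
from dataclasses import dataclass

# S3100: sensitive fields and how many leading/trailing characters stay visible.
# Field names and keep-lengths are constructed for this example.
SENSITIVE_FIELDS = {"phone": (3, 4), "id_number": (3, 4), "address": (2, 0)}

# Which job number may see which sensitive fields in clear, per scenario (constructed).
REVEAL_GRANTS = {("A1001", "customer_acceptance"): {"phone", "id_number"}}


@dataclass(frozen=True)
class RequestContext:
    """S3200: identity and environment of the issuer of the operation data request."""
    job_number: str
    scenario: str      # "customer_query" or "customer_acceptance"
    source_ip: str


def mask_middle(value, head, tail):
    """Keep `head` leading and `tail` trailing characters, star out the rest."""
    text = str(value)
    if len(text) <= head + tail:
        return "*" * len(text)          # too short to keep anything visible
    suffix = text[-tail:] if tail else ""
    return text[:head] + "*" * (len(text) - head - tail) + suffix


def build_policy(ctx):
    """S3300: map every sensitive field to 'clear' or 'mask' for this request.

    Unknown job numbers and unknown scenarios get no grant, so everything is masked.
    """
    revealed = REVEAL_GRANTS.get((ctx.job_number, ctx.scenario), set())
    return {name: ("clear" if name in revealed else "mask") for name in SENSITIVE_FIELDS}


def desensitize(rows, ctx, audit_log):
    """Apply the policy to result rows and record any clear-text reveal."""
    policy = build_policy(ctx)
    result = []
    for row in rows:
        out = {}
        for name, value in row.items():
            if policy.get(name) == "mask":
                out[name] = mask_middle(value, *SENSITIVE_FIELDS[name])
            else:
                out[name] = value       # non-sensitive, or revealed under a grant
        result.append(out)
    shown = sorted(name for name, action in policy.items() if action == "clear")
    if shown and rows:
        audit_log.append({
            "job_number": ctx.job_number,
            "scenario": ctx.scenario,
            "source_ip": ctx.source_ip,
            "revealed": shown,
            "rows": len(rows),
        })
    return result


# Constructed sample record.
SAMPLE_ROWS = [{
    "name": "Zhang San",
    "phone": "13800138000",
    "id_number": "440301199001011234",
    "address": "Nanshan District",
}]

if __name__ == "__main__":
    log = []
    print(desensitize(SAMPLE_ROWS, RequestContext("A1001", "customer_query", "10.0.0.5"), log))
    print(desensitize(SAMPLE_ROWS, RequestContext("A1001", "customer_acceptance", "10.0.0.5"), log))
    print(log)
```
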
Referring to Fig. 4, Fig. 4 is a flowchart of exporting sensitive data in a method for processing data by a gateway according to a fourth embodiment of the present invention.
In step S4000, exporting desensitization information includes the following steps:
Step S4100, confirming that the data to be exported is sensitive data.
Step S4200, performing privilege approval on the sensitive data and obtaining permission to export desensitization information.
Step S4300, exporting desensitization information according to the permission to export desensitization information.
Specifically, in step S4100, confirming that the data to be exported is sensitive data includes the following steps:
Step S4110, comparing the data to be exported with the sensitive fields;
Step S4120, when the data to be exported contains a sensitive field, determining that the data to be exported is sensitive data.
Specifically, Huawei ModelArts can be applied to perform comparison training on the exported data and the sensitive fields, so as to confirm that the data to be exported is sensitive data.
Step S4200, performing privilege approval on the sensitive data and obtaining permission to export desensitization information.
Specifically, privilege approval can take various forms: approval of the sensitive data by a specific group, establishment of a data model by artificial intelligence, processing with a large operation cost, approval by another specific method, or a combination of these.
It is to be understood that any two of the above privilege approval methods may be combined with each other, or several of them may be combined. When several methods are combined, the combination can adopt a tree structure, a pipeline structure or a distributed structure, and priorities can be set among the approval methods.
The flow of a pipeline structure can be: manual approval -> artificial intelligence approval;
the flow of a pipeline structure can also be: manual approval by a first person -> artificial intelligence approval -> manual approval by a second person;
the flow of a pipeline structure can also be: approval by the first specific approval method -> artificial intelligence approval -> manual approval by the first person.
The flow of a tree structure may be: after artificial intelligence approval, the request is routed, according to its degree of sensitivity, to manual approval or to approval by the first specific approval method.
Step S4300, exporting desensitization information according to the permission to export desensitization information.
Further, after exporting desensitization information, the method comprises the following steps:
Step S4400, setting the password of the output master file of the desensitization information for the operation data request;
Step S4500, adding the relevant operation information of the operation data request to the desensitization information to obtain the output master file.
Specifically, in step S4400, the password of the output master file of the desensitization information for the operation data request is set. The password of the output master file is a specific user-level password that can only open the master file.
In step S4500, the relevant operation information of the operation data request is added to the desensitization information to obtain the output master file. The relevant operation information of the operation data request comprises the identity information of the user, the time information of the operation, the behavior information of the operation and the like. This information helps establish the specific identity and specific behavior of the user as fine-grained information, so that after a data leak the source of the leak can be traced more effectively. The added information may be added to the master file as a watermark or by another method. The identity information can be job number information or fingerprint information, or both can be used to confirm identity.
Further, after adding the relevant operation information of the operation data request to the desensitization information, when the output master file needs to be copied, the method further comprises the following steps:
Step S4600, retransmitting the password of the master file of the desensitization information for the operation data request;
Step S4700, retransmitting the relevant operation information of the operation data request of the master file;
Step S4800, obtaining the sub-file according to the password of the operation data request of the desensitization information and the relevant operation information of the operation data request, and adding the relevant operation information of the data operation requester who needs to copy the output master file.
Specifically, through steps S4600 and S4700, the identity information and the operation information of the operator of the master file are obtained. The sharer of the master file is therefore also held responsible when the sub-file becomes a source of information disclosure.
In step S4800, the sub-file is obtained according to the password of the operation data request of the desensitization information and the relevant operation information of the operation data request, and the relevant operation information of the data operation requester who needs to copy the output master file is added.
File sharing is generally done using Excel sharing technology, which better guarantees the protection effect and avoids leakage of confidential information.
Further, when it is confirmed that there is no operation right for the first layer information targeted by the operation data request, the method further includes the steps of:
step S2110, outputting a specific value;
and step S2120, recording the relevant operation information of the operation data request.
In step S2110, a specific value is output. The specific value may be a character string, or an integer or floating-point value. Outputting a specific character string tells the sender of the operation data request that the first layer information it targets is not available to the operator, which avoids wasting the operator's time. Outputting an integer or floating-point value helps to confuse an illegal intruder and, together with step S2120, allows the operation information related to the operation data request to be better recorded.
In step S2120, the relevant operation information of the operation data request is recorded.
In this way, operation information is recorded, and when the other party attacks maliciously, its identity information can be recorded, which benefits the security of the whole system.
Further, when it is confirmed that the operation data request has no operation right for a specific portion of the second layer information within the first layer information, the method further comprises the step of:
step S2210, outputting the portion of the second layer information in the first layer information for which the authority exists.
Referring to fig. 5, fig. 5 is a flowchart of the desensitization processing of a method for processing data by a gateway according to a fifth embodiment of the present invention. The desensitization processing described above comprises the steps of:
step S4010, obtaining and parsing a data packet;
step S4020, outputting a desensitization syntax tree according to the data packet;
step S4030, processing the operation data according to the desensitization syntax tree to obtain a returned data column;
and step S4040, when the returned data column is confirmed to be sensitive data, starting the outgoing mechanism of the data leakage protection system.
Specifically, in step S4010, the data packet is obtained and parsed. In this embodiment, the user executes an SQL statement and accesses the gateway platform through the TCP communication layer.
In step S4020, the desensitization syntax tree is output according to the data packet. The platform parses the data packet and extracts the SQL statement part. This includes the common parts of an SQL statement, such as the tables and fields that the select operates on, the relationship keys, and the where conditions.
In step S4030, the operation data is processed according to the desensitization syntax tree to obtain the returned data column.
Based on the tables involved in the SQL statement and the fields it retrieves, the gateway judges whether the user's authority covers operating on those tables and fields, and obtains the returned data column.
In step S4040, if the returned data column is determined to be sensitive data, the outgoing mechanism of the data leakage protection system is started. The outgoing mechanism of the data leakage protection system is a third-party DLP network leakage protection system.
It is understood that in step S4030 the operation data is processed according to the desensitization syntax tree and the returned data column is obtained. If the returned data column is non-sensitive data, the plaintext is returned.
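An added sketch (not code from the patent) of the flow in steps S4010 to S4040 together with the refusal and partial-authority branches S2110, S2120 and S2210. The grant table, the sensitive-field set, the masking rule, the regex parser standing in for the desensitization syntax tree, and all names are assumptions; masking here stands in for handing a sensitive column to the DLP outgoing mechanism.

```python
import re

# Constructed policy: user -> table (first layer) -> readable columns (second layer).
GRANTS = {"alice": {"customers": {"id", "name", "phone"}}}
SENSITIVE = {("customers", "phone"), ("customers", "id_card")}  # constructed
DENY_VALUE = "NO_PERMISSION"  # the "specific value" of step S2110, string variant
AUDIT_LOG = []                # step S2120: one record per refused request
# Constructed rows standing in for what the backend returned for the query.
SAMPLE_ROWS = [{"id": 7, "name": "Li Lei", "phone": "13812345678", "id_card": "X"}]

SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>[\w\s,]+?)\s+from\s+(?P<table>\w+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*;?\s*$", re.I | re.S)

def parse_select(sql):
    """S4010/S4020: reduce a single-table SELECT to table, columns and where."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement")  # fail closed, e.g. on SELECT *
    cols = [c.strip().lower() for c in m.group("cols").split(",")]
    if not all(cols):
        raise ValueError("empty column name")
    return {"table": m.group("table").lower(), "columns": cols,
            "where": m.group("where")}

def mask(value):
    """Keep the first 3 and last 2 characters; fully star out short values."""
    s = str(value)
    return "*" * len(s) if len(s) <= 5 else s[:3] + "*" * (len(s) - 5) + s[-2:]

def handle(user, sql, rows):
    """S4030/S4040: return what the gateway hands back to `user` for `sql`."""
    tree = parse_select(sql)
    allowed = GRANTS.get(user, {}).get(tree["table"])
    if allowed is None:  # no right on the first layer: S2110 + S2120
        AUDIT_LOG.append({"user": user, "sql": sql, "reason": "table denied"})
        return DENY_VALUE
    # S2210: keep only the requested columns the user is entitled to.
    visible = [c for c in tree["columns"] if c in allowed]
    return [{c: mask(r[c]) if (tree["table"], c) in SENSITIVE else r[c]
             for c in visible} for r in rows]

if __name__ == "__main__":
    print(handle("alice", "SELECT name, phone, id_card FROM customers WHERE id = 7",
                 SAMPLE_ROWS))
    print(handle("bob", "select name from customers", SAMPLE_ROWS), AUDIT_LOG)
```

Statements the parser cannot reduce to explicit columns are rejected rather than forwarded, so a wildcard select cannot bypass the column check.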
Referring to fig. 6, fig. 6 is a structural diagram of a security gateway according to a sixth embodiment of the present invention. The application also provides a security gateway which comprises a transceiving module, a big data agent module and a data export encryption module;
the transceiving module is used for receiving and sending the operation data request;
the big data agent module is used for acquiring the authority of the operation data request according to the operation data request;
the big data agent module is also used for setting a desensitization strategy of the operation data according to the authority of the operation data request;
and the data export encryption module is used for carrying out desensitization processing and exporting desensitization information according to the desensitization strategy of the operation data.
In summary, the method for processing data by the gateway provided by the present invention can be applied to a security gateway.
The invention is mainly applied in a business system to set an appropriate gradient of confidential information so as to ensure overall information confidentiality. The gateway security technology overcomes the defect of overly coarse data exposure caused by traditional data account permissions, can control the opening of data at the finer granularity of the business level, and can ensure that in a given business scenario a user touches as little of the business system's data as possible, thereby reducing the impact of a leak. The invention combines machine learning, data encryption, sensitivity identification and desensitization methods with the business scenarios of the business system, identifies and desensitizes in real time the sensitive information that users of the open platform encounter while using data, and performs personalized desensitization and display according to the usage scenario of a specific job number of the business system. Meanwhile, for scenarios in which sensitive data must be used, the sensitive data to be downloaded is encrypted through the data gateway, so that its spread is kept within a limited range.
The above description is only an embodiment of the present invention and is not intended to limit the scope of the present invention. All equivalent structures or equivalent process modifications made using the contents of this specification and drawings, whether applied directly or indirectly in other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for processing data by a gateway is characterized by comprising the following steps:
when a network data packet is obtained, extracting an operation data request;
determining the related authority of the operation data request according to the operation data request;
setting a desensitization strategy of the operation data according to the related authority of the operation data request;
and desensitizing the network data and deriving desensitization information according to the desensitization strategy of the operation data.
2. The method for processing data by a gateway according to claim 1, wherein: the method for acquiring the authority of the operation data request comprises the following steps:
confirming that the first layer information aimed at by the operation data request has operation authority;
confirming that a specific part of second-layer information in the first-layer information aimed at by the operation data request has an operation authority;
and confirming that the sender of the operation data request has the operation authority.
3. The gateway data processing method of claim 2, wherein the setting of the desensitization policy for the operation data comprises the steps of:
acquiring a sensitive field;
acquiring identity information of an issuer of the operation data request and environment information of the issuer of the operation data request;
and setting a desensitization strategy of the operation data according to the sensitive field, the identity information of the issuer of the operation data request and the environment information of the issuer of the operation data request.
4. The gateway data processing method of claim 3, wherein said deriving desensitization information comprises the steps of:
confirming that the data to be exported is sensitive data;
carrying out privilege approval on the sensitive data to acquire permission for exporting the data;
and deriving the desensitization information based on the permission for exporting the data.
5. The method for processing data by a gateway of claim 4, wherein after deriving desensitization information, the method comprises the steps of:
setting a password of an output main file of the operation data request of desensitization information;
and adding the relevant operation information of the operation data request to the desensitization information to obtain an output main file.
6. The gateway data processing method according to claim 5, wherein when the output master file needs to be copied after adding the operation information related to the operation data request to the desensitization information, the method further comprises the following steps:
retransmitting a password of an output main file of the operation data request of the desensitization information;
retransmitting the relevant operation information of the operation data request of the main file;
and obtaining a sub-file according to the password of the output main file of the operation data request of the desensitization information and the related operation information of the operation data request, and adding the related operation information of the data operation requester who needs to copy the output main file.
7. The method for processing data by the gateway according to claim 2, wherein when it is confirmed that the first layer information for which the operation data request is directed has no operation right, the method further comprises the steps of:
outputting a specific value;
and recording the relevant operation information of the operation data request.
8. The method for processing data by a gateway according to claim 2, wherein when it is confirmed that the operation data request has no operation right for a specific part of the second layer information in the first layer information, the method further comprises the steps of:
and outputting the second layer information with the authority part in the first layer information.
9. The gateway processing method according to any of claims 1 to 8, wherein the desensitization process comprises the steps of:
acquiring and analyzing a data packet;
outputting a desensitization syntax tree according to the data packet;
processing the operation data according to the desensitization syntax tree to obtain a return data column;
and confirming that the returned data is sensitive data, and starting an outgoing mechanism of the data leakage protection system.
10. A security gateway, characterized by: the system comprises a transceiving module, a big data agent module and a data export encryption module;
the receiving and sending module is used for receiving and sending the operation data request;
the big data agent module is used for acquiring the authority of the operation data request according to the operation data request;
the big data agent module is also used for setting a desensitization strategy of the operation data according to the authority of the operation data request;
and the data export encryption module is used for carrying out desensitization treatment and exporting desensitization information according to the desensitization strategy of the operation data.
CN201911272313.1A 2019-12-12 2019-12-12 Method for processing data by gateway and security gateway Pending CN111083135A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911272313.1A CN111083135A (en) 2019-12-12 2019-12-12 Method for processing data by gateway and security gateway

Publications (1)

Publication Number Publication Date
CN111083135A true CN111083135A (en) 2020-04-28

Family

ID=70314064

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200428