CN112000984A - Data leakage detection method, device, equipment and readable storage medium - Google Patents


Publication number
CN112000984A
Authority
CN
China
Prior art keywords
request command
data
response data
sensitive data
sensitive
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010856953.3A
Other languages
Chinese (zh)
Inventor
李霜
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202010856953.3A
Publication of CN112000984A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data leakage detection method, device, equipment and readable storage medium. The method comprises the following steps: acquiring a request command sent by a client, and sending the request command to a server; acquiring response data returned after the server processes the request command; judging whether the response data includes sensitive data; if so, marking the request command as having a suspected compromise and recording it. With this method, request commands with a suspected compromise can be detected and recorded. The administrator can therefore learn which actions of operation and maintenance personnel or other related personnel on the database may cause leakage of the database's sensitive data simply by looking up the recorded request commands that carry the suspected-compromise mark, which facilitates database session auditing.

Description

Data leakage detection method, device, equipment and readable storage medium
Technical Field
The present invention relates to the field of security technologies, and in particular, to a data leakage detection method, apparatus, device, and readable storage medium.
Background
The operation and maintenance auditing system is a uniform operation and maintenance entry of user assets (a database, a server, network equipment, storage equipment and the like), and achieves the purpose of risk control through identity authentication, authority control and operation auditing. The operation and maintenance auditing system has the core function of auditing, and the main types of the operation and maintenance auditing system are character type session auditing, graphic session auditing and database session auditing. The administrator can know which risk operations the operation and maintenance personnel do by checking the audit records, and the purposes of risk estimation and accountability after the fact can be achieved.
Mature operation and maintenance auditing products can quickly provide an administrator with effective information for character session auditing and graphic session auditing, but have more shortcomings in database session auditing. Currently, two techniques are mainly adopted for database session auditing: RemoteAPP graphic audit and protocol-agent SQL audit. The RemoteAPP mode is a graphic audit: only the operation screens can be viewed, and an administrator cannot query the SQL statements executed by operation and maintenance personnel or their return values. Protocol-agent SQL audit captures many machine-interaction statements, so the audit result contains a lot of junk information for the administrator, who cannot quickly locate manual operations and cannot check whether the returned information contains sensitive data.
In summary, how to effectively solve the problems of database session audit and the like is a technical problem which needs to be solved urgently by technical personnel in the field at present.
Disclosure of Invention
The invention aims to provide a data leakage detection method, a data leakage detection device, data leakage detection equipment and a readable storage medium, which can record the conversation related to sensitive data in database conversation and facilitate auditing.
In order to solve the technical problems, the invention provides the following technical scheme:
a data leak detection method, comprising:
acquiring a request command sent by a client, and sending the request command to a server;
acquiring response data returned after the server processes the request command;
judging whether the response data comprises sensitive data or not;
if yes, marking the request command as suspected to be divulged and recording the request command.
Preferably, after obtaining the response data returned after the server processes the request command, the method further includes:
judging whether the request command has the suspicion of dragging the library by using the response data;
if yes, marking the request command as suspected to be dragged and recording the request command.
Preferably, the determining, by using the response data, whether the request command has a suspicion of dragging the library includes:
judging whether the line number of the response data is larger than a line number threshold value or not;
if so, determining that the request command has a drag library suspicion;
if not, determining that the request command has no dragging library suspicion.
Preferably, after obtaining the response data returned after the server processes the request command, the method further includes:
intercepting the response data if the request command has a suspected compromise and/or a suspected dragging library.
Preferably, after obtaining the request command sent by the client, the method further includes:
judging whether a command field in the request command is matched with a query key field;
if yes, marking the request command as a query command, and recording the request command.
Preferably, the determining whether the response data includes sensitive data includes:
judging whether the response data is matched with the sensitive data characteristics;
if so, determining that the response data includes the sensitive data;
if not, determining that the response data does not contain the sensitive data.
Preferably, the determining whether the response data and the sensitive data feature match includes:
judging whether the fields in the response data are matched with the fields corresponding to the sensitive data features or not by using a regular expression or a wildcard;
if so, determining that the response data matches the sensitive data characteristics;
if not, it is determined that the response data does not match the sensitive data characteristic.
A data leak detection apparatus comprising:
the request command forwarding module is used for acquiring a request command sent by a client and sending the request command to a server;
the response data acquisition module is used for acquiring response data returned after the server processes the request command;
the sensitive data detection module is used for judging whether the response data comprises sensitive data or not;
and the secret leakage recording module is used for marking that the request command has the suspicion of secret leakage and recording the request command if the response data comprises the sensitive data.
A data leak detection apparatus comprising:
a memory for storing a computer program;
and the processor is used for realizing the steps of the data leakage detection method when executing the computer program.
A readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the above-mentioned data leakage detection method.
By applying the method provided by the embodiment of the invention, the request command sent by the client is obtained and sent to the server; acquiring response data returned after the server processes the request command; judging whether the response data comprises sensitive data or not; if yes, the request command is marked with a suspected compromise and recorded.
In this method, a proxy sits between the client and the server. Specifically, with respect to the client, the proxy simulates the server, that is, it presents itself in a virtual server role and can acquire the request command sent by the client; with respect to the server, the proxy simulates the client, that is, it presents itself in a virtual client role, can send the request command to the server, and can acquire the response data fed back after the server processes the request command. After the response data is obtained, it is judged whether the response data includes sensitive data; if so, the request command is marked as having a suspected compromise and is recorded. The administrator can therefore learn which actions of operation and maintenance personnel or other related personnel on the database may cause leakage of the database's sensitive data simply by looking up the recorded request commands that carry the suspected-compromise mark, which facilitates database session auditing.
Accordingly, embodiments of the present invention further provide a data leakage detection apparatus, a device, and a readable storage medium corresponding to the data leakage detection method, which have the above technical effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of an implementation of a data leakage detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an audit agent architecture in an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a data leakage detection apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a data leakage detection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a data leakage detection device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart of a data leakage detection method in an embodiment of the present invention, where the method may be applied to a proxy module between a client and a server, and the method includes the following steps:
S101, acquiring a request command sent by a client, and sending the request command to a server.
Referring to fig. 2, fig. 2 is a schematic diagram of an architecture of an audit agent according to an embodiment of the present invention. As can be seen from fig. 2, the proxy module acts as a server with respect to the client; the proxy module acts as a client with respect to the server.
The agent module can obtain the request command sent by the client. It should be noted that the request command may specifically be a data query command, a data modification command, a data addition command, a data deletion command, and other common database operation commands.
After the request command is obtained, the agent module can forward the request command to the server.
Preferably, considering that in practical applications the query command is, among the various request commands, one that relatively easily causes data leakage, in the embodiment of the present invention it may be further determined, after the request command is obtained, whether the request command is a query command; if so, the query command is recorded for subsequent auditing or for tracing data leakage events. Specifically, after the request command sent by the client is obtained, the following steps may also be performed:
step one, judging whether a command field in a request command is matched with a query key field;
and step two, if so, marking the request command as an inquiry command, and recording the request command.
It should be noted that step one and step two only need to be executed after the request command is obtained. That is, they may be executed immediately after the request command is acquired, or a certain period of time after the request command is acquired.
In the embodiment of the invention, the query key fields related to query commands can be set in advance. For example, query key fields (i.e., a library of SQL keywords for query operations) including, but not limited to, the following may be set:
General query statement: select;
MySQL database: mysqldump;
Oracle database: exp;
SqlServer database: bcp;
DB2 database: export;
Informix database: dbexp;
PostgreSQL database: pg_dump;
MongoDB database: mongoexport, find();
Redis database: get, mget, hget, hmget, hgetall, lrange, smembers, zrange, redis-dump, etc.;
HBase database: get, scan, export.
When the request command is detected to include one or more of these query key fields, the request command can be determined to be a query command. Specifically, the request command can be parsed according to the transmission protocol, and the matching judgment is then performed on the parsing result. The transmission protocol may specifically be the SSH (Secure Shell) protocol. If the request command is determined to be a query command, it may be marked as a query command. Specifically, the tag information corresponding to a query command may be added directly to the request command, or the request command may be written into the record file corresponding to query commands, for later lookup.
For example, when a command line is used to access mysql and run a query, the matched content can be stored to the request field of the database by/(. Thus, the request command is determined to be a query command.
S102, acquiring response data returned after the server processes the request command.
After receiving the request command, the server processes it according to its processing flow and feeds back response data to the client.
Since there is a proxy module between the client and the server, the response data is first obtained by the proxy module.
S103, judging whether the response data comprises sensitive data.
The sensitive data may be related data such as user name, password, identification card, telephone, mailbox, personal finance, and biometric information.
If sensitive data is included in the response data, the current session may be recorded. Therefore, in the embodiment of the present invention, it is detected and determined whether the response data includes sensitive data.
Specifically, the judging process includes:
step one, judging whether response data are matched with the characteristics of sensitive data;
step two, if yes, determining that the response data comprises sensitive data;
and step three, if not, determining that no sensitive data exists in the response data.
For convenience of description, the above three steps will be described in combination.
In the embodiment of the invention, the sensitive data characteristics can be preset, and after the response data is obtained, whether the response data comprises the sensitive data can be determined by judging whether the response data is matched with the sensitive data characteristics.
Wherein, the first step may specifically include:
step 1.1, judging whether fields in response data are matched with fields corresponding to sensitive data features by using a regular expression or a wildcard;
step 1.2, if yes, determining that the response data is matched with the sensitive data characteristics;
and 1.3, if not, determining that the response data is not matched with the sensitive data characteristics.
That is, when determining whether the response data matches the sensitive data feature, a regular expression or a wildcard manner may be adopted to detect whether the field in the response data matches the field corresponding to the sensitive data feature.
The fields corresponding to the sensitive data features (or the sensitive features in the sensitive data feature library) include, but are not limited to, the following:
User name: user, username, userid, user name;
Password & key: passwords, keys, private keys, privatekeys, publickeys, password, pwd, passwd, pass, key;
Identity card information: identity card number, IDcard, credit;
Telephone number: contact, cell phone, telephone, tel, phone number, phone;
Mailbox: mailbox, email;
Of course, characteristic fields corresponding to other sensitive information may also be included, such as personal property information, biometric information, personal identification information, network identification information, and other characteristics, which are not listed here.
It should be noted that matching a field in the response data with a field in the sensitive data feature in this document refers to matching a field in the response data with one or more fields in the sensitive data feature. That is, the response data is determined to have sensitive data as long as there is a field in the response data that matches a field in the sensitive data feature.
After determining whether the response data has sensitive data, subsequent processing operations may be determined according to the determination result. Specifically, if the determination result is yes, the operation of step S104 is executed; if the judgment result is no, the operation of step S105 is performed.
S104, marking the request command with the suspected secret leakage and recording the request command.
Upon determining that the response data contains sensitive data, the request command may be determined to have a suspected compromise. The request command may therefore be tagged, so that the tag makes clear that the request command has a suspected compromise.
Specifically, the tag information corresponding to the suspected compromise may be directly added to the request command, or the request command may be written into a record file corresponding to the suspected compromise for query.
S105, sending the response data to the client.
In the event that no sensitive data is determined to be in the responsive data, the responsive data may be sent to the client.
By applying the method provided by the embodiment of the invention, the request command sent by the client is obtained and sent to the server; acquiring response data returned after the server processes the request command; judging whether the response data comprises sensitive data or not; if yes, the request command is marked with a suspected compromise and recorded.
In this method, a proxy sits between the client and the server. Specifically, with respect to the client, the proxy simulates the server, that is, it presents itself in a virtual server role and can acquire the request command sent by the client; with respect to the server, the proxy simulates the client, that is, it presents itself in a virtual client role, can send the request command to the server, and can acquire the response data fed back after the server processes the request command. After the response data is obtained, it is judged whether the response data includes sensitive data; if so, the request command is marked as having a suspected compromise and is recorded. The administrator can therefore learn which actions of operation and maintenance personnel or other related personnel on the database may cause leakage of the database's sensitive data simply by looking up the recorded request commands that carry the suspected-compromise mark, which facilitates database session auditing.
It should be noted that, based on the above embodiments, the embodiments of the present invention also provide corresponding improvements. In the preferred/improved embodiment, the same steps as those in the above embodiment or corresponding steps may be referred to each other, and corresponding advantageous effects may also be referred to each other, which are not described in detail in the preferred/improved embodiment herein.
Dragging a library can cause data to be leaked and stolen; library dragging refers to exporting data from a database. On the basis of the above embodiment, library-dragging behavior can also be detected to facilitate auditing. In the specific implementation, after the response data returned after the server processes the request command is acquired, the following steps are executed:
step one, judging whether a request command has suspicion of dragging a library by using response data;
and step two, if yes, marking the request command with the suspicion of dragging and recording the request command.
Wherein, the first step may specifically include:
step one, judging whether the number of lines of the response data is larger than a line number threshold value;
step two, if yes, determining that the request command has the suspicion of dragging the library;
and step three, if not, determining that the request command has no dragging library suspicion.
That is, after the response data is obtained, its corresponding number of rows can be determined. To illustrate with mysql how the number of returned rows is obtained from the response data, the matching can be performed by/(. If the number of rows exceeds the row number threshold, the request command is determined to have a drag library suspicion; otherwise, it is determined that the request command has no drag library suspicion.
The request command may be tagged where the response data is determined to have a drag library suspicion. Specifically, the request command can be directly marked with a label corresponding to the dragging library suspicion and stored; of course, the request command can also be directly stored into the record file corresponding to the dragging library suspicion.
Preferably, in order to avoid data leakage, the response data can be intercepted. Specifically, after response data returned after the server processes the request command is acquired, if the request command has a suspected disclosure and/or a suspected library-dragging, the response data is intercepted. That is to say, once the response data has sensitive data or the data volume of the response data is greater than a preset value, the response data can be intercepted, and data leakage is avoided.
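The checks described above (query key field matching, sensitive field matching by regular expression or wildcard, the row number threshold, and interception) can be combined into one audit routine. The following is an added example, not code from the patent: the function and tag names, the concrete wildcard and regex patterns, and the parsing of mysql command-line table output (including its "N rows in set" footer) are assumptions made for illustration, and the sample responses are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass

# Subset of the query key fields listed in the description.
QUERY_KEY_FIELDS = {"select", "mysqldump", "exp", "bcp", "export", "pg_dump",
                    "mongoexport", "find", "hgetall", "lrange", "scan"}

# (category, kind, pattern). Categories and field names follow the description;
# the concrete wildcard/regex patterns are constructed for this example.
SENSITIVE_FEATURES = [
    ("user name", "wildcard", "user*"),
    ("password & key", "regex", r"pass(w(or)?d)?|pwd"),
    ("password & key", "wildcard", "*key"),  # broad: also hits "foreign_key", tune per schema
    ("identity card", "wildcard", "idcard"),
    ("telephone", "regex", r"tel|(cell|tele)?phone(_?number)?"),
    ("mailbox", "wildcard", "*mail*"),
]

# Footer printed by the mysql command-line client (assumed response format).
ROWS_FOOTER = re.compile(r"^(\d+) rows? in set", re.MULTILINE)


@dataclass
class AuditRecord:
    command: str
    tags: list
    sensitive_fields: dict  # column name -> sensitive category
    rows: int
    intercepted: bool


def is_query_command(command):
    """Match the tokens of the request command against the query key fields."""
    tokens = re.findall(r"[a-z_][a-z0-9_-]*", command.lower())
    return any(tok in QUERY_KEY_FIELDS for tok in tokens)


def parse_mysql_table(text):
    """Return (column names, row count) from mysql command-line table output."""
    table_lines = [ln.strip() for ln in text.splitlines() if ln.startswith("|")]
    columns = ([c.strip() for c in table_lines[0].strip("|").split("|")]
               if table_lines else [])
    footer = ROWS_FOOTER.search(text)
    # Prefer the client's own footer; fall back to counting data lines.
    rows = int(footer.group(1)) if footer else max(len(table_lines) - 1, 0)
    return columns, rows


def match_sensitive(columns):
    """Map each response field that matches a sensitive feature to its category."""
    hits = {}
    for col in columns:
        name = col.lower()
        for category, kind, pattern in SENSITIVE_FEATURES:
            if kind == "wildcard":
                matched = fnmatch.fnmatchcase(name, pattern)
            else:
                matched = re.fullmatch(pattern, name) is not None
            if matched:
                hits[col] = category
                break
    return hits


def audit(command, response_text, row_threshold=1000, intercept=True):
    """Tag one request/response pair the way the proxy module would record it."""
    tags = []
    if is_query_command(command):
        tags.append("query")
    columns, rows = parse_mysql_table(response_text)
    sensitive = match_sensitive(columns)
    if sensitive:
        tags.append("suspected-leak")
    if rows > row_threshold:
        tags.append("suspected-drag-library")
    suspicious = bool({"suspected-leak", "suspected-drag-library"} & set(tags))
    return AuditRecord(command, tags, sensitive, rows, intercept and suspicious)


# Constructed sample responses (not from the patent).
SAMPLE_LEAK = """+----+----------+--------+-------------------+
| id | username | passwd | email             |
+----+----------+--------+-------------------+
|  1 | alice    | ****   | alice@example.org |
|  2 | bob      | ****   | bob@example.org   |
+----+----------+--------+-------------------+
2 rows in set (0.00 sec)
"""
SAMPLE_BENIGN = """+----+---------+
| id | title   |
+----+---------+
|  7 | Welcome |
+----+---------+
1 row in set (0.00 sec)
"""

if __name__ == "__main__":
    for cmd, resp in [("SELECT * FROM users;", SAMPLE_LEAK),
                      ("select id, title from articles;", SAMPLE_BENIGN)]:
        print(audit(cmd, resp))
```

Matching on column names alone misses sensitive values returned under aliased or renamed columns, so a deployment would normally pair these field patterns with value-level patterns.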
Corresponding to the above method embodiment, the embodiment of the present invention further provides a data leakage detecting apparatus, and the data leakage detecting apparatus described below and the data leakage detecting method described above may be referred to in correspondence with each other.
Referring to fig. 3, the apparatus includes the following modules:
a request command forwarding module 101, configured to obtain a request command sent by a client, and send the request command to a server;
a response data obtaining module 102, configured to obtain response data returned after the server processes the request command;
the sensitive data detection module 103 is configured to determine whether the response data includes sensitive data;
and the secret leakage recording module 104 is configured to mark the request command as suspicious of secret leakage and record the request command if the response data includes sensitive data.
By applying the device provided by the embodiment of the invention, the request command sent by the client is obtained and sent to the server; acquiring response data returned after the server processes the request command; judging whether the response data comprises sensitive data or not; if yes, the request command is marked with a suspected compromise and recorded.
In the present apparatus, a proxy sits between the client and the server. Specifically, with respect to the client, the proxy simulates the server, that is, it presents itself in a virtual server role and can acquire the request command sent by the client; with respect to the server, the proxy simulates the client, that is, it presents itself in a virtual client role, can send the request command to the server, and can acquire the response data fed back after the server processes the request command. After the response data is obtained, it is judged whether the response data includes sensitive data; if so, the request command is marked as having a suspected compromise and is recorded. The administrator can therefore learn which actions of operation and maintenance personnel or other related personnel on the database may cause leakage of the database's sensitive data simply by looking up the recorded request commands that carry the suspected-compromise mark, which facilitates database session auditing.
In one embodiment of the present invention, the method further comprises:
the database dragging auditing module is used for judging whether the request command has the suspicion of dragging the database by utilizing the response data after the response data returned after the request command is processed by the server is obtained; if so, the request command is marked with a drag library suspicion and the request command is recorded.
In a specific embodiment of the present invention, the library dragging audit module is specifically configured to determine whether the number of lines of the response data is greater than a line number threshold; if so, determining that the request command has a drag library suspicion;
if not, it is determined that the request command is not under suspicion of dragging.
In one embodiment of the present invention, the method further comprises:
and the response data intercepting module is used for intercepting response data if the request command has a secret leakage suspicion and/or a library dragging suspicion after the response data returned after the request command is processed by the server is obtained.
In one embodiment of the present invention, the method further comprises:
the query recording module is used for judging whether a command field in a request command is matched with a query key field after the request command sent by the client is acquired; if so, marking the request command as a query command and recording the request command.
In a specific embodiment of the present invention, the sensitive data detection module 103 is specifically configured to determine whether the response data is matched with the sensitive data characteristics; if so, determining that the response data comprises sensitive data; if not, determining that no sensitive data exists in the response data.
In a specific embodiment of the present invention, the sensitive data detection module 103 is specifically configured to determine whether a field in the response data matches a field corresponding to the sensitive data feature by using a regular expression or a wildcard; if yes, determining that the response data is matched with the sensitive data characteristics; if not, it is determined that the responsive data does not match the sensitive data characteristic.
Corresponding to the above method embodiment, the embodiment of the present invention further provides a data leakage detection device, and a data leakage detection device described below and a data leakage detection method described above may be referred to in a corresponding manner.
Referring to fig. 4, the data leakage detecting apparatus includes:
a memory 332 for storing a computer program;
processor 322, configured to implement the steps of the data leakage detection method of the above-described method embodiments when executing the computer program.
Specifically, referring to fig. 5, fig. 5 is a schematic diagram of a specific structure of a data leakage detecting apparatus provided in this embodiment, which may generate relatively large differences due to different configurations or performances, and may include one or more processors (CPUs) 322 (e.g., one or more processors) and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. Memory 332 may be, among other things, transient or persistent storage. The program stored in memory 332 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a data processing device. Still further, central processor 322 may be configured to communicate with memory 332 to execute a series of instructional operations on data leak detection device 301 within memory 332.
Data leak detection apparatus 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341.
The steps in the data leak detection method described above may be implemented by the structure of the data leak detection apparatus.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a readable storage medium; the readable storage medium described below and the data leakage detection method described above may be read with reference to each other.
A readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of the data leak detection method of the above-mentioned method embodiment.
The readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
Those of skill in the art will further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

Claims (10)

1. A method for detecting data leakage, comprising:
acquiring a request command sent by a client, and sending the request command to a server;
acquiring response data returned after the server processes the request command;
judging whether the response data includes sensitive data;
if so, marking the request command as suspected of data leakage and recording the request command.
2. The data leakage detection method according to claim 1, further comprising, after obtaining the response data returned after the server processes the request command:
judging, by using the response data, whether the request command is suspected of database dumping (literally "dragging the library");
if so, marking the request command as suspected of database dumping and recording the request command.
3. The data leakage detection method according to claim 2, wherein the judging, by using the response data, whether the request command is suspected of database dumping comprises:
judging whether the number of rows in the response data is larger than a row-count threshold;
if so, determining that the request command is suspected of database dumping;
if not, determining that the request command is not suspected of database dumping.
4. The data leakage detection method according to claim 2 or 3, further comprising, after obtaining the response data returned after the server processes the request command:
intercepting the response data if the request command is suspected of data leakage and/or of database dumping.
5. The data leakage detection method according to claim 1, further comprising, after obtaining the request command sent by the client:
judging whether a command field in the request command matches a query key field;
if so, marking the request command as a query command and recording the request command.
6. The data leakage detection method according to claim 1, wherein determining whether the response data includes sensitive data includes:
judging whether the response data is matched with the sensitive data characteristics;
if so, determining that the response data includes the sensitive data;
if not, determining that the response data does not contain the sensitive data.
7. The data leak detection method of claim 6, wherein determining whether the response data matches the sensitive data characteristics comprises:
judging, by using a regular expression or a wildcard, whether the fields in the response data match the fields corresponding to the sensitive data characteristics;
if so, determining that the response data matches the sensitive data characteristics;
if not, determining that the response data does not match the sensitive data characteristics.
8. A data leak detection apparatus, characterized by comprising:
the request command forwarding module is used for acquiring a request command sent by a client and sending the request command to a server;
the response data acquisition module is used for acquiring response data returned after the server processes the request command;
the sensitive data detection module is used for judging whether the response data includes sensitive data;
and the secret leakage recording module is used for marking the request command as suspected of data leakage and recording the request command if the response data includes the sensitive data.
9. A data leak detection apparatus characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the data leak detection method according to any one of claims 1 to 7 when executing the computer program.
10. A readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the data leak detection method according to any one of claims 1 to 7.
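The checks of claims 1 to 7 applied to one request/response pair, as an added Python example that is not part of the patent. The names `inspect` and `Verdict`, the query keywords, the 1000-row threshold and the three feature patterns are assumptions, since the claims name the checks without giving concrete values.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
# Assumed policy values: the patent names these checks but gives no concrete values.
QUERY_KEYWORDS = ("select", "show")   # "query key fields" of claim 5
ROW_THRESHOLD = 1000                  # row-count threshold of claim 3
SENSITIVE_FEATURES = [                # (label, column-name wildcard, value regex)
    ("phone_column", "*phone*", None),
    ("email_value", None, re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")),
    ("mobile_value", None, re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")),
]

@dataclass
class Verdict:
    is_query: bool = False
    dump_suspected: bool = False
    matched: set = field(default_factory=set)
    @property
    def leak_suspected(self):         # claim 1: any sensitive feature matched
        return bool(self.matched)
    @property
    def intercept(self):              # claim 4: block on either suspicion
        return self.leak_suspected or self.dump_suspected

def match_features(columns, rows):
    """Labels of features matched by column name (wildcard) or cell value (regex)."""
    hits = set()
    for label, wildcard, regex in SENSITIVE_FEATURES:
        if wildcard and any(fnmatchcase(c.lower(), wildcard) for c in columns):
            hits.add(label)
        if regex and any(regex.search(str(v)) for r in rows for v in r if v is not None):
            hits.add(label)
    return hits

def inspect(request_sql, columns, rows):
    """Apply the checks of claims 1-7 to one request/response pair."""
    words = request_sql.split(None, 1)
    return Verdict(
        is_query=bool(words) and words[0].lower() in QUERY_KEYWORDS,
        dump_suspected=len(rows) > ROW_THRESHOLD,
        matched=match_features(columns, rows),
    )

# Constructed sample traffic (not from the patent): (request, columns, rows).
SAMPLES = [
    ("SELECT id, name FROM products", ["id", "name"], [(1, "bolt"), (2, "nut")]),
    ("select usr, contact from crm", ["usr", "contact"], [("a", "alice@example.com")]),
    ("SELECT id, total FROM orders", ["id", "total"], [(i, 9.5) for i in range(1500)]),
]
```

The row-count check and the feature match are independent, so the third sample is intercepted for its size alone even though none of its fields match a sensitive feature.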
CN202010856953.3A 2020-08-24 2020-08-24 Data leakage detection method, device, equipment and readable storage medium Pending CN112000984A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010856953.3A CN112000984A (en) 2020-08-24 2020-08-24 Data leakage detection method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN112000984A (en) 2020-11-27

Family

ID=73470385

Country Status (1)

Country Link
CN (1) CN112000984A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106407836A (en) * 2016-08-29 2017-02-15 北京农业信息技术研究中心 Method and device for automatically detecting illegal data modification behavior
US20170213041A1 (en) * 2016-01-22 2017-07-27 Google Inc. Systems and methods for detecting sensitive information leakage while preserving privacy
CN107169361A (en) * 2017-06-15 2017-09-15 深信服科技股份有限公司 The detection method and system of a kind of leaking data
CN107392016A (en) * 2017-07-07 2017-11-24 四川大学 A kind of web data storehouse attack detecting system based on agency
CN107392051A (en) * 2017-07-28 2017-11-24 北京明朝万达科技股份有限公司 A kind of big data processing method and system
CN107403108A (en) * 2017-08-07 2017-11-28 上海上讯信息技术股份有限公司 A kind of method and system of data processing
CN107563197A (en) * 2017-08-30 2018-01-09 杭州安恒信息技术有限公司 It is a kind of to drag storehouse to hit storehouse attack defense method for database layer
CN107908959A (en) * 2017-11-10 2018-04-13 北京知道创宇信息技术有限公司 Site information detection method, device, electronic equipment and storage medium
CN108667840A (en) * 2018-05-11 2018-10-16 腾讯科技(深圳)有限公司 Injection loophole detection method and device
CN108959967A (en) * 2018-07-16 2018-12-07 杭州安恒信息技术股份有限公司 A kind of method and system of anti-database sensitive data leakage
CN109784081A (en) * 2019-02-18 2019-05-21 成都卫士通信息产业股份有限公司 A kind of database transparent encryption method, device, electronic equipment and storage medium
US20200097676A1 (en) * 2018-09-25 2020-03-26 Imperva, Inc. Data based web application firewall

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112532734A (en) * 2020-12-02 2021-03-19 建信金融科技有限责任公司 Message sensitive information detection method and device
CN112532734B (en) * 2020-12-02 2023-11-21 建信金融科技有限责任公司 Method and device for detecting message sensitive information
CN114006776A (en) * 2021-12-31 2022-02-01 北京微步在线科技有限公司 Sensitive information leakage detection method and device
CN114640530A (en) * 2022-03-24 2022-06-17 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium
CN114640530B (en) * 2022-03-24 2023-12-29 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201127