CN112035871A - Dynamic desensitization method and system based on database driven proxy - Google Patents
- Publication number
- CN112035871A (application number CN202010712492.2A)
- Authority
- CN
- China
- Prior art keywords
- database
- user
- desensitization
- name
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The invention discloses a dynamic desensitization method based on a database-driven agent, comprising the following steps: acquiring a user's SQL request; acquiring the WEB user name, the user IP and the corresponding database name from the user's SQL request; acquiring the SQL content in the corresponding database according to the WEB user name, the user IP and the corresponding database IP and database name; analyzing the SQL content to obtain tables and fields; setting a desensitization rule; and, according to the desensitization rule, recombining the WEB user name, the user IP, the database name, the table and the field, then generating and sending a new SQL statement. The invention also discloses a dynamic desensitization system based on a database-driven agent. On the premise that use remains transparent to the user, and without adding extra equipment, the invention achieves desensitization for database users and for application program users according to differently configured desensitization rules.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a dynamic desensitization method and a dynamic desensitization system based on a database driven agent.
Background
With the widespread use of big data, personal information protection faces unprecedented challenges. How to protect personal privacy information is the key problem that database desensitization must solve. Database desensitization technology deforms certain sensitive information according to desensitization rules so as to reliably protect sensitive private data. Dynamic desensitization performs real-time desensitization on the data returned by the production database, so that the returned data is both usable and safe. Existing dynamic desensitization systems need to be deployed on a separate device, cannot obtain the application program's user name, cannot achieve three-layer association desensitization, and parse proprietary protocols poorly.
Disclosure of Invention
In order to overcome the above problems or at least partially solve the above problems, embodiments of the present invention provide a dynamic desensitization method and system based on a database-driven agent, which can achieve the effects of database user desensitization and application user desensitization according to different configuration desensitization rules without adding additional devices on the premise of ensuring transparent use of users.
In order to achieve the above purpose, the embodiments of the present application employ the following technical solutions:
In a first aspect, an embodiment of the present application provides a dynamic desensitization method based on a database-driven agent, including the following steps:
acquiring a SQL request of a user;
acquiring a WEB user name, a user IP and a corresponding database name according to an SQL request of a user;
acquiring SQL content in a corresponding database according to the WEB user name, the user IP and the corresponding database IP and database name;
analyzing SQL contents to obtain tables and fields;
setting a desensitization rule;
and according to the desensitization rule, recombining the WEB user name, the user IP, the database name, the table and the field, and generating and sending a new SQL statement.
A driver proxy package, db_proxy.jar, is added to the WEB application program. It proxies the SQL request, dynamically modifies the SQL according to the policy configuration and then sends it to the database, and three-layer desensitization of the data is realized on the basis of this driver proxy package. When a user issues SQL, DB_PROXY first acquires the user's SQL request, then acquires target information such as the WEB user name, the user IP and the corresponding database IP and database name from that request. It queries the corresponding target database according to the WEB user name, the user IP and the corresponding database IP and database name, acquires the target SQL content in that database, and analyzes the acquired target SQL content to obtain the tables and fields of the SQL statement. The tables and fields of the database are configured, and related desensitization rules are configured for different fields. For example, for a mobile phone number (format: 11 digits, 3-digit number segment + 4-digit home-location number + 4-digit serial number) the desensitization rule may be: keep the first 3 and last 3 digits and replace the rest with x, so that 13811547561 is desensitized to 138xxxxx561. The related desensitization rule information is returned, the WEB user name, the user IP, the database name, the table and the field are recombined according to the desensitization rule, and a new SQL statement is generated and sent to the database. Thus, on the premise that use remains transparent to the user and without adding extra equipment, database-user desensitization and application-program-user desensitization can be achieved according to differently configured desensitization rules, i.e. three-layer desensitization: different desensitization effects for different database users, and different desensitization effects for different users of the application program accessing the database.
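As an added illustration (example code written for this page, not code from the patent or from the db_proxy.jar package it describes), the following Python sketch shows the two halves of the step just described: a "keep the first 3 and last 3, replace the rest" rule as the patent states it for the mobile number 13811547561, and the rewriting of the user's SELECT into a new SQL statement in which the database itself returns the masked value. The `customer` schema, the `RULES` table keyed by (table, field) only, the MySQL-style string functions in the generated expression, and the regex-based parse of a single-table SELECT are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed schema so "SELECT *" can be expanded; without the column list a
# star query would slip past a column-level rule unmasked.
SCHEMA = {"customer": ["id", "name", "phone", "email"]}


@dataclass(frozen=True)
class KeepEndsRule:
    """Keep the first `keep_head` and last `keep_tail` characters, mask the rest."""
    keep_head: int
    keep_tail: int
    mask_char: str = "x"

    def apply(self, value: str) -> str:
        """Plain-value form of the rule (useful for previewing a rule's effect)."""
        hidden = len(value) - self.keep_head - self.keep_tail
        if hidden <= 0:
            return value  # too short to have a middle: nothing to mask
        tail = value[len(value) - self.keep_tail:]
        return value[: self.keep_head] + self.mask_char * hidden + tail

    def sql_expr(self, column: str) -> str:
        """The same rule as a SQL expression, so the database returns masked
        values. MySQL-style CONCAT/SUBSTR/REPEAT/GREATEST/LENGTH are assumed;
        the GREATEST() guards reproduce the short-value behaviour of apply()."""
        h, t = self.keep_head, self.keep_tail
        return (
            f"CONCAT(SUBSTR({column}, 1, {h}), "
            f"REPEAT('{self.mask_char}', GREATEST(LENGTH({column}) - {h + t}, 0)), "
            f"SUBSTR({column}, GREATEST(LENGTH({column}) - {t - 1}, {h + 1})))"
        )


# Constructed rules keyed by (table, field). In the patent the key is the full
# 6-tuple including user IP and WEB user name; that lookup is not shown here.
RULES = {("customer", "phone"): KeepEndsRule(3, 3)}

_SELECT = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def rewrite_select(sql: str, rules=RULES, schema=SCHEMA) -> str:
    """Rewrite a single-table SELECT so every ruled column is masked in SQL.

    The select list is split on commas, which is only safe for plain column
    names; a production proxy needs a real SQL parser at this step.
    """
    m = _SELECT.match(sql)
    if not m:
        return sql  # not a plain SELECT: passed through unchanged (assumption)
    table = m.group("table")
    cols = [c.strip() for c in m.group("cols").split(",")]
    if cols == ["*"]:
        cols = list(schema.get(table.lower(), ["*"]))
    out = []
    for col in cols:
        rule = rules.get((table.lower(), col.lower()))
        out.append(f"{rule.sql_expr(col)} AS {col}" if rule else col)
    return f"SELECT {', '.join(out)} FROM {table}{m.group('rest')}"


if __name__ == "__main__":
    print(KeepEndsRule(3, 3).apply("13811547561"))
    print(rewrite_select("SELECT id, phone FROM customer WHERE id = 7"))
    print(rewrite_select("SELECT * FROM customer"))
```

Pushing the masking into the rewritten statement, rather than masking rows after they return, is what lets the proxy stay inside the application's driver path with no extra device; the price is that the rewriter must understand every statement shape it forwards, which is why the star expansion and the pass-through of non-SELECT statements are called out as the weak points of this sketch.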
Based on the first aspect, in some embodiments of the present invention, a dynamic desensitization method based on database-driven agents, the method for setting desensitization rules includes the following steps:
acquiring tables and fields in a database;
a plurality of desensitization rules are set according to tables and fields in the database.
Based on the first aspect, in some embodiments of the present invention, a method for dynamic desensitization based on database-driven agents, the method for setting desensitization rules further includes the following steps:
acquiring desensitization requirements of users;
and modifying the desensitization rule according to the desensitization requirement of the user.
Based on the first aspect, in some embodiments of the present invention, a dynamic desensitization method based on a database-driven agent, according to desensitization rules, a method for reorganizing a WEB user name, a user IP, a database name, a table, and a field includes the following steps:
acquiring a corresponding desensitization rule according to the WEB user name, the user IP, the database name, the table and the field;
and recombining the WEB user name, the user IP, the database name, the table and the field according to the corresponding desensitization rule.
Based on the first aspect, in some embodiments of the present invention, a dynamic desensitization method based on a database-driven agent further includes the following steps:
judging whether the user's SQL request completely contains a WEB user name, a user IP and the corresponding database IP and database name; if so, acquiring the WEB user name, the user IP and the corresponding database IP and database name; and if not, acquiring the user's SQL request again.
In a second aspect, an embodiment of the present application provides a dynamic desensitization system based on a database-driven agent, including a request obtaining module, a target obtaining module, a content parsing module, a rule setting module, and a statement reassembling module, where:
the request acquisition module is used for acquiring the SQL request of the user;
the target acquisition module is used for acquiring a WEB user name, a user IP and a corresponding database name according to the SQL request of the user;
the content acquisition module is used for acquiring SQL contents in the corresponding database according to the WEB user name, the user IP and the corresponding database IP and database name;
the content analysis module is used for analyzing the SQL content to obtain a table and a field;
the rule setting module is used for setting desensitization rules;
and the statement recombination module is used for recombining the WEB user name, the user IP, the database name, the table and the field according to the desensitization rule, and generating and sending a new SQL statement.
A driver proxy package, db_proxy.jar, is added to the WEB application program. It proxies the SQL request, dynamically modifies the SQL according to the policy configuration and then sends it to the database, and three-layer desensitization of the data is realized on the basis of this driver proxy package. When a user issues SQL, DB_PROXY first acquires the user's SQL request through the request acquisition module; the target acquisition module then acquires target information such as the WEB user name, the user IP and the corresponding database IP and database name from that request; the content acquisition module queries the corresponding target database according to the WEB user name, the user IP and the corresponding database IP and database name and acquires the target SQL content in that database; the content analysis module analyzes the acquired target SQL content to obtain the tables and fields of the SQL statement; the rule setting module configures the tables and fields of the database, configures related desensitization rules for different fields and returns the related desensitization rule information; and the statement recombination module recombines the WEB user name, the user IP, the database name, the table and the field according to the desensitization rules, generates a new SQL statement and sends it to the database. Thus, on the premise that use remains transparent to the user and without adding extra equipment, database-user desensitization and application-program-user desensitization can be achieved according to differently configured desensitization rules, i.e. three-layer desensitization: different desensitization effects for different database users, and different desensitization effects for different users of the application program accessing the database.
Based on the second aspect, in some embodiments of the present invention, a dynamic desensitization system based on database driven agents, the rule setting module includes a field obtaining sub-module and a setting sub-module, wherein:
the field acquisition submodule is used for acquiring tables and fields in the database;
and the setting submodule is used for setting a plurality of desensitization rules according to the tables and the fields in the database.
Based on the second aspect, in some embodiments of the present invention, in a dynamic desensitization system based on a database-driven agent, the rule setting module further includes a requirement obtaining sub-module and a modification sub-module, wherein:
the requirement acquisition submodule is used for acquiring desensitization requirements of the user;
and the modification submodule is used for modifying the desensitization rule according to the desensitization requirement of the user.
Based on the second aspect, in some embodiments of the present invention, a dynamic desensitization system based on database-driven agents, the statement reorganization module includes a rule obtaining sub-module and a reorganization sub-module, wherein:
the rule acquisition submodule is used for acquiring a corresponding desensitization rule according to the WEB user name, the user IP, the database name, the table and the field;
and the recombination submodule is used for recombining the WEB user name, the user IP, the database name, the table and the field according to the corresponding desensitization rule.
Based on the second aspect, in some embodiments of the present invention, the dynamic desensitization system based on a database-driven agent further includes a judging module, configured to judge whether the user's SQL request completely contains a WEB user name, a user IP and the corresponding database IP and database name; if so, the target acquisition sub-module works, and if not, the request acquisition module works again.
The embodiment of the invention at least has the following advantages or beneficial effects:
The embodiment of the invention provides a dynamic desensitization method based on a database-driven agent, in which a driver proxy package, db_proxy.jar, is added to the WEB application program; the SQL request is proxied, the SQL is dynamically modified according to the policy configuration and then sent to the database, and three-layer desensitization of the data is realized on the basis of this driver proxy package. When a user issues SQL, DB_PROXY first acquires the user's SQL request, then acquires target information such as the WEB user name, the user IP and the corresponding database IP and database name from that request, queries the corresponding target database according to the WEB user name, the user IP and the corresponding database IP and database name, acquires the target SQL content in that database, analyzes the acquired target SQL content to obtain the tables and fields of the SQL statement, configures the tables and fields of the database, configures related desensitization rules for different fields, returns the related desensitization rule information, recombines the WEB user name, the user IP, the database name, the tables and the fields according to the desensitization rules, and generates and sends a new SQL statement to the database. On the premise that use remains transparent to the user and without adding extra equipment, database-user desensitization and application-program-user desensitization can be achieved according to differently configured desensitization rules, and three-layer desensitization is achieved.
The embodiment of the invention also provides a dynamic desensitization system based on a database-driven agent, in which a driver proxy package, db_proxy.jar, is added to the WEB application program; the SQL request is proxied, the SQL is dynamically modified according to the policy configuration and then sent to the database, and three-layer desensitization of the data is realized on the basis of this driver proxy package. When a user issues SQL, DB_PROXY first acquires the user's SQL request through the request acquisition module; the target acquisition module then acquires target information such as the WEB user name, the user IP and the corresponding database IP and database name from that request; the content acquisition module queries the corresponding target database according to the WEB user name, the user IP and the corresponding database IP and database name and acquires the target SQL content in that database; the content analysis module analyzes the acquired target SQL content to obtain the tables and fields of the SQL statement; the rule setting module configures the tables and fields of the database, configures related desensitization rules for different fields and returns the related desensitization rule information; and the statement recombination module recombines the WEB user name, the user IP, the database name, the table and the field according to the desensitization rules, generates a new SQL statement and sends it to the database. On the premise that use remains transparent to the user and without adding extra equipment, database-user desensitization and application-program-user desensitization can be achieved according to differently configured desensitization rules, and three-layer desensitization is realized.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a flowchart of a dynamic desensitization method based on database-driven agents according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a dynamic desensitization system based on a database-driven agent according to an embodiment of the present invention.
Reference numerals: 100 - request acquisition module; 200 - target acquisition module; 300 - content acquisition module; 400 - content analysis module; 500 - rule setting module; 501 - field acquisition sub-module; 502 - setting sub-module; 503 - requirement acquisition sub-module; 504 - modification sub-module; 600 - statement recombination module; 601 - rule acquisition sub-module; 602 - recombination sub-module; 700 - judging module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Examples
As shown in fig. 1, the present embodiment provides a dynamic desensitization method based on a database-driven agent, including the following steps:
S1, acquiring the user's SQL request;
S2, acquiring a WEB user name, a user IP and a corresponding database name according to the user's SQL request;
S3, acquiring SQL content in the corresponding database according to the WEB user name, the user IP and the corresponding database IP and database name;
S4, analyzing the SQL content to obtain a table and a field;
S5, setting a desensitization rule;
and S6, recombining the WEB user name, the user IP, the database name, the table and the field according to the desensitization rule, and generating and sending a new SQL statement.
A driver proxy package, db_proxy.jar, is added to the WEB application program. It proxies the SQL request, dynamically modifies the SQL according to the policy configuration and then sends it to the database, and three-layer desensitization of the data is realized on the basis of this driver proxy package. When a user issues SQL, DB_PROXY first acquires the user's SQL request, then acquires target information such as the WEB user name, the user IP and the corresponding database IP and database name from that request, queries the corresponding target database according to the WEB user name, the user IP and the corresponding database IP and database name, acquires the target SQL content in that database, analyzes the acquired target SQL content to obtain the tables and fields of the SQL statement, configures the tables and fields of the database, configures related desensitization rules for different fields, returns the related desensitization rule information, recombines the WEB user name, the user IP, the database name, the tables and the fields according to the desensitization rules, and generates and sends a new SQL statement to the database. On the premise that use remains transparent to the user and without adding extra equipment, database-user desensitization and application-program-user desensitization can be achieved according to differently configured desensitization rules, and three-layer desensitization is achieved.
In one embodiment, the method for setting desensitization rules comprises the following steps:
acquiring tables and fields in a database;
a plurality of desensitization rules are set according to tables and fields in the database.
When desensitization rules are set, firstly, tables and fields of statements in a database are obtained, relevant desensitization rules are configured for different fields, and relevant desensitization rule information is returned so as to carry out statement recombination subsequently.
In one embodiment, the method for setting desensitization rules further comprises the steps of:
acquiring desensitization requirements of users;
and modifying the desensitization rule according to the desensitization requirement of the user.
The desensitization rule can be flexibly set, the desensitization requirement of the user is obtained, and then the corresponding desensitization rule is added and modified according to the desensitization requirement of the user, so that the requirement of the user is met.
In one embodiment, the method for recombining the WEB user name, the user IP, the database name, the table and the field according to the desensitization rule comprises the following steps:
acquiring a corresponding desensitization rule according to the WEB user name, the user IP, the database name, the table and the field;
and recombining the WEB user name, the user IP, the database name, the table and the field according to the corresponding desensitization rule.
A preset corresponding desensitization rule is searched for according to the 6-tuple <database IP, database name, table, field, user IP, WEB user name>; the SQL is dynamically modified according to the corresponding desensitization rule, and the WEB user name, the user IP, the database name, the table and the field are recombined to generate a new SQL statement.
In one embodiment, the dynamic desensitization method based on the database-driven agent further comprises the following steps:
judging whether the user's SQL request completely contains a WEB user name, a user IP and the corresponding database IP and database name; if so, acquiring the WEB user name, the user IP and the corresponding database IP and database name; and if not, acquiring the user's SQL request again.
After an SQL request of a user is obtained, judging the SQL request of the user, judging whether the SQL request of the user contains all complete information such as a WEB user name, a user IP, a corresponding database IP and a database name, and if the SQL request of the user contains all complete information, obtaining the corresponding WEB user name, the user IP and the corresponding database name; if not, the SQL request of the user is obtained again, the judgment is carried out again, the corresponding WEB user name, the user IP, the corresponding database IP and the corresponding database name are obtained again, and the accuracy of subsequent data processing is ensured.
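The embodiments above describe three pieces that sit in front of the statement rewrite: setting and modifying rules (field acquisition, setting, requirement acquisition, modification), looking a rule up by the 6-tuple <database IP, database name, table, field, user IP, WEB user name>, and the judging step that sends an incomplete request back to be acquired again. The following Python example, added here and not taken from the patent or from db_proxy.jar, wires those three pieces together for one request. The patent does not say how a rule that specifies only some of the six components is matched, so the wildcard value `*`, the "most exact components wins, WEB user beats client IP on a tie" precedence, the rule names, and the `SAMPLE_REQUEST` are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# The four elements the judging step requires in every request; a request
# missing any of them is acquired again instead of being processed.
REQUIRED = ("web_user", "user_ip", "db_ip", "db_name")

# Constructed request, as the proxy would see it once the driver hands it over.
SAMPLE_REQUEST = {
    "web_user": "alice",
    "user_ip": "192.168.1.20",
    "db_ip": "10.0.0.5",
    "db_name": "crm",
    "sql": "SELECT id, phone FROM customer",
}

WILDCARD = "*"  # assumption: the patent does not define partial-rule matching


@dataclass(frozen=True)
class Context:
    """The 6-tuple the statement-recombination step looks rules up by."""
    db_ip: str
    db_name: str
    table: str
    field: str
    user_ip: str
    web_user: str

    def as_tuple(self):
        return (self.db_ip, self.db_name, self.table, self.field,
                self.user_ip, self.web_user)


def request_is_complete(request: dict) -> bool:
    """Judging step: all identifying information must be present and non-empty."""
    return all(request.get(k) for k in REQUIRED)


class RuleStore:
    """Desensitization rules keyed by 6-tuple; any component may be WILDCARD."""

    def __init__(self):
        self._rules: dict = {}

    # Rule setting and modification according to the user's requirements.
    def set_rule(self, key: tuple, rule: str) -> None:
        self._rules[key] = rule

    def remove_rule(self, key: tuple) -> None:
        self._rules.pop(key, None)

    def lookup(self, ctx: Context) -> Optional[str]:
        """Most specific matching rule wins: more exact components beat
        wildcards, and on a tie a rule naming the WEB user (application-user
        layer) beats one naming only the client IP. Assumed precedence."""
        best, best_score = None, None
        for key, rule in self._rules.items():
            exact = 0
            for want, have in zip(key, ctx.as_tuple()):
                if want == WILDCARD:
                    continue
                if want != have:
                    break  # a non-wildcard component mismatches: rule does not apply
                exact += 1
            else:
                score = (exact, key[5] != WILDCARD)
                if best_score is None or score > best_score:
                    best, best_score = rule, score
        return best


def choose_rule(request: dict, table: str, field: str, store: RuleStore):
    """Run one request through judge -> context -> lookup.
    Returns ("retry", None) when the request must be acquired again."""
    if not request_is_complete(request):
        return ("retry", None)
    ctx = Context(request["db_ip"], request["db_name"], table, field,
                  request["user_ip"], request["web_user"])
    return ("ok", store.lookup(ctx))


def demo_store() -> RuleStore:
    """Constructed rule set: a column default, a per-client-IP override and a
    per-WEB-user override for the same column."""
    s = RuleStore()
    s.set_rule(("10.0.0.5", "crm", "customer", "phone", "*", "*"), "keep-first-3-last-3")
    s.set_rule(("10.0.0.5", "crm", "customer", "phone", "192.168.1.20", "*"), "mask-all")
    s.set_rule(("10.0.0.5", "crm", "customer", "phone", "*", "auditor"), "no-masking")
    return s


if __name__ == "__main__":
    store = demo_store()
    print(choose_rule(SAMPLE_REQUEST, "customer", "phone", store))
    print(choose_rule({**SAMPLE_REQUEST, "db_name": ""}, "customer", "phone", store))
```

Two points worth noting from the defender's side: the judging step is what keeps an attribute-less request from silently falling through to the column default, and the precedence between overlapping rules must be fixed and documented, because the proxy's whole guarantee ("different effects for different application users") depends on the more specific rule actually winning.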
As shown in fig. 2, the present embodiment further provides a dynamic desensitization system based on database-driven agent, which includes a request obtaining module 100, a target obtaining module 200, a content obtaining module 300, a content parsing module 400, a rule setting module 500, and a statement reassembling module 600, where:
a request obtaining module 100, configured to obtain an SQL request of a user;
the target acquisition module 200 is configured to acquire a WEB user name, a user IP, and a corresponding database IP and a corresponding database name according to an SQL request of a user;
the content acquiring module 300 is configured to acquire SQL content in a corresponding database according to the WEB user name, the user IP, and the corresponding database IP and database name;
a content analysis module 400, configured to analyze the SQL content to obtain tables and fields;
a rule setting module 500 for setting desensitization rules;
and the statement restructuring module 600 is configured to restructure the WEB user name, the user IP, the database name, the table and the field according to the desensitization rule, and generate and send a new SQL statement.
A driver proxy package, db_proxy.jar, is added to the WEB application program. It proxies the SQL request, dynamically modifies the SQL according to the policy configuration and then sends it to the database, and three-layer desensitization of the data is realized on the basis of this driver proxy package. When a user issues SQL, DB_PROXY first acquires the user's SQL request through the request acquisition module 100; the target acquisition module 200 then acquires target information such as the WEB user name, the user IP and the corresponding database IP and database name from that request; the content acquisition module 300 queries the corresponding target database according to the WEB user name, the user IP and the corresponding database IP and database name and acquires the target SQL content in that database; the content analysis module 400 analyzes the acquired target SQL content to obtain the tables and fields of the SQL statement; the rule setting module 500 configures the tables and fields of the database, configures related desensitization rules for different fields and returns the related desensitization rule information; and the statement recombination module 600 recombines the WEB user name, the user IP, the database IP and database name, the tables and the fields according to the desensitization rules, generates a new SQL statement and sends it to the database. Thus, on the premise that use remains transparent to the user and without adding extra equipment, database-user desensitization and application-program-user desensitization can be achieved according to differently configured desensitization rules, i.e. three-layer desensitization: different desensitization effects for different database users, and different desensitization effects for different users of the application program accessing the database.
In one embodiment, the rule setting module 500 includes a field obtaining sub-module 501 and a setting sub-module 502, wherein:
a field obtaining submodule 501, configured to obtain tables and fields in a database;
a setting sub-module 502 for setting a plurality of desensitization rules according to the tables and fields in the database.
When desensitization rules are set, firstly, tables and fields of statements in a database are acquired through the field acquisition submodule 501, relevant desensitization rules are configured for different fields through the setting submodule 502, and relevant desensitization rule information is returned to the statement restructuring module 600.
In one embodiment, the rule setting module 500 further includes a requirement obtaining sub-module 503 and a modification sub-module 504, wherein:
a requirement obtaining submodule 503, configured to obtain a desensitization requirement of the user;
a modify sub-module 504 for modifying the desensitization rules according to the desensitization needs of the user.
Desensitization rules can be flexibly set, desensitization requirements of users are acquired through the requirement acquisition submodule 503, and then corresponding desensitization rules are added and modified through the modification submodule 504 according to the desensitization requirements of the users, so that the requirements of the users are met.
In one embodiment, the statement recombination module 600 includes a rule acquisition sub-module 601 and a recombination sub-module 602, where:
the rule acquisition sub-module 601 is configured to acquire the corresponding desensitization rule according to the WEB user name, the user IP, the database name, the table and the field;
and the recombination sub-module 602 is configured to recombine the WEB user name, the user IP, the database name, the table and the field according to the corresponding desensitization rule.
The rule acquisition sub-module 601 looks up the preset desensitization rule according to the 6-tuple <database IP, database name, table, field, user IP, WEB user name>, acquires the corresponding rule and passes it to the recombination sub-module 602. The recombination sub-module 602 then dynamically modifies the SQL according to that rule: it recombines the WEB user name, the user IP, the database name, the table and the field to generate a new SQL statement.
In one embodiment, the dynamic desensitization system based on the database driver proxy further includes a judging module 700, configured to judge whether the user's SQL request contains the complete set of a WEB user name, a user IP and the corresponding database IP and database name; if so, the target acquisition sub-module operates, and if not, the request acquisition module 100 operates.
After the user's SQL request is obtained, the judging module 700 checks whether it contains all of the required information, namely a WEB user name, a user IP and the corresponding database IP and database name. If it does, the target acquisition sub-module obtains the WEB user name, the user IP and the corresponding database IP and database name; if not, the request acquisition module 100 obtains the user's SQL request again, the check is repeated and the WEB user name, user IP, database IP and database name are obtained anew, which ensures the accuracy of subsequent data processing.
In summary, embodiments of the present invention provide a dynamic desensitization method and system based on a database driver proxy. A driver-proxy package, db_proxy.jar, is added to the WEB application program; it proxies the SQL request, dynamically modifies the SQL according to the policy configuration and then sends it to the database, and three-layer desensitization is implemented on the basis of db_proxy.jar. When a user issues SQL, DB_PROXY first acquires the user's SQL request through the request acquisition module 100. The judging module 700 then checks whether the request contains the complete information, namely a WEB user name, a user IP and the corresponding database IP and database name; if so, the target acquisition sub-module obtains them, and if not, the request acquisition module 100 re-acquires the request, the check is repeated and the information is obtained again, which ensures the accuracy of subsequent data processing. The target acquisition module 200 acquires the target information (WEB user name, user IP, database IP and database name) from the request; the content acquisition module 300 queries the corresponding target database according to that information and acquires the target SQL content; the content analysis module 400 analyzes the acquired content to obtain the tables and fields of the SQL statement; and the rule setting module 500 configures the tables and fields of the database, configures the relevant desensitization rules for the different fields and returns the rule information. The rules can also be set flexibly: the user's desensitization requirements are acquired through the requirement acquisition submodule 503, and the corresponding rules are added or modified through the modification submodule 504 to meet them. The rule acquisition submodule 601 looks up the preset desensitization rule according to the 6-tuple <database IP, database name, table, field, user IP, WEB user name>, acquires it and passes it to the recombination submodule 602, which dynamically modifies the SQL according to that rule, recombining the WEB user name, the user IP, the database name, the table and the field to generate a new SQL statement that is sent to the database. Use remains transparent to the user and no additional equipment needs to be added; according to the configured desensitization rules, desensitization of database users and desensitization of application program users can both be achieved, that is, three-layer desensitization.
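As an added illustration (not code from the patent or its applicant), the following Python sketch models the pipeline described above: a completeness check in the role of the judging module 700, a minimal SQL analysis step for table and fields, a rule lookup keyed by the 6-tuple <database IP, database name, table, field, user IP, WEB user name>, and statement recombination that substitutes masking expressions for sensitive fields. The wildcard "*" in rule keys, the most-specific-match preference, the MySQL-style masking expressions, the sample rule set and the sample queries are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule key, in the patent's 6-tuple order <database IP, database name, table, field, user IP, WEB user name>;
# treating "*" as a wildcard in any position is an assumption of this example.
RuleKey = Tuple[str, str, str, str, str, str]

# Masking strategies: bare column -> replacement SQL expression (MySQL-style, constructed; "plain" = no masking).
MASKS = {
    "plain":         lambda col: col,
    "phone_partial": lambda col: f"CONCAT(LEFT({col},3),'****',RIGHT({col},4)) AS {col}",
    "full_mask":     lambda col: f"'******' AS {col}",
    "hash":          lambda col: f"SHA2({col},256) AS {col}",
}

@dataclass(frozen=True)
class Context:
    # Target information attached to a request (target acquisition module 200).
    web_user: str
    user_ip: str
    db_ip: str
    db_name: str

    def is_complete(self) -> bool:
        # Role of the judging module 700: every element must be present before rewriting.
        return all((self.web_user, self.user_ip, self.db_ip, self.db_name))

# Content analysis (module 400), restricted to "SELECT cols FROM table [rest]".
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>.*)$", re.I | re.S)

def parse_select(sql: str) -> Tuple[List[str], str, str]:
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("only simple SELECT ... FROM <table> statements are handled")
    return [c.strip() for c in m.group("cols").split(",")], m.group("table"), m.group("rest")

def find_rule(rules: Dict[RuleKey, str], ctx: Context, table: str, field: str) -> Optional[str]:
    # Rule acquisition (sub-module 601): the most specific matching 6-tuple wins.
    probe = (ctx.db_ip, ctx.db_name, table, field, ctx.user_ip, ctx.web_user)
    best, best_score = None, -1
    for key, mask in rules.items():
        if all(k == "*" or k == p for k, p in zip(key, probe)):
            score = sum(k != "*" for k in key)
            if score > best_score:
                best, best_score = mask, score
    return best

def rewrite(sql: str, ctx: Context, rules: Dict[RuleKey, str]) -> str:
    # Statement recombination (sub-module 602): swap each sensitive field for its mask.
    if not ctx.is_complete():
        raise ValueError("incomplete request context; re-acquire the request (module 700)")
    cols, table, rest = parse_select(sql)
    if cols == ["*"]:
        raise ValueError("SELECT * must be expanded from the table schema before masking")
    new_cols = []
    for col in cols:
        mask = find_rule(rules, ctx, table, col)
        new_cols.append(MASKS[mask](col) if mask else col)
    return f"SELECT {', '.join(new_cols)} FROM {table}{rest}"

# Constructed rule set: by default phone is partially masked and id_card fully masked;
# the application user "auditor" gets a hash of phone and "admin" sees it in the clear.
RULES: Dict[RuleKey, str] = {
    ("10.0.0.5", "crm", "customer", "phone",   "*", "*"):       "phone_partial",
    ("10.0.0.5", "crm", "customer", "phone",   "*", "auditor"): "hash",
    ("10.0.0.5", "crm", "customer", "phone",   "*", "admin"):   "plain",
    ("10.0.0.5", "crm", "customer", "id_card", "*", "*"):       "full_mask",
}
```

Running `rewrite("SELECT name, phone, id_card FROM customer WHERE id = 7", ctx, RULES)` for different `Context.web_user` values shows the same query yielding differently masked projections per application user, which is the per-user effect the description calls three-layer desensitization.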
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (10)
1. A dynamic desensitization method based on database-driven agents is characterized by comprising the following steps:
acquiring a SQL request of a user;
acquiring a WEB user name, a user IP and a corresponding database name according to an SQL request of a user;
acquiring SQL content in a corresponding database according to the WEB user name, the user IP and the corresponding database IP and database name;
analyzing SQL contents to obtain tables and fields;
setting a desensitization rule;
and recombining the WEB user name, the user IP, the database name, the table and the field according to a desensitization rule, and generating and sending a new SQL statement.
2. The dynamic desensitization method based on database driven agent according to claim 1, characterized in that, said method for setting desensitization rules comprises the following steps:
acquiring tables and fields in a database;
a plurality of desensitization rules are set according to tables and fields in the database.
3. The dynamic desensitization method based on database driven agent according to claim 2, wherein said method for setting desensitization rules further comprises the steps of:
acquiring desensitization requirements of users;
and modifying the desensitization rule according to the desensitization requirement of the user.
4. The dynamic desensitization method based on database-driven agents according to claim 1, wherein the method for reorganizing WEB user names, user IPs, database names, tables and fields according to desensitization rules comprises the following steps:
acquiring a corresponding desensitization rule according to the WEB user name, the user IP, the database name, the table and the field;
and recombining the WEB user name, the user IP, the database name, the table and the field according to the corresponding desensitization rule.
5. The method of claim 1, wherein the method further comprises the steps of:
judging whether the SQL request of the user completely contains a WEB user name, a user IP and the corresponding database IP and database name; if so, acquiring the WEB user name, the user IP and the corresponding database IP and database name; and if not, acquiring the SQL request of the user again.
6. A dynamic desensitization system based on a database-driven agent, characterized by comprising a request acquisition module, a target acquisition module, a content analysis module, a rule setting module and a statement recombination module, wherein:
the request acquisition module is used for acquiring the SQL request of the user;
the target acquisition module is used for acquiring a WEB user name, a user IP and a corresponding database name according to the SQL request of the user;
the content acquisition module is used for acquiring SQL contents in the corresponding database according to the WEB user name, the user IP and the corresponding database IP and database name;
the content analysis module is used for analyzing the SQL content to obtain a table and a field;
the rule setting module is used for setting desensitization rules;
and the statement recombination module is used for recombining the WEB user name, the user IP, the database name, the table and the field according to the desensitization rule, and generating and sending a new SQL statement.
7. The database-driven agent based dynamic desensitization system of claim 6, wherein said rule setting module comprises a field acquisition submodule and a setting submodule, wherein:
the field acquisition submodule is used for acquiring tables and fields in the database;
and the setting submodule is used for setting a plurality of desensitization rules according to the tables and the fields in the database.
8. The database-driven agent-based dynamic desensitization system of claim 7, wherein said rule-setting module further comprises a requirement acquisition sub-module and a modification sub-module, wherein:
the requirement acquisition submodule is used for acquiring desensitization requirements of the user;
and the modification submodule is used for modifying the desensitization rule according to the desensitization requirement of the user.
9. The system of claim 6, wherein the statement reorganization module comprises a rule obtaining sub-module and a reorganization sub-module, wherein:
the rule acquisition submodule is used for acquiring a corresponding desensitization rule according to the WEB user name, the user IP, the database name, the table and the field;
and the recombination submodule is used for recombining the WEB user name, the user IP, the database name, the table and the field according to the corresponding desensitization rule.
10. The dynamic desensitization system based on the database-driven agent according to claim 6, wherein the dynamic desensitization system based on the database-driven agent further comprises a judging module for judging whether the SQL request of the user completely contains the WEB user name, the user IP and the corresponding database IP and database name; if so, the target acquisition sub-module operates, and if not, the request acquisition module operates.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010712492.2A CN112035871A (en) | 2020-07-22 | 2020-07-22 | Dynamic desensitization method and system based on database driven proxy |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010712492.2A CN112035871A (en) | 2020-07-22 | 2020-07-22 | Dynamic desensitization method and system based on database driven proxy |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112035871A true CN112035871A (en) | 2020-12-04 |
Family
ID=73582471
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010712492.2A Pending CN112035871A (en) | 2020-07-22 | 2020-07-22 | Dynamic desensitization method and system based on database driven proxy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112035871A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112948877A (en) * | 2021-03-03 | 2021-06-11 | 北京中安星云软件技术有限公司 | Dynamic database desensitization method and system based on TCP (Transmission control protocol) proxy |
CN113901515A (en) * | 2021-10-11 | 2022-01-07 | 矢量云科信息科技(无锡)有限公司 | Dynamic desensitization processing method and dynamic desensitization system |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106203170A (en) * | 2016-07-19 | 2016-12-07 | 北京同余科技有限公司 | The Database Dynamic desensitization method of servicing of based role and system |
CN109358869A (en) * | 2018-09-03 | 2019-02-19 | 中国平安人寿保险股份有限公司 | Configuration file amending method, device, computer equipment and storage medium |
CN110688662A (en) * | 2019-09-16 | 2020-01-14 | 威富通科技有限公司 | Sensitive data desensitization and inverse desensitization method and electronic equipment |
CN110727949A (en) * | 2019-09-06 | 2020-01-24 | 上海陆家嘴国际金融资产交易市场股份有限公司 | Data storage method and device, computer equipment and storage medium |
CN110889130A (en) * | 2018-12-10 | 2020-03-17 | 北京炼石网络技术有限公司 | Database-based fine-grained data encryption method, system and device |
CN111177788A (en) * | 2020-01-07 | 2020-05-19 | 北京启明星辰信息安全技术有限公司 | Hive dynamic desensitization method and dynamic desensitization system |
CN111400762A (en) * | 2020-03-18 | 2020-07-10 | 上海凯馨信息科技有限公司 | Dynamic desensitization method for oracle database |
CN111428273A (en) * | 2020-04-23 | 2020-07-17 | 北京中安星云软件技术有限公司 | Dynamic desensitization method and device based on machine learning |
CN111428141A (en) * | 2020-04-23 | 2020-07-17 | 北京中安星云软件技术有限公司 | Method and device for associating application and database access behavior based on driving agent |
Similar Documents
Publication | Title |
---|---|
CN112615849B (en) | Micro-service access method, device, equipment and storage medium |
CN109688120B (en) | Dynamic authority management system based on improved RBAC model and Spring Security framework |
US7296077B2 (en) | Method and system for web-based switch-user operation |
JP5587732B2 (en) | Computer-implemented method, computer program, and system for managing access to a domain name service (DNS) database |
CN103403707B (en) | The system and method exchanged for database proxy request |
US8131753B2 (en) | Apparatus and method for accessing and indexing dynamic web pages |
US7958105B2 (en) | System and method for filtering database results using dynamic composite queries |
CN112035871A (en) | Dynamic desensitization method and system based on database driven proxy |
US20140025694A1 (en) | Database query language gateway |
US20180191692A1 (en) | Encryption filter |
US9363140B2 (en) | System and method for analyzing and reporting gateway configurations and rules |
US11640409B2 (en) | Application programming interface ("APIS") for accessing and amalgamating data from incongruent sources |
CN102916991B (en) | Method, system and device for transmitting data |
WO2007108874A1 (en) | Declarations for transformations within service sequences |
JPH0844643A (en) | Gateway device |
WO2020092135A1 (en) | Extracting web api endpoint data from source code |
CN109508437B (en) | Search website auditing method, system, gateway equipment and storage medium |
CN111310230B (en) | Spatial data processing method, device, equipment and medium |
AU2008355023A1 (en) | Generating sitemaps |
US20080127234A1 (en) | Methods, systems, and computer program products for a remote request dispatcher extension framework for container based programming models |
WO2021184580A1 (en) | Intelligent domain name resolution method and apparatus, electronic device and computer-readable storage medium |
CN115543479A (en) | Interface calling analysis method and device suitable for dynamic parameters |
CN1620060A (en) | Integrating browser-incompatible information into web content and method for displaying the information |
US20040148372A1 (en) | Web-browser based heterogeneous systems management tool |
US7788313B2 (en) | System for character validation and method therefor |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |