CN112307509A - Desensitization processing method, equipment, medium and electronic equipment - Google Patents

Publication number: CN112307509A
Application number: CN202011123088.8A
Priority: CN202011123088.8A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 王恒康, 杨锋, 纪明林, 陈佳星, 邵海洋
Original and current assignee: Beijing Sankuai Online Technology Co Ltd
Prior art keywords: desensitized, desensitization, attribute information, determining, called

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Abstract

This specification discloses a desensitization processing method, apparatus, medium, and electronic apparatus, including: intercepting data processing information transmitted between a server and other equipment, and identifying whether a target code called by the data processing information contains a first annotation identifier; if the judgment result is that the first annotation identification is contained, determining that the called target code contains the object to be desensitized, and determining the object type corresponding to the object to be desensitized; determining attribute information corresponding to the object to be desensitized according to the object type; and performing desensitization processing on the determined attribute information by using a set desensitization processing mode. Under the condition that a source program code is not changed, whether an object to be desensitized is contained or not is identified by intercepting data information, and desensitization processing is started if the object to be desensitized is contained, so that the target code of data processing can be quickly executed, equipment resources consumed by execution are saved, and desensitization protection on sensitive data can be guaranteed in time.

Description

Desensitization processing method, equipment, medium and electronic equipment
Technical Field
The present disclosure relates to the field of internet information processing technologies, and in particular, to a desensitization processing method, device, medium, and electronic device.
Background
Data resources in various industries often contain a large amount of sensitive and important data; once such data is leaked or illegally used, it can cause irreparable loss.
To improve the security of sensitive data and strengthen its protection mechanism, desensitization processing of sensitive data has been proposed. A common desensitization processing method combines annotation with code enhancement. In the source program code editing stage, the string data type is marked with an annotation identifier; in the source program code compiling stage, a number of auxiliary functions and auxiliary fields are added, by code enhancement, to the annotated string data type in the original source program code, so that the compiled target application program has desensitization processing capability. When the target application program is called and the field content of a field corresponding to the annotated string data type is read, the desensitized form of that field content is output directly.
However, this desensitization processing method has the following defects in practice: because code enhancement is applied at the compiling stage of the source program code, many auxiliary functions and auxiliary fields are added to the original source program code, so the original source program code is changed considerably, and the computing resources consumed when the target application program runs also increase.
Therefore, a desensitization processing method is provided to solve these problems and improve the protection of sensitive data.
Disclosure of Invention
The present specification provides a desensitization processing method, apparatus, medium, and electronic apparatus, which partially solve the above problems of the prior art.
The technical scheme adopted by the specification is as follows:
a desensitization treatment method provided by the present specification, the method comprising:
intercepting data processing information transmitted between the server and other equipment;
identifying whether target code called by the data processing information contains a first annotation identification;
if the judgment result is that the first annotation identifier is included, determining that the called target code includes an object to be desensitized, and determining an object type corresponding to the object to be desensitized;
determining attribute information corresponding to the object to be desensitized according to the object type;
and performing desensitization processing on the determined attribute information by using a set desensitization processing mode.
Optionally, the method further includes:
if the judgment result is that the first annotation identification is not contained, judging whether the interface for transmitting the data processing information is a designated interface;
if the judgment result is a designated interface, extracting the attribute information of the called object from the target code called by the data processing information through the designated interface;
and performing desensitization processing on the extracted attribute information by using a set desensitization processing mode.
Optionally, extracting, through the designated interface, attribute information of the called object from the target code called by the data processing information includes:
identifying whether the called object contains a second annotation identifier or not from the target code called by the data processing information through the specified interface;
and if the called object contains a second annotation identifier, extracting attribute information of the attribute to be desensitized corresponding to the second annotation identifier according to the second annotation identifier.
Optionally, the method further includes:
and if the judgment result is that the target code is not the designated interface, outputting an execution result corresponding to the target code called by the data processing information.
Optionally, determining attribute information corresponding to the object to be desensitized according to the object type specifically includes:
according to the object type, identifying whether the object to be desensitized contains a second annotation identification;
if the object to be desensitized is determined to contain a second annotation identifier, determining an attribute corresponding to the second annotation identifier according to the second annotation identifier, and extracting attribute information of the determined attribute;
if the object to be desensitized does not contain the second annotation identification, determining all attributes corresponding to the object to be desensitized according to the object type, and extracting attribute information of all the determined attributes.
Optionally, determining attribute information corresponding to the object to be desensitized according to the object type specifically includes:
if the determined object type is the nesting type, sequentially extracting field contents corresponding to fields contained in the nesting type according to nesting logic corresponding to the nesting type;
and determining the extracted field content as the attribute information corresponding to the object to be desensitized.
Optionally, by using a set desensitization processing mode, desensitization processing is performed on the attribute information corresponding to the object to be desensitized, which specifically includes:
according to the attribute information corresponding to the object to be desensitized, whether a desensitization result corresponding to the attribute information of the object to be desensitized exists or not is inquired from a cache database;
if so, outputting the inquired desensitization result;
if the attribute information does not exist, determining the type of the attribute information corresponding to the object to be desensitized, and selecting a desensitization processing mode corresponding to the determined type from the set desensitization processing modes; and performing desensitization treatment on the attribute information corresponding to the object to be desensitized by using the selected desensitization treatment mode to obtain a desensitization result.
This specification provides a desensitization treatment apparatus, including:
the acquisition unit is used for intercepting data processing information transmitted between the server and other equipment;
the identification unit is used for identifying whether the target code called by the data processing information contains a first annotation identification; if the judgment result is that the first annotation identifier is contained, determining that the called target code contains the object to be desensitized, and determining the object type corresponding to the object to be desensitized;
the processing unit is used for determining attribute information corresponding to the object to be desensitized according to the object type; and performing desensitization treatment on the determined attribute information by using a set desensitization treatment mode.
The present specification provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the desensitization processing method described above.
The present specification provides an electronic device comprising a memory, a processor and a computer program stored on the memory and running on the processor, wherein the processor executes the program to implement the desensitization processing method described above.
The technical scheme adopted by the specification can achieve the following beneficial effects:
in the desensitization processing method provided by the specification, when data processing information is transmitted between a server and other equipment, the data processing information is intercepted, and whether a target code called by the data processing information contains a first annotation identifier is identified; if the judgment result is that the first annotation identifier is included, determining that the called target code includes an object to be desensitized, and determining an object type corresponding to the object to be desensitized; determining attribute information corresponding to the object to be desensitized according to the object type; and performing desensitization processing on the determined attribute information by using the set desensitization processing mode. That is to say, the desensitization processing scheme provided in this specification does not need to change a source program code, but identifies whether a to-be-desensitized object is included in transmitted data information by intercepting data information transmitted between a server and other devices in an object code execution stage, and starts desensitization processing if the to-be-desensitized object is included, so that not only can the object code for data processing be ensured to be executed quickly, and device resources consumed by execution are saved, but also desensitization protection can be ensured to be performed on sensitive data in time.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification and constitute a part of it, illustrate embodiments of the specification and, together with the description, serve to explain the specification without limiting it. In the drawings:
fig. 1 is a schematic flow chart of a desensitization processing method according to an embodiment of the present disclosure;
fig. 2 is a schematic flow chart of a desensitization processing method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a desensitization processing apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device provided in an embodiment of this specification.
Detailed Description
Based on the above, the present specification provides a desensitization processing method, which intercepts data processing information when the data processing information is transmitted between a server and other devices, and identifies whether a target code called by the data processing information contains a first annotation identifier; if the judgment result is that the first annotation identifier is included, determining that the called target code includes an object to be desensitized, and determining an object type corresponding to the object to be desensitized; determining attribute information corresponding to the object to be desensitized according to the object type; and performing desensitization processing on the determined attribute information by using a set desensitization processing mode. That is to say, the desensitization processing scheme provided in this specification does not need to change the source program code, but in the target code execution stage, identifies whether the transmitted data information includes an object to be desensitized by intercepting the data information transmitted between the server and other devices, and starts desensitization processing if the transmitted data information includes the object to be desensitized, so that not only can the target code for data processing be ensured to be executed quickly, and the device resources consumed by execution are saved, but also desensitization protection can be ensured to be performed on sensitive data in time.
It should be noted that the embodiments of the present specification describe a first annotation identifier, which characterizes that the identified target code contains an object to be desensitized, and a second annotation identifier, which characterizes that the identified object contains an attribute to be desensitized. That is, the "first annotation identifier" and the "second annotation identifier" described in the embodiments of the present specification are different annotation identifiers; "first" and "second" only distinguish them and imply no ordering.
In order to make the objects, technical solutions and advantages of the present specification clearer, the technical solutions of the present specification will be clearly and completely described below with reference to specific embodiments of the present specification and corresponding drawings. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any creative effort belong to the protection scope of the present specification.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a desensitization processing method according to an embodiment of the present disclosure. The method may be as follows.
Step 101, intercepting data processing information transmitted between a server and other equipment.
In the embodiments provided in the present specification, a large amount of data processing information is generated between the server and other devices due to data interaction, and the data processing information contains some sensitive data and/or important data. In order to ensure the data security of the sensitive data and/or important data, the data processing information can be intercepted by an intercepting tool or an intercepting device before being transmitted through the network.
Subsequently, by identifying the intercepted data processing information, it is determined whether to perform desensitization processing on the content related to the data processing information by using the desensitization processing scheme provided in the present specification.
Step 103: identifying whether target code called by the data processing information includes a first annotation identification.
Wherein the first annotation identification is used for characterizing that the called target code contains an object to be desensitized.
In the embodiment provided in this specification, an object that needs desensitization may be annotated in the source code during the source code editing stage. After the source code compiling stage, the object contained in the generated target code carries the same annotation, so the annotation identifier can be used to identify whether the called target code contains an object to be desensitized.
For example, the first annotation identifier is DesensizedMark. A segment of code preceded by @DesensizedMark contains an object to be desensitized.
For example:
@DesensizedMark
public class User { … … }
indicates that if the code of public class User { … … } is called, that code contains the object to be desensitized.
Specifically, the code content of the target code called by the data processing information is identified, and it is judged from the identified code content whether the target code is marked with the specified annotation identifier (i.e. the first annotation identifier). If yes, the target code contains the first annotation identifier and step 105 is triggered; if not, the target code does not contain the first annotation identifier.
In the source code editing stage, the object needing desensitization is first determined; then, when the source code corresponding to that object is edited, an annotation identifier is added to the source code to annotate the object. This implicitly increases the workload of code editing, and annotations are easily omitted (that is, some objects that need desensitization have no annotation identifier added in their source code).
To reduce the annotation workload, in the embodiments provided in this specification a specified interface (API interface) may be annotated instead, that is, an annotation identifier is added to one or more specified interfaces. If a specified interface carries the annotation identifier, the target code called through that interface contains an object to be desensitized. When the source code corresponding to the object needing desensitization is edited, code that refers to the annotated specified interface is added to the source code, so that the specified interface is certain to be used whenever the source code is called; because the specified interface is used, the object contained in the source code is desensitized.
If the judgment result in step 103 does not include the first annotation identifier, it is further required to judge whether the interface for transmitting the data processing information is the designated interface; if the judgment result is a designated interface, extracting the attribute information of the called object from the target code called by the data processing information through the designated interface; and performing desensitization processing on the extracted attribute information by using a set desensitization processing mode.
Specifically, first, it is identified whether the called object includes the second annotation identifier from the target code called by the data processing information through the specified interface.
Wherein the second annotation identification is used for characterizing that the identified object contains the attribute to be desensitized.
It should be noted that identifying "whether the called object includes the second annotation identifier from the target code called by the data processing information through the designated interface" may use a backward calling mechanism: according to the data processing information, the target code called by the data processing information is determined backward through the designated interface, the called object contained in the target code is determined, and it is then identified whether that object contains the second annotation identifier.
The "second annotation identifier" here has a different meaning from the "first annotation identifier". The second annotation identifier characterizes an attribute to be desensitized: if a certain attribute in the object is a sensitive attribute, a second annotation identifier may be added to that attribute. For example, the second annotation identifier may be denoted Desensized. For example: public class User { @Desensized(DesensitedType.NAME) private String name; … … }, where the attribute to be desensitized is the name (NAME).
Secondly, if the called object is determined to contain a second annotation identification, extracting attribute information of the attribute to be desensitized corresponding to the second annotation identification according to the second annotation identification.
And if the called object does not contain the second annotation identification, extracting attribute information of all attributes corresponding to the called object. I.e. it is stated that all properties of the invoked object are properties to be desensitized.
Step 105: If the judgment result is that the first annotation identifier is contained, determine that the called target code contains the object to be desensitized, and determine the object type corresponding to the object to be desensitized.
In the embodiment provided in this specification, when it is determined that the called target code includes the first annotation identifier, the target code contains an object to be desensitized, and the object to be desensitized contained in the called target code can then be determined from the code content of the target code. The object to be desensitized may be one object or a plurality of objects; the number of objects is not limited.
When it is determined that the called target code contains the object to be desensitized, the type of the object corresponding to the object to be desensitized can be further determined. Taking Java programs as an example for illustration, the object types herein may include, but are not limited to: string type, generic, inherited class, queue, nested class, etc.
Step 107: Determine attribute information corresponding to the object to be desensitized according to the object type.
In an embodiment provided by the present description, it is identified whether the object to be desensitized contains a second annotation identification according to the object type.
Wherein the second annotation identification is used for characterizing that the identified object contains the attribute to be desensitized.
If the object to be desensitized is determined to contain a second annotation identifier, the attribute corresponding to the second annotation identifier is determined according to the second annotation identifier, and the attribute information of the determined attribute is extracted. That is, the extracted attributes are those labeled with the second annotation identifier, which need not be all the attributes; if all attributes are labeled with the second annotation identifier, the extracted attributes are all the attributes.
If the object to be desensitized does not contain the second annotation identification, determining all attributes corresponding to the object to be desensitized according to the object type, and extracting attribute information of all the determined attributes.
Specifically, if the determined object type is a String type, reading field contents corresponding to each field of the String type, and determining the read field contents as attribute information corresponding to the object to be desensitized.
If the determined object type is the nesting type, sequentially extracting field contents corresponding to fields contained in the nesting type according to nesting logic corresponding to the nesting type;
and determining the extracted field content as the attribute information corresponding to the object to be desensitized.
By nested type is understood that one object contains another object. For example: the user class can contain a plurality of different attributes, and can also nest other objects, such as: an address class is nested in the user class, which contains a number of different address attributes.
The user class is assumed to contain a name attribute, a telephone attribute, a bank card number attribute and an address class, and the address class contains a home address attribute, a company address attribute and a school address attribute; then according to the nesting logic corresponding to the user class, the sequentially extracted field contents are: name attribute, phone attribute, bank card number attribute, home address attribute, company address attribute, school address attribute.
Step 109: Perform desensitization processing on the determined attribute information by using a set desensitization processing mode.
In the embodiment provided in this specification, first, according to the attribute information corresponding to the object to be desensitized, whether a desensitization result corresponding to the attribute information of the object to be desensitized exists is queried from a cache database;
secondly, if the desensitization result exists, outputting the inquired desensitization result; if the attribute information does not exist, determining the type of the attribute information corresponding to the object to be desensitized, and selecting a desensitization processing mode corresponding to the determined type from the set desensitization processing modes; and performing desensitization treatment on the attribute information corresponding to the object to be desensitized by using the selected desensitization treatment mode to obtain a desensitization result.
The type of attribute information described here refers to the expression form of the attribute information, for example: text, numbers, characters, etc. Different expression forms correspond to different desensitization processing modes, which can also be understood as calling different desensitization auxiliary functions; the desensitization auxiliary functions and desensitization processing modes are not particularly limited herein.
And after the desensitization processing result is obtained by the desensitization processing mode, the desensitization processing result is cached, so that repeated desensitization on the same attribute information of the same object can be avoided, and resources can be saved.
Optionally, when it is determined that the called target code does not include the first annotation identifier, and the transmission interface used by the called target code is not the designated interface, the execution result corresponding to the target code called by the data processing information is output. Namely, the data processing information does not contain desensitization information and does not need desensitization processing.
According to the technical scheme provided by the specification, when data processing information is transmitted between a server and other equipment, the data processing information is intercepted, and whether a target code called by the data processing information contains a first annotation identifier is identified; if the judgment result is that the first annotation identifier is included, determining that the called target code includes an object to be desensitized, and determining an object type corresponding to the object to be desensitized; determining attribute information corresponding to the object to be desensitized according to the object type; and performing desensitization processing on the determined attribute information by using a set desensitization processing mode. That is to say, the desensitization processing scheme provided in this specification does not need to change the source program code, but in the target code execution stage, identifies whether the transmitted data information includes an object to be desensitized by intercepting the data information transmitted between the server and other devices, and starts desensitization processing if the transmitted data information includes the object to be desensitized, so that not only can the target code for data processing be ensured to be executed quickly, and the device resources consumed by execution are saved, but also desensitization protection can be ensured to be performed on sensitive data in time.
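The decision flow of steps 101 to 109, as an added Java example that is not code from the patent or its assignee: the class of an intercepted result is inspected by reflection at run time, so the sample classes carry annotations but no generated helper code. The annotation names follow the page's spelling; the NUMBER and TEXT modes, the masking rules, the designatedInterface flag, treating the returned object's class as the "target code", and the sample classes are assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class DesensitizeDemo {
    // Names follow the page's spelling; NUMBER and TEXT are assumed modes.
    enum DesensitedType { NAME, NUMBER, TEXT }

    // RUNTIME retention is required: with the default (CLASS) retention the
    // reflective checks below return false and masking is silently skipped.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface DesensizedMark {}                        // first annotation identifier

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface Desensized { DesensitedType value(); }   // second annotation identifier

    // Constructed sample classes.
    @DesensizedMark
    static class User {
        @Desensized(DesensitedType.NAME) private String name = "Alice Example";
        @Desensized(DesensitedType.NUMBER) private String phone = "13800001234";
        private String nickname = "al";                 // unannotated: output unchanged
        private Address address = new Address();        // nested type
    }
    static class Address {                              // no second annotation: all attributes masked
        private String home = "1 Sample Road";
        private String company = "2 Sample Street";
    }
    static class Order {
        private String item = "book";
        private String cardNo = "6222000011112222";
    }

    // Step 109 cache. The key holds the clear value, so a deployed cache
    // needs a size bound and the same protection as the data itself.
    private final Map<String, String> cache = new ConcurrentHashMap<>();
    int cacheHits = 0;

    /** Steps 103 to 109 applied to one intercepted result object. */
    public Object intercept(Object result, boolean designatedInterface) {
        boolean marked = result.getClass().isAnnotationPresent(DesensizedMark.class);
        if (!marked && !designatedInterface) return result;    // neither trigger: output as is
        Map<String, String> out = new LinkedHashMap<>();
        collect(result, "", out, Collections.newSetFromMap(new IdentityHashMap<>()));
        return out;
    }

    // Step 107: walk the attributes, descending into nested objects in field order.
    private void collect(Object obj, String prefix, Map<String, String> out, Set<Object> seen) {
        if (!seen.add(obj)) return;                            // guard against reference cycles
        Field[] fields = obj.getClass().getDeclaredFields();   // declaration order on common JVMs
        boolean hasSecond = Arrays.stream(fields).anyMatch(f -> f.isAnnotationPresent(Desensized.class));
        for (Field f : fields) {
            if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) continue;
            f.setAccessible(true);
            Object v;
            try { v = f.get(obj); } catch (IllegalAccessException e) { throw new IllegalStateException(e); }
            if (v == null) continue;
            String path = prefix + f.getName();
            if (isNested(v)) { collect(v, path + ".", out, seen); continue; }
            String clear = v.toString();
            Desensized d = f.getAnnotation(Desensized.class);
            if (d != null) out.put(path, mask(d.value(), clear));        // annotated attribute
            else if (!hasSecond) out.put(path, mask(guess(clear), clear)); // no second annotation: mask all
            else out.put(path, clear);                                    // sibling of annotated attributes
        }
    }

    // Only application classes are traversed; JDK types are treated as leaf values.
    private static boolean isNested(Object v) {
        return !(v instanceof CharSequence || v instanceof Number || v instanceof Boolean
                || v instanceof Character || v instanceof Enum)
                && !v.getClass().getName().startsWith("java.");
    }

    // Mode chosen from the expression form when no second annotation names one.
    private static DesensitedType guess(String s) {
        return s.chars().allMatch(Character::isDigit) ? DesensitedType.NUMBER : DesensitedType.TEXT;
    }

    // Step 109: return the cached result if present, else mask and cache.
    private String mask(DesensitedType mode, String clear) {
        String key = mode + ":" + clear;
        String hit = cache.get(key);
        if (hit != null) { cacheHits++; return hit; }
        String masked;
        switch (mode) {
            case NAME:   masked = keep(clear, 1, 0); break;
            case NUMBER: masked = keep(clear, 0, 4); break;
            default:     masked = keep(clear, 0, 0); break;
        }
        cache.put(key, masked);
        return masked;
    }

    // Keep `head` leading and `tail` trailing characters; values too short to
    // hide anything that way are masked completely. Requires Java 11 (String.repeat).
    private static String keep(String s, int head, int tail) {
        if (s.length() <= head + tail) return "*".repeat(s.length());
        return s.substring(0, head) + "*".repeat(s.length() - head - tail) + s.substring(s.length() - tail);
    }

    public static void main(String[] args) {
        DesensitizeDemo d = new DesensitizeDemo();
        System.out.println(d.intercept(new User(), false));    // first annotation present
        System.out.println(d.intercept(new Order(), true));    // designated interface, all attributes
        System.out.println(d.intercept(new Order(), false) instanceof Order); // untouched
        d.intercept(new User(), false);                        // second pass is served from the cache
        System.out.println("cache hits: " + d.cacheHits);
    }
}
```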
Based on the same inventive concept, Fig. 2 is a flowchart of a desensitization processing method provided in the embodiments of this specification. The method may proceed as follows.
Step 201: Intercept the data processing information transmitted between the server and other devices.
Step 203: Identify whether the target code called by the data processing information contains a first annotation identifier; if yes, go to step 205; if not, go to step 221.
Step 205: Determine that the called target code contains an object to be desensitized, and determine the object type corresponding to the object to be desensitized.
Step 207: According to the object type, identify whether the object to be desensitized contains a second annotation identifier; if it does, go to step 209; otherwise, go to step 211.
Step 209: Determine the attribute corresponding to the second annotation identifier, and extract the attribute information of the determined attribute. Then go to step 213.
Step 211: Determine all attributes corresponding to the object to be desensitized according to the object type, and extract the attribute information of all the determined attributes.
Step 213: According to the attribute information corresponding to the object to be desensitized, query the cache database for a desensitization result corresponding to that attribute information; if one exists, go to step 215; otherwise, go to step 217.
Step 215: Output the queried desensitization result.
Step 217: Determine the type of the attribute information corresponding to the object to be desensitized, and select the desensitization processing mode corresponding to the determined type from the set desensitization processing modes.
Step 219: Desensitize the attribute information corresponding to the object to be desensitized using the selected desensitization processing mode to obtain a desensitization result.
Step 221: Judge whether the interface transmitting the data processing information is a designated interface; if it is, go to step 223; otherwise, go to step 229.
Step 223: Through the designated interface, identify from the target code called by the data processing information whether the called object contains the second annotation identifier; if it does, go to step 225; otherwise, go to step 227.
Step 225: According to the second annotation identifier, extract the attribute information of the attribute to be desensitized that corresponds to it. Then go to step 213.
Step 227: Extract the attribute information of all attributes corresponding to the called object. Then go to step 213.
Step 229: Output the execution result corresponding to the target code called by the data processing information.
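The flow of Fig. 2 as a runnable sketch; this is an added example, not code from the patent. It assumes Python stand-ins: the `desensitize` decorator plays the first annotation identifier, the dataclass field metadata set by `sensitive()` plays the second, and the interface name, the masking rules and the HMAC-keyed cache (chosen so the cache never stores plaintext) are illustrative.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field, fields, is_dataclass, replace

# Everything below is constructed for illustration; none of it comes from the patent.
CACHE_KEY = b"constructed-demo-key"       # assumption: per-deployment secret
DESIGNATED_INTERFACES = {"/export/user"}  # assumption: hypothetical interface name
cache = {}                                # stands in for the cache database
stats = {"hit": 0, "miss": 0}

def desensitize(handler):
    """First annotation identifier: marks target code whose result must be masked."""
    handler.__desensitize__ = True
    return handler

def sensitive():
    """Second annotation identifier: marks one attribute of an object."""
    return field(metadata={"sensitive": True})

def mask_phone(v):
    return v[:3] + "****" + v[-4:]

def mask_email(v):
    local, _, domain = v.partition("@")
    return local[:1] + "***@" + domain

def mask_generic(v):
    return v[:1] + "*" * (len(v) - 1)

# Step 217: type of the attribute information -> desensitization mode.
MODES = [
    (re.compile(r"\d{11}"), mask_phone),
    (re.compile(r"[^@\s]+@[^@\s]+"), mask_email),
]

def mask_value(value):
    """Steps 213-219: cache lookup first, type-based masking on a miss."""
    # Key the cache by HMAC so the cache database never holds the plaintext.
    key = hmac.new(CACHE_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if key in cache:
        stats["hit"] += 1
        return cache[key]                                  # step 215
    stats["miss"] += 1
    mode = next((m for rx, m in MODES if rx.fullmatch(value)), mask_generic)
    cache[key] = mode(value)                               # step 219
    return cache[key]

def mask_object(obj):
    """Steps 207-211 and 223-227: choose attributes; nested types are walked in order."""
    if not is_dataclass(obj) or isinstance(obj, type):
        return obj
    marked = {f.name for f in fields(obj) if f.metadata.get("sensitive")}
    changes = {}
    for f in fields(obj):
        value = getattr(obj, f.name)
        if is_dataclass(value):
            changes[f.name] = mask_object(value)           # nested type
        elif isinstance(value, str) and (not marked or f.name in marked):
            changes[f.name] = mask_value(value)            # marked, or all if none marked
    return replace(obj, **changes)

def intercept(interface, handler, *args):
    """Steps 201-229: wrap one call and decide whether its result is masked."""
    result = handler(*args)                                # step 201
    if getattr(handler, "__desensitize__", False):         # step 203
        return mask_object(result)                         # steps 205-219
    if interface in DESIGNATED_INTERFACES:                 # step 221
        return mask_object(result)                         # steps 223-227, then 213
    return result                                          # step 229

@dataclass(frozen=True)
class Address:
    city: str
    street: str = sensitive()

@dataclass(frozen=True)
class User:
    name: str
    phone: str = sensitive()
    email: str = sensitive()
    address: Address = None

@dataclass(frozen=True)
class Contact:                                             # no second annotation at all
    name: str
    phone: str

@desensitize
def get_user(uid):
    return User("Li Lei", "13800001111", "lilei@example.com",
                Address("Beijing", "1 Constructed Road"))

def get_contact(uid):                                      # no first annotation
    return Contact("Han Meimei", "13800001111")
```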
Based on the same idea as the desensitization processing method above, the embodiments of this specification also provide a corresponding apparatus, storage medium, and electronic device.
Fig. 3 is a schematic structural diagram of a desensitization processing apparatus provided in an embodiment of this specification. The desensitization processing apparatus includes an acquisition unit 301, an identification unit 302 and a processing unit 303, wherein:
the acquisition unit 301 is configured to intercept data processing information transmitted between a server and other devices;
the identification unit 302 is configured to identify whether the target code called by the data processing information contains a first annotation identifier; and, if the judgment result is that the first annotation identifier is contained, to determine that the called target code contains an object to be desensitized and determine the object type corresponding to the object to be desensitized;
the processing unit 303 is configured to determine, according to the object type, the attribute information corresponding to the object to be desensitized, and to desensitize the determined attribute information using a set desensitization processing mode.
In another embodiment provided in this specification, the identification unit 302 is further configured to judge whether the interface transmitting the data processing information is a designated interface if the judgment result is that the first annotation identifier is not contained;
the processing unit 303 is further configured to, if the judgment result is that the interface is a designated interface, extract the attribute information of the called object from the target code called by the data processing information through the designated interface, and to desensitize the extracted attribute information using a set desensitization processing mode.
In another embodiment provided in this specification, the extracting, by the processing unit 303, of the attribute information of the called object from the target code called by the data processing information through the designated interface specifically includes:
identifying, through the designated interface, whether the called object contains a second annotation identifier from the target code called by the data processing information;
and if the called object contains a second annotation identifier, extracting, according to the second annotation identifier, the attribute information of the attribute to be desensitized corresponding to the second annotation identifier.
In another embodiment provided in this specification, the processing unit 303 is further configured to output the execution result corresponding to the target code called by the data processing information if the judgment result is that the interface is not the designated interface.
In another embodiment provided in this specification, the determining, by the processing unit 303, attribute information corresponding to the object to be desensitized according to the object type specifically includes:
according to the object type, identifying whether the object to be desensitized contains a second annotation identification;
if the object to be desensitized is determined to contain a second annotation identifier, determining an attribute corresponding to the second annotation identifier according to the second annotation identifier, and extracting attribute information of the determined attribute;
if the object to be desensitized does not contain the second annotation identification, determining all attributes corresponding to the object to be desensitized according to the object type, and extracting attribute information of all the determined attributes.
In another embodiment provided in this specification, the determining, by the processing unit 303, attribute information corresponding to the object to be desensitized according to the object type specifically includes:
if the determined object type is the nesting type, sequentially extracting field contents corresponding to fields contained in the nesting type according to nesting logic corresponding to the nesting type;
and determining the extracted field content as the attribute information corresponding to the object to be desensitized.
In another embodiment provided in this specification, the performing, by the processing unit 303, desensitization processing on the attribute information corresponding to the object to be desensitized by using a set desensitization processing mode specifically includes:
according to the attribute information corresponding to the object to be desensitized, whether a desensitization result corresponding to the attribute information of the object to be desensitized exists or not is inquired from a cache database;
if so, outputting the inquired desensitization result;
if the attribute information does not exist, determining the type of the attribute information corresponding to the object to be desensitized, and selecting a desensitization processing mode corresponding to the determined type from the set desensitization processing modes; and performing desensitization treatment on the attribute information corresponding to the object to be desensitized by using the selected desensitization treatment mode to obtain a desensitization result.
It should be noted that the desensitization processing apparatus provided in the embodiments of this specification may be implemented in hardware or in software; the implementation is not specifically limited here. When data processing information is transmitted between a server and other devices, the desensitization processing apparatus intercepts the data processing information and identifies whether the target code called by the data processing information contains a first annotation identifier. If it does, the apparatus determines that the called target code contains an object to be desensitized and determines the object type corresponding to that object; determines the attribute information corresponding to the object to be desensitized according to the object type; and desensitizes the determined attribute information using a set desensitization processing mode. In other words, the scheme does not require any change to the source program code. Instead, at the target code execution stage, it intercepts the data information transmitted between the server and other devices, identifies whether that information contains an object to be desensitized, and starts desensitization processing if it does. This keeps execution of the data-processing target code fast, saves the device resources that execution consumes, and ensures that sensitive data receives desensitization protection in time.
The present specification also provides a computer readable storage medium storing a computer program which, when executed by a processor, is operable to perform the desensitization processing method provided in fig. 1 above.
Based on the desensitization processing method shown in fig. 1, the embodiments of this specification further provide the electronic device whose schematic structure is shown in fig. 4. As shown in fig. 4, at the hardware level, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs it to implement the desensitization processing method described above with reference to fig. 1. That is, when data processing information is transmitted between a server and other devices, the data processing information is intercepted, and it is identified whether the target code called by the data processing information contains a first annotation identifier; if the judgment result is that the first annotation identifier is contained, it is determined that the called target code contains an object to be desensitized, and the object type corresponding to the object to be desensitized is determined; the attribute information corresponding to the object to be desensitized is determined according to the object type; and the determined attribute information is desensitized using a set desensitization processing mode.
That is to say, the desensitization processing scheme provided in this specification does not need to change the source program code, but in the target code execution stage, identifies whether the transmitted data information includes an object to be desensitized by intercepting the data information transmitted between the server and other devices, and starts desensitization processing if the transmitted data information includes the object to be desensitized, so that not only can the target code for data processing be ensured to be executed quickly, and the device resources consumed by execution are saved, but also desensitization protection can be ensured to be performed on sensitive data in time.
Of course, in addition to a software implementation, this specification does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logic units and may also be hardware or logic devices.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor, or switch) or an improvement in software (an improvement to a method flow). However, as technology has advanced, many of today's method flow improvements can be regarded as direct improvements to hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement to a method flow cannot be realized with hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs a digital system onto a single PLD without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually making integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must likewise be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that a hardware circuit implementing a logical method flow can readily be obtained with only a little logic programming of the method flow in one of the hardware description languages above and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functions can be implemented entirely by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included in it for performing the various functions may also be considered structures within the hardware component. The means for performing the functions may even be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as divided into various units by function, each described separately. Of course, when implementing this specification, the functions of the units may be implemented in one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk memory, CD-ROM, optical memory, etc.) having computer-usable program code embodied in the medium.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (Flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in this specification are described in a progressive manner; for the parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is substantially similar to the method embodiment, it is described only briefly; for the relevant points, refer to the corresponding part of the description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (10)

1. A method of desensitization treatment, said method comprising:
intercepting data processing information transmitted between the server and other equipment;
identifying whether target code called by the data processing information contains a first annotation identification;
if the judgment result is that the first annotation identifier is included, determining that the called target code includes an object to be desensitized, and determining an object type corresponding to the object to be desensitized;
determining attribute information corresponding to the object to be desensitized according to the object type;
and performing desensitization processing on the determined attribute information by using a set desensitization processing mode.
2. The method of claim 1, wherein the method further comprises:
if the judgment result is that the first annotation identification is not contained, judging whether the interface for transmitting the data processing information is a designated interface;
if the judgment result is a designated interface, extracting the attribute information of the called object from the target code called by the data processing information through the designated interface;
and performing desensitization processing on the extracted attribute information by using a set desensitization processing mode.
3. The method of claim 2, wherein extracting, through the specified interface, attribute information of the called object from the target code called by the data processing information specifically comprises:
identifying whether a called object contains a second annotation identifier or not from the target code called by the data processing information through the specified interface;
and if the called object contains a second annotation identifier, extracting attribute information of the attribute to be desensitized corresponding to the second annotation identifier according to the second annotation identifier.
4. The method of claim 2, wherein the method further comprises:
and if the judgment result is that the interface is not the designated interface, outputting an execution result corresponding to the target code called by the data processing information.
5. The method according to claim 1, wherein determining attribute information corresponding to the object to be desensitized according to the object type specifically includes:
according to the object type, identifying whether the object to be desensitized contains a second annotation identification;
if the object to be desensitized is determined to contain a second annotation identifier, determining an attribute corresponding to the second annotation identifier according to the second annotation identifier, and extracting attribute information of the determined attribute;
if the object to be desensitized does not contain the second annotation identification, determining all attributes corresponding to the object to be desensitized according to the object type, and extracting attribute information of all the determined attributes.
6. The method according to claim 1, wherein determining attribute information corresponding to the object to be desensitized according to the object type specifically includes:
if the determined object type is the nesting type, sequentially extracting field contents corresponding to fields contained in the nesting type according to nesting logic corresponding to the nesting type;
and determining the extracted field content as the attribute information corresponding to the object to be desensitized.
7. The method according to claim 1, wherein desensitization processing is performed on the attribute information corresponding to the object to be desensitized by using a set desensitization processing mode, and the desensitization processing method specifically includes:
according to the attribute information corresponding to the object to be desensitized, whether a desensitization result corresponding to the attribute information of the object to be desensitized exists or not is inquired from a cache database;
if so, outputting the inquired desensitization result;
if the attribute information does not exist, determining the type of the attribute information corresponding to the object to be desensitized, and selecting a desensitization processing mode corresponding to the determined type from the set desensitization processing modes; and performing desensitization treatment on the attribute information corresponding to the object to be desensitized by using the selected desensitization treatment mode to obtain a desensitization result.
8. A desensitization treatment apparatus, characterized in that the desensitization treatment apparatus comprises:
the acquisition unit is used for intercepting data processing information transmitted between the server and other equipment;
the identification unit is used for identifying whether the target code called by the data processing information contains a first annotation identifier or not; if the judgment result is that the first annotation identifier is included, determining that the called target code includes an object to be desensitized, and determining an object type corresponding to the object to be desensitized;
the processing unit is used for determining attribute information corresponding to the object to be desensitized according to the object type; and performing desensitization processing on the determined attribute information by using a set desensitization processing mode.
9. A computer-readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the desensitization processing method of any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and running on the processor, wherein the processor implements the desensitization processing method of any one of claims 1 to 7 when executing the program.
CN202011123088.8A 2020-10-20 2020-10-20 Desensitization processing method, equipment, medium and electronic equipment Pending CN112307509A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011123088.8A CN112307509A (en) 2020-10-20 2020-10-20 Desensitization processing method, equipment, medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN112307509A true CN112307509A (en) 2021-02-02

Family

ID=74327984

Country Status (1)

Country Link
CN (1) CN112307509A (en)

Similar Documents

Publication Publication Date Title
CN112307509A (en) Desensitization processing method, equipment, medium and electronic equipment
CN107368292B (en) Resource compiling method and device
CN108170656B (en) Template creating method, document creating method, rendering method and rendering device
CN105824830B (en) Method, client and equipment for displaying page
CN108268289B (en) Parameter configuration method, device and system for web application
CN107786630B (en) Web application package processing method, device and equipment
CN107066519B (en) Task detection method and device
CN108595246B (en) Method, device and equipment for running application
CN108846069B (en) Document execution method and device based on markup language
CN108170430B (en) Interface display method and system
CN111241040B (en) Information acquisition method and device, electronic equipment and computer storage medium
CN107391529B (en) Method and device for realizing Object Relation Mapping (ORM)
CN111368902A (en) Data labeling method and device
CN105867886B (en) Method and device for writing table
CN111694992A (en) Data processing method and device
CN108874379B (en) Page processing method and device
CN112579955A (en) Page access method, equipment, medium and electronic equipment
CN111538667A (en) Page testing method and device
CN109409037B (en) Method, device and equipment for generating data confusion rule
CN111078435A (en) Service processing method and device and electronic equipment
CN107562423B (en) UI page development method and device
CN107239270B (en) Code processing method and device
CN111967769A (en) Risk identification method, device, equipment and medium
CN111324778A (en) Data and service processing method and device and electronic equipment
CN111966709A (en) Data query method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination