CN112487458A - Implementation method and system using government affair open sensitive data - Google Patents

Publication number
CN112487458A
Authority
CN
China
Prior art keywords
data
user
container
layer
sensitive
Legal status
Granted
Application number
CN202011426500.3A
Other languages
Chinese (zh)
Other versions
CN112487458B (en)
Inventor
刘向栋
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a method and a system for using government open sensitive data, belonging to the technical field of computer applications. The technical problem addressed is how to protect sensitive data opened by government from leakage, tampering and secondary distribution while still letting data demanders use and mine that data under the premise of data security. The technical scheme is as follows: sensitive data is opened as a permission-controlled data service; a closed container system serves as the data processing factory; a strict audit flow guards against data leakage; the privacy of the user's result is protected by asymmetrically encrypting the operation result at the bottom layer; a self-adjusting operation management system dynamically schedules the containers to ensure stable operation; and a one-stop service portal provides data users with simple operation and mining tools. The system comprises a base layer, a container layer, a data layer, an application layer and a user layer.

Description

Implementation method and system using government affair open sensitive data
Technical Field
The invention relates to the technical field of computer application, in particular to a method and a system for realizing the use of government affair open sensitive data.
Background
With the development of the internet, the informatization of digital government continues to deepen. Data has become a new driver of economic development and technological innovation. To improve the utilization of public data resources, governments around the world are accelerating the opening of public data. However, information technology is a double-edged sword: it brings convenience to the progress and development of digital government, but also many potential security hazards.
At present, the big data industry is moving from the stage of solving "data islands" to the stage of "making data generate value", and data exchange, trading and analysis applications have become inevitable directions of development. When a digital government opens government data, protecting data privacy and preventing data leakage and secondary distribution become the core problems of opening sensitive government data. This is directly opposed to the wish of data demanders to work with the full data set and extract its maximum value. This contradiction between supply and demand greatly restricts the development of the big data industry. Because government data involves a large amount of personal privacy and even confidential information, how to protect personal and national data security while opening government data is the first problem faced by every department that holds government and public data, and it is one of the core capabilities that governments and public service organizations at all levels urgently need to build and strengthen in order to promote the opening of government big data.
The traditional solutions to the security problem of opening sensitive data are as follows:
first, access control based on user permissions, role auditing and similar means, which prevents third-party applications from accessing data without authorization;
second, data desensitization of the sensitive data, with the desensitized data provided to the data demander.
However, both conventional approaches have significant problems: user authentication cannot prevent secondary distribution of data, and its management is complex and prone to omissions; desensitization leads to problems such as reduced data quality and loss of analytical value. Neither method therefore resolves the core contradiction in opening sensitive government data.
Therefore, how to protect sensitive data opened by government from leakage, tampering and secondary distribution, while still allowing data demanders to use and mine it under the premise of data security, is a technical problem that urgently needs to be solved.
Patent document CN107633181A discloses a data model for open data sharing and an operating system for it. The data model comprises: a data box, the basic unit that provides open data to a data user, including the data box's data description, data manipulation, data constraints and properties; a data leakage prevention and data rights protection mechanism packaged inside the data box, with an interface for use by external software; and metering and pricing of data boxes, in which the quantity, time and so on of the data boxes required are calculated from the requirements and targets set by the data user and priced accordingly. However, that scheme is geared toward small data volumes: data is packaged into data boxes, both parties to the data use must operate in command mode, and effective supervision and audit are lacking. It cannot solve the problem of opening sensitive government data.
Disclosure of Invention
The technical task of the invention is to provide a method and a system for using government open sensitive data, so as to solve the problem of how to protect sensitive data opened by government from leakage, tampering and secondary distribution while letting data demanders use and mine it under the premise of data security.
This technical task is achieved as follows. In the method for using government open sensitive data, sensitive data is opened as a permission-controlled data service; a closed container system serves as the data processing factory; a strict audit flow guards against data leakage; the privacy of the user's result is protected by asymmetrically encrypting the operation result at the bottom layer; a self-adjusting operation management system dynamically schedules the containers to ensure stable operation; and a one-stop service portal provides data users with simple operation and mining tools. In this way sensitive data opened by government is protected from leakage, tampering and secondary distribution, the data retains high quality, and the data user's need to use and mine the data is met. The specific steps are as follows:
S1, for the data manager, defining the flow and use of the data and ensuring its security;
S2, for the data manager and the data user, defining the process by which sensitive government data goes from being opened to being used and analyzed by the data user, who obtains the mining result.
Preferably, step S1, defining the flow and use of the data and ensuring its security, is as follows:
S101, the data manager extracts the sensitive government data into the database of the data open platform;
S102, the data owner opens a data service that can be called only from the IP addresses of the servers in the cluster where the containers run; this restriction is enforced by the data open platform;
S103, when a container runs, it calls the data service to pull data into the container, then performs encryption and computation;
S104, the container is destroyed once the computation is complete; the sensitive data held in memory is lost on destruction, so the data is "burned after reading" and the risk of secondary distribution is avoided.
Preferably, step S2, covering the process from the opening of sensitive government data to its use and analysis by the data user and the obtaining of the mining result, is as follows:
S201, the data manager opens the sensitive government data as a data service and publishes it on the data open platform;
S202, the data user searches the data open platform and applies for the data service whose sensitive data is to be used in an algorithm model;
S203, the data manager audits the user's application and decides whether to approve it based on the sensitivity of the data and the user's basic information:
if the audit is passed, step S204 is executed;
S204, once the administrator has approved the application, the data user can see the approved data service in the service portal; based on the data service, the user writes an algorithm model in the service portal and submits it to the data manager for audit;
S205, the algorithm manager runs a test of the algorithm model in the algorithm auditing system; the test result is fed back to the test view, and the data manager decides whether the model passes the audit based on the test result:
if the audit is passed, step S206 is executed;
S206, the data user runs the approved algorithm model and obtains the data mining result by online preview, download or online call.
Preferably, opening sensitive data means registering a sensitive data source as a data service. Registering a single sensitive data source includes setting its parameters and defining custom input and output parameters; the data source is exposed as a data service according to actual business needs, and a gateway enforces the restriction on who may call it.
Preferably, the closed container system uses a Kubernetes cluster to manage the containers, assisted by an operation management system that dynamically allocates communication ports. The operation management system creates, calls and deletes containers, allocates ports, encrypts operation data and schedules containers, ensuring the normal operation of the data user's algorithm model and the stability of the system.
Preferably, asymmetric encryption means that the operation result is encrypted in the container layer with the user's public key. After the result is returned to the service portal, the user decrypts it in the browser front end or with a program of their own; no one other than the user can decrypt the result of the algorithm.
A system for using government open sensitive data comprises a base layer, a container layer, a data layer, an application layer and a user layer;
wherein the base layer is the hardware infrastructure of the system and ensures the operation of computing, storage and networking;
the container layer is a Docker container management layer built on Docker image technology and Kubernetes cluster management; the container layer is where the data actually flows to, where the sensitive data is actually computed on, and the underlying foundation of the government open sensitive data system; the container layer provides the operation management system with model container creation, model algorithm import, container running, container scheduling and container orchestration;
the data layer is the source layer of the sensitive government data; through the data open platform, the data layer registers sensitive government data as data services whose calls can be easily managed and monitored, which indirectly ensures the security of the data, specifically:
first, the data manager registers the sensitive government data in the data open platform as a paged-query data service that returns either all attributes or specified attributes;
second, for sensitive government data, the data manager customizes the service so that it can be called only by containers, restricts its calling permissions through the data open platform, and does not open it to the outside;
third, calls to the service can be easily managed and monitored on the data open platform, which indirectly ensures the security of the data;
the application layer covers the auditing, monitoring, statistical analysis and operation management of data services;
the user layer comprises the data manager and the data user; the data manager opens data interfaces, audits algorithm models, monitors model runs, performs statistical analysis of model runs and manages model operation; to use sensitive government data, the data user applies for an interface, writes a model, waits for the audit, runs the model and calls the result; the data user works only at the application layer, and the data layer, container layer and base layer are invisible to the user, which largely guarantees the security of the original sensitive data and indirectly guarantees the integrity of data use.
Preferably, the application layer comprises a service portal, an auditing system, a monitoring system, a statistical analysis system and an operation management system;
the service portal is the window facing the data user, in which the data user writes, runs and calls algorithm models to use and mine sensitive government data; the service portal also provides a symmetric key generation tool for encrypting the operation result; to create an algorithm, the user only needs to provide the core code of the algorithm model, the user's personal information and the algorithm model name, and the service portal automatically generates the interface through which the model calls the sensitive data; to ensure that the data obtained by the user cannot be stolen by anyone, the system requires the user to upload the public key of an asymmetric key pair before running an algorithm, and after the algorithm finishes running, the result is encrypted at the container layer, ensuring the privacy of the mining result;
the auditing system is the platform on which the data manager manages algorithms; the algorithm model code written by the user is displayed and tested in this system, and the administrator finally decides whether the algorithm model passes the audit, which makes the auditing system a key link in protecting sensitive data; the test process previews the algorithm model as follows: the auditing system pushes the algorithm model to the operation management system; the operation management system calls the container layer interface, creates an independent container containing the algorithm model's source files, and allocates a port open to the operation management system for communication; when the run finishes, the returned data is submitted through the communication port to a message queue monitored by the auditing system; on receiving the message, the auditing system returns the data to the administrator's calling page, and the administrator decides whether it passes the audit;
the statistical analysis system performs statistical analysis of system resource usage and of the distribution of algorithm models;
the monitoring system monitors the running state of algorithm models, and records and audits the operations of data managers and data users;
the operation management system is the back-end system that manages the running of algorithm models; it is not open to data users or data managers, and its functions during a model run include data encryption, secure multi-party computation, memory allocation calculation and automatic resource scaling.
An electronic device, comprising: a memory and at least one processor;
wherein the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method of implementing the use of government open sensitive data as described above.
A computer readable storage medium having stored thereon computer executable instructions which, when executed by a processor, implement a method for implementing the use of government open sensitive data as described above.
The implementation method and system for using government open sensitive data have the following advantages:
The method ensures that sensitive data opened by government is not leaked, tampered with or secondarily distributed while keeping the data at high quality, and meets the data demander's need to use and mine it; it provides a visual, one-stop process for running algorithm models, lowers the threshold for data users to call sensitive government data, and helps data become a driver of economic development and technological innovation, realizing the value of the data;
The invention solves the problem of opening sensitive government data: data is loaded through a permission-controlled data service and opened to users through a one-stop service portal; open algorithm model coding together with strict user permission audit and supervision lets the data user's needs be met in one stop, with simple, understandable operation and a low technical threshold.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a flow diagram of an implementation method using government open sensitive data;
FIG. 2 is a structural block diagram of the system using government open sensitive data.
Detailed Description
The method and system of the invention for using government open sensitive data are described in detail below with reference to the accompanying drawings and specific embodiments.
Example 1:
In the method for using government open sensitive data, sensitive data is opened as a permission-controlled data service; a closed container system serves as the data processing factory; a strict audit flow guards against data leakage; the privacy of the user's result is protected by asymmetrically encrypting the operation result at the bottom layer; a self-adjusting operation management system dynamically schedules the containers to ensure stable operation; and a one-stop service portal provides data users with simple operation and mining tools. In this way sensitive data opened by government is protected from leakage, tampering and secondary distribution, the data retains high quality, and the data user's need to use and mine the data is met. As shown in FIG. 1, the specific steps are as follows:
S1, for the data manager, defining the flow and use of the data and ensuring its security;
S2, for the data manager and the data user, defining the process by which sensitive government data goes from being opened to being used and analyzed by the data user, who obtains the mining result.
In this embodiment, opening sensitive data means registering a sensitive data source as a data service. Registering a single sensitive data source includes setting its parameters and defining custom input and output parameters; the data source is exposed as a data service according to actual business needs, and a gateway enforces the restriction on who may call it.
The closed container system in this embodiment uses a Kubernetes cluster to manage the containers, assisted by an operation management system that dynamically allocates communication ports.
Asymmetric encryption in this embodiment means that the operation result is encrypted in the container layer with the user's public key. After the result is returned to the service portal, the user decrypts it in the browser front end or with a program of their own; no one other than the user can decrypt the result of the algorithm.
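The result-encryption step described above, as an added example that is not part of the patent: the container layer seals a run's result to the public key the user uploaded, and only the holder of the matching private key can open it. It assumes hybrid encryption (RSA-OAEP wrapping a one-time AES-256-GCM key), which the patent does not specify; the function names, the `runId` field and the sample result are hypothetical, and both sides run in Node.js here although the patent has the user decrypt in the browser.

```javascript
// Added example, not code from the patent. Uses only the Node.js standard library.
const crypto = require('node:crypto');

// Assumption: RSA-OAEP with SHA-256 is used to wrap the per-run content key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Portal side: validate the key a user uploads before any run is allowed.
function loadUserPublicKey(pem) {
  // createPublicKey() would silently derive a public key from a private-key PEM,
  // so an accidental private-key upload is rejected explicitly.
  if (typeof pem !== 'string' || /PRIVATE KEY/.test(pem)) {
    throw new Error('upload must be a public key, never a private key');
  }
  const key = crypto.createPublicKey(pem);
  if (key.asymmetricKeyType !== 'rsa' || key.asymmetricKeyDetails.modulusLength < 2048) {
    throw new Error('an RSA public key of at least 2048 bits is required');
  }
  return key;
}

// Container layer: encrypt the result before it leaves the container.
function sealResult(userPublicKeyPem, result, runId) {
  const publicKey = loadUserPublicKey(userPublicKeyPem);
  const contentKey = crypto.randomBytes(32); // one-time AES-256 key for this run
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', contentKey, iv);
  cipher.setAAD(Buffer.from(runId, 'utf8')); // binds the ciphertext to this run
  const ciphertext = Buffer.concat([cipher.update(result), cipher.final()]);
  const envelope = {
    runId,
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, contentKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
  contentKey.fill(0); // the container keeps no copy of the content key
  return envelope;
}

// User side: unwrap the content key with the private key, then verify and decrypt.
function openResult(userPrivateKeyPem, envelope) {
  const b64 = (s) => Buffer.from(s, 'base64');
  const contentKey = crypto.privateDecrypt(
    { key: userPrivateKeyPem, ...OAEP },
    b64(envelope.wrappedKey)
  );
  const decipher = crypto.createDecipheriv('aes-256-gcm', contentKey, b64(envelope.iv));
  decipher.setAAD(Buffer.from(envelope.runId, 'utf8'));
  decipher.setAuthTag(b64(envelope.tag));
  // final() throws if the ciphertext, tag or runId was altered in transit.
  return Buffer.concat([decipher.update(b64(envelope.ciphertext)), decipher.final()]);
}

// Stand-in for the key pair a user would generate on their own machine.
function makeDemoKeyPair(bits) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: bits,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Constructed sample run: seal a made-up mining result, then open it as the user.
function demo() {
  const user = makeDemoKeyPair(2048);
  const result = Buffer.from('{"district":"A","count":1284}');
  const envelope = sealResult(user.publicKey, result, 'run-0001');
  return openResult(user.privateKey, envelope).toString('utf8');
}

console.log(demo());
```

The envelope is what the service portal stores and returns; it holds no key material that the portal or an administrator can use to read the result.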
In this embodiment, step S1, defining the flow and use of the data and ensuring its security, is as follows:
S101, the data manager extracts the sensitive government data into the database of the data open platform; the current data open platform supports mainstream databases such as MySQL, Oracle and SQL Server, and also supports domestic databases such as Dameng and Hangao;
S102, the data owner opens a data service that can be called only from the IP addresses of the servers in the cluster where the containers run; this restriction is enforced by the data open platform;
S103, when a container runs, it calls the data service to pull data into the container, then performs encryption and computation; during the run the algorithm model cannot communicate with external networks and so cannot leak data, and whether the run result itself leaks sensitive data is first checked by the data manager through a trial run and audit, which keeps the sensitive data secure;
S104, the container is destroyed once the computation is complete; the sensitive data held in memory is lost on destruction, so the data is "burned after reading" and the risk of secondary distribution is avoided.
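One way the S102 restriction could be enforced in front of the data service, as an added example that is not the platform's own code: the caller's address is taken from the TCP connection, checked against the address ranges of the cluster's servers, and every decision is logged so calls can be monitored. The CIDR ranges, function names and sample requests are constructed for illustration.

```javascript
// Added example, not code from the patent. Uses only the Node.js standard library.
const net = require('node:net');

// Hypothetical address ranges of the servers in the container cluster (constructed values).
const CLUSTER_NODE_CIDRS = ['10.20.0.0/24', 'fd00:20::/64'];

// net.BlockList is used as an allow-list here: check() === true means "listed".
function buildAllowList(cidrs) {
  const list = new net.BlockList();
  for (const cidr of cidrs) {
    const [addr, prefix] = cidr.split('/');
    list.addSubnet(addr, Number(prefix), net.isIPv6(addr) ? 'ipv6' : 'ipv4');
  }
  return list;
}

// Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; compare those as IPv4.
// Anything that is not a valid address yields null and is denied by the caller.
function normalizePeer(address) {
  if (typeof address !== 'string') return null;
  const mapped = address.toLowerCase().startsWith('::ffff:') ? address.slice(7) : address;
  if (net.isIPv4(mapped)) return { address: mapped, family: 'ipv4' };
  if (net.isIPv6(address)) return { address, family: 'ipv6' };
  return null;
}

// Only the socket peer address is trusted. Headers such as X-Forwarded-For are
// supplied by the client and are deliberately not consulted.
function authorizeCall(allowList, req) {
  const peer = normalizePeer(req.socket && req.socket.remoteAddress);
  const allowed = peer !== null && allowList.check(peer.address, peer.family);
  return {
    allowed,
    peer: peer ? peer.address : 'unknown',
    reason: allowed ? 'caller is a cluster server' : 'caller is outside the container cluster',
  };
}

// Wraps a data-service handler: log every decision, answer 403 unless allowed.
function guard(allowList, handler, audit = console.log) {
  return (req, res) => {
    const decision = authorizeCall(allowList, req);
    audit(JSON.stringify({ time: new Date().toISOString(), path: req.url, ...decision }));
    if (!decision.allowed) {
      res.statusCode = 403;
      return res.end('forbidden');
    }
    return handler(req, res);
  };
}

// Constructed sample requests: one from a cluster server, one from outside it.
function demoDecisions() {
  const list = buildAllowList(CLUSTER_NODE_CIDRS);
  const samples = [
    { socket: { remoteAddress: '::ffff:10.20.0.17' }, headers: {} },
    { socket: { remoteAddress: '203.0.113.9' }, headers: { 'x-forwarded-for': '10.20.0.17' } },
  ];
  return samples.map((req) => authorizeCall(list, req).allowed);
}

console.log(demoDecisions());
```

With Node's built-in HTTP server the wrapper would be passed as `http.createServer(guard(allowList, handler))`.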
In this embodiment, step S2, covering the process from the opening of sensitive government data to its use and analysis by the data user and the obtaining of the mining result, is as follows:
S201, the data manager opens the sensitive government data as a data service and publishes it on the data open platform;
S202, the data user searches the data open platform and applies for the data service whose sensitive data is to be used in an algorithm model;
S203, the data manager audits the user's application and decides whether to approve it based on the sensitivity of the data and the user's basic information:
if the audit is passed, step S204 is executed;
S204, once the administrator has approved the application, the data user can see the approved data service in the service portal; based on the data service, the user writes an algorithm model in the service portal and submits it to the data manager for audit;
S205, the algorithm manager runs a test of the algorithm model in the algorithm auditing system; the test result is fed back to the test view, and the data manager decides whether the model passes the audit based on the test result:
if the audit is passed, step S206 is executed;
S206, the data user runs the approved algorithm model and obtains the data mining result by online preview, download or online call.
The above is the operation process by which the data owner and the data user each complete their tasks in the system. Throughout the process, the monitoring system monitors model runs and audits key actions in real time; the operation management system creates, calls and deletes containers, allocates ports, encrypts operation data and schedules containers, ensuring the normal operation of the data user's algorithm model and the stability of the system.
Example 2:
As shown in FIG. 2, the system of the invention for using government open sensitive data comprises a base layer, a container layer, a data layer, an application layer and a user layer;
wherein the base layer is the hardware infrastructure of the system and ensures the operation of computing, storage and networking;
the container layer is a Docker container management layer built on Docker image technology and Kubernetes cluster management; the container layer is where the data actually flows to, where the sensitive data is actually computed on, and the underlying foundation of the government open sensitive data system; the container layer provides the operation management system with model container creation, model algorithm import, container running, container scheduling and container orchestration;
the data layer is the source layer of the sensitive government data; in recent years, national and local governments have vigorously promoted Internet and government affairs services, and have basically put in place an information network support system that is interconnected, secure, manageable, controllable and continuously upgradable in capacity, together with an information resource opening system with comprehensive catalogs, classified resources and sharing on demand; the data open platforms at all levels built on these two systems are publicly open data sources of reliable quality. Through the data open platform, the data layer registers sensitive government data as data services whose calls can be easily managed and monitored, which indirectly ensures the security of the data, specifically:
first, the data manager registers the sensitive government data in the data open platform as a paged-query data service that returns either all attributes or specified attributes;
second, for sensitive government data, the data manager customizes the service so that it can be called only by containers, restricts its calling permissions through the data open platform, and does not open it to the outside;
third, calls to the service can be easily managed and monitored on the data open platform, which indirectly ensures the security of the data;
the application layer covers the auditing, monitoring, statistical analysis and operation management of data services;
the user layer comprises the data manager and the data user; the data manager opens data interfaces, audits algorithm models, monitors model runs, performs statistical analysis of model runs and manages model operation; to use sensitive government data, the data user applies for an interface, writes a model, waits for the audit, runs the model and calls the result; the data user works only at the application layer, and the data layer, container layer and base layer are invisible to the user, which largely guarantees the security of the original sensitive data and indirectly guarantees the integrity of data use.
The application layer in the embodiment comprises a service portal, an auditing system, a monitoring system, a statistical analysis system and an operation management system;
the service portal is the window facing the data user, in which the data user writes, runs and calls algorithm models to use and mine sensitive government data; the service portal also provides a symmetric key generation tool for encrypting the operation result; to create an algorithm, the user only needs to provide the core code of the algorithm model, the user's personal information and the algorithm model name, and the service portal automatically generates the interface through which the model calls the sensitive data; to ensure that the data obtained by the user cannot be stolen by anyone, the system requires the user to upload the public key of an asymmetric key pair before running an algorithm, and after the algorithm finishes running, the result is encrypted at the container layer, ensuring the privacy of the mining result;
the auditing system is the platform on which the data manager manages algorithms; the algorithm model code written by the user is displayed and tested in this system, and the administrator finally decides whether the algorithm model passes the audit, which makes the auditing system a key link in protecting sensitive data; the test process previews the algorithm model as follows: the auditing system pushes the algorithm model to the operation management system; the operation management system calls the container layer interface, creates an independent container containing the algorithm model's source files, and allocates a port open to the operation management system for communication; when the run finishes, the returned data is submitted through the communication port to a message queue monitored by the auditing system; on receiving the message, the auditing system returns the data to the administrator's calling page, and the administrator decides whether it passes the audit;
the statistical analysis system performs statistical analysis of system resource usage and of the distribution of algorithm models;
the monitoring system monitors the running state of algorithm models, and records and audits the operations of data managers and data users;
the operation management system is the back-end system that manages the running of algorithm models; it is not open to data users or data managers, and its functions during a model run include data encryption, secure multi-party computation, memory allocation calculation and automatic resource scaling.
Example 3:
An embodiment of the present invention further provides an electronic device, including: a memory and at least one processor;
wherein the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the implementation method using government open sensitive data as in any embodiment.
Example 4:
Embodiments of the present invention further provide a computer-readable storage medium in which a plurality of instructions are stored; the instructions are loaded by a processor so that the processor executes the implementation method using government open sensitive data in any embodiment of the present invention. Specifically, a system or an apparatus may be provided with a storage medium storing software program code that realizes the functions of any of the above-described embodiments, and a computer (or a CPU or MPU) of the system or apparatus is caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on the instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion unit to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for implementing the use of government affair open sensitive data, characterized in that the sensitive data is opened in the form of a data service with permission control, a closed container system serves as the data processing factory, a strict auditing flow serves as the guarantee against data leakage, the privacy of the user's result is protected by asymmetrically encrypting the operation result at the bottom layer, an automatically adjusting operation management system dynamically schedules containers to ensure the stable operation of the operation management system, and a one-stop service portal provides data users with simple operation and mining tools, so that open government affair sensitive data is protected from leakage, tampering and secondary distribution, the data is guaranteed to be of higher quality, and the needs of data users to use and mine open government affair sensitive data are met; the method comprises the following specific steps:
S1, for the data manager, specifying the flow and use of the data and the security of the data;
S2, for the data manager and the data user, specifying the process from the opening of the government affair sensitive data to its use and analysis by the data user and the obtaining of the mining result.
2. The method for implementing the use of government affair open sensitive data according to claim 1, wherein step S1 is specifically as follows:
S101, the data manager extracts government affair sensitive data into a database of the data open platform;
S102, the data owner opens a data service; the data service can be called only from the IP addresses of the servers of the cluster where the containers are located, and this restriction is enforced by the data open platform;
S103, when a container runs, it calls the data service to extract data into the container, and performs encryption and calculation;
S104, the container is destroyed after the calculation is completed, and the sensitive data held in memory disappears with it; the data is thus burned after reading, which avoids the risk of secondary distribution.
3. The method for implementing the use of government affair open sensitive data according to claim 1, wherein step S2, which for the data manager and the data user specifies the process from the opening of the government affair sensitive data to its use and analysis by the data user and the obtaining of the mining result, is specifically as follows:
S201, the data manager opens government affair sensitive data in the form of a data service through the open platform, and publishes it to the data open platform;
S202, the data user searches the data open platform and applies for the data service that will supply sensitive data to the algorithm model;
S203, the data manager reviews the user's application information and decides whether the application passes, taking into account the sensitivity of the data and the basic information of the user:
if the audit is passed, step S204 is executed;
S204, after the administrator's approval, the data user can view the applied-for data service in the service portal; based on the data service, the user writes an algorithm model in the service portal and submits it to the data manager for review;
S205, the algorithm manager test-runs the algorithm model in the algorithm auditing system; the test-run result is fed back to the test view, and the data manager decides whether the model passes the audit according to the test-run result:
if the audit is passed, step S206 is executed;
S206, the data user runs the approved algorithm model and obtains the data mining result by means of online preview, downloading and online calling.
4. The method for implementing the use of government affair open sensitive data according to claim 1, wherein opening sensitive data means that sensitive data sources are registered as data services; the service registration of a single sensitive data source comprises the setting of parameters and the custom setting of input and output parameters; the data source is embodied as a data service according to the actual business, and a gateway is used to restrict calling permissions.
5. The method of claim 1, wherein the closed container system uses a Kubernetes cluster for container management and is assisted by an operation management system that dynamically allocates communication ports; the operation management system is used for container creation, calling, deletion, port allocation, operation data encryption and container scheduling, and guarantees normal operation of a data user complaint model and stability of the system.
6. The method for implementing the use of government affair open sensitive data according to any one of claims 1-5, wherein the asymmetric encryption means that the operation result is encrypted with the user's public key at the container layer; after the operation result is returned to the service portal, the user decrypts it in the browser front end or with a program written by the user, and no one other than the user can decrypt the algorithm result.
7. A system for using government open sensitive data, characterized in that the system comprises a base layer, a container layer, a data layer, an application layer and a user layer;
wherein the base layer is the hardware infrastructure of the system and is used for ensuring the operation of computing, storage and the network;
the container layer is a Docker container management layer implemented with Docker image technology and Kubernetes cluster management technology; the container layer is where the data actually flows to, the actual place where sensitive data is processed, and the underlying foundation of the system for using government affair open sensitive data; the container layer provides the operation management system with the functions of model container creation, model algorithm import, container operation, container scheduling and container orchestration;
the data layer is the source layer of government affair sensitive data; the data layer registers government affair sensitive data as data services through the data open platform, so that the calling of the services can be easily managed and monitored, which indirectly ensures the security of the data; specifically:
firstly, the data manager registers government affair sensitive data in the data open platform as a data service for paging query, the data service covering all attributes or specified attributes;
for government affair sensitive data, the data manager customizes the service as a data service that can be called only by containers, restricts the calling permission of the service through the data open platform, and does not open the data service to the outside;
the calling of the service can be easily managed and monitored on the data open platform, which indirectly ensures the security of the data;
the application layer comprises auditing, monitoring, statistical analysis and operation management of data services;
the user layer comprises the data manager and the data user; the data manager is responsible for opening data interfaces, auditing algorithm models, monitoring model operation, performing statistical analysis of model operation and managing model operation; to use government affair sensitive data, the data user needs to apply for an interface, write a model, wait for review, run the model and call the result; all operations of the data user are performed at the application layer of the system, and the data layer, the container layer and the base layer are invisible to the user.
8. The system for using government open sensitive data according to claim 7, wherein the application layer comprises a service portal, an auditing system, a monitoring system, a statistical analysis system and an operation management system;
the service portal is the window facing the data user; through it the data user writes, runs and calls algorithm models in the system, and thereby uses and mines government affair sensitive data; the service portal also provides a symmetric key generation tool for encrypting the operation result; to create an algorithm, a user only needs to extract the core code of the algorithm model and supply the user's personal information and the algorithm model name, and the service portal automatically generates the interface for calling sensitive data in the algorithm model; before the user runs the algorithm, the system forcibly requires the user to upload the public key of an asymmetric encryption key pair, and after the algorithm finishes running, the running result is encrypted at the container layer, which ensures the privacy of the mining result;
the auditing system is the platform on which the data manager manages algorithms; the algorithm model code written by a user is displayed and tested in this system, and the administrator finally decides whether the algorithm model passes the audit, which is a key link in protecting sensitive data; the test process allows the algorithm model to be previewed: the auditing system pushes the algorithm model to the operation management system; the operation management system calls the container layer interface, creates an independent container containing the source file of the algorithm model code, and allocates a port open to the operation management system for communication; after the run finishes, the returned data is submitted through the communication port to a message queue monitored by the auditing system; once the auditing system detects the message, the returned data is returned to the administrator's calling page, and the administrator decides whether it passes the audit;
the statistical analysis system performs statistical analysis on the usage of system resources and the distribution of algorithm models;
the monitoring system monitors the running state of algorithm models, and records and reviews the operations of data managers and data users;
the operation management system is a background system that manages the running of algorithm models and handles the functions involved in running an algorithm model: data encryption, secure multi-party computation, memory allocation calculation and automatic resource expansion.
9. An electronic device, comprising: a memory and at least one processor;
wherein the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform an implementation of a method using government open sensitive data according to any one of claims 1 to 6.
10. A computer-readable storage medium having stored thereon computer-executable instructions which, when executed by a processor, implement a method of using government open sensitive data according to claims 1 to 6.
CN202011426500.3A 2020-12-09 2020-12-09 Implementation method and system using government affair open sensitive data Active CN112487458B (en)

Publications (2)

Publication Number Publication Date
CN112487458A (en) 2021-03-12
CN112487458B (en) 2023-01-20

Family

ID=74940668




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant