CN112714128A - Data desensitization processing method and device - Google Patents

Publication number
CN112714128A
Authority
CN
China
Legal status
Pending
Application number
CN202011608567.9A
Inventor
杨海峰
李彦君
Current Assignee
Beijing Dbsec Technology Co ltd
Original Assignee
Beijing Dbsec Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers


Abstract

The invention provides a data desensitization processing method and device. The method comprises: parsing the network communication packet that a data acquirer has requested, to obtain the real data provided by the data provider; desensitizing the real data; and sending the desensitized data to the data acquirer. This solves the problems in the related art that desensitization is performed by data extraction, so that data which has not been extracted is missed and certain limitations exist.

Description

Data desensitization processing method and device
Technical Field
The invention relates to the technical field of data security, in particular to a data desensitization processing method and device.
Background
Data desensitization refers to masking, obfuscating, transforming and similar operations applied to the data content returned for data acquisition operations by applications or operation and maintenance staff, and for requests to data interfaces. Interfaces, applications and personnel can still perform normal query and data acquisition operations, and subsequent data sharing, statistics and the like proceed normally, but the real sensitive data cannot be obtained, so the security of the sensitive data is guaranteed. In many practical application scenarios, customer data must be shared with multiple departments and personnel for statistical analysis, application development and testing, maintenance by operation and maintenance staff, and similar purposes. When these departments and personnel use the data, they must not see all the real data beyond their scope of work and authority, so that data leakage and the resulting security incidents are avoided.
In the related art, the data provider's database is accessed, data is extracted in batches, and the extracted data is desensitized. The database can be accessed only with the data provider's authorization, so this form of desensitization has certain limitations, and data that has not been extracted is missed.
No solution has yet been proposed for the problems that, in the related art, desensitization is performed by data extraction, data that has not been extracted is missed, and certain limitations exist.
Disclosure of Invention
The embodiments of the invention provide a data desensitization processing method and device that at least solve the problems in the related art that desensitization is performed by data extraction, so that data which has not been extracted is missed and certain limitations exist.
According to an embodiment of the present invention, there is provided a data desensitization processing method including: analyzing the network communication packet requested to be acquired by the data acquirer to obtain real data provided by the data provider; desensitizing the real data; and sending the desensitized data to the data acquisition party.
In an exemplary embodiment, before parsing the network communication packet requested to be obtained by the data obtaining party, the method further comprises: intercepting a data acquisition request sent by the data acquisition party to the data provider; and determining the target and the range of the data acquisition according to the request content of the data acquisition request.
In one exemplary embodiment, desensitizing the real data comprises: determining a desensitization processing mode and a data range to be desensitized according to the target and the range; and desensitizing the real data according to the desensitizing processing mode and the data range to be desensitized.
In an exemplary embodiment, sending the desensitized data to the data acquirer includes: replacing the real data of the network data packet with the desensitized data to obtain a desensitized communication packet; and sending the communication packet after the desensitization treatment to the data acquisition party.
In an exemplary embodiment, before sending the communication packet after the desensitization processing to the data acquirer, the method further includes: and modifying the information of the communication protocol layer to enable the data acquirer to identify the communication packet after desensitization processing.
In one exemplary embodiment, modifying the information of the communication protocol layer includes:
modifying the bytes in the communication packet that represent the data length to the real length of the communication packet after desensitization; or
modifying the bytes in the protocol header that identify the length of the communication protocol packet to the real length of the communication packet after desensitization.
According to still another embodiment of the present invention, there is provided a data desensitization processing apparatus including: the analysis module is used for analyzing the network communication packet requested to be acquired by the data acquirer to obtain real data provided by the data provider; the desensitization processing module is used for desensitizing the real data; and the sending module is used for sending the desensitized data to the data acquisition party.
In one exemplary embodiment, the apparatus further comprises: the intercepting module is used for intercepting a data acquisition request sent by the data acquisition party to the data provider; and the determining module is used for determining the target and the range of the data acquisition according to the request content of the data acquisition request.
In one exemplary embodiment, the desensitization processing module comprises: the determining submodule is used for determining a desensitization processing mode and a data range to be desensitized according to the target and the range; and the desensitization processing submodule is used for performing desensitization processing on the real data according to the desensitization processing mode and the data range to be desensitized.
In one exemplary embodiment, the transmitting module includes: the replacing submodule is used for replacing the real data of the network data packet with the desensitized data to obtain a communication packet after desensitization; and the sending submodule is used for sending the communication packet subjected to desensitization treatment to the data acquisition party.
In one exemplary embodiment, the apparatus further comprises: and the modification module is used for modifying the information of the communication protocol layer so that the data acquisition party can identify the communication packet after desensitization treatment.
In an exemplary embodiment, the modification module is further configured to modify the bytes in the communication packet that represent the data length to the real length of the communication packet after desensitization; or to modify the bytes in the protocol header that identify the length of the communication protocol packet to the real length of the communication packet after desensitization.
According to a further embodiment of the present invention, a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to perform the steps of any of the above-described method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of the hardware configuration of a mobile terminal for a data desensitization processing method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a data desensitization processing method according to an embodiment of the present invention;
FIG. 3 is a flow diagram (one) of a data desensitization processing method according to an alternative embodiment of the present invention;
FIG. 4 is a flow diagram (two) of a data desensitization processing method according to an alternative embodiment of the present invention;
FIG. 5 is a flow diagram (three) of a data desensitization processing method according to an alternative embodiment of the present invention;
FIG. 6 is a flow diagram (four) of a data desensitization processing method according to an alternative embodiment of the present invention;
FIG. 7 is a flow diagram of a data desensitization method implemented on network communication packets according to an alternative embodiment of the present invention;
FIG. 8 is a block diagram of the structure of a data desensitization processing apparatus according to an embodiment of the present invention;
FIG. 9 is a block diagram (one) of the data desensitization processing apparatus according to an alternative embodiment of the present invention;
FIG. 10 is a block diagram (two) of the data desensitization processing apparatus according to an alternative embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Example 1
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking a mobile terminal as an example, fig. 1 is a hardware structure block diagram of a mobile terminal of the data desensitization processing method according to the embodiment of the present invention, and as shown in fig. 1, the mobile terminal may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), and a memory 104 for storing data, and optionally, the mobile terminal may further include a transmission device 106 for communication function and an input/output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and does not limit the structure of the mobile terminal. For example, the mobile terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 can be used for storing computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the data desensitization processing method in the embodiment of the present invention, and the processor 102 executes the computer programs stored in the memory 104 to execute various functional applications and data processing, i.e., to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a data desensitization processing method operating in the mobile terminal or the network architecture is provided, fig. 2 is a flowchart of the data desensitization processing method according to the embodiment of the present invention, and as shown in fig. 2, the flowchart includes the following steps:
step S202, analyzing the network communication packet requested to be acquired by the data acquirer to obtain real data provided by the data provider;
step S204, desensitizing the real data;
and step S206, sending the desensitized data to the data acquirer.
Through steps S202 to S206, the network communication packet requested by the data acquirer is parsed to obtain the real data provided by the data provider, the real data is desensitized, and the desensitized data is sent to the data acquirer. This solves the problems in the related art that desensitization is performed by data extraction, data that has not been extracted is missed, and certain limitations exist. The network communication packet sent by the data provider to the data acquirer is intercepted and desensitized, so all accessed data is desensitized and the security of the acquired data is ensured; and because the data provider does not need to be accessed, no authorization from the data provider is required.
Fig. 3 is a flowchart (one) of a data desensitization processing method according to an alternative embodiment of the present invention, as shown in fig. 3, before the step S202, the method further includes:
step S302, intercepting a data acquisition request sent by the data acquisition party to the data provider;
step S304, determining the target and the range of the data acquisition according to the request content of the data acquisition request.
For different data types and data storage modes, the data acquisition request contains different kinds of information that can be used to locate the target and the range.
For example, for structured data, such as a common relational database (including but not limited to Oracle, SQL Server, MySQL, Db2 and SAP HANA), a data acquisition request is made by issuing a Structured Query Language (SQL) query, and the database returns two-dimensional data that can be tabulated. In this case the SQL semantics of the request need to be analyzed and combined with the context information of the session environment at login, to determine which fields this request obtains and the table, schema, database and service to which those fields belong, so as to locate a particular data asset. For an Oracle database, analysis can confirm the fields, the tables to which the fields belong, the schema, the instance, and the IP and port of the database service; for a MySQL database, the fields, the database to which the fields belong, and the IP and port of the database; for a SQL Server database, the fields, the schema name to which the fields belong, the database name, the service name, and the IP (Internet Protocol) address and port of the database service.
For semi-structured data, such as common big data storage engines (including but not limited to HBase, MongoDB and Elasticsearch), the data acquisition request is made through an Application Programming Interface (API) or through Hypertext Transfer Protocol (HTTP) access. The returned data is not strictly tabular, but can be represented as custom nested key-value data, similar to JSON and Extensible Markup Language (XML). The specific asset that this data acquisition access is to obtain needs to be located by analyzing the request. For example, for HBase the table, column family and row key accessed can be located; for MongoDB, the database, collection, document and field involved in the data acquisition; for Elasticsearch, the document, type and index to be retrieved.
For unstructured data, such as common file stores (including but not limited to HDFS and GFS), the requested document name and the directory path to which it belongs can be located.
In short, before analyzing the network communication packet, a data acquisition request sent by a data acquisition party needs to be intercepted, and a target and a range of data acquisition are determined according to the data acquisition request.
Fig. 4 is a flowchart (two) of a data desensitization processing method according to an alternative embodiment of the present invention. As shown in fig. 4, the step S204 includes:
step S402, determining a desensitization processing mode and a data range to be desensitized according to the target and the range;
and S404, desensitizing the real data according to the desensitizing processing mode and the data range to be desensitized.
Different desensitization strategies and desensitization ranges (that is, data ranges to be desensitized) can be established for different targets and ranges, and the data returned by the data provider is then desensitized accordingly. For example:
For structured data, such as a common relational database: a given column of the returned data, a particular row, or a particular cell can be desensitized. The field, the table and the data type to be desensitized are specified when the desensitization policy is configured, and row-set desensitization can also be performed. Desensitization methods include common masking, data replacement, data invalidation, random data generation, data rounding and offset-calculation transformation, data dictionary mapping, data generation according to a user-defined format specification, desensitization that preserves format and data characteristics, generalization desensitization, data-consistency desensitization and reversible desensitization. Associated and combined desensitization can also be applied, for example: replacing part of a character string with asterisks or similar characters; desensitizing field B when the queried field A meets a specific condition; desensitization that preserves operation logic, in which fields A, B and C are desensitized and the computational relationship of field C to fields A and B must still hold after desensitization; and desensitizing the parts of row data that match the characteristics of a certain data type.
For semi-structured data, such as a common big data storage engine: the storage unit to be desensitized can be specified. The smallest storage unit is named differently in different storage engines. For example, for HBase a designated column, the data of a particular row key, or the data of a particular column family can be desensitized; for MongoDB, a specified field, a document, or a collection can be desensitized. All stored data may also be desensitized when the returned data matches a certain characteristic. The desensitization methods are the same as for structured data: common masking, data replacement, data invalidation, random data generation, data rounding and offset-calculation transformation, data dictionary mapping, data generation according to a user-defined format specification, desensitization that preserves format and data characteristics, generalization desensitization, data-consistency desensitization and reversible desensitization. Associated and combined desensitization can also be applied, for example: replacing part of a character string with asterisks or similar characters; desensitizing field B when the queried field A meets a specific condition; desensitization that preserves operation logic, in which fields A, B and C are desensitized and the computational relationship of field C to fields A and B must still hold after desensitization; and desensitizing the parts of row data that match the characteristics of a certain data type.
For unstructured data, such as a common file store: files and directories can be designated for desensitization. It is also possible to detect whether the data content stored in a file matches specific data characteristics, and to desensitize the data that matches. Desensitization methods include common masking, data replacement, data invalidation, random data generation, data rounding and offset-calculation transformation, data dictionary mapping, data generation according to a user-defined format specification, desensitization that preserves format and data characteristics, generalization desensitization, data-consistency desensitization and reversible desensitization.
In short, desensitizing the real data requires determining the desensitization mode and the data range to be desensitized according to the target and the range of the data acquisition, and then desensitizing the real data according to the determined mode and data range.
Fig. 5 is a flowchart (three) of a data desensitization processing method according to an alternative embodiment of the present invention. As shown in fig. 5, the step S206 includes:
step S502, replacing the real data of the network data packet with the desensitized data to obtain a desensitized communication packet;
and step S504, sending the communication packet after desensitization treatment to the data acquisition party.
In other words, sending desensitized data to the data acquirer requires: the real data of the network data packet is replaced by desensitized data to obtain a desensitized communication packet, and the desensitized communication packet is sent to a data acquisition party.
Fig. 6 is a flowchart (four) of a data desensitization processing method according to an alternative embodiment of the present invention. As shown in fig. 6, before step S504, the method further includes:
step S503, modifying information of the communication protocol layer so that the data acquirer can identify the communication packet after desensitization. Further, step S503 may specifically include: modifying the bytes in the communication packet that represent the data length to the real length of the communication packet after desensitization; or modifying the bytes in the protocol header that identify the length of the communication protocol packet to the real length of the communication packet after desensitization.
That is, it is also necessary to modify the information of the communication protocol layer before transmitting the communication packet so that the data acquirer can identify the communication packet after desensitization.
Fig. 7 is a flowchart of a data desensitization method implemented based on network communication packets according to an alternative embodiment of the present invention, as shown in fig. 7, including the following steps:
step S1, analyzing the request direction communication packet to obtain the request object;
step S2, forwarding the communication packet of the original request direction;
step S3, receiving an original response communication packet;
and step S4, sending the communication packet after desensitization.
Specifically: the communication packet of a data request is intercepted and analyzed, and the target and the range of this data acquisition or query are confirmed; the data request communication packet is forwarded to the data provider, so that the data provider returns the real data as normal; the communication packet carrying the returned data is intercepted and analyzed, and the returned content is confirmed; the desensitization method to apply and the data range to be desensitized are determined in combination with the analysis result of the request direction; desensitized data is generated for the data that needs to be desensitized; the real sensitive data in the network communication packet is replaced with the desensitized data, and the corresponding information of the communication protocol layer is modified accordingly so that the data acquirer can still identify the packet normally; and the processed communication packet is forwarded to the data acquirer.
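The Fig. 7 flow on a single request/response pair, as an added example that is not part of the patent text: the request is analyzed to find the target columns, the intercepted response is parsed, values are desensitized per policy, and the packet is rebuilt so that its length fields match the new content (step S503). The wire format, the `POLICY` table and every function name are assumptions constructed for illustration; `naive_replace` shows what the acquirer's parser does when the length fix-up is skipped.

```python
import re
import struct

# Constructed wire format (an assumption, not a real database protocol):
#   frame   = uint32 BE payload length | payload
#   payload = uint16 BE column count, then per column: uint16 BE length | UTF-8 bytes

def encode_frame(values):
    """Serialize one result row; every length field is computed from the actual bytes."""
    body = struct.pack(">H", len(values))
    for value in values:
        raw = value.encode("utf-8")
        body += struct.pack(">H", len(raw)) + raw
    return struct.pack(">I", len(body)) + body

def decode_frame(frame):
    """Strict parser, standing in for the data acquirer's client library."""
    if len(frame) < 6:
        raise ValueError("truncated frame")
    (declared,) = struct.unpack_from(">I", frame, 0)
    payload = frame[4:]
    if declared != len(payload):
        raise ValueError("header length does not match payload")
    (count,) = struct.unpack_from(">H", payload, 0)
    offset, values = 2, []
    for _ in range(count):
        if offset + 2 > len(payload):
            raise ValueError("truncated column header")
        (size,) = struct.unpack_from(">H", payload, offset)
        offset += 2
        if offset + size > len(payload):
            raise ValueError("column overruns payload")
        values.append(payload[offset:offset + size].decode("utf-8"))
        offset += size
    if offset != len(payload):
        raise ValueError("trailing bytes after last column")
    return values

def locate_target(sql):
    """Request direction (S302-S304): table and columns of a simple SELECT only."""
    match = re.fullmatch(r"\s*select\s+(.+?)\s+from\s+(\w+)\s*;?\s*", sql, re.IGNORECASE)
    if not match or "*" in match.group(1):
        raise ValueError("cannot resolve requested columns; refusing to forward")
    columns = [c.strip().lower() for c in match.group(1).split(",")]
    return match.group(2).lower(), columns

def mask_middle(value):
    """Masking: keep the first 3 and last 4 characters (character count preserved)."""
    if len(value) <= 7:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 7) + value[-4:]

def replace_fixed(_value):
    """Data replacement: constant token, so the value length changes."""
    return "REDACTED"

# Hypothetical policy: (table, column) -> desensitization method.
POLICY = {("customers", "phone"): mask_middle, ("customers", "name"): replace_fixed}

def desensitize_response(sql, response_frame):
    """Response direction (S202, S204, S502, S503) for one intercepted frame."""
    table, columns = locate_target(sql)
    values = decode_frame(response_frame)
    if len(values) != len(columns):
        raise ValueError("response does not match request; refusing to forward")
    masked = [POLICY.get((table, col), lambda v: v)(val)
              for col, val in zip(columns, values)]
    return encode_frame(masked)  # re-encoding rewrites both length fields (S503)

def naive_replace(response_frame, real, fake):
    """Byte substitution without S503: length fields still describe the real data."""
    return response_frame.replace(real.encode("utf-8"), fake.encode("utf-8"))

if __name__ == "__main__":
    sql = "SELECT id, name, phone FROM customers"              # constructed request
    real = encode_frame(["42", "Alice Zhang", "13812345678"])   # constructed response
    print(decode_frame(desensitize_response(sql, real)))
    try:
        decode_frame(naive_replace(real, "Alice Zhang", "REDACTED"))
    except ValueError as err:
        print("client rejects packet without length fix-up:", err)
```

Both error paths in `desensitize_response` fail closed: a request whose columns cannot be resolved, or a response that does not line up with the request, is rejected instead of being forwarded with real data in it.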
It should be emphasized that the examples described herein are illustrative and not restrictive, and thus the invention includes, without limitation, examples described in specific embodiments, as well as other embodiments that may occur to those skilled in the art upon reading the teachings herein.
Example 2
According to another embodiment of the present invention, there is also provided a data desensitization processing apparatus, and fig. 8 is a block diagram of a structure of the data desensitization processing apparatus according to the embodiment of the present invention, as shown in fig. 8, including:
the analysis module 82 is used for analyzing the network communication packet requested to be acquired by the data acquirer to obtain real data provided by the data provider;
a desensitization processing module 84, configured to perform desensitization processing on the real data;
and the sending module 86 is configured to send the desensitized data to the data acquirer.
With this device, the network communication packet requested by the data acquirer is parsed to obtain the real data provided by the data provider, the real data is desensitized, and the desensitized data is sent to the data acquirer. This solves the problems in the related art that desensitization is performed by data extraction, data that has not been extracted is missed, and certain limitations exist. The network communication packet sent by the data provider to the data acquirer is intercepted and desensitized, so all accessed data is desensitized and the security of the acquired data is ensured; and because the data provider does not need to be accessed, no authorization from the data provider is required.
Fig. 9 is a block diagram (one) of the structure of a data desensitization processing apparatus according to an alternative embodiment of the present invention, as shown in fig. 9, the apparatus further includes:
an intercepting module 92, configured to intercept a data acquisition request sent by the data acquirer to the data provider;
the determining module 94 is configured to determine the target and the range of the data acquisition according to the request content of the data acquisition request.
In short, before analyzing the network communication packet, a data acquisition request sent by a data acquisition party needs to be intercepted, and a target and a range of data acquisition are determined according to the data acquisition request.
Fig. 10 is a block diagram (two) of a data desensitization processing apparatus according to an alternative embodiment of the present invention. As shown in fig. 10, the desensitization processing module 84 includes:
the determining submodule 102 is used for determining a desensitization processing mode and a data range to be desensitized according to the target and the range;
and the desensitization processing submodule 104 is configured to perform desensitization processing on the real data according to the desensitization processing mode and the data range to be desensitized.
In short, desensitization of real data requires: and determining a desensitization mode and a desensitization data range according to the target and the range of the data acquisition, and performing desensitization treatment on the real data according to the determined desensitization mode and the data range.
In an alternative embodiment, the sending module 86 includes: the replacing submodule is used for replacing the real data of the network data packet with the desensitized data to obtain a communication packet after desensitization; and the sending submodule is used for sending the communication packet subjected to desensitization treatment to the data acquisition party.
In other words, sending desensitized data to the data acquirer requires: the real data of the network data packet is replaced by desensitized data to obtain a desensitized communication packet, and the desensitized communication packet is sent to a data acquisition party.
In an optional embodiment, the apparatus further comprises: and the modification module is used for modifying the information of the communication protocol layer so that the data acquisition party can identify the communication packet after desensitization treatment.
In an exemplary embodiment, the modifying module is further configured to modify bytes in the communication packet, which indicate a data length, to a real length of the communication packet after the desensitization processing; or modifying the byte length of the protocol header for marking the length of the communication protocol packet into the real length of the communication packet after desensitization treatment.
That is, it is also necessary to modify the information of the communication protocol layer before transmitting the communication packet so that the data acquirer can identify the communication packet after desensitization.
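As an added illustration of the replacing and modification steps described above (not code from the patent), the sketch below assumes a simple frame with a 4-byte big-endian length prefix. The frame format, the masking rules and the sample payload are all constructed for the example.

```python
import re
import struct

HEADER = struct.Struct(">I")  # assumed framing: 4-byte big-endian payload length

# Constructed masking rules. The replacements change the byte length on
# purpose, so the original length field no longer matches the payload.
RULES = [
    (re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"), b"***"),       # ID-like number
    (re.compile(rb"[\w.]+@([\w.]+)"), rb"<redacted>@\1"),  # e-mail local part
]

def parse_frame(frame: bytes) -> bytes:
    """Parse step: check the declared length and return the real payload."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    (declared,) = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if declared != len(payload):
        raise ValueError(f"length field {declared} != payload {len(payload)}")
    return payload

def desensitize(payload: bytes) -> bytes:
    """Desensitization step: apply every masking rule to the payload."""
    for pattern, replacement in RULES:
        payload = pattern.sub(replacement, payload)
    return payload

def desensitize_frame(frame: bytes) -> bytes:
    """Replace the real data and rewrite the length bytes to the real length."""
    masked = desensitize(parse_frame(frame))
    return HEADER.pack(len(masked)) + masked

# Constructed provider response, not captured traffic.
REAL = b"name=Li Lei;id=123-45-6789;mail=lilei@example.com"
PROVIDER_FRAME = HEADER.pack(len(REAL)) + REAL

if __name__ == "__main__":
    print(desensitize_frame(PROVIDER_FRAME))
    # Reusing the provider's header with the masked payload is rejected,
    # which is why the length bytes have to be rewritten before sending.
    stale = PROVIDER_FRAME[:HEADER.size] + desensitize(REAL)
    try:
        parse_frame(stale)
    except ValueError as exc:
        print("stale length rejected:", exc)
```

A receiver that trusts the length field would truncate or over-read a frame whose payload was masked without this header rewrite.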
It should be noted that the above modules may be implemented by software or hardware. For the latter, this may be achieved in, but is not limited to, the following ways: the modules are all located in the same processor; or the modules are located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, analyzing the network communication packet requested to be acquired by the data acquirer to obtain the real data provided by the data provider;
S2, desensitizing the real data;
and S3, sending the desensitized data to the data acquirer.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing computer programs, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Example 4
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, analyzing the network communication packet requested to be acquired by the data acquirer to obtain the real data provided by the data provider;
S2, desensitizing the real data;
and S3, sending the desensitized data to the data acquirer.
Optionally, for specific examples of this embodiment, refer to the examples described in the above embodiments and optional implementations; they are not repeated here.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device. In some cases, the steps shown or described may be performed in an order different from that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps among them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of data desensitization processing, comprising:
analyzing the network communication packet requested to be acquired by the data acquirer to obtain real data provided by the data provider;
desensitizing the real data;
and sending the desensitized data to the data acquisition party.
2. The method of claim 1, wherein prior to analyzing the network communication packet requested to be acquired by the data acquirer, the method further comprises:
intercepting a data acquisition request sent by the data acquisition party to the data provider;
and determining the target and the range of the data acquisition according to the request content of the data acquisition request.
3. The method of claim 2, wherein desensitizing the real data comprises:
determining a desensitization processing mode and a data range to be desensitized according to the target and the range;
and desensitizing the real data according to the desensitizing processing mode and the data range to be desensitized.
4. The method of claim 1, wherein sending desensitized data to the data acquirer comprises:
replacing the real data of the network data packet with the desensitized data to obtain a desensitized communication packet;
and sending the communication packet after the desensitization treatment to the data acquisition party.
5. The method of claim 4, wherein prior to sending the desensitized communication packet to the data acquirer, the method further comprises:
and modifying the information of the communication protocol layer to enable the data acquirer to identify the communication packet after desensitization processing.
6. The method of claim 5, wherein modifying the information of the communication protocol layer comprises:
modifying the bytes which represent the data length in the communication packet into the real length of the communication packet after desensitization treatment; or
modifying the byte length of the protocol header for identifying the length of the communication protocol packet into the real length of the communication packet after desensitization treatment.
7. A data desensitization processing apparatus, comprising:
the analysis module is used for analyzing the network communication packet requested to be acquired by the data acquirer to obtain real data provided by the data provider;
the desensitization processing module is used for desensitizing the real data;
and the sending module is used for sending the desensitized data to the data acquisition party.
8. The apparatus of claim 7, further comprising:
the intercepting module is used for intercepting a data acquisition request sent by the data acquisition party to the data provider;
and the determining module is used for determining the target and the range of the data acquisition according to the request content of the data acquisition request.
9. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to carry out the method of any one of claims 1 to 6 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 6.
CN202011608567.9A 2020-12-29 2020-12-29 Data desensitization processing method and device Pending CN112714128A (en)

Publications (1)

Publication Number Publication Date
CN112714128A (en) 2021-04-27

Family

ID=75547198

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210427