CN112751823A - Outgoing data generation method, outgoing safety control method and system - Google Patents

Publication number: CN112751823A
Application number: CN202011256447.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 邹云峰, 于鹏飞, 石聪聪, 赵洪莹, 单超
Current assignee: State Grid Jiangsu Electric Power Co ltd Marketing Service Center; Anhui Jiyuan Software Co Ltd
Original assignee: State Grid Jiangsu Electric Power Co ltd Marketing Service Center; Global Energy Interconnection Research Institute; Anhui Jiyuan Software Co Ltd
Prior art keywords: data, outgoing, watermark, sent, key

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The invention provides an outgoing data generation method, an outgoing security control method and a system. The generation method comprises: generating an outgoing task fingerprint based on attribute information of the data to be sent, and establishing an association between the outgoing task fingerprint and the operation data of each generation link of the data to be sent; mapping the outgoing task fingerprint into a key, and adding the key to the data to be sent based on a preset data watermark adding strategy to form data to be sent containing a data watermark. When data containing the data watermark is leaked, the data watermark not only identifies the attribute information of the data but also links to the operation data of the data in each generation link, so once sensitive data is leaked, responsibility can be traced accurately whether the data manager operated improperly in a generation link or the receiver failed to fulfil its data security protection responsibility.

Description

Outgoing data generation method, outgoing safety control method and system
Technical Field
The invention belongs to the technical field of data security management and control, and particularly relates to an outgoing data generation method, an outgoing security management and control method and an outgoing security management and control system.
Background
With the continuous development of the information age, information exchange between different departments and regions is steadily increasing, and data is usually transferred, recombined and used in the form of structured data across all links of the workflow. In such a dynamic data environment the risk of data leakage is high, so a security control method is needed to protect data during the outgoing process.
In existing research, traditional identification methods such as document watermarks and page watermarks are used to mark the attributes of outgoing data. These methods explicitly identify information such as the data source and the data receiver, and if the document or page watermark leaks along with the data, the person who leaked the data can be traced. However, they cannot trace working errors made by data managers while processing the outgoing data, so responsibility for a leak caused by such errors cannot be traced. Document and page watermarks also have the following problems as data identifiers:
1. Traditional document and page watermarks attach identification information to the data carrier. The form of the data may change during normal circulation and use, so identifying circulation information with these watermarks is limited, and the identifier may even be lost.
2. Traditional document and page watermarks are visible to all users, techniques designed specifically to remove them are relatively mature, and the identifier is easy to recognize, tamper with and delete.
3. Data security processing measures cannot be shown explicitly; otherwise an attacker would be in a position to take targeted destructive measures.
Once the data identifier is lost, tampered with or deleted, responsibility cannot be traced after a leak. How to achieve security control over the whole data outgoing process together with leak tracing is therefore a technical problem to be solved urgently by those skilled in the art.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides an outgoing data generation method, which comprises the following steps:
acquiring data to be sent, attribute information of the data to be sent and operation data of the data to be sent in each generation link;
generating an outgoing task fingerprint based on the attribute information of the data to be sent, and establishing an association between the outgoing task fingerprint and the operation data of the data to be sent in each generation link;
and mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key into the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark.
Preferably, generating an outgoing task fingerprint based on the attribute information of the data to be sent includes:
generating a numerical string of attribute information based on the attribute information of the data to be sent;
mapping the numerical string of the attribute information into an outgoing task fingerprint using the MD5 hash algorithm;
the attribute information of the data to be sent includes: data manager, data receiver and data application time.
Preferably, mapping the outgoing task fingerprint to a key consistent with the type of data to be sent includes:
and mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent by adopting ASCII coding.
Preferably, after mapping the outgoing task fingerprint to a key consistent with the type of the data to be sent and before adding the key to the data to be sent based on the preset data watermark adding strategy, the method further includes: when the generated key is the same as a historical key, adding a random identifier to the current key.
Preferably, the adding the secret key to the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark includes:
based on the preset data watermark adding strategy, replacing set information in the data to be sent with the key;
and calculating verification information based on the data to be sent after the replacement, and replacing set information in the data to be sent with the verification information, to generate the data to be sent containing the data watermark.
Preferably, after the data to be sent containing the data watermark is formed, the method further comprises: rechecking and correcting the data to be sent containing the data watermark until data to be sent that conforms to the approval result is obtained.
Preferably, the operation data of the data to be sent in each generation link includes: outgoing application approval information, data extraction information, sensitive data desensitization information, data watermark adding information, data rechecking information and designated-person data download information.
Based on the same concept, the invention provides an outgoing data generation system, which comprises:
the data acquisition module is used for acquiring the data to be sent, the attribute information of the data to be sent and the operation data of the data to be sent in each generation link;
the outgoing task fingerprint generation module is used for generating the outgoing task fingerprint based on the attribute information of the data to be sent and establishing an association between the outgoing task fingerprint and the operation data of the data to be sent in each generation link;
and the data watermark adding module is used for mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key into the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark.
Preferably, the outgoing task fingerprint generation module includes:
the data attribute extraction unit is used for generating a numerical string of attribute information based on the attribute information of the data to be sent;
the encryption algorithm unit is used for mapping the numerical string of the attribute information into an outgoing task fingerprint using the MD5 hash algorithm;
the attribute information of the data to be sent includes: data manager, data receiver and data application time.
Preferably, the data watermarking module includes:
the first data processing unit is used for replacing set information in the data to be sent with the key, based on the preset data watermark adding strategy;
and the second data processing unit is used for calculating verification information based on the data to be sent after the replacement, and replacing set information in the data to be sent with the verification information, to generate the data to be sent containing the data watermark.
Based on the same concept, the invention provides a data outgoing security control method, which comprises the following steps:
when data to be sent containing the data watermark has been sent out and is leaked:
checking the leaked data to extract the data watermark;
obtaining the key corresponding to the data watermark by the inverse operation of the data watermark generation strategy;
generating the outgoing task fingerprint based on the key, and retrieving the data associated with the outgoing task fingerprint in each generation link;
and tracing responsibility for the data leak across the operation data of each generation link, based on the outgoing task fingerprint and the data associated with it.
Preferably, tracing responsibility for the data leak across the operation data of each generation link, based on the outgoing task fingerprint and the data associated with it, includes:
determining the scope of the outgoing data leak and, based on that scope, determining whether the data receiver bears responsibility for the leak; when the data receiver is judged to bear responsibility, generating the attribute information of the leaked data by the inverse of the operation that generated the outgoing task fingerprint, and identifying the responsible data receiver from that attribute information;
meanwhile, checking the data associated with the outgoing task fingerprint in the operation data of each generation link to determine whether the data outgoing operation process was abnormal, and thereby whether the data manager bears responsibility for the leak.
Preferably, obtaining the key corresponding to the data watermark by using the inverse operation of the data watermark generation policy includes:
obtaining data information corresponding to the data watermark by adopting the inverse operation of the data watermark generating strategy;
judging whether the data information exists among the historical keys: if it does, determining the data information to be the key corresponding to the data watermark; if it does not, performing an associated retrieval among the historical keys based on the data information, and selecting the historical key that meets the set rule as the key.
Based on the same concept, the invention also provides a data outgoing security control system, which comprises: a data watermark extraction module, a key restoration module, an outgoing task fingerprint restoration module and a leakage responsibility tracking module;
when data to be sent containing the data watermark has been sent out and is leaked:
the data watermark extraction module is used for checking the verification information of the leaked data and extracting the data watermark;
the key restoration module is used for obtaining the key corresponding to the data watermark by the inverse operation of the data watermark generation strategy;
the outgoing task fingerprint restoration module is used for generating the outgoing task fingerprint based on the key and retrieving the data associated with the outgoing task fingerprint in the operation data of each generation link;
and the leakage responsibility tracking module is used for tracing responsibility for the data leak across the operation data of each generation link, based on the outgoing task fingerprint and the data associated with it.
Preferably, the leakage responsibility tracking module comprises:
the data receiver responsibility confirming unit, which is used for determining the scope of the outgoing data leak and, based on that scope, determining whether the data receiver bears responsibility for the leak; when the data receiver is judged to bear responsibility, generating the attribute information of the leaked data by the inverse of the operation that generated the outgoing task fingerprint, and identifying the responsible data receiver from that attribute information;
and the data manager responsibility confirming unit, which is used for checking the data associated with the outgoing task fingerprint in each generation link to determine whether the data outgoing operation process was abnormal, and thereby whether the data manager bears responsibility for the leak.
Preferably, the key restoration module includes:
the watermark corresponding data information generating unit, which is used for obtaining the data information corresponding to the data watermark by the inverse operation of the data watermark generation strategy;
the watermark corresponding key generation unit, which is used for judging whether the data information exists among the historical keys: if it does, determining the data information to be the key corresponding to the data watermark; if it does not, performing an associated retrieval among the historical keys based on the data information, and selecting the historical key that meets the set rule as the key.
Compared with the closest prior art, the invention has the following beneficial effects:
The invention provides an outgoing data generation method, an outgoing security control method and a system, comprising: acquiring data to be sent, attribute information of the data to be sent and operation data of the data to be sent in each generation link; generating an outgoing task fingerprint based on the attribute information of the data to be sent, and establishing an association between the outgoing task fingerprint and the operation data of the data to be sent in each generation link; mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key to the data to be sent based on a preset data watermark adding strategy to form data to be sent containing a data watermark. When data containing the data watermark has been sent out and is leaked, the data watermark not only identifies the attribute information of the data but also links to the operation data of the data in each generation link, so once sensitive data is leaked, responsibility can be traced accurately whether the data manager operated improperly in a generation link or the receiver failed to fulfil its data security protection responsibility.
Drawings
FIG. 1 is a schematic diagram of an outgoing data generation method according to the present invention;
FIG. 2 is a schematic diagram of an outgoing data generation system according to the present invention;
FIG. 3 is a schematic diagram of a method for managing and controlling data outgoing security according to the present invention;
FIG. 4 is a schematic diagram of a data outgoing security management and control system provided in the present invention;
FIG. 5 is a design architecture diagram of a security control system for the whole data outgoing process provided in an embodiment of the present invention;
FIG. 6 is a flowchart of generating a data watermark using the unique information of the parties to a data outgoing task according to an embodiment of the present invention;
FIG. 7 is a flowchart of outgoing data generation provided in an embodiment of the present invention;
FIG. 8 is a flowchart of outgoing data security control according to an embodiment of the present invention.
Detailed Description
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.
Example 1:
This embodiment provides an outgoing data generation method, as shown in FIG. 1, including:
S1: acquiring data to be sent, attribute information of the data to be sent and operation data of the data to be sent in each generation link;
S2: generating an outgoing task fingerprint based on the attribute information of the data to be sent, and establishing an association between the outgoing task fingerprint and the operation data of the data to be sent in each generation link;
S3: mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key to the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark.
In data security management and control, sensitive information can leak because the data receiver fails to fulfil its data security protection responsibility, and it can also leak because of illegal authorization or improper data security processing by data managers in the operation links of outgoing data generation. Strengthening control and responsibility tracing over the outgoing data generation links is therefore an important part of data security management and control.
The design architecture of the security control system for the whole data outgoing process in this embodiment is shown in FIG. 5, specifically:
The data application module explicitly records, from the data application submitted by a data applicant (that is, a data receiver), the application time of the data outgoing task, the content of the outgoing data, the intended use of the outgoing data, the manager of the outgoing data, the receiver of the outgoing data and other information. The manager of the outgoing data, the receiver of the outgoing data and the application time of the data outgoing task are the important attribute information of the outgoing data.
The process approval module submits the information recorded by the data application module to data managers at all levels for approval. If the content and use of the outgoing data are reasonable and the outgoing data manager, outgoing data receiver and application time of the data outgoing task are clear, the application is approved; otherwise it is rejected. If the use of sensitive data is involved, an extended approval should be carried out.
The data extraction module: once the process approval has passed, the data preparation stage begins. The data preparer connects to the source database and extracts the data approved in the application. The data preparer chooses the extraction method; one option is to establish a JDBC connection to the source database and extract the data by writing the relevant SQL statements.
The data desensitization processing module: after the data preparer has configured the data extraction method, a desensitization strategy must also be configured for the sensitive data involved, and the extracted data is desensitized according to the preset data desensitization strategy. Available desensitization strategies include partial data masking, adding noise to data, de-identification of personal information, and so on.
The data watermark processing module: the data preparer needs to configure a data watermark adding strategy. The data watermark is generated by the system from information about the whole data outgoing process and can be mixed into the data to be distributed according to the watermark adding strategy selected by the data preparer. The flowchart for generating the data watermark from the unique information of the parties to the data outgoing task in this embodiment is shown in FIG. 6, and specifically includes:
S2: generate an outgoing task fingerprint based on the attribute information of the data to be sent, and establish an association between the outgoing task fingerprint and the operation data of the data to be sent in each generation link, specifically:
S2-1: concatenate, as digits, the system-unique identifiers M1 and M2 of the outgoing data manager and the outgoing data receiver for this data outgoing task and the time T at which the task was applied for (accurate to the second) into a numerical string S. For example, if M1 is 207812, M2 is 207935 and T is 20190815091527, then S is 20781220793520190815091527.
Taking the data outgoing process of the State Grid company as an example, the digital information identifiers of the data manager and the data receiver are determined as follows. Internal employees of the State Grid company all have unique personnel numbers. If an external unit needs to obtain internal data of the State Grid company, it must submit a paper application bearing an application form number to the State Grid office, which assigns specific service personnel to handle the application; the personnel number of the assigned service employee together with the external unit's data application form number can therefore serve as the information identifier of the data receiver. The resource number of each operations employee responsible for the company's data outgoing tasks can serve as the information identifier of the data manager.
S2-2: map the numerical string S to a 128-bit data outgoing task fingerprint S1 using the MD5 hash algorithm. The outgoing task fingerprint is associated with the operation data of each generation link of the outgoing data, so by identifying the data outgoing task fingerprint S1 the detailed information of each generation link of that outgoing task can be queried, such as outgoing application approval information, data extraction information, sensitive data desensitization information, data watermark adding information, data sampling review information and designated-person data download information.
S3: map the outgoing task fingerprint to a key consistent with the type of the data to be sent, and add the key to the data to be sent based on the preset data watermark adding strategy to form data to be sent containing the data watermark, specifically:
S3-1: map the data outgoing task fingerprint S1 to a key S2 consistent with the type of the data to be sent, and guarantee the uniqueness of S2. For example, if S1 needs to be mapped to digits, S1 is divided into 16 segments of 8-bit binary code and each segment is taken modulo 10, producing a key S2 of 16 digit characters. If the newly generated key S2 collides with a previous key, the collision can be avoided by adding a random number to the newly generated key S2.
S3-2: according to the data watermark adding strategy configured by the data preparer, generate the data watermark, that is, the high-imitation data key, by replacing local parts of the original data to be distributed with the key S2 and the verification information C. For example, the last four digits of 4 consecutive resident identification numbers can be replaced with the 4 segments of digit characters of the key S2; the verification information C of the 4 transformed resident identification numbers is then calculated and used to replace the last digit of the 5th resident identification number. The 5 consecutive transformed resident identification numbers are then the generated data watermark and also the high-imitation data key.
The data rechecking module: the data to be distributed is prepared according to the data extraction method and data watermark adding strategy configured by the data preparer. Once prepared, randomly sampled data to be distributed can be rechecked; the recheck covers whether the content of the data to be distributed, the sensitive data processing and other information are consistent with the approval. The sampling can be configured; for example, by default the middle 10 rows of the data to be distributed are sampled for review. If the recheck fails, the data outgoing task is returned to the data preparer, who reconfigures the data extraction method and data watermark adding strategy and prepares the data to be distributed again, until the recheck passes.
After the data passes the recheck, the data applicant can download the data to be distributed. Before the download, the identity of the person downloading can be verified against the account information and login IP address used at application time, so that the data is downloaded only by the designated person.
For responsibility tracing after a data leak, the design architecture also includes a data watermark tracing module, which traces a leak from the data watermark contained in the leaked data.
Based on the design architecture of the above whole-process data outgoing security control system, the outgoing data security control flow is shown in FIG. 7 and includes: data outgoing application, data outgoing approval, data extraction, sensitive data desensitization, data watermark addition, data sampling recheck and designated-person data download.
The invention achieves whole-process security control through a mutually linked supervision mechanism across all data outgoing links, including data outgoing application approval, data extraction, sensitive data desensitization, data watermark addition, data sampling recheck and designated-person data download, and so secures the outgoing data generation process by optimizing the management flow. At the same time, the key attribute information of the outgoing data is identified by the data watermark, and the data watermark is associated with the operation data of the outgoing data in each link, so that once a leak occurs after the data has been sent out, the responsible link can be traced from the data watermark added in advance.
A data watermark adds identification information to the data content itself. Because the identification information is carried in content that closely imitates real data, a user is unlikely to notice the data watermark in the circulating data and does not know where in the data it is located, so it is difficult to remove; its concealment and robustness are better than those of traditional document and page watermarks. Using the data watermark to identify the data outgoing process therefore identifies not only the data application authorization and the data receiver information but also the data security processing measures. Once sensitive data is leaked, responsibility can be traced accurately, whether the cause is illegal authorization, improper data security processing measures, or the receiver, which makes the approach safer and more reliable.
Example 2:
This embodiment provides an outgoing data generation system, as shown in FIG. 2, including:
the data acquisition module, which is used for acquiring the data to be sent, the attribute information of the data to be sent and the operation data of the data to be sent in each generation link;
the outgoing task fingerprint generation module, which is used for generating the outgoing task fingerprint based on the attribute information of the data to be sent and establishing an association between the outgoing task fingerprint and the operation data of the data to be sent in each generation link;
and the data watermark adding module, which is used for mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key to the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark.
The outgoing task fingerprint generation module comprises:
the data attribute extraction unit, which is used for generating a numerical string of attribute information based on the attribute information of the data to be sent;
the encryption algorithm unit, which is used for mapping the numerical string of the attribute information into an outgoing task fingerprint using the MD5 hash algorithm;
the attribute information of the data to be sent includes: data manager, data receiver and data application time.
The data watermark adding module comprises:
the first data processing unit, which is used for replacing set information in the data to be sent with the key, based on the preset data watermark adding strategy;
and the second data processing unit, which is used for calculating verification information based on the data to be sent after the replacement, and replacing set information in the data to be sent with the verification information, to generate the data to be sent containing the data watermark.
Example 3:
As shown in fig. 3, this embodiment provides a management and control method for data outgoing security, including:
when data to be sent that contains the data watermark has been sent out and leaked:
P1: check the verification information of the leaked data and extract the data watermark;
P2: obtain the key corresponding to the data watermark by applying the inverse operation of the data watermark generation strategy;
P3: generate the outgoing task fingerprint based on the key, and retrieve the operation data of each generation link associated with the outgoing task fingerprint;
P4: perform data leakage responsibility tracing on the operation data of each generation link, based on the outgoing task fingerprint and the data associated with the outgoing task fingerprint.
After the data is distributed to a data applicant for use, if a data leak occurs, responsibility can be traced according to the watermark information added in advance: first locate which data was leaked, then trace whether the security event was caused by illegal authorization, improper data security processing measures, or leakage by the receiver. The control flow chart of outgoing data security is shown in fig. 8 and comprises checking the leaked data, extracting the data watermark information, and retrieving the distribution information. The responsibility tracing method specifically comprises the following steps:
P1, checking the verification information of the leaked data and extracting the data watermark, comprises:
checking the verification information of the leaked data and extracting the data content fields that conform to the verification rule of the data watermark; for example, 5 consecutive resident identification number data watermarks can be extracted through the verification information. Only data that conforms to the verification rule contains data watermark information.
P2: obtain the key S2 corresponding to the data watermark by applying the inverse operation of the data watermark generation strategy.
P3, generating the outgoing task fingerprint based on the key and retrieving the operation data of each generation link associated with the outgoing task fingerprint, comprises:
the data outgoing task fingerprint S1 is retrieved by associated lookup through S2, which yields the system-unique information M1 and M2 of the manager and the receiver of the outgoing data, the application time T of the data outgoing task (accurate to the second), and so on, together with the detailed information of each link of the data outgoing, such as outgoing application approval, data extraction, sensitive data desensitization, data watermark addition, data sampling recheck, and download by designated personnel.
P4, performing data leakage responsibility tracing on the operation data of each generation link based on the outgoing task fingerprint and the data associated with the outgoing task fingerprint, comprises:
determining the leakage range of the outgoing data, and determining whether the data receiver bears data leakage responsibility based on that range; for example, if data that is in a confidential state is seen on the Internet, the data receiver's responsibility can be determined. When the data receiver is judged to bear data leakage responsibility, the attribute information of the leaked data is generated through the inverse operation of the outgoing task fingerprint generation, and the data receiver who bears the data leakage responsibility is identified based on the attribute information;
meanwhile, the data associated with the outgoing task fingerprint is checked in the operation data of each generation link to determine whether the data outgoing operation process was abnormal, and thereby whether the data manager bears data leakage responsibility. For example, if customer sensitive information is not desensitized as required during the data outgoing process, or the sent data is consistent with the data range applied for by the data applicant, the responsibility of the data manager can be determined.
Further, if the data structure is restructured or part of the data is modified, the randomly embedded data watermarks may be partially destroyed and several suspected keys may be extracted; the keys with the largest number of occurrences are then selected for associated retrieval, for example the keys SS1, SS2, SS3, SS4 and SS5 with the largest numbers of occurrences. The retrieval results and the detailed information of each outgoing link are restored, and the corresponding outgoing tasks are provided to security personnel as suspected leakage events, which narrows the investigation range.
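The generation steps of Example 2 and the tracing steps P1 to P3 above, including the ranking of suspected keys after tampering, are shown here as an added Python example that is not part of the patent text. The digit mapping, the placement of the key inside an 18-character ID field, the HMAC-based check character, the two-digit tolerance for matching a damaged key, and all sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-demo-secret"  # assumption: check rule is keyed, known only to the data owner
CHECK_CHARS = "0123456789X"
KEY_LEN = 12                          # assumption: key fills digits 5..16 of an 18-character ID field

def task_fingerprint(manager, receiver, applied_at):
    """Outgoing task fingerprint: MD5 digest of the attribute string (manager, receiver, time)."""
    return hashlib.md5(f"{manager}|{receiver}|{applied_at}".encode()).hexdigest()

def fingerprint_to_key(fp):
    """Map the fingerprint to a digit-only key from the ASCII code of each character (assumed rule)."""
    return "".join(str(ord(c) % 10) for c in fp[:KEY_LEN])

def check_char(body):
    """Verification information: keyed check character over the first 17 digits."""
    digest = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return CHECK_CHARS[digest[0] % 11]

def embed(rows, key, positions):
    """Replace the set digits of the chosen rows with the key, then replace the check character."""
    out = [dict(r) for r in rows]
    for i in positions:
        body = out[i]["id_no"][:5] + key
        out[i]["id_no"] = body + check_char(body)
    return out

def extract_candidates(rows):
    """P1/P2: keep values that pass the check rule and read the key digits back out."""
    found = Counter()
    for r in rows:
        v = r.get("id_no", "")
        if len(v) == 18 and v[:17].isdigit() and check_char(v[:17]) == v[17]:
            found[v[5:17]] += 1
    return found

def resolve_key(candidate, history, max_diff=2):
    """Exact hit in the history keys, else the nearest history key within max_diff digits."""
    if candidate in history:
        return candidate
    def diff(k):
        return sum(a != b for a, b in zip(k, candidate))
    best = min(history, key=diff, default=None)
    return best if best is not None and diff(best) <= max_diff else None

def trace(rows, history, top=5):
    """P3: rank resolved keys by occurrence and return (key, count, registry record)."""
    votes = Counter()
    for cand, n in extract_candidates(rows).items():
        key = resolve_key(cand, history)
        if key:
            votes[key] += n
    return [(k, n, history[k]) for k, n in votes.most_common(top)]

def demo():
    """Constructed scenario: two outgoing tasks; the export sent to receiver M2-a leaks."""
    stages = ["approval", "extraction", "desensitization", "watermark", "recheck", "download"]
    history = {}
    for receiver in ("M2-a", "M2-b"):
        fp = task_fingerprint("M1-admin", receiver, "2020-11-11 09:30:00")
        history[fingerprint_to_key(fp)] = {"fingerprint": fp, "receiver": receiver, "stages": stages}
    leaked_key = fingerprint_to_key(task_fingerprint("M1-admin", "M2-a", "2020-11-11 09:30:00"))
    rows = [{"name": f"n{i}", "id_no": f"32010{i:012d}0"} for i in range(12)]  # made-up records
    marked = embed(rows, leaked_key, positions=[1, 3, 5, 7, 9])
    # Leak after tampering: two watermark rows deleted, remaining rows reversed.
    leaked = [r for i, r in enumerate(marked) if i not in (1, 3)][::-1]
    return leaked_key, trace(leaked, history)

if __name__ == "__main__":
    key, suspects = demo()
    for k, n, rec in suspects:
        print(k, n, rec["receiver"], rec["fingerprint"])
```

Because the digit mapping is lossy, the key is resolved to its fingerprint through the registry of issued keys, which matches the associated lookup of S1 through S2 in step P3. An unkeyed one-character check would let roughly one in eleven ordinary values pass, so the occurrence count is what separates the real watermark from chance hits.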
Example 4:
This embodiment provides a management and control system for data outgoing security, as shown in fig. 4, including:
a data watermark extraction module, a key restoration module, an outgoing task fingerprint restoration module and a leakage responsibility tracking module;
when data to be sent that contains the data watermark has been sent out and leaked:
the data watermark extraction module is used for checking the verification information of the leaked data and extracting the data watermark;
the key restoration module is used for obtaining the key corresponding to the data watermark by applying the inverse operation of the data watermark generation strategy;
the outgoing task fingerprint restoration module is used for generating the outgoing task fingerprint based on the key and retrieving the operation data of each generation link associated with the outgoing task fingerprint;
and the leakage responsibility tracking module is used for performing data leakage responsibility tracing on the operation data of each generation link, based on the outgoing task fingerprint and the data associated with the outgoing task fingerprint.
The leakage responsibility tracking module comprises:
a data receiver responsibility confirming unit, used for determining the leakage range of the outgoing data, determining whether the data receiver bears data leakage responsibility based on that range, and, when the data receiver is judged to bear data leakage responsibility, generating the attribute information of the leaked data through the inverse operation of the outgoing task fingerprint generation and identifying the data receiver who bears the data leakage responsibility based on the attribute information;
and a data manager responsibility confirming unit, used for checking the data associated with the outgoing task fingerprint in the operation data of each generation link to determine whether the data outgoing operation process was abnormal, and thereby whether the data manager bears data leakage responsibility.
The key restoration module comprises:
a watermark-corresponding data information generating unit, used for obtaining the data information corresponding to the data watermark by applying the inverse operation of the data watermark generation strategy;
a watermark-corresponding key generation unit, used for determining whether the data information exists in the history keys: if yes, the data information is determined to be the key corresponding to the data watermark; if not, associated retrieval is performed in the history keys based on the data information, and the history key that meets the set rule is selected as the key.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present application and not for limiting the scope of protection thereof, and although the present application is described in detail with reference to the above-mentioned embodiments, those skilled in the art should understand that after reading the present application, they can make various changes, modifications or equivalents to the specific embodiments of the application, but these changes, modifications or equivalents are all within the scope of protection of the claims to be filed.

Claims (16)

1. A method for generating outgoing data, comprising:
acquiring data to be sent, attribute information of the data to be sent and operation data of the data to be sent in each generation link;
generating an outgoing task fingerprint based on the attribute information of the data to be sent, and establishing an incidence relation between the outgoing task fingerprint and the operation data of the data to be sent in each generation link;
and mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key into the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark.
2. The method of claim 1, wherein generating an outgoing task fingerprint based on attribute information of the pending data comprises:
generating a numerical string of attribute information based on the attribute information of the data to be sent;
mapping the numerical string of the attribute information into an outgoing task fingerprint by adopting an MD5 encryption algorithm;
the attribute information of the data to be sent includes: data manager, data receiver and data application time.
3. The method of claim 1, wherein mapping the outgoing task fingerprint to a key consistent with a pending data type comprises:
and mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent by adopting ASCII coding.
4. The method of claim 1, wherein after mapping the outgoing task fingerprint to a key consistent with the type of the data to be sent, and before adding the key to the data to be sent based on the preset data watermark adding strategy, the method further comprises: when the generated key is the same as a historical key, adding a random identifier to the current key.
5. The method of claim 1, wherein the adding the key to the data to be transmitted based on a preset data watermarking strategy to form data to be transmitted with a data watermark comprises:
based on a preset data watermark adding strategy, replacing the set information in the data to be transmitted by adopting the secret key;
and calculating verification information based on the replaced data to be transmitted, and replacing the set information in the data to be transmitted by adopting the verification information to generate the data to be transmitted containing the data watermark.
6. The method of claim 1, wherein after forming the data to be sent containing the data watermark, the method further comprises: rechecking and correcting the data to be sent containing the data watermark until data to be sent that conforms to the approval result is obtained.
7. The method of claim 6, wherein the operation data of the data to be sent in each link comprises: outgoing application approval information, data extraction information, sensitive data desensitization information, data watermark adding information, data recheck information, and download information of the designated data personnel.
8. An outgoing data generation system, comprising:
the data acquisition module is used for acquiring the data to be sent, the attribute information of the data to be sent and the operation data of the data to be sent in each generation link;
the outgoing task fingerprint generating module is used for generating outgoing task fingerprints based on the attribute information of the data to be sent and establishing the incidence relation between the outgoing task fingerprints and the operation data of the data to be sent in each generating link;
and the data watermark adding module is used for mapping the outgoing task fingerprint into a key consistent with the type of the data to be sent, and adding the key into the data to be sent based on a preset data watermark adding strategy to form the data to be sent containing the data watermark.
9. The system of claim 8, wherein the outgoing task fingerprint generation module comprises:
the data attribute extraction unit is used for generating a numerical string of attribute information based on the attribute information of the data to be sent;
the encryption algorithm unit is used for mapping the numerical string of the attribute information into an outgoing task fingerprint by adopting an MD5 encryption algorithm;
the attribute information of the data to be sent includes: data manager, data receiver and data application time.
10. The system of claim 8, wherein the data watermarking module comprises:
the first data processing unit is used for replacing the set information in the data to be sent by adopting the secret key based on a preset data watermark adding strategy;
and the second data processing unit is used for calculating verification information based on the replaced data to be sent, and replacing the set information in the data to be sent with the verification information to generate the data to be sent containing the data watermark.
11. A management and control method for data outgoing security, comprising:
when the data to be sent containing the data watermark generated according to the method of any one of the claims 1 to 7 is sent and leaked:
checking the leaked data to extract data watermark;
obtaining a key corresponding to the data watermark by adopting the inverse operation of the data watermark generating strategy;
generating an outgoing task fingerprint based on the secret key, and retrieving data associated with the outgoing task fingerprint in each generation link;
and performing data disclosure tracing on operation data in each generation link based on the outgoing task fingerprint and the data associated with the outgoing task fingerprint.
12. The method of claim 11, wherein the performing data leakage tracing on data at each generation link operation based on the outgoing task fingerprint and data associated with the outgoing task fingerprint comprises:
determining an outgoing data leakage range, determining whether a data receiver has data leakage responsibility or not based on the data leakage range, and generating attribute information of the leaked data through inverse operation generated by the outgoing task fingerprint when the data receiver is judged to have the data leakage responsibility; locking a data receiver which undertakes data leakage responsibility based on the attribute information;
meanwhile, the data associated with the outgoing task fingerprint is checked in the operation data of each generation link, whether the data outgoing operation process is abnormal or not is determined, and then whether a data manager undertakes data leakage responsibility or not is determined.
13. The method as claimed in claim 11, wherein said obtaining the key corresponding to the data watermark by using the inverse operation of the data watermark generation policy comprises:
obtaining data information corresponding to the data watermark by adopting the inverse operation of the data watermark generating strategy;
judging whether the data information exists in a history key: if yes, determining the data information as a key corresponding to the data watermark; if the historical key does not exist, performing associated retrieval in the historical key based on the data information, and selecting the historical key which meets the set rule as the key.
14. A management and control system for data outgoing security, comprising: a data watermark extraction module, a key restoration module, an outgoing task fingerprint restoration module and a leakage responsibility tracking module;
when the data to be sent containing the data watermark generated according to the system of any one of the claims 8 to 10 is sent and leaked:
the data watermark extraction module is used for checking the verification information of the leaked data and extracting the data watermark;
the key restoration module is used for obtaining a key corresponding to the data watermark by adopting the inverse operation of the data watermark generation strategy;
the outgoing task fingerprint restoration module is used for generating outgoing task fingerprints based on the secret key and retrieving data related to the outgoing task fingerprints and operating data in each generation link;
and the leakage responsibility tracking module is used for carrying out data leakage responsibility tracing on the operation data of each generation link based on the outgoing task fingerprint and the data associated with the outgoing task fingerprint.
15. The system of claim 14, wherein the leakage responsibility tracking module comprises:
the data receiver responsibility confirming unit is used for confirming the outgoing data leakage range, confirming whether the data receiver has data leakage responsibility or not based on the data leakage range, and generating attribute information of the leaked data through the inverse operation generated by the outgoing task fingerprint when judging that the data receiver has the data leakage responsibility; locking a data receiver which undertakes data leakage responsibility based on the attribute information;
and the data manager responsibility confirming unit is used for checking the data related to the outgoing task fingerprint in each generation link to determine whether the data outgoing operation process is abnormal or not and further determine whether the data manager undertakes data leakage responsibility or not.
16. The system of claim 14, wherein the key restoration module comprises:
the watermark corresponding data information generating unit is used for obtaining data information corresponding to the data watermark by adopting the inverse operation of the data watermark generating strategy;
a watermark corresponding key generation unit, configured to determine whether the data information exists in a history key: if yes, determining the data information as a key corresponding to the data watermark; if the historical key does not exist, performing associated retrieval in the historical key based on the data information, and selecting the historical key which meets the set rule as the key.
CN202011256447.7A 2020-11-11 2020-11-11 Outgoing data generation method, outgoing safety control method and system Pending CN112751823A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011256447.7A CN112751823A (en) 2020-11-11 2020-11-11 Outgoing data generation method, outgoing safety control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011256447.7A CN112751823A (en) 2020-11-11 2020-11-11 Outgoing data generation method, outgoing safety control method and system

Publications (1)

Publication Number Publication Date
CN112751823A true CN112751823A (en) 2021-05-04

Family

ID=75648315

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011256447.7A Pending CN112751823A (en) 2020-11-11 2020-11-11 Outgoing data generation method, outgoing safety control method and system

Country Status (1)

Country Link
CN (1) CN112751823A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116455677A (en) * 2023-06-15 2023-07-18 国网智能电网研究院有限公司 Power regulation and control data leakage tracking method and device, electronic equipment and storage medium
CN116455677B (en) * 2023-06-15 2023-09-05 国网智能电网研究院有限公司 Power regulation and control data leakage tracking method and device, electronic equipment and storage medium
CN117708779A (en) * 2024-02-05 2024-03-15 广东鸿数科技有限公司 Data watermarking processing method, tracing method and storage medium

Similar Documents

Publication Publication Date Title
CN109417479B (en) Cryptographic logic rewritable block chains
Chatzikonstantinou et al. Evaluation of cryptography usage in android applications
CN107871081A (en) A kind of computer information safe system
CN112751823A (en) Outgoing data generation method, outgoing safety control method and system
CN113987543A (en) Online data monitoring method and device
CN110955897A (en) Software research and development safety control visualization method and system based on big data
CN114880687A (en) Document security protection method and device, electronic equipment and storage medium
CN110166644A (en) Data processing method, device, computer equipment and storage medium
CN111737747A (en) Database security method, device, equipment and computer storage medium
CN105933303A (en) File tempering detection method and device
WO2021258860A1 (en) Data encryption processing method and apparatus, and computer device and storage medium
US20080155690A1 (en) System and Method for Authenticating and Validating the Linkage Between Input Files and Output Files in a Computational Process
CN111382050B (en) Network service interface testing method and device
CN110971511B (en) Instant messaging processing method, device, equipment and computer readable storage medium
CN102270323A (en) Multi-security cigarette digital anti-counterfeiting method
CN111260528B (en) Real estate information verification method based on asymmetric algorithm
CN117499159B (en) Block chain-based data transaction method and device and electronic equipment
CN117353893B (en) Network information security verification method and system based on blockchain technology
CN116579005B (en) User data safety storage management method
CN116308434B (en) Insurance fraud identification method and system
CN116502222A (en) Application risk test method and device, computer equipment and storage medium
CN116542637B (en) Government platform safety control method based on computer
CN111898155B (en) Information storage method, information checking method and information storage and checking system
CN117710045A (en) Big data transaction security control method
CN112613028A (en) Weak password detection method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: 210000 9 Aoti street, Jianye District, Nanjing City, Jiangsu Province

Applicant after: State Grid Jiangsu Electric Power Co.,Ltd. Marketing Service Center

Applicant after: State Grid Smart Grid Research Institute Co.,Ltd.

Applicant after: ANHUI JIYUAN SOFTWARE Co.,Ltd.

Address before: 210000 9 Aoti street, Jianye District, Nanjing City, Jiangsu Province

Applicant before: State Grid Jiangsu Electric Power Co.,Ltd. Marketing Service Center

Applicant before: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE Co.,Ltd.

Applicant before: ANHUI JIYUAN SOFTWARE Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20230411

Address after: 210000 9 Aoti street, Jianye District, Nanjing City, Jiangsu Province

Applicant after: State Grid Jiangsu Electric Power Co.,Ltd. Marketing Service Center

Applicant after: ANHUI JIYUAN SOFTWARE Co.,Ltd.

Address before: 210000 9 Aoti street, Jianye District, Nanjing City, Jiangsu Province

Applicant before: State Grid Jiangsu Electric Power Co.,Ltd. Marketing Service Center

Applicant before: State Grid Smart Grid Research Institute Co.,Ltd.

Applicant before: ANHUI JIYUAN SOFTWARE Co.,Ltd.

SE01 Entry into force of request for substantive examination