CN112800397A - Data asset protection method, system, electronic equipment and storage medium - Google Patents
- Publication number: CN112800397A
- Application number: CN202110199120.9A
- Authority: CN (China)
- Prior art keywords: data asset, data, client, digital watermark, information
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/16—Program or content traceability, e.g. by watermarking
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Abstract
The application belongs to the technical field of computers, and relates to a data asset protection method, a data asset protection system, electronic equipment and a storage medium. The system comprises a client agent, deployed on the client, that acquires user behavior data, and a security center that analyzes the user behavior data. When the security center detects that the user behavior data contains a digital watermark, it compares the digital watermark with the digital watermarks stored and recorded in advance. If the same digital watermark exists, it judges whether the network environment location information of the data flow containing the digital watermark is consistent with the network environment location information, stored and recorded in advance, of the data asset having the same digital watermark; if the two are inconsistent, it sends alarm information to the client and blocks the access operation of the client. The client agent is deployed on the client to monitor user behavior, the acquired results are transmitted back to the security center for analysis, and the addition of digital watermarks provides security protection for the data assets.
Description
Technical Field
The application belongs to the technical field of computers, and particularly relates to a data asset protection method, a data asset protection system, electronic equipment and a storage medium.
Background
Data assets refer to data resources owned or controlled by an enterprise that can bring economic benefits to the enterprise. Existing data asset security protection methods mainly either deploy a data asset scanner at a data exchange node inside the core network domain, from which the scanner logs in to the service system cluster nodes to scan for sensitive data assets, or integrate several traditional data security products (such as Data Leakage Prevention (DLP), database audit, database vulnerability scanning and data desensitization systems) into a comprehensive data asset security protection system.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, a system, an electronic device and a storage medium for protecting data assets, so as to solve the problems that the existing data asset protection method cannot protect data assets comprehensively and conveniently and has poor applicability.
The embodiment of the application is realized as follows:
In a first aspect, an embodiment of the present application provides a data asset protection system, including: a client agent, deployed at the client, for acquiring user behavior data; and a security center for analyzing the user behavior data. When the security center detects that the user behavior data contains a digital watermark, it compares the digital watermark with the digital watermarks stored and recorded in advance; if the same digital watermark exists, it judges whether the network environment location information of the data flow containing the digital watermark is consistent with the network environment location information, stored and recorded in advance, of the data asset having that digital watermark; and if the two are inconsistent, it sends alarm information to the client and blocks the access operation of the client. The client agent is deployed on the client to monitor user behavior, the acquired results are transmitted back to the security center for analysis, and the data assets are comprehensively protected by adding digital watermarks, so that the data assets are prevented from being leaked. This solves the problems that the conventional data asset protection methods cannot protect data assets comprehensively and conveniently and have poor applicability.
With reference to one possible implementation manner of the embodiment of the first aspect, the data asset protection system further includes: the server-side agent is deployed on the server and used for identifying the data assets corresponding to the data asset identification strategy according to the data asset identification strategy in the scanning task issued by the security center, adding digital watermarks to the data assets with the sensitivity levels higher than the preset level and encrypting the data asset identification results containing the digital watermarks, wherein the data asset identification results comprise network environment position information of the data assets; and the security center is also used for decrypting the encrypted data sent by the server agent and storing the data asset identification result containing the digital watermark obtained by decryption. In the embodiment of the application, the scanned data assets are added with the digital watermarks and are transmitted back to the security center for storage, so that the data assets can be comprehensively and conveniently protected.
With reference to a possible implementation manner of the embodiment of the first aspect, the security center is further configured to analyze traffic message data returned by the client agent or the server agent, and when it is detected that data asset digital watermark information added by the server agent of the system exists in the traffic message data, query a message data record related to the data asset including the digital watermark, and restore a complete process of leakage flow of the data asset. In the embodiment of the application, by adding the digital watermark, when the flow message data is analyzed subsequently, the complete process of leakage circulation of the data asset can be restored based on the message data record related to the data asset containing the same digital watermark, and the tracing of the data asset is realized.
With reference to a possible implementation manner of the embodiment of the first aspect, the client proxy is further configured to send an identity registration request to the security center, where the identity registration request carries device information of the client and identity authentication information required by a user to log in the client; the security center is further configured to respond to the identity registration request to complete registration, calculate a hash value based on the identity authentication information and the device information, and store the calculated hash value in association with the device information. In the embodiment of the application, when identity registration is carried out, the hash value is calculated based on the equipment information of the client and the identity authentication information required by the user for logging in the client, and the calculated hash value and the equipment information are stored in an associated manner, so that the identity of the logged-in user can be authenticated subsequently based on the hash value, and the data asset can be accessed only by entity users and equipment which are registered through a platform.
With reference to a possible implementation manner of the embodiment of the first aspect, the client proxy is further configured to send a login authentication request to the security center, where the login authentication request carries device information of the client and identity verification information required by a user to log in the client; the security center is further configured to calculate a hash value based on the identity verification information and the device information, compare the calculated hash value with a hash value corresponding to the device information stored during registration, verify whether the login authentication request is legal, and return a verification result to the client agent. In the embodiment of the application, the hash value is calculated by carrying the equipment information of the client and the identity verification information required by the user to log in the client in the login authentication request sent during login, and the calculated hash value is compared with the hash value corresponding to the equipment information stored during registration to verify, so that the login can be successful only when the hash values are consistent, and only the entity user and the equipment registered by a platform can access the data asset.
With reference to a possible implementation manner of the embodiment of the first aspect, the security center is further configured to assign role identities to client agents that send the identity registration requests when registration is completed in response to the identity registration requests, where sensitivity levels of data assets that can be accessed by different role identities are different. In the embodiment of the application, different role identities are given to different client-side agents, so that the fine protection control of a user when the user accesses the data assets of the server-side is realized.
With reference to a possible implementation manner of the first aspect, the client agent is configured to identify a data asset corresponding to a data asset identification policy according to the data asset identification policy in a scanning task issued by the security center, add a digital watermark to a data asset whose sensitivity level is higher than a preset level, and encrypt a data asset identification result including the digital watermark, where the data asset identification result includes network environment location information of the data asset; and the security center is also used for decrypting the encrypted data sent by the client agent and storing the data asset identification result containing the digital watermark obtained by decryption.
In a second aspect, an embodiment of the present application further provides a data asset protection method, which is applied to a security center, where the security center communicates with a client agent, and the method includes: analyzing the user behavior data sent by the client agent; when the user behavior data is detected to contain a digital watermark, comparing the digital watermark with the digital watermarks stored and recorded in advance; if the same digital watermark exists, judging whether the network environment location information of the data flow containing the digital watermark is consistent with the network environment location information, stored and recorded in advance, of the data asset having the same digital watermark; and if the two are inconsistent, sending alarm information to the client and blocking the access operation of the client.
With reference to a possible implementation manner of the embodiment of the second aspect, the security center is in communication with a server-side agent, and the method further includes: sending a scanning task to the server agent so that the server agent identifies a data asset corresponding to a data asset identification strategy according to the data asset identification strategy in the scanning task, adds a digital watermark to the data asset with the sensitivity level higher than a preset level, and encrypts a data asset identification result containing the digital watermark, wherein the data asset identification result comprises network environment position information of the data asset; and decrypting the encrypted data sent by the server agent, and storing the data asset identification result containing the digital watermark obtained by decryption.
In combination with one possible implementation manner of the embodiment of the second aspect, the method further includes: analyzing the flow message data returned by the client agent or the server agent, inquiring the message data record related to the data asset containing the digital watermark when detecting that the data asset digital watermark information added by the server agent of the system exists in the flow message data, and restoring the complete process of the leakage circulation of the data asset.
With reference to a possible implementation manner of the embodiment of the second aspect, before analyzing the user behavior data sent by the client agent, the method further includes: receiving a login authentication request sent by the client agent, wherein the login authentication request carries equipment information of a client and identity authentication information required by a user to login the client; and calculating a hash value based on the identity verification information and the equipment information, comparing the calculated hash value with a hash value corresponding to the equipment information stored during registration to verify whether the login authentication request is legal or not, and returning a verification result to the client agent.
With reference to one possible implementation manner of the embodiment of the second aspect, before receiving the login authentication request sent by the client agent, the method further includes: receiving an identity registration request sent by the client agent, wherein the identity registration request carries equipment information of the client and identity authentication information required by a user for logging in the client; and when the registration is completed in response to the identity registration request, giving role identities to client agents sending the identity registration request, wherein the data assets which can be accessed by different role identities have different sensitivity levels.
In combination with one possible implementation manner of the embodiment of the second aspect, the method further includes: sending a scanning task to the client agent so that the client agent identifies the data asset corresponding to the data asset identification strategy according to the data asset identification strategy in the scanning task, adds a digital watermark to the data asset with the sensitivity level higher than a preset level, and encrypts a data asset identification result containing the digital watermark, wherein the data asset identification result comprises network environment position information of the data asset; and decrypting the encrypted data sent by the client agent, and storing the data asset identification result containing the digital watermark obtained by decryption.
In a third aspect, an embodiment of the present application further provides an electronic device, including: a memory and a processor, the processor coupled to the memory; the memory is used for storing programs; the processor is configured to call a program stored in the memory to perform the method according to the second aspect embodiment and/or any possible implementation manner of the second aspect embodiment.
In a fourth aspect, embodiments of the present application further provide a storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the method provided in the foregoing second aspect and/or any possible implementation manner of the second aspect.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts. The foregoing and other objects, features and advantages of the application will be apparent from the accompanying drawings. Like reference numerals refer to like parts throughout the drawings. The drawings are not intended to be to scale as practical, emphasis instead being placed upon illustrating the subject matter of the present application.
Fig. 1 shows a block diagram of a data asset protection system according to an embodiment of the present application.
Fig. 2 is a schematic flow chart illustrating a data asset protection method according to an embodiment of the present application.
Fig. 3 shows a block diagram of a data asset protection device according to an embodiment of the present application.
Fig. 4 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, relational terms such as "first," "second," and the like may be used solely in the description herein to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Further, the term "and/or" in the present application describes only an association relationship between associated objects, and means that three kinds of relationships may exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone.
The existing data asset protection methods have defects: deploying a data asset scanner at a data exchange node inside the core network domain cannot protect data assets comprehensively and conveniently, and integrating a plurality of traditional data security products into a comprehensive data asset security protection system is costly and has poor applicability. In view of this, the embodiment of the present application provides a data asset protection system in which a client agent and a server agent are deployed on a client and a server, respectively, in the user network environment. The agents perform active detection and discovery of data assets and monitor user behavior, and transmit the collected results back to the security center of the system for analysis. This implements automatic identification, classification and grading, risk monitoring and security protection of data assets, so as to effectively guarantee data asset security, make user behavior controllable, visible and traceable, and guarantee internal data security.
For ease of understanding, the data asset protection system provided by the embodiment of the present application will be described below with reference to fig. 1. The data asset protection system includes: the system comprises a client agent deployed at a client, a server agent deployed at a server and a security center. The security center is the core of the system, and can adopt a B/S (Browser/Server) architecture design, and the Client agent and the Server agent can adopt a C/S (Client/Server) architecture design. The server agent installation environment is typically a Linux operating system. The client agent installation environment is typically a Windows operating system.
The server agent is mainly responsible for identifying the data assets that match the data asset identification policy in the scanning task issued by the security center, adding digital watermarks to the data assets whose sensitivity level is higher than a preset level (such as the extremely high and high sensitivity levels), encrypting the data asset identification results containing the digital watermarks (including data asset names, types, quantity, bearing modes, network environment location information, digital watermark information and the like), and transmitting them back to the security center for analysis. The security center decrypts the encrypted data sent by the server agent and stores the decrypted data asset identification result containing the digital watermark. The sensitivity of data assets can be divided into 4 levels according to the industry standard specification for classifying and grading sensitive data assets: S1 (low sensitivity), S2 (medium sensitivity), S3 (high sensitivity) and S4 (ultrahigh sensitivity). The server agent can add the digital watermark by steganography, and the digital watermarks added to different data assets can be different.
In addition, the server agent is further configured to send a registration request to the security center, where the registration request carries device information of the server (e.g., the Serial Number (SN) of the device, the Media Access Control (MAC) address, and the Internet Protocol (IP) address information). After the server agent is installed, it automatically identifies the device information of the server and automatically submits a registration application to the security center. After the security center receives the server agent's registration application, an administrator must perform a secondary audit confirmation, and registration completes only after that confirmation passes. After registration, the server agent generally keeps session communication with the security center of the system over a long-lived connection. The security center periodically checks whether the SN number, MAC address and IP address information of the server in its current state are consistent with the information recorded and bound at registration; when any one of them differs from the information recorded during registration, the server agent is not allowed to access.
In addition, the server-side agent also sends the traffic message data acquired by the server-side agent to the security center, so that the security center can analyze the traffic message data sent by the server-side agent, obtain the access behavior and communication traffic of the registered equipment and the equipment with unknown identity to the data assets, and complete circulation mapping of the data assets in the whole network. For example, when it is detected that data asset digital watermark information added by a server agent of the system exists in traffic message data, a message data record related to the data asset containing the digital watermark is queried, and a complete process of leakage circulation of the data asset is restored. The traffic message data collected by the server agent not only comes from the traffic actively accessed by the client, but also includes the communication traffic between the server and other servers.
The client agent is mainly responsible for user identity authentication, access control, client information collection and the like. For example, the client agent collects user behavior data and sends it to the security center for analysis. Based on a trust evaluation algorithm model, the security center continuously evaluates the user behaviors generated through the client agent (such as accessing or operating on data assets in the form of traffic message data: adding, deleting, querying, copying, sending mail, transferring files through instant messaging tools and the like). When the client agent user is found to be abnormal or risky, the security center lowers the user's trust level and limits or prohibits the user's access, which realizes dynamic access control and continuously ensures the security of data asset access. The security center analyzes the user behavior data and, when it detects that the user behavior data contains a digital watermark, compares the digital watermark with the digital watermarks stored and recorded in advance. If the same digital watermark exists, it judges whether the network environment location information of the data flow containing the digital watermark (including the SN number, MAC address and IP address of the server to which it belongs, the file location of the data asset and the like) is consistent with the network environment location information, stored and recorded in advance, of the data asset having the same digital watermark. If the two are inconsistent, it sends alarm information to the client and blocks the access operation of the client.
In the inconsistent case, the user is considered to have performed an abnormal or illegal operation. The security center immediately sends an alarm to the client and the administrator by short message, mail, system prompt message and the like, immediately blocks the user's corresponding operation or network access, and at the same time prompts the client that the user of the agent may be suspected of illegal behavior. If the two are consistent, monitoring and analysis continue.
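The watermark and location check just described, together with the leak-flow reconstruction described for traffic message data, can be sketched as follows. This is an added example, not code from the patent; the record shapes, the names `assess` and `trace`, the decision labels and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    """Network environment location information for a data asset or data flow."""
    sn: str     # serial number of the host
    mac: str
    ip: str
    path: str   # file location of the data asset


@dataclass(frozen=True)
class Event:
    """One behaviour/traffic record returned by an agent (constructed shape)."""
    ts: int                       # constructed timestamp, seconds
    client: str
    action: str
    watermark: Optional[str]      # watermark found in the data flow, if any
    location: Optional[Location]  # where the watermarked data was observed


def assess(event, registry):
    """Security-center decision for one event.

    registry maps watermark -> Location stored when the asset was scanned.
    """
    if event.watermark is None:
        return "no_watermark"
    recorded = registry.get(event.watermark)
    if recorded is None:
        return "unknown_watermark"      # not a watermark this system recorded
    if event.location == recorded:
        return "continue_monitoring"    # consistent with the stored record
    return "alert_and_block"            # inconsistent: alarm + block access


def trace(watermark, events):
    """Time-ordered records carrying one watermark: the asset's flow path."""
    hits = sorted((e for e in events if e.watermark == watermark),
                  key=lambda e: e.ts)
    return [(e.ts, e.client, e.action, e.location.ip if e.location else None)
            for e in hits]


# --- constructed sample data (not from the patent) ---------------------------
SERVER = Location("SN-SRV-01", "00:00:5e:00:53:01", "10.0.0.5",
                  "/data/hr/payroll.xlsx")
LAPTOP = Location("SN-PC-07", "00:00:5e:00:53:07", "10.0.3.44",
                  "C:/Users/u7/Desktop/payroll.xlsx")
REGISTRY = {"wm-7f3a": SERVER}

EVENTS = [
    Event(300, "client-7", "send_mail", "wm-7f3a", LAPTOP),
    Event(100, "client-7", "read", "wm-7f3a", SERVER),
    Event(200, "client-7", "copy", "wm-7f3a", LAPTOP),
    Event(150, "client-2", "read", None, None),
    Event(250, "client-9", "read", "wm-0000", SERVER),
]

if __name__ == "__main__":
    for e in sorted(EVENTS, key=lambda e: e.ts):
        print(e.ts, e.client, e.action, assess(e, REGISTRY))
    print(trace("wm-7f3a", EVENTS))
```

The comparison is an exact match on all four location fields, so a legitimate server re-addressing would also raise an alarm unless the stored record is refreshed by a new scan.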
Optionally, the client agent may have, in addition to the above functions, a data asset identification function (including receiving a data asset identification policy issued by the security center, adding a digital watermark to the highly sensitive data asset, identifying data return, and the like) the same as that of the server agent. For example, the client agent may also be configured to identify, according to a data asset identification policy in a scanning task issued by the security center, a data asset corresponding to the data asset identification policy, add a digital watermark to a data asset whose sensitivity level is higher than a preset level, and encrypt a data asset identification result including the digital watermark, where the data asset identification result includes network environment location information of the data asset. And the security center is also used for decrypting the encrypted data sent by the client agent and storing the data asset identification result containing the digital watermark obtained by decryption.
Optionally, after the client agent is deployed on the client, the client agent is configured to send an identity registration request to the security center, where the identity registration request carries device information of the client (such as the SN number, MAC address and IP address information) and the authentication information (account + password) required by the user to log in to the client. After receiving the identity registration request sent by the client agent, the security center responds to the request to complete registration, calculates a hash value based on the identity authentication information and the device information, and stores the calculated hash value in association with the device information. When storing the calculated hash value, the security center may store it on-chain using blockchain technology.
When a user needs to access the server, the user must log in to the client agent. At that point the client agent sends a login authentication request to the security center, carrying the device information of the client and the identity authentication information the user needs to log in to the client. The security center calculates a hash value based on the identity authentication information and the device information, compares it with the hash value stored at registration for that device information to verify whether the login authentication request is legal, and returns the verification result to the client agent. If the login authentication request is legal, that is, the comparison result is consistent, the user is allowed to log in; otherwise the user is not allowed to log in. Allowing login only when the hash values are consistent ensures that only entity users and devices registered with the platform can access the data assets, and the identity information of the client agent is dynamically checked in real time during access to ensure the continued credibility of the subject's identity.
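The registration and login comparison described above, as an added example that is not code from the patent. The patent does not name the hash function or the lookup key; salted PBKDF2-HMAC-SHA256, the length-prefixed field encoding, keying the store by SN, and all names and sample values are this example's assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # example parameter, not taken from the patent


def canonical(fields):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently."""
    out = b""
    for value in fields:
        raw = value.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def binding_hash(account, password, device, salt):
    """Hash over identity authentication info plus device info (SN, MAC, IP)."""
    material = canonical([
        account, password,
        device["sn"], device["mac"].lower(), device["ip"],
    ])
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


class SecurityCenter:
    """Stores the hash in association with the device info, as the text describes."""

    def __init__(self):
        self.registry = {}  # device SN (assumed lookup key) -> salt, hash, device info

    def register(self, account, password, device):
        if device["sn"] in self.registry:
            raise ValueError("device already registered")
        salt = os.urandom(16)
        self.registry[device["sn"]] = {
            "salt": salt,
            "hash": binding_hash(account, password, device, salt),
            "device": dict(device),
        }

    def verify_login(self, account, password, device):
        entry = self.registry.get(device["sn"])
        if entry is None:
            return False  # unregistered device: no stored hash to compare against
        candidate = binding_hash(account, password, device, entry["salt"])
        # Constant-time comparison of the stored and the recomputed hash.
        return hmac.compare_digest(entry["hash"], candidate)


def demo():
    """Constructed sample: one registration followed by four login attempts."""
    center = SecurityCenter()
    device = {"sn": "SN-EXAMPLE-0001", "mac": "02:00:5E:10:00:01", "ip": "192.0.2.10"}
    center.register("alice", "example-passphrase", device)
    moved = dict(device, ip="192.0.2.77")
    other = dict(device, sn="SN-EXAMPLE-0002")
    return {
        "same_device": center.verify_login("alice", "example-passphrase", device),
        "wrong_password": center.verify_login("alice", "guess", device),
        "new_ip": center.verify_login("alice", "example-passphrase", moved),
        "other_device": center.verify_login("alice", "example-passphrase", other),
    }


if __name__ == "__main__":
    print(demo())
```

Because the IP address is part of the hashed device information, a registered user whose address changes fails the comparison until the device is registered again.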
When the client agent accesses data assets on the server, fine-grained access control is applied according to the access control policy issued by the security center. The security center applies this fine-grained control to the client agent's access to server data assets through an access control model combining Role-Based Access Control (RBAC) and MAC. When the client agent registers successfully, the security center also assigns a role identity (by default one of four levels, L1-L4) to the client agent that sent the identity registration request; different role identities can access data assets of different sensitivity levels. Further, the security center (or, of course, an administrator) assigns the client an initial role identity level (L1-L4) based on the real identity of the client agent's user in combination with the RBAC model, to limit the user's access to data assets at different sensitivity levels (S1-S4), and also assigns each client agent an initial trust level (four levels, A to D; initially A, with A the highest and D the lowest). The MAC-based access control model then applies access control to the client agent user in the form of policy authorization (controlling items such as ports, IP address black and white lists, access time periods, and permissions to add, delete and modify files). Combining the two models achieves fine-grained control over the user's access to the server's data assets, helping industry users address data asset leakage, tampering and similar problems caused by privilege abuse, lax access control and the like.
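One way to combine the two checks in a single decision, as an added example that is not code from the patent. The patent does not say how L1-L4 map onto S1-S4 or how the trust level is used; the mapping below (role Ln reaches assets up to Sn, larger number meaning more sensitive) is an assumption, trust levels are not modelled, and the policy and requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

# Assumption: a larger number means more sensitive, and role Ln may reach up to Sn.
ROLE_CEILING = {"L1": 1, "L2": 2, "L3": 3, "L4": 4}
SENSITIVITY = {"S1": 1, "S2": 2, "S3": 3, "S4": 4}


@dataclass(frozen=True)
class MacPolicy:
    ports: frozenset      # ports the client agent may use
    ip_allow: tuple       # whitelist, CIDR strings
    ip_deny: tuple        # blacklist, CIDR strings
    window: tuple         # access time period as (start, end) datetime.time
    file_ops: frozenset   # permitted subset of read / add / delete / modify


@dataclass(frozen=True)
class AccessRequest:
    role: str
    asset_level: str
    src_ip: str
    port: int
    at: time
    op: str


def ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def in_window(at, window):
    start, end = window
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end  # period that wraps past midnight


def decide(req, policy):
    """Return (allowed, reason); a request must pass RBAC and every MAC rule."""
    if req.role not in ROLE_CEILING or req.asset_level not in SENSITIVITY:
        return False, "unknown role or sensitivity level"
    if SENSITIVITY[req.asset_level] > ROLE_CEILING[req.role]:
        return False, "rbac: asset sensitivity above role level"
    if ip_in(req.src_ip, policy.ip_deny):
        return False, "mac: source address blacklisted"
    if not ip_in(req.src_ip, policy.ip_allow):
        return False, "mac: source address not whitelisted"
    if req.port not in policy.ports:
        return False, "mac: port not permitted"
    if not in_window(req.at, policy.window):
        return False, "mac: outside access time period"
    if req.op not in policy.file_ops:
        return False, "mac: file operation not permitted"
    return True, "allowed"


# Constructed policy for illustration.
POLICY = MacPolicy(
    ports=frozenset({443, 3306}),
    ip_allow=("10.20.0.0/16",),
    ip_deny=("10.20.9.0/24",),
    window=(time(8, 0), time(19, 0)),
    file_ops=frozenset({"read", "modify"}),
)


def demo():
    """Constructed requests: one that passes and four that each fail one rule."""
    base = dict(role="L3", asset_level="S3", src_ip="10.20.1.15",
                port=443, at=time(10, 30), op="read")
    cases = {
        "ok": base,
        "too_sensitive": {**base, "asset_level": "S4"},
        "blacklisted": {**base, "src_ip": "10.20.9.8"},
        "after_hours": {**base, "at": time(23, 5)},
        "delete": {**base, "op": "delete"},
    }
    return {name: decide(AccessRequest(**kw), POLICY) for name, kw in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The blacklist is evaluated before the whitelist, so an address inside an allowed range can still be excluded by a narrower deny entry.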
In addition, the client agent can also regularly transmit the flow message data collected by the client agent to the security center, so that the security center can analyze the flow message data, and when the flow message data is detected to have data asset digital watermark information added by the server agent of the system (in such a case, a user may have leaked the sensitive data asset by some unknown means and has bypassed the leakage-proof detection means of the system), the client agent queries the message data record related to the data asset containing the digital watermark, and restores the complete process of the leakage circulation of the data asset. Meanwhile, according to quintuple information such as IP addresses and the like contained in the message, the source tracing and the responsibility tracing are carried out on related violation personnel.
The security center is responsible for analyzing the user behavior data sent by the client agent, analyzing the traffic message data sent by the server agent, configuring and issuing data asset identification policies and user behavior access control policies, and storing the data asset information and user behavior information generated by the analysis in a database and a log analysis platform (such as ELK, which consists of three open-source tools: Elasticsearch, Logstash and Kibana). The data asset information comprises data asset name, data asset type, sensitivity level, quantity, data asset network environment location information (information on the device it belongs to, operating system, IP/IP segment, storage mode, file/table name), the system the data asset belongs to, the person responsible for the data asset, the department responsible for the data asset, the time the data asset was generated or discovered, and the like. The user behavior information comprises abnormal access behaviors, abnormal operation behaviors, abnormal outgoing behaviors and the like. Users can run custom advanced queries over the data asset data and behavior data in the system's web interface.
In addition, the security center can also display data visually; for example, it dynamically displays data asset information and user behavior information using multi-dimensional front-end web charts. The displayed content includes but is not limited to data asset totals and distribution information, data asset type distribution information, a data asset access heat TOP chart, a hotspot data asset word cloud, whole-network distribution location information of data assets, the number of abnormal behaviors, the classification proportion of abnormal behaviors (access behavior, operation behavior, outgoing behavior), details of the latest abnormal behaviors, the number of security threats, security threat trends, the grading proportion of security threats, the classification proportion of security threats, a rolling display of the latest security threat details, a TOP ranking of data assets affected by security threats, and so on.
The embodiment of the application also provides a data asset protection method, which is applied to a security center, wherein the security center is also communicated with a client agent and a server agent. The steps included in the data asset protection method provided by the embodiment of the present application will be described with reference to fig. 2.
Step S101: analyze the user behavior data sent by the client agent.
Step S102: when the user behavior data is detected to contain a digital watermark, compare the digital watermark with the digital watermarks stored and recorded in advance.
Step S103: if the same digital watermark exists, judge whether the network environment location information of the data flow containing the digital watermark is consistent with the network environment location information, stored and recorded in advance, of the data asset with the same digital watermark.
If not, go to step S104.
Step S104: send alarm information to the client and block the access operation of the client.
In one embodiment, in addition to sending the warning information to the client, the system can also send a warning to the administrator of the security center in a system prompt message, short message or mail manner.
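Steps S101 to S104 run over a batch of records, as an added example that is not code from the patent. Two assumptions: the watermark has already been recovered from the payload as an opaque token (the `WM:` plus 16 hex digits format is constructed), and a flow counts as consistent when its source address lies inside the IP segment recorded for the asset. All records and registry entries are constructed.

```python
import ipaddress
import re

# Assumption: the embedded watermark is recoverable as a token in the payload;
# "WM:" followed by 16 hex digits is a constructed format for this example.
WM_PATTERN = re.compile(rb"WM:([0-9a-f]{16})")

# What the security center stored from the identification results (constructed):
# watermark -> asset name, sensitivity level, recorded IP segment of the asset.
REGISTRY = {
    "9f3c2a7e51b04d68": {"asset": "crm.customers", "level": "S4", "segment": "10.20.0.0/24"},
    "07aa41c9d2e65b13": {"asset": "hr/payroll.xlsx", "level": "S3", "segment": "10.20.5.0/24"},
}

# Constructed user behavior records as reported by client agents.
RECORDS = [
    {"client": "ws-014", "src_ip": "10.20.0.7", "dst_ip": "10.30.1.14",
     "payload": b"resultset WM:9f3c2a7e51b04d68 rows=20"},
    {"client": "ws-014", "src_ip": "10.30.1.14", "dst_ip": "203.0.113.50",
     "payload": b"POST /upload WM:9f3c2a7e51b04d68"},
    {"client": "ws-022", "src_ip": "10.30.1.22", "dst_ip": "10.30.1.1",
     "payload": b"WM:ffffffffffffffff token not issued by this system"},
    {"client": "ws-031", "src_ip": "10.30.1.31", "dst_ip": "10.20.0.7",
     "payload": b"GET /reports/weekly"},
]


def check_record(record, registry):
    """S102 and S103 for one record; returns one finding per known watermark."""
    findings = []
    marks = sorted({m.decode("ascii") for m in WM_PATTERN.findall(record["payload"])})
    for mark in marks:
        asset = registry.get(mark)
        if asset is None:
            continue  # S102: no stored watermark matches, nothing to compare
        # S103 (assumed rule): the flow must originate inside the recorded segment.
        src = ipaddress.ip_address(record["src_ip"])
        consistent = src in ipaddress.ip_network(asset["segment"])
        findings.append({
            "watermark": mark,
            "asset": asset["asset"],
            "level": asset["level"],
            "client": record["client"],
            "src_ip": record["src_ip"],
            "dst_ip": record["dst_ip"],
            "consistent": consistent,
        })
    return findings


def analyze(records, registry):
    """S101 to S104 over a batch; returns (alerts, clients to block)."""
    alerts, blocked = [], set()
    for record in records:                      # S101: walk the behavior data
        for finding in check_record(record, registry):
            if not finding["consistent"]:       # S104: alarm and block
                alerts.append(finding)
                blocked.add(finding["client"])
    return alerts, sorted(blocked)


if __name__ == "__main__":
    found, to_block = analyze(RECORDS, REGISTRY)
    for alert in found:
        print("ALERT", alert)
    print("block:", to_block)
```

The third record carries a token that matches the pattern but is not in the registry, so it produces no finding; only the upload from `ws-014` to an address outside the recorded segment raises an alert.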
The method further comprises: the security center sends a scanning task to the server agent so that the server agent identifies the data assets corresponding to the data asset identification policy in the scanning task, adds a digital watermark to any data asset whose sensitivity level is higher than the preset level, and encrypts the data asset identification result containing the digital watermark, where the data asset identification result comprises network environment location information of the data asset. The security center decrypts the encrypted data sent by the server agent and stores the data asset identification result containing the digital watermark obtained by decryption.
After the server agent has registered successfully with the security center, it automatically starts the corresponding data asset identification task whenever it receives a data asset identification policy issued by the security center. The server agent identifies data assets of the corresponding types based on the identification policy issued by the security center, adds digital watermarks by steganography to data assets of extremely high and high sensitivity levels according to the user-defined industry sensitive data asset classification standard, and encrypts the identification result data (including data asset names, types, quantity, bearing modes, network environment location information, digital watermark information and the like) and returns it to the security center, which stores and records it. When the security center analyzes the user behavior data collected and returned by the client agent, if the message data in the user behavior data contains digital watermark information that the server agent of the system added to a data asset when identifying it, that digital watermark information is compared with the digital watermark information stored and recorded by the security center. If the same digital watermark information exists, the security center goes on to determine whether the network environment location information of the message data stream containing the digital watermark is consistent with the environment information of the data asset with the same digital watermark recorded in the security center database. If not, the user is considered to have performed an abnormal or illegal operation; the security center immediately sends an alarm to the client and the administrator by short message, mail, system prompt message and the like, immediately blocks the user's corresponding operation or network, and at the same time flags that the client agent's user may be suspected of a violation.
The method further comprises: the security center analyzes the traffic message data returned by the client agent or the server agent, and when it detects that data asset digital watermark information added by the server agent of the system exists in the traffic message data, it queries the message data records related to the data asset containing the digital watermark and restores the complete process of the leakage and circulation of the data asset. When the security center detects, in the traffic message data collected and mirrored back by the client agent and the server agent, data asset digital watermark information added by the server agent of the system (in which case a user may have leaked the sensitive data asset by some unknown means and bypassed the leakage-prevention detection of the system), the security center can raise an alarm to the system administrator, query the message data records related to the data asset containing the digital watermark information, restore the complete process of the leakage and circulation of the whole data asset, and trace the related offenders according to the five-tuple information, such as IP addresses, contained in the messages.
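Restoring the circulation path from stored traffic records, as an added example that is not code from the patent; it illustrates this paragraph and the earlier description of the same tracing step. The record layout, the `trace_leak` and `path_to` names and all flow values are constructed assumptions. A sender that holds the watermarked data without any captured inbound flow is reported as a gap, which corresponds to the "unknown means" case the text mentions.

```python
WATERMARK = "9f3c2a7e51b04d68"   # constructed watermark value
ORIGIN = "10.20.0.7"             # constructed home address of the asset

# Constructed traffic records (deliberately unordered): timestamp, five-tuple,
# and the watermarks found in the payload.
FLOWS = [
    {"ts": 340, "src_ip": "10.30.1.40", "src_port": 50311, "dst_ip": "203.0.113.50",
     "dst_port": 443, "proto": "tcp", "watermarks": {WATERMARK}},
    {"ts": 100, "src_ip": "10.20.0.7", "src_port": 3306, "dst_ip": "10.30.1.14",
     "dst_port": 51122, "proto": "tcp", "watermarks": {WATERMARK}},
    {"ts": 150, "src_ip": "10.30.1.31", "src_port": 40000, "dst_ip": "10.20.0.7",
     "dst_port": 443, "proto": "tcp", "watermarks": set()},
    {"ts": 400, "src_ip": "10.30.1.99", "src_port": 50888, "dst_ip": "198.51.100.9",
     "dst_port": 443, "proto": "tcp", "watermarks": {WATERMARK}},
    {"ts": 220, "src_ip": "10.30.1.14", "src_port": 50007, "dst_ip": "10.30.1.40",
     "dst_port": 445, "proto": "tcp", "watermarks": {WATERMARK}},
]


def five_tuple(flow):
    return (flow["src_ip"], flow["src_port"], flow["dst_ip"], flow["dst_port"], flow["proto"])


def trace_leak(flows, watermark, origin_ip):
    """Order the flows carrying one watermark and record who first received it from whom."""
    received_from = {origin_ip: None}  # host -> host it first received the asset from
    hops, gaps = [], []
    related = sorted((f for f in flows if watermark in f["watermarks"]),
                     key=lambda f: f["ts"])
    for flow in related:
        src, dst = flow["src_ip"], flow["dst_ip"]
        if src not in received_from:
            # The sender has the data but no captured flow delivered it: the
            # copy reached this host by a route the capture did not see.
            received_from[src] = None
            gaps.append(five_tuple(flow))
        received_from.setdefault(dst, src)
        hops.append((flow["ts"], five_tuple(flow)))
    return {"hops": hops, "gaps": gaps, "received_from": received_from}


def path_to(host, received_from):
    """Walk back from a host to the earliest known holder of the asset."""
    path = []
    while host is not None:
        path.append(host)
        host = received_from.get(host)
    return path[::-1]


if __name__ == "__main__":
    result = trace_leak(FLOWS, WATERMARK, ORIGIN)
    for ts, tup in result["hops"]:
        print(ts, tup)
    print("path:", " -> ".join(path_to("203.0.113.50", result["received_from"])))
    print("gaps:", result["gaps"])
```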
Before analyzing the user behavior data sent by the client agent, the method further comprises: receiving a login authentication request sent by the client agent, wherein the login authentication request carries equipment information of a client and identity authentication information required by a user to login the client; and calculating a hash value based on the identity verification information and the equipment information, comparing the calculated hash value with a hash value corresponding to the equipment information stored during registration to verify whether the login authentication request is legal or not, and returning a verification result to the client agent.
Before receiving the login authentication request sent by the client agent, the method further comprises: receiving an identity registration request sent by the client agent, wherein the identity registration request carries equipment information of the client and identity authentication information required by a user for logging in the client; and when the registration is completed in response to the identity registration request, giving role identities to client agents sending the identity registration request, wherein the data assets which can be accessed by different role identities have different sensitivity levels.
The method further comprises the following steps: sending a scanning task to the client agent so that the client agent identifies the data asset corresponding to the data asset identification strategy according to the data asset identification strategy in the scanning task, adds a digital watermark to the data asset with the sensitivity level higher than a preset level, and encrypts a data asset identification result containing the digital watermark, wherein the data asset identification result comprises network environment position information of the data asset;
and decrypting the encrypted data sent by the client agent, and storing the data asset identification result containing the digital watermark obtained by decryption.
For the undescribed part of the method embodiment, reference may be made to the contents of the foregoing system embodiment, and repeated descriptions are omitted for the sake of avoiding redundancy.
As shown in fig. 3, an embodiment of the present application further provides a data asset protection device 100 applied to a security center, where the data asset protection device 100 includes: a processing module 110 and an alarm module 120.
A processing module 110, configured to analyze user behavior data sent by the client agent; when the user behavior data is detected to contain the digital watermark, comparing the digital watermark with the digital watermark stored and recorded in advance; if the same digital watermark exists, judging whether the network environment position information of the data flow containing the digital watermark is consistent with the network environment position information of the data assets which are stored and recorded in advance and have the same digital watermark.
An alarm module 120, configured to send alarm information to the client and block the access operation of the client if the two are inconsistent. Optionally, in addition to sending the alarm to the client, the alarm module 120 may send an alarm to the administrator of the security center by system prompt, short message or email.
The data asset protection device 100 further comprises a sending module, configured to send a scanning task to the server agent so that the server agent identifies the data assets corresponding to the data asset identification policy in the scanning task, adds a digital watermark to any data asset whose sensitivity level is higher than the preset level, and encrypts the data asset identification result containing the digital watermark, where the data asset identification result comprises network environment location information of the data asset.
The processing module 110 is further configured to decrypt the encrypted data sent by the server agent, and store a data asset identification result containing the digital watermark obtained by decryption.
The processing module 110 is further configured to analyze the flow message data returned by the client agent or the server agent, and when detecting that the data asset digital watermark information added by the server agent of the system exists in the flow message data, query a message data record related to the data asset containing the digital watermark, and restore a complete process of the leakage flow of the data asset.
The data asset protection device 100 further comprises a receiving module, configured to receive a login authentication request sent by the client agent, where the login authentication request carries device information of the client and the identity authentication information the user needs to log in to the client.
Correspondingly, the processing module 110 is further configured to calculate a hash value based on the identity verification information and the device information, compare the calculated hash value with a hash value corresponding to the device information stored during registration to verify whether the login authentication request is valid, and return a verification result to the client agent.
The receiving module is further configured to receive an identity registration request sent by the client agent, where the identity registration request carries device information of the client and authentication information required by a user to log in the client; correspondingly, the processing module 110 is further configured to complete registration in response to the identity registration request, calculate a hash value based on the identity authentication information and the device information in the identity registration request, store the calculated hash value in association with the device information, and assign role identities to client agents that send the identity registration request when completing registration in response to the identity registration request, where different role identities have different sensitivity levels of data assets that can be accessed.
The data asset protection device 100 provided in the embodiment of the present application has the same implementation principle and the same technical effect as those of the foregoing method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the foregoing method embodiments for the parts of the device embodiments that are not mentioned.
As shown in fig. 4, fig. 4 is a block diagram illustrating a structure of an electronic device 200 according to an embodiment of the present disclosure. The electronic device 200 includes: a transceiver 210, a memory 220, a communication bus 230, and a processor 240.
The transceiver 210, the memory 220, and the processor 240 are electrically connected to each other directly or indirectly to achieve data transmission or interaction. For example, the components may be electrically coupled to each other via one or more communication buses 230 or signal lines. The transceiver 210 is used for transceiving data. The memory 220 is used to store a computer program such as the software functional module shown in fig. 3, i.e., the data asset protection device 100. The data asset protection device 100 includes at least one software function module, which may be stored in the memory 220 in the form of software or firmware, or solidified in an Operating System (OS) of the electronic device 200. The processor 240 is configured to execute executable modules stored in the memory 220, such as software functional modules or computer programs included in the data asset protection device 100. For example, the processor 240 is configured to analyze the user behavior data sent by the client agent; when the user behavior data is detected to contain a digital watermark, compare the digital watermark with the digital watermarks stored and recorded in advance; if the same digital watermark exists, judge whether the network environment location information of the data flow containing the digital watermark is consistent with the network environment location information, stored and recorded in advance, of the data asset with the same digital watermark; and if the two are inconsistent, send alarm information to the client and block the access operation of the client.
The Memory 220 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like.
The processor 240 may be an integrated circuit chip having signal processing capabilities. The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor 240 may be any conventional processor or the like.
The electronic device 200 includes, but is not limited to, the security center.
The embodiment of the present application further provides a non-volatile computer-readable storage medium (hereinafter, referred to as a storage medium), where the storage medium stores a computer program, and the computer program is executed by the computer, such as the electronic device 200, to execute the above-mentioned data asset protection method.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a notebook computer, a server, or an electronic device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (15)
1. A data asset protection system, comprising:
a client agent, deployed at the client and configured to acquire user behavior data;
and a security center, configured to analyze the user behavior data, compare the digital watermark with digital watermarks stored and recorded in advance when the user behavior data is detected to contain a digital watermark, judge, if the same digital watermark exists, whether the network environment location information of the data flow containing the digital watermark is consistent with the network environment location information, stored and recorded in advance, of the data asset with the same digital watermark, and, if the two are inconsistent, send alarm information to the client and block the access operation of the client.
2. The data asset protection system of claim 1, further comprising:
a server agent, deployed on the server and configured to identify, according to the data asset identification policy in a scanning task issued by the security center, the data assets corresponding to that policy, add digital watermarks to data assets whose sensitivity level is higher than the preset level, and encrypt the data asset identification result containing the digital watermarks, wherein the data asset identification result comprises network environment location information of the data assets;
and the security center is also used for decrypting the encrypted data sent by the server agent and storing the data asset identification result containing the digital watermark obtained by decryption.
3. The data asset protection system according to claim 2, wherein the security center is further configured to analyze the traffic message data returned by the client agent or the server agent, and when detecting that the data asset digital watermark information added by the server agent of the system exists in the traffic message data, query a message data record related to the data asset containing the digital watermark, and restore a complete process of the leakage flow of the data asset.
4. The data asset protection system of claim 1,
the client agent is further configured to send an identity registration request to the security center, where the identity registration request carries device information of the client and the identity authentication information required by a user to log in to the client;
the security center is further configured to respond to the identity registration request to complete registration, calculate a hash value based on the identity authentication information and the device information, and store the calculated hash value in association with the device information.
5. The data asset protection system of claim 4,
the client agent is also used for sending a login authentication request to the security center, wherein the login authentication request carries the equipment information of the client and the identity authentication information required by the user to login the client;
the security center is further configured to calculate a hash value based on the identity verification information and the device information, compare the calculated hash value with a hash value corresponding to the device information stored during registration, verify whether the login authentication request is legal, and return a verification result to the client agent.
6. The data asset protection system of claim 4, wherein the security center is further configured to assign role identities to client agents that send the identity registration requests upon completion of registration in response to the identity registration requests, wherein the data assets accessible to different role identities have different sensitivity levels.
7. The data asset protection system according to claim 1, wherein the client agent is configured to identify a data asset corresponding to a data asset identification policy in a scanning task issued by the security center according to the data asset identification policy, add a digital watermark to a data asset whose sensitivity level is higher than a preset level, and encrypt a data asset identification result including the digital watermark, where the data asset identification result includes network environment location information of the data asset;
and the security center is also used for decrypting the encrypted data sent by the client agent and storing the data asset identification result containing the digital watermark obtained by decryption.
8. A method for data asset protection, applied to a security center in communication with a client agent, the method comprising:
analyzing the user behavior data sent by the client agent;
when the user behavior data is detected to contain the digital watermark, comparing the digital watermark with the digital watermark stored and recorded in advance;
if the same digital watermark exists, judging whether the network environment position information of the data flow containing the digital watermark is consistent with the network environment position information of the data asset which is stored and recorded in advance and has the same digital watermark;
and if the two are inconsistent, sending alarm information to the client and blocking the access operation of the client.
9. The method of claim 8, wherein the security center is in communication with a server-side agent, the method further comprising:
sending a scanning task to the server agent so that the server agent identifies a data asset corresponding to a data asset identification strategy according to the data asset identification strategy in the scanning task, adds a digital watermark to the data asset with the sensitivity level higher than a preset level, and encrypts a data asset identification result containing the digital watermark, wherein the data asset identification result comprises network environment position information of the data asset;
and decrypting the encrypted data sent by the server agent, and storing the data asset identification result containing the digital watermark obtained by decryption.
10. The method of claim 9, further comprising:
analyzing the flow message data returned by the client agent or the server agent, inquiring the message data record related to the data asset containing the digital watermark when detecting that the data asset digital watermark information added by the server agent of the system exists in the flow message data, and restoring the complete process of the leakage circulation of the data asset.
11. The method of claim 8, wherein prior to analyzing the user behavior data sent by the client agent, the method further comprises:
receiving a login authentication request sent by the client agent, wherein the login authentication request carries equipment information of a client and identity authentication information required by a user to login the client;
and calculating a hash value based on the identity verification information and the equipment information, comparing the calculated hash value with a hash value corresponding to the equipment information stored during registration to verify whether the login authentication request is legal or not, and returning a verification result to the client agent.
12. The method of claim 11, wherein prior to receiving the login authentication request sent by the client agent, the method further comprises:
receiving an identity registration request sent by the client agent, wherein the identity registration request carries equipment information of the client and the identity verification information required for a user to log in to the client;
and, when registration is completed in response to the identity registration request, assigning a role identity to the client agent that sent the identity registration request, wherein different role identities can access data assets of different sensitivity levels.
13. The method of claim 8, further comprising:
sending a scanning task to the client agent, so that the client agent identifies the data assets matching the data asset identification strategy carried in the scanning task, adds a digital watermark to each data asset whose sensitivity level is higher than a preset level, and encrypts the data asset identification result containing the digital watermark, wherein the data asset identification result comprises network environment location information of the data asset;
and decrypting the encrypted data sent by the client agent, and storing the decrypted data asset identification result containing the digital watermark.
14. An electronic device, comprising:
a memory and a processor, the processor being coupled to the memory;
the memory is configured to store a program;
the processor is configured to invoke the program stored in the memory to perform the method of any one of claims 8-13.
15. A storage medium having stored thereon a computer program which, when executed by a processor, performs the method of any one of claims 8-13.
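The registration and login check described in claims 11 and 12, sketched as an added example that is not taken from the patent. The claims name no hash algorithm, so the salted PBKDF2-HMAC-SHA256 derivation, the constant-time comparison, the `SecurityCenter` class, the role table and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed role table: role identity -> highest sensitivity level it may access.
ROLE_MAX_LEVEL = {"auditor": 3, "staff": 1}

def _bind(salt: bytes, credential: str, device_info: str) -> bytes:
    """Hash the credential and device info together.

    Fields are length-prefixed so ("ab", "c") and ("a", "bc") hash differently.
    """
    parts = [credential.encode(), device_info.encode()]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.pbkdf2_hmac("sha256", msg, salt, 100_000)

class SecurityCenter:
    """Hypothetical in-memory stand-in for the security center's registry."""

    def __init__(self):
        self._by_device = {}  # device_info -> (salt, stored hash, role)

    def register(self, device_info: str, credential: str, role: str) -> str:
        """Store the device-bound hash and assign the role identity."""
        if device_info in self._by_device:
            raise ValueError("device already registered")
        salt = os.urandom(16)
        stored = _bind(salt, credential, device_info)
        self._by_device[device_info] = (salt, stored, role)
        return role

    def login(self, device_info: str, credential: str):
        """Return the role identity if the request is legitimate, else None."""
        record = self._by_device.get(device_info)
        if record is None:
            # Unknown device: do the same work so timing does not reveal
            # whether the device is registered.
            _bind(b"\0" * 16, credential, device_info)
            return None
        salt, stored, role = record
        candidate = _bind(salt, credential, device_info)
        return role if hmac.compare_digest(candidate, stored) else None

    def may_access(self, role, sensitivity_level: int) -> bool:
        """Unknown or missing roles get level 0, i.e. no sensitive assets."""
        return role is not None and sensitivity_level <= ROLE_MAX_LEVEL.get(role, 0)
```

Because the device information is part of the hashed input, a credential replayed from a different registered device produces a different hash and fails verification.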
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110199120.9A CN112800397A (en) | 2021-02-22 | 2021-02-22 | Data asset protection method, system, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110199120.9A CN112800397A (en) | 2021-02-22 | 2021-02-22 | Data asset protection method, system, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112800397A true CN112800397A (en) | 2021-05-14 |
Family
ID=75815352
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110199120.9A Pending CN112800397A (en) | 2021-02-22 | 2021-02-22 | Data asset protection method, system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112800397A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1556987A (en) * | 2001-09-22 | 2004-12-22 | 英特尔公司 | Method and apparatus for content protection across an interface |
US20050251491A1 (en) * | 1998-08-13 | 2005-11-10 | International Business Machines Corporation | Key management system |
CN101789942A (en) * | 2010-01-29 | 2010-07-28 | 蓝盾信息安全技术股份有限公司 | Method for preventing sensitive data from betraying confidential matters and device thereof |
CN103841120A (en) * | 2014-03-28 | 2014-06-04 | 北京网秦天下科技有限公司 | Data security management method, mobile terminal and system based on digital watermarking |
CN108702360A (en) * | 2016-02-15 | 2018-10-23 | 思科技术公司 | Use the digital asset Preservation tactics of dynamic network attribute |
CN109992936A (en) * | 2017-12-31 | 2019-07-09 | 中国移动通信集团河北有限公司 | Data source tracing method, device, equipment and medium based on data watermark |
- 2021-02-22 CN CN202110199120.9A patent/CN112800397A/en active Pending
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113553554A (en) * | 2021-07-12 | 2021-10-26 | 国网青海省电力公司信息通信公司 | Operation and maintenance system for radio stations in data |
CN113726789A (en) * | 2021-09-01 | 2021-11-30 | 北京天空卫士网络安全技术有限公司 | Sensitive data interception method and device |
CN113726789B (en) * | 2021-09-01 | 2023-07-28 | 北京天空卫士网络安全技术有限公司 | Sensitive data interception method and device |
CN114422246A (en) * | 2022-01-20 | 2022-04-29 | 国家药品监督管理局信息中心(中国食品药品监管数据中心) | Data reading method and system and electronic equipment |
CN114615030A (en) * | 2022-02-27 | 2022-06-10 | 江苏欧软信息科技有限公司 | Identity authentication method and system based on industrial Internet platform |
CN114615030B (en) * | 2022-02-27 | 2023-09-19 | 江苏欧软信息科技有限公司 | Identity authentication method and system based on industrial Internet platform |
CN115168888A (en) * | 2022-09-07 | 2022-10-11 | 杭州海康威视数字技术股份有限公司 | Service self-adaptive data management method, device and equipment |
CN115168888B (en) * | 2022-09-07 | 2023-01-24 | 杭州海康威视数字技术股份有限公司 | Service self-adaptive data management method, device and equipment |
CN116684199A (en) * | 2023-07-31 | 2023-09-01 | 四川奥诚科技有限责任公司 | Dual-proxy-based data asset security protection system and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112800397A (en) | Data asset protection method, system, electronic equipment and storage medium | |
EP2656270B1 (en) | Tamper proof location services | |
CN106487775B (en) | Service data processing method and device based on cloud platform | |
US9411962B2 (en) | System and methods for secure utilization of attestation in policy-based decision making for mobile device management and security | |
US7281267B2 (en) | Software audit system | |
US10699234B1 (en) | Computer systems and methods to protect user credential against phishing | |
US9282114B1 (en) | Generation of alerts in an event management system based upon risk | |
US20170324777A1 (en) | Injecting supplemental data into data queries at network end-points | |
US8245042B2 (en) | Shielding a sensitive file | |
US11356452B2 (en) | System, computer program product and method for risk evaluation of API login and use | |
CN110889130B (en) | Database-based fine-grained data encryption method, system and device | |
US20170324774A1 (en) | Adding supplemental data to a security-related query | |
US11765171B2 (en) | Monitoring security configurations of cloud-based services | |
CN109936555A (en) | A kind of date storage method based on cloud platform, apparatus and system | |
CN112329042A (en) | Big data secure storage system and method | |
US20190018751A1 (en) | Digital Asset Tracking System And Method | |
Stankov et al. | Vulnerability and protection of business management systems: threats and challenges | |
CN111046405A (en) | Data processing method, device, equipment and storage medium | |
JP2004213475A (en) | Login request reception device and access management device | |
CN113922975A (en) | Security control method, server, terminal, system and storage medium | |
CN113239349B (en) | Network security testing method for power monitoring system | |
WO2019235450A1 (en) | Information processing device, information processing method, information processing program, and information processing system | |
JP2004213476A (en) | Injustice access detection device | |
CN108134781B (en) | Important information data secrecy monitoring system | |
CN112118241A (en) | Audit penetration testing method, testing node server, management server and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20210514 |