CN112800474B - Data desensitization method and device, storage medium and electronic device - Google Patents
- Publication number
- CN112800474B, CN202110293303.7A
- Authority
- CN
- China
- Prior art keywords
- data
- instruction
- target
- desensitization
- detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6254—Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
- G06F16/2433—Query languages
- G06F16/2445—Data retrieval commands; View definitions
Abstract
Embodiments of the invention provide a data desensitization method and device, a storage medium and an electronic device. The method comprises: acquiring a data calling instruction; performing sensitive data detection on the data calling instruction and, when the data calling instruction is detected to contain target sensitive data, processing the data calling instruction based on the target sensitive data to obtain a data detection instruction; sending the data detection instruction to a database; acquiring target data fed back by the database based on the data detection instruction; performing first integration processing on the target data and the data calling instruction to obtain first integrated data; and desensitizing and rewriting the target data included in the first integrated data based on a desensitization rule corresponding to the target sensitive data to obtain target desensitized data. The method and device solve the problem of poor controllability of data desensitization in the related art and thereby improve the controllability of data desensitization.
Description
Technical Field
The embodiment of the invention relates to the field of communication, in particular to a data desensitization method, a data desensitization device, a storage medium and an electronic device.
Background
In existing data desensitization approaches, the client and the data end are connected through a deployed proxy plug-in, which desensitizes the data exchanged between them. This approach requires deploying an additional proxy plug-in, which increases operating cost, and it involves changes to the service-layer IP (Internet Protocol) address and output port, so the desensitized content cannot be controlled and the controllability of data desensitization is reduced.
No effective solution to these problems has yet been proposed.
Disclosure of Invention
The embodiment of the invention provides a data desensitization method, a data desensitization device, a storage medium and an electronic device, which are used for at least solving the problems of high desensitization processing cost and poor controllability of a desensitization process in the related technology.
According to an embodiment of the present invention, there is provided a data desensitization method including:
acquiring a data calling instruction;
performing sensitive data detection on the data calling instruction and, when the data calling instruction is detected to contain target sensitive data, processing the data calling instruction based on the target sensitive data to obtain a data detection instruction;
sending the data detection instruction to a database;
acquiring target data fed back by the database based on the data detection instruction;
performing first integration processing on the target data and the data calling instruction to obtain first integrated data;
desensitizing and rewriting the target data included in the first integrated data based on a desensitization rule corresponding to the target sensitive data to obtain target desensitized data.
In an exemplary embodiment, performing sensitive data detection on the data calling instruction and, when the data calling instruction is detected to contain the sensitive data, processing the data calling instruction based on the sensitive data to obtain a data detection instruction includes:
performing syntactic analysis processing on the data calling instruction to obtain a syntactic analysis result;
determining the sensitive data corresponding to the data calling instruction according to the syntactic analysis result;
and performing second integration processing on the data calling instruction based on the sensitive data to obtain the data detection instruction.
In an exemplary embodiment, sending the data detection instruction to a database comprises:
performing statement detection processing on the data detection instruction;
and sending the data detection instruction to the database when the detection result is that the data detection instruction meets the preset condition.
In an exemplary embodiment, the obtaining target data fed back by the database based on the data detection instruction includes:
obtaining a calling result fed back by the database based on the data detection instruction;
and analyzing the calling result to obtain the target data.
In an exemplary embodiment, after obtaining the target desensitization data, the method further comprises:
and feeding back the target desensitization data to the database so that the database performs feedback processing on the target desensitization data.
According to another embodiment of the present invention, there is provided a data desensitization apparatus including:
the instruction receiving module is used for acquiring a data calling instruction;
the instruction generation module is used for detecting sensitive data of the data calling instruction and processing the data calling instruction based on the target sensitive data to obtain a data detection instruction under the condition that the data calling instruction is detected to contain the target sensitive data;
the instruction sending module is used for sending the data detection instruction to a database;
the data receiving module is used for acquiring target data fed back by the database based on the data detection instruction;
the first integration module is used for performing first integration processing on the target data and the data calling instruction to obtain first integrated data;
and the desensitization rewriting module is used for desensitizing and rewriting the target data included in the first integrated data based on a desensitization rule corresponding to the target sensitive data to obtain target desensitization data.
In one exemplary embodiment, further comprising:
and the protocol stack is used for controlling the instruction receiving module and the data receiving module to receive the instructions and controlling the instruction sending module to forward the instructions.
In one exemplary embodiment, the instruction generation module includes:
the syntactic analysis unit is used for carrying out syntactic analysis processing on the data calling instruction so as to obtain a syntactic analysis result;
the data determining unit is used for determining the sensitive data corresponding to the data calling instruction according to the grammar analysis result;
and the instruction generating unit is used for carrying out second integration processing on the data calling instruction based on the sensitive data so as to obtain the data detection instruction.
According to a further embodiment of the present invention, there is also provided a computer-readable storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, because the desensitization rule is determined by detecting the sensitive data, the desensitization process can be controlled by adjusting the desensitization rule; and because no proxy plug-in needs to be deployed, the problems of high desensitization processing cost and poor controllability in the related art are solved, reducing the desensitization cost and improving the controllability of the desensitization process.
Drawings
Fig. 1 is a block diagram of a hardware structure of a mobile terminal of a data desensitization method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method of data desensitization according to an embodiment of the present invention;
FIG. 3 is a block diagram of a data desensitization apparatus according to an embodiment of the present invention;
fig. 4 is a flow chart according to a specific embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided in the embodiments of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of operating on a mobile terminal, fig. 1 is a hardware structure block diagram of the mobile terminal of a data desensitization method according to an embodiment of the present invention. As shown in fig. 1, the mobile terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), and a memory 104 for storing data, wherein the mobile terminal may further include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and does not limit the structure of the mobile terminal. For example, the mobile terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 can be used for storing computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a data desensitization method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a data desensitization method is provided, and fig. 2 is a flow chart according to an embodiment of the present invention, as shown in fig. 2, the flow chart includes the following steps:
step S202, acquiring a data calling instruction;
In this embodiment, the data calling instruction may be (but is not limited to being) obtained by intercepting, through the lightweight protocol stack, the initial instruction data sent by the client to the database; intercepting the data through the lightweight protocol stack makes the instruction data easy to control.
The data calling instruction may include (but is not limited to) the code of the instruction, identification information of the data calling instruction, the address of the client, identification information of the data to be called, and the like. The data calling instruction may be transmitted over Ethernet or Bluetooth, over a wireless transmission network such as 3G/4G/5G/quantum communication, or by other means.
For example, a desensitization device containing a lightweight protocol stack is connected to the data transmission network, and the lightweight protocol stack then controls the DPDK (Data Plane Development Kit) in the desensitization device to intercept an SQL (Structured Query Language) statement sent by a client to the database.
Step S204, performing sensitive data detection on the data calling instruction and, when the data calling instruction is detected to contain target sensitive data, processing the data calling instruction based on the target sensitive data to obtain a data detection instruction;
In this embodiment, the data calling instruction is inspected to determine whether the data to be called includes target sensitive data, so that the sensitive data can be desensitized; the data detection instruction is used to call the target sensitive data from the database so that it can be desensitized.
The target sensitive data comprises (but is not limited to) a plurality of preset data types and a plurality of specific data items corresponding to those types. The sensitive data detection may (but is not limited to) check all fields in the data calling instruction one by one, check a target field in the data calling instruction, or check randomly selected fields in the data calling instruction; the check may (but is not limited to) compare the fields in the data calling instruction with preset fields, or may be done in other ways. The data detection instruction includes (but is not limited to) the code of the instruction, identification information of the target sensitive data, identification information of the data detection instruction, a feedback address for the target sensitive data, and the like. The data calling instruction may be (but is not limited to being) processed by a processing module preset in the desensitization device, and the processing may follow a preset algorithm or be done in other ways.
For example, if a statement with a select field is detected in the data calling instruction, the instruction contains target sensitive data, so desensitization processing needs to be performed on the target data and the communication packet corresponding to the statement.
Step S206, sending a data detection instruction to a database;
In this embodiment, the data detection instruction is sent to the database to instruct the database to feed the target sensitive data back to the desensitization device for desensitization processing.
The data detection instruction may be transmitted over Ethernet or Bluetooth, over a wireless transmission network such as 3G/4G/5G/quantum communication, or by other means.
For example, the lightweight protocol stack controls the DPDK in the desensitization device to send the data detection instruction to the database.
Step S208, target data fed back by the database based on the data detection instruction is obtained;
It should be noted that the target data fed back by the database may be received by the DPDK in the desensitization device under the control of the lightweight protocol stack.
Step S2010, performing first integration processing on the target data and the data calling instruction to obtain first integrated data;
In this embodiment, the target data and the data calling instruction are integrated so that the database can feed desensitized data back to the client according to the data feedback address included in the data calling instruction.
The first integration processing determines the content represented by the field that identifies the target data in the calling instruction, for example the fields represented by the select instruction. Specifically, the instruction executed by the client is transformed: the integration may (but is not limited to) wrap a query statement around the original query statement, with the original query statement used as the call table of the new query statement, or may be done in other ways. The first integration processing may be (but is not limited to being) performed by a processing module preset in the desensitization device.
Step S2012, desensitize and rewrite the target data included in the first integrated data based on the desensitization rule corresponding to the target sensitive data, so as to obtain target desensitized data.
In this embodiment, rewriting the target data may be (but is not limited to) adding a protection field or an obfuscation field to the field used to identify the target data, turning the target data into non-sensitive data and thereby desensitizing it.
The desensitization rewriting may be (but is not limited to being) performed by a processing module preset in the desensitization device, and the processing may follow a preset desensitization algorithm or be done in other ways.
For example, the field information obtained by the first integration is spliced in as part of a query statement, with the original query statement used as the call table of the new query statement, so that the field information and the call table form a new desensitization statement. The fields in the spliced statement are then matched one by one against the desensitization rules; when a match succeeds, the corresponding field is replaced using the corresponding desensitization algorithm. Once all fields have been checked in turn and the changes are complete, the new desensitization statement is forwarded to the database server.
Through the above steps, no proxy plug-in needs to be deployed and only the lightweight protocol stack needs to be set up, which reduces operating cost; the desensitization process can be controlled by setting the preset desensitization rules, which solves the problems of high operating cost and poor controllability in the related art and improves the control precision of the desensitization process.
The above steps may be executed by a base station, a terminal, or the like, but are not limited thereto.
In an optional embodiment, performing sensitive data detection on the data calling instruction and, when the data calling instruction is detected to contain sensitive data, processing the data calling instruction based on the sensitive data to obtain the data detection instruction includes:
step S2042, performing syntactic analysis processing on the data calling instruction to obtain a syntactic analysis result;
step S2044, determining the sensitive data corresponding to the data calling instruction according to the syntactic analysis result;
step S2046, performing second integration processing on the data calling instruction based on the sensitive data to obtain a data detection instruction.
In this embodiment, statement analysis is performed on the data calling instruction to determine the information it contains and the grammar rules it uses, which facilitates field integration.
The syntactic analysis processing may (but is not limited to) include analyzing information contained in the data calling instruction such as identification information, client address, grammar rules and data content; the target sensitive data can be determined by recognizing the identification information of the target sensitive data; the second integration processing includes (but is not limited to) integrating information such as the parsed client address, and properly creating and destroying the handle of the data detection instruction.
In an alternative embodiment, sending the data detection instruction to the database comprises:
step S2062, performing statement detection processing on the data detection instruction;
step S2064, sending the data detection instruction to the database when the detection result is that the data detection instruction meets the predetermined condition.
In this embodiment, statement detection processing is performed on the data detection instruction to ensure that it is correct, so as to avoid data being misrecognized or not recognized at all because of incorrect syntax.
The statement detection processing may (but is not limited to) include checking whether the syntax of the data detection instruction conforms to the grammar rules, whether the identification is correct, whether the address is correct, and the like; the predetermined conditions may include, but are not limited to, the syntax satisfying the grammar rules, the identification being correct, and the like.
In an optional embodiment, acquiring the target data fed back by the database based on the data detection instruction comprises:
step S2082, obtaining a calling result fed back by the database based on the data detection instruction;
step S2084, analyzing the calling result to obtain target data.
In this embodiment, the calling result includes (but is not limited to) identification information of the target sensitive data, the identification of the corresponding desensitization rule, and the like, and the target data includes information such as the target sensitive data and the client address; the parsing process includes (but is not limited to) recognizing the calling result, detecting the target field, and the like.
In an alternative embodiment, after obtaining the target desensitization data, the method further comprises:
step S2014, feeding back the target desensitization data to the database, so that the database performs feedback processing on the target desensitization data.
In this embodiment, the target desensitization data is fed back to the client by the database, which avoids problems such as transmission errors arising while the desensitization device transmits data.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a data desensitization apparatus is further provided, and the apparatus is used to implement the above embodiments and preferred embodiments, which have already been described and will not be described again. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 3 is a block diagram showing the structure of a data desensitization apparatus according to an embodiment of the present invention, as shown in fig. 3, the apparatus including:
an instruction receiving module 32, configured to obtain a data calling instruction;
an instruction generating module 34, configured to perform sensitive data detection on the data calling instruction and, when the data calling instruction is detected to include target sensitive data, process the data calling instruction based on the target sensitive data to obtain a data detection instruction;
an instruction sending module 36, configured to send the data detection instruction to a database;
a data receiving module 38, configured to obtain target data fed back by the database based on the data detection instruction;
a first integration module 310, configured to perform first integration processing on the target data and the data calling instruction to obtain first integrated data;
a desensitization rewriting module 312, configured to perform desensitization rewriting on the target data included in the first integrated data based on a desensitization rule corresponding to the target sensitive data, so as to obtain target desensitization data.
In an optional embodiment, the apparatus further comprises:
and the protocol stack 314 is configured to control the instruction receiving module and the data receiving module to receive an instruction, and control the instruction sending module to forward the instruction.
In an alternative embodiment, the instruction generation module 34 includes:
a syntax analysis unit 342, configured to perform syntax analysis processing on the data calling instruction to obtain a syntax analysis result;
a data determining unit 344, configured to determine, according to the syntax analysis result, the sensitive data corresponding to the data calling instruction;
an instruction generating unit 346, configured to perform second integration processing on the data calling instruction based on the sensitive data to obtain a data detection instruction.
In an alternative embodiment, the instruction sending module 36 includes:
a statement detection unit 362, configured to perform statement detection processing on the data detection instruction;
an instruction sending unit 364, configured to send the data detection instruction to the database when the detection result is that the data detection instruction meets the predetermined condition.
In an alternative embodiment, the data receiving module 38 includes:
a retrieval result receiving unit 382 configured to obtain a retrieval result fed back by the database based on the data detection instruction;
and the retrieval result analysis unit 384 is used for analyzing the retrieval result to obtain the target data.
In an optional embodiment, the apparatus further comprises:
and the data feedback module 316 is configured to, after the target desensitization data is obtained, feed back the target desensitization data to the database, so that the database performs feedback processing on the target desensitization data.
It should be noted that the above modules may be implemented by software or hardware; for the latter, this may be achieved in, but is not limited to, the following ways: the modules are all located in the same processor; or the modules are located in different processors in any combination.
The present invention will be described with reference to specific examples.
As shown in fig. 4, the method specifically includes the following steps:
Step 1: the SQL statement sent by the client is intercepted and is not forwarded to the database (corresponding to step S401 in fig. 4).
Step 2: statement analysis is performed on the intercepted statement to determine the target sensitive data, and a field detection statement is generated according to the target sensitive data (corresponding to step S402 in fig. 4).
Step 3: the constructed field detection statement is sent to the database (corresponding to step S403 in fig. 4).
Step 4: the response returned by the database end for the detection statement is collected, and the fields are obtained by parsing it according to the protocol (corresponding to step S404 in fig. 4).
Step 5: the detected fields are written back and integrated with the original statement.
Step 6: desensitization rewriting is performed on the written-back statement (corresponding to steps S405 and S406 in fig. 4).
Step 7: the rewritten statement is sent to the database (corresponding to step S407 in fig. 4).
Step 8: the data end sends the returned desensitized data to the client, which completes one dynamic desensitization process.
For example, desensitization equipment containing a lightweight protocol stack is connected in series to a database network to hijack a network packet sent to the database by a client, and the matching verification of a desensitization rule is performed on the hijacked network packet; and if the check result is a select statement, the statement and the communication packet need to be tampered, the tampered communication packet is sent to the database to obtain the accessed return field, and then the database end returns all the influence fields of the statement.
Then, after receiving the communication packet, the desensitization device does not send the communication packet to the client, performs desensitization rewriting by combining with the original statement, and sends the rewritten statement to the database, and at this time, the database returns to the desensitization database and forwards the desensitization database to the client.
The lightweight protocol stack is implemented in bridge mode: after a communication packet is intercepted, DPDK hands it to the protocol stack, and once the protocol stack has finished processing, the processed packet is handed back to DPDK for forwarding. When modifying the SQL changes its length, that is, when the size of the communication packet changes, the protocol stack recalculates the sequence numbers so that variable-length desensitization is supported.
It should be noted that this embodiment is deployed in bridge mode.
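The sequence calculation described above, as an added example that is not code from the patent: when the bridge injects a probe and replaces the client's SQL with a statement of a different length, the sequence numbers it forwards and the acknowledgements it relays back must be shifted by the accumulated length change. The class and function names and the lengths used in `demo` are assumptions; a second instance of the same class would track the database-to-client direction.

```python
# Added illustration; names are hypothetical and do not come from the patent.
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def seq_ge(a, b):
    """True if a is at or after b in 32-bit serial-number order."""
    return (a - b) % MOD < (1 << 31)

class StreamOffset:
    """Sequence bookkeeping for ONE direction of a TCP stream edited by the bridge."""

    def __init__(self):
        # (orig start, orig end, delta before the edit, delta after the edit)
        self.edits = []

    def record(self, orig_seq, orig_len, new_len):
        """Note that orig_len bytes at orig_seq were replaced by new_len bytes.
        orig_len == 0 models bytes the bridge injects itself (the probe)."""
        prev = self.edits[-1][3] if self.edits else 0
        end = (orig_seq + orig_len) % MOD
        self.edits.append((orig_seq % MOD, end, prev, prev + new_len - orig_len))

    def seq_out(self, orig_seq):
        """Sender's sequence number -> the number the receiver must see."""
        delta = 0
        for _start, end, _prev, cum in self.edits:
            if seq_ge(orig_seq, end):
                delta = cum
        return (orig_seq + delta) % MOD

    def ack_in(self, ack):
        """Receiver's ACK (rewritten numbering) -> the ACK the sender expects."""
        delta = 0
        for start, end, prev, cum in self.edits:
            if seq_ge(ack, (end + cum) % MOD):
                delta = cum      # edited segment fully acknowledged
            elif seq_ge(ack, (start + prev) % MOD):
                return start     # partial ACK: confirm nothing of that segment
        return (ack - delta) % MOD

def demo(client_seq=1000, probe_len=40, orig_len=30, new_len=95):
    """Constructed exchange: probe injected, then the held statement rewritten."""
    c2s = StreamOffset()
    c2s.record(client_seq, 0, probe_len)        # probe statement sent first
    c2s.record(client_seq, orig_len, new_len)   # original SQL replaced
    rewritten_seq = c2s.seq_out(client_seq)
    db_ack = (rewritten_seq + new_len) % MOD    # database ACKs the rewritten SQL
    next_client_seq = (client_seq + orig_len) % MOD
    return rewritten_seq, c2s.ack_in(db_ack), c2s.seq_out(next_client_seq)
```

With the default values the rewritten statement leaves at sequence 1040, the client is told that byte 1030 was acknowledged, and its next segment is forwarded at 1135.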
The statement rewriting principle of this embodiment is: the original statement is parsed and reformed into a field detection statement, and the statement is written into the corresponding position of the communication packet; the correctness of the SQL must be ensured and no syntax errors may exist.
The statement handle processing principle of this embodiment is: the detection statement is inserted into the original interaction and is not a statement executed by the client, so its handle must be properly created and destroyed to prevent database handles from leaking.
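Steps 1 to 8 and the two principles above, as an added example that is not code from the patent: a `SELECT *` is held back, a zero-row probe learns the fields, the fields are written back, and sensitive columns are replaced by masking expressions before the statement runs. SQLite stands in for the database; the `LIMIT 0` probe form, the masking rules, the table and all function names are assumptions.

```python
import re
import sqlite3

# Constructed rules (assumed): sensitive column -> SQL masking expression.
MASK_RULES = {
    "phone": "substr(phone, 1, 3) || '****' || substr(phone, 8)",
    "id_card": "substr(id_card, 1, 4) || '**********' || substr(id_card, 15)",
}
# Only "SELECT * | col, col FROM table ..." is understood; anything else is refused.
SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>\*|\w+(?:\s*,\s*\w+)*)\s+from\s+(?P<table>\w+)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL)

def parse(sql):
    m = SELECT_RE.match(sql)
    if m is None:
        raise ValueError("unsupported statement: refuse rather than forward unmasked")
    return m

def build_probe(sql):
    """Steps 2-3: field detection statement that returns column metadata, no rows."""
    m = parse(sql)
    return f"SELECT {m['cols']} FROM {m['table']} LIMIT 0"

def probe_fields(conn, probe_sql):
    """Step 4: run the probe, read the field names, and always release its handle."""
    cur = conn.cursor()
    try:
        cur.execute(probe_sql)
        return [col[0] for col in cur.description]
    finally:
        cur.close()

def rewrite(sql, fields):
    """Steps 5-6: write the fields back into the statement and mask sensitive ones."""
    m = parse(sql)
    cols = [f"{MASK_RULES[f.lower()]} AS {f}" if f.lower() in MASK_RULES else f
            for f in fields]
    return f"SELECT {', '.join(cols)} FROM {m['table']}{m['rest']}"

def desensitize_select(conn, client_sql):
    """Steps 1-8 for one intercepted statement; only masked rows reach the caller."""
    fields = probe_fields(conn, build_probe(client_sql))
    return conn.execute(rewrite(client_sql, fields)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample table and row
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT, id_card TEXT)")
    conn.execute("INSERT INTO users VALUES ('Li', '13812345678', '110101199003071234')")
    return desensitize_select(conn, "SELECT * FROM users WHERE name = 'Li'")
```

The tail of the statement is passed through unparsed here; a production gateway needs a full SQL parser so that aliases, subqueries and set operations fall under the same rules.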
Embodiments of the present invention also provide a computer-readable storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
In an exemplary embodiment, the computer-readable storage medium may include, but is not limited to, various media capable of storing computer programs, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
In an exemplary embodiment, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and exemplary embodiments, and details of this embodiment are not repeated herein.
It will be apparent to those skilled in the art that the modules or steps of the invention described above may be implemented using a general-purpose computing device. They may be centralized on a single computing device or distributed across a network of computing devices, and they may be implemented using program code executable by computing devices, so that they may be stored in a memory device and executed by a computing device. In some cases, the steps shown or described may be performed in an order different from that described herein; alternatively, the modules or steps may be separately fabricated into individual integrated circuit modules, or several of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method of data desensitization, comprising:
acquiring a data calling instruction from a client;
sensitive data detection is carried out on the data calling instruction, and the data calling instruction is processed based on target sensitive data under the condition that the data calling instruction is detected to contain the target sensitive data, so that a data detection instruction is obtained;
sending the data detection instruction to a database;
acquiring target data fed back by the database based on the data detection instruction;
performing first integration processing on the target data and the data calling instruction to obtain first integrated data;
desensitizing and rewriting the target data included in the first integrated data based on a desensitization rule corresponding to the target sensitive data to obtain target desensitized data;
sending the target desensitization data to the client.
2. The method of claim 1, wherein performing sensitive data detection on the data calling instruction, and, in the case that it is detected that the data calling instruction contains the sensitive data, processing the data calling instruction based on the sensitive data to obtain a data detection instruction comprises:
carrying out syntactic analysis processing on the data calling instruction to obtain a syntactic analysis result;
determining the sensitive data corresponding to the data calling instruction according to the syntactic analysis result;
and performing second integration processing on the data calling instruction based on the sensitive data to obtain the data detection instruction.
3. The method of claim 1, wherein sending the data detection instruction to a database comprises:
performing statement detection processing on the data detection instruction;
and sending the data detection instruction to the database under the condition that the detection result is that the data detection instruction meets the preset condition.
4. The method of claim 1, wherein the obtaining target data fed back by the database based on the data detection instructions comprises:
obtaining a calling result fed back by the database based on the data detection instruction;
and analyzing the calling result to obtain the target data.
5. The method of claim 1, wherein after obtaining the target desensitization data, the method further comprises:
and feeding back the target desensitization data to the database so that the database performs feedback processing on the target desensitization data.
6. A data desensitization apparatus, comprising:
the instruction receiving module is used for acquiring a data calling instruction from the client;
the instruction generation module is used for detecting sensitive data of the data calling instruction and processing the data calling instruction based on the target sensitive data to obtain a data detection instruction under the condition that the data calling instruction is detected to contain the target sensitive data;
the instruction sending module is used for sending the data detection instruction to a database;
the data receiving module is used for acquiring target data fed back by the database based on the data detection instruction;
the first integration module is used for performing first integration processing on the target data and the data calling instruction to obtain first integrated data;
a desensitization rewriting module, configured to perform desensitization rewriting on the target data included in the first integrated data based on a desensitization rule corresponding to the target sensitive data to obtain target desensitization data;
and the data sending module is used for sending the target desensitization data to the client.
7. The apparatus of claim 6, further comprising:
and the protocol stack is used for controlling the instruction receiving module and the data receiving module to receive the instructions and controlling the instruction sending module to forward the instructions.
8. The apparatus of claim 6, wherein the instruction generation module comprises:
the syntactic analysis unit is used for carrying out syntactic analysis processing on the data calling instruction so as to obtain a syntactic analysis result;
the data determining unit is used for determining the sensitive data corresponding to the data calling instruction according to the syntactic analysis result;
and the instruction generating unit is used for carrying out second integration processing on the data calling instruction based on the sensitive data so as to obtain the data detection instruction.
9. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 5 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110293303.7A CN112800474B (en) | 2021-03-19 | 2021-03-19 | Data desensitization method and device, storage medium and electronic device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112800474A (en) | 2021-05-14 |
CN112800474B (en) | 2021-08-10 |
Family
ID=75815534
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110293303.7A Active CN112800474B (en) | 2021-03-19 | 2021-03-19 | Data desensitization method and device, storage medium and electronic device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112800474B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116737756B (en) * | 2023-08-15 | 2023-11-03 | 腾讯科技(深圳)有限公司 | Data query method, device, equipment and storage medium |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106295388B (en) * | 2015-06-04 | 2019-09-10 | 中国移动通信集团山东有限公司 | A kind of data desensitization method and device |
US9736139B2 (en) * | 2015-08-13 | 2017-08-15 | Microsoft Technology Licensing, Llc | Storage of captured sensitive data with bypass of local storage |
CN106407843A (en) * | 2016-10-17 | 2017-02-15 | 深圳中兴网信科技有限公司 | Data desensitization method and data desensitization device |
CN108304726A (en) * | 2017-01-13 | 2018-07-20 | 中国移动通信集团贵州有限公司 | Data desensitization method and device |
CN107392051A (en) * | 2017-07-28 | 2017-11-24 | 北京明朝万达科技股份有限公司 | A kind of big data processing method and system |
CN109992986B (en) * | 2017-12-29 | 2021-05-11 | 中国移动通信集团上海有限公司 | Desensitization processing method and device for sensitive data |
CN108509805A (en) * | 2018-03-21 | 2018-09-07 | 深圳天源迪科信息技术股份有限公司 | Data encrypting and deciphering and desensitization runtime engine and its working method |
CN110489990B (en) * | 2018-05-15 | 2021-08-31 | 中国移动通信集团浙江有限公司 | Sensitive data processing method and device, electronic equipment and storage medium |
CN109635027B (en) * | 2018-12-03 | 2022-11-25 | 北京安华金和科技有限公司 | Method for realizing database access result set detection |
CN110188565A (en) * | 2019-04-17 | 2019-08-30 | 平安科技(深圳)有限公司 | Data desensitization method, device, computer equipment and storage medium |
CN110889134B (en) * | 2019-11-11 | 2024-01-23 | 北京中电飞华通信股份有限公司 | Data desensitizing method and device and electronic equipment |
CN111199054B (en) * | 2019-12-20 | 2023-09-19 | 深圳昂楷科技有限公司 | Data desensitization method and device and data desensitization equipment |
Also Published As
Publication number | Publication date |
---|---|
CN112800474A (en) | 2021-05-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||