CN112839083A - Data transmission method and device and readable storage medium - Google Patents

Publication number
CN112839083A
Authority
CN
China
Prior art keywords
interface
request
interfaces
data
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011643353.5A
Other languages
Chinese (zh)
Other versions
CN112839083B (en
Inventor
陈国�
王奇飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202011643353.5A
Publication of CN112839083A
Application granted
Publication of CN112839083B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Abstract

The application provides a data transmission method and device and a readable storage medium. In the data transmission method, a proxy server detects the corresponding interface function of the request data of a service system, and transmits the request data of the interfaces with the same function after carrying out duplicate removal processing on the request data; or the request data of the interface of the function needing to be excluded is not transmitted, so that the interface desensitization of the service system is realized; and on the other hand, sensitive information detection is carried out on the response data of the service system, and desensitization treatment is carried out on the response data containing the sensitive information and then transmission is carried out, so that information desensitization of the service system is realized. Therefore, the data transmission method can realize function desensitization of the service system and improve the safety of data transmission in the service system.

Description

Data transmission method and device and readable storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a data transmission method and apparatus, and a readable storage medium.
Background
A service system receives data through various interfaces, and different interfaces may be configured with the same function or with different functions. Interfaces configured with the same function can easily receive insecure request data, which lowers the security of the data transmitted by the service system.
In the prior art, the data security of a service system is improved by manually modifying the functions of the service system, which is a complex approach.
Disclosure of Invention
An object of the embodiments of the present application is to provide a data transmission method and apparatus, and a readable storage medium, so as to improve security of data transmission without modifying a function of a service system.
In a first aspect, an embodiment of the present application provides a data transmission method, which is applied to a proxy server of a service system, where the service system further includes a server, and the proxy server is in communication connection with the server, and the method includes: acquiring a plurality of request data received by a plurality of interfaces of the service system; detecting whether first interfaces exist among the plurality of interfaces, wherein the first interfaces are interfaces that have the same function as one another, and the interfaces other than the first interfaces among the plurality of interfaces are second interfaces; if the first interfaces are detected, determining a target interface from the first interfaces; and sending the request data received by the target interface and the request data received by the second interfaces to the server, and blocking the request data received by the first interfaces other than the target interface.
In the embodiment of the application, compared with the prior art, a proxy server is provided. After the proxy server obtains the request data received by the plurality of interfaces, it detects whether interfaces with the same function exist among the plurality of interfaces. If such interfaces are detected, only the data received by the designated target interface among them is transmitted to the server, and the data of the other interfaces with that function is blocked. Interfaces with the same function are thereby de-duplicated, and the security of the data transmitted to the server is improved. The data of the remaining interfaces is transmitted normally, so that the normal function of the service system is ensured. The method therefore improves the security of data transmission without modifying the functions of the service system.
As a possible implementation manner, the request data includes a request identifier, and the request identifier is used for representing a function of a corresponding receiving interface; the detecting whether a first interface exists in the plurality of interfaces comprises: detecting whether the request identifications in the request data are the same request identifications; and if the same request identification is detected, determining a receiving interface corresponding to the request data corresponding to the same request identification as the first interface.
In the embodiment of the application, the effective detection of the first interface is realized through the request identifier included in the request data.
As a possible implementation manner, if the first interface is detected, determining a target interface from the first interfaces includes: acquiring preset configuration information of the first interface; the configuration information is used for representing whether the request data received by the first interface needs to be blocked or not; and determining one target interface from the first interfaces according to the configuration information.
In the embodiment of the application, whether the request data of each interface in the first interface needs to be blocked is judged according to the configuration information of the first interface, so that effective determination of a target interface is realized.
As a possible implementation manner, after the obtaining of the plurality of request data received by the plurality of interfaces of the service system, the method further includes: detecting whether a third interface exists in the plurality of interfaces; the function of the third interface is a function which needs to be eliminated by the service system; and if the third interface is detected, blocking the request data received by the third interface.
In the embodiment of the application, in addition to the duplicate removal of the interfaces with the same function, the blocking of the request of the interface with the function to be excluded can be realized by detecting the interface corresponding to the function to be excluded of the service, so that the security of data transmission is further improved.
As a possible implementation manner, the request data includes a request identifier, and the request identifier is used for representing a function of a corresponding receiving interface; the detecting whether a third interface exists in the plurality of interfaces includes: detecting whether a preset specified request identifier exists in a request identifier in each request datum; the function of the corresponding receiving interface represented by the specified request identification is a function which needs to be eliminated by the service system; and if the specified request identifier is detected, determining a receiving interface corresponding to the request data corresponding to the specified request identifier as the third interface.
In the embodiment of the application, whether the specified request identifier exists in the request data can be detected through the preset specified request identifier and the request identifier included in the request data, and if the specified request identifier exists, the interface corresponding to the corresponding request data is a functional interface to be excluded, so that effective determination of the third interface is realized.
As a possible implementation, the method further includes: and if the first interface is not detected, all the request data are sent to the server.
In the embodiment of the application, if the first interface is not detected, the request data received by the plurality of interfaces are all sent to the server, so that the normal function of the service system is ensured.
As a possible implementation, the method further includes: acquiring response data to be sent by the server; detecting whether sensitive information exists in the response data; if sensitive information exists in the response data, replacing the sensitive information to obtain desensitized response data; and sending the desensitized response data to a corresponding data receiving end.
In the embodiment of the application, for the response data to be sent by the server, the proxy server can also detect whether sensitive information exists, and if so, the response data is replaced by the proxy server and then sent to the corresponding data receiving end, so that desensitization of the response data sent outside is realized, and the safety of data transmission is further improved.
As a possible implementation manner, if there is sensitive information in the response data, replacing the sensitive information to obtain desensitized response data includes: if sensitive information exists in the response data, replacing the sensitive information through a preset algorithm to obtain desensitized response data; wherein the preset algorithm is as follows: any one of a random algorithm, a dictionary algorithm, and a reversible algorithm.
In the embodiment of the application, the sensitive information can be effectively replaced through various preset desensitization algorithms, effective desensitization of response data is realized, and the safety of data transmission is further improved.
In a second aspect, an embodiment of the present application provides a data transmission apparatus, which is applied to a proxy server of a service system, where the service system further includes a server, and the proxy server is in communication connection with the server, where the data transmission apparatus includes: functional modules for implementing the data transmission method described in the first aspect and any one of the possible implementation manners of the first aspect.
In a third aspect, an embodiment of the present application provides a readable storage medium, where a computer program is stored on the readable storage medium, and when the computer program is executed by a computer, the computer program performs the data transmission method described in the first aspect and any one of the possible implementation manners of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a service system provided in an embodiment of the present application;
Fig. 2 is a flowchart of a data transmission method according to an embodiment of the present application;
Fig. 3 is a functional structure block diagram of a data transmission device according to an embodiment of the present application.
Reference numerals: 100 - service system; 110 - client; 120 - proxy server; 130 - server; 300 - data transmission device; 310 - acquisition module; 320 - processing module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, a schematic structural diagram of a service system 100 provided in an embodiment of the present application is shown, where the service system 100 includes: client 110, proxy server 120, and server 130. Wherein the client 110 is communicatively coupled to the proxy server 120 and the server 130 is communicatively coupled to the proxy server 120.
It is understood that the client 110 and the server 130 are fixed components in the business system. The proxy server 120 is a newly added data transfer node, and the proxy server 120 may be deployed on the client 110 or on the server 130, without modifying the functions of the client 110 and the server 130, such as: the functional interface between the server 130 and the client 110 need not be modified.
In the embodiment of the present application, two kinds of data are involved, one is that the client 110 transmits request data to the server 130, and the other is that the server 130 transmits response data to the client 110. The transmission process of the two data is an independent data transmission process, that is, no specific correspondence exists between the response data and the request data.
By adopting the technical scheme of the embodiment of the application, the transmission path of the first data transmission mode is as follows: the request data transmitted by the client 110 is not directly transmitted to the server 130, and needs to be detected by the proxy server 120, and then the proxy server 120 determines whether the corresponding request data needs to be transmitted to the server 130, and if so, transmits the corresponding request data to the server 130. The transmission path of the second data transmission mode is: the response data transmitted by the server 130 is not directly transmitted to the client 110, and needs to be detected by the proxy server 120, and then the server 130 processes the response data according to the detection result and then transmits the response data, or directly transmits the response data to the client 110.
The service system 100 may be any of various service systems, for example the application system of an application program or a data processing system; this is not limited in the embodiments of the present application.
The above-mentioned building modes among the client 110, the proxy server 120 and the server 130, and the implementation modes of the client 110, the proxy server 120 and the server 130 are implemented by using techniques mature in the field, and are not described in detail in the embodiments of the present application.
Referring to fig. 2, a flowchart of a data transmission method provided in the embodiment of the present application is shown, where the data transmission method can be applied to the proxy server 120, and includes:
Step 210: acquiring a plurality of request data received by a plurality of interfaces of the service system.
Step 220: detecting whether first interfaces exist among the plurality of interfaces. The first interfaces are interfaces that have the same function as one another, and the interfaces other than the first interfaces among the plurality of interfaces are second interfaces.
Step 230: if the first interfaces are detected, determining a target interface from the first interfaces.
Step 240: sending the request data received by the target interface and the request data received by the second interfaces to the server 130, and blocking the request data received by the first interfaces other than the target interface.
In the embodiment of the application, compared with the prior art, a proxy server is provided. After the proxy server obtains the request data received by the plurality of interfaces, it detects whether interfaces with the same function exist among the plurality of interfaces. If such interfaces are detected, only the data received by the designated target interface among them is transmitted to the server, and the data of the other interfaces with that function is blocked. Interfaces with the same function are thereby de-duplicated, and the security of the data transmitted to the server is improved. The data of the remaining interfaces is transmitted normally, so that the normal function of the service system is ensured. The method therefore improves the security of data transmission without modifying the functions of the service system.
A detailed implementation of steps 210-240 is described next.
As will be understood from the foregoing application scenario, in step 210 the plurality of request data may be request data sent by the client 110. The plurality of request data includes the request data received by a plurality of interfaces, and each interface may itself receive several request data. For example: if there are 10 interfaces and each receives 2 request data, the plurality of request data in step 210 is 20 request data.
For the proxy server 120, the plurality of request data may be obtained by obtaining network traffic of the service system.
For the multiple interfaces, the functions configured by the service system 100 may be the same or different. Therefore, in step 220, the proxy server 120 detects whether first interfaces, that is, interfaces with the same function, exist among the plurality of interfaces. It is understood that there may be several groups of first interfaces, each group with its own function. For example: the proxy server 120 detects two groups of first interfaces among the plurality of interfaces, where the first group includes 5 interfaces whose function is function A, and the second group includes 3 interfaces whose function is function B.
In addition, among the plurality of interfaces, the interfaces other than the first interfaces are the second interfaces. The second interfaces are interfaces whose functions differ from one another and from the functions of the first interfaces. Continuing the example, besides the 5 first interfaces corresponding to function A and the 3 first interfaces corresponding to function B, the plurality of interfaces further includes 4 interfaces with different functions, none of which is function A or function B; these 4 interfaces are second interfaces.
As an optional implementation, step 220 includes: detecting whether the request identifications in the request data are the same request identifications; and if the same request identification is detected, determining a receiving interface corresponding to the request data corresponding to the same request identification as the first interface.
In this embodiment, before detecting whether the request identifiers are the same, the proxy server 120 may decode the request data to obtain the request identifier it contains. The decoding methods include but are not limited to: URL (Uniform Resource Locator) decoding, base64 decoding (base64 being an encoding scheme for transmitting 8-bit byte codes), etc.
After the plaintext data in the request data has been parsed out, the detection of identical request identifiers may be performed by a detection service of the proxy server 120. In the embodiment of the present application, the request identifier includes but is not limited to: the identifiers (URIs) corresponding to GET, POST, PUT, UPDATE and similar requests, where different requests correspond to different URIs. The detection service of the proxy server 120 may be an ICAP (Internet Content Adaptation Protocol) service.
As an example, if it is detected that the request identifier in the request data received by interface a and the request identifier in the request data received by interface b are both the request identifier corresponding to the GET request, interface a and interface b may be determined to be first interfaces.
If the proxy server 120 detects the first interface in step 220, a target interface is determined from the first interface in step 230. As an alternative embodiment, the steps include: acquiring preset configuration information of a first interface; the configuration information is used for representing whether the request data received by the first interface needs to be blocked or not; and determining a target interface from the first interfaces according to the configuration information.
In such an embodiment, an authorized user, for example an administrator or a developer of the service system, may preset the configuration information of each interface that shares a function. For example: the functions of interface a, interface b and interface c are all function A, and the user sets the configuration information of interface a to "no blocking required", the configuration information of interface b to "blocking required" and the configuration information of interface c to "blocking required". The target interface among interface a, interface b and interface c is then interface a.
When the configuration information is preset, how to configure each interface with the same function may be decided according to the actual application scenario. For example: the functions of interface a, interface b and interface c are all function A, but interface a has the fastest processing speed, while interface b and interface c are rarely used. From the perspective of security analysis, rarely used interfaces easily become entry points for attacks, and commonly used interfaces are better protected; thus interface b and interface c are configured as requiring blocking, while interface a is configured as not requiring blocking. This configuration is only an example; in actual applications the configuration may be chosen flexibly according to the application scenario.
The proxy server 120 may acquire a large amount of request data, and detection based on the request identifier takes the detection service some time. The proxy server 120 may therefore query the detection service for the detection result by polling, for example once every 50 ms, which helps ensure the processing efficiency of the proxy server 120.
In the embodiment of the application, whether the request data of each interface in the first interface needs to be blocked is judged according to the configuration information of the first interface, so that effective determination of a target interface is realized.
After the target interface is determined in step 230, in step 240, the request data received by the target interface and the request data received by the second interface are sent to the server 130, and the request data received by the interfaces other than the target interface in the first interface are blocked.
Step 240 amounts to releasing or blocking the request data according to the detection result. The request data of the target interface and of the second interfaces does not need to be blocked, so the corresponding request data may be transmitted to the server 130. The request data of the first interfaces other than the target interface needs to be blocked, and the ways of blocking include: not sending the request data to the server 130; or marking the request data as blocked request data and then sending it to a preset processing device that handles blocked request data; and so on.
If the first interface is not detected in step 220, that is, there is no functionally identical interface among the plurality of interfaces corresponding to the plurality of request data, in this case, the method further includes: if the first interface is not detected, all the request data are sent to the server 130. In this embodiment, all requested data is passed.
In the embodiment of the application, if the first interface is not detected, the request data received by the plurality of interfaces are all sent to the server, so that the normal function of the service system is ensured.
In the embodiment of the present application, in addition to the request data of the interfaces with the same function needing to be blocked, an isolated function interface may be configured, and the request data corresponding to the isolated function interface also needs to be blocked. Therefore, as an alternative embodiment, after step 210, the method further comprises: detecting whether a third interface exists in the plurality of interfaces; the function of the third interface is a function that needs to be excluded by the service system 100; and if the third interface is detected, blocking the request data received by the third interface.
In this embodiment, the third interface is an interface whose function needs to be excluded, i.e. an isolated function. For example: if a service system 100 does not provide the UPDATE function, an interface having the UPDATE function is a third interface.
As in the detection of the first interface, the request data may first be decoded to obtain the request identifier it contains; for this part, refer to the foregoing embodiment of the detection of the first interface. It is then detected whether a preset specified request identifier is present among the request identifiers in the request data; for the way of detecting, again refer to the detection of the first interface.
The function of the receiving interface represented by the specified request identifier is a function that the service system 100 needs to exclude. If the specified request identifier is detected, the receiving interface of the request data that carries the specified request identifier is determined to be a third interface. For example: the specified request identifier is the URI corresponding to the UPDATE request.
It is to be understood that one or more specified request identifiers may be preset, and correspondingly one or more third interfaces may finally be determined.
Further, if the third interface is detected, the request data received by the third interface is subjected to the blocking process, and the implementation of the blocking process refers to the foregoing embodiment.
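The request-side decisions of steps 220 to 240, together with the third-interface check, can be sketched as follows. This is an added example, not code from the patent: the interface names, the "METHOD path" form of the request identifier, the sample requests and the fail-closed handling of missing or ambiguous configuration are all assumptions.

```python
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import unquote


class Request(NamedTuple):
    interface: str  # receiving interface (names are constructed)
    raw_id: str     # request identifier as received, possibly URL-encoded


def decode_id(raw_id: str) -> str:
    """Recover the plaintext request identifier (URL decoding only here)."""
    return unquote(raw_id).strip()


def pick_target(interfaces, needs_blocking):
    """Return the single interface configured as 'no blocking', else None.

    Assumption: an interface missing from the configuration counts as
    'blocking required', and a configuration that leaves zero or several
    interfaces unblocked yields no target, so the whole group is blocked.
    """
    allowed = [i for i in sorted(interfaces)
               if needs_blocking.get(i, True) is False]
    return allowed[0] if len(allowed) == 1 else None


def decide(requests, needs_blocking, excluded_ids):
    """Return one (interface, verdict) pair per request, in input order."""
    decoded = [(req, decode_id(req.raw_id)) for req in requests]

    # Step 220: group the receiving interfaces by request identifier.
    # Identifiers of excluded functions are handled separately below.
    interfaces_by_id = defaultdict(set)
    for req, ident in decoded:
        if ident not in excluded_ids:
            interfaces_by_id[ident].add(req.interface)

    # Step 230: an identifier seen on several interfaces marks those
    # interfaces as first interfaces; choose their target from the config.
    targets = {
        ident: pick_target(group, needs_blocking)
        for ident, group in interfaces_by_id.items()
        if len(group) > 1
    }

    # Step 240 plus the third-interface rule: release or block each request.
    verdicts = []
    for req, ident in decoded:
        if ident in excluded_ids:
            verdict = "block: excluded function"    # third interface
        elif ident not in targets:
            verdict = "forward"                     # second interface
        elif req.interface == targets[ident]:
            verdict = "forward"                     # target interface
        else:
            verdict = "block: duplicate interface"  # other first interface
        verdicts.append((req.interface, verdict))
    return verdicts


# Constructed sample traffic: a, b and c share one function, d is unique,
# and e carries the identifier of a function the service system excludes.
SAMPLE_REQUESTS = [
    Request("a", "GET /orders"),
    Request("b", "GET%20%2Forders"),
    Request("c", "GET /orders"),
    Request("d", "POST /login"),
    Request("e", "UPDATE%20%2Frecords"),
    Request("a", "GET /orders"),
]
NEEDS_BLOCKING = {"a": False, "b": True, "c": True}
EXCLUDED_IDS = {"UPDATE /records"}

if __name__ == "__main__":
    for interface, verdict in decide(SAMPLE_REQUESTS, NEEDS_BLOCKING, EXCLUDED_IDS):
        print(interface, verdict)
```

Grouping on the decoded identifier rather than the raw bytes is what lets the URL-encoded request on interface b be recognised as a duplicate of interface a.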
Correspondingly, after the proxy server 120 sends all the request data that need not be blocked to the server 130 and the server 130 feeds back the response data, the proxy server 120 transmits the response data to the client 110 through the interface corresponding to the request data corresponding to the response data. Such as: the response data corresponding to the request data of the target interface is transmitted to the client 110 through the target interface.
The above process concerns the data transmission link from the client 110 through the proxy server 120 to the server 130. For the link from the server 130 through the proxy server 120 to the client 110, the proxy server 120 may also perform corresponding desensitization processing.
Therefore, as an optional implementation, the method further comprises: acquiring response data to be sent by the server 130; detecting whether sensitive information exists in the response data; if sensitive information exists in the response data, replacing the sensitive information to obtain desensitized response data; and sending the desensitized response data to a corresponding data receiving end.
In this embodiment of the application, for the response data to be sent by the server 130, the proxy server 120 may further detect whether sensitive information is present. If it is, the proxy server 120 replaces the sensitive information and then sends the response data to the corresponding data receiving end, so that the response data sent externally is desensitized and the security of data transmission is further improved.
The proxy server 120 serves as a transfer node between the server 130 and the client 110, and the proxy server 120 can directly obtain response data to be sent.
When detecting whether sensitive information exists in the response data, the method can be realized through a pre-configured sensitive information field. Specifically, after acquiring the response data, the proxy server 120 analyzes the response data to obtain corresponding plaintext data, and the embodiment of the analysis refers to the foregoing embodiment.
After the corresponding plaintext data is obtained, matching each field in the plaintext data with a preset sensitive information field, and if the matching is successful, judging the corresponding field as sensitive information; if the match is not successful, it is determined that there is no sensitive information in the response data.
In the embodiment of the present application, the detection of the response data can also be implemented by a pre-configured detection service, and reference is made to the description in the foregoing embodiment, and the description is not repeated here.
Correspondingly, if the response data is determined to have no sensitive information, the response data can be directly sent to the corresponding data receiving end. The corresponding data receiving end may be understood as the client 110 corresponding to the response data, and the response data may include the identifier of the corresponding client 110, and the corresponding data receiving end may be determined through the identifier.
By way of example, sensitive information includes, but is not limited to: name, identification number, address, telephone number, bank card number, custom string, mailbox address, company name, IP (Internet Protocol) address, URL address, organization code, uniform social credit code, business license number, date, zip code, hospital department, passport, etc. Such sensitive information may be the title of a page, tags, or information in a menu.
If it is determined that sensitive information exists in the response data, the sensitive information is desensitized. As an optional implementation, the desensitizing process includes: if sensitive information exists in the response data, replacing the sensitive information through a preset algorithm to obtain desensitized response data, wherein the preset algorithm is any one of a random algorithm, a dictionary algorithm, and a reversible algorithm.
Random algorithms include, but are not limited to: disorder, random number of bits, random number, random percentage, etc. For example, if the sensitive information is an identification number, disorder processing is performed on the identification number to obtain the desensitized identification number.
Dictionary algorithms include, but are not limited to: a list of strings, an array of strings, an interval dictionary, a dictionary, associated field replacements, a cross dictionary, etc. For example, assuming that the sensitive information is an identification number, the identification number is converted into a character string list to obtain the desensitized identification number.
Reversible algorithms include, but are not limited to: encryption, coded encryption, and the like. For example, assuming that the sensitive information is an identity card number, the identity card number is converted by encryption or coded encryption to obtain the desensitized identity card number.
The above algorithms are only exemplary, and in practical applications, more implementable desensitization algorithms, such as simulation algorithms, may be used to convert sensitive information into corresponding desensitization simulation information.
It should be noted that after the sensitive information is replaced to obtain desensitized response data, the relationship between the sensitive information before replacement and the desensitized sensitive information may be stored. After the client 110 receives the response data, it queries the proxy server 120 for the corresponding relationship, so that the original data can be resolved. In addition to this embodiment, it is also possible for the proxy server 120 to promptly synchronize the desensitization algorithm it employs to the client 110, and the client 110 restores the original data based on the desensitization algorithm and the desensitized response data.
In this embodiment of the application, the sensitive information may also be a file. File desensitization applies when the response data is detected to include file data and the file data is a sensitive file; in that case the proxy server 120 may desensitize the response data according to a preset file desensitization mode.
After the desensitization of the response data is completed, the proxy server 120 may send the desensitized response data to the client 110 through the corresponding interface.
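The field-matching and replacement steps described above can be sketched as follows. This is an added example, not code from the patent: the field names, the JSON response format, the dictionary values and the sample data are constructed, and the "reversible" branch uses a random token plus the stored correspondence described above instead of encryption.

```python
import hashlib
import hmac
import json
import random
import secrets

# Assumed configuration (not from the patent): preset sensitive field names,
# each mapped to the replacement algorithm applied to its values.
SENSITIVE_FIELDS = {"id_number": "random", "name": "dictionary", "phone": "reversible"}
NAME_DICTIONARY = ["Alex Chen", "Sam Lee", "Kim Park", "Jo Wang"]  # constructed values

# Constructed sample of a server response in plaintext form.
SAMPLE_RESPONSE = json.dumps({
    "client": "client-110",
    "user": {"name": "Zhang San", "id_number": "110101199001011234",
             "phone": ["13800000000", "13900000000"]},
    "total": 12,
})


class Desensitizer:
    def __init__(self, fields=None):
        self.fields = dict(SENSITIVE_FIELDS if fields is None else fields)
        self.rng = random.SystemRandom()
        self.dict_key = secrets.token_bytes(32)  # keys the dictionary selection
        self.vault = {}  # token -> original value (the stored correspondence)

    def _replace(self, algorithm, value):
        if algorithm == "random":  # disorder: shuffle the characters
            chars = list(value)
            self.rng.shuffle(chars)
            return "".join(chars)
        if algorithm == "dictionary":  # same input always maps to the same entry
            digest = hmac.new(self.dict_key, value.encode(), hashlib.sha256).digest()
            return NAME_DICTIONARY[int.from_bytes(digest[:4], "big") % len(NAME_DICTIONARY)]
        if algorithm == "reversible":  # token plus stored mapping, not encryption
            token = "tok_" + secrets.token_hex(8)
            self.vault[token] = value
            return token
        raise ValueError(f"unknown algorithm: {algorithm}")

    def _walk(self, node, path, hits, algo=None):
        # A sensitive key applies to everything nested under it, so a list or
        # object stored in a sensitive field cannot slip through unreplaced.
        if isinstance(node, dict):
            return {k: self._walk(v, f"{path}.{k}" if path else k, hits,
                                  self.fields.get(k, algo)) for k, v in node.items()}
        if isinstance(node, list):
            return [self._walk(v, f"{path}[{i}]", hits, algo) for i, v in enumerate(node)]
        if algo is None or node is None or isinstance(node, bool):
            return node
        hits.append(path)
        return self._replace(algo, str(node))

    def process(self, body):
        """Return (body to send, matched field paths) for one JSON response."""
        hits = []
        clean = self._walk(json.loads(body), "", hits)
        # No match: the response is sent on unchanged.
        return (json.dumps(clean), hits) if hits else (body, hits)

    def restore(self, token):
        """Look up the original value for a token, as a client query would."""
        return self.vault.get(token)
```

The shuffle keeps every original character, so it hides the order of an identifier's digits but not which digits it contains.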
Based on the same inventive concept, please refer to fig. 3, an embodiment of the present application further provides a data transmission apparatus 300, which includes an obtaining module 310 and a processing module 320.
The obtaining module 310 is configured to obtain a plurality of request data received by a plurality of interfaces of the business system 100. The processing module 320 is configured to: detect whether a first interface exists in the plurality of interfaces, wherein the first interface is an interface with the same function, and the interfaces other than the first interface in the plurality of interfaces are second interfaces; if the first interface is detected, determine a target interface from the first interface; and send the request data received by the target interface and the request data received by the second interface to the server 130, and block the request data received by the interfaces other than the target interface in the first interface.
In this embodiment of the application, the processing module 320 is specifically configured to: detect whether the request identifiers in the request data are the same request identifier; and if the same request identifier is detected, determine the receiving interface corresponding to the request data corresponding to the same request identifier as the first interface.
In this embodiment of the application, the processing module 320 is further specifically configured to: acquire preset configuration information of the first interface, the configuration information being used to represent whether the request data received by the first interface needs to be blocked; and determine one target interface from the first interfaces according to the configuration information.
In this embodiment of the application, the processing module 320 is further configured to: detect whether a third interface exists in the plurality of interfaces, the function of the third interface being a function that the service system needs to eliminate; and if the third interface is detected, block the request data received by the third interface.
In this embodiment of the application, the processing module 320 is further specifically configured to: detect whether a preset specified request identifier exists among the request identifiers in the request data, the function of the corresponding receiving interface represented by the specified request identifier being a function that the service system needs to eliminate; and if the specified request identifier is detected, determine the receiving interface corresponding to the request data corresponding to the specified request identifier as the third interface.
In this embodiment of the application, the processing module 320 is further configured to send all the request data to the server 130 if the first interface is not detected.
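The request handling of the processing module 320 can be sketched as below. This is an added example, not code from the patent: the interface paths, request identifiers and configuration values are hypothetical, and treating an interface with no configuration entry as blocked is an assumption made here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    interface: str   # receiving interface (hypothetical path)
    request_id: str  # request identifier: names the function of that interface
    payload: str


# Assumed configuration, constructed for this example.
ELIMINATED_IDS = {"legacy_export"}       # preset specified request identifiers
BLOCK_CONFIG = {"/api/v1/login": True,   # True: request data must be blocked
                "/api/v2/login": False}

# Constructed batch of request data as seen by the proxy server.
SAMPLE_REQUESTS = [
    Request("/api/v1/login", "login", "user=a"),
    Request("/api/v2/login", "login", "user=b"),
    Request("/api/orders", "orders", "id=7"),
    Request("/api/old/export", "legacy_export", "all"),
    Request("/api/v1/login", "login", "user=c"),
]


def route(requests, eliminated=ELIMINATED_IDS, block_config=BLOCK_CONFIG):
    """Return (forward, blocked, targets) for one batch of request data."""
    groups = defaultdict(list)  # request_id -> receiving interfaces, first-seen order
    for req in requests:
        if req.interface not in groups[req.request_id]:
            groups[req.request_id].append(req.interface)

    allowed, targets = set(), {}
    for request_id, interfaces in groups.items():
        if request_id in eliminated:
            continue  # third interface: function being eliminated, block it
        if len(interfaces) == 1:
            allowed.add((interfaces[0], request_id))  # second interface
            continue
        # First interfaces: several interfaces share one function. Keep the
        # first one configured as "do not block". An interface without a
        # configuration entry counts as blocked (assumption), so a missing
        # entry cannot leave a duplicate entry point open.
        keep = [i for i in interfaces if block_config.get(i, True) is False]
        if keep:
            targets[request_id] = keep[0]
            allowed.add((keep[0], request_id))

    forward = [r for r in requests if (r.interface, r.request_id) in allowed]
    blocked = [r for r in requests if (r.interface, r.request_id) not in allowed]
    return forward, blocked, targets
```

With the sample batch, only the `/api/v2/login` and `/api/orders` requests reach the server; a batch without duplicated or eliminated identifiers is forwarded whole.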
In this embodiment of the present application, the obtaining module 310 is further configured to acquire response data to be sent by the server 130; the processing module 320 is further configured to: detect whether sensitive information exists in the response data; if sensitive information exists in the response data, replace the sensitive information to obtain desensitized response data; and send the desensitized response data to a corresponding data receiving end.
In this embodiment of the application, the processing module 320 is specifically configured to: if sensitive information exists in the response data, replace the sensitive information through a preset algorithm to obtain desensitized response data, wherein the preset algorithm is any one of a random algorithm, a dictionary algorithm, and a reversible algorithm.
The data transmission apparatus 300 corresponds to the data transmission method in the foregoing embodiment, and the implementation of each module thereof may refer to the implementation of each step of the data transmission method in the foregoing embodiment, which is not described herein again.
Based on the same inventive concept, embodiments of the present application further provide a readable storage medium, where a computer program is stored on the readable storage medium, and when the computer program is executed by a computer, the data transmission method according to the embodiments of the present application is executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A data transmission method, applied to a proxy server of a service system, wherein the service system further includes a server, and the proxy server is in communication connection with the server, and the method includes:
acquiring a plurality of request data received by a plurality of interfaces of the service system;
detecting whether a first interface exists in the plurality of interfaces, wherein the first interface is an interface with the same function, and the interfaces except the first interface in the plurality of interfaces are second interfaces;
if the first interface is detected, determining a target interface from the first interface;
and sending the request data received by the target interface and the request data received by the second interface to the server, and blocking the request data received by the interfaces except the target interface in the first interface.
2. The method according to claim 1, wherein the request data includes a request identifier, and the request identifier is used for representing a function of a corresponding receiving interface; the detecting whether a first interface exists in the plurality of interfaces comprises:
detecting whether the request identifications in the request data are the same request identifications;
and if the same request identification is detected, determining a receiving interface corresponding to the request data corresponding to the same request identification as the first interface.
3. The method of claim 1, wherein determining a target interface from the first interfaces if the first interfaces are detected comprises:
acquiring preset configuration information of the first interface; the configuration information is used for representing whether the request data received by the first interface needs to be blocked or not;
and determining one target interface from the first interfaces according to the configuration information.
4. The method of claim 1, wherein after the obtaining a plurality of request data received by a plurality of interfaces of the business system, the method further comprises:
detecting whether a third interface exists in the plurality of interfaces; the function of the third interface is a function which needs to be eliminated by the service system;
and if the third interface is detected, blocking the request data received by the third interface.
5. The method according to claim 4, wherein the request data includes a request identifier, and the request identifier is used for representing a function of a corresponding receiving interface; the detecting whether a third interface exists in the plurality of interfaces includes:
detecting whether a preset specified request identifier exists in a request identifier in each request datum; the function of the corresponding receiving interface represented by the specified request identification is a function which needs to be eliminated by the service system;
and if the specified request identifier is detected, determining a receiving interface corresponding to the request data corresponding to the specified request identifier as the third interface.
6. The method of claim 1, further comprising:
and if the first interface is not detected, all the request data are sent to the server.
7. The method of claim 1, further comprising:
acquiring response data to be sent by the server;
detecting whether sensitive information exists in the response data;
if sensitive information exists in the response data, replacing the sensitive information to obtain desensitized response data;
and sending the desensitized response data to a corresponding data receiving end.
8. The method of claim 7, wherein if sensitive information exists in the response data, replacing the sensitive information to obtain desensitized response data comprises:
if sensitive information exists in the response data, replacing the sensitive information through a preset algorithm to obtain desensitized response data; wherein the preset algorithm is as follows: any one of a random algorithm, a dictionary algorithm, and a reversible algorithm.
9. A data transmission apparatus, applied to a proxy server of a service system, the service system further including a server, the proxy server being communicatively connected to the server, the apparatus comprising:
the acquisition module is used for acquiring a plurality of request data received by a plurality of interfaces of the service system;
a processing module to:
detecting whether a first interface exists in the plurality of interfaces, wherein the first interface is an interface with the same function, and the interfaces except the first interface in the plurality of interfaces are second interfaces;
if the first interface is detected, determining a target interface from the first interface;
and sending the request data received by the target interface and the request data received by the second interface to the server, and blocking the request data received by the interfaces except the target interface in the first interface.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a computer program which, when executed by a computer, performs the data transmission method according to any one of claims 1 to 8.
CN202011643353.5A 2020-12-30 2020-12-30 Data transmission method and device and readable storage medium Active CN112839083B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011643353.5A CN112839083B (en) 2020-12-30 2020-12-30 Data transmission method and device and readable storage medium

Publications (2)

Publication Number Publication Date
CN112839083A true CN112839083A (en) 2021-05-25
CN112839083B CN112839083B (en) 2022-07-12

Family

ID=75927127

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011643353.5A Active CN112839083B (en) 2020-12-30 2020-12-30 Data transmission method and device and readable storage medium

Country Status (1)

Country Link
CN (1) CN112839083B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113434740A (en) * 2021-06-22 2021-09-24 中国平安人寿保险股份有限公司 Sensitive information monitoring method and device, terminal equipment and storage medium
CN113794735A (en) * 2021-09-29 2021-12-14 北京雅丁信息技术有限公司 Sensitive data security protection method under SAAS system scene
CN113938524A (en) * 2021-12-17 2022-01-14 杭州海康威视数字技术股份有限公司 Method and system for monitoring sensitive information leakage of Internet of things terminal based on flow agent
CN113992345A (en) * 2021-09-13 2022-01-28 百度在线网络技术(北京)有限公司 Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium
CN114726605A (en) * 2022-03-30 2022-07-08 医渡云(北京)技术有限公司 Sensitive data filtering method, device and system and computer equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101146205A (en) * 2006-09-15 2008-03-19 中兴通讯股份有限公司 Content distribution policy processing method for interactive network TV
CN103294551A (en) * 2013-06-05 2013-09-11 上海西本网络科技有限公司 Interface call management method and server
CN107766088A (en) * 2017-09-27 2018-03-06 努比亚技术有限公司 Interface optimization method, system and computer-readable recording medium
US20180196647A1 (en) * 2017-01-09 2018-07-12 International Business Machines Corporation Application Programming Interface Discovery Using Pattern Recognition
CN109842610A (en) * 2018-12-13 2019-06-04 平安科技(深圳)有限公司 Interface requests processing method, device, computer equipment and storage medium
CN110895544A (en) * 2018-08-24 2020-03-20 北京国双科技有限公司 Interface data processing method, device, system and storage medium

Also Published As

Publication number Publication date
CN112839083B (en) 2022-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant