CN113158242A - Method and system for preventing sensitive data of database from being leaked - Google Patents
- Publication number
- CN113158242A
- Authority
- CN
- China
- Prior art keywords
- access
- server
- data
- database
- authority
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
Abstract
The invention belongs to the technical field of sensitive data protection and discloses a method and a system for preventing sensitive data of a database from being leaked. The method comprises the following steps: S1, receiving a data access request sent by a first access terminal; S2, judging whether the data access request contains an expected access position; if yes, proceeding to step S3; otherwise, proceeding to step S4; S3, identifying a first access right of the first access terminal; S4, judging whether the expected access position matches the first access right; if yes, proceeding to step S5; otherwise, proceeding to step S6; S5, performing data access according to the expected access position; S6, executing an abnormal access alarm, blocking the access and clearing the first access right of the first access terminal. In summary, data access is performed as fixed-point access, and the expected access position is compared with the access right of the access terminal to determine whether the access is abnormal, so that leakage of sensitive data can be effectively avoided.
Description
Technical Field
The invention belongs to the technical field of sensitive data protection, and particularly relates to a method and a system for preventing sensitive data of a database from being leaked.
Background
With the rapid development and popularization of the internet and the mobile internet, internet applications have become a main means for individuals, enterprises, government departments and others to obtain and publish information. As a result, the volume of data in internet databases keeps growing, and more and more of that data is sensitive, such as personal identification cards, bank card numbers, personal home addresses, telephone numbers and mobile geographic tracks.
At present, to ensure data security between terminal devices and an internet database, internet operators control terminal access to the database through a unified security management platform, which verifies the identity of a terminal device by means of a verification key. However, this approach still has certain security problems. For example, when a user's terminal device is stolen, the thief can view sensitive data in the database through the terminal, so the sensitive data is leaked.
Disclosure of Invention
In view of the above, it is an object of the present invention to provide a method and system for preventing leakage of sensitive data in a database.
In order to achieve the purpose, the invention provides the following technical scheme:
A method for preventing sensitive data of a database from being leaked involves an access terminal and a server that are communicably connected, wherein the server is provided with a database comprising a plurality of sub-libraries, and the sub-libraries are used for hierarchically storing the sensitive data. The method comprises the following steps:
S1, receiving, at the server, a data access request sent by a first access terminal;
S2, judging whether the data access request contains an expected access position; if yes, proceeding to step S3; otherwise, proceeding to step S4;
S3, identifying a first access right of the first access terminal;
S4, judging whether the expected access position matches the first access right; if yes, proceeding to step S5; otherwise, proceeding to step S6;
S5, performing data access according to the expected access position;
S6, executing an abnormal access alarm, blocking the access and clearing the first access right of the first access terminal.
Preferably, before receiving the data access request, the method further comprises hierarchically storing the sensitive data:
marking the sensitivity levels of the plurality of sub-libraries of the database;
identifying the sensitivity level of target data to be stored, and storing the target data in the corresponding sub-library according to the sensitivity level.
Preferably, the sensitivity level label of each sub-library is an integer range between 0% and 100%, and the sensitivity level labels of the sub-libraries differ from one another.
Further, identifying the sensitivity level of the target data to be stored comprises:
obtaining the sensitive information in the target data;
calculating the proportion of the sensitive information in the total information of the target data, and determining the sensitivity level of the target data according to the proportion.
Preferably, before receiving the data access request, the method further comprises setting the first access right of the first access terminal:
receiving a right setting request sent by the first access terminal, wherein the right setting request comprises identity information of the first access terminal and the target right expected to be set;
acquiring all second access terminals that currently have the target right;
sending the right setting request to all the second access terminals;
receiving the request feedback of all the second access terminals, and executing the right setting operation according to the request feedback.
Specifically, when the request feedback of all the second access terminals is approval, the target right is set as the first access right of the first access terminal; when the request feedback of at least one second access terminal is rejection, the right setting request of the first access terminal is rejected.
Preferably, the access rights include at least a viewing right and a downloading right, and: when the expected access position matches only the viewing right, a first access page in the expected access position is entered; when the expected access position matches both the viewing right and the downloading right, a second access page in the expected access position is entered.
A system for preventing sensitive data of a database from being leaked involves an access terminal and a server that are communicably connected, wherein the server is provided with a database comprising a plurality of sub-libraries, and the sub-libraries are used for hierarchically storing the sensitive data. The system comprises:
a first receiving module, arranged in the server and used for receiving a data access request sent by a first access terminal;
a first analysis module, arranged in the server and used for parsing the expected access position of the first access terminal from the data access request received by the first receiving module;
an identification module, arranged in the server and used for identifying the first access right of the first access terminal;
a judgment module, arranged in the server and used for judging whether the expected access position matches the first access right;
a first execution module, arranged in the server and used for executing an alarm or the access according to the analysis result of the first analysis module or the judgment result of the judgment module.
Preferably, the system further comprises:
a marking module, arranged in the server and used for marking the sensitivity levels of the plurality of sub-libraries of the database;
a calculation module, arranged in the server and used for calculating the sensitivity level of each item of stored data in the database;
a hierarchical storage module, arranged in the server and used for hierarchically storing each item of stored data in the corresponding sub-library according to the calculation result of the calculation module.
Preferably, the system further comprises:
a second receiving module, arranged in the server and used for receiving the right setting request sent by the first access terminal, and also used for receiving the request feedback of all second access terminals;
a second analysis module, arranged in the server and used for parsing, from the right setting request received by the second receiving module, the target right that the first access terminal expects to set;
an acquisition module, arranged in the server and used for acquiring all second access terminals that currently have the target right;
a sending module, arranged in the server and used for sending the right setting request to all the second access terminals;
a second execution module, arranged in the server and used for executing the right setting operation according to the request feedback received by the second receiving module.
Compared with the prior art, the invention has the following beneficial effects:
With the method and the system for preventing sensitive data of a database from being leaked, the sensitive data is hierarchically stored in a plurality of sub-libraries of the database, and fixed-point access is performed during data access. Whether an access is abnormal is judged by comparing the expected access position with the access right of the access terminal, and an alarm is raised in time when the access is abnormal, so that leakage of sensitive data can be effectively avoided.
In addition, in the invention, when the target access right of an access terminal is being set, the consent of the other access terminals that already hold the target access right must be obtained, which further improves the data access security of the whole database and the leakage-prevention effect for sensitive data.
Drawings
FIG. 1 is a flow chart of a method for preventing leakage of sensitive data in a database according to the present invention;
FIG. 2 is a block diagram of a system for preventing leakage of sensitive data in a database according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the present invention, particularly, the access terminal 100 and the server 200 are communicably connected, and the server 200 is provided with a database including a plurality of sub-libraries for hierarchically storing sensitive data. The following embodiments are provided for secure storage and access of sensitive data in the database.
Example one
Referring to FIG. 1, an embodiment of the present invention provides a method for preventing leakage of sensitive data in a database, and the method includes the following steps:
S1, receiving, at the server, a data access request sent by a first access terminal;
S2, judging whether the data access request contains an expected access position; if yes, proceeding to step S3; otherwise, proceeding to step S4. Specifically, the expected access position is the sub-library that the first access terminal expects to access;
S3, identifying a first access right of the first access terminal. Specifically, the first access right is the sub-library that the first access terminal can access under its current right;
S4, judging whether the expected access position matches the first access right; if yes, proceeding to step S5; otherwise, proceeding to step S6;
S5, performing data access according to the expected access position;
S6, executing an abnormal access alarm, blocking the access and clearing the first access right of the first access terminal. Based on the method, once the first access terminal performs an abnormal access, it cannot perform access again, which effectively improves the access security of the whole database. In addition, if the abnormal access resulted from a mistaken operation, access can be restored through the access right setting procedure.
Specifically, the access right setting should be performed before the server receives the data access request. Taking the setting of the first access right of the first access terminal as an example:
receiving a right setting request sent by the first access terminal, wherein the right setting request comprises identity information of the first access terminal and the target right expected to be set;
acquiring all second access terminals that currently have the target right;
sending the right setting request to all the second access terminals;
receiving the request feedback of all the second access terminals: when the request feedback of all the second access terminals is approval, setting the target right as the first access right of the first access terminal; when the request feedback of at least one second access terminal is rejection, rejecting the right setting request of the first access terminal.
It is worth mentioning that the access rights include at least a viewing right and a downloading right. When the expected access position matches only the viewing right, a first access page in the expected access position is entered (in the first access page, the accessed data is in a non-downloadable state); when the expected access position matches both the viewing right and the downloading right, a second access page in the expected access position is entered (in the second access page, the accessed data is in a downloadable state).
In this embodiment, before receiving the data access request, the method further includes hierarchically storing the sensitive data:
Marking the sensitivity levels of the plurality of sub-libraries of the database. Specifically, the sensitivity level label of each sub-library is an integer range between 0% and 100%, and the sensitivity level labels of the sub-libraries differ from one another. Assuming that the database contains 5 sub-libraries, their sensitivity levels can be labeled 0%-20% (primary), 20%-40% (secondary), 40%-60% (tertiary), 60%-80% (quaternary) and 80%-100% (quinary), respectively.
Acquiring the sensitive information in the target data to be stored, calculating the proportion of the sensitive information in the total information of the target data, and determining the sensitivity level of the target data according to the proportion. Specifically: when the target data is a document, the total information of the target data is all characters contained in the whole document, the sensitive information is the sensitive characters in the whole document, and the sensitivity level of the target data is calculated as: number of sensitive characters / number of total characters. When the target data is a picture, the total information of the target data is all images contained in the whole picture, the sensitive information is the sensitive image in the whole picture, and the sensitivity level of the target data is calculated as: sensitive image area / total image number.
Storing the target data in the corresponding sub-library according to the sensitivity level.
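The document case of the hierarchical storage steps above, as an added example that is not part of the patent text. The regular-expression detectors, the half-open tier boundaries (a ratio of exactly 20% goes to the more sensitive secondary sub-library) and the sample strings are assumptions made for this sketch; the patent does not say how sensitive characters are found or how boundary values are assigned.

```python
import re
from dataclasses import dataclass

# Assumed detectors: the patent does not specify how sensitive characters are
# identified. These patterns cover three data types its background section names.
PATTERNS = {
    "id_card": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),
    "mobile": re.compile(r"(?<!\d)1\d{10}(?!\d)"),
}


@dataclass(frozen=True)
class SubLibrary:
    level: int    # 1 = primary ... 5 = quinary
    low: float    # lower bound in percent, inclusive (assumption)
    high: float   # upper bound in percent, exclusive except for the top tier


# The five ranges given in the embodiment: 0-20, 20-40, 40-60, 60-80, 80-100.
SUB_LIBRARIES = [SubLibrary(i + 1, 20 * i, 20 * (i + 1)) for i in range(5)]


def sensitive_spans(text):
    """Return merged (start, end) spans so overlapping matches count once."""
    spans = sorted(m.span() for p in PATTERNS.values() for m in p.finditer(text))
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def sensitivity_percent(text):
    """Number of sensitive characters / number of total characters, in percent."""
    if not text:
        return 0.0  # an empty document has nothing sensitive in it
    sensitive = sum(end - start for start, end in sensitive_spans(text))
    return 100.0 * sensitive / len(text)


def assign_sub_library(percent):
    """Map a ratio to a sub-library; shared boundaries go to the higher tier."""
    if not 0.0 <= percent <= 100.0:
        raise ValueError("sensitivity must be between 0 and 100 percent")
    for lib in SUB_LIBRARIES:
        if lib.low <= percent < lib.high:
            return lib
    return SUB_LIBRARIES[-1]  # exactly 100%


def classify(text):
    return assign_sub_library(sensitivity_percent(text))


if __name__ == "__main__":
    # Constructed sample documents, not real personal data.
    samples = [
        "x" * 72 + "11010519491231002X",  # 18 of 90 characters -> 20%
        "x" * 15 + "13800138000",         # 11 of 26 characters -> about 42%
        "meeting notes without identifiers",
    ]
    for doc in samples:
        print(f"{sensitivity_percent(doc):6.2f}% -> level {classify(doc).level}")
```

An 18-digit identifier matches both the ID-card and the bank-card pattern, which is why the spans are merged before counting; without that step the ratio could exceed 100%.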
As can be seen from the above, the expected access position is any one of the first-level to fifth-level sub-libraries, and the first access right is also any one of the first-level to fifth-level sub-libraries. Specifically: when the expected access position is the third-level sub-library and the first access right is the second-level sub-library, the expected access position does not match the first access right; when the expected access position is the third-level sub-library and the first access right is the third-level sub-library, the expected access position matches the first access right.
In addition, when the first access right is the third-level sub-library, after data access is performed according to the expected access position, the first-level and second-level sub-libraries may be accessed freely, but the fourth-level and fifth-level sub-libraries may not be accessed. Therefore, when an access terminal whose access right is the third-level sub-library accesses the database, it sends the server a data access request containing the third-level sub-library as the expected access position, which serves as an access verification step; after verification is completed, it can access the first-level, second-level and third-level sub-libraries accordingly.
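A sketch of steps S1 to S6 together with the unanimous-approval right setting, as an added example that is not part of the patent text. The class and method names, the `ask` callback and the terminal ids are hypothetical, and terminal ids are assumed to be already authenticated. Three behaviours are assumptions the patent does not spell out: a request without an expected position fails the match in S4 and ends in S6, a missing reply counts as rejection, and a request for a right that no other terminal currently holds is rejected rather than approved by an empty vote.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    level: int              # sub-library level the terminal is cleared for (1..5)
    download: bool = False  # viewing is implied by the grant; download is extra


class AccessGate:
    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}   # terminal id -> current access right
        self.verified: Dict[str, int] = {}   # terminal id -> level verified in S5
        self.alerts: List[str] = []

    # ---- data access path ----
    def request_access(self, terminal: str, expected_level: Optional[int]) -> str:
        """S1: handle one data access request and return the resulting page."""
        grant = self.grants.get(terminal)                        # S3
        if (expected_level is None or grant is None
                or expected_level != grant.level):               # S2 / S4
            return self._abnormal(terminal, expected_level)      # S6
        self.verified[terminal] = grant.level                    # S5
        return "second_page" if grant.download else "first_page"

    def _abnormal(self, terminal: str, expected_level: Optional[int]) -> str:
        """S6: alarm, block the access and clear the terminal's right."""
        self.alerts.append(f"abnormal access terminal={terminal} "
                           f"expected={expected_level}")
        self.grants.pop(terminal, None)
        self.verified.pop(terminal, None)
        return "blocked"

    def may_read(self, terminal: str, level: int) -> bool:
        """After verification, the verified level and every lower level are readable."""
        top = self.verified.get(terminal)
        return top is not None and 1 <= level <= top

    # ---- right setting path ----
    def holders_of(self, target: Grant, exclude: str) -> List[str]:
        """Second access terminals: everyone else who already holds the target right."""
        return sorted(t for t, g in self.grants.items()
                      if t != exclude and g.level == target.level
                      and (g.download or not target.download))

    def set_permission(self, requester: str, target: Grant,
                       ask: Callable[[str, str, Grant], Optional[bool]]) -> bool:
        holders = self.holders_of(target, exclude=requester)
        if not holders:
            return False  # fail closed: all() over an empty vote would approve
        replies = {h: ask(h, requester, target) for h in holders}
        if all(reply is True for reply in replies.values()):
            self.grants[requester] = target
            self.verified.pop(requester, None)  # force a fresh S1..S5 check
            return True
        return False  # one rejection or one missing reply rejects the request
```

With constructed grants A (level 3, view only), B (level 3, with download) and C (level 2), a request from C naming level 3 ends in S6 and removes C's grant, after which C can only return through `set_permission` with approval from every current level-3 holder.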
Example two
Referring to fig. 2, an embodiment of the present invention provides a system for preventing leakage of sensitive data in a database, and the system includes:
a first receiving module 210, arranged in the server 200 and used for receiving a data access request sent by the first access terminal 100;
a first analysis module 211, arranged in the server 200 and used for parsing the expected access position of the first access terminal 100 from the data access request received by the first receiving module 210;
an identification module 212, arranged in the server 200 and used for identifying the first access right of the first access terminal 100;
a judgment module 213, arranged in the server 200 and used for judging whether the expected access position matches the first access right;
a first execution module 214, arranged in the server 200 and used for executing an alarm or the access according to the analysis result of the first analysis module 211 or the judgment result of the judgment module 213.
Further, the system further comprises:
a marking module 215, arranged in the server 200 and used for marking the sensitivity levels of the plurality of sub-libraries of the database;
a calculation module 216, arranged in the server 200 and used for calculating the sensitivity level of each item of stored data in the database;
a hierarchical storage module 217, arranged in the server 200 and used for hierarchically storing each item of stored data in the corresponding sub-library according to the calculation result of the calculation module 216.
Further, the system further comprises:
a second receiving module 218, arranged in the server 200 and used for receiving the right setting request sent by the first access terminal 100, and also used for receiving the request feedback of all the second access terminals 100;
a second analysis module 219, arranged in the server 200 and used for parsing, from the right setting request received by the second receiving module 218, the target right that the first access terminal 100 expects to set;
an acquisition module 220, arranged in the server 200 and used for acquiring all second access terminals 100 that currently have the target right;
a sending module 221, arranged in the server 200 and used for sending the right setting request to all the second access terminals 100;
a second execution module 222, arranged in the server 200 and used for executing the right setting operation according to the request feedback received by the second receiving module 218.
In summary, in the present embodiment, the system for preventing the sensitive data of the database from leaking is implemented by the method disclosed in the first embodiment.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (10)
1. A method for preventing sensitive data of a database from being leaked, involving an access terminal and a server that are communicably connected, wherein the server is provided with a database comprising a plurality of sub-libraries, and the sub-libraries are used for hierarchically storing the sensitive data; the method comprises the following steps:
S1, receiving, at the server, a data access request sent by a first access terminal;
S2, judging whether the data access request contains an expected access position; if yes, proceeding to step S3; otherwise, proceeding to step S4;
S3, identifying a first access right of the first access terminal;
S4, judging whether the expected access position matches the first access right; if yes, proceeding to step S5; otherwise, proceeding to step S6;
S5, performing data access according to the expected access position;
S6, executing an abnormal access alarm, blocking the access and clearing the first access right of the first access terminal.
2. The method for preventing the leakage of the sensitive data of the database according to claim 1, further comprising, before receiving the data access request, hierarchically storing the sensitive data:
marking the sensitivity levels of the plurality of sub-libraries of the database;
identifying the sensitivity level of target data to be stored, and storing the target data in the corresponding sub-library according to the sensitivity level.
3. The method for preventing leakage of database sensitive data according to claim 2, wherein: the sensitivity level label of each sub-library is an integer range between 0% and 100%, and the sensitivity level labels of the sub-libraries differ from one another.
4. The method for preventing the leakage of the sensitive data of the database according to claim 3, wherein identifying the sensitivity level of the target data to be stored comprises:
obtaining the sensitive information in the target data;
calculating the proportion of the sensitive information in the total information of the target data, and determining the sensitivity level of the target data according to the proportion.
5. The method for preventing the leakage of the sensitive data of the database according to claim 1, further comprising, before receiving the data access request, setting the first access right of the first access terminal:
receiving a right setting request sent by the first access terminal, wherein the right setting request comprises identity information of the first access terminal and the target right expected to be set;
acquiring all second access terminals that currently have the target right;
sending the right setting request to all the second access terminals;
receiving the request feedback of all the second access terminals, and executing the right setting operation according to the request feedback.
6. The method for preventing leakage of database sensitive data according to claim 6, wherein: when the request feedback of all the second access terminals is approval, the target right is set as the first access right of the first access terminal; when the request feedback of at least one second access terminal is rejection, the right setting request of the first access terminal is rejected.
7. The method for preventing the leakage of the sensitive data of the database according to claim 6, wherein the access rights include at least a viewing right and a downloading right, and: when the expected access position matches only the viewing right, a first access page in the expected access position is entered; when the expected access position matches both the viewing right and the downloading right, a second access page in the expected access position is entered.
8. A system for preventing sensitive data of a database from being leaked, involving an access terminal and a server that are communicably connected, wherein the server is provided with a database comprising a plurality of sub-libraries, and the sub-libraries are used for hierarchically storing the sensitive data; the system comprises:
a first receiving module, arranged in the server and used for receiving a data access request sent by a first access terminal;
a first analysis module, arranged in the server and used for parsing the expected access position of the first access terminal from the data access request received by the first receiving module;
an identification module, arranged in the server and used for identifying the first access right of the first access terminal;
a judgment module, arranged in the server and used for judging whether the expected access position matches the first access right;
a first execution module, arranged in the server and used for executing an alarm or the access according to the analysis result of the first analysis module or the judgment result of the judgment module.
9. The system for preventing leakage of database sensitive data according to claim 8, further comprising:
a marking module, arranged in the server and used for marking the sensitivity levels of the plurality of sub-libraries of the database;
a calculation module, arranged in the server and used for calculating the sensitivity level of each item of stored data in the database;
a hierarchical storage module, arranged in the server and used for hierarchically storing each item of stored data in the corresponding sub-library according to the calculation result of the calculation module.
10. The system for preventing leakage of database sensitive data according to claim 8, further comprising:
a second receiving module, arranged in the server and used for receiving the right setting request sent by the first access terminal, and also used for receiving the request feedback of all second access terminals;
a second analysis module, arranged in the server and used for parsing, from the right setting request received by the second receiving module, the target right that the first access terminal expects to set;
an acquisition module, arranged in the server and used for acquiring all second access terminals that currently have the target right;
a sending module, arranged in the server and used for sending the right setting request to all the second access terminals;
a second execution module, arranged in the server and used for executing the right setting operation according to the request feedback received by the second receiving module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110405807.3A CN113158242A (en) | 2021-04-15 | 2021-04-15 | Method and system for preventing sensitive data of database from being leaked |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110405807.3A CN113158242A (en) | 2021-04-15 | 2021-04-15 | Method and system for preventing sensitive data of database from being leaked |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113158242A (en) | 2021-07-23 |
Family
ID=76867460
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110405807.3A Withdrawn CN113158242A (en) | 2021-04-15 | 2021-04-15 | Method and system for preventing sensitive data of database from being leaked |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WW01 | Invention patent application withdrawn after publication | Application publication date: 20210723 |