CN113238816A - Assembly for data desensitization - Google Patents


Publication number: CN113238816A
Authority: CN (China)
Prior art keywords: desensitization, data, algorithm, strategy, user
Legal status: Pending
Application number: CN202110533419.3A
Other languages: Chinese (zh)
Inventor: 罗广汉
Current Assignee: Shanghai Zhongtongji Network Technology Co Ltd
Original Assignee: Shanghai Zhongtongji Network Technology Co Ltd
Application filed by Shanghai Zhongtongji Network Technology Co Ltd
Priority to CN202110533419.3A
Publication of CN113238816A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G06F9/44526 Plug-ins; Add-ons
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an assembly for data desensitization, comprising: an access configuration layer, used for configuring a data desensitization strategy and a desensitization algorithm according to an external service system and for completing authentication of the service system; an adaptation layer, used for adapting the data desensitization strategy and the desensitization algorithm to the database and development framework corresponding to the service system; a conversion layer, used for determining an original query result according to a user's query request and performing desensitization processing on the original query result according to the data desensitization strategy and the desensitization algorithm; and an output layer, used for outputting the desensitization processing result. The component can be connected flexibly to different systems without development work: a system can integrate and use it through simple configuration, the business code is not intruded upon, and the component adapts to various development frameworks, so it is integrated once and used everywhere, which improves working efficiency. The invention adopts a modular design, so the desensitization implementation is loosely coupled to the system's database and development framework, easy to extend and highly reusable.

Description

Assembly for data desensitization
Technical Field
The invention relates to the technical field of data desensitization processing, in particular to an assembly for data desensitization.
Background
With the development of the information age, the volume of information data has grown explosively and data security has become more and more important. Where sensitive information such as user privacy and company confidential data is involved, the data needs to be desensitized so that sensitive private data is reliably protected. Common desensitization methods currently use virtual numbers, virtual nicknames, or special characters in place of keywords, etc. Data desensitization is not only a matter of what is presented to users; the ways in which technical staff can obtain information also have to be considered, so DB (Database) data, log data, remote calls between services and similar paths should all ensure that sensitive information is not exposed. At present, different systems have different desensitization implementations, and different frameworks also need desensitization implementations developed separately. Existing implementations perform desensitization directly in business code, which leads to a large amount of repeated work and low development efficiency. The resulting desensitization implementation is tightly coupled to the database and development framework used by the system, its reusability and portability are poor, and it cannot be connected flexibly to different systems.
Disclosure of Invention
In view of the above, it is an object of the present invention to overcome the deficiencies of the prior art and to provide an assembly for data desensitization.
In order to achieve the purpose, the invention adopts the following technical scheme: an assembly for data desensitization, comprising:
the access configuration layer is used for configuring a data desensitization strategy and a desensitization algorithm according to an external service system and completing authentication of the service system;
the adaptation layer is used for adapting the data desensitization strategy and the desensitization algorithm to a database and development framework corresponding to the business system;
the conversion layer is used for determining an original query result according to a query request of a user and performing desensitization processing on the original query result according to the data desensitization strategy and the desensitization algorithm to obtain a desensitization processing result;
and the output layer is used for outputting the desensitization processing result to an external service system.
Optionally, the data desensitization policy includes: a specified desensitization field, a sensitive word library, a sensitive word detection algorithm, and the structure and distribution rule of the data after desensitization.
Optionally, the desensitization field includes at least one of:
identity card number, bank card number and mobile phone number.
Optionally, the desensitization algorithm includes: hash desensitization, mask desensitization, replacement desensitization, transform desensitization, encryption desensitization, and shuffle desensitization.
Optionally, the development framework comprises at least one of:
MVC, RPC, ORM, LOG;
the adaptation layer includes: generic adapters for the MVC, RPC, ORM and LOG frameworks.
Optionally, the determining an original query result according to a query request of a user, and performing desensitization processing on the original query result according to the data desensitization policy and the desensitization algorithm includes:
according to the query request, finding an original query result in a database corresponding to the service system;
judging whether a desensitization field exists in the original query result according to the data desensitization strategy;
when a desensitization field exists in the original query result, desensitization processing is carried out on the desensitization field by using the desensitization algorithm so that the processed desensitization data conform to a data structure and distribution rule specified in the data desensitization strategy.
Optionally, the assembly further comprises:
a user-defined plug-in, used for customizing the desensitization rule according to the user requirement when the user-defined function is opened.
Optionally, the customizing plug-in customizes the desensitization rule according to the user requirement, including:
and dynamically adjusting a data desensitization strategy and a desensitization algorithm according to the user requirements.
With the above technical scheme, the component for data desensitization comprises: an access configuration layer, used for configuring a data desensitization strategy and a desensitization algorithm according to an external service system and for completing authentication of the service system; an adaptation layer, used for adapting the data desensitization strategy and the desensitization algorithm to the database and development framework corresponding to the service system; a conversion layer, used for determining an original query result according to a user's query request and performing desensitization processing on the original query result according to the data desensitization strategy and the desensitization algorithm to obtain a desensitization processing result; and an output layer, used for outputting the desensitization processing result to an external service system. The component can be connected flexibly to different systems. When a system needs data desensitization, it only has to integrate the component, without development work and through simple configuration, and its business code is not intruded upon. The component adapts to various development frameworks and is integrated once and used everywhere, which improves working efficiency. The invention adopts a modular design, so the desensitization implementation is loosely coupled to the system's database and development framework, easy to extend, and highly reusable and portable.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of the overall architecture provided by an assembly for data desensitization of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
FIG. 1 is a schematic diagram of the overall architecture provided by an assembly for data desensitization of the present invention.
As shown in FIG. 1, an assembly for data desensitization according to the present invention comprises:
the access configuration layer is used for configuring a data desensitization strategy and a desensitization algorithm according to an external service system and completing authentication of the service system;
the adaptation layer is used for adapting the data desensitization strategy and the desensitization algorithm to a database and development framework corresponding to the business system;
the conversion layer is used for determining an original query result according to a query request of a user and performing desensitization processing on the original query result according to the data desensitization strategy and the desensitization algorithm to obtain a desensitization processing result;
and the output layer is used for outputting the desensitization processing result to an external service system.
Optionally, the data desensitization policy includes: a specified desensitization field, a sensitive word library, a sensitive word detection algorithm, and the structure and distribution rule of the data after desensitization.
Further, the desensitization field includes at least one of:
identity card number, bank card number and mobile phone number.
Further, the desensitization algorithm comprises: hash desensitization, mask desensitization, replacement desensitization, transform desensitization, encryption desensitization, and shuffle desensitization.
Further, the development framework includes at least one of:
MVC, RPC, ORM, LOG;
the adaptation layer includes: MVC (Model View Controller), RPC (Remote Procedure Call), ORM (Object-Relational Mapping), and LOG framework generic adapters.
Further, the determining an original query result according to a query request of a user, and performing desensitization processing on the original query result according to the data desensitization policy and the desensitization algorithm includes:
according to the query request, finding an original query result in a database corresponding to the service system;
judging whether a desensitization field exists in the original query result according to the data desensitization strategy;
when a desensitization field exists in the original query result, desensitization processing is carried out on the desensitization field by using the desensitization algorithm so that the processed desensitization data conform to a data structure and distribution rule specified in the data desensitization strategy.
In practical application, the network architecture of the component adopts a logically-connected agent access mode, so that a developer can easily interface a dynamic desensitization agent end without changing the existing network architecture and authority structure.
The architecture of the component is divided into an access configuration layer, an adaptation layer, a conversion layer and an output layer. The output layer, such as the SPI (Serial Peripheral Interface) in FIG. 1, can exchange data with an external device and output the data desensitization result to it. The adaptation layer is divided into four blocks, providing generic adapters for the ORM, RPC, MVC and LOG frameworks. The component can therefore be adapted to various development frameworks: it is integrated once and used everywhere, which improves working efficiency.
In practical use, a user can input a query request through a service system. The component obtains the query request through interaction with the service system and looks up the original query result in the database corresponding to the service system. It then checks the original query result against the sensitive word library using the sensitive word detection algorithm, to judge whether a desensitization field exists in the original query result. When desensitization fields exist, sensitive data such as identity card numbers, bank card numbers and mobile phone numbers are desensitized using the component's range of desensitization algorithms and the pre-configured desensitization strategy. Several desensitization strategies are supported, including high-imitation desensitization, in which the desensitized data still has the same data structure, check rules and distribution as before desensitization.
The invention protects system data comprehensively, regardless of whether the sensitive data access comes from an internal application or an operation and maintenance console, and whether it uses conventional SQL statements or complex functions and stored procedures. The invention responds to the user's query request with desensitized data (which can be regarded as encrypted data) in place of the real data, and also supports using the desensitized data as a condition in a new query, which enables data mining and associated queries while better ensuring data security.
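The conversion-layer steps and the high-imitation property described above, as an added Python example that is not part of the patent. The patent names no concrete algorithms, so the HMAC-based keyed replacement, the `POLICY` layout, every function name and the sample rows are assumptions constructed for illustration; because the replacement is deterministic, the same card number always maps to the same substitute, which is what lets desensitized values serve as a condition in an associated query.

```python
import hashlib
import hmac
import re

DEMO_KEY = b"constructed-demo-key"  # assumption: a real key comes from a secret store


def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn check used by bank cards."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def keyed_digits(label: str, value: str, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256: same key and input give the same output."""
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(DEMO_KEY, f"{label}|{value}|{counter}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac if b < 250)  # skip 250..255 to avoid modulo bias
        counter += 1
    return out[:n]


def hash_value(value: str) -> str:
    """Hash desensitization: keyed digest, so guesses cannot be confirmed without the key."""
    return hmac.new(DEMO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_phone(value: str) -> str:
    """Mask desensitization: keep the first 3 and last 4 characters."""
    if len(value) < 8:  # too short to keep anything without revealing most of it
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 7) + value[-4:]


def imitate_card(value: str) -> str:
    """High imitation: same length and 6-digit prefix, new middle digits, valid check digit."""
    if not value.isdigit() or len(value) < 8:
        return hash_value(value)  # not card-shaped: fall back to an opaque token
    body = value[:6] + keyed_digits("card", value, len(value) - 7)
    return body + luhn_check_digit(body)


# Hypothetical policy: named desensitization fields plus value detectors that stand in
# for the sensitive word library and detection algorithm.
POLICY = {
    "fields": {"mobile": mask_phone, "bank_card": imitate_card, "id_card": hash_value},
    "detectors": [
        (lambda v: re.fullmatch(r"1[3-9]\d{9}", v) is not None, mask_phone),
        (lambda v: re.fullmatch(r"\d{16,19}", v) is not None and luhn_valid(v), imitate_card),
    ],
}


def desensitize_rows(rows, policy=POLICY):
    """Conversion layer: find sensitive fields in the original query result and rewrite them."""
    result = []
    for row in rows:
        clean = {}
        for col, val in row.items():
            algo = policy["fields"].get(col)
            if algo is None and isinstance(val, str):  # column not named: inspect the value
                algo = next((a for hit, a in policy["detectors"] if hit(val)), None)
            clean[col] = val if algo is None or val is None else algo(str(val))
        result.append(clean)
    return result


# Constructed sample query result (no real personal data).
ROWS = [
    {"order_id": 1001, "mobile": "13800138000", "bank_card": "4111111111111111",
     "id_card": "110101199001011234"},
    {"order_id": 1002, "contact": "13912345678", "bank_card": "4111111111111111"},
]

if __name__ == "__main__":
    for r in desensitize_rows(ROWS):
        print(r)
```
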
In actual use, before a user performs query operation, the user can configure a data desensitization strategy and a desensitization algorithm according to an external service system, and the component supports dynamic assignment of a desensitization field and a desensitization strategy; and if the user does not configure the data desensitization strategy and the desensitization algorithm, the component processes according to the preset data desensitization strategy and the desensitization algorithm.
Further, the assembly further comprises:
and the user-defined plug-in is used for customizing the desensitization rule according to the user requirement when the user-defined function is opened.
Further, the customized plug-in customizes the desensitization rule according to the user requirement, including:
and dynamically adjusting a data desensitization strategy and a desensitization algorithm according to the user requirements.
In actual use, an external party can open or close the component's custom function through the SPI. When the custom function is open, a user can define the desensitization rule, and the component then processes data according to the defined rule.
The component can be connected flexibly to different systems. When a system needs data desensitization, it only has to integrate the component, without development work and through simple configuration, and its business code is not intruded upon. The component adapts to various development frameworks and is integrated once and used everywhere, which improves working efficiency. The invention adopts a modular design, so the desensitization implementation is loosely coupled to the system's database and development framework, easy to extend, and highly reusable and portable. The invention also supports user-defined configuration of the data desensitization strategy and the desensitization algorithm according to requirements, and the component supports dynamic assignment of the desensitization field and the desensitization strategy, so it is flexible to use and can better ensure data security as required.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present invention, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (8)

1. An assembly for data desensitization, comprising:
the access configuration layer is used for configuring a data desensitization strategy and a desensitization algorithm according to an external service system and completing authentication of the service system;
the adaptation layer is used for adapting the data desensitization strategy and the desensitization algorithm to a database and development framework corresponding to the business system;
the conversion layer is used for determining an original query result according to a query request of a user and performing desensitization processing on the original query result according to the data desensitization strategy and the desensitization algorithm to obtain a desensitization processing result;
and the output layer is used for outputting the desensitization processing result to an external service system.
2. The assembly of claim 1,
the data desensitization strategy comprises: a specified desensitization field, a sensitive word library, a sensitive word detection algorithm, and the structure and distribution rule of the data after desensitization.
3. The component of claim 2, wherein the desensitization field comprises at least one of:
identity card number, bank card number and mobile phone number.
4. The assembly of claim 1,
the desensitization algorithm includes: hash desensitization, mask desensitization, replacement desensitization, transform desensitization, encryption desensitization, and shuffle desensitization.
5. The component of claim 1, wherein the development framework comprises at least one of:
MVC, RPC, ORM, LOG;
the adaptation layer includes: generic adapters for the MVC, RPC, ORM and LOG frameworks.
6. The component of claim 2, wherein the determining of an original query result from a query request by a user and the desensitization processing of the original query result according to the data desensitization policy and the desensitization algorithm comprises:
according to the query request, finding an original query result in a database corresponding to the service system;
judging whether a desensitization field exists in the original query result according to the data desensitization strategy;
when a desensitization field exists in the original query result, desensitization processing is carried out on the desensitization field by using the desensitization algorithm so that the processed desensitization data conform to a data structure and distribution rule specified in the data desensitization strategy.
7. The assembly of any one of claims 1 to 6, further comprising:
and the user-defined plug-in is used for customizing the desensitization rule according to the user requirement when the user-defined function is opened.
8. The component of claim 7, wherein the custom plug-in customizes desensitization rules according to user requirements, comprising:
and dynamically adjusting a data desensitization strategy and a desensitization algorithm according to the user requirements.
CN202110533419.3A 2021-05-17 2021-05-17 Assembly for data desensitization Pending CN113238816A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110533419.3A CN113238816A (en) 2021-05-17 2021-05-17 Assembly for data desensitization

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110533419.3A CN113238816A (en) 2021-05-17 2021-05-17 Assembly for data desensitization

Publications (1)

Publication Number Publication Date
CN113238816A true CN113238816A (en) 2021-08-10

Family

ID=77134579

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110533419.3A Pending CN113238816A (en) 2021-05-17 2021-05-17 Assembly for data desensitization

Country Status (1)

Country Link
CN (1) CN113238816A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111274610A (en) * 2020-01-21 2020-06-12 京东数字科技控股有限公司 Data desensitization method and device and desensitization service platform
WO2020211222A1 (en) * 2019-04-15 2020-10-22 厦门市美亚柏科信息股份有限公司 Method and device for providing micro-service based on data service platform, and storage medium
CN112580094A (en) * 2020-12-14 2021-03-30 京东数字科技控股股份有限公司 Data processing method, electronic device, and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
焦伟等: "测试数据脱敏技术框架的研究与探讨", 《中国金融电脑》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210810)