CN113297622A - Log desensitization method, system, electronic equipment and storage medium - Google Patents

Publication number: CN113297622A
Authority: CN (China)
Prior art keywords: data, target object, annotation, desensitized, desensitization
Legal status: Pending
Application number: CN202110695741.6A
Other languages: Chinese (zh)
Inventors: 孙正浩, 王雷
Current Assignee: Ping An E Wallet Electronic Commerce Co Ltd
Original Assignee: Ping An E Wallet Electronic Commerce Co Ltd
Application filed by: Ping An E Wallet Electronic Commerce Co Ltd
Priority to: CN202110695741.6A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/253 Grammatical analysis; Style critique
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/42 Syntactic analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/42 Syntactic analysis
    • G06F8/425 Lexical analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/43 Checking; Contextual analysis
    • G06F8/436 Semantic checking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/52 Binary to binary

Abstract

The invention discloses a log desensitization method, a system, electronic equipment and a storage medium. The method comprises the following steps: intercepting a data printing request sent by a user, and extracting a first annotation in the data printing request; acquiring the data to be desensitized, and extracting a second annotation and a third annotation in the data to be desensitized, wherein the second annotation characterizes the type of the target object in the data to be desensitized and the third annotation characterizes the attribute value of the target object in the data to be desensitized; determining a preset configuration rule corresponding to the target object based on the type of the target object; and, after desensitizing the attribute values based on the configuration rule, sending the data printing request to a printing interface and executing the printing operation. Desensitization does not require manually written code for each piece of sensitive data in log printing, so leakage of private personal information is effectively prevented and privacy security is ensured.

Description

Log desensitization method, system, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of data processing, in particular to a log desensitization method, a log desensitization system, electronic equipment and a storage medium.
Background
With the rapid development of informatization, computer networks have extended into every field of work and life. More and more organizations or hackers collect and use personal information, and illegal collection, abuse and leakage of personal information have appeared, so the privacy and security of personal information face serious threats, especially in the financial field, which directly involves the security of funds. Therefore, when the log of a business system is printed, sensitive data including names, identification card numbers, bank card numbers and mobile phone numbers need to be desensitized to hide personal information and ensure privacy and security.
In the prior art, sensitive data in log printing is usually desensitized by hard coding, that is, each piece of sensitive data in log printing is handled with manually written code. This requires a large amount of repetitive code that is hard to read and maintain, and key fields are easily omitted, leaving personal information unhidden and creating privacy and security risks.
Therefore, how to desensitize sensitive data quickly and accurately during log printing while ensuring the privacy and security of personal information is a major problem to be solved.
Disclosure of Invention
The invention aims to provide a log desensitization method, a log desensitization system, an electronic device and a storage medium, which are used for solving the problems in the prior art.
To achieve the above object, the present invention provides a log desensitization method, including:
intercepting a data printing request sent by a user, and extracting a first annotation in the data printing request; wherein the first annotation is used to characterize data to be desensitized in the data print request;
acquiring the data to be desensitized, and extracting a second annotation and a third annotation in the data to be desensitized; wherein the second annotation is used for characterizing the type of the target object in the data to be desensitized, and the third annotation is used for characterizing the attribute value of the target object in the data to be desensitized;
determining a preset configuration rule corresponding to the target object based on the type of the target object;
and after desensitizing the attribute values based on the configuration rule, sending the data printing request to a printing interface, and executing printing operation.
Preferably, the determining, based on the type of the target object, a preset configuration rule corresponding to the target object further includes:
finding out the configuration rule corresponding to the type of the target object from a preset configuration strategy area; the configuration policy area stores the type of each target object and the corresponding relationship between the types of the target objects and the corresponding configuration rules in advance.
Preferably, the configuration policy area is constructed by:
compiling the data to be desensitized into an initial bytecode file, and running the initial bytecode file;
performing recursive analysis on the running initial bytecode file by using a bytecode manipulation framework to obtain a target object set, and storing the target object set in the configuration policy area; the target object set comprises the type of the target object and a corresponding index value, and the index value is the number assigned to the type of the target object;
calling a preset configuration rule corresponding to the target object according to the index value;
and storing the corresponding relation between the target object set and the corresponding configuration rule into the configuration policy area.
Preferably, the compiling the data to be desensitized into an initial bytecode file and running the initial bytecode file further includes:
analyzing the data to be desensitized based on the first annotation to obtain an analysis result;
reading the second annotation and the third annotation from the analysis result to obtain a data model file;
setting the data model file as a source code file, and calling a preset compiler to compile the source code file into the initial bytecode file;
and loading the initial bytecode file through a preset virtual machine, converting the initial bytecode file into machine code and executing the machine code.
Preferably, the performing recursive analysis on the running initial bytecode file by using a bytecode manipulation framework to obtain a target object set, and storing the target object set in the configuration policy area, wherein the target object set includes the type of the target object and a corresponding index value, and the index value is the number assigned to the type of the target object, further includes:
loading the initial bytecode file by using the bytecode manipulation framework;
carrying out recursive analysis on the initial bytecode file to obtain the types of a plurality of the target objects;
setting corresponding index values according to the types of the target objects, and generating a plurality of target object sets according to the types of the target objects and the corresponding index values;
and respectively storing the plurality of target object sets into the configuration policy area.
Preferably, the data printing request comprises public data and/or data to be desensitized, the data to be desensitized is used for representing private data containing personal information, and the public data is used for representing data not containing personal information;
intercepting a data printing request sent by a user, and extracting a first annotation in the data printing request; wherein the first annotation is used for characterizing the data to be desensitized in the data print request, further comprising:
and if the first annotation is not extracted from the data printing request, sending the data printing request to a printing interface, and executing printing operation.
Preferably, the configuration rules include desensitization rules, based on which the attribute values are desensitized, and restoration rules;
after desensitizing the attribute values based on the configuration rule, sending the data printing request to a printing interface and executing the printing operation, the method further includes:
restoring the desensitized value based on the restoration rule, and then storing it in a cache.
To achieve the above object, the present invention also provides a log desensitization system, including:
the system comprises an interception unit, a data printing unit and a processing unit, wherein the interception unit is used for intercepting a data printing request sent by a user and extracting a first annotation in the data printing request; wherein the first annotation is used to characterize data to be desensitized in the data print request;
the acquisition unit is used for acquiring the data to be desensitized and extracting a second annotation and a third annotation in the data to be desensitized; wherein the second annotation is used for characterizing the type of the target object in the data to be desensitized, and the third annotation is used for characterizing the attribute value of the target object in the data to be desensitized;
the determining unit is used for determining a preset configuration rule corresponding to the target object based on the type of the target object;
and the desensitization unit is used for sending the data printing request to a printing interface after desensitizing the attribute values based on the configuration rule and executing printing operation.
In order to achieve the above object, the present invention also provides an electronic device, including:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement the log desensitization method of any of the above.
To achieve the above object, the present invention also provides a computer-readable storage medium having at least one instruction stored therein, the at least one instruction being executed by a processor in an electronic device to implement the log desensitization method of any one of the above.
The beneficial effects of the above technical scheme are that:
According to the log desensitization method, system, electronic equipment and storage medium, when an input port of a printing interface detects a data printing request from a user, an interceptor intercepts the request, extracts the first annotation in it, acquires the data to be desensitized, extracts the second annotation and the third annotation in the data to be desensitized, determines the preset configuration rule corresponding to the target object based on the type of the target object, desensitizes the attribute value based on the configuration rule, and then sends the data printing request to the printing interface, which executes the printing operation. The output is log data in which private data such as personal information is hidden. After the printing operation is finished, the desensitized value is restored based on the restoration rule and stored in a cache, so that a user can conveniently call or query it later. Desensitization does not require manually written code for each piece of sensitive data in log printing, so leakage of private personal information is effectively prevented and privacy security is ensured. Meanwhile, the public data are matched one by one against regular expressions, which prevents data to be desensitized that was missed during annotation from going unidentified and ensures desensitization accuracy.
The invention automatically produces the target object set through a bytecode manipulation framework (ASM) and traverses all data in the data model file with a recursive algorithm, thereby avoiding missing any data to be desensitized. By caching the corresponding relation between each target object set and the corresponding configuration rule in the configuration policy area, the configuration rule can be looked up directly from the configuration policy area when queried, which improves the efficiency and accuracy of the data desensitization operation.
Drawings
FIG. 1 is a schematic flow chart a of a first embodiment of a log desensitization method according to the present invention;
FIG. 2 is a schematic flow chart b of a first embodiment of the log desensitization method of the present invention;
FIG. 3 is a functional unit diagram of a log desensitization system according to a second embodiment of the log desensitization method of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the log desensitization method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the descriptions relating to "first", "second", etc. in the embodiments of the present application are only for descriptive purposes and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present application.
In the description of the present application, it should be understood that the numerical references before the steps do not identify the order of performing the steps, but merely serve to facilitate the description of the present application and to distinguish each step, and therefore should not be construed as limiting the present application.
Example one
Referring to FIG. 1, which is schematic flow chart a of the first embodiment of the log desensitization method, the method specifically includes the following steps:
S100: intercepting a data printing request sent by a user, and extracting a first annotation in the data printing request; wherein the first annotation is used to characterize the data to be desensitized in the data print request.
In this embodiment, the data print request is a log data print request. Network devices, systems, and service programs, etc. generate a log event record during operation, and each log line records a description of the relevant operations, such as date, time, user, and action. In order to facilitate understanding of the operation conditions of the network equipment, the system, the service program and the like, logs in the operation systems of the network equipment, the system, the service program and the like can be printed out, so that the operation of the network equipment, the system, the service program and the like can be visually tracked, the reason for errors can be visually found when the faults occur, and a large amount of repair time can be saved.
In an exemplary embodiment, the data print request includes public data and/or data to be desensitized. The data to be desensitized is used for representing private data (such as names, identification numbers, mobile phone numbers, addresses and the like) containing personal information, and the public data is used for representing data not containing personal information.
The user selects log data (public data and/or data to be desensitized), and sends a data printing request to an input port of a printing interface so as to print the log data. When the input port of the printing interface monitors the data printing request of the user, an interceptor is called to intercept the data printing request, and log data in the data printing request is identified, so that the log data is prevented from being directly input into the printing interface to be printed and output, and the personal information privacy security risk caused by directly outputting the log data containing the data to be desensitized without desensitization treatment is avoided.
When the interceptor intercepts the data printing request, it automatically identifies the log data. If the interceptor identifies the first annotation in the data printing request, the request contains data to be desensitized, and the interceptor holds the request at the input port of the printing interface, so that personal information is not revealed by directly outputting the data to be desensitized.
If the interceptor does not identify the first annotation in the data printing request, the request contains no data to be desensitized and only public data. The interceptor sends the request to the input port of the printing interface, and the data is output after the printing operation is executed.
S200: acquiring the data to be desensitized, and extracting a second annotation and a third annotation in the data to be desensitized; wherein the second annotation is used for characterizing the type of the target object in the data to be desensitized, and the third annotation is used for characterizing the attribute value of the target object in the data to be desensitized.
In this embodiment, the data to be desensitized includes a plurality of types of target objects. One target object can comprise a plurality of attribute values, but one attribute value corresponds to only one target object. The types of the target object may include: name class, mobile phone number class, address class, etc. The attribute values of the target object corresponding to the name class may include: Zhang San, Wang Xiaohua and the like; the attribute values of the target object corresponding to the mobile phone number class may include: 13355667788, 18866223399, etc.; the attribute values of the target object corresponding to the address class may include: Jiangsu No. 99 of Changning district in Shanghai 999, and Haihu district school No. 88 of Beijing district, No. 8 of 888. That is, the target object of the name class comprises Zhang San and Wang Xiaohua, but Zhang San can only correspond to the target object of the name class and cannot correspond to the target object of the mobile phone number class.
In an exemplary embodiment, when the interceptor intercepts the data printing request and extracts the first annotation, the data to be desensitized is acquired according to the first annotation, and the interceptor extracts the second annotation and the third annotation in the data to be desensitized, so as to acquire the type and the corresponding attribute value of each target object in the data to be desensitized. Preferably, the invention uses an AOP (aspect-oriented programming) interceptor. The object-oriented features are inheritance, polymorphism and encapsulation, so that different classes are designed with different methods; this allows the code to be gathered into one class, reduces the coupling between pieces of code, and improves the reusability of the classes. This is not limited herein.
Specifically, the annotation information may be labeled in advance by business research and development staff, who may customize the data to be desensitized according to different businesses. Different annotations are used for different meanings, so that they can be distinguished when the annotation information is extracted. For example: the first annotation, @OffSensitive, is marked on the data to be desensitized and characterizes the data to be desensitized in the data printing request; the second annotation, @Shield, is marked on the target object and characterizes the type of the target object in the data to be desensitized; and the third annotation, @NShield, is marked on the attribute value and characterizes the attribute value of the target object in the data to be desensitized.
Preferably, since the annotation information is labeled in advance by a service developer, labels may be missing or incomplete, so that the interceptor cannot acquire all data to be desensitized in the log data. Other data not marked by annotation information (which can be understood as the above public data) is therefore matched item by item against regular expression rules. When suspected data to be desensitized is identified, the data printing request is suspended, and abnormal information is sent to the user sending end to remind the user that unmarked data to be desensitized exists in the selected log data. After the user finds the unmarked data according to the abnormal information and marks it with annotation information, execution of the data printing request continues. Matching the public data item by item against regular expressions prevents missed data to be desensitized from going unidentified, which would leave personal information unhidden and create privacy and security risks.
S300: and determining a preset configuration rule corresponding to the target object based on the type of the target object.
In an exemplary embodiment, the configuration rule corresponding to the type of the target object is found out from a preset configuration policy area; the configuration policy area stores the type of each target object and the corresponding relationship between the types of the target objects and the corresponding configuration rules in advance.
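Steps S100 to S300 and the regular-expression fallback can be illustrated in Java as follows. This is an added example, not code from the patent: the annotation names are those given in the description, while their targets, the `type` element, the reflection-based `intercept` method (a stand-in for the AOP interceptor), the `POLICY` map, the masking rules and the two regular expressions are assumptions. It needs Java 11 or later.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.List;
import java.util.Map;
import java.util.StringJoiner;
import java.util.function.UnaryOperator;
import java.util.regex.Pattern;

public class LogDesensitizationDemo {
    // Annotation names are from the description; targets and the `type` element are assumed.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)  @interface OffSensitive {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD) @interface Shield { String type(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD) @interface NShield {}

    // Assumed stand-in for the configuration policy area: target-object type -> desensitization rule.
    static final Map<String, UnaryOperator<String>> POLICY = Map.of(
        "NAME",   v -> v.isEmpty() ? v : v.substring(0, 1) + "*".repeat(v.length() - 1),
        "MOBILE", v -> v.length() < 7 ? "*".repeat(v.length())
                                      : v.substring(0, 3) + "****" + v.substring(v.length() - 4));

    // Assumed patterns for the fallback scan: mainland mobile number, 18-character ID number.
    static final List<Pattern> SUSPECTS = List.of(
        Pattern.compile("(?<!\\d)1[3-9]\\d{9}(?!\\d)"),
        Pattern.compile("(?<!\\d)\\d{17}[\\dXx](?!\\d)"));

    // Suspends the print request when unannotated text looks like data to be desensitized.
    // The exception names the pattern, never the matched value.
    static String requireNoSuspect(String text) {
        for (Pattern p : SUSPECTS) {
            if (p.matcher(text).find()) {
                throw new IllegalStateException("print request suspended: unannotated data matches " + p);
            }
        }
        return text;
    }

    // Interceptor stand-in: returns the line that may be handed to the printing interface.
    static String intercept(String message, Object payload) {
        Class<?> cls = payload.getClass();
        if (!cls.isAnnotationPresent(OffSensitive.class)) {
            // No first annotation: public data, passed through after the regex scan.
            return requireNoSuspect(message + " " + payload);
        }
        StringJoiner out = new StringJoiner(", ", message + " " + cls.getSimpleName() + "{", "}");
        for (Field f : cls.getDeclaredFields()) {
            if (f.isSynthetic()) continue;
            f.setAccessible(true);
            Object raw;
            try {
                raw = f.get(payload);
            } catch (IllegalAccessException e) {
                throw new IllegalStateException(e);
            }
            String value = String.valueOf(raw);
            Shield shield = f.getAnnotation(Shield.class);
            if (shield != null && f.isAnnotationPresent(NShield.class)) {
                UnaryOperator<String> rule = POLICY.get(shield.type());
                // Fail closed: a type with no rule is hidden completely rather than printed.
                value = (rule == null || raw == null) ? "***" : rule.apply(value);
            } else {
                requireNoSuspect(value); // unannotated field inside an annotated object
            }
            out.add(f.getName() + "=" + value);
        }
        return out.toString();
    }

    // Constructed sample object; the name and number are the sample values used in the description.
    @OffSensitive
    static class Customer {
        @Shield(type = "NAME")   @NShield String name = "Wang Xiaohua";
        @Shield(type = "MOBILE") @NShield String mobile = "13355667788";
        String orderId = "A-1001";
    }

    public static void main(String[] args) {
        System.out.println(intercept("order created", new Customer()));
        System.out.println(intercept("health check", "status=ok"));
        try {
            intercept("callback received", "from 18866223399"); // unannotated mobile number
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```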
Referring to FIG. 2, which is schematic flow chart b of the first embodiment of the log desensitization method, the step of constructing the configuration policy area includes:
S301: compiling the data to be desensitized into an initial bytecode file, and running the initial bytecode file.
In the compiling process, the original data structure of the data to be desensitized is abstracted, and a batch of data models is created to generate data model files. The data models in the data model file can have the functions of acquiring and setting data. For example: acquiring a plurality of target objects, numbering the target objects, and distinguishing the types of the target objects according to the numbers.
Specifically, the data to be desensitized is analyzed based on the first annotation to obtain an analysis result, the second annotation and the third annotation are read from the analysis result, each target object is obtained, the original data structure of each target object is abstracted, a batch of data models is created, and a data model file is generated, wherein the data model file can be a java-type template file. If the original data structures of two or more target objects are the same, one data model is created for them; different data models are created for different original data structures. For example, if two of three target objects are name-class target objects, one name-class data model is created according to the original data structure of the two name-class target objects; if the third is a mobile-phone-number-class target object, another data model, of the mobile phone number class, is created according to its original data structure.
Meanwhile, the data model file is set as a source code file, a preset compiler is called to compile the source code file into the initial byte code file, the initial byte code file is loaded through a preset virtual machine, and finally the initial byte code file is converted into machine codes and executed. The preset compiler is a java compiler (e.g., a front-end compiler), the file extension of the initial bytecode file is class, the preset virtual machine is a Java Virtual Machine (JVM), and the machine code recognizable by the java virtual machine is binary data, which is not limited herein.
In an exemplary embodiment, compiling the source code file into the initial bytecode file by using a front-end compiler specifically includes the following steps:
(1) Lexical and syntax analysis. The character stream in the source code file is converted into a set of tokens by the lexical analyzer and the syntax analyzer in the front-end compiler, and an abstract syntax tree is constructed from the token set. A token is the smallest element in the compilation process; each node of the abstract syntax tree characterizes a syntax structure in the source code file, for example: package, type, operator, modifier, etc.
(2) Filling the symbol table. The symbol table is a table constructed from a plurality of sets of symbol addresses and symbol information. It can be understood that the symbol information is an attribute value (variable) of the target object, the symbol address is a type of the target object, and a one-to-one correspondence between the attribute value of the target object and the corresponding type is stored in the symbol table.
(3) Annotation processing. The second annotation and the third annotation are analyzed by an annotation processor in the front-end compiler, and the corresponding information (the attribute value and the type of the target object) is read from the abstract syntax tree.
(4) Semantic analysis. Based on the symbol table, each variable is checked for a corresponding data structure (type).
(5) Generating the bytecode file. The abstract syntax tree and the symbol table are converted into bytecode, and the class file is output.
After the bytecode file is generated, the class file is converted into machine code by a JIT compiler (just-in-time compiler), so that a Java Virtual Machine (JVM) runs the machine code.
S302: performing recursive analysis on the running initial bytecode file by using a bytecode manipulation framework to obtain a target object set, and storing the target object set in the configuration policy area; wherein the set of target objects includes a type of the target object and a corresponding index value; the index value is the number assigned to the type of the target object.
The initial bytecode file represents a file abstractly created from the original data structure of the data to be desensitized, and comprises a plurality of data models with the functions of acquiring and setting data. For example: the type of the target object is obtained, that is, an object with similar functions is dynamically created through bytecode, and more functions are added to the object. It can be understood that a plurality of target objects are obtained; after they are classified, a new type is defined for the classified target objects, the different types of target objects are numbered, and the type of a target object is automatically identified according to its number.
In this embodiment, the number is set as the index value of the type of the target object, and a target object set is generated according to the type of the target object and the corresponding index value and stored in the configuration policy area. If a plurality of types of target objects exist in the data to be desensitized, they can be distinguished through the index values. For example: the index value of the target object of the name type is 1, and the index value of the target object of the mobile phone number type is 2.
Specifically, a bytecode manipulation framework is used to load the initial bytecode file; the initial bytecode file is recursively parsed to obtain the types of a plurality of target objects; corresponding index values are set according to those types; a plurality of target object sets are generated from the types and the corresponding index values; and finally the target object sets are stored in the configuration policy area.
S303: and calling a preset configuration rule corresponding to the target object according to the index value. In an exemplary embodiment, the configuration rules are numbered in advance, and the preset configuration rules corresponding to the target object are called according to the index value. For example: the number of the configuration rule of the name type is 1, the index value of the target object of the name type is also 1, and the configuration rule corresponding to the target object can be called by matching the number with the index value.
In an exemplary embodiment, at least one desensitization rule corresponding to the index value is found from a preset configuration file according to the index value to form the configuration rule. Wherein, the configuration file is stored with the corresponding relationship of each index value and the corresponding desensitization rule in advance. For example: the corresponding relationship between each index value and the corresponding desensitization rule can be stored in the form of an Excel file or the like, and a plurality of desensitization rules corresponding to the index values can be searched from the Excel file.
Or numbering each desensitization rule in advance, and calling a plurality of desensitization rules corresponding to the target object according to the index value. For example: desensitization rules for cell number types include: the desensitization rules of the masking algorithm 1a and the desensitization rules of the pseudonym algorithm 1b are adopted, and the index value of the target object of the name type is 1, so that a plurality of desensitization rules corresponding to the target object can be called by matching the number 1 with the first characters of 1a and 1 b.
It is understood that one index value, i.e. more than one desensitization rule corresponding to one target object, adapts different desensitization rules according to different desensitization degree requirements. For example: the type of the target object is a mobile phone number, and when running errors require log data to be checked for printing, a masking algorithm can be selected as an adaptive desensitization rule; when the outsourcing or third party service provider needs log data or the test development environment needs to keep the relationship between fields for printing, a pseudonym algorithm can be selected as an adaptive desensitization rule, namely, a virtual mobile phone number which accords with a mobile phone number coding rule is randomly generated so as to ensure the normal operation of the service.
And aiming at the types of the same target objects, matching the corresponding desensitization rules and selecting the desensitization rules by service personnel according to the printing requirements. For example: when the printing requirement is that log data is required to be checked for printing due to operation errors, a masking algorithm is adopted as an adaptive desensitization rule; and when the printing requirement is that the outsourcing or a third-party service provider needs log data or the test development environment needs to keep the relationship between the fields for printing, adopting a pseudonymous algorithm as an adaptive desensitization rule.
Specifically, the data printing requests are marked according to different printing requirements in a preset mode, and corresponding desensitization rules are adapted according to the different printing requirements according to the marks. For example: when the printing requirement is that log data is required to be checked for printing due to operation errors, marking a data printing request a; and marking a data printing request b when log data is needed for outsourcing or a third party service provider or when the test development environment needs to maintain the relationship between the fields for printing. And after the corresponding desensitization rules are acquired according to the index values, selecting one from the desensitization rules as an adaptive desensitization rule according to the mark of the data printing request to form the configuration rule.
S304: and storing the corresponding relation between the target object set and the corresponding configuration rule into the configuration strategy area.
A target object set is automatically produced through a byte code manipulation framework (ASM), and all data in a data model file are traversed by adopting a recursive algorithm, so that missing of data to be desensitized is avoided. By caching the corresponding relation between each target object set and the corresponding configuration rule to the configuration strategy area, the corresponding configuration rule can be directly searched from the configuration strategy area when being inquired, and the efficiency and the accuracy of data desensitization operation are improved.
S400: and after desensitizing the attribute values based on the configuration rule, sending the data printing request to a printing interface, and executing printing operation.
In an exemplary embodiment, the configuration rules include desensitization rules and recovery rules. The attribute values are desensitized based on the desensitization rule. The desensitization rule may preset, according to business requirements, a processing rule for each item of data to be desensitized. Taking a desensitization rule that uses a masking algorithm as an example, the first M digits and the last N digits of the attribute value can be kept and the other digits replaced by a symbol, wherein M and N are integers both larger than 1. For example: for the desensitization rule of the target object of the mobile phone number type, M is 3, N is 4 and the symbol is *; the attribute value is 13355667788, so the desensitized value is 133****7788.
After desensitization is completed, the data printing request is sent to the printing interface and the printing operation is executed. The output is log data in which private data such as personal information is hidden, which effectively prevents personal private data from being leaked and protects privacy.
After the printing operation is finished, the desensitized value is restored based on the recovery rule and stored in a cache. The recovery rule corresponds to the desensitization rule: when desensitization is carried out based on the desensitization rule, the corresponding recovery rule is generated automatically. For example, the desensitization rule for the target object of the mobile phone number type is: M is 3, N is 4 and the symbol is *; the attribute value is 13355667788 and the desensitized value is 133****7788. The automatically generated recovery rule is: keep the first 3 digits and the last 4 digits of the desensitized value and replace the other digits in the desensitized value with 5566, so that the desensitized value is restored and stored in the cache for the user to call or query later.
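The rule selection of S303 and the masking and recovery rules of S400, as an added Python example that is not code from the patent (annotation extraction and bytecode parsing are not reproduced). Assumptions: the rule keys reuse the request marks a and b, the pseudonym is derived with a keyed HMAC rather than generated randomly so that equal inputs keep equal pseudonyms, the 11-digit format starting with 1 stands in for the "coding rule", and types without a rule are fully masked.

```python
import hashlib
import hmac

MASK_CHAR = "*"
DEMO_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a secret store

# Index values from the page's example: 1 = name, 2 = mobile phone number.
TYPE_INDEX = {"name": 1, "mobile": 2}


def mask(value, keep_first, keep_last):
    """Masking rule: keep the first M and last N characters, mask the rest.

    Returns (desensitized value, recovery rule). The recovery rule carries the
    hidden segment, so the cache holding it is as sensitive as the raw value.
    """
    if len(value) <= keep_first + keep_last:
        # Too short to keep both ends without printing everything: mask it all.
        return MASK_CHAR * len(value), {"start": 0, "segment": value}
    end = len(value) - keep_last
    hidden = value[keep_first:end]
    masked = value[:keep_first] + MASK_CHAR * len(hidden) + value[end:]
    return masked, {"start": keep_first, "segment": hidden}


def recover(masked, recovery_rule):
    """Recovery rule: put the hidden segment back in place of the mask symbols."""
    start = recovery_rule["start"]
    segment = recovery_rule["segment"]
    return masked[:start] + segment + masked[start + len(segment):]


def pseudonym_mobile(value, key):
    """Pseudonym rule: a virtual 11-digit number, stable for a given input and key.

    Assumed format: leading 1, second digit 3-9, then nine digits.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    second = 3 + digest[0] % 7
    rest = int.from_bytes(digest[1:9], "big") % 10**9
    return f"1{second}{rest:09d}"


# Constructed configuration policy area: index value -> request mark -> rule.
# Mark "a" = print to investigate a runtime error, "b" = third party / test use.
POLICY_AREA = {
    2: {
        "a": lambda value, key: mask(value, 3, 4),
        "b": lambda value, key: (pseudonym_mobile(value, key), None),
    },
}


def desensitize(target_type, value, mark, key=DEMO_KEY):
    """Look up the rule by index value and request mark, then apply it."""
    index = TYPE_INDEX.get(target_type)
    rule = POLICY_AREA.get(index, {}).get(mark)
    if rule is None:
        # No rule for this type or mark: print nothing in clear.
        return MASK_CHAR * len(value), None
    return rule(value, key)


if __name__ == "__main__":
    printed, recovery_rule = desensitize("mobile", "13355667788", "a")
    print(printed, recover(printed, recovery_rule))
```
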
Example two
Fig. 3 is a functional unit diagram of a log desensitization system according to a second embodiment of the log desensitization method of this embodiment.
The system comprises an intercepting unit 31, an acquiring unit 32, a determining unit 33 and a desensitizing unit 34. The unit referred to in the present invention is a series of computer program segments capable of being executed by a processor and performing a fixed function, and is stored in a memory. In the present embodiment, the functions of the units will be described in detail in the following embodiments.
The intercepting unit 31 is configured to intercept a data printing request sent by a user, and extract a first annotation in the data printing request; wherein the first annotation is used to characterize the data to be desensitized in the data print request.
In an exemplary embodiment, when the input port of the printing interface monitors a data printing request of the user, the intercepting unit 31 is called to intercept the data printing request, and identify log data in the data printing request, so that the log data is prevented from being directly input into the printing interface for printing output, and the risk of personal information privacy security caused by directly outputting the log data containing data to be desensitized without desensitization processing is avoided.
The obtaining unit 32 is configured to obtain the data to be desensitized, and extract a second annotation and a third annotation in the data to be desensitized; wherein the second annotation is used for characterizing the type of the target object in the data to be desensitized, and the third annotation is used for characterizing the attribute value of the target object in the data to be desensitized.
In an exemplary embodiment, when the intercepting unit 31 intercepts the data printing request and extracts the first annotation, the acquiring unit 32 acquires the data to be desensitized, extracts the second annotation and the third annotation in the data to be desensitized through the intercepting unit 31, and acquires the type and the corresponding attribute value of each target object in the data to be desensitized through the acquiring unit 32.
If the obtaining unit 32 does not recognize the first annotation in the data printing request, the data printing request does not include data to be desensitized and includes only public data; the data printing request is then sent to the input port of the printing interface and output after the printing operation is executed.
The determining unit 33 is configured to determine a preset configuration rule corresponding to the target object based on the type of the target object.
In an exemplary embodiment, the determining unit 33 finds the configuration rule corresponding to the type of the target object from a preset configuration policy area; the configuration policy area stores the type of each target object and the corresponding relationship between the types of the target objects and the corresponding configuration rules in advance.
Specifically, the data to be desensitized is compiled into an initial bytecode file, and the initial bytecode file is run; the running initial bytecode file is recursively parsed using a bytecode manipulation framework to obtain a target object set, and the target object set is stored in the configuration policy area; wherein the target object set includes the type of the target object and a corresponding index value; the index value is used to characterize the number assigned to the type of the target object; a preset configuration rule corresponding to the target object is called according to the index value; and the correspondence between the target object set and the corresponding configuration rule is stored in the configuration policy area.
The desensitization unit 34 is configured to send the data print request to a print interface after desensitizing the attribute value based on the configuration rule, and execute a print operation.
In an exemplary embodiment, after desensitization is completed, a data printing request is sent to a printing interface, printing operation is executed, an output result is log data with privacy data such as personal information hidden, personal information privacy data are effectively prevented from being leaked, and privacy safety is ensured. Meanwhile, after the printing operation is finished, the desensitization value is restored based on the restoration rule and is stored in a cache, so that a user can call or inquire the desensitization value conveniently at the later stage.
Example three
Fig. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the log desensitization method of this embodiment.
In the exemplary embodiment, the electronic device 4 includes, but is not limited to, a memory 41, a processor 42, and a computer program, such as a log desensitization program, stored in the memory 41 and executable on the processor. Those skilled in the art will appreciate that the schematic diagram is merely an example of an electronic device and does not limit it; the electronic device may include more or fewer components than shown, combine some components, or use different components. For example, the electronic device may also include input/output devices, network access devices, buses, and so on.
The memory 41 includes at least one type of computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 41 may be an internal storage module of the electronic device, such as a hard disk or a memory of the electronic device. In other embodiments, the memory 41 may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the electronic device. Of course, the memory 41 may also include both internal and external memory modules of the electronic device. In this embodiment, the memory 41 is generally used for storing an operating system and various types of application software installed in the electronic device. Further, the memory 41 may also be used to temporarily store various types of data that have been output or are to be output.
The Processor 42 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, or the like. The processor 42 is an operation core and a control center of the electronic device, and is connected to each part of the whole electronic device by various interfaces and lines, and executes an operating system of the electronic device and various installed application programs, program codes, and the like.
The processor 42 executes the operating system of the electronic device as well as various applications installed. The processor 42 executes the application program to implement the steps in the various log desensitization method embodiments described above, such as steps S100, S200, S300, S400 shown in fig. 1.
Example four
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application mall, etc., on which a computer program is stored, which when executed by a processor implements corresponding functions. The computer-readable storage medium of the present embodiment is used for storing a computer program for implementing the log desensitization method, and implements the log desensitization method of the first or second or third embodiment when executed by the processor 42.

Claims (10)

1. A method of log desensitization, the method comprising:
intercepting a data printing request sent by a user, and extracting a first annotation in the data printing request; wherein the first annotation is used to characterize data to be desensitized in the data print request;
acquiring the data to be desensitized, and extracting a second annotation and a third annotation in the data to be desensitized; wherein the second annotation is used for characterizing the type of the target object in the data to be desensitized, and the third annotation is used for characterizing the attribute value of the target object in the data to be desensitized;
determining a preset configuration rule corresponding to the target object based on the type of the target object;
and after desensitizing the attribute values based on the configuration rule, sending the data printing request to a printing interface, and executing printing operation.
2. The log desensitization method according to claim 1, wherein determining the preset configuration rules corresponding to the target objects based on the types of the target objects further comprises:
finding out the configuration rule corresponding to the type of the target object from a preset configuration strategy area; the configuration policy area stores the type of each target object and the corresponding relationship between the types of the target objects and the corresponding configuration rules in advance.
3. A log desensitization method according to claim 2, wherein said configuration policy zone is constructed by:
compiling the data to be desensitized into an initial byte code file, and operating the initial byte code file;
performing recursive analysis on the operating initial byte code file by adopting a byte code operating frame to obtain a target object set, and storing the target object set in the configuration strategy area; the target object set comprises the type of the target object and a corresponding index value, and the index value is used for representing the number of the type of the target object;
calling a preset configuration rule corresponding to the target object according to the index value;
and storing the corresponding relation between the target object set and the corresponding configuration rule into the configuration strategy area.
4. The log desensitization method according to claim 3, wherein said compiling the data to be desensitized into an initial bytecode file and running the initial bytecode file, further comprising:
analyzing the data to be desensitized based on the first annotation to obtain an analysis result;
reading the second annotation and the third annotation from the analysis result to obtain a data model file;
setting the data model file as a source code file, and calling a preset compiler to compile the source code file into the initial byte code file;
and loading the initial byte code file through a preset virtual machine, converting the initial byte code file into a machine code and executing the machine code.
5. The log desensitization method according to claim 3, wherein said employing a bytecode manipulation framework to recursively parse said running said initial bytecode file to obtain a set of target objects, and storing said set of target objects in said configuration policy area; wherein the target object set includes a type of the target object and a corresponding index value, and the index value is used to characterize a number of the type of the target object, and further includes:
loading the initial byte code file by adopting a byte code manipulation frame;
carrying out recursive analysis on the initial byte code file to obtain a plurality of types of the target objects;
setting corresponding index values according to the types of the target objects, and generating a plurality of target object sets according to the types of the target objects and the corresponding index values;
and respectively storing a plurality of target object sets into the configuration strategy area.
6. The log desensitization method according to claim 1, wherein the data print request includes public data and/or data to be desensitized, the data to be desensitized being used to characterize private data containing personal information, the public data being used to characterize data not containing personal information;
intercepting a data printing request sent by a user, and extracting a first annotation in the data printing request; wherein the first annotation is used for characterizing the data to be desensitized in the data print request, further comprising:
and if the first annotation is not extracted from the data printing request, sending the data printing request to a printing interface, and executing printing operation.
7. A log desensitization method according to claim 1, wherein the configuration rules include desensitization rules based on which the attribute values are desensitized and recovery rules;
after desensitizing the attribute values based on the configuration rule, sending the data printing request to a printing interface, and after executing a printing operation, the method further includes:
and after the desensitization value is restored based on the restoration rule, storing the desensitization value into a cache.
8. A logging desensitization system, comprising:
the system comprises an interception unit, a data printing unit and a processing unit, wherein the interception unit is used for intercepting a data printing request sent by a user and extracting a first annotation in the data printing request; wherein the first annotation is used to characterize data to be desensitized in the data print request;
the acquisition unit is used for acquiring the data to be desensitized and extracting a second annotation and a third annotation in the data to be desensitized; wherein the second annotation is used for characterizing the type of the target object in the data to be desensitized, and the third annotation is used for characterizing the attribute value of the target object in the data to be desensitized;
the determining unit is used for determining a preset configuration rule corresponding to the target object based on the type of the target object;
and the desensitization unit is used for sending the data printing request to a printing interface after desensitizing the attribute values based on the configuration rule and executing printing operation.
9. An electronic device, characterized in that the electronic device comprises:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement the method of desensitizing logging as claimed in any of claims 1 to 7.
10. A computer-readable storage medium having stored therein at least one instruction for execution by a processor in an electronic device to implement a log desensitization method according to any of claims 1 to 7.
CN202110695741.6A 2021-06-23 2021-06-23 Log desensitization method, system, electronic equipment and storage medium Pending CN113297622A (en)


Publications (1)

Publication Number Publication Date
CN113297622A true CN113297622A (en) 2021-08-24

Family

ID=77329186


Country Status (1)

Country Link
CN (1) CN113297622A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114021185A (en) * 2021-10-29 2022-02-08 深圳市欢太数字科技有限公司 Log desensitization method, log desensitization device, electronic device, and readable storage medium
CN114491642A (en) * 2022-02-14 2022-05-13 杭州华橙软件技术有限公司 Sensitive data processing method and device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination