CN113377800A - Data security sharing method and device - Google Patents
Data security sharing method and device Download PDFInfo
- Publication number
- CN113377800A CN113377800A CN202110637980.6A CN202110637980A CN113377800A CN 113377800 A CN113377800 A CN 113377800A CN 202110637980 A CN202110637980 A CN 202110637980A CN 113377800 A CN113377800 A CN 113377800A
- Authority
- CN
- China
- Prior art keywords
- data
- databases
- mapping
- database
- sharing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
Abstract
The application provides a data security sharing method and a data security sharing device, which are applied to data security sharing among a plurality of databases which are mutually heterogeneous. And secondly, the data is safely shared through authority management and control and abnormal behavior detection, and abnormal behaviors are detected by monitoring in real time in the data sharing process, so that the safety of data sharing is fully guaranteed, and the abnormal use is quickly and accurately supervised.
Description
Technical Field
The present application relates to the field of data security processing technologies, and in particular, to a method and an apparatus for sharing data security.
Background
With the increasing prominence of the value of data, the data has become an important target of attackers. On one hand, the situation of data security is severe, and on the other hand, the supervision and control of data security are strengthened. As a core node for data centralized storage, processing, analysis and transaction, various data centers guarantee data security without collateral credit.
At present, data are centrally processed, widely shared and cross-used in a complex application scene, so that a data center faces a new security risk, and the following requirements exist in security protection: (1) the data security situation is more complex due to more open data environment, more frequent data flow and more complex data interaction, so that the research on data sharing and distribution security risk analysis and sensitive data identification technology is urgently needed to be developed; (2) aiming at the condition that an outer network system has a large amount of access to inner network sensitive data in the power service, the research of a data dynamic desensitization technology adapting to the existing strong logic isolation architecture is urgently needed to be developed; (3) in data service scenes such as data analysis and test, data is intensively shared, the risk of sensitive data batch leakage exists, and safety control measures aiming at the whole processes of data sharing, use, recovery and the like are lacked at present; when structured data is distributed to internal units or outside a third party of the society, the safety control of the native environment is separated, and the responsibility tracing capability when leakage occurs after the structured data is sent out is not available at present.
Therefore, how to solve the problems of sensitive data leakage and dispersed authority management in the data processing link of virtual data in secure sharing, and implement synchronization of heterogeneous databases, unified authority management and control, and secure recovery of sensitive data is a problem to be solved urgently by those skilled in the art.
Disclosure of Invention
The application provides a data security sharing method and device, which are used for solving the problems of sensitive data leakage and dispersed authority management in a data processing link of virtual data in security sharing, and realizing synchronization of heterogeneous databases, unified authority management and control and security recovery of sensitive data.
In order to achieve the above object, the present application provides the following technical solutions:
a data security sharing method is applied to data security sharing among a plurality of databases which are mutually heterogeneous, and specifically comprises the following steps:
receiving a shared data query request sent by a data access party;
based on the shared data query request, determining that the data access party has the authority of accessing the requested shared data through unified authority control;
converting the shared data query request into a query request conforming to the definition according to the definition of any one of a plurality of databases to which the requested shared data belongs;
based on the mapping relation between the definition of any one database and the definitions of other databases, inquiring the requested shared data according to the inquiry request conforming to the definition;
and returning the inquired shared data to the data access party to execute the safe sharing of the data.
A data security sharing apparatus, which is applied to data security sharing between a plurality of databases that are heterogeneous to each other, the apparatus comprising:
the first processing unit is used for receiving a shared data query request sent by a data access party;
the second processing unit is used for determining that the data access party has the authority of accessing the requested shared data through unified authority control based on the shared data query request;
a third processing unit, configured to convert the shared data query request into a query request conforming to a definition according to the definition of any one of multiple databases to which the requested shared data belongs;
the fourth processing unit is used for inquiring the requested shared data according to the inquiry request conforming to the definition based on the mapping relation between the definition of any one database and the definitions of other databases;
and the fifth processing unit is used for returning the inquired shared data to the data access party so as to execute the safe sharing of the data.
A storage medium comprising a stored program, wherein a device on which the storage medium is located is controlled to perform the data security sharing method as described above when the program runs.
An electronic device comprising at least one processor, and at least one memory, bus connected with the processor; the processor and the memory complete mutual communication through the bus; the processor is configured to call program instructions in the memory to perform the data security sharing method as described above.
The data security sharing method and device are applied to data security sharing among a plurality of databases which are mutually heterogeneous, mapping relations between definitions of the databases and definitions of other databases are predefined, and after a shared data query request sent by a data access party is received, the data access party is determined to have the authority of accessing the requested shared data through unified authority control based on the shared data query request; then according to the definition of any one database in the plurality of databases of the requested shared data, converting the shared data query request into a query request conforming to the definition; then based on the mapping relation between the definition of any one database and the definitions of other databases, inquiring the requested shared data according to the inquiry request conforming to the definition; and finally, returning the inquired shared data to the data access party to execute the safe sharing of the data.
In the application, firstly, shared data is inquired based on virtual mapping of each heterogeneous database, the heterogeneous databases are unified through document type definition, resource waste of a data center is avoided by using the virtual database in a multiplexing mode, and the shared data is inquired based on mapping relation to realize safe and efficient virtual mapping of heterogeneous and multi-source data. And secondly, the data is safely shared through authority management and control and abnormal behavior detection, and abnormal behaviors are detected by monitoring in real time in the data sharing process, so that the safety of data sharing is fully guaranteed, and the abnormal use is quickly and accurately supervised.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a data security sharing method disclosed in an embodiment of the present application;
FIG. 2 is a schematic diagram of a data application process and a data monitoring process disclosed in an embodiment of the present application;
FIG. 3 is a flowchart illustrating an embodiment of step S102 disclosed in the embodiments of the present application;
fig. 4 is a schematic flowchart of a specific implementation of a method for constructing a preset mapping relationship disclosed in an embodiment of the present application;
FIG. 5 is a block diagram of a database virtualization technique according to an embodiment of the present disclosure;
fig. 6 is a schematic architecture diagram of a virtual data center disclosed in an embodiment of the present application;
FIG. 7 is a flowchart illustrating an embodiment of step S105 disclosed in the examples of the present application;
fig. 8 is a schematic structural diagram of a data security sharing device disclosed in an embodiment of the present application;
fig. 9 is a schematic structural diagram of a system for implementing a data security sharing method disclosed in an embodiment of the present application;
fig. 10 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.
Detailed Description
The applicant finds in research that there are several technical solutions for data security in the prior art:
first, when data sharing is implemented, the databases are different in source and are usually heterogeneous databases, and the heterogeneous databases cannot be synchronized when data sharing, accessing and requesting are performed.
For example, in the prior art, synchronization of heterogeneous databases is usually achieved based on recognition of SQL language, but when the current database cannot recognize the SQL language of the remote database, access to corresponding data faces a certain obstacle. When the virtual database accesses a plurality of heterogeneous databases, the SQL language needs to be identified for the heterogeneous databases one to one, which not only causes the situation that part of data cannot be read, but also brings a lot of repetitive work, and the acquisition of the structural relationship of each heterogeneous database is very passive.
Secondly, when the structured data are distributed outwards, the safety control of the native environment can be separated, and the prior art cannot realize uniform authority control.
Since most data are classified into secret data with secret level, data resources are often leaked when data sharing is performed. In the prior art, certain authority is usually set for the grade of the data and the access party of the data, but the authority is often fixed authority set manually or automatically by a machine. However, in the face of a complex data wind control environment, static permissions obviously cannot meet the requirements of data sharing permissions, and therefore, a dynamic permission distribution and control means is urgently needed.
Thirdly, in the data sharing process, once the heterogeneous database side proposes to terminate data sharing, the existing data sharing scheme can cause leakage of partial data, and complete recovery of the data can not be achieved on the basis of not damaging the original data confidentiality.
When one party decides to terminate the data sharing process, the recovery of data in the prior art is limited to the recovery of the data which is not shared, and the shared data cannot be recovered, which causes the leakage of data resources, thereby destroying the integrity of the original data.
The application provides a data security sharing method and device, which are used for achieving synchronization of heterogeneous databases, unified authority control and safe recovery of sensitive data.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a schematic flow chart of a data security sharing method according to an embodiment of the present application is shown. As shown in fig. 1, an embodiment of the present application provides a data security sharing method, which is applied to data security sharing among a plurality of databases that are heterogeneous to each other, and the method includes the following steps:
s101: and receiving a shared data query request sent by a data access party.
In the embodiment of the present application, two heterogeneous databases are used for explanation, for example, the first database (big data platform database Hive) sends a shared data query request to the second database (relational database MySQL), and the second database sends response information to the first database, where the response information includes shared data required by an access party and also includes a document type definition of the second database. And based on the document type definition of the second database, the first database generates a database table, and writes the data for sharing into the database table of the first database in the form of the document type definition of the second database so as to realize data sharing with the second database.
S102: and determining that the data access party has the authority for accessing the requested shared data through unified authority management and control based on the shared data query request.
In the embodiment of the application, data security sharing is realized through authority management and control and abnormal behavior detection.
It should be noted that, the determining that the data accessing party has the authority to access the requested shared data through unified authority management and control based on the shared data query request specifically includes:
and determining whether the data access party has the authority for accessing the shared data inquired through the preset mapping relation table or not according to fine-grained unified authority control, wherein the fine-grained unified authority control is data use authority control implemented based on a minimization principle, and can prevent an unauthorized user from accessing sensitive data, and data access can be performed through preset access operation only through an authorized access subject.
In order to strengthen the control strength of the unified data authority, in the embodiment of the application, aiming at the technical research of fine-grained unified authority control: on one hand, when data is applied, fine-grained data use permission distribution is carried out on an accessible database, an accessible data table, an executable operation set, an accessible time period and an accessible address; on the other hand, once the data use authority is approved, abnormal operation of the user can be found as the basis of abnormal monitoring of data access. Specifically, the data application process and the data monitoring process are shown in fig. 2.
In the embodiment of the application, the authority control based on the attributes is adopted, and different from a common mode of associating the user with the authority in a certain mode, the authority control carries out authorization judgment by dynamically calculating one or a group of attributes to judge whether certain conditions are met. Specifically, the access attributes of the data can be classified into four types: user attributes, environment attributes, operational attributes and object attributes are mapped into actual various access authorizations or restrictions to achieve very flexible rights control.
Establishing an attribute set, wherein the attribute set comprises a plurality of groups of attributes, each group of attributes has an attribute name and an attribute value, and logically combining the plurality of groups of attributes in the attribute set so as to generate different authority control schemes, and dynamically updating/switching the authority control schemes to protect sensitive data. And when judging whether the data access party has the authority for accessing the shared data, acquiring the authority attribute set and the shared data authority attribute set of the data access party, and determining whether the matching degree is greater than or equal to a threshold value through matching degree calculation so as to perform data security sharing.
In this embodiment of the application, as shown in fig. 3, in step S102, it is determined that the data accessing party has an authority to access the requested shared data according to fine-grained unified authority management and control, where the fine-grained unified authority management and control is data usage authority management and control implemented based on a minimization principle, and the method specifically includes the following steps:
s301: acquiring a permission attribute set and a shared data permission attribute set of the data access party;
s302: performing matching degree calculation on the permission attribute set of the data access party and the shared data permission attribute set;
s303: and when the calculated matching degree is greater than or equal to a preset threshold value, determining that the data access party has the authority of accessing the requested shared data.
S103: and converting the shared data query request into a query request conforming to the definition according to the definition of any one database in the plurality of databases of the requested shared data.
In this step, since the shared data is from a plurality of heterogeneous databases, the shared data query request needs to be converted into a query request conforming to the definitions of the heterogeneous databases.
S104: and querying the requested shared data according to the query request conforming to the definition of the mapping relation between the definition of any one database and the definitions of other databases.
In this step, the preset mapping relationship database is implemented based on markup language heterogeneous data consistency and multi-user virtual database mapping, and includes: mapping relations among the heterogeneous databases and mapping relations between the virtual database in the multiplexing mode and the heterogeneous databases.
The embodiment of the application provides safe data sharing service for the heterogeneous databases, so that the SQL requests from the heterogeneous databases with different logic structures and statement grammars are targeted; that is, an integration scheme needs to be provided in the virtual data center to solve the integration problem of the heterogeneous databases, and the present invention uses a markup language-based heterogeneous data reconciliation method to convert SQL statements, which also provides the possibility for multi-source data virtual abstraction in the virtual data center. The method is particularly realized by heterogeneous data consistency based on a markup language and multi-user virtual database mapping.
In an embodiment of the present application, as shown in fig. 4, the method for constructing the preset mapping relationship may specifically include the following steps:
s401: establishing document type definitions of all databases based on a heterogeneous data consistency method of a markup language;
in the step, the SQL statement is converted and recorded into the document based on the heterogeneous data consistency method of the markup language. Based on the markup language, the user can create new markup as desired, wherein the tagged element can include several attributes, and can include several sub-elements, which can be text data or tagged elements. Meanwhile, a document type definition is declared in a document type, which is a definition of element types, attributes, entities, and symbols, that is, a grammatical constraint on markup and element structures appearing in a document. It defines the markup required by the document, such as the types of elements that can be used in the document, the relationships that may exist between these elements. And when the SQL statement is converted and the document is input, converting the SQL statement based on the definition and writing the SQL statement into the document.
S402: describing each database resource by using a multiplexing virtual data center, and constructing a mode multiplexing virtual database, wherein the mode multiplexing virtual database is used for providing a global unified view of the database resources;
in the step, data requested by multiple users are sourced from multiple different databases, in order to integrate the heterogeneous databases into a virtual data center divided according to user requests and avoid relative isolation among the multiple heterogeneous databases, the method adopts a mode multiplexing virtual data center construction strategy, describes various database resources by using the multiplexed virtual data center, and provides a global unified view of the database resources through a virtual database mode. The mode multiplexing is mainly characterized in that in the construction process of the virtual data center, a global unified view of information resources is described according to the internal relation among data in the database, the inheritance characteristics of an object-oriented design method are used for reference, and the inheritance relation among a plurality of databases which are mutually heterogeneous is expressed by using a tree structure, so that the repeated work of the construction of the virtual data center is reduced, and the internal relation among the heterogeneous databases is reserved.
The database virtualization technology can be based on a piece of reference data, so that a plurality of virtual database instances can be safely and quickly created and managed, the virtual database instances run independently and do not interfere with each other, and the architecture of the database virtualization technology is shown in fig. 5.
In the embodiment of the present application, the generating the virtual database of the multiplexing mode mainly includes:
1) the virtual database comprises a virtual database on a father node and a virtual database on a child node;
2) when a child node virtual database is created, directly inheriting a virtual table of a parent node virtual database, wherein the child node virtual database automatically has all virtual fields of the parent virtual table;
3) on the basis of direct inheritance, a virtual table of a child node virtual database can be created, and the virtual table of the child node virtual database is directly inherited by a next layer of virtual database;
therefore, the virtual database of the global unified view generated by the multiplexing mode can clearly and consistently represent the data information of a plurality of databases which are mutually heterogeneous.
S403: generating the preset mapping relation by using virtual mapping according to the document type definition of each database, wherein the preset mapping relation comprises: mapping relations among all databases and mapping relations among the virtual databases in the multiplexing mode and all databases.
In this step, as shown in fig. 7, each database may construct an XML document by generating a snapshot, where the XML describes the document type definition of the database. And meanwhile, acquiring data source relational mapping documents among the databases, and realizing integrated data loading (facing to a virtual data center) based on the summarized XML documents and the data source relational mapping documents.
And determining the mapping relation among the databases, and acquiring the mapping relation between the virtual database and each database. Through query mapping, the query request of the virtual database is converted into the query request conforming to the definition of the database, and data (from a plurality of databases which are mutually heterogeneous) is further acquired.
It should be noted that, in the embodiment of the present application, after the virtual database and the first database complete query mapping, the query request of the virtual database may also be directly converted into a query request conforming to the definitions of other databases (the second database and the third database) based on the mapping relationship between the databases, so as to reduce the number of times of query mapping.
In this embodiment of the application, the generating the preset mapping relationship by using virtual mapping according to the document type definition of each database includes: creating XML documents corresponding to the databases by generating snapshots, wherein the XML documents are used for describing document type definitions of the databases; acquiring data source relation mapping documents among databases; determining a first mapping relation between databases and a second mapping relation between the virtual database in the multiplexing mode and each database according to the XML document and the data source relation mapping document; and generating the preset mapping relation according to the first mapping relation and the second mapping relation.
S105: and returning the inquired shared data to the data access party to execute the safe sharing of the data.
Aiming at the problem that high-risk operation behaviors, unauthorized access behaviors, batch access behaviors and the like which are possibly generated during data security sharing have security risk behaviors, the embodiment of the application detects abnormal behaviors of database users based on feature analysis. In the step S105, performing the data security sharing and performing the abnormal behavior detection includes:
performing abnormal behavior detection for the data accessor based on feature analysis, the abnormal behavior comprising: one or more of high-risk operation behaviors, unauthorized access behaviors and batch access behaviors.
In this embodiment of the application, as shown in fig. 7, in the step S105, performing abnormal behavior detection while performing the secure data sharing specifically includes the following steps:
s701: extracting the behavior characteristics of the data access party in real time in the data security sharing process;
s702: and comparing the behavior characteristics of the data access party with the normal behavior characteristics of a preset user to realize the detection of the abnormal user behavior, wherein the normal behavior characteristics of the preset user are determined by the historical data of the data access party.
It should be noted that, in the embodiment of the present application, a state set needs to be generated according to the past behavior of the user and the features extracted from the past query request, a normal behavior mode of the user is established through training, and the abnormal behavior of the user is determined according to the state set, so as to monitor the abnormal data access for the high-risk operation behavior, the unauthorized access behavior, and the batch access behavior. On the premise of not influencing data integrity and data access performance, abnormal data access is monitored by analyzing past behavior characteristics of a data access party, and abnormal data access monitoring is realized.
In practical application, in data security sharing, feature analysis is carried out on past request statements submitted by a user, a standard state set of user behavior features is constructed based on the feature analysis, and an abnormal behavior discrimination model is trained by utilizing the standard state set. Specifically, a past request statement submitted by a user is extracted, the past request statement is split, analyzed, cleaned and the like, and key features in the past request statement are extracted through feature generalization. The above key features are used as the input of a discrimination model, and the discrimination threshold value of the model is obtained through training (continuously learning grammar rules). The method specifically comprises the following steps:
the standard state set is Z, Z ═ { Z1, Z2, …, zN }, where N is the number of possible states, and the state value at time t is zt; the observation set is W, W ═ { W1, W2, …, wM }, where M is the number of possible observations and the observation at time t is wt; e is a state sequence with length T, E ═ { E1, E2, …, eT }, and the corresponding observation sequence is D ═ D1, D2, …, dT }; the initial state probability vector is G, G ═ G (gi), where gi ═ P (e1 ═ zi), i ═ 1, 2, …, N, gi is the probability that at time t ═ 1, is in state zi; the state transition probability matrix is X ═ xij]N×NWhere, xij ═ P (et +1 ═ zj | et ═ zi), i ═ 1, 2, …, N; j ═ 1, 2, …, N, xij is the probability of transitioning to state zj at time t +1, subject to state zi at time t; the observation probability transition matrix is Y, Y ═ yj (k)]M×MWherein, yj(k)=P(dt=wk|et=zj),k=1,2,…,M;j=1,2,…,N,yj(k) Is the probability that observation wk is generated under the condition that time t is in state zj.
The discriminant model shown above, described collectively by G, X and Y, determines a discriminant threshold based on a set of standard states during the training process. In the data sharing process, the user behaviors are monitored in real time (sentences describing the user behaviors are obtained, the sentences are split, analyzed, cleaned and the like, features in the sentences are extracted through feature generalization), a score value is calculated for the real-time behaviors of the user by using a trained discrimination model, when the score value is larger than a discrimination threshold value, input is proved to be abnormal, namely, abnormal behaviors are detected, and when the score value is not larger than the discrimination threshold value, input is proved to be normal.
In some embodiments, the user behavior characteristics are firstly constructed, a user normal behavior sequence library is generated by collecting and preprocessing statements generated by user historical operations, and the characteristics of the user normal behaviors are extracted to be used as a basis for detecting the abnormal behavior characteristics of the user. And then comparing and detecting abnormal behaviors, and when a new request is generated, extracting the behavior characteristics of the request and comparing the extracted behavior characteristics with the established normal behavior characteristics of the user to realize the detection of the abnormal user behaviors.
According to the embodiment of the application, through research on abnormal behavior detection of the database user based on characteristic analysis, the safety problem caused in the data safety sharing process is solved, and the method has monitoring capability on various safety risk behaviors such as high-risk operation behaviors, unauthorized access behaviors and batch access behaviors.
S106: and when the data security sharing is finished or interrupted, performing security recovery on the shared data.
Aiming at the possible needs of recovering shared data in a database (for example, when a data access party is found to have abnormal behavior, data sharing has to be interrupted; and for example, the data sharing process is ended), the embodiment of the application provides a safe recovery mechanism, the database provides database snapshots and data mapping relations to a virtual data center, and the virtual data center completes safe recovery of data according to a data source relation mapping document; when the database provides a request for ending the shared data, the data source relational mapping document is deleted, and the data loading of the virtual data center cannot be normally carried out. For the database requesting termination of shared data, the privacy and integrity of the data stored therein are ensured.
In this step, when the data sharing is ended or interrupted, performing security recovery on the shared data includes: when the data sharing is finished or interrupted, the access right of the data access party is cancelled; and after the access authority of the data access party is revoked, recovering the dynamic data mapped by the data source relation by adopting a dynamic data recovery mode based on the data source relation mapping.
Aiming at the problem of revoking the user authority after the user request is completed, the embodiment of the application adopts a user attribute revoking scheme based on a white list: when the portal host completes all user requests, the system needs to recover the user authority to prevent data access without permission. The concept of white lists corresponds to "black lists", which are a list of entities (programs, email addresses, domain names, web addresses) that are "known to be good" in contrast to black lists, which are intended not to block certain things. Therefore, it is not necessary to run antivirus software that must be constantly updated, and anything that is not on the list will be prevented from running; the system can be protected from attacks.
It should be noted that the white list technique is very convenient, and gives administrators and companies great power to control programs that can enter the network or run on machines, and has the advantages that the white list technique cannot run or pass except entities on the list, and the defects are that: entities not on the list cannot function and pass through.
In the embodiment of the application, the user permission revocation based on the white list means that after the user request is completed, the access permission of the user to the shared data is revoked, the user is deleted from the white list and the list is updated, and simultaneously, the attribute value of each attribute in the permission attribute set of the data access party is updated. Next time when the user accesses the shared data again, whether the user has the access right needs to be judged again according to the process of whether the user has the access right.
Further, after the authority is revoked, the dynamic data based on the data source relation mapping is further recycled.
Aiming at the problem of safe recovery of virtual data, the embodiment of the application adopts a dynamic data recovery mode based on data source relational mapping. When the database proposes a request for terminating shared data, the virtual data center first needs to determine whether the identity of the database issuing the request is legal or not, considering the existence of an attacker which may pretend to be a legal identity database. If the user is judged to be an illegal user, directly ending the response operation to the user; if the user is judged to be a legal user, deleting the data source information mapping text (comprising the mapping relation between the databases and the mapping relation between the virtual database and each database) to ensure that the virtual data center cannot complete the data loading function, then updating the database list, removing the database which provides the request for terminating the shared data from the list, and finally providing the database snapshot and the data mapping relation to the virtual data center by the rest databases.
Furthermore, since the data stored in each database in the embodiment of the present application may be sensitive data, desensitization processing needs to be performed on the sensitive data based on a desensitization algorithm first, and then a mapping relationship acquisition process is performed on the desensitization data after the desensitization processing. The desensitization algorithm adopted by the embodiment of the application comprises the following steps:
1) comparing the characteristics of the original data with preset sensitive data to determine the sensitive type of the original data, and desensitizing the original data by using corresponding desensitization types and Hash mapping;
2) if the desensitization type of the original data is not met, carrying out random mixed-arranging treatment on the original data, and dividing the treatment into full mixed-arranging and local mixed-arranging;
3) and storing a mapping table of desensitization processing and shuffling processing.
In the data sharing and data recovery, the mapping relationships between the databases, between the databases and the virtual database, or between the databases and the virtual database are extracted or deleted only for the desensitized/shuffled data.
The data security sharing method provided by the embodiment of the application is applied to data security sharing among a plurality of databases which are mutually heterogeneous, the mapping relation between the definition of each database and the definition of other databases is predefined, and after a shared data query request sent by a data access party is received, the data access party is determined to have the authority of accessing the requested shared data through unified authority control based on the shared data query request; then according to the definition of any one database in the multiple databases of the requested shared data, converting the shared data query request into a query request conforming to the definition; then based on the mapping relation between the definition of any one database and the definitions of other databases, inquiring the requested shared data according to the inquiry request conforming to the definition; and finally, returning the inquired shared data to the data access party to execute the safe sharing of the data.
Firstly, the embodiment of the application realizes the query of shared data based on the virtual mapping of each heterogeneous database, realizes the consistency of the heterogeneous databases through document type definition, and avoids the resource waste of a data center by utilizing the virtual database in a multiplexing mode; and querying shared data based on the mapping relation to realize safe and efficient virtual mapping of heterogeneous and multi-source data.
Secondly, the embodiment of the application realizes the safe sharing of data through the authority management and control and the behavior supervision, dynamically manages the authority of a data access party, determines the access right for each data sharing through dynamic matching, and only monitors in real time to detect abnormal behaviors in the data sharing process, thereby fully ensuring the safety of data sharing and realizing the rapid and accurate supervision of abnormal use.
Finally, the embodiment of the application performs safe recovery on the shared data when finishing/interrupting data sharing, revokes the access authority of the data access party and deletes the dynamic data mapped by the data source relation, does not damage the integrity of the data source, performs desensitization cleaning processing on the original data, and further protects the original data.
Referring to fig. 8, based on the data security sharing method disclosed in the foregoing embodiment, the present embodiment correspondingly discloses a data security sharing apparatus, which is applied to data security sharing among a plurality of databases that are heterogeneous to each other, and the apparatus includes:
a first processing unit 81, configured to receive a shared data query request sent by a data access party;
the second processing unit 82 is configured to determine, based on the shared data query request, that the data accessing party has an authority to access the requested shared data through unified authority control;
a third processing unit 83, configured to convert the shared data query request into a query request meeting a definition according to the definition of any one of the multiple databases to which the requested shared data belongs;
a fourth processing unit 84, configured to query the requested shared data according to the query request conforming to the definition based on a mapping relationship between the definition of any one database and the definitions of other databases;
and the fifth processing unit 85 is configured to return the queried shared data to the data access party, so as to perform the secure sharing of the data.
Further, the apparatus further comprises:
a sixth processing unit 86, configured to perform secure reclamation on the shared data when the secure sharing of the data is ended or interrupted.
Further, the sixth processing unit 86 is specifically configured to:
when the data sharing is finished or interrupted, the access right of the data access party is cancelled;
and after the access authority of the data access party is revoked, recovering the dynamic data mapped by the data source relation by adopting a dynamic data recovery mode based on the data source relation mapping.
Further, the second processing unit 82 is specifically configured to:
acquiring a permission attribute set and a shared data permission attribute set of the data access party;
performing matching degree calculation on the permission attribute set of the data access party and the shared data permission attribute set;
and when the calculated matching degree is greater than or equal to a preset threshold value, determining that the data access party has the authority of accessing the requested shared data.
Further, the fifth processing unit 85 is specifically configured to:
performing abnormal behavior detection for the data accessor based on feature analysis, the abnormal behavior comprising: one or more of high-risk operation behaviors, unauthorized access behaviors and batch access behaviors. .
Further, the fifth processing unit 85 is specifically configured to:
extracting the behavior characteristics of the data access party in real time in the data security sharing process;
and comparing the behavior characteristics of the data access party with the normal behavior characteristics of a preset user to realize the detection of the abnormal user behavior, wherein the normal behavior characteristics of the preset user are determined by the historical data of the data access party. .
Further, the fourth processing unit 84 is specifically configured to:
establishing document type definitions of all databases based on a heterogeneous data consistency method of a markup language;
describing each database resource by using a multiplexing virtual data center, and constructing a mode multiplexing virtual database, wherein the mode multiplexing virtual database is used for providing a global unified view of the database resources;
generating the preset mapping relation by using virtual mapping according to the document type definition of each database, wherein the preset mapping relation comprises: mapping relations among all databases and mapping relations among the virtual databases in the multiplexing mode and all databases.
Further, the fourth processing unit 84 is specifically configured to:
creating XML documents corresponding to the databases by generating snapshots, wherein the XML documents are used for describing document type definitions of the heterogeneous databases;
acquiring data source relation mapping documents among databases;
determining a first mapping relation between databases and a second mapping relation between the virtual database in the multiplexing mode and each database according to the XML document and the data source relation mapping document;
and generating the preset mapping relation according to the first mapping relation and the second mapping relation.
Further, when the shared data is sensitive data, the apparatus further includes:
a seventh processing unit, configured to perform desensitization processing on the sensitive data based on a desensitization algorithm, where the desensitization algorithm includes:
performing characteristic comparison on original data and preset sensitive data to determine a sensitive type of the original data, and performing desensitization processing on the original data by using corresponding desensitization types and Hash mapping;
if the desensitization type of the original data is not met, carrying out random mixed-arranging treatment on the original data, and dividing the treatment into full mixed-arranging and local mixed-arranging;
and storing a mapping table of desensitization processing and shuffling processing.
The data security sharing device comprises a processor and a memory, wherein the first processing unit, the second processing unit, the third processing unit, the fourth processing unit, the fifth processing unit and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. The kernel can be set to be one or more than one, the problems of sensitive data leakage and dispersed authority management in the data processing link of virtual data in the safety sharing process are solved by adjusting kernel parameters, and synchronization, unified authority management and control and safe recovery of sensitive data of heterogeneous databases are realized.
The embodiment of the application also provides a system for realizing the data security sharing, and the system supports the security management and control of the whole process of data application, distribution, use and recovery according to the permission minimization principle based on the data security sharing tool prototype of the data snapshot, and totally comprises 7 primary function modules. As shown in fig. 9, the system can implement data authority management, sensitive data management, data security sharing, data usage monitoring, data security recovery, data security audit, and system configuration management, where:
the data authority management realizes the management of the process of applying for sharing data and the authority management of the shared and distributed data, the requirements of data users, data use contents, data use environments, data use periods and the like are required to be explained when the data are applied, and the authority is created and distributed by the approval personnel according to the actual service scene.
The sensitive data management automatically identifies the sensitive information contained in the shared data through the type and the characteristics of the built-in sensitive information, and stores the type and the position of the sensitive data, the algorithm comprises real-time data deformation and desensitization of the sensitive data, and the desensitization algorithm comprises replacement, confusion, simulation and the like.
The data security sharing realizes that one desensitized datum data is safely and quickly distributed to a plurality of data use environments for independent and safe use of different data analysis personnel through a data security snapshot and a database virtualization technology according to the data use permission.
And the data use monitoring realizes safety monitoring in the data use process, including use operation statistics, violation behavior monitoring, user behavior analysis and use alarm management. And monitoring the illegal behavior, and monitoring the illegal behavior in real time by setting an operation behavior rule.
The data security recovery realizes the security filing and destruction of the data at the end of the data use period, and consists of three parts, namely data authority recovery, data security filing and data security destruction.
The data security audit realizes the security audit of the whole process from application, use to recovery of data, and comprises three parts of audit log generation, audit log viewing and audit log statistics.
The system configuration management realizes the configuration management functions of system parameters and environment of a data security compliance management platform and consists of five parts, namely user configuration management, role configuration management, network configuration management, node configuration management and storage configuration management.
An embodiment of the present application provides a storage medium, on which a program is stored, which when executed by a processor implements the data security sharing method.
The embodiment of the application provides a processor, wherein the processor is used for running a program, and the data security sharing method is executed when the program runs.
An embodiment of the present application provides an electronic device, as shown in fig. 10, the electronic device 100 includes at least one processor 1001, and at least one memory 1002 and a bus 1003 connected to the processor; the processor 1001 and the memory 1002 complete communication with each other through the bus 1003; the processor 1001 is used for calling the program instructions in the memory 1002 to execute the data security sharing method described above.
The electronic device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device:
receiving a shared data query request sent by a data access party;
based on the shared data query request, determining that the data access party has the authority of accessing the requested shared data through unified authority control;
converting the shared data query request into a query request conforming to the definition according to the definition of any one of a plurality of databases to which the requested shared data belongs;
based on the mapping relation between the definition of any one database and the definitions of other databases, inquiring the requested shared data according to the inquiry request conforming to the definition;
and returning the inquired shared data to the data access party to execute the safe sharing of the data.
Further, the method further comprises:
and when the data security sharing is finished or interrupted, performing security recovery on the shared data.
Further, the performing, when the data sharing is ended or interrupted, the secure recovery on the shared data includes:
when the data sharing is finished or interrupted, the access right of the data access party is cancelled;
and after the access authority of the data access party is revoked, recovering the dynamic data mapped by the data source relation by adopting a dynamic data recovery mode based on the data source relation mapping.
Further, the determining that the data accessing party has the authority to access the requested shared data according to fine-grained unified authority control, where the fine-grained unified authority control is data usage authority control implemented based on a minimization principle, specifically includes:
acquiring a permission attribute set and a shared data permission attribute set of the data access party;
performing matching degree calculation on the permission attribute set of the data access party and the shared data permission attribute set;
and when the calculated matching degree is greater than or equal to a preset threshold value, determining that the data access party has the authority of accessing the requested shared data.
Further, executing abnormal behavior detection while executing the data security sharing specifically includes:
performing abnormal behavior detection for the data accessor based on feature analysis, the abnormal behavior comprising: one or more of high-risk operation behaviors, unauthorized access behaviors and batch access behaviors.
Further, the performing, based on the feature analysis, the abnormal behavior detection for the data accessing party specifically includes:
extracting the behavior characteristics of the data access party in real time in the data security sharing process;
and comparing the behavior characteristics of the data access party with the normal behavior characteristics of a preset user to realize the detection of the abnormal user behavior, wherein the normal behavior characteristics of the preset user are determined by the historical data of the data access party.
Further, the method for constructing the preset mapping relationship includes:
establishing document type definitions of all databases based on a heterogeneous data consistency method of a markup language;
describing each database resource by using a multiplexing virtual data center, and constructing a mode multiplexing virtual database, wherein the mode multiplexing virtual database is used for providing a global unified view of the database resources;
generating the preset mapping relation by using virtual mapping according to the document type definition of each database, wherein the preset mapping relation comprises: mapping relations among all databases and mapping relations among the virtual databases in the multiplexing mode and all databases.
Further, the generating the preset mapping relationship by using virtual mapping according to the document type definition of each database includes:
creating XML documents corresponding to the databases by generating snapshots, wherein the XML documents are used for describing document type definitions of the databases;
acquiring data source relation mapping documents among databases;
determining a first mapping relation between databases and a second mapping relation between the virtual database in the multiplexing mode and each database according to the XML document and the data source relation mapping document;
and generating the preset mapping relation according to the first mapping relation and the second mapping relation.
Further, when the shared data is sensitive data, the method further includes:
desensitizing the sensitive data based on a desensitizing algorithm, wherein the desensitizing algorithm comprises:
performing characteristic comparison on original data and preset sensitive data to determine a sensitive type of the original data, and performing desensitization processing on the original data by using corresponding desensitization types and Hash mapping;
if the desensitization type of the original data is not met, carrying out random mixed-arranging treatment on the original data, and dividing the treatment into full mixed-arranging and local mixed-arranging;
and storing a mapping table of desensitization processing and shuffling processing.
The present application is described in terms of flowcharts and/or block diagrams of methods, apparatus (systems), computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a device includes one or more processors (CPUs), memory, and a bus. The device may also include input/output interfaces, network interfaces, and the like.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip. The memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (20)
1. A data security sharing method is applied to data security sharing among a plurality of databases which are mutually heterogeneous, and specifically comprises the following steps:
receiving a shared data query request sent by a data access party;
based on the shared data query request, determining that the data access party has the authority of accessing the requested shared data through unified authority control;
converting the shared data query request into a query request conforming to the definition according to the definition of any one of a plurality of databases to which the requested shared data belongs;
based on the mapping relation between the definition of any one database and the definitions of other databases, inquiring the requested shared data according to the inquiry request conforming to the definition;
and returning the inquired shared data to the data access party to execute the safe sharing of the data.
2. The method of claim 1, further comprising:
and when the data security sharing is finished or interrupted, performing security recovery on the shared data.
3. The method of claim 2, wherein the performing secure reclamation of the shared data upon ending or interrupting data sharing comprises:
when the data sharing is finished or interrupted, the access right of the data access party is cancelled;
and after the access authority of the data access party is revoked, recovering the dynamic data mapped by the data source relation by adopting a dynamic data recovery mode based on the data source relation mapping.
4. The method according to claim 1, wherein the determining, through unified authority management and control, that the data accessing party has the authority to access the requested shared data is determined according to fine-grained unified authority management and control, and the fine-grained unified authority management and control is data usage authority management and control implemented based on a minimization principle, and specifically includes:
acquiring a permission attribute set and a shared data permission attribute set of the data access party;
performing matching degree calculation on the permission attribute set of the data access party and the shared data permission attribute set;
and when the calculated matching degree is greater than or equal to a preset threshold value, determining that the data access party has the authority of accessing the requested shared data.
5. The method according to claim 1, wherein performing abnormal behavior detection while performing the secure sharing of data specifically comprises:
performing abnormal behavior detection for the data accessor based on feature analysis, the abnormal behavior comprising: one or more of high-risk operation behaviors, unauthorized access behaviors and batch access behaviors.
6. The method of claim 5, wherein performing abnormal behavior detection for the data accessor based on the feature analysis comprises:
extracting the behavior characteristics of the data access party in real time in the data security sharing process;
and comparing the behavior characteristics of the data access party with the normal behavior characteristics of a preset user to realize the detection of the abnormal user behavior, wherein the normal behavior characteristics of the preset user are determined by the historical data of the data access party.
7. The method according to claim 1, wherein the method for constructing the preset mapping relationship comprises:
establishing document type definitions of all databases based on a heterogeneous data consistency method of a markup language;
describing each database resource by using a multiplexing virtual data center, and constructing a mode multiplexing virtual database, wherein the mode multiplexing virtual database is used for providing a global unified view of the database resources;
generating the preset mapping relation by using virtual mapping according to the document type definition of each database, wherein the preset mapping relation comprises: mapping relations among all databases and mapping relations among the virtual databases in the multiplexing mode and all databases.
8. The method according to claim 7, wherein the generating the preset mapping relationship by using the virtual mapping according to the document type definition of each database comprises:
creating XML documents corresponding to the databases by generating snapshots, wherein the XML documents are used for describing document type definitions of the databases;
acquiring data source relation mapping documents among databases;
determining a first mapping relation between databases and a second mapping relation between the virtual database in the multiplexing mode and each database according to the XML document and the data source relation mapping document;
and generating the preset mapping relation according to the first mapping relation and the second mapping relation.
9. The method of claim 1, wherein when the shared data is sensitive data, the method further comprises:
desensitizing the sensitive data based on a desensitizing algorithm, wherein the desensitizing algorithm comprises:
performing characteristic comparison on original data and preset sensitive data to determine a sensitive type of the original data, and performing desensitization processing on the original data by using corresponding desensitization types and Hash mapping;
if the desensitization type of the original data is not met, carrying out random mixed-arranging treatment on the original data, and dividing the treatment into full mixed-arranging and local mixed-arranging;
and storing a mapping table of desensitization processing and shuffling processing.
10. A data security sharing apparatus, which is applied to data security sharing among a plurality of databases that are heterogeneous to each other, the apparatus comprising:
the first processing unit is used for receiving a shared data query request sent by a data access party;
the second processing unit is used for determining that the data access party has the authority of accessing the requested shared data through unified authority control based on the shared data query request;
a third processing unit, configured to convert the shared data query request into a query request conforming to a definition according to the definition of any one of multiple databases to which the requested shared data belongs;
the fourth processing unit is used for inquiring the requested shared data according to the inquiry request conforming to the definition based on the mapping relation between the definition of any one database and the definitions of other databases;
and the fifth processing unit is used for returning the inquired shared data to the data access party so as to execute the safe sharing of the data.
11. The apparatus of claim 10, further comprising:
and the sixth processing unit is used for executing safe recovery on the shared data when the safe sharing of the data is finished or interrupted.
12. The method according to claim 11, wherein the sixth processing unit is specifically configured to:
when the data sharing is finished or interrupted, the access right of the data access party is cancelled;
and after the access authority of the data access party is revoked, recovering the dynamic data mapped by the data source relation by adopting a dynamic data recovery mode based on the data source relation mapping.
13. The apparatus according to claim 10, wherein the second processing unit is specifically configured to:
acquiring a permission attribute set and a shared data permission attribute set of the data access party;
performing matching degree calculation on the permission attribute set of the data access party and the shared data permission attribute set;
and when the calculated matching degree is greater than or equal to a preset threshold value, determining that the data access party has the authority of accessing the requested shared data.
14. The apparatus according to claim 10, wherein the fifth processing unit is specifically configured to:
performing abnormal behavior detection for the data accessor based on feature analysis, the abnormal behavior comprising: one or more of high-risk operation behaviors, unauthorized access behaviors and batch access behaviors.
15. The apparatus of claim 14, wherein the fifth processing unit is configured to:
extracting the behavior characteristics of the data access party in real time in the data security sharing process;
and comparing the behavior characteristics of the data access party with the normal behavior characteristics of a preset user to realize the detection of the abnormal user behavior, wherein the normal behavior characteristics of the preset user are determined by the historical data of the data access party.
16. The apparatus according to claim 10, wherein the fourth processing unit is specifically configured to:
establishing document type definitions of all databases based on a heterogeneous data consistency method of a markup language;
describing each database resource by using a multiplexing virtual data center, and constructing a mode multiplexing virtual database, wherein the mode multiplexing virtual database is used for providing a global unified view of the database resources;
generating the preset mapping relation by using virtual mapping according to the document type definition of each database, wherein the preset mapping relation comprises: mapping relations among all databases and mapping relations among the virtual databases in the multiplexing mode and all databases.
17. The apparatus according to claim 16, wherein the fourth processing unit is specifically configured to:
creating XML documents corresponding to the databases by generating snapshots, wherein the XML documents are used for describing document type definitions of the databases;
acquiring data source relation mapping documents among databases;
determining a first mapping relation between databases and a second mapping relation between the virtual database in the multiplexing mode and each database according to the XML document and the data source relation mapping document;
and generating the preset mapping relation according to the first mapping relation and the second mapping relation.
18. The apparatus of claim 10, wherein when the shared data is sensitive data, the apparatus further comprises:
a seventh processing unit, configured to perform desensitization processing on the sensitive data based on a desensitization algorithm, where the desensitization algorithm includes:
performing characteristic comparison on original data and preset sensitive data to determine a sensitive type of the original data, and performing desensitization processing on the original data by using corresponding desensitization types and Hash mapping;
if the desensitization type of the original data is not met, carrying out random mixed-arranging treatment on the original data, and dividing the treatment into full mixed-arranging and local mixed-arranging;
and storing a mapping table of desensitization processing and shuffling processing.
19. A storage medium, characterized in that the storage medium comprises a stored program, wherein a device on which the storage medium is located is controlled to execute the data security sharing method according to any one of claims 1 to 9 when the program runs.
20. An electronic device comprising at least one processor, and at least one memory, bus connected to the processor; the processor and the memory complete mutual communication through the bus; the processor is configured to call program instructions in the memory to perform the data security sharing method of any one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110637980.6A CN113377800A (en) | 2021-06-08 | 2021-06-08 | Data security sharing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110637980.6A CN113377800A (en) | 2021-06-08 | 2021-06-08 | Data security sharing method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113377800A true CN113377800A (en) | 2021-09-10 |
Family
ID=77576597
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110637980.6A Pending CN113377800A (en) | 2021-06-08 | 2021-06-08 | Data security sharing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113377800A (en) |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101187937A (en) * | 2007-10-30 | 2008-05-28 | 北京航空航天大学 | Mode multiplexing isomerous database access and integration method under gridding environment |
| CN105721433A (en) * | 2016-01-18 | 2016-06-29 | 河南科技大学 | Access control method of user private data of online social networks |
| CN108900483A (en) * | 2018-06-13 | 2018-11-27 | 江苏物联网研究发展中心 | Cloud storage fine-grained access control method, data upload and data access method |
| CN108920702A (en) * | 2018-07-18 | 2018-11-30 | 四川师范大学 | Realize that heterogeneous database synchronizes the online method exchanged and share |
| CN110633292A (en) * | 2019-09-19 | 2019-12-31 | 上海依图网络科技有限公司 | Query method, device, medium, equipment and system for heterogeneous database |
| CN110727693A (en) * | 2018-07-16 | 2020-01-24 | 中兴通讯股份有限公司 | Method, device, equipment, plug-in and storage medium for accessing heterogeneous database |
| CN111526020A (en) * | 2020-04-13 | 2020-08-11 | 青岛酒店管理职业技术学院 | Safety sharing method |
| CN111581231A (en) * | 2020-04-20 | 2020-08-25 | 北京明略软件系统有限公司 | Query method and device based on heterogeneous database |
| CN112463843A (en) * | 2020-11-27 | 2021-03-09 | 国家电网有限公司大数据中心 | Power grid data sharing method and system based on block chain and data resource catalog |
| CN112580091A (en) * | 2020-11-04 | 2021-03-30 | 京信数据科技有限公司 | Fine-grained data access control method and device |
| CN112835873A (en) * | 2021-02-26 | 2021-05-25 | 中国电力科学研究院有限公司 | Power grid regulation and control heterogeneous system service access method, system, equipment and medium |
-
2021
- 2021-06-08 CN CN202110637980.6A patent/CN113377800A/en active Pending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101187937A (en) * | 2007-10-30 | 2008-05-28 | 北京航空航天大学 | Mode multiplexing isomerous database access and integration method under gridding environment |
| CN105721433A (en) * | 2016-01-18 | 2016-06-29 | 河南科技大学 | Access control method of user private data of online social networks |
| CN108900483A (en) * | 2018-06-13 | 2018-11-27 | 江苏物联网研究发展中心 | Cloud storage fine-grained access control method, data upload and data access method |
| CN110727693A (en) * | 2018-07-16 | 2020-01-24 | 中兴通讯股份有限公司 | Method, device, equipment, plug-in and storage medium for accessing heterogeneous database |
| CN108920702A (en) * | 2018-07-18 | 2018-11-30 | 四川师范大学 | Realize that heterogeneous database synchronizes the online method exchanged and share |
| CN110633292A (en) * | 2019-09-19 | 2019-12-31 | 上海依图网络科技有限公司 | Query method, device, medium, equipment and system for heterogeneous database |
| CN111526020A (en) * | 2020-04-13 | 2020-08-11 | 青岛酒店管理职业技术学院 | Safety sharing method |
| CN111581231A (en) * | 2020-04-20 | 2020-08-25 | 北京明略软件系统有限公司 | Query method and device based on heterogeneous database |
| CN112580091A (en) * | 2020-11-04 | 2021-03-30 | 京信数据科技有限公司 | Fine-grained data access control method and device |
| CN112463843A (en) * | 2020-11-27 | 2021-03-09 | 国家电网有限公司大数据中心 | Power grid data sharing method and system based on block chain and data resource catalog |
| CN112835873A (en) * | 2021-02-26 | 2021-05-25 | 中国电力科学研究院有限公司 | Power grid regulation and control heterogeneous system service access method, system, equipment and medium |
Non-Patent Citations (1)
| Title |
|---|
| 匿名: "SpringSecurity---细粒度的权限控制", 《GO语言中文社区》 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101331495B (en) | Reference monitor system and method for enforcing information flow policies | |
| CN101331496B (en) | System and method for associating security information with information objects in a data processing system | |
| CN106789964B (en) | Cloud resource pool data security detection method and system | |
| KR102542720B1 (en) | System for providing internet of behavior based intelligent data security platform service for zero trust security | |
| US20100281060A1 (en) | Type system for access control lists | |
| CN110020687B (en) | Abnormal behavior analysis method and device based on operator situation perception portrait | |
| Karafili et al. | Argumentation-based security for social good | |
| US11275850B1 (en) | Multi-faceted security framework for unstructured storage objects | |
| CN115017526A (en) | Database access method and device, electronic equipment and storage medium | |
| CN114372098A (en) | Platform and method for protecting and mining power data middling station private data based on privileged account management | |
| CN111931239A (en) | Data leakage prevention system for database security protection | |
| KR102311997B1 (en) | Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis | |
| CN111740973A (en) | Intelligent defense system and method for block chain service and application | |
| CN112149112A (en) | Enterprise information security management method based on authority separation | |
| CN113377800A (en) | Data security sharing method and device | |
| CN116028953A (en) | Data encryption method based on privacy calculation | |
| CN111563269B (en) | Sensitive data security protection method and system based on shadow system | |
| RU2399091C2 (en) | Method for adaptive parametric control of safety of information systems and system for realising said method | |
| CN114328119A (en) | Database monitoring method, system and server | |
| El Ouazzani et al. | Dynamic management of data warehouse security levels based on user profiles | |
| Panda et al. | Securing database integrity in intelligent government systems that employ fog computing technology | |
| Zhou | Construction of Computer Network Security Defense System Based On Big Data | |
| Lonetti et al. | Issues and Challenges of Access Control in the Cloud. | |
| US8756699B1 (en) | Counting unique identifiers securely | |
| Wan et al. | Context-aware security solutions for cyber physical systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210910 |