CN114036564A - Construction method of private data derivative graph - Google Patents

Publication number: CN114036564A
Authority: CN (China)
Prior art keywords: employee, node, data, authority, creating
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111367854.XA
Other languages: Chinese (zh)
Inventor: 徐文浩
Current Assignee: Alipay Hangzhou Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Alipay Hangzhou Information Technology Co Ltd
Application filed by: Alipay Hangzhou Information Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23: Updating
    • G06F16/26: Visual data mining; Browsing structured data
    • G06F16/28: Databases characterised by their database models, e.g. relational or object models
    • G06F16/284: Relational databases
    • G06F16/285: Clustering or classification

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A method for constructing a private data derivative graph is disclosed. Objects in an enterprise, such as user privacy data, databases, operation authorities and employees, are taken as nodes, and the relationships among the objects or the operations performed are taken as edges, to construct a graph structure (called a private data derivative graph); that is, the relationships among the objects or the operations performed are represented as a graph. In this scheme, the private data derivative graph can be combined with artificial intelligence algorithms to find employees who obtain user privacy data in violation of the rules.

Description

Construction method of private data derivative graph
Technical Field
The embodiments of this specification relate to the field of information technology, and in particular to a method for constructing a private data derivative graph.
Background
In the course of providing services to users, enterprises often hold some user privacy data, such as users' names, identification numbers and face pictures. For data security reasons, enterprises need to analyze the abnormal flow of user privacy data within the enterprise (e.g., into the hands of employees who have no authority over it).
At present, enterprises generally analyze the behavior logs of their employees one by one to find out whether user privacy data has flowed abnormally.
Given this prior art, a more efficient way to analyze the abnormal flow of user privacy data within an enterprise is needed.
Disclosure of Invention
To solve the problem that existing methods by which an enterprise analyzes the abnormal flow of user privacy data are too inefficient, the embodiments of this specification provide a method for constructing a private data derivative graph. The technical solution is as follows:
According to a first aspect of the embodiments of this specification, there is provided a method for constructing a private data derivative graph, where the private data derivative graph includes a plurality of nodes and edges between the nodes, the method including:
for each user privacy data, creating a data node corresponding to the user privacy data, determining a storage node corresponding to a database that stores the user privacy data, and creating a relationship class edge between the data node and the storage node;
for each database, determining an authority node corresponding to an operation authority that performs operations on the database, and creating an operation class edge between the storage node corresponding to the database and the authority node;
and for each operation authority, determining an employee node corresponding to each employee related to the operation authority, and creating a relationship class edge between the authority node corresponding to the operation authority and each determined employee node.
According to a second aspect of the embodiments of this specification, there is provided a method for analyzing the abnormal flow of private data, based on the private data derivative graph constructed by the method of the first aspect, including:
determining the user privacy data to be analyzed;
determining, in the private data derivative graph, each employee node that can be connected to the data node corresponding to the user privacy data;
adding the employee corresponding to each determined employee node to an employee list corresponding to the user privacy data;
and for any employee, if it is monitored that the employee acquires the user privacy data and it is determined that the employee is not in the employee list corresponding to the user privacy data, determining that the employee's acquisition of the user privacy data is abnormal.
According to a third aspect of the embodiments of this specification, there is provided a method for analyzing the abnormal flow of private data, based on the private data derivative graph constructed by the method of the first aspect, including:
determining the employee to be analyzed;
determining, in the private data derivative graph, each data node that can be connected to the employee node corresponding to the employee;
adding the user privacy data corresponding to each determined data node to a data list corresponding to the employee;
and for any user privacy data, if it is monitored that the employee acquires the user privacy data and it is determined that the user privacy data is not in the data list corresponding to the employee, determining that the employee's acquisition of the user privacy data is abnormal.
In the technical solution provided by the embodiments of this specification, objects in an enterprise, such as user privacy data, databases, operation authorities and employees, are taken as nodes, and the relationships between the objects or the operations performed are taken as edges, to construct a graph structure (referred to as a private data derivative graph); that is, the relationships between the objects or the operations performed are represented as a graph. Based on this graph structure, the flow of user privacy data can be understood globally, and abnormal flow analysis of user privacy data can be carried out efficiently and accurately.
In this scheme, the private data derivative graph can be combined with artificial intelligence algorithms to find employees who obtain user privacy data in violation of the rules.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and do not restrict the embodiments of the invention.
In addition, no single embodiment in this specification is required to achieve all of the effects described above.
Drawings
To illustrate the embodiments of this specification or the technical solutions in the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below show only some of the embodiments of this specification, and those skilled in the art can obtain other drawings from them.
Fig. 1 is a schematic structural diagram of a private data derivative graph provided in an embodiment of this specification;
Fig. 2 is a schematic flowchart of a method for constructing a private data derivative graph provided in an embodiment of this specification;
Fig. 3 is a schematic flowchart of another method for constructing a private data derivative graph provided in an embodiment of this specification;
Fig. 4 is a schematic flowchart of another method for constructing a private data derivative graph provided in an embodiment of this specification;
Fig. 5 is a schematic flowchart of another method for constructing a private data derivative graph provided in an embodiment of this specification;
Fig. 6 is a schematic diagram of another structure of a private data derivative graph provided in an embodiment of this specification;
Fig. 7 is a schematic flowchart of a private data abnormal flow analysis method provided in an embodiment of this specification;
Fig. 8 is a schematic flowchart of another private data abnormal flow analysis method provided in an embodiment of this specification;
Fig. 9 is a schematic structural diagram of an apparatus for constructing a private data derivative graph provided in an embodiment of this specification;
Fig. 10 is a schematic structural diagram of an apparatus for analyzing the abnormal flow of private data provided in an embodiment of this specification;
Fig. 11 is a schematic structural diagram of an apparatus for analyzing the abnormal flow of private data provided in an embodiment of this specification;
Fig. 12 is a schematic structural diagram of a device for configuring the method of an embodiment of this specification.
Detailed Description
Enterprises currently analyze the abnormal flow of user privacy data by analyzing the behavior logs of all employees one by one; during the analysis, employees who read user privacy data abnormally are identified by checking against an employee authority list.
Clearly, this approach is inefficient. Moreover, because it essentially takes the perspective of a single employee, the abnormal flow analysis of user privacy data is performed locally, so the conclusions are often limited to a local view and sometimes do not match the actual situation.
For example, suppose a department's read authority for certain user privacy data has expired but the enterprise's employee authority table has not been updated in time. When the analysis is performed in the existing way, an employee in that department who acquires the user privacy data is judged compliant. If the employee is analyzed from a global perspective, however, it can be found that the employee's behavior is clearly inconsistent with that of the other employees in the same department and is abnormal: the employee has recently been reading the user privacy data frequently, while the other employees in the same department have not read it.
For this reason, in one or more embodiments of this specification, objects in an enterprise, such as user privacy data, databases, operation authorities and employees, are taken as nodes, and the relationships between the objects or the operations performed are taken as edges, to construct a graph structure; that is, the relationships between the objects or the operations performed are represented as a graph. Based on this graph structure, the flow of user privacy data can be understood globally, and abnormal flow analysis of user privacy data can be carried out efficiently and accurately.
This specification refers to the above graph structure as a private data derivative graph. The basic components of the private data derivative graph are described below.
The private data derivative graph may include a plurality of nodes and edges between the nodes. Specifically, the private data derivative graph includes at least 4 types of nodes (data nodes, storage nodes, authority nodes and employee nodes) and edges between data nodes and storage nodes, between storage nodes and authority nodes, and between authority nodes and employee nodes.
Each data node may correspond to one user privacy data held by the enterprise, and different data nodes correspond to different user privacy data. Each storage node may correspond to one database of the enterprise, and different storage nodes correspond to different databases. Each authority node may correspond to one operation authority set up in the enterprise, and different authority nodes correspond to different operation authorities. Each employee node may correspond to one employee of the enterprise, and different employee nodes correspond to different employees.
It should be noted that, in general, when an enterprise sets up operation authorities, it may set up a corresponding operation authority for each database; that is, the databases in the enterprise and the operation authorities may be in one-to-one correspondence.
The edge between a data node and a storage node may represent that the user privacy data corresponding to the data node is stored in the database corresponding to the storage node.
The edge between a storage node and an authority node may represent that an employee can operate on the database corresponding to the storage node through the operation authority corresponding to the authority node (generally, data read and write operations). For convenience of description, "an employee performs an operation on a database through an operation authority" is abbreviated as "the operation authority performs an operation on the database".
The edge between an authority node and an employee node may represent that an association exists between the employee corresponding to the employee node and the operation authority corresponding to the authority node.
In a broad sense, an edge between two nodes in a private data derivative graph characterizes some relationship between the objects to which the two nodes correspond. For convenience of description, in a narrow sense, edges are divided into two types: edges that represent a static relationship between nodes, and edges that represent a dynamic relationship between nodes (i.e., the object corresponding to one node operates on the object corresponding to another node). The former are referred to as relationship class edges and the latter as operation class edges.
In the embodiments of this specification, the private data derivative graph is generally a directed graph, although it may also be an undirected graph.
For the edge between a data node and a storage node, the storage node may point to the data node, indicating that the database corresponding to the storage node stores the user privacy data corresponding to the data node.
For the edge between a storage node and an authority node, the authority node may point to the storage node, indicating that an employee may operate on the database corresponding to the storage node through the operation authority corresponding to the authority node.
For the edge between an authority node and an employee node, the employee node may point to the authority node, indicating that the employee can apply for, own, and use the operation authority corresponding to the authority node.
Fig. 1 is a schematic structural diagram of a private data derivative graph provided in an embodiment of this specification. As shown in fig. 1, the user privacy data corresponding to data node 1 is stored in the database corresponding to storage node 2, so a relationship class edge is constructed between data node 1 and storage node 2 to indicate that a storage relationship exists between the two. When it is monitored that an employee performs a read operation on the database corresponding to storage node 2 through the operation authority corresponding to authority node 2, an operation class edge is constructed between storage node 2 and authority node 2 to record that read operation. The employee corresponding to employee node 1 and the operation authority corresponding to authority node 2 have an association, so a relationship class edge is constructed between employee node 1 and authority node 2.
To help those skilled in the art better understand the technical solutions in the embodiments of this specification, these solutions are described in detail below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of this specification. All other embodiments that a person of ordinary skill in the art can derive from the embodiments given here fall within the scope of protection.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 2 is a schematic flowchart of a method for constructing a private data derivative graph, provided by an embodiment of the present specification, and includes the following steps:
S200: for each user privacy data, create a data node corresponding to the user privacy data, determine a storage node corresponding to a database that stores the user privacy data, and create a relationship class edge between the data node and the storage node.
S202: for each database, determine an authority node corresponding to the operation authority that performs operations on the database, and create an operation class edge between the storage node corresponding to the database and the authority node.
S204: for each operation authority, determine an employee node corresponding to each employee related to the operation authority, and create a relationship class edge between the authority node corresponding to the operation authority and each determined employee node.
In one or more embodiments of this specification, an edge may have attributes, into which information about the relationship that the edge characterizes may be written. Specifically, the existence period (duration) of a relationship class edge may be written into its attributes. In practice, a static relationship between two objects generally extends over time. The existence period of some static relationships is limited, such as the association between an employee and an operation authority, while that of others is unlimited, such as the relationship between an operation authority and a database.
For an operation class edge, the operation detail information corresponding to the edge can be written into its attributes. For example, when an operation authority performs a data read operation on a database, an operation class edge needs to be constructed between the authority node corresponding to the operation authority and the storage node corresponding to the database, and information such as the operation time, operation location, operating employee, operation mode (such as access, download or transmission) and operating device IP is written into the attributes of the operation class edge.
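The construction steps S200 to S204, the edge attributes just described, and the list-based checks of the second and third aspects can be combined as in the following added example, which is not part of the patent text. The input record layout, all identifiers, the integer timestamps, and the rule that an expired relationship class edge no longer connects its nodes are assumptions made for illustration.

```python
from collections import defaultdict, deque


class DerivativeGraph:
    """Directed multigraph with edges employee -> authority -> storage -> data."""

    def __init__(self):
        self.node_type = {}           # node id -> "data"/"storage"/"authority"/"employee"
        self.out = defaultdict(list)  # source id -> [(target id, edge kind, attributes)]

    def determine(self, node_id, node_type):
        """Construct the node, or reuse it if it was already constructed."""
        if self.node_type.setdefault(node_id, node_type) != node_type:
            raise ValueError(f"{node_id!r} already exists with a different type")
        return node_id

    def add_edge(self, src, dst, kind, **attrs):
        self.out[src].append((dst, kind, attrs))


def build_graph(placements, operations, associations):
    g = DerivativeGraph()
    # S200: data node, storage node, relationship class edge (storage -> data).
    for data_id, database in placements:
        g.add_edge(g.determine(database, "storage"),
                   g.determine(data_id, "data"), "relation")
    # S202: one operation class edge (authority -> storage) per monitored
    # operation; the operation details go into the edge attributes.
    for op in operations:
        g.add_edge(g.determine(op["authority"], "authority"),
                   g.determine(op["database"], "storage"), "operation",
                   time=op["time"], employee=op["employee"],
                   mode=op["mode"], ip=op["ip"])
    # S204: relationship class edge (employee -> authority) carrying its
    # existence period; valid_until=None means unlimited.
    for employee, authority, valid_until in associations:
        g.add_edge(g.determine(employee, "employee"),
                   g.determine(authority, "authority"), "relation",
                   valid_until=valid_until)
    return g


def reachable_data(g, employee, now):
    """Third aspect: data nodes the employee node can connect to at `now`."""
    seen, queue, found = {employee}, deque([employee]), set()
    while queue:
        for dst, kind, attrs in g.out.get(queue.popleft(), ()):
            expiry = attrs.get("valid_until")
            if kind == "relation" and expiry is not None and expiry <= now:
                continue  # assumption: an expired relationship does not connect
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
                if g.node_type[dst] == "data":
                    found.add(dst)
    return found


def employee_list(g, data_id, now):
    """Second aspect: employees whose node can connect to the data node."""
    return {node for node, kind in g.node_type.items()
            if kind == "employee" and data_id in reachable_data(g, node, now)}


def abnormal_acquisitions(g, events, now):
    """Flag monitored (employee, data) acquisitions outside the employee list."""
    lists, flagged = {}, []
    for employee, data_id in events:
        if data_id not in lists:
            lists[data_id] = employee_list(g, data_id, now)
        if employee not in lists[data_id]:
            flagged.append((employee, data_id))
    return flagged


def demo():
    # Constructed sample input; times are plain integers for brevity.
    placements = [("id_number:u1", "db_users"), ("face:u1", "db_biometric")]
    operations = [
        {"authority": "perm_users", "database": "db_users", "time": 10,
         "employee": "alice", "mode": "access", "ip": "10.0.0.5"},
        {"authority": "perm_bio", "database": "db_biometric", "time": 20,
         "employee": "bob", "mode": "download", "ip": "10.0.0.6"},
    ]
    associations = [("alice", "perm_users", None), ("bob", "perm_bio", 100),
                    ("carol", "perm_bio", 50)]  # carol's association ended at 50
    g = build_graph(placements, operations, associations)
    events = [("alice", "id_number:u1"), ("carol", "face:u1"),
              ("bob", "face:u1"), ("bob", "id_number:u1"), ("dave", "face:u1")]
    return g, abnormal_acquisitions(g, events, now=80)


if __name__ == "__main__":
    print(demo()[1])
```

The employee list is evaluated at the analysis time `now`, so the same acquisition by `carol` passes at time 40 and is flagged at time 80, after her association with `perm_bio` has ended.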
It should be noted that the construction method shown in fig. 2 is executed continuously, so it covers not only the initial construction of the private data derivative graph but also its supplementary updating. Specifically, when it is monitored that the enterprise has added new user privacy data, that a new data operation has occurred, that a new employee has joined, and so on, the private data derivative graph can be supplemented and updated so that it matches the actual situation of the enterprise.
In addition, if the relationships between objects in the enterprise change, the private data derivative graph can be modified accordingly so that it matches the actual situation of the enterprise.
When the object corresponding to a node is deleted, the node and the edges connected to it may be deleted directly. For example, if the enterprise deletes certain user privacy data, the data node corresponding to that user privacy data in the private data derivative graph may be deleted accordingly, together with the edges connected to the data node (both incoming and outgoing).
When the relationship between the objects corresponding to two nodes no longer exists, the corresponding edge may be deleted, or the existence period in the attributes of the corresponding edge may be modified. For example, if the enterprise moves certain user privacy data from database A to database B, the relationship class edge between the data node corresponding to the user privacy data and the storage node corresponding to database A may be deleted accordingly (or the end of the storage period in the attributes of that relationship class edge may be set to the current time), and a relationship class edge is constructed between the data node corresponding to the user privacy data and the storage node corresponding to database B.
In the embodiments of the present specification, the user privacy data generally refers to data collected by an enterprise during a process of providing a service to a user, and the data relates to user privacy, such as a name, a gender, an age, a home address, a face picture, a fingerprint, and the like of the user.
In this text, the expression "construct" means performing the operation of constructing a new node or a new edge. The expression "determine" has two meanings: 1. performing the operation of constructing a new node or a new edge; 2. reusing an already constructed node or edge.
In step S200, since a plurality of data nodes may be connected to the same storage node, for a given data node the storage node that has a storage relationship with it may already have been constructed.
In step S202, the operation authority corresponding to the same authority node may operate on a given database more than once, so there may be more than one operation class edge between the authority node and the storage node; when the authority node operates on the storage node for the first time, the storage node has already been created, and it is reused subsequently.
In step S204, one employee may have an association with more than one operation authority, and thus, the employee node may be reused once.
In practice, enterprises typically store the user privacy data they collect in their own databases. An enterprise may store different user privacy data in different databases, or may store the same user privacy data redundantly in different databases.
When two databases both store the same user privacy data, the two databases are generally considered to have a "data lineage relationship". Therefore, in the embodiments of this specification, for each database, the storage node corresponding to each other database that has a data lineage relationship with it may be determined, and a relationship class edge may be constructed between the storage node corresponding to the database and the determined storage node corresponding to each such other database. The existence period of a data lineage relationship is generally unlimited.
As shown in fig. 3, if the database corresponding to storage node 1 and the database corresponding to storage node 2 both store the user privacy data corresponding to data node 3, it is determined that a data lineage relationship exists between the two databases, and therefore a relationship class edge is constructed between storage node 1 and storage node 2.
Further, as is well known, a database generally stores data in units of data tables. Thus, in the embodiments of this specification, a private data derivative graph may be constructed at data table granularity. As shown in fig. 4, the data node is not directly connected to the storage node (i.e. there is no direct storage relationship); instead, the data node is connected to a table node, and two table nodes connected to the same data node have a data lineage relationship.
Fig. 5 is a schematic flowchart of another method for constructing a private data derivative diagram provided in an embodiment of the present specification, including the following steps:
S500: for each user privacy data, create a data node corresponding to the user privacy data, determine a table node corresponding to a data table that stores the user privacy data, and create a relationship class edge between the data node and the table node.
S502: for each data table, create a storage node corresponding to the database that stores the data table, and create a relationship class edge between the table node corresponding to the data table and the storage node.
S504: for each database, determine an authority node corresponding to the operation authority that performs operations on the database, and create an operation class edge between the storage node corresponding to the database and the authority node.
S506: for each operation authority, determine an employee node corresponding to each employee related to the operation authority, and create a relationship class edge between the authority node corresponding to the operation authority and each determined employee node.
It can be understood that the principle of the method shown in fig. 5 is substantially the same as that of the method shown in fig. 2. The difference is that, in the method shown in fig. 5, the private data derivative graph also includes table nodes: a table node is inserted between the data node and the storage node, the data node and the table node have a storage relationship, and the table node and the storage node have a storage relationship.
The explanation of the scheme that follows applies equally to the method shown in fig. 2 and the method shown in fig. 5.
In the embodiments of this specification, an edge between an authority node and a storage node is an operation class edge. Specifically, if the operation authority corresponding to the authority node performs N operations on the database, N operation class edges corresponding one-to-one to the N operations are created between the storage node corresponding to the database and the authority node. That is, each time an employee operates on the database corresponding to the storage node through the operation authority corresponding to the authority node, an edge can be constructed between the authority node and the storage node. If the authority node operates on the storage node 100 times, there may be 100 operation class edges between the authority node and the storage node.
However, the number of edges between the authority node and the storage node should not be too large; otherwise, too many computing resources are consumed.
Therefore, in the embodiments of this specification, the available period of the private data derivative graph may be divided into a plurality of operation coverage time periods. For each operation coverage time period, if the operation authority corresponding to the authority node performs one or more operations on the database within that period, only one operation class edge is created between the storage node corresponding to the database and the authority node. The available period can be specified according to actual needs and may be indefinite.
For example, the available period is 1/2019 to 1/2020. For storage node A and authority node B, counting from 0:00 on the 1st in 2019: within the first 3 days, the operations of authority node B on storage node A that occur in each 15 minutes are recorded as one edge; within 3 to 7 days, the operations occurring in each hour are recorded as one edge; within 7 to 30 days, the operations occurring in each day are recorded as one edge; and within 30 days to one year, the operations occurring in each week are recorded as one edge.
In this way, the number of edges between the storage node and the authority node can be reduced effectively. It should be noted that, with this approach, the operation detail information of all operations covered by an edge between the authority node and the storage node needs to be written into the attributes of that edge.
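The following added example, which is not part of the patent text, merges monitored operations into one operation class edge per operation coverage time period, using the 15-minute, hourly, daily and weekly tiers from the example above and keeping every operation's details in the edge attributes. The start of the available period (taken here as 1 January 2019, 00:00), the record layout and all identifiers are constructed assumptions.

```python
from datetime import datetime, timedelta

# (end of tier measured from the period start, width of one coverage period)
SCHEDULE = [
    (timedelta(days=3), timedelta(minutes=15)),
    (timedelta(days=7), timedelta(hours=1)),
    (timedelta(days=30), timedelta(days=1)),
    (timedelta(days=365), timedelta(weeks=1)),
]


def coverage_period(start, when):
    """Return (begin, end) of the operation coverage time period holding `when`."""
    age = when - start
    if age < timedelta(0):
        raise ValueError("operation precedes the available period")
    tier_begin = timedelta(0)
    for tier_end, width in SCHEDULE:
        if age < tier_end:
            index = (age - tier_begin) // width  # whole periods into the tier
            begin = start + tier_begin + index * width
            # The last period of a tier is cut off at the tier boundary.
            return begin, min(begin + width, start + tier_end)
        tier_begin = tier_end
    raise ValueError("operation is after the available period")


def coalesce(start, operations):
    """Build one operation class edge per (authority, database, period)."""
    edges = {}
    for op in sorted(operations, key=lambda o: o["time"]):
        begin, end = coverage_period(start, op["time"])
        key = (op["authority"], op["database"], begin)
        edge = edges.setdefault(key, {
            "src": op["authority"], "dst": op["database"],
            "kind": "operation", "period": (begin, end), "details": []})
        # Details of every covered operation stay on the merged edge.
        edge["details"].append(
            {k: op[k] for k in ("time", "employee", "mode", "ip")})
    return list(edges.values())


def demo():
    start = datetime(2019, 1, 1)  # constructed start of the available period
    times = [
        datetime(2019, 1, 1, 0, 5), datetime(2019, 1, 1, 0, 14),   # same 15 min
        datetime(2019, 1, 1, 0, 15),                               # next 15 min
        datetime(2019, 1, 5, 10, 20), datetime(2019, 1, 5, 10, 55),  # same hour
        datetime(2019, 1, 10, 8, 0), datetime(2019, 1, 10, 23, 0),   # same day
        datetime(2019, 3, 1, 9, 0), datetime(2019, 3, 2, 9, 0),      # same week
    ]
    operations = [{"authority": "authority_B", "database": "storage_A",
                   "time": t, "employee": "emp_1", "mode": "access",
                   "ip": "10.0.0.5"} for t in times]
    return start, coalesce(start, operations)


if __name__ == "__main__":
    for edge in demo()[1]:
        print(edge["period"][0], edge["period"][1], len(edge["details"]))
```

Nine constructed operations collapse into five edges. Because 335 days do not divide evenly into weeks, the final weekly period is shortened so that it ends with the available period.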
In an embodiment of this specification, the association relationship between the employee and the operation authority includes: the employee has applied for operating authority; or, the employee already has the operation authority; or, the employee has used the operating right.
It can be understood that an employee generally needs to apply for the operation authority first and, after the application is approved, the employee has the operation authority. When data needs to be read, the employee uses the corresponding operation authority for the corresponding database.
In this embodiment of the present specification, creating a relationship class edge between the authority node corresponding to the operation authority and each determined employee node may specifically include:
For each determined employee node, when it is monitored that the employee corresponding to the employee node has applied for the operation authority, a relationship class edge is created between the authority node corresponding to the operation authority and the employee node, and an authority application relationship is written into the attribute of the relationship class edge; when it is monitored that the employee corresponding to the employee node has the operation authority, an authority ownership relationship is written into the attribute of the relationship class edge; and when it is monitored that the employee corresponding to the employee node has used the operation authority, an authority use relationship is written into the attribute of the relationship class edge.
Alternatively, for each determined employee node, when it is monitored that the employee corresponding to the employee node has applied for the operation authority, a relationship class edge representing the authority application relationship is created between the authority node corresponding to the operation authority and the employee node; when it is monitored that the employee corresponding to the employee node has the operation authority, a relationship class edge representing the authority ownership relationship is created between the authority node and the employee node; and when it is monitored that the employee corresponding to the employee node has used the operation authority, a relationship class edge representing the authority use relationship is created between the authority node and the employee node.
In an embodiment of the present specification, the private data derivation diagram may further include interface nodes, where each interface node corresponds to one service interface. The service interface can operate the database and can also call other service interfaces. The service interface may also be invoked by the operating authority.
Specifically, for each database, an interface node corresponding to each service interface that has performed an operation on the database may be created, and an operation class edge between the storage node corresponding to the database and each interface node may be created. Alternatively, for each service interface, an authority node corresponding to each operation authority that has called the service interface may be determined, and an operation class edge between the interface node corresponding to the service interface and the authority node may be created. In addition, for each service interface, an interface node corresponding to each other service interface that has called the service interface may be determined, and an operation class edge between the interface node corresponding to the service interface and the determined interface node corresponding to each other service interface may be created.
In the embodiment of the specification, a plurality of operation authorities can be organized into authority groups, and one group of operation authorities can be conveniently authorized to employees at one time. To this end, permission group nodes may be added to the private data derivative graph, each permission group node corresponding to a permission group.
Specifically, for each operation authority, an authority group node corresponding to the authority group including the operation authority may be created, and a relationship class edge between the authority node corresponding to the operation authority and the authority group node may be created. For each authority group, an employee node corresponding to each employee associated with the authority group may also be determined, and a relationship class edge between the authority group node corresponding to the authority group and each determined employee node may be created.
In this specification embodiment, employee group nodes may also be added to the private data derivative graph, each employee group node corresponding to an employee group.
Specifically, for each employee, an employee group node corresponding to the employee group containing the employee may be created, and a relationship class edge between the employee node corresponding to the employee and the employee group node may be created. In the attribute of the relationship class edge between the employee node and the employee group node, leader information of the employee group, information on each employee of the employee group, information indicating that the employee has left the employee group, and the like can be written.
In addition, in the embodiment of the present specification, there may also be an association relationship between employees, such as alumni, neighbors, relatives, and the like, and therefore, for each employee, an employee node corresponding to each other employee associated with the employee may also be determined, and a relationship class edge between the employee node corresponding to the employee and the determined employee node corresponding to each other employee may also be created.
Fig. 6 is a schematic structural diagram of a private data derivation diagram provided in an embodiment of this specification. As shown in fig. 6, the private data derivative graph includes data nodes, data table nodes, storage nodes, authority group nodes, employee group nodes, and service interface nodes. The data nodes and the data table nodes can have storage relations, the data table nodes and the storage nodes can have storage relations, the authority nodes can execute operations aiming at the storage nodes, the authority nodes and the authority group nodes can have inclusion relations, the employee nodes and the authority nodes can have association relations, the employee nodes and the authority group nodes can have association relations, the employee nodes and the employee group nodes can have inclusion relations, the employee group nodes and the authority nodes can have association relations, and the employee group nodes and the authority group nodes can have association relations. Data consanguinity relationships may also exist between table nodes.
In addition, although not shown in fig. 6, in practical applications there may be an association relationship between an employee group node and an authority node, and there may be an association relationship between an employee group node and an authority group node.
Specifically, for each operation authority, an employee group node corresponding to each employee group associated with the operation authority may be determined, and a relationship class edge between the authority node corresponding to the operation authority and the determined employee group node corresponding to each employee group may be created.
For each authority group, an employee group node corresponding to each employee group associated with the authority group may be determined, and a relationship class edge between the authority group node corresponding to the authority group and the determined employee group node corresponding to each employee group may be created.
In addition, after the private data derivative graph is obtained by the method shown in fig. 2, the multi-degree relationships between nodes that the private data derivative graph can represent can be used to globally monitor how user privacy data flows within the enterprise.
For example, for certain user privacy data, each employee who read the user privacy data within the past month, together with the reading time, reading mode, and reading place of each employee, may be queried. The number of reads of the user privacy data in the past month (person-times, counting one for each reading operation) and the number of employees who read it (deduplicated, since the same employee may have read it multiple times) can also be counted. If the user privacy data was read too many times in the past month, or too many employees read it, the user privacy data can be considered to be flowing abnormally, and its flow needs to be monitored closely.
For example, in practice, an enterprise sometimes stipulates that certain user privacy data can only be used by one or several specific employee groups. After some employees leave such a specific employee group, their operation authority on the database where the user privacy data is located is not revoked in time, so these employees can in fact still read the user privacy data in violation of the rule. For this purpose, based on the private data derivative graph, the flow path of user privacy data - operation authority - employee group (or the flow path of user privacy data - service interface - operation authority - employee group) may be queried regularly (e.g., every minute). It should be noted that, if an employee leaves the specific employee group, the lifetime of the edge between the employee node corresponding to the employee and the employee group node corresponding to the employee group may be modified to expired; thus, when the path is queried, if the relationship between the employee and the employee group has expired, the employee group that the employee has left is not added to the path. Based on the path, the employees and employee groups currently able to read the user privacy data can be obtained. If an employee currently able to read the user privacy data is found not to be in a specific employee group, or an employee group currently able to read the user privacy data is found not to be a specific employee group, it may be determined that the employee or the employee group is behaving abnormally.
For example, the private data query records of each employee in a certain employee group within a specified period may be mined based on the private data derivative graph. The degree of difference between the data query records of each employee and those of the other employees in the same group is analyzed; if the data query records of a certain employee differ markedly from those of the other employees in the same group, the behavior of the employee is determined to be abnormal. The data query records of employees with abnormal behavior can then be analyzed to extract the sensitivity level, query quantity, query time, characteristic information of the employee, and the like; a classification model is used to identify the probability that the employee performed illegal queries, and if the probability is high, the employee is audited.
In addition, based on the private data derivation diagrams described herein, the present specification further provides the following two private data abnormal flow analysis methods.
Fig. 7 is a schematic flowchart of a private data abnormal flow analysis method provided in an embodiment of this specification, where the method includes the following steps:
S700: user privacy data to be analyzed is determined.
S702: in the private data derivative graph, each employee node connectable to a data node corresponding to the user privacy data is determined.
S704: the employee corresponding to each determined employee node is added to an employee list corresponding to the user privacy data.
For any employee, if it is monitored that the employee has acquired the user privacy data, and it is determined that the employee is not in the employee list corresponding to the user privacy data, the employee's behavior of acquiring the user privacy data is determined to be abnormal.
Fig. 8 is a flowchart of another private data abnormal flow analysis method provided in an embodiment of the present specification, where the method includes the following steps:
S800: the employee to be analyzed is determined.
S802: in the private data derivative graph, each data node connectable to the employee node corresponding to the employee is determined.
S804: the user privacy data corresponding to each determined data node is added to a data list corresponding to the employee.
For any user privacy data, if it is monitored that the employee has acquired the user privacy data, and it is determined that the user privacy data is not in the data list corresponding to the employee, the employee's behavior of acquiring the user privacy data is determined to be abnormal.
It is noted that "connectable" means directly or indirectly connectable.
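The two analysis methods of figs. 7 and 8, together with the expired employee-group edge described earlier, as an added example that is not code from the patent. It assumes edges are stored directed from the data side toward the accessor side and that traversal stops at employee nodes, so that "connectable" does not spread through employee-to-employee or shared-group links; every node name and the access log are constructed.

```python
from collections import deque
from datetime import datetime


class DerivativeGraph:
    """Typed nodes with directed edges pointing from the data side toward
    the accessor side (data -> table -> storage -> ... -> employee)."""

    def __init__(self):
        self.kind = {}  # node id -> node type
        self.out = {}   # node id -> [(neighbour, expiry or None)]

    def add_node(self, node, kind):
        self.kind[node] = kind
        self.out.setdefault(node, [])

    def add_edge(self, src, dst, expires=None):
        # expires models the relationship lifetime written in the edge attribute
        self.out[src].append((dst, expires))

    def employees_for(self, data_node, as_of):
        """S702/S704: employees directly or indirectly connectable to data_node
        over edges whose lifetime has not expired at time as_of."""
        seen, queue, staff = {data_node}, deque([data_node]), set()
        while queue:
            node = queue.popleft()
            for nxt, expires in self.out[node]:
                if expires is not None and expires <= as_of:
                    continue  # expired relationship: not part of any path
                if nxt in seen:
                    continue
                seen.add(nxt)
                if self.kind[nxt] == "employee":
                    staff.add(nxt)  # terminal: never hop employee to employee
                else:
                    queue.append(nxt)
        return staff

    def data_for(self, employee, as_of):
        """S802/S804: the mirror list of data nodes connectable to an employee."""
        return {
            node for node, kind in self.kind.items()
            if kind == "data" and employee in self.employees_for(node, as_of)
        }


def abnormal_accesses(graph, access_log, as_of):
    """Flag monitored acquisitions by employees absent from the employee list."""
    lists, alerts = {}, []
    for employee, data_node in access_log:
        if data_node not in lists:
            lists[data_node] = graph.employees_for(data_node, as_of)
        if employee not in lists[data_node]:
            alerts.append((employee, data_node))
    return alerts


def build_sample_graph():
    """Constructed sample; every node name is hypothetical."""
    g = DerivativeGraph()
    for node, kind in [
        ("user_phone", "data"), ("user_email", "data"),
        ("t_user", "table"), ("t_mail", "table"),
        ("db_crm", "storage"), ("db_mail", "storage"),
        ("svc_profile", "interface"),
        ("perm_crm_read", "authority"), ("perm_profile_call", "authority"),
        ("perm_mail_read", "authority"), ("grp_support", "employee_group"),
        ("alice", "employee"), ("bob", "employee"),
        ("carol", "employee"), ("eve", "employee"),
    ]:
        g.add_node(node, kind)
    for src, dst in [
        ("user_phone", "t_user"), ("t_user", "db_crm"),
        ("user_email", "t_mail"), ("t_mail", "db_mail"),
        ("db_crm", "perm_crm_read"), ("db_crm", "svc_profile"),
        ("svc_profile", "perm_profile_call"), ("db_mail", "perm_mail_read"),
        ("perm_crm_read", "grp_support"), ("grp_support", "alice"),
        ("perm_profile_call", "carol"), ("perm_mail_read", "eve"),
    ]:
        g.add_edge(src, dst)
    # bob left the support group: the membership edge carries an expiry
    g.add_edge("grp_support", "bob", expires=datetime(2021, 6, 1))
    return g


# Constructed access log of (employee, data node) acquisitions.
ACCESS_LOG = [("alice", "user_phone"), ("bob", "user_phone"),
              ("carol", "user_phone"), ("eve", "user_phone"),
              ("eve", "user_email")]

if __name__ == "__main__":
    print(abnormal_accesses(build_sample_graph(), ACCESS_LOG, datetime(2021, 7, 1)))
```

A read by bob is flagged only after his group edge expires, which is the late-revocation case the description singles out.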
Fig. 9 is a schematic structural diagram of an apparatus for constructing a private data derivative graph, where the private data derivative graph includes a plurality of nodes and edges between the nodes, and the apparatus includes:
a first building module 901, which creates a data node corresponding to each user privacy data, determines a storage node corresponding to a database storing the user privacy data, and creates a relationship class edge between the data node and the storage node;
a second building module 902, configured to determine, for each database, an authority node corresponding to an operation authority that has performed an operation on the database, and create an operation class edge between a storage node corresponding to the database and the authority node;
the third building module 903 determines, for each operation authority, an employee node corresponding to each employee associated with the operation authority, and creates a relationship class edge between the authority node corresponding to the operation authority and each determined employee node.
If the operation authority corresponding to the authority node performs N operations on the database, the second building module 902 creates N operation class edges corresponding to the N operations one to one between the storage node corresponding to the database and the authority node.
An available period corresponding to the private data derivative graph is divided into a plurality of operation coverage time periods;
for each operation coverage time period, if the operation authority corresponding to the authority node performs one or more operations on the database within the operation coverage time period, the second building module 902 creates only one operation class edge between the storage node corresponding to the database and the authority node.
The association relationship between the employee and the operation authority comprises the following steps:
the employee has applied for operating authority; or, the employee already has the operation authority; or, the employee has used the operating right.
The third building module 903, for each determined employee node, when it is monitored that the employee corresponding to the employee node has applied for the operation authority, creates a relationship class edge between the authority node corresponding to the operation authority and the employee node, and writes an authority application relationship into the attribute of the relationship class edge; when it is monitored that the employee corresponding to the employee node has the operation authority, writes an authority ownership relationship into the attribute of the relationship class edge; and when it is monitored that the employee corresponding to the employee node has used the operation authority, writes an authority use relationship into the attribute of the relationship class edge.
The device further comprises:
the fourth building module 904, for each database, creates an interface node corresponding to each service interface that performs an operation on the database, and creates an operation class edge between a storage node corresponding to the database and the interface node corresponding to each service interface.
The fourth building module 904 further determines, for each service interface, an authority node corresponding to each operation authority that has called the service interface, and creates an operation class edge between the interface node corresponding to the service interface and the authority node corresponding to each operation authority.
The fourth building module 904 further determines, for each service interface, an interface node corresponding to each other service interface that has called the service interface, and creates an operation class edge between the interface node corresponding to the service interface and the determined interface node corresponding to each other service interface.
The device further comprises:
the fifth building module 905 creates, for each operation permission, a permission group node corresponding to the permission group including the operation permission, and creates a relationship class edge between the permission node corresponding to the operation permission and the permission group node.
The fifth building module 905 further determines, for each authority group, an employee node corresponding to each employee associated with the authority group, and creates a relationship class edge between the authority group node corresponding to the authority group and each determined employee node.
The device further comprises:
a sixth building module 906, for each employee, creates an employee group node corresponding to the employee group including the employee, and creates a relationship class edge between the employee node corresponding to the employee and the employee group node.
The device further comprises:
a seventh building module 907 determines, for each employee, an employee node corresponding to each other employee associated with the employee, and creates a relationship class edge between the employee node corresponding to the employee and the determined employee node corresponding to each other employee.
The device further comprises:
the first writing module 908 is configured to, for each relationship class edge in the private data derivative graph, write the relationship lifetime corresponding to the relationship class edge into the attribute of the relationship class edge.
The device further comprises:
a second writing module 909, for each operation class edge in the private data derivative graph, writing the operation detail information corresponding to the operation class edge into the attribute of the operation class edge.
Fig. 10 is a schematic structural diagram of an apparatus for analyzing an abnormal flow of private data according to an embodiment of the present specification, where the apparatus includes:
a first determination module 1001 that determines user privacy data to be analyzed;
a second determining module 1002, configured to determine, in the private data derivative graph, each employee node that is connectable to a data node corresponding to the user private data;
the list adding module 1003 is used for adding the staff corresponding to each determined staff node into the staff list corresponding to the user privacy data;
and, for any employee, if it is monitored that the employee has acquired the user privacy data, and it is determined that the employee is not in the employee list corresponding to the user privacy data, the employee's behavior of acquiring the user privacy data is determined to be abnormal.
Fig. 11 is a schematic structural diagram of an apparatus for analyzing an abnormal flow of private data according to an embodiment of the present specification, where the apparatus includes:
a first determination module 1101 that determines employees to be analyzed;
a second determining module 1102, configured to determine, in the private data derivative graph, each data node that is connectable to the employee node corresponding to the employee;
the list adding module 1103 is configured to add the determined user privacy data corresponding to each data node to the data list corresponding to the employee;
and, for any user privacy data, if it is monitored that the employee has acquired the user privacy data, and it is determined that the user privacy data is not in the data list corresponding to the employee, the employee's behavior of acquiring the user privacy data is determined to be abnormal.
Embodiments of the present specification also provide a computer device, which at least includes a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method shown in fig. 2 when executing the program.
Fig. 12 is a schematic diagram illustrating a more specific hardware structure of a computing device according to an embodiment of the present disclosure, where the computing device may include: a processor 2010, a memory 2020, an input/output interface 2030, a communication interface 2040, and a bus 2050. The processor 2010, the memory 2020, the input/output interface 2030, and the communication interface 2040 are communicatively connected to each other within the device via the bus 2050.
The processor 2010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 2020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static Memory device, a dynamic Memory device, or the like. The memory 2020 may store an operating system and other application programs, and when the technical solutions provided by the embodiments of the present specification are implemented by software or firmware, the relevant program codes are stored in the memory 2020 and called by the processor 2010 for execution.
The input/output interface 2030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 2040 is used for connecting a communication module (not shown in the figure) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
The bus 2050 includes a path for communicating information between various components of the device, such as the processor 2010, the memory 2020, the input/output interface 2030, and the communication interface 2040.
It is to be appreciated that while the above-described device illustrates only the processor 2010, the memory 2020, the input/output interface 2030, the communication interface 2040, and the bus 2050, in an implementation, the device may include other components necessary for proper operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present description also provide a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the functions of the method shown in fig. 2.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a service device, or a network device) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, methods, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus embodiment is substantially similar to the method embodiment, it is described relatively simply, and reference may be made to the corresponding description of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative: the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more pieces of software and/or hardware when implementing the embodiments of the present specification. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific implementation of the embodiments of the present disclosure. It should be noted that those skilled in the art can make a number of improvements and refinements without departing from the principle of the embodiments of the present disclosure, and these improvements and refinements should also be regarded as falling within the protection scope of the embodiments of the present disclosure.

Claims (21)

1. A method of constructing a private data derivative graph, the private data derivative graph comprising a plurality of nodes and edges between the nodes, the method comprising:
for each user privacy data, creating a data node corresponding to the user privacy data, determining a table node corresponding to a data table storing the user privacy data, and creating a relationship class edge between the data node and the table node;
for each data table, creating a storage node corresponding to a database storing the data table, and creating a relationship class edge between the table node corresponding to the data table and the storage node;
for each database, determining an authority node corresponding to an operation authority that has performed an operation on the database, and creating an operation class edge between a storage node corresponding to the database and the authority node;
and for each operation authority, determining an employee node corresponding to each employee associated with the operation authority, and creating a relationship class edge between the authority node corresponding to the operation authority and each determined employee node.
2. The method of claim 1, wherein creating an operation class edge between the storage node corresponding to the database and the authority node specifically comprises:
if the operation authority corresponding to the authority node has performed N operations on the database, creating N operation class edges in one-to-one correspondence with the N operations between the storage node corresponding to the database and the authority node.
3. The method of claim 1, wherein an available period corresponding to the private data derivative graph is divided into a plurality of operation coverage time periods;
creating an operation class edge between a storage node corresponding to the database and the authority node specifically comprises:
for each operation coverage time period, if the operation authority corresponding to the authority node performs one or more operations on the database within the operation coverage time period, creating only one operation class edge between the storage node corresponding to the database and the authority node.
4. The method of claim 1, wherein the association between the employee and the operating right comprises:
the employee has applied for operating authority; or, the employee already has the operation authority; or, the employee has used the operating right.
5. The method of claim 4, wherein creating a relationship class edge between the authority node corresponding to the operation authority and each determined employee node specifically comprises:
for each determined employee node, when it is monitored that the employee corresponding to the employee node has applied for the operation authority, creating a relationship class edge between the authority node corresponding to the operation authority and the employee node, and writing an authority application relationship into the attribute of the relationship class edge;
when it is monitored that the employee corresponding to the employee node has the operation authority, writing an authority ownership relationship into the attribute of the relationship class edge;
and when it is monitored that the employee corresponding to the employee node has used the operation authority, writing an authority use relationship into the attribute of the relationship class edge.
6. The method of claim 1, further comprising:
and aiming at each database, creating an interface node corresponding to each service interface for executing operation on the database, and creating an operation class edge between a storage node corresponding to the database and the interface node corresponding to each service interface.
7. The method of claim 6, further comprising:
and aiming at each service interface, determining an authority node corresponding to each operation authority of the called service interface, and creating an operation class edge between the interface node corresponding to the service interface and the authority node corresponding to each operation authority.
8. The method of claim 6, further comprising:
for each service interface, determining an interface node corresponding to each other service interface that calls the service interface, and creating an operation class edge between the interface node corresponding to the service interface and the determined interface node corresponding to each other service interface.
9. The method of claim 1, further comprising:
for each operation authority, creating an authority group node corresponding to the authority group containing the operation authority, and creating a relationship class edge between the authority node corresponding to the operation authority and the authority group node.
10. The method of claim 9, further comprising:
for each authority group, determining an employee node corresponding to each employee associated with the authority group, and creating a relationship class edge between the authority group node corresponding to the authority group and each determined employee node.
11. The method of claim 1, further comprising:
for each employee, creating an employee group node corresponding to the employee group containing the employee, and creating a relationship class edge between the employee node corresponding to the employee and the employee group node.
12. The method of claim 1, further comprising:
for each employee, determining an employee node corresponding to each other employee associated with the employee, and creating a relationship class edge between the employee node corresponding to the employee and the determined employee node corresponding to each other employee.
13. The method of claim 1, further comprising:
for each data node, if the data node is connected to at least two table nodes, connecting the table nodes connected to the data node pairwise, and creating a relationship class edge between each pair of table nodes so connected.
14. The method of any one of claims 1 to 13, further comprising:
for each relationship class edge in the private data derivative graph, writing the relationship storage period corresponding to the relationship class edge into the attribute of the relationship class edge.
15. The method of any one of claims 1 to 13, further comprising:
for each operation class edge in the private data derivative graph, writing operation detail information corresponding to the operation class edge into the attribute of the operation class edge.
16. A method for analyzing abnormal flow of private data based on a private data derivative graph constructed by the method of any one of claims 1 to 15, comprising:
determining user privacy data to be analyzed;
determining, in the private data derivative graph, each employee node that is connectable to the data node corresponding to the user privacy data;
adding the employee corresponding to each determined employee node to an employee list corresponding to the user privacy data;
and, for any employee, if it is monitored that the employee acquires the user privacy data and it is determined that the employee is not in the employee list corresponding to the user privacy data, determining that the employee's acquisition of the user privacy data is abnormal.
17. A method for analyzing abnormal flow of private data based on a private data derivative graph constructed by the method of any one of claims 1 to 15, comprising:
determining an employee to be analyzed;
determining, in the private data derivative graph, each data node that is connectable to the employee node corresponding to the employee;
adding the user privacy data corresponding to each determined data node to a data list corresponding to the employee;
and, for any user privacy data, if it is monitored that the employee acquires the user privacy data and it is determined that the user privacy data is not in the data list corresponding to the employee, determining that the employee's acquisition of the user privacy data is abnormal.
18. An apparatus for constructing a private data derivative graph, the private data derivative graph including a plurality of nodes and edges between the nodes, the apparatus comprising:
a first construction module, configured to: for each piece of user privacy data, create a data node corresponding to the user privacy data, determine a table node corresponding to a data table storing the user privacy data, and create a relationship class edge between the data node and the table node; and, for each data table, create a storage node corresponding to a database storing the data table, and create a relationship class edge between the table node corresponding to the data table and the storage node;
a second construction module, configured to, for each database, determine an authority node corresponding to the operation authority that has performed an operation on the database, and create an operation class edge between the storage node corresponding to the database and the authority node;
and a third construction module, configured to, for each operation authority, determine an employee node corresponding to each employee associated with the operation authority, and create a relationship class edge between the authority node corresponding to the operation authority and each determined employee node.
19. An apparatus for analyzing abnormal flow of private data based on a private data derivative graph constructed by the method of any one of claims 1 to 15, comprising:
a first determining module, configured to determine the user privacy data to be analyzed;
a second determining module, configured to determine, in the private data derivative graph, each employee node that is connectable to the data node corresponding to the user privacy data;
a list adding module, configured to add the employee corresponding to each determined employee node to an employee list corresponding to the user privacy data;
and, for any employee, if it is monitored that the employee acquires the user privacy data and it is determined that the employee is not in the employee list corresponding to the user privacy data, determining that the employee's acquisition of the user privacy data is abnormal.
20. An apparatus for analyzing abnormal flow of private data based on a private data derivative graph constructed by the method of any one of claims 1 to 15, comprising:
a first determining module, configured to determine the employee to be analyzed;
a second determining module, configured to determine, in the private data derivative graph, each data node that is connectable to the employee node corresponding to the employee;
a list adding module, configured to add the user privacy data corresponding to each determined data node to a data list corresponding to the employee;
and, for any user privacy data, if it is monitored that the employee acquires the user privacy data and it is determined that the user privacy data is not in the data list corresponding to the employee, determining that the employee's acquisition of the user privacy data is abnormal.
21. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the method of any one of claims 1 to 17.
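Added example (not part of the patent text): a minimal Python sketch of the reachability check in claims 16 and 17, reading "connectable" as path reachability over undirected edges. The class and function names, the sample nodes and events, the single-valued `relation` attribute and the `skip` filter on it are assumptions made for illustration.

```python
from collections import defaultdict, deque

class DerivativeGraph:
    """Undirected graph; node ids are (kind, name) tuples."""
    def __init__(self):
        self.adj = defaultdict(dict)  # node -> {neighbour: edge attributes}

    def add_edge(self, a, b, edge_class, **attrs):
        # Re-adding an edge only merges attributes: no parallel edges.
        edge = self.adj[a].setdefault(b, {"class": edge_class})
        self.adj[b][a] = edge
        edge.update(attrs)

    def reachable(self, start, kind, skip=frozenset()):
        """Names of `kind` nodes connected to `start`; edges whose
        "relation" attribute is in `skip` are not traversed."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt, edge in self.adj.get(node, {}).items():
                if nxt not in seen and edge.get("relation") not in skip:
                    seen.add(nxt)
                    queue.append(nxt)
        return {name for k, name in seen if k == kind}

def build_sample():
    """Constructed sample: two databases, two authorities, three employees."""
    g = DerivativeGraph()
    for data, table, db in [("bank_card", "pay.cards", "db_pay"),
                            ("phone", "crm.contacts", "db_crm")]:
        g.add_edge(("data", data), ("table", table), "relationship")
        g.add_edge(("table", table), ("storage", db), "relationship")
    g.add_edge(("storage", "db_pay"), ("authority", "pay_read"), "operation")
    g.add_edge(("storage", "db_crm"), ("authority", "crm_read"), "operation")
    for auth, emp, rel in [("pay_read", "alice", "used"),
                           ("crm_read", "bob", "owned"),
                           ("pay_read", "dave", "applied")]:
        g.add_edge(("authority", auth), ("employee", emp),
                   "relationship", relation=rel)
    return g

def find_anomalies(g, events, skip=frozenset()):
    """Flag (employee, data) accesses by employees not connectable to the data."""
    return [(emp, data) for emp, data in events
            if emp not in g.reachable(("data", data), "employee", skip)]

# Constructed access observations: (employee, user privacy data).
EVENTS = [("alice", "bank_card"), ("bob", "bank_card"),
          ("carol", "phone"), ("dave", "bank_card")]

if __name__ == "__main__":
    print(find_anomalies(build_sample(), EVENTS))
```

Because authorities attach at the storage node, reachability is database-granular: every employee tied to an authority that touched a database is listed for all data in it. Passing `skip={"applied"}` shows how an employee who has only applied for an authority drops out of the list.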
CN202111367854.XA 2019-12-13 2019-12-13 Construction method of private data derivative graph Pending CN114036564A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111367854.XA CN114036564A (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111367854.XA CN114036564A (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph
CN201911285297.XA CN110990878B (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201911285297.XA Division CN110990878B (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph

Publications (1)

Publication Number Publication Date
CN114036564A true CN114036564A (en) 2022-02-11

Family

ID=70093635

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202111367854.XA Pending CN114036564A (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph
CN201911285297.XA Active CN110990878B (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201911285297.XA Active CN110990878B (en) 2019-12-13 2019-12-13 Construction method of private data derivative graph

Country Status (1)

Country Link
CN (2) CN114036564A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116070268A (en) * 2023-01-04 2023-05-05 北京夏石科技有限责任公司 Privacy data identification monitoring method, device and equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114816243B (en) * 2022-03-31 2023-02-03 北京优特捷信息技术有限公司 Log compression method and device, electronic equipment and storage medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1973053A1 (en) * 2007-03-19 2008-09-24 British Telecommunications Public Limited Company Multiple user access to data triples
US20090097418A1 (en) * 2007-10-11 2009-04-16 Alterpoint, Inc. System and method for network service path analysis
EP2579201A1 (en) * 2011-10-03 2013-04-10 Alcatel Lucent Method for managing a user profile within a social network
CN103745161B (en) * 2013-12-23 2016-08-24 东软集团股份有限公司 Access method of controlling security and device
CN104239799A (en) * 2014-09-05 2014-12-24 清华大学 Android application program privacy stealing detection method and system based on behavior chain
CN105989276B (en) * 2015-02-12 2019-01-15 阿里巴巴集团控股有限公司 Role's optimization method and device in RBAC permission system
CN104731489B (en) * 2015-04-03 2017-08-25 电子科技大学 A kind of method for secret protection applied suitable for roller blind
CN109002468A (en) * 2018-06-08 2018-12-14 浙江捷尚人工智能研究发展有限公司 The cluster anonymous methods and system of diagram data publication secret protection
CN110096895B (en) * 2019-03-22 2022-12-06 西安电子科技大学 Service privacy disclosure detection method based on associated graph and Internet of things service platform
CN112506925A (en) * 2020-12-01 2021-03-16 浙商银行股份有限公司 Data retrieval system and method based on block chain

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116070268A (en) * 2023-01-04 2023-05-05 北京夏石科技有限责任公司 Privacy data identification monitoring method, device and equipment
CN116070268B (en) * 2023-01-04 2024-01-26 北京夏石科技有限责任公司 Privacy data identification monitoring method, device and equipment

Also Published As

Publication number Publication date
CN110990878A (en) 2020-04-10
CN110990878B (en) 2021-09-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination