CN114595481A - Method, device, equipment and storage medium for processing response data - Google Patents

Method, device, equipment and storage medium for processing response data Download PDF

Info

Publication number
CN114595481A
CN114595481A CN202210222286.2A CN202210222286A CN114595481A CN 114595481 A CN114595481 A CN 114595481A CN 202210222286 A CN202210222286 A CN 202210222286A CN 114595481 A CN114595481 A CN 114595481A
Authority
CN
China
Prior art keywords
access
data
desensitization
interface
party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210222286.2A
Other languages
Chinese (zh)
Inventor
钟丹东
李业兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Baowangda Software Technology Co ltd
Original Assignee
Jiangsu Baowangda Software Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Baowangda Software Technology Co ltd filed Critical Jiangsu Baowangda Software Technology Co ltd
Priority to CN202210222286.2A priority Critical patent/CN114595481A/en
Publication of CN114595481A publication Critical patent/CN114595481A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103Challenge-response

Abstract

The invention discloses a method, a device, equipment and a storage medium for processing response data. Wherein, the method comprises the following steps: responding to a data access request sent by an access party, and acquiring response data corresponding to the data access request; determining access account information of the access party according to the access token of the access party; desensitizing the response data according to the access account information, the client desensitizing strategy of the access party and the interface desensitizing strategy of the access interface; and feeding back response data after desensitization processing to the access party. According to the technical scheme, different desensitization strategies can be provided for users with different access rights, and sensitive data desensitization service is flexibly provided for an access party aiming at access account information of the access party.

Description

Method, device, equipment and storage medium for processing response data
Technical Field
The embodiment of the invention relates to the field of computers, in particular to a method, a device, equipment and a storage medium for processing response data.
Background
With the development of computer technology, it is more and more common to acquire response data by sending a data access request to a server, however, the response data fed back by the server may contain sensitive data such as an identity card number, a mobile phone number, a card number, a client number, and the like, so that a proper desensitization scheme needs to be formulated to perform desensitization processing on the sensitive data in the response data. Therefore, how to flexibly and accurately perform desensitization processing on response data is a problem which needs to be solved at present.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for processing response data, which are used for desensitizing the response data fed back to an access party.
In a first aspect, an embodiment of the present invention provides a method for processing response data, including:
responding to a data access request sent by an access party, and acquiring response data corresponding to the data access request;
determining access account information of the access party according to the access token of the access party;
desensitizing the response data according to the access account information, a client desensitizing strategy of an access party and an interface desensitizing strategy of an access interface;
and feeding back response data after desensitization processing to the access party.
In a second aspect, an embodiment of the present invention further provides a device for processing response data, including:
the response data acquisition module is used for responding to a data access request sent by an access party and acquiring response data corresponding to the data access request;
the access account information determining module is used for determining the access account information of the access party according to the access token of the access party;
the response data desensitization module is used for desensitizing the response data according to the access account information, the client desensitization strategy of the access party and the interface desensitization strategy of the access interface;
and the response data feedback module is used for feeding back the desensitized response data to the access party.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for processing the response data according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements a method for processing response data according to any embodiment of the present invention.
According to the technical scheme provided by the embodiment of the invention, the response data corresponding to the data access request is intercepted and acquired through the information security system. Determining access account information of an access party based on an access token of the access party, desensitizing sensitive data in response data according to the access account information, a client desensitizing policy of the access party and an interface desensitizing policy of an access interface to obtain desensitized response data, and feeding back the desensitized response data to the access party. According to the scheme, whether desensitization processing is carried out on response data fed back to an access party or not is flexibly determined according to access account information, a client desensitization strategy of the access party and an interface desensitization strategy of an access interface, desensitization service of response data to a specific access party through the interface desensitization strategy of the access interface can be supported, different desensitization strategies are provided for users with different access rights, the problem that desensitization processing is carried out on the access interface by adopting a uniform desensitization mode corresponding to the response data, the flexibility is poor is solved, and the effect of providing sensitive data desensitization service for the access party flexibly according to the access account information of the access party is achieved.
Drawings
Fig. 1 is a flowchart of a method for processing response data according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for processing response data according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for processing response data according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of a device for processing response data according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for processing response data according to an embodiment of the present invention, which is applicable to how to process data. The method may be performed by a processing device for providing product response data according to an embodiment of the present invention, and the device may be implemented in software and/or hardware. The device can be configured in an information security system, and the information security system can be configured in electronic equipment, and the method specifically comprises the following steps:
and S110, responding to the data access request sent by the access party, and acquiring response data corresponding to the data access request.
The access request data refers to an access request sent by an access party when the access party needs to acquire the network data. The response data refers to network data which is fed back to the access party by the target object according to the access request data of the access party and is acquired by the access party.
Specifically, the information security system is adopted to detect whether the access interface receives a data access request sent by an access party in real time, and when the access party sends the access request to the access interface, the access interface feeds back response data to the access party according to the access request of the access party. When detecting that an access request is sent to an access interface by an access direction, the information security system intercepts and acquires response data fed back to the access direction by the access interface based on data of the access direction, and simultaneously acquires the data access request sent by the access direction to the access interface.
And S120, determining the access account information of the access party according to the access token of the access party.
The access token is a simulation token used for identifying access account information of an access party, and the access account information comprises an access party account and access party authority.
Wherein the access party authority comprises the access authority of the access party to the sensitive data with different levels.
Specifically, the access account information of the access party is pre-stored in a storage space of the information security system, and when the access party logs in an operating system page, the operating system can create an access token for the access party, wherein the access token comprises a system identification code returned by a login process of the access party and a permission list allocated to the access party. The data access request sent by the access party carries an access token of the access party, the information security system intercepts and acquires response data, then further acquires the data access request of the access party, acquires the access token of the access party according to the data access request of the access party, calls an identity query interface of the access party through the access token, and queries account information matched with the access token of the access party from a storage space of the information security system to serve as the account information of the access party.
S130, desensitizing treatment is carried out on the corresponding answer data according to the access account information, the client desensitizing strategy of the access party and the interface desensitizing strategy of the access interface.
The client desensitization policy of the access party refers to a desensitization policy configured for the access party in advance through an HTTP (Hyper Text Transfer Protocol) Protocol proxy service according to actual requirements of the access party and access party authority of the access party. The interface desensitization strategy of the access interface refers to a desensitization strategy which is configured for the access interface in advance through an HTTP protocol proxy service according to actual needs.
Specifically, according to actual needs, an interface desensitization policy is configured for an access interface in advance, and a client desensitization policy is configured for an access party. The client desensitization strategy of the access party and the interface desensitization strategy of the access interface are stored in the storage space of the information security system in advance. The desensitization strategy comprises a preset desensitization mode for desensitizing sensitive data and desensitization treatment of sensitive data in response data fed back to an access party by adopting different desensitization modes according to the access party with different access rights. Sensitive data refers to data that may cause serious harm to the society or individuals after leakage. For example, the sensitive data is divided into primary sensitive data, secondary sensitive data, and tertiary sensitive data. The data with the greatest harm possibly brought to the society or individuals after the first-level sensitive data are leaked, and the data with the least harm possibly brought to the society or individuals after the third-level sensitive data are leaked. If the access party has the access authority of the second-level sensitive data and the third-level sensitive data, the client desensitization strategy of the access party comprises desensitizing only the first-level sensitive data. Desensitization modalities include: invalidation, random value substitution, data substitution, symmetric encryption, averaging, and offset rounding, etc.
Further, after the information security system acquires response data corresponding to the data access request, whether the response data contain sensitive data or not is judged, and if the response data do not contain sensitive data, the access interface is controlled to feed the response data back to the access party; if the response data contains sensitive data, determining whether the access party has the access authority of the sensitive data contained in the response data according to the access account information, and if the access party has the access authority of the sensitive data, controlling the access interface to feed the response data back to the access party; if the access party does not have the access authority of the sensitive data, further determining whether a client desensitization strategy of the access party is consistent with an interface desensitization strategy of the access interface, and if the client desensitization strategy is inconsistent with the interface desensitization strategy, controlling the access interface to feed back response data to the access party; and if the client desensitization strategy is consistent with the interface desensitization strategy, the access interface performs desensitization processing on the response data according to the interface desensitization strategy to obtain desensitized response data.
And S140, feeding the response data after desensitization back to the access party.
Specifically, the access interface performs desensitization processing on the response data by adopting a desensitization mode set in the interface desensitization strategy according to the interface desensitization strategy, and feeds the desensitized response data back to the access party after desensitization processing is obtained.
According to the technical scheme provided by the embodiment, the response data corresponding to the data access request is intercepted and acquired through the information security system. Determining access account information of an access party based on an access token of the access party, desensitizing sensitive data in response data according to the access account information, a client desensitizing policy of the access party and an interface desensitizing policy of an access interface to obtain desensitized response data, and feeding back the desensitized response data to the access party. According to the scheme, whether desensitization treatment is carried out on response data fed back to the access party or not is flexibly determined according to the access account information, the client desensitization strategy of the access party and the interface desensitization strategy of the access interface, desensitization service of response data to a specific access party through the interface desensitization strategy of the access interface can be supported, different desensitization strategies are provided for users with different access rights, the problem that desensitization treatment is carried out on response data by the access interface in a unified desensitization mode is solved, flexibility is poor, and the effect of providing desensitization service of sensitive data for the access party flexibly according to the access account information of the access party is achieved.
Example two
Fig. 2 is a flowchart of a processing method of response data according to a second embodiment of the present invention, which is optimized based on the above embodiments, and provides an optional embodiment of performing desensitization processing on response data according to a matching relationship between a client desensitization policy and an interface desensitization policy of an access interface and a matching relationship between access account information and service account information. Specifically, as shown in fig. 2, the method for processing response data provided in this embodiment may include:
s210, responding to the data access request sent by the access party, and acquiring response data corresponding to the data access request.
And S220, determining the access account information of the access party according to the access token of the access party.
Preferably, another implementable manner of determining the access account information of the accessing party according to the access token of the accessing party in the embodiment may be to determine whether the request resource information of the accessing party is consistent with the interface resource information of the access interface; and if the access account information is consistent with the access token of the access party, determining the access account information of the access party according to the access token of the access party.
The Resource information refers to a URL (Uniform Resource Locator), and the URL may be used to identify a network Resource. The URL includes the HTTP protocol, domain name, path, query parameters, and anchor point of the network resource. The resource information request refers to resource information requested to be acquired by the access party through the data access request; the interface resource information refers to resource information of an interface desensitization strategy of an access interface.
Specifically, the data access request of the access party carries request resource information of the access party, and the response data corresponding to the data access request carries interface resource information of the access interface. The information security system intercepts and acquires the response data and simultaneously acquires the data access request of the access party, extracts the request resource information of the access party from the data access request of the access party, and extracts the interface resource information of the access interface from the response data. And comparing the request resource information with the interface resource information, and if the comparison result of the request resource information and the interface resource information is consistent, determining the access account information of the access party according to the access token of the access party.
Optionally, if the comparison result between the request resource information and the interface resource information is inconsistent, the information of data access failure is fed back to the access party. Or, if the comparison result of the request resource information and the interface resource information is inconsistent, directly feeding back response data to the access party.
Whether the access party meets the condition that the access interface executes the response data desensitization service is preliminarily judged according to the consistency of the request resource information of the access party and the interface resource information of the access interface, and when the access party does not meet the condition that the access interface executes the response data desensitization service, the response data can be timely fed back to the access party, so that the data feedback efficiency is improved.
S230, determining a first matching relation between the client desensitization strategy of the access party and the interface desensitization strategy of the access interface.
Specifically, the information security system intercepts and acquires response data of the access interface, acquires an interface desensitization strategy of the access interface, and determines a client desensitization strategy of the access party according to access account information of the access party. And matching the client desensitization strategy and the interface desensitization strategy, and determining a first matching relationship between the client desensitization strategy of the access party and the interface desensitization strategy of the access interface according to a matching result. If the matching results of the client desensitization strategy and the interface desensitization strategy are consistent, the first matching relationship is that the client desensitization strategy is matched with the interface desensitization strategy; if the matching result of the client desensitization strategy and the interface desensitization strategy is inconsistent, the first matching relationship is that the client desensitization strategy is not matched with the interface desensitization strategy.
Preferably, the first matching relationship between the client desensitization policy and the interface desensitization policy is determined according to the request resource information of the access party and the interface resource information of the access interface.
Specifically, the information security system intercepts and acquires response data and simultaneously acquires a data access request of an access party, acquires request resource information of the access party and interface resource information of an access interface according to the data access request of the access party, compares the request resource information with the interface resource information, and determines that the first matching relationship is matching if the comparison result of the request resource information and the interface resource information is consistent; and if the comparison result of the request resource information and the interface resource information is inconsistent, determining that the first matching relationship is not matched.
And S240, if the first matching relationship is matching, determining a second matching relationship between the access account information and the service account information.
The service account information refers to account information of an access interface which needs to provide desensitized data service.
Specifically, according to actual requirements, a desensitization strategy is allocated to the access interface in advance, a service account is allocated to the access interface, and the service account information and the desensitization strategy are stored in a storage space of the access interface. And if the first matching relationship between the client desensitization strategy and the interface desensitization strategy is determined to be matching, further determining whether the access account information and the service account information are consistent. If the access account information is consistent with the service account information, determining that the second matching relationship is matching; and if the access account information and the service account information are inconsistent, determining that the second matching relationship is not matched.
And S250, if the second matching relation is matching, performing desensitization treatment on the corresponding answer data.
Specifically, if the second matching relationship between the access account information and the service account information is matching, an interface desensitization policy of the access interface is adopted, desensitization processing is performed on the response data, and the response data after desensitization processing is obtained.
Optionally, if the first matching relationship and/or the second matching relationship are not matched, the response data is fed back to the access party client.
Preferably, a desensitization rule of the sensitive data may be determined according to a data type of the sensitive data in the response data, and desensitization may be performed on the sensitive data based on the desensitization rule of the sensitive data. Specifically, the method can be realized by the following substeps:
s2501, sensitive data in the response data are obtained.
Specifically, after the information security system intercepts and acquires the response data, sensitive data contained in the response data is determined. For example, the sensitive data may be determined by constructing a sensitive database, where the sensitive database contains common sensitive data. The method comprises the steps of performing segmentation processing on response data to obtain a response data segment, performing similarity comparison on the response data segment and sensitive data in a sensitive database, setting a similarity threshold according to actual needs, and determining that the sensitive data exists in the response data segment if the similarity between the response data segment and any sensitive data stored in the sensitive database is greater than or equal to the similarity threshold; and if the similarity of the response data segment and any sensitive data stored in the sensitive database is smaller than the similarity threshold, determining that no sensitive data exists in the response data segment.
S2502, determining the data type of the sensitive data.
The data type of the sensitive data refers to a category to which the sensitive data belongs, and for example, the data type of the sensitive data may include: field data, letter data, message data, and numeric data.
Specifically, after the sensitive data in the response data are acquired, the data type of the sensitive data in the response data is analyzed, and the data type of the sensitive data is determined.
S2503, determining a desensitization rule of the sensitive data according to the data type.
The desensitization rule refers to a desensitization mode adopted when desensitization is performed on sensitive data of different data types. And setting a desensitization mode in the desensitization strategy to determine a desensitization rule of the sensitive data according to the desensitization strategy.
Specifically, a desensitization mode in the interface desensitization strategy is preset, that is, a desensitization mode for setting sensitive data for different types of sensitive data is set, and a desensitization rule is determined based on the desensitization mode for different types of sensitive data. The response data may include one sensitive data, or may include two or more sensitive data. After the data type of the sensitive data in the response data is determined, different desensitization modes are adopted for the sensitive data of different data types based on desensitization rules of the sensitive data.
Illustratively, the desensitization rule may be: for sensitive data with the data type of field data, desensitizing the sensitive data by adopting a desensitization mode of invalidation treatment; for sensitive data with the data type of letter data, desensitizing the sensitive data by adopting a desensitizing mode of random value replacement or data replacement; desensitizing sensitive data with a data type of message data by adopting a symmetric encryption desensitizing mode; for sensitive data with the data type of numerical data, desensitizing the sensitive data by adopting a desensitizing mode of taking an average value or an offset integer. The desensitization mode of the invalidation processing refers to desensitizing the sensitive data by cutting, encrypting or hiding the field data value when processing the data to be desensitized, so that the sensitive data has no use value any more. The desensitization of the invalidation process may be by replacing sensitive data with special characters. Desensitization by random value replacement refers to changing letters in sensitive data to random letters using random numbers. The desensitization mode of data replacement refers to replacing sensitive data with a set virtual value, for example, when the sensitive data is resolved to be a mobile phone number, the sensitive data is replaced with "123456". The desensitization mode of symmetric encryption is to encrypt sensitive data through an encryption key and an algorithm, the format of a ciphertext is consistent with that of original data in a logic rule, and the original data can be recovered through key decryption. The desensitization mode of the average value is often used in a statistical scene, and for numerical data, the average value of the numerical data is calculated first, so that the data values of the desensitized response data are randomly distributed around the average value, and the sum of the response data is kept unchanged. Desensitization by offset rounding refers to changing the digital data by random shifting.
S2504, desensitizing processing is conducted on the sensitive data based on desensitizing rules.
Specifically, through the access interface, desensitization processing is performed on different types of sensitive data in response data in different desensitization modes based on desensitization rules, and response data after desensitization processing are obtained.
For example, the response data may be segmented to obtain response data segments, and it may be determined whether sensitive data exists in each response data segment. The response data segment without the sensitive data is not processed; and for the response data segment with the sensitive data, determining the data type of the sensitive data in the response data segment, and desensitizing the sensitive data by adopting a desensitizing mode corresponding to the data type of the sensitive data based on a desensitizing rule. After desensitization treatment of the sensitive data in all the response data segments is completed, the response data segments without the sensitive data and the response data segments after desensitization treatment are sequentially arranged according to the data sequence of the response data to obtain the response data after desensitization treatment.
By formulating desensitization rules in the desensitization strategy, different desensitization modes are adopted for different types of sensitive data in response data, so that the desensitization strategy is more flexible and the applicability is wider.
And S260, feeding back the response data after desensitization processing to the access party.
According to the technical scheme provided by the embodiment, a first matching relationship between a client desensitization strategy of an access party and an interface desensitization strategy of an access interface is determined, a second matching relationship between access account information and service account information is determined, and whether desensitization processing is performed on corresponding answer data is determined according to the first matching relationship and the second matching relationship. And when the first matching relationship and the second matching relationship are both matched, desensitization processing is performed on the response data according to an interface desensitization strategy of the access interface, so that the accuracy of the access interface in determining whether the access party is a service account needing desensitization service is ensured, and abnormal data processing caused by misjudgment of the access party by the access interface is avoided.
EXAMPLE III
Fig. 3 is a flowchart of a processing method for response data according to a third embodiment of the present invention, and this embodiment is suitable for performing data processing on response data of an access interface when the access interface feeds back response data to an access party based on a data access request of the access party, so as to implement a situation of desensitizing sensitive data in the response data. Specifically, as shown in fig. 3, the method for processing response data provided in this embodiment may include:
and configuring an interface desensitization strategy for the access interface through the HTTP protocol proxy service, wherein the interface desensitization strategy comprises desensitization rules of sensitive data. And allocating a service account for the access interface, wherein the client desensitization policy of the service account configured for the access interface is consistent with the interface desensitization policy of the access interface. And storing the service account number allocated for the access interface and the interface desensitization strategy of the access interface in a storage space of the access interface.
The access direction sends a data access request to the access interface, and the access interface generates response data according to the data access request. The information security system intercepts and acquires a data access request of an access party and response data of an access interface, acquires a URL (uniform resource locator) of the data access request and a URL of the access interface, takes the URL of the data access request as request resource information of the access party, and takes the URL of the access interface as interface resource information of the access interface. Determining whether the URL of the data access request is consistent with the URL of the access interface, and if the URL of the data access request is inconsistent with the URL of the access interface, feeding response data serving as response data back to the access party by the access interface; and if the URL of the data access request is consistent with the URL of the access interface, acquiring an access token of the access party, calling an identity query interface of the access party, and determining access account information of the access party according to the access token of the access party. Comparing whether the access account information of the access party is consistent with the service account information of the access interface or not, and if the access account information of the access party is inconsistent with the service account information of the access interface, feeding response data serving as response data back to the access party by the access interface; and if the access account information of the access party is consistent with the service account information of the access interface, determining that the client desensitization strategy of the access party is consistent with the interface desensitization strategy of the access interface. Further, whether the response data contain sensitive data is determined, and if the response data do not contain the sensitive data, the access interface feeds the response data serving as response data back to the access party; and if the response data contains the sensitive data, determining the data type of the sensitive data, inquiring a desensitization rule of the sensitive data defined in the interface desensitization strategy, performing desensitization treatment on the sensitive data in the response data by adopting a desensitization mode corresponding to the data type of the sensitive data in the response data according to the desensitization rule of the sensitive data, and feeding back the desensitized response data serving as response data to the access party.
According to the technical scheme provided by the embodiment, the interface desensitization strategy is configured for the access interface in advance, and the service account is allocated for the access interface. The information security system can acquire the access account information of the access party, the URL of the data access request and the URL of the access interface according to the data access request of the access party and the response data of the access interface, and determine whether to perform desensitization processing on the response data of the access interface according to the consistency of the URL of the data access request and the URL of the access interface, the consistency of the access account information of the access party and the service account information of the access interface and whether the response data contains sensitive data. If the response data of the access interface needs to be processed, the desensitization rule of the sensitive data can be further determined based on the data type of the sensitive data in the response data. According to the scheme, the access interface can perform flexible desensitization processing on response data fed back to the access party based on account information of the access party, so that the requirement of desensitization of response data of different access parties is met.
Example four
Fig. 4 is a schematic structural diagram of a response data processing apparatus according to a fourth embodiment of the present invention, which is applicable to a case of performing desensitization processing on response data fed back to an access party by an access interface, as shown in fig. 4, the response data processing apparatus includes: a response data acquisition module 410, an access account information determination module 420, a response data desensitization module 430, and a response data feedback module 440.
The response data obtaining module 410 is configured to, in response to a data access request sent by an access party, obtain response data corresponding to the data access request;
an access account information determining module 420, configured to determine access account information of an accessing party according to an access token of the accessing party;
the response data desensitization module 430 is configured to perform desensitization processing on response data according to the access account information, the client desensitization policy of the access party, and the interface desensitization policy of the access interface;
and the response data feedback module 440 is configured to feed back the desensitized response data to the access party.
According to the technical scheme provided by the embodiment, the response data corresponding to the data access request is intercepted and acquired through the information security system. Determining access account information of an access party based on an access token of the access party, desensitizing sensitive data in response data according to the access account information, a client desensitizing policy of the access party and an interface desensitizing policy of an access interface to obtain desensitized response data, and feeding back the desensitized response data to the access party. According to the scheme, whether desensitization treatment is carried out on response data fed back to the access party or not is flexibly determined according to the access account information, the client desensitization strategy of the access party and the interface desensitization strategy of the access interface, desensitization service of response data to a specific access party through the interface desensitization strategy of the access interface can be supported, different desensitization strategies are provided for users with different access rights, the problem that desensitization treatment is carried out on response data by the access interface in a unified desensitization mode is solved, flexibility is poor, and the effect of providing desensitization service of sensitive data for the access party flexibly according to the access account information of the access party is achieved.
Wherein, the response data desensitization module 430 further comprises:
the first matching relation determining module is used for determining a first matching relation between a client desensitization strategy of an access party and an interface desensitization strategy of an access interface;
the second matching relationship determining module is used for determining a second matching relationship between the access account information and the service account information if the first matching relationship is matching;
and the desensitization processing determining module is used for performing desensitization processing on the corresponding answer data if the second matching relationship is matching.
Illustratively, the first matching relationship determining module is specifically configured to:
and determining a first matching relationship between the client desensitization strategy and the interface desensitization strategy according to the request resource information of the access party and the interface resource information of the access interface.
Illustratively, the second matching relationship determining module is specifically configured to:
and if the first matching relation and/or the second matching relation are/is not matched, feeding the response data back to the access party client.
Further, the response data desensitization module 430 is specifically configured to:
sensitive data in the response data are obtained;
determining a data type of the sensitive data;
determining a desensitization rule of the sensitive data according to the data type;
and desensitizing the sensitive data based on desensitizing rules.
Illustratively, the access account information determining module 420 is further configured to:
determining whether the request resource information of the access party is consistent with the interface resource information of the access interface;
and if so, determining the access account information of the access party according to the access token of the access party.
The processing device for response data provided by the embodiment can be applied to the processing method for response data provided by any embodiment, and has corresponding functions and beneficial effects.
EXAMPLE five
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention. FIG. 5 illustrates a schematic diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM)12, a Random Access Memory (RAM)13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM)12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 may also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the respective methods and processes described above, such as the processing method of the response data.
In some embodiments, the method of processing the response data may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the processing method of the reply data described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured by any other suitable means (e.g. by means of firmware) to perform the processing method of the reply data.
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), system on a chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired result of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for processing response data, comprising:
responding to a data access request sent by an access party, and acquiring response data corresponding to the data access request;
determining access account information of the access party according to the access token of the access party;
desensitizing the response data according to the access account information, the client desensitizing strategy of the access party and the interface desensitizing strategy of the access interface;
and feeding back response data after desensitization processing to the access party.
2. The method according to claim 1, wherein the desensitizing processing of the response data according to the access account information, the client desensitizing policy of the accessing party, and the interface desensitizing policy of the access interface comprises:
determining a first matching relationship between a client desensitization policy of an access party and an interface desensitization policy of an access interface;
if the first matching relationship is matching, determining a second matching relationship between the access account information and the service account information;
and if the second matching relationship is matching, desensitizing the response data.
3. The method of claim 2, wherein determining a first matching relationship between a client desensitization policy of the accessing party and an interface desensitization policy of the accessing interface comprises:
and determining a first matching relationship between the client desensitization strategy and the interface desensitization strategy according to the request resource information of the access party and the interface resource information of the access interface.
4. The method according to claim 2, characterized in that if the first matching relationship and/or the second matching relationship is/are not matched, the response data is fed back to the accessing client.
5. The method of claim 1 or 2, wherein said desensitizing said response data comprises:
sensitive data in the response data are obtained;
determining a data type of the sensitive data;
determining desensitization rules of the sensitive data according to the data type;
desensitizing the sensitive data based on the desensitization rule.
6. The method of claim 1, wherein determining access account information of the accessing party according to the access token of the accessing party further comprises:
determining whether the request resource information of the access party is consistent with the interface resource information of the access interface;
and if the access account information is consistent with the access token of the access party, determining the access account information of the access party according to the access token of the access party.
7. An apparatus for processing response data, comprising:
the response data acquisition module is used for responding to a data access request sent by an access party and acquiring response data corresponding to the data access request;
the access account information determining module is used for determining the access account information of the access party according to the access token of the access party;
the response data desensitization module is used for desensitizing the response data according to the access account information, the client desensitization strategy of the access party and the interface desensitization strategy of the access interface;
and the response data feedback module is used for feeding back the desensitized response data to the access party.
8. The apparatus of claim 7, wherein the response data desensitization module further comprises:
the first matching relation determining module is used for determining a first matching relation between a client desensitization strategy of an access party and an interface desensitization strategy of an access interface;
a second matching relationship determination module, configured to determine a second matching relationship between the access account information and the service account information if the first matching relationship is a match;
and the desensitization processing determining module is used for performing desensitization processing on the response data if the second matching relationship is matching.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
storage means for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement a method of processing reply data as claimed in any one of claims 1 to 6.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method of processing reply data according to any one of claims 1 to 6.
CN202210222286.2A 2022-03-09 2022-03-09 Method, device, equipment and storage medium for processing response data Pending CN114595481A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210222286.2A CN114595481A (en) 2022-03-09 2022-03-09 Method, device, equipment and storage medium for processing response data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210222286.2A CN114595481A (en) 2022-03-09 2022-03-09 Method, device, equipment and storage medium for processing response data

Publications (1)

Publication Number Publication Date
CN114595481A true CN114595481A (en) 2022-06-07

Family

ID=81816333

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210222286.2A Pending CN114595481A (en) 2022-03-09 2022-03-09 Method, device, equipment and storage medium for processing response data

Country Status (1)

Country Link
CN (1) CN114595481A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305071A (en) * 2023-03-18 2023-06-23 广州锦拓信息科技有限公司 Account password security system based on artificial intelligence

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305071A (en) * 2023-03-18 2023-06-23 广州锦拓信息科技有限公司 Account password security system based on artificial intelligence
CN116305071B (en) * 2023-03-18 2023-09-26 广州锦拓信息科技有限公司 Account password security system based on artificial intelligence

Similar Documents

Publication Publication Date Title
US10091230B1 (en) Aggregating identity data from multiple sources for user controlled distribution to trusted risk engines
CN110610196B (en) Desensitization method, system, computer device and computer readable storage medium
US11762979B2 (en) Management of login information affected by a data breach
US10104112B2 (en) Rating threat submitter
WO2009094086A2 (en) A feedback augmented object reputation service
CN109547426B (en) Service response method and server
JP2022166187A (en) Method, device, and electronic apparatus for determining instance risk level in cloud server
CN114595481A (en) Method, device, equipment and storage medium for processing response data
CN116781425B (en) Service data acquisition method, device, equipment and storage medium
CN116015840B (en) Data operation auditing method, system, equipment and storage medium
CN117195263A (en) Database encryption method and device
CN114372078A (en) Data security protection method and device
CN113824717A (en) Configuration checking method and device
US10395058B1 (en) Systems and methods for obtaining anonymized information derived from data obtained from external data providers
CN115622794B (en) Encryption and decryption method, device, equipment and storage medium
CN112637110B (en) Method for detecting password, password detection device and storage medium
CN115859349B (en) Data desensitization method and device, electronic equipment and storage medium
EP3806019A1 (en) Systems and methods for gated offer eligibility verification
CN116594894A (en) Interface testing method and device, electronic equipment and storage medium
CN117313133A (en) Data desensitization method, device, equipment and storage medium
CN115643002A (en) Service processing method, device and storage medium
CN117077199A (en) File access control method, device, equipment and medium
CN116305277A (en) Data processing method, device, medium and electronic equipment
CN115238310A (en) Data encryption and decryption method, device, equipment and storage medium
CN116208423A (en) Message encryption method, message decryption method, message encryption device and message decryption device and program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination