CN114666138A - Data protection method and protection system - Google Patents


Info

Publication number: CN114666138A
Authority: CN (China)
Prior art keywords: cloud server, client, access, reading, data
Prior art date
Legal status: Withdrawn
Application number: CN202210299823.3A
Other languages: Chinese (zh)
Inventor: 张永印
Current Assignee: Shandong Dingxia Intelligent Technology Co ltd
Original Assignee: Shandong Dingxia Intelligent Technology Co ltd
Priority date
Filing date
Publication date

Events:
Application filed by Shandong Dingxia Intelligent Technology Co ltd
Priority to CN202210299823.3A
Publication of CN114666138A
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/45 Structures or tools for the administration of authentication

Abstract

The invention belongs to the field of computers and provides a data protection method and a protection system comprising the following steps: setting different protection levels for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection level of the second cloud server is higher than that of the first cloud server; acquiring an access instruction sent by a user from a client, and analyzing an access requirement from the access instruction together with the corresponding access authority; matching the client access authority with the access authority of the target cloud server named in the access requirement; and admitting the client to execute the operation instruction when the previously obtained operation request type matches the operation permission level type of the target cloud server. The method has the beneficial effect that data can be effectively protected while the user's operation remains convenient.

Description

Data protection method and protection system
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a data protection method and a protection system.
Background
Data is a representation of facts, concepts or instructions that can be processed manually or by automatic devices; data processing essentially consists of acquisition, storage, retrieval, processing, transformation, transmission and the like.
As the importance attached to data security grows, individuals and enterprises generally spend more money on security products such as firewalls, VPNs, intrusion prevention systems, application control gateways and various antivirus software, hoping to construct an all-round secure office environment in which all data is generated and used, so as to guarantee the security of data whose value far exceeds that of the devices themselves.
The cloud computing server, also called a cloud server or cloud host, is a host product in a cloud computing service system; it effectively overcomes the high management difficulty and weak business expansibility of traditional physical hosts and VPS services. However, protecting and storing data on a cloud server usually requires considerable funds, and even so the cloud server's ability to protect the data does not achieve the ideal effect.
Disclosure of Invention
An embodiment of the present invention provides a data protection method and a protection system intended to solve the problems set out in the background art above.
The embodiment of the present invention is implemented as follows. In one aspect, a data protection method includes the following steps:
setting different protection levels for a plurality of cloud servers, and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection level of the second cloud server is higher than that of the first cloud server;
acquiring an access instruction sent by a user from a client, and analyzing an access requirement from the access instruction together with the corresponding access authority;
matching the client access authority with the target cloud server access authority in the access requirement;
admitting the client to execute an operation instruction when the previously obtained operation request type matches the operation permission level type of the target cloud server;
detecting the operation instruction that the client requests to execute; when the client is detected to request execution of a non-malicious operation instruction, allowing the user to perform a non-reading operation on the first cloud server via the client, converting the non-reading operation instruction that meets the safety requirement into storage data, and storing the storage data in the second cloud server;
when the client is detected to request execution of a reading operation instruction, allowing the user, via the client, to perform direct reading on the first cloud server and indirect reading associated with the second cloud server.
As a further scheme of the present invention, the step of setting different protection levels for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection level of the second cloud server is higher than that of the first cloud server, specifically includes:
acquiring current cloud server information, wherein the cloud server information at least comprises the number of cloud servers and their corresponding memory;
classifying the cloud servers so that the cloud server categories comprise a first cloud server and a second cloud server;
and obtaining firewall programs of different grades and running them on the first cloud server and the second cloud server, wherein the protection grade of the firewall program on the first cloud server is lower than that of the firewall program on the second cloud server.
As a still further scheme of the present invention, classifying the cloud servers specifically includes:
allocating the number of cloud servers so that there is at least one first cloud server and at least one second cloud server;
and calculating the total memory of each category of cloud server, so that the total memory of the second cloud server is not less than the total memory of the first cloud server.
As a further scheme of the present invention, acquiring an access instruction sent by a user from a client and analyzing an access requirement from the access instruction in combination with the corresponding access right specifically includes:
receiving an access instruction sent by a user at a client;
verifying the security access level of the account corresponding to the client based on the access instruction;
matching the corresponding client access rights according to the security access level of the account;
and extracting the target cloud server access object from the user's access instruction.
As a further scheme of the present invention, matching the client access right with the target cloud server access right in the access requirement specifically includes:
acquiring the corresponding operation permission of the target cloud server;
detecting whether the access authority of the client matches the operation authority corresponding to the target cloud server;
and if so, releasing the corresponding cloud server operation authority according to the access requirement; otherwise, sending a single access-refusal instruction to the client and setting the corresponding cloud server access port as an access-refusal port for that client.
As a further scheme of the present invention, admitting the client to execute the operation instruction when the previously obtained operation request type matches the operation permission level type of the target cloud server specifically includes:
acquiring the user's operation request type after the user accesses the target cloud server from the client;
obtaining the predefined operation permission level types of the first cloud server and the second cloud server, wherein the first cloud server allows non-reading and reading, and the second cloud server only allows indirect non-reading;
and setting a client whose operation request type matches the operation permission level type of the target cloud server to which it is admitted as a client allowed to execute the corresponding operation instruction.
As a further scheme of the present invention, converting the non-reading operation instruction that meets the security requirement into storage data and storing the storage data in the second cloud server specifically includes:
performing safety detection on the non-reading operation instruction that the client requests to execute, and acquiring non-reading operation data when the safety detection result conforms;
normalizing the non-reading operation data and extracting its characteristic information, wherein the characteristic information at least comprises a data type and a characteristic of the reading result expected by the user;
calling the corresponding standard framework model from a model library according to the characteristic information, receiving parameter modifications to the standard framework model from the user, and performing unsupervised training on the non-reading operation data to obtain a reading model;
screening a plurality of data sets with different significant characteristics from the non-reading operation data, performing precision correction on the reading model based on these data sets, and, when the precision of the reading model reaches a set threshold, binding the reading model to the characteristic of the user's expected reading result, storing the reading model, and storing the non-reading operation data in the second cloud server.
As a further aspect of the present invention, when the client is detected to request execution of a reading operation instruction, allowing the user, via the client, to perform direct reading on the first cloud server and indirect reading associated with the second cloud server specifically includes:
acquiring the user's reading operation instruction, and extracting a target data type and a target expected reading result characteristic;
and applying the target data type and the target expected reading result characteristic to the corresponding reading model for processing, and feeding the processing result back to the corresponding client.
As a further aspect of the present invention, in another aspect, a data protection system includes:
a dividing module for setting different protection grades for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection grade of the second cloud server is higher than that of the first cloud server;
an analysis module for acquiring an access instruction sent by a user from a client and analyzing an access requirement from the access instruction and the corresponding access authority;
a matching module for matching the client access authority with the target cloud server access authority in the access requirement;
an execution module for admitting a client to execute the operation instruction when its previously obtained operation request type matches the operation permission level type of the target cloud server;
a first detection authorization module for detecting the operation instruction that the client requests to execute, allowing the user to perform a non-reading operation on the first cloud server via the client when the client is detected to request execution of a non-malicious operation instruction, and converting the non-reading operation instruction that meets the safety requirement into storage data and storing it in the second cloud server;
and a second detection authorization module for allowing the user, via the client, to perform direct reading on the first cloud server and indirect reading associated with the second cloud server when the client requests execution of a reading operation instruction.
According to the data protection method and system provided by the embodiment of the invention, the first cloud server allows non-reading and reading while the second cloud server only allows indirect non-reading. Combined with the protection level of the second cloud server being higher than that of the first, this balances capital cost against protection capability and effectively reduces the threat that malicious code and the like pose to the main storage location of the data, namely the second cloud server. At the same time, the target data of the second cloud server can still be read through an indirect channel (the client and the first cloud server), which keeps the user's operation convenient; in particular, establishing a reading model can greatly improve the efficiency of indirectly obtaining the target processed data.
Drawings
Fig. 1 is a diagram of an implementation environment of a data protection method.
Fig. 2 is a main flow chart of a data protection method.
Fig. 3 is a flowchart for setting different protection levels for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server.
Fig. 4 is a flowchart for acquiring an access instruction sent by a user based on a client, and analyzing an access requirement based on the access instruction and a corresponding access right.
Fig. 5 is a flowchart of converting a non-read operation command meeting the security requirement into storage data and storing the storage data in the second cloud server.
Fig. 6 is a main structural diagram of a data protection system.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Specific implementations of the present invention are described in detail below with reference to specific embodiments.
The data protection method and the data protection system provided by the invention solve the technical problems described in the background art.
As shown in fig. 1 and fig. 2, which respectively show an implementation environment diagram and a main flow diagram of the data protection method, the data protection method includes:
step S10: setting different protection levels for a plurality of cloud servers, and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection level of the second cloud server is higher than that of the first cloud server;
step S11: acquiring an access instruction sent by a user from a client, and analyzing an access requirement from the access instruction together with the corresponding access authority;
step S12: matching the client access authority with the target cloud server access authority in the access requirement;
step S13: admitting the client to execute an operation instruction when the previously obtained operation request type matches the operation permission level type of the target cloud server; and
step S14: detecting the operation instruction that the client requests to execute; when the client is detected to request execution of a non-malicious operation instruction, allowing the user to perform a non-reading operation on the first cloud server via the client, converting the non-reading operation instruction that meets the safety requirement into storage data, and storing the storage data in the second cloud server;
step S15: when the client is detected to request execution of a reading operation instruction, allowing the user, via the client, to perform direct reading on the first cloud server and indirect reading associated with the second cloud server.
In this embodiment, when the method is applied, the protection level of the second cloud server is set higher than that of the first cloud server; an access instruction sent by the user from the client is obtained, and the access requirement is analyzed by combining the access instruction with the corresponding access authority. Only a client whose previously obtained operation request type matches the operation authority level type of the target cloud server is admitted to execute the operation instruction; that is, operation authority matching is carried out only after access authority matching succeeds. The operation types mainly comprise writing, reading, updating, deleting and the like; all of them except reading change the structure of the data to some degree, so they are defined as non-reading operations and distinguished from the reading operation. The operation instruction that the client requests to execute is detected: when the client requests execution of a non-malicious operation instruction, the user is allowed to carry out the non-reading operation on the first cloud server via the client, and the non-reading operation instruction that meets the safety requirement is converted into storage data and then stored in the second cloud server; when the client is detected to request execution of a reading operation instruction, the user is allowed, via the client, to read directly from the first cloud server and to read indirectly in association with the second cloud server. In other words, the first cloud server allows non-reading and reading, while the second cloud server only allows indirect non-reading. Combined with the protection grade of the second cloud server being higher than that of the first, this effectively reduces the threat that malicious code and the like pose to the main storage location of the data, namely the second cloud server, while the target data of the second cloud server can still be read through an indirect channel (the client and the first cloud server), which keeps the user's operation convenient.
As shown in fig. 3, as a preferred embodiment of the present invention, setting different protection levels for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, where the protection level of the second cloud server is higher than that of the first cloud server, specifically includes:
step S101: acquiring current cloud server information, wherein the cloud server information at least comprises the number of cloud servers and their corresponding memory;
step S102: classifying the cloud servers so that the cloud server categories comprise a first cloud server and a second cloud server;
step S103: and obtaining firewall programs of different grades and running them on the first cloud server and the second cloud server, wherein the protection grade of the firewall program on the first cloud server is lower than that of the firewall program on the second cloud server.
As a preferred embodiment of the present invention, classifying the cloud servers specifically includes:
step S1021: allocating the number of cloud servers so that there is at least one first cloud server and at least one second cloud server;
step S1022: and calculating the total memory of each category of cloud server, so that the total memory of the second cloud server is not less than the total memory of the first cloud server.
In this embodiment, when the method is applied, the total memory of the second cloud server is not less than that of the first cloud server; that is, the second cloud server is mainly used for storing data, while the first cloud server is mainly used for reading and writing (it is not used as the main storage, and a reading operation can read the flash data written during writing).
As shown in fig. 4, as a preferred embodiment of the present invention, acquiring an access instruction sent by a user from a client and analyzing an access requirement from the access instruction and the corresponding access right specifically includes:
step S111: receiving an access instruction sent by a user at a client;
step S112: verifying the security access level of the account corresponding to the client based on the access instruction;
step S113: matching the corresponding client access rights according to the security access level of the account;
step S114: and extracting the target cloud server access object from the user's access instruction.
As a preferred embodiment of the present invention, matching the client access right with the target cloud server access right in the access requirement specifically includes:
step S121: acquiring the corresponding operation permission of the target cloud server;
step S122: detecting whether the access authority of the client matches the operation authority corresponding to the target cloud server;
step S123: and if so, releasing the corresponding cloud server operation authority according to the access requirement; otherwise, sending a single access-refusal instruction to the client and setting the corresponding cloud server access port as an access-refusal port for that client.
In this embodiment, when the method is applied, operations can be performed only after the access authority has been matched. When detecting whether the access authority of the client matches the operation authority corresponding to the target cloud server, access can be refused once a preset frequency threshold is reached; that is, the number of tolerated mismatches between the client's access authority and the operation authority of the target cloud server can be set according to actual requirements.
As a preferred embodiment of the present invention, admitting the client to execute the operation instruction when the previously obtained operation request type matches the operation permission level type of the target cloud server specifically includes:
step S131: acquiring the user's operation request type after the user accesses the target cloud server from the client;
step S132: obtaining the predefined operation permission level types of the first cloud server and the second cloud server, wherein the first cloud server allows non-reading and reading, and the second cloud server only allows indirect non-reading;
step S133: and setting a client whose operation request type matches the operation permission level type of the target cloud server to which it is admitted as a client allowed to execute the corresponding operation instruction.
In this embodiment, when the method is applied, the admission operations of the cloud servers are set as follows: the first cloud server allows non-reading and reading, and the second cloud server only allows indirect non-reading, that is, subsequent indirect acquisition via the client and the first cloud server.
As shown in fig. 5, as a preferred embodiment of the present invention, converting the non-reading operation instruction that meets the security requirement into storage data and storing the storage data in the second cloud server specifically includes:
step S141: performing safety detection on the non-reading operation instruction that the client requests to execute, and acquiring non-reading operation data when the safety detection result conforms;
step S142: normalizing the non-reading operation data and extracting its characteristic information, wherein the characteristic information at least comprises a data type and a characteristic of the reading result expected by the user;
step S143: calling the corresponding standard framework model from a model library according to the characteristic information, receiving parameter modifications to the standard framework model from the user, and performing unsupervised training on the non-reading operation data to obtain a reading model;
step S144: after screening a plurality of data sets with different significant characteristics from the non-reading operation data, performing precision correction on the reading model based on these data sets; when the precision of the reading model reaches the set threshold, binding the reading model to the characteristic of the reading result expected by the user, storing the reading model, and storing the non-reading operation data in the second cloud server.
In this embodiment, when the method is applied, the processing may be based on the operating principle of a Convolutional Neural Network (CNN). Normalizing the non-reading operation data scales the amplitude of each data dimension to the same range, which reduces the interference caused by differing value ranges across dimensions. The data type is obtained mainly to facilitate subsequent processing of different kinds of data. The characteristic of the reading result expected by the user indicates what the user wishes to read, for example, when a video is processed, the number of frames in the video that contain a person. A standard framework model in the model library comprises the hierarchical structure of a neural network, for example: data input layer / convolution layer / activation layer / pooling layer / fully connected layer, where the convolution layer comprises the corresponding layer functions and the like. Unsupervised training (the counterpart of supervised training) improves the handling of large volumes of data and raises processing efficiency. Performing precision correction on the reading model with data sets that contain different significant characteristics noticeably improves the accuracy of the reading model's data processing (such as data classification and the image recognition in the later examples), so that the expected result can subsequently be obtained accurately; if the precision of the reading model does not reach the set threshold, the bias, initial weights and the like can be changed to obtain a reading model with ideal precision.
When the client is detected to request execution of a reading operation instruction, allowing the user, via the client, to perform direct reading on the first cloud server and indirect reading associated with the second cloud server specifically includes:
step S151: acquiring the user's reading operation instruction, and extracting a target data type and a target expected reading result characteristic;
step S152: and applying the target data type and the target expected reading result characteristic to the corresponding reading model for processing, and feeding the processing result back to the corresponding client.
When the method is applied, the target data type and the target expected reading result characteristic are applied to the corresponding reading model for processing, and the processing result is fed back to the corresponding client. The information is therefore not read directly from the second cloud server but indirectly, which effectively prevents the non-reading operations that malicious code could carry out during a direct read and thus effectively protects the data stored in the second cloud server. At the same time, applying the target data type and the target expected reading result characteristic to the corresponding reading model lets the trained reading model quickly read out the expected target, for example the number of high-definition pictures, the number of pictures containing people, or the number of frames of a specific scene contained in a video, which greatly improves the efficiency of indirectly acquiring the target processed data from the second cloud server.
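The admission logic of steps S12 to S15 above, including the preset mismatch threshold of step S123 and the indirect reading path of steps S151 and S152, as an added Python illustration written for this page (it is not code from the patent or from its assignee): the two tiers are plain dictionaries, the `Broker`, `Client` and `demo` names, the required access levels, the flash capacity, the fault-tolerance count and the safety rule are all assumed values, and the reading model is a constructed stand-in for the trained model rather than a CNN.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# Operation types named on the page: everything except "read" changes the data
# structure and counts as a non-reading operation (step S14).
READ_OPS = {"read"}
NON_READ_OPS = {"write", "update", "delete"}

@dataclass
class Client:
    account: str
    access_level: int           # security access level of the account (S112)
    mismatches: int = 0         # cumulative authority mismatches (assumed counting)
    denied_ports: set = field(default_factory=set)   # access-refusal ports (S123)

class Broker:
    """Front door for both tiers; levels, sizes and thresholds are assumed values."""

    def __init__(self, fault_tolerance=3, flash_capacity=2):
        self.first = OrderedDict()  # first cloud server: small read/write flash area
        self.second = {}            # second cloud server: main storage of the data
        self.flash_capacity = flash_capacity
        self.fault_tolerance = fault_tolerance  # preset frequency threshold (S123)
        self.required_level = {"first": 1, "second": 2}  # permission level per target
        # reading models bound to (data type, expected reading result characteristic);
        # a constructed stand-in for the trained model of steps S143/S144
        self.reading_models = {
            ("video", "frames_with_person"):
                lambda rec: sum(1 for f in rec["frames"] if f.get("person")),
        }

    def request(self, client, target, op, key, value=None, wanted=None):
        # S121-S123: client access authority vs. target server operation authority
        if target in client.denied_ports:
            return {"status": "denied", "reason": "port closed for this client"}
        if client.access_level < self.required_level.get(target, 99):
            client.mismatches += 1
            if client.mismatches >= self.fault_tolerance:
                client.denied_ports.add(target)
            return {"status": "denied", "reason": "access authority mismatch"}
        # S131-S133: operation request type vs. server operation permission level type
        if target == "second":
            return {"status": "denied", "reason": "second server allows only indirect non-read"}
        if op in NON_READ_OPS:
            return self._non_read(op, key, value)
        if op in READ_OPS:
            return self._read(key, wanted)
        return {"status": "denied", "reason": "unknown operation type"}

    @staticmethod
    def _safe(value):
        # S141 safety detection: a constructed rule (typed record of bounded size)
        # standing in for the check the page leaves unspecified
        return (isinstance(value, dict) and isinstance(value.get("type"), str)
                and len(repr(value)) <= 4096)

    def _non_read(self, op, key, value):
        if op == "delete":
            self.first.pop(key, None)
            self.second.pop(key, None)
            return {"status": "ok", "op": op}
        if not self._safe(value):
            return {"status": "denied", "reason": "failed safety detection"}
        self.first[key] = value             # non-reading operation on the first server
        self.first.move_to_end(key)
        while len(self.first) > self.flash_capacity:  # flash area is not main storage
            self.first.popitem(last=False)
        # S144: the admitted instruction becomes storage data on the second server
        self.second[key] = {"type": value["type"], "payload": value}
        return {"status": "ok", "op": op}

    def _read(self, key, wanted):
        # S15: direct reading on the first server while the data is still in flash
        if key in self.first:
            return {"status": "ok", "source": "first", "data": self.first[key]}
        # S151/S152: indirect reading; only the reading-model result leaves the
        # second server, never the stored record itself
        record = self.second.get(key)
        if record is None:
            return {"status": "denied", "reason": "no such data"}
        model = self.reading_models.get((record["type"], wanted))
        if model is None:
            return {"status": "denied", "reason": "no reading model bound to request"}
        return {"status": "ok", "source": "second-indirect", "result": model(record["payload"])}

def demo():
    """Constructed walk-through: one authorised client and one under-privileged one."""
    broker = Broker()
    alice, mallory = Client("alice", access_level=2), Client("mallory", access_level=0)
    clip = {"type": "video", "frames": [{"person": True}, {"person": False}, {"person": True}]}
    out = [broker.request(alice, "first", "write", "clip1", clip)]
    out.append(broker.request(alice, "first", "read", "clip1"))          # direct read
    broker.request(alice, "first", "write", "pad1", {"type": "blob"})
    broker.request(alice, "first", "write", "pad2", {"type": "blob"})   # evicts clip1
    out.append(broker.request(alice, "first", "read", "clip1", wanted="frames_with_person"))
    out.append(broker.request(alice, "second", "read", "clip1"))         # never direct
    for _ in range(4):                     # three mismatches, then the port is closed
        out.append(broker.request(mallory, "first", "read", "clip1"))
    return out
```

Running `demo()` shows the two properties the page relies on: the client only ever receives a reading-model result for data that has left the first server's flash area, and a client whose access authority keeps mismatching loses its port rather than being allowed to keep trying.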
As another preferred embodiment of the present invention, as shown in fig. 6, in another aspect, a data protection system includes:
a dividing module 100 for setting different protection levels for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection level of the second cloud server is higher than that of the first cloud server;
an analysis module 200 for acquiring an access instruction sent by a user from a client and analyzing an access requirement from the access instruction and the corresponding access authority;
a matching module 300 for matching the client access authority with the target cloud server access authority in the access requirement;
an execution module 400 configured to admit a client to execute the operation instruction when its previously acquired operation request type matches the operation permission level type of the target cloud server; and
a first detection authorization module 500 for detecting the operation instruction that the client requests to execute, allowing the user to perform a non-reading operation on the first cloud server via the client when the client is detected to request execution of a non-malicious operation instruction, and converting the non-reading operation instruction that meets the security requirement into storage data and storing it in the second cloud server;
a second detection authorization module 600 configured to allow the user, via the client, to perform direct reading on the first cloud server and indirect reading associated with the second cloud server when the client is detected to request execution of a reading operation instruction.
The invention provides the data protection method of the above embodiment and a data protection system based on it. The protection level of the second cloud server is higher than that of the first cloud server, so the overall storage cost and protection cost are lower. The access instruction sent by the user based on the client is obtained, the access requirement is analyzed based on the access instruction and the corresponding access authority, and a client whose operation request type matches the operation permission level type of the target cloud server is allowed to execute the operation instruction; that is, the corresponding operation permission can be matched through access authority matching. The operation instruction the client requests to execute is detected: when the client requests execution of a non-malicious operation instruction, the user is allowed to perform the non-reading operation on the first cloud server based on the client, and the non-reading operation instruction meeting the security requirement is converted into storage data and stored in the second cloud server; when it is detected that the client requests execution of a reading operation instruction, the user is allowed to perform direct reading and indirect reading associated with the second cloud server based on the client. In other words, the first cloud server allows non-reading and reading, while the second cloud server only allows indirect non-reading. Combined with the higher protection level of the second cloud server, this effectively reduces the threat posed by malicious code and the like to the main storage location of the data, namely the second cloud server, while target data on the second cloud server can still be read through an indirect channel (the client and the first cloud server), which facilitates the user's operation; in particular, the efficiency of indirectly acquiring target processing data can be greatly improved by establishing the reading model.
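The tiered access policy summarised above (the procedure of claims 4 to 8), as an added Python example that is not part of the patent; it assumes integer access levels, a deny-list standing in for the unspecified security detection step, and a plain callable standing in for the trained reading model:

```python
"""Added example, not the patent's own code: a minimal policy engine for the
two-tier cloud-server scheme described above. Assumptions of mine: access
levels are integers, operation types are "read" / "non_read" / "indirect",
the security detection is a deny-list check, and a "reading model" is a
plain callable keyed by (data type, expected reading result feature)."""
from dataclasses import dataclass, field
from enum import Enum

class Tier(Enum):
    FIRST = 1   # lower protection level: direct read and non-read allowed
    SECOND = 2  # higher protection level: reachable only indirectly

# Predefined operation permission level types per tier (claim 6 wording).
TIER_PERMISSIONS = {Tier.FIRST: {"read", "non_read"}, Tier.SECOND: {"indirect"}}
FORBIDDEN_TOKENS = ("<script", "rm -rf")  # constructed stand-in for security detection
READING_MODELS = {("text", "word_count"): lambda v: len(v.split())}  # constructed model

@dataclass
class CloudServer:
    tier: Tier
    required_level: int                        # minimum client access right
    refused: set = field(default_factory=set)  # accounts whose port is refused
    storage: dict = field(default_factory=dict)

@dataclass
class Client:
    account: str
    security_level: int   # claim 4: verified account level is the access right

def match_access(client, server):
    """Claim 5: release the permission if the access right matches; otherwise
    send a single refusal and set the server's port to refused for the client."""
    if client.account in server.refused:
        return False, "port refused"
    if client.security_level >= server.required_level:
        return True, "released"
    server.refused.add(client.account)
    return False, "single access refused"

def authorize(client, server, op_type):
    """Claim 6: the operation request type must match the target tier's
    permission level type; the second tier never permits a direct read."""
    ok, why = match_access(client, server)
    if not ok:
        return False, why
    if op_type not in TIER_PERMISSIONS[server.tier]:
        return False, "operation type not permitted on this tier"
    return True, "permitted"

def non_read(client, first, second, key, payload):
    """Claim 7: run the non-read instruction on the first server, apply security
    detection, then convert it into storage data held on the second server."""
    ok, why = authorize(client, first, "non_read")
    if not ok:
        return why
    if any(token in payload for token in FORBIDDEN_TOKENS):
        return "security detection failed"
    first.storage[key] = payload
    second.storage[key] = {"data_type": "text", "value": payload}
    return "stored"

def indirect_read(client, first, second, key, feature):
    """Claim 8: reads of the second server go through the client/first-server
    channel and the reading model; only the processed result is fed back."""
    if not (authorize(client, first, "read")[0] and authorize(client, second, "indirect")[0]):
        return None
    record = second.storage.get(key)
    model = READING_MODELS.get((record["data_type"], feature)) if record else None
    return model(record["value"]) if model else None
```

A client that is refused on the second server keeps its access to the first server, and a raw read of the second server is rejected regardless of the client's access level.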
For the above method and system to run, the system may include more or fewer components than those described above, combine some components, or use different components in addition to the modules described above, for example input/output devices, network access devices, buses, processors, memories, and the like.
The memory may be used to store computer and system programs and/or modules, and the processor may perform various functions by running or executing the computer programs and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as an information collection template presentation function, a product information distribution function, and the like), and so on. The data storage area may store data created according to the use of the berth-state display system (e.g., product information acquisition templates corresponding to different product types, product information that needs to be issued by different product providers, etc.), and so on. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (FlashCard), at least one disk storage device, a flash memory device, or other volatile solid-state storage device.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, the steps are not necessarily executed in sequence as indicated by the arrows. The steps are not limited to being performed in the exact order illustrated and, unless explicitly stated herein, may be performed in other orders. Moreover, at least a portion of the steps in various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the present invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (9)

1. A method of data protection, the method comprising:
setting different protection levels for a plurality of cloud servers, and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection level of the second cloud server is higher than that of the first cloud server;
acquiring an access instruction sent by a user based on a client, and analyzing an access requirement based on the access instruction and the corresponding access authority;
matching the client access authority with the target cloud server access authority in the access requirement;
allowing a client whose pre-acquired operation request type matches the operation permission level type of the target cloud server to execute the operation instruction;
detecting an operation instruction requested to be executed by a client, allowing a user to perform non-reading operation on a first cloud server based on the client when detecting that the client requests to execute a non-malicious operation instruction, converting the non-reading operation instruction meeting the safety requirement into storage data and storing the storage data in a second cloud server;
when detecting that the client requests to execute the reading operation instruction, allowing the user to perform direct reading and indirect reading associated with the second cloud server on the basis of the client on the first cloud server.
2. The data protection method according to claim 1, wherein setting different protection levels for the plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, with the protection level of the second cloud server higher than that of the first cloud server, specifically comprises:
acquiring current cloud server information, wherein the cloud server information at least comprises the number of cloud servers and corresponding memories;
classifying the cloud servers so that the cloud server category comprises a first cloud server and a second cloud server;
and obtaining firewall programs of different grades and running them on the first cloud server and the second cloud server, wherein the grade of the firewall program corresponding to the first cloud server is lower than the grade of the firewall program corresponding to the second cloud server.
3. The data protection method according to claim 1, wherein classifying the cloud servers specifically comprises: allocating the number of cloud servers, wherein the number of first cloud servers and the number of second cloud servers are each at least one;
and respectively calculating the total memory of the cloud servers, so that the total memory of the second cloud server is not less than the total memory of the first cloud server.
4. The data protection method according to claim 1, wherein the obtaining of the access instruction sent by the user based on the client and the resolving of the access requirement based on the access instruction in combination with the corresponding access right specifically include:
receiving an access instruction sent by a user at a client;
verifying the security access level of the account corresponding to the client based on the access instruction;
matching corresponding client access rights according to the security access level of the account;
and extracting the target cloud server access object in the access instruction of the user.
5. The data protection method according to claim 4, wherein the matching of the client access right with the target cloud server access right in the access requirement specifically comprises:
acquiring corresponding operation permission based on a target cloud server;
detecting whether the access authority of the client is matched with the operation authority corresponding to the target cloud server;
and if so, releasing the corresponding cloud server operation authority according to the access requirement, otherwise, sending a single access refusing instruction to the client, and setting the corresponding cloud server access port as a corresponding client access refusing port.
6. The data protection method according to claim 1, wherein allowing a client whose pre-obtained operation request type matches the operation permission level type of the target cloud server to execute the operation instruction specifically includes:
acquiring an operation request type of a user after the user accesses a target cloud server based on a client;
the method comprises the steps of obtaining predefined operation permission level types of a first cloud server and a second cloud server, wherein the first cloud server allows non-reading and reading, and the second cloud server only allows indirect non-reading;
and setting a client whose operation request type matches the operation permission level type of the admitted target cloud server as a client allowed to execute the corresponding operation instruction.
7. The data protection method according to claim 1, wherein the step of converting the non-read operation instruction meeting the security requirement into the storage data and then storing the storage data in the second cloud server specifically comprises:
performing security detection on the non-reading operation instruction that the client requests to execute, and acquiring non-reading operation data based on a result that passes the security detection;
normalizing the non-reading operation data, and extracting the characteristic information of the non-reading operation data, wherein the characteristic information at least comprises a data type and a characteristic of a reading result expected by a user;
calling a corresponding standard frame model in a model library according to the characteristic information, receiving parameter modification of a standard frame model by a user, and performing unsupervised training on non-read operation data to obtain a read model;
screening a plurality of data sets with different significant characteristics from the non-reading operation data, performing precision correction on the reading model based on the data sets, binding the reading model with the characteristics of the expected reading result of the user when the precision of the reading model reaches a set threshold value, storing the reading model and storing the non-reading operation data in a second cloud server.
8. The data protection method according to claim 7, wherein when it is detected that the client requests execution of the read operation instruction, allowing the user to perform direct reading at the first cloud server and indirect reading associated with the second cloud server based on the client specifically comprises:
acquiring a reading operation instruction of a user, and extracting a target data type and a target expected reading result characteristic;
and applying the target data type and the target expected reading result characteristic to the corresponding reading model for processing, and feeding back the processing result to the corresponding client.
9. A data protection system, characterized in that the system comprises:
a dividing module, used for setting different protection grades for a plurality of cloud servers and dividing the cloud servers into a first cloud server and a second cloud server, wherein the protection grade of the second cloud server is higher than that of the first cloud server;
the analysis module is used for acquiring an access instruction sent by a user based on a client and analyzing an access requirement based on the access instruction and the corresponding access authority;
the matching module is used for matching the client access authority with the target cloud server access authority in the access requirement;
an execution module, used for allowing a client whose pre-obtained operation request type matches the operation permission level type of the target cloud server to access and execute the operation instruction;
the first detection authorization module is used for detecting an operation instruction requested to be executed by the client, allowing a user to perform non-reading operation on the first cloud server based on the client when detecting that the client requests to execute a non-malicious operation instruction, converting the non-reading operation instruction meeting the safety requirement into storage data and storing the storage data in the second cloud server;
and the second detection authorization module is used for allowing the user to perform direct reading and indirect reading associated with the second cloud server on the basis of the client when the client requests to execute the reading operation instruction.
CN202210299823.3A 2022-03-25 2022-03-25 Data protection method and protection system Withdrawn CN114666138A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210299823.3A CN114666138A (en) 2022-03-25 2022-03-25 Data protection method and protection system

Publications (1)

Publication Number Publication Date
CN114666138A true CN114666138A (en) 2022-06-24

Family

ID=82031335

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220624
