CN115277083B - Data transmission control method, device, system and computer equipment - Google Patents
Data transmission control method, device, system and computer equipment Download PDFInfo
- Publication number
- CN115277083B CN115277083B CN202210718697.0A CN202210718697A CN115277083B CN 115277083 B CN115277083 B CN 115277083B CN 202210718697 A CN202210718697 A CN 202210718697A CN 115277083 B CN115277083 B CN 115277083B
- Authority
- CN
- China
- Prior art keywords
- data
- maintenance
- gateway
- sensitive
- target system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 90
- 230000005540 biological transmission Effects 0.000 title claims abstract description 65
- 238000012423 maintenance Methods 0.000 claims abstract description 228
- 238000004590 computer program Methods 0.000 claims abstract description 35
- 238000004458 analytical method Methods 0.000 claims abstract description 19
- 238000012545 processing Methods 0.000 claims description 59
- 230000008569 process Effects 0.000 claims description 53
- 230000011218 segmentation Effects 0.000 claims description 20
- 230000005484 gravity Effects 0.000 claims description 12
- 238000004891 communication Methods 0.000 claims description 8
- 238000013480 data collection Methods 0.000 claims description 5
- 238000001514 detection method Methods 0.000 claims description 3
- 238000012795 verification Methods 0.000 claims description 3
- 238000000586 desensitisation Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 230000035945 sensitivity Effects 0.000 description 6
- 238000004140 cleaning Methods 0.000 description 4
- 238000001914 filtration Methods 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 4
- 230000008859 change Effects 0.000 description 3
- 238000006243 chemical reaction Methods 0.000 description 3
- 238000003745 diagnosis Methods 0.000 description 3
- 238000012549 training Methods 0.000 description 3
- 230000009365 direct transmission Effects 0.000 description 2
- 238000003384 imaging method Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 230000026676 system process Effects 0.000 description 2
- 238000012935 Averaging Methods 0.000 description 1
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 1
- 238000009825 accumulation Methods 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 201000010099 disease Diseases 0.000 description 1
- 208000037265 diseases, disorders, signs and symptoms Diseases 0.000 description 1
- 229940079593 drug Drugs 0.000 description 1
- 239000003814 drug Substances 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 229910021389 graphene Inorganic materials 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 230000000873 masking effect Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/88—Medical equipments
Abstract
The present application relates to a data transmission control method, apparatus, system, computer device, storage medium, and computer program product. The method comprises the following steps: acquiring service data transmitted by a target system through electronic equipment connected with a first gateway; determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system; transmitting the operation and maintenance data to a second gateway; the sent operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to conduct operation and maintenance analysis based on the operation and maintenance data. The method can ensure the safety and privacy of data transmitted to the data platform, and can uniformly collect and manage the operation maintenance data of a plurality of software systems in the same local area network range, thereby improving the maintenance efficiency of the plurality of software systems.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data transmission control method, apparatus, system, and computer device.
Background
The medical software industry has data security sensitivity, patient information, diagnosis information and image information belong to confidential data, and interface data transmission among all business subsystems in a hospital needs to be subjected to interface authentication so as to prevent hackers from obtaining confidential data of the hospital.
The current medical software in-hospital operation and maintenance data uploading adopts a client direct transmission mode, and each service subsystem such as an operation and maintenance monitoring platform, a log platform, a deployment platform and the like is respectively provided with a client in a hospital, and each client respectively collects related service data and transmits the related service data to a cloud through a network. However, the relevant data of the hospital relate to more privacy sensitive data, the processing mechanisms of the privacy sensitive data by the third party clients are different, the direct transmission collection and transmission mode may relate to the information security of the hospital, the security holes are extremely large, the hospital cannot acquire the security holes in time, the uploaded data cannot be monitored and managed uniformly, and the problem of unsafe data transmission exists. In addition, as the number of the business subsystems of the hospital is increased, the data processing modes and formats of all the clients which are directly transmitted to the cloud are not uniform, so that the operation and maintenance work in the hospital needs to be respectively carried out on the clients of all the business subsystems, a large amount of manpower and material resources are wasted, operation and maintenance personnel cannot quickly collect the operation and maintenance data of a plurality of mutually related client systems, and unified management, control and maintenance of all the business systems cannot be carried out
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data transmission control method, apparatus, computer device, computer-readable storage medium, and computer program product capable of ensuring the security of data transmission while improving the maintenance efficiency for a plurality of software systems.
In a first aspect, the present application provides a data transmission control method. The method is applied to a first gateway which is configured on the boundary of a hospital intranet in a data transmission system, at least one target system is configured in the hospital intranet, the data transmission system also comprises a second gateway which is configured in a data platform intranet, and the method comprises the following steps:
acquiring service data transmitted by a target system;
determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system;
transmitting the operation and maintenance data to a second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, determining the operational dimension of the target system from the traffic data includes:
And desensitizing the sensitive data in the service data to obtain the operation and maintenance data of the target system.
In one embodiment, desensitizing sensitive data in service data to obtain operation data of a target system includes:
performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data;
and carrying out recognition processing on keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
In one embodiment, performing at least one sensitive word recognition and at least one sensitive data rejection process based on the business data to obtain intermediate process data includes:
word segmentation processing is carried out on the business data to obtain a first keyword corresponding to each item of data in the business data;
identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data;
and removing the first sensitive data from the service data to obtain intermediate process data.
In one embodiment, identifying first sensitive data in the service data based on first keywords corresponding to each item of data in the service data includes:
Acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system;
calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set;
marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data;
and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, before sending the operation data to the second gateway, the method further comprises:
encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption;
and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
In a second aspect, the present application further provides a data transmission control apparatus. The device is applied to a first gateway which is arranged on the boundary of a hospital intranet in a data transmission system, at least one target system is arranged in the hospital intranet, the data transmission system also comprises a second gateway which is arranged in a data platform intranet, and the device comprises:
The data acquisition module is used for acquiring service data transmitted by the target system;
the data processing module is used for determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system;
the data transmission module is used for transmitting the operation and maintenance data to the second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In a third aspect, the present application further provides a data transmission control system. The system comprises a first gateway configured on the boundary of a hospital intranet and a second gateway configured in a data platform intranet, wherein at least one target system is configured in the hospital intranet;
the first gateway is also used for acquiring service data transmitted by the target system and determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system;
the first gateway is also used for identifying sensitive data in the service data, performing desensitization processing on the sensitive data to obtain operation and maintenance data of the target system, and sending the operation and maintenance data to the second gateway;
And the second gateway is used for receiving the operation and maintenance data and transmitting the operation and maintenance data to the data platform, and the transmitted operation and maintenance data are used for indicating the data platform to perform operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the first gateway is further configured to obtain a data access request generated by the target system, add a security protection policy to the data access request, and send the data access request to the second gateway;
the second gateway is further used for receiving the data access request, verifying the security protection policy from the data access request, acquiring data information corresponding to the data access request from the data platform under the condition that verification is passed, and transmitting the data information to the first gateway.
In a fourth aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which when executing the computer program performs the steps of:
acquiring service data transmitted by a target system through electronic equipment connected with a first gateway;
determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system;
Transmitting the operation and maintenance data to a second gateway; the sent operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to conduct operation and maintenance analysis based on the operation and maintenance data.
In a fifth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
acquiring service data transmitted by a target system through electronic equipment connected with a first gateway;
determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system;
transmitting the operation and maintenance data to a second gateway; the sent operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to conduct operation and maintenance analysis based on the operation and maintenance data.
In a sixth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of:
acquiring service data transmitted by a target system through electronic equipment connected with a first gateway;
determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system;
Transmitting the operation and maintenance data to a second gateway; the sent operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to conduct operation and maintenance analysis based on the operation and maintenance data.
The data transmission control method, the device, the system, the computer equipment, the storage medium and the computer program product acquire service data transmitted by a target system; determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system; transmitting the operation and maintenance data to a second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data. Through the first gateway configured at the boundary of the hospital intranet, service data are collected from all target systems in the hospital intranet, operation and maintenance data are screened from the service data, data irrelevant to the operation and maintenance of all target systems are removed, then the operation and maintenance data are sent to a data platform, the safety and privacy of data transmitted to the data platform can be ensured, the operation and maintenance data of a plurality of software systems in the same local area network range can be uniformly collected and managed, and the maintenance efficiency of the multi-software system is improved.
Drawings
FIG. 1 is an application environment diagram of a data transmission control method in one embodiment;
FIG. 2 is a flow chart of a data transmission control method in one embodiment;
FIG. 3 is a flow diagram of a desensitization process in one embodiment;
FIG. 4 is a logic flow diagram of a method of data transmission control in one embodiment;
FIG. 5 is a flow chart of data transmission in one embodiment;
FIG. 6 is a schematic diagram of a data transmission control system according to one embodiment;
FIG. 7 is a block diagram showing the structure of a data transmission control device according to an embodiment;
fig. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The data transmission control method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein a first gateway in the first border server 102 communicates with a second gateway in the second border server 104 via a network. The first border server 102 is configured in the first intranet, and the first gateway communicates with a plurality of target systems in the first intranet, where each target system is disposed on each electronic device connected to the first intranet. The second border server 104 is disposed in a second intranet, a data platform is disposed in the second intranet, and the second gateway communicates with the data platform. The first gateway may be implemented through a hardware structure and/or a software service deployed on the first border server, and the second gateway may be implemented through a hardware structure and/or a software service deployed on the second border server. The electronic device may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, and the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server may be implemented as a stand-alone server or as a server cluster composed of a plurality of servers.
In one embodiment, as shown in fig. 2, a data transmission control method is provided, which is illustrated by taking a first gateway applied to the first border server 102 in fig. 1 as an example, and includes the following steps:
step 202, obtaining service data transmitted by a target system.
The first intranet may be, but not limited to, a hospital intranet, the second intranet may be, but not limited to, a cloud data platform capable of analyzing and processing data related to a target system, where the target system includes, but not limited to, software running on each terminal in the hospital intranet, a client, a service system, and the like. For example, the target system in the hospital intranet may be a medical imaging software information system, a reservation software information system, a remote diagnosis software information system, an in-hospital monitoring alarm client, an audit deployment client, a log client, and the like. The first gateway may be a software service configured in a first border server of the hospital intranet, or may be a hardware device that is in connection communication with the first border server of the hospital intranet. The electronic devices are terminals connected with the hospital intranet, and each target system is installed and operated on each electronic device.
Alternatively, the first gateway may actively collect service data generated when the target systems process services from the respective target systems. The first gateway can also send a data collection request to the electronic device through the hospital intranet first, request the data collection authority of the electronic device or the target system, and after the electronic device or the target system opens the authority to the first gateway, the first gateway actively collects service data generated when the target system processes the service from the target system. Each target system can also actively transmit service data generated when the target system processes the service to the first gateway. This embodiment is not limited thereto.
Step 204, determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in the data platform intranet.
Optionally, after collecting the service data of the target system, the first gateway performs data processing on the service data, screens out data irrelevant to operation and maintenance of the target system, screens out data irrelevant to a data platform, and only retains operation and maintenance data of a background of the target system relevant to the data platform.
Specifically, the first gateway performs desensitization processing on sensitive data in the service data to obtain operation and maintenance data of the target system. The sensitive data can be identified by preset sensitive words, and in general, personal information related to patients and families, personal information of medical staff, disease diagnosis information, prescription information and other information irrelevant to the operation of the target system are all regarded as sensitive information in a hospital system. Desensitization processing includes, but is not limited to, data substitution, masking, randomization, generalization, averaging, offset rounding of sensitive data or sensitive words.
Step 206, sending the operation and maintenance data to the second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
The second gateway may be a software service configured in a second border server of the data platform intranet, or may be a hardware device connected and communicating with the second border server of the data platform intranet, or may be a data receiving module in the data platform (configured in the second border server of the data platform intranet).
Optionally, after the first gateway collects the operation and maintenance data of each target system, the operation and maintenance data is transmitted to the second gateway through the external network. Since the first gateway is configured in the internal network of the hospital, the data transmission between the first gateway and the second gateway is required to meet the software information security standard of the medical industry and is required to accord with ISO27001.
In one possible implementation, an end user of the intranet can communicate with the first gateway through the intranet, and query the first gateway for the operation and maintenance data to be sent or sent to the second gateway on the interactive interface of the first gateway.
In another possible implementation manner, if the hospital includes a main hospital area and a plurality of subordinate hospital areas, the first gateway may be configured at an intranet boundary of the main hospital area, and a respective one of the separation gateways may be configured at an intranet boundary of each of the subordinate hospital areas. Each of the sub-hospital gateways has the same function as the first gateway, but cannot directly perform data transmission with the second gateway, and after each of the sub-hospital gateways acquires the operation and maintenance data of a sub-hospital region of a target system in each of the sub-hospital region internal networks, the operation and maintenance data of the sub-hospital region are transmitted to the first gateway, and then the first gateway transmits the operation and maintenance data of the sub-hospital region to the second gateway through an external network.
In the data transmission control method, service data transmitted by a target system is acquired through electronic equipment connected with a first gateway; determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system; transmitting the operation and maintenance data to a second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data. Through the first gateway configured at the boundary of the hospital intranet, service data are collected from all target systems in the hospital intranet, operation and maintenance data are screened from the service data, data irrelevant to the operation and maintenance of all target systems are removed, then the operation and maintenance data are sent to a data platform, the safety and privacy of data transmitted to the data platform can be ensured, the operation and maintenance data of a plurality of software systems in the same local area network range can be uniformly collected and managed, and the maintenance efficiency of the multi-software system is improved.
In one embodiment, desensitizing sensitive data in service data to obtain the operation and maintenance data of a target system includes: performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data; and carrying out recognition processing on keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
The sensitive words are determined based on a sensitive word set matched with the hospital intranet, the sensitive word set is a set of word stock obtained based on training of real data of medical software, and data containing words matched with the word stock is sensitive data.
Optionally, the first gateway performs at least one sensitive word recognition and at least one sensitive data rejection process based on the service data to obtain intermediate process data; and identifying keywords corresponding to various data in the intermediate process data, and performing character conversion processing on the keywords to obtain the operation and maintenance data.
Specifically, before identifying sensitive data in service data, the first gateway performs data cleaning on the service data, and the data cleaning process includes checking data consistency, processing invalid values, missing values and the like. Then selecting a plurality of sensitive keywords from the service data, removing the keywords with higher sensitivity, and repeating the steps for a plurality of times to obtain intermediate process data. Then, the key words left in the intermediate process data are key words with lower sensitivity, words with low matching degree are converted into special characters through a code table, so that the intermediate process data are further desensitized, and the safety compliance of operation and maintenance data is ensured.
In one embodiment, performing at least one sensitive word recognition and at least one sensitive data rejection process based on the business data to obtain intermediate process data, including: word segmentation processing is carried out on the business data to obtain a first keyword corresponding to each item of data in the business data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the service data to obtain intermediate process data.
The sensitive data includes, but is not limited to, a dicom (Digital Imaging and Communications in Medicine, i.e., digital imaging and communication medical) file suffix and file thereof, a medical feature picture, a human feature picture, a patient name, a patient age, a visit record, a medical diagnosis idiom, a telephone number, and other privacy information.
In a possible implementation manner, a first gateway performs word segmentation processing on service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; removing the first sensitive data from the service data to obtain low-matching-degree data; word segmentation processing is carried out on the low-matching-degree data to obtain second keywords corresponding to each item of data in the low-matching-degree data; identifying second sensitive data in the low-matching-degree data based on second keywords corresponding to various data in the low-matching-degree data; and removing the second sensitive data from the low-matching-degree data to obtain intermediate process data.
Specifically, as shown in fig. 3, the first gateway performs jieba word segmentation on the service data to obtain a first keyword corresponding to each item of data in the service data, matches the segmented data with the sensitive word set, and determines data related to the first keyword with higher matching degree with the sensitive word set as high matching degree data (first sensitive data) based on a similarity algorithm of collaborative filtering training to remove. And performing jieba word segmentation on the rest low-matching-degree data again to obtain second keywords corresponding to each item of data in the low-matching-degree data (the word segmentation result is different from that of the first time because of the change of the total data), matching the segmented data with the sensitive word set, and determining data related to the second keywords with higher matching degree with the sensitive word set as second high-matching-degree data (second sensitive data) based on a similarity algorithm of collaborative filtering training to remove. And finally obtaining intermediate process data with the keywords removed twice with high sensitivity. Furthermore, in the second sensitive data removing process, all data related to the second keywords are not removed, and the second keywords remained in the intermediate process data are converted into special characters through a code table, so that the intermediate process data are further subjected to desensitization processing to obtain desensitized data (operation and maintenance data), and the safety compliance of the operation and maintenance data is ensured. The similarity algorithm may be, but is not limited to, euclidean distance, normalized Euclidean distance, manhattan distance, chebyshev distance, angle cosine distance, pearson correlation coefficient, and Hamming distance.
In this embodiment, word segmentation is performed on service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the service data to obtain intermediate process data. The method and the device can accurately desensitize the service data, remove data irrelevant to the service data, ensure the safety compliance of data transmission and protect the privacy of users.
In one embodiment, identifying first sensitive data in the business data based on first keywords corresponding to each item of data in the business data includes: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
Wherein the set of sensitive words includes, but is not limited to, sensitive data based on accumulation of medical industry customer sensitive data and security compliance. The specific gravity parameter is used for representing the sensitivity degree of one sensitive word in the sensitive word set, and the higher the specific gravity parameter of one sensitive word is, the higher the sensitivity degree of the sensitive word is, and the higher the priority of the desensitization treatment is required in all the sensitive words in the sensitive word set.
Optionally, the plurality of sensitive words corresponding to the target system may be obtained from a pre-constructed sensitive word set, where the sensitive word set includes a plurality of sensitive words corresponding to the target system, the sensitive word set may be configured in a sensitive database, and the sensitive database may store the plurality of sensitive word sets at the same time, where each sensitive word set corresponds to one target system respectively. When the first gateway identifies first sensitive data in the business data of the target system, one sensitive word set corresponding to the current target system is firstly matched from a sensitive database, and then a plurality of sensitive words corresponding to the target system are acquired from the sensitive word set. The first gateway calculates the similarity between each first keyword in the service data and the sensitive word in the sensitive word set through a similarity algorithm trained by collaborative filtering, and calculates the matching degree of each first keyword corresponding to the sensitive word set by combining the specific gravity parameter of each sensitive word in the sensitive word set. For example, the higher the similarity of the first keyword α corresponding to the sensitive word a, and the higher the ratio of the sensitive word a in the sensitive word set, the higher the matching degree of the first keyword α corresponding to the sensitive word set. Marking a first keyword with the matching degree higher than a first threshold value, marking data where the part of marked first keyword is positioned as high matching degree data, wherein the high matching degree data is first sensitive data to be removed, and obtaining low matching degree data after removal.
Further, the jieba word segmentation (Python Chinese word segmentation component) is performed on the rest low-matching-degree data again, so that a second keyword corresponding to each item of data in the low-matching-degree data is obtained. And calculating the similarity between each second keyword in the segmented low-matching-degree data and the sensitive word in the sensitive word set through a similarity algorithm trained by collaborative filtering, and calculating the matching degree of each second keyword corresponding to the sensitive word set by combining the specific gravity parameter of each sensitive word in the sensitive word set. Marking a second keyword with the matching degree higher than a second threshold value, marking data of the second keyword with the matching degree being marked as second highest matching degree data, wherein the second highest matching degree data is second sensitive data to be removed, and obtaining intermediate process data after removal. The second threshold value and the first threshold value may be the same or different, and this embodiment is not limited thereto.
In this embodiment, a sensitive word set corresponding to a target system is obtained, where the sensitive word set includes a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data. The method can accurately judge the high-sensitivity data in the service data, ensure that the data is not transmitted to outside the internal network of the hospital, ensure the safety compliance of data transmission and simultaneously protect the privacy of users.
In one embodiment, before sending the transport data to the second gateway, further comprising: encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
Optionally, before the first gateway sends the operation and maintenance data to the second gateway, encryption processing is further required to be performed on the operation and maintenance data, so as to obtain the operation and maintenance data after encryption processing. The encryption mode is determined according to the transmitted target data platform so that only the target data platform can decrypt the encrypted data. And a website application level intrusion prevention system (Web Application Firewall, WAF for short) is configured on the first gateway, so that batch interception of malicious attacks is realized, and the information security of data transmission to the data platform is ensured. The first gateway detects malicious attacks according to a preset period, and meanwhile, the first gateway detects the malicious attacks before transmitting data each time, and when detecting that malicious attacks occur on the internal network of a hospital, electronic equipment in the internal network of the hospital, the first gateway, the second gateway or other network channels can directly block attack sources and stop transmitting data continuously. Malicious attack detection is carried out before data transmission every time, so that data loss and information leakage are avoided.
In the embodiment, encryption processing is performed on the operation and maintenance data to obtain operation and maintenance data after encryption processing; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions. Through data encryption and network security detection, the security compliance of data transmission can be ensured, and the privacy of a user can be protected.
In one embodiment, as shown in fig. 4 and fig. 5, a data transmission control method is applied to a first gateway configured at a boundary of a hospital intranet in a data transmission system, where the hospital intranet is configured with at least one target system, and the data transmission system further includes a second gateway configured in a data platform intranet, and includes:
and acquiring service data transmitted by the target system through the electronic equipment connected with the first gateway, and cleaning the service data.
And performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data. Acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word to obtain the matching degree of the sensitive word set corresponding to each first keyword; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data. Removing the first sensitive data from the service data to obtain low-matching-degree data; word segmentation processing is carried out on the low-matching-degree data to obtain second keywords corresponding to each item of data in the low-matching-degree data; identifying second sensitive data in the low-matching-degree data based on second keywords corresponding to various data in the low-matching-degree data; and removing the second sensitive data from the low-matching-degree data to obtain intermediate process data. And identifying keywords corresponding to various data in the intermediate process data, and performing character conversion processing on the keywords to obtain the operation and maintenance data. The operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in the data platform intranet.
Encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions. The sent operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to conduct operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, as shown in fig. 4 and fig. 5, a data transmission control method is applied to a second gateway configured in an intranet of a data platform in a data transmission system, where the data transmission system further includes a first gateway configured in an intranet boundary of a hospital, and at least one target system is configured in the intranet of the hospital, and includes:
and receiving the encrypted operation and maintenance data transmitted by the first gateway, detecting network security information of the intranet of the data platform, decrypting the encrypted operation and maintenance data and identifying operation and maintenance data of each type in the operation and maintenance data under the condition that the network security information passes the authentication, wherein the operation and maintenance data of each type comprises but is not limited to system upgrade data, system log data, system security monitoring data and the like. And respectively transmitting the operation and maintenance data of each category to a service unit corresponding to the data platform. And each service unit of the data platform stores and analyzes the operation and maintenance data of different categories respectively.
In one embodiment, for example, as shown in fig. 6, a data transmission control method is applied to a data transmission control system, where the system includes a first gateway configured at an intranet boundary server of a hospital, and a second gateway configured at an intranet boundary server of a data platform, at least one target system is configured in the intranet of the hospital, at least one service unit is configured in the data platform, and each service unit is respectively used for executing a data analysis service.
And the target system is used for transmitting the service data to the first gateway through the hospital intranet.
And the target system is also used for sending a data access request to the first gateway through the hospital intranet.
The first gateway is used for acquiring service data transmitted by the target system through electronic equipment connected with the first gateway and cleaning the service data.
The first gateway is also used for carrying out word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data. Acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word to obtain the matching degree of the sensitive word set corresponding to each first keyword; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data. Removing the first sensitive data from the service data to obtain low-matching-degree data; word segmentation processing is carried out on the low-matching-degree data to obtain second keywords corresponding to each item of data in the low-matching-degree data; identifying second sensitive data in the low-matching-degree data based on second keywords corresponding to various data in the low-matching-degree data; and removing the second sensitive data from the low-matching-degree data to obtain intermediate process data. And identifying keywords corresponding to various data in the intermediate process data, and performing character conversion processing on the keywords to obtain the operation and maintenance data. The operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in the data platform intranet.
The first gateway is also used for encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
The first gateway is further used for acquiring a data access request generated by the target system, adding a security protection policy to the data access request, and sending the data access request to the second gateway. For example, the hospital local accesses the data platform through the first gateway, then the URL (Universal Resource Locator, uniform resource locator) of the hospital local adds a token to the data access request through the first gateway, the feature value (the feature value is only allowed to be used once and updated every time the request) and the data transferred by post is encrypted by JWT. The second gateway receives the request of the hospital, firstly verifies the token, then intelligently analyzes whether the token is disguised by a hacker (judged according to the characteristic value), and then carries out JWT decryption after authentication. Among them, json Web Token (JWT), a Json-based open standard ((RFC 7519)) that is implemented to pass declarations between network application environments, is designed to be compact and secure, and is particularly well suited for single sign-on (SSO) scenarios for distributed sites.
The second gateway is used for receiving the encrypted operation and maintenance data transmitted by the first gateway, detecting network security information of the intranet of the data platform based on WAF, decrypting the encrypted operation and maintenance data and identifying operation and maintenance data of each type in the operation and maintenance data under the condition that the network security information passes authentication, wherein the operation and maintenance data of each type comprises but is not limited to system upgrade data, system log data, system security monitoring data and the like, and transmitting the operation and maintenance data of each type to a service unit corresponding to the data platform respectively.
The second gateway is further configured to receive the data access request transmitted by the first gateway, verify the security protection policy from the data access request, obtain data information corresponding to the data access request from the data platform when verification is passed, and transmit the data information to the first gateway. For example, the hospital local accesses the data platform through the first gateway, then the URL of the hospital local adds a token through the first gateway, the feature value (the feature value is only allowed to be used once and updated every time a request) and the data transferred by post is encrypted by JWT. The second gateway receives the request of the hospital, firstly verifies the token, then intelligently analyzes whether the token is disguised by a hacker (judged according to the characteristic value), then carries out JWT decryption after passing the authentication, acquires data information corresponding to the data access request from the data platform according to the decrypted data access request, and transmits the data information to the first gateway.
And the data platform is used for respectively storing and analyzing the operation and maintenance data of different categories through the service units integrated on the platform.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a data transmission control device for realizing the above related data transmission control method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the data transmission control device or devices provided below may refer to the limitation of the data transmission control method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 7, there is provided a data transmission control apparatus 700 applied to a first gateway configured in a boundary of a hospital intranet in a data transmission system, where at least one target system is configured in the hospital intranet, the data transmission system further includes a second gateway configured in a data platform intranet, the apparatus includes: a data acquisition module 701, a data processing module 702 and a data transmission module 703, wherein:
the data acquisition module 701 is configured to acquire service data transmitted by the target system.
The data processing module 702 is configured to determine the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in the data platform intranet.
A data transmission module 703, configured to send operation and maintenance data to the second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the data processing module 702 is further configured to perform desensitization processing on sensitive data in the service data, so as to obtain operation and maintenance data of the target system.
In one embodiment, the data processing module 702 is further configured to perform at least one sensitive word recognition and at least one sensitive data processing based on the business data to obtain intermediate process data; and carrying out recognition processing on keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
In one embodiment, the data processing module 702 is further configured to perform word segmentation on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the service data to obtain intermediate process data.
In one embodiment, the data processing module 702 is further configured to obtain a set of sensitive words corresponding to a target system, where the set of sensitive words includes a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the data transmission module 703 is further configured to encrypt the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
The respective modules in the above-described data transmission control apparatus may be implemented in whole or in part by software, hardware, and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 8. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is for storing the operation and maintenance data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data transmission control method.
It will be appreciated by those skilled in the art that the structure shown in fig. 8 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of: acquiring service data transmitted by a target system; determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system; transmitting the operation and maintenance data to a second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the processor when executing the computer program further performs the steps of: and desensitizing the sensitive data in the service data to obtain the operation and maintenance data of the target system.
In one embodiment, the processor when executing the computer program further performs the steps of: performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data; and carrying out recognition processing on keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
In one embodiment, the processor when executing the computer program further performs the steps of: word segmentation processing is carried out on the business data to obtain a first keyword corresponding to each item of data in the business data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the service data to obtain intermediate process data.
In one embodiment, the processor when executing the computer program further performs the steps of: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the processor when executing the computer program further performs the steps of: encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of: acquiring service data transmitted by a target system; determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system; transmitting the operation and maintenance data to a second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: and desensitizing the sensitive data in the service data to obtain the operation and maintenance data of the target system.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data; and carrying out recognition processing on keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: word segmentation processing is carried out on the business data to obtain a first keyword corresponding to each item of data in the business data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the service data to obtain intermediate process data.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of: acquiring service data transmitted by a target system; determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in an intranet of the data platform by a target system; transmitting the operation and maintenance data to a second gateway; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: and desensitizing the sensitive data in the service data to obtain the operation and maintenance data of the target system.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data; and carrying out recognition processing on keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: word segmentation processing is carried out on the business data to obtain a first keyword corresponding to each item of data in the business data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the service data to obtain intermediate process data.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of the sensitive word set corresponding to each first keyword according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: encrypting the operation and maintenance data to obtain the operation and maintenance data after the encryption; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to comply with the related laws and regulations and standards of the related countries and regions.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.
Claims (10)
1. The data transmission control method is characterized by being applied to a first gateway which is arranged on the boundary of a hospital intranet in a data transmission system, wherein at least one target system is arranged in the hospital intranet, the data transmission system also comprises a second gateway which is arranged in a data platform intranet, and the method comprises the following steps:
sending a data request to the target system, and acquiring service data transmitted by the target system under the condition that the target system opens a data collection authority to the first gateway; the target system comprises at least one of software, a client and a service system which are operated on each terminal in the hospital intranet;
Performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data, and performing keyword recognition processing corresponding to each item of data in the intermediate process data to obtain operation data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in the data platform intranet of the target system;
sending the operation and maintenance data to the second gateway, detecting malicious attacks according to a preset period, and stopping sending the operation and maintenance data to the second gateway under the condition that the malicious attacks exist; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data; the transmission of the operation and maintenance data meets the software information safety standard of the medical industry.
2. The method according to claim 1, wherein the performing at least one sensitive word recognition and at least one sensitive data rejection process based on the business data to obtain intermediate process data includes:
word segmentation processing is carried out on the service data to obtain a first keyword corresponding to each item of data in the service data;
Identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data;
and removing the first sensitive data from the service data to obtain intermediate process data.
3. The method according to claim 2, wherein the identifying the first sensitive data in the service data based on the first keywords corresponding to each item of data in the service data comprises:
acquiring a sensitive word set corresponding to the target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system;
calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the specific gravity parameter of each sensitive word in the sensitive word set;
marking data corresponding to the first keyword with the corresponding matching degree meeting the preset condition as high matching degree data;
and taking all the high-matching data in the service data as the first sensitive data.
4. The method of claim 2, wherein said removing said first sensitive data from said traffic data to obtain intermediate process data comprises:
Removing the first sensitive data from the service data to obtain low-matching-degree data;
word segmentation processing is carried out on the low-matching-degree data to obtain second keywords corresponding to all data in the low-matching-degree data;
identifying second sensitive data in the low-matching-degree data based on second keywords corresponding to various data in the low-matching-degree data;
and removing the second sensitive data from the low-matching-degree data to obtain the intermediate process data.
5. The method of claim 1, wherein the first gateway comprises a software service configured in a first border server of the hospital intranet or a hardware device in communication with the first border server connection; the second gateway comprises a software service configured in a second boundary server of the data platform intranet, or a hardware device connected and communicated with the second boundary server, or a data receiving module configured in the second boundary server.
6. The method of claim 1, wherein prior to sending the operation data to the second gateway, further comprising:
encrypting the operation and maintenance data to obtain encrypted operation and maintenance data;
And detecting the network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets the network security condition.
7. A data transmission control device, wherein the device is applied to a first gateway in a data transmission system, the first gateway being configured in a boundary of a hospital intranet, at least one target system being configured in the hospital intranet, the data transmission system further comprising a second gateway configured in a data platform intranet, the device comprising:
the data acquisition module is used for sending a data request to the target system and acquiring service data transmitted by the target system under the condition that the target system opens a data collection authority to the first gateway; the target system comprises at least one of software, a client and a service system which are operated on each terminal in the hospital intranet;
the data processing module is used for carrying out at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data, and carrying out keyword recognition processing corresponding to each item of data in the intermediate process data to obtain operation data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in the data platform intranet of the target system;
The data transmission module is used for sending the operation and maintenance data to the second gateway, detecting malicious attacks according to a preset period and stopping sending the operation and maintenance data to the second gateway under the condition that the malicious attacks exist; the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data; the transmission of the operation and maintenance data meets the software information safety standard of the medical industry.
8. The data transmission control system is characterized by comprising a first gateway configured on the boundary of a hospital intranet and a second gateway configured in a data platform intranet, wherein at least one target system is configured in the hospital intranet;
the first gateway is further used for sending a data request to the target system, acquiring service data transmitted by the target system under the condition that the target system opens data collection authority to the first gateway, performing at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data, and performing keyword recognition processing corresponding to each item of data in the intermediate process data to obtain operation data; the operation and maintenance data refer to operation and maintenance data related to a data platform deployed in the data platform intranet of the target system; the target system comprises at least one of software, a client and a service system which are operated on each terminal in the hospital intranet;
The first gateway is further configured to send the operation and maintenance data to the second gateway, and perform malicious attack detection according to a preset period, and stop sending the operation and maintenance data to the second gateway when a malicious attack exists; the transmission of the operation and maintenance data meets the software information safety standard of the medical industry;
the second gateway is configured to receive the operation and maintenance data, and transmit the operation and maintenance data to a data platform, where the transmitted operation and maintenance data is used to instruct the data platform to perform operation and maintenance analysis based on the operation and maintenance data.
9. The system of claim 8, wherein the first gateway is further configured to obtain a data access request generated by the target system, add a security protection policy to the data access request, and send the data access request to the second gateway;
the second gateway is further configured to receive the data access request, verify the security protection policy from the data access request, obtain data information corresponding to the data access request from the data platform when the verification is passed, and transmit the data information to the first gateway.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210718697.0A CN115277083B (en) | 2022-06-23 | 2022-06-23 | Data transmission control method, device, system and computer equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210718697.0A CN115277083B (en) | 2022-06-23 | 2022-06-23 | Data transmission control method, device, system and computer equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115277083A CN115277083A (en) | 2022-11-01 |
| CN115277083B true CN115277083B (en) | 2024-03-22 |
Family
ID=83762607
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210718697.0A Active CN115277083B (en) | 2022-06-23 | 2022-06-23 | Data transmission control method, device, system and computer equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115277083B (en) |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106331176A (en) * | 2016-10-27 | 2017-01-11 | 智者四海(北京)技术有限公司 | Interaction platform of internal and external networks |
| CN106412097A (en) * | 2016-11-01 | 2017-02-15 | 南方电网科学研究院有限责任公司 | Substation equipment operation and maintenance mobile system and method |
| CN107633380A (en) * | 2017-08-30 | 2018-01-26 | 北京明朝万达科技股份有限公司 | The task measures and procedures for the examination and approval and system of a kind of anti-data-leakage system |
| CN107871086A (en) * | 2017-10-13 | 2018-04-03 | 平安科技(深圳)有限公司 | Sensitive information screen method, application server and computer-readable recording medium |
| CN108280130A (en) * | 2017-12-22 | 2018-07-13 | 中国电子科技集团公司第三十研究所 | A method of finding sensitive data in text big data |
| CN111597310A (en) * | 2020-05-26 | 2020-08-28 | 成都卫士通信息产业股份有限公司 | Sensitive content detection method, device, equipment and medium |
| CN111818187A (en) * | 2020-09-03 | 2020-10-23 | 国网汇通金财(北京)信息科技有限公司 | Intranet and extranet communication method and system |
| CN111931956A (en) * | 2020-08-06 | 2020-11-13 | 泛湖海韵(济南)信息科技有限公司 | Management system for isolated monitoring of operation and maintenance of medical equipment |
| CN112073544A (en) * | 2020-11-16 | 2020-12-11 | 震坤行网络技术(南京)有限公司 | Method, computing device, and computer storage medium for processing sensor data |
| CN112182461A (en) * | 2020-08-21 | 2021-01-05 | 杭州安恒信息技术股份有限公司 | Method and device for calculating webpage sensitivity |
| CN112434082A (en) * | 2020-11-25 | 2021-03-02 | 平安普惠企业管理有限公司 | Operation and maintenance resource management method, device, equipment and medium |
| CN113506096A (en) * | 2021-09-08 | 2021-10-15 | 国网浙江省电力有限公司 | Inter-system interface method based on industrial internet identification analysis system |
| CN114491646A (en) * | 2022-02-16 | 2022-05-13 | 平安普惠企业管理有限公司 | Data desensitization method and device, electronic equipment and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7797341B2 (en) * | 2007-04-30 | 2010-09-14 | Hewlett-Packard Development Company, L.P. | Desensitizing database information |
| CN109154932A (en) * | 2016-05-12 | 2019-01-04 | M2Md科技股份有限公司 | The management method and system of different classes of radio communication service are provided from different mobile networks |
-
2022
- 2022-06-23 CN CN202210718697.0A patent/CN115277083B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106331176A (en) * | 2016-10-27 | 2017-01-11 | 智者四海(北京)技术有限公司 | Interaction platform of internal and external networks |
| CN106412097A (en) * | 2016-11-01 | 2017-02-15 | 南方电网科学研究院有限责任公司 | Substation equipment operation and maintenance mobile system and method |
| CN107633380A (en) * | 2017-08-30 | 2018-01-26 | 北京明朝万达科技股份有限公司 | The task measures and procedures for the examination and approval and system of a kind of anti-data-leakage system |
| CN107871086A (en) * | 2017-10-13 | 2018-04-03 | 平安科技(深圳)有限公司 | Sensitive information screen method, application server and computer-readable recording medium |
| CN108280130A (en) * | 2017-12-22 | 2018-07-13 | 中国电子科技集团公司第三十研究所 | A method of finding sensitive data in text big data |
| CN111597310A (en) * | 2020-05-26 | 2020-08-28 | 成都卫士通信息产业股份有限公司 | Sensitive content detection method, device, equipment and medium |
| CN111931956A (en) * | 2020-08-06 | 2020-11-13 | 泛湖海韵(济南)信息科技有限公司 | Management system for isolated monitoring of operation and maintenance of medical equipment |
| CN112182461A (en) * | 2020-08-21 | 2021-01-05 | 杭州安恒信息技术股份有限公司 | Method and device for calculating webpage sensitivity |
| CN111818187A (en) * | 2020-09-03 | 2020-10-23 | 国网汇通金财(北京)信息科技有限公司 | Intranet and extranet communication method and system |
| CN112073544A (en) * | 2020-11-16 | 2020-12-11 | 震坤行网络技术(南京)有限公司 | Method, computing device, and computer storage medium for processing sensor data |
| CN112434082A (en) * | 2020-11-25 | 2021-03-02 | 平安普惠企业管理有限公司 | Operation and maintenance resource management method, device, equipment and medium |
| CN113506096A (en) * | 2021-09-08 | 2021-10-15 | 国网浙江省电力有限公司 | Inter-system interface method based on industrial internet identification analysis system |
| CN114491646A (en) * | 2022-02-16 | 2022-05-13 | 平安普惠企业管理有限公司 | Data desensitization method and device, electronic equipment and storage medium |
Non-Patent Citations (3)
| Title |
|---|
| 基于可信计算的医院数据安全交互平台设计和应用;张晓平;朱卓谨;施咏月;;江苏卫生事业管理(01);全文 * |
| 张晓平 ; 朱卓谨 ; 施咏月 ; .基于可信计算的医院数据安全交互平台设计和应用.江苏卫生事业管理.2020,(01),全文. * |
| 结合触发事件及词性分析的敏感信息识别方法;刘聪;王永利;周子韬;犹锋;张才俊;;计算机工程与应用(20);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115277083A (en) | 2022-11-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113574838B (en) | System and method for filtering internet traffic through client fingerprint | |
| Li et al. | IoT forensics: Amazon echo as a use case | |
| US11399079B2 (en) | Zero-knowledge environment based networking engine | |
| CN110431817B (en) | Identifying malicious network devices | |
| US20220166792A1 (en) | Detecting use of compromised security credentials in private enterprise networks | |
| Khaloufi et al. | Security model for big healthcare data lifecycle | |
| Oh et al. | A comprehensive survey on security and privacy for electronic health data | |
| US11438360B2 (en) | Determining the intersection of a set of compromised credentials with a set of active credentials with data structures and architectures that expedite comparisons | |
| Dezfoli et al. | Digital forensic trends and future | |
| Alghofaili et al. | Secure cloud infrastructure: A survey on issues, current solutions, and open challenges | |
| Jolfaei et al. | A survey on blockchain-based IoMT systems: Towards scalability | |
| US20150186635A1 (en) | Granular Redaction of Resources | |
| US20230300153A1 (en) | Data Surveillance In a Zero-Trust Network | |
| US20160301693A1 (en) | System and method for identifying and protecting sensitive data using client file digital fingerprint | |
| Unal et al. | Machine learning for the security of healthcare systems based on Internet of Things and edge computing | |
| KR102337836B1 (en) | External information recognizing and information providing method using blockchain | |
| da Silva et al. | Identifying privacy functional requirements for crowdsourcing applications in smart cities | |
| Jeyavel et al. | Security vulnerabilities and intelligent solutions for iomt systems | |
| US20230231860A1 (en) | Iot device identification by machine learning with time series behavioral and statistical features | |
| US9143517B2 (en) | Threat exchange information protection | |
| CN115277083B (en) | Data transmission control method, device, system and computer equipment | |
| Sokolova et al. | Security of the telemedicine system information infrastructure | |
| Iorliam | Cybersecurity in Nigeria: A Case Study of Surveillance and Prevention of Digital Crime | |
| Rana et al. | A vital fusion of Internet of medical things and blockchain to transform data privacy and security | |
| Henriques et al. | A Survey on Forensics and Compliance Auditing for Critical Infrastructure Protection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |