CN115967549A - Anti-leakage method based on internal and external network information transmission and related equipment thereof - Google Patents

Publication number: CN115967549A
Authority: CN (China)
Prior art keywords: information, operated, terminal environment, sensitive, text
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN202211559305.7A
Other languages: Chinese (zh)
Inventor: 王修园
Current assignee: Ping An Property and Casualty Insurance Company of China Ltd (as listed by Google Patents)
Original assignee: Ping An Property and Casualty Insurance Company of China Ltd
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202211559305.7A
Publication of CN115967549A

Abstract

The application discloses an anti-leakage method based on information transmission between an internal network and an external network, together with related equipment, and belongs to the technical field of data security. The method comprises: determining the receiving terminal environment corresponding to the current information operation; if that receiving terminal environment is the external network environment, reading the information to be operated; performing sensitive field identification and desensitization on the information to be operated; acquiring a pre-stored first identifier; marking the desensitized information to be operated with the first identifier; and sending the marked information to the first terminal environment. The application also relates to blockchain technology: the information to be operated may be stored on a blockchain. Sensitive data is identified and encrypted during transmission between the internal and external networks, which improves the security of that transmission while still allowing security-compliant operations (such as copying and pasting) across the two networks, and so improves working efficiency.

Description

Anti-leakage method based on internal and external network information transmission and related equipment thereof
Technical Field
The application belongs to the technical field of data security, and in particular relates to an anti-leakage method based on information transmission between internal and external networks, and to related equipment.
Background
With the continuing development of network informatization, the demand for network information integration keeps growing. Most enterprise networks today consist of two parts: a business network used for information exchange inside the enterprise, commonly called the intranet, and an office network that can access Internet resources, commonly called the extranet. The intranet is the platform that supports the enterprise's internal information exchange and business operations. To protect it, most enterprises physically isolate the two networks so that they cannot communicate with each other; this keeps the intranet relatively secure and contributes to the security and stability of the enterprise network system.
Physical isolation guarantees the confidentiality of data on the intranet, but it also limits development, leaving the intranet and extranet as information islands. Most physical-isolation schemes disable cut, copy and paste between the two networks, or render web content so that it cannot be screen-captured. In practice, however, staff who switch between intranet and extranet information inevitably need cut, copy and paste in order to work efficiently. Therefore, how to identify restricted private data during intranet-extranet information transmission, while still ensuring network and data security, is a problem that urgently needs to be solved, so that employees can copy, paste and perform similar operations within the security-compliance operation range set by the enterprise and thereby work more efficiently.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for preventing leakage based on intranet-extranet information transmission, a computer device, and a storage medium, so as to identify restricted private data during intranet-extranet information transmission while ensuring network and data security.
In order to solve the above technical problem, an embodiment of the present application provides an anti-leakage method based on internal and external network information transmission, which adopts the following technical scheme:
an anti-leakage method based on internal and external network information transmission, comprising the following steps:
receiving an information operation instruction, and determining, according to the information operation instruction, the receiving terminal environment corresponding to the current information operation;
if the receiving terminal environment corresponding to the current information operation is a first terminal environment, reading the information to be operated, wherein the first terminal environment is the external network environment;
performing sensitive field identification on the information to be operated, and desensitizing the identified sensitive fields;
acquiring a pre-stored first identifier, wherein the first identifier corresponds to the first terminal environment;
marking the desensitized information to be operated with the first identifier;
and sending the marked information to be operated to the first terminal environment.
Further, performing sensitive field identification on the information to be operated and desensitizing the identified sensitive fields specifically comprises:
parsing the information to be operated, and extracting the text content in the information to be operated;
performing word segmentation on the text content, and extracting sensitive fields from the resulting text participles;
and acquiring a preset encryption key, and desensitizing the sensitive fields with the encryption key.
Further, performing word segmentation on the text content and extracting sensitive fields from the text participles specifically comprises:
labeling the text participles to obtain the participle label corresponding to each text participle;
and importing the text participles and the participle labels into a preset sensitive word extraction model, which outputs the sensitive fields corresponding to the text participles.
Further, importing the text participles and the participle labels into the preset sensitive word extraction model and outputting the sensitive fields corresponding to the text participles specifically comprises:
encoding the text participles to obtain participle encoding vectors, and encoding the participle labels to obtain label encoding vectors;
mapping the participle encoding vectors and the label encoding vectors into the same feature space, and obtaining a vector mapping result;
performing logistic regression processing on the vector mapping result to obtain a feature regression vector;
and decoding the feature regression vector to obtain the sensitive fields corresponding to the text participles.
Further, before importing the text participles and the participle labels into the preset sensitive word extraction model and outputting the sensitive fields corresponding to the text participles, the method further comprises:
acquiring a training sample, and performing word segmentation on the training sample to obtain sample participles;
labeling the sample participles to obtain the sample label corresponding to each sample participle;
importing the sample participles and the sample labels into a preset classification model, which outputs a sensitive word extraction result;
and iteratively updating the classification model based on the sensitive word extraction result and a preset standard result to obtain the sensitive word extraction model.
Further, iteratively updating the classification model based on the sensitive word extraction result and the preset standard result to obtain the sensitive word extraction model specifically comprises:
calculating the error between the sensitive word extraction result and the standard result to obtain a prediction error;
and comparing the prediction error with a preset error threshold: when the prediction error is larger than the error threshold, the classification model is iterated again, until the prediction error is smaller than or equal to the error threshold, at which point the trained sensitive word extraction model is obtained.
Further, the receiving terminal environment also includes a second terminal environment, which is the intranet environment, and after receiving the information operation instruction and determining the receiving terminal environment corresponding to the current information operation, the method further comprises:
if the receiving terminal environment corresponding to the current information operation is the second terminal environment, reading the information to be operated;
acquiring a pre-stored second identifier, wherein the second identifier corresponds to the second terminal environment;
marking the read information to be operated with the second identifier;
and sending the marked information to be operated to the second terminal environment.
In order to solve the above technical problem, an embodiment of the present application further provides an anti-leakage apparatus based on intranet and extranet information transmission, which adopts the following technical scheme:
an anti-leakage apparatus based on internal and external network information transmission, comprising:
a terminal environment confirmation module, configured to receive the information operation instruction and determine, according to the information operation instruction, the receiving terminal environment corresponding to the current information operation;
a first information reading module, configured to read the information to be operated when the receiving terminal environment corresponding to the current information operation is a first terminal environment, wherein the first terminal environment is the extranet environment;
a sensitive field identification module, configured to perform sensitive field identification on the information to be operated and desensitize the identified sensitive fields;
a first identifier obtaining module, configured to obtain a pre-stored first identifier, wherein the first identifier corresponds to the first terminal environment;
a first information marking module, configured to mark the desensitized information to be operated with the first identifier;
and a first information sending module, configured to send the marked information to be operated to the first terminal environment.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which adopts the following technical scheme:
a computer device comprising a memory and a processor, wherein the memory stores computer-readable instructions, and the processor executes the computer-readable instructions to implement the steps of any of the above anti-leakage methods based on intranet and extranet information transmission.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, which adopts the following technical scheme:
a computer-readable storage medium having computer-readable instructions stored thereon which, when executed by a processor, implement the steps of any of the above anti-leakage methods based on intranet and extranet information transmission.
Compared with the prior art, the embodiments of the present application mainly have the following beneficial effects:
the application discloses an anti-leakage method based on internal and external network information transmission and related equipment, belonging to the technical field of data security. The method comprises: determining the receiving terminal environment corresponding to the current information operation; if that environment is the first terminal environment, i.e. the external network environment, reading the information to be operated; performing sensitive field identification on the information to be operated and desensitizing the identified sensitive fields; acquiring a pre-stored first identifier corresponding to the first terminal environment; marking the desensitized information with the first identifier; and sending the marked information to the first terminal environment. Sensitive data is thus identified and encrypted during intranet-extranet transmission, and the marking of the information to be operated makes it possible to determine whether the current information operation falls within the security-compliance operation range. This improves the security of intranet-extranet information transmission while still allowing security-compliant operations across the two networks, and so improves working efficiency.
Drawings
To illustrate the solution of the present application more clearly, the drawings used in the description of the embodiments are briefly described below. The drawings show only some embodiments of the application; a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 illustrates an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 illustrates a flow diagram of one embodiment of the anti-leakage method based on internal and external network information transmission according to the present application;
FIG. 3 is a schematic structural diagram illustrating an embodiment of the anti-leakage apparatus based on internal and external network information transmission according to the present application;
FIG. 4 shows a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may use terminal devices 101, 102, 103 to interact with a server 105 over a network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to a smart phone, a tablet computer, an e-book reader, an MP3 player (MPEG Audio Layer III), an MP4 player, a laptop computer, a desktop computer, and the like.
The server 105 may be a server that provides various services, for example, a background server that provides support for pages displayed on the terminal devices 101, 102, and 103, and may be an independent server, or a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a web service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), and a big data and artificial intelligence platform.
It should be noted that the anti-leakage method based on internal and external network information transmission provided in the embodiments of the present application is generally executed by a server, and accordingly the anti-leakage apparatus based on internal and external network information transmission is generally disposed in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to fig. 2, a flow diagram of one embodiment of the anti-leakage method based on internal and external network information transmission according to the present application is shown. The embodiment may acquire and process the related data using artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use that knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes sensors, dedicated AI chips, cloud computing, distributed storage, big-data processing, operation/interaction systems and mechatronics. AI software technology mainly comprises computer vision, robotics, biometric recognition, speech processing, natural language processing, and machine learning/deep learning.
At present, the confidentiality of data on an enterprise intranet is mostly ensured by physically isolating the intranet from the extranet. Such isolation guarantees data security but limits the development and interaction of data, leaving the intranet and extranet as information islands. Most physical-isolation schemes disable cut, copy and paste, or render web content so that it cannot be screen-captured, yet these functions are inevitably needed when switching between intranet and extranet information in daily work, in order to improve working efficiency.
The application discloses an anti-leakage method based on internal and external network information transmission and related equipment, belonging to the technical field of data security.
The anti-leakage method based on internal and external network information transmission comprises the following steps:
s201, receiving an information operation instruction, and determining a receiving terminal environment corresponding to the current information operation according to the information operation instruction.
In this embodiment, when the server receives the information operation instruction, it determines from the instruction the receiving terminal environment corresponding to the current information operation. The receiving terminal environment is either a first terminal environment, the external network environment, or a second terminal environment, the internal network environment. In other words, the server parses the information operation instruction to determine whether the user's current information operation takes place entirely within the internal network. If it does, strict data desensitization is generally not required. If the operation involves the external network environment, the sensitive data in the transmitted information must be identified and encrypted according to the preset security-compliance operation, so as to improve the security of intranet-extranet information transmission.
In this embodiment, an electronic device (for example, a server shown in fig. 1) on which the internal and external network information transmission-based anti-leakage method operates may receive the information operation instruction in a wired connection manner or a wireless connection manner. It is noted that the wireless connection may include, but is not limited to, a 3G/4G connection, a WiFi connection, a bluetooth connection, a WiMAX connection, a Zigbee connection, a UWB (ultra wideband) connection, and other wireless connection now known or developed in the future.
It should be noted that, in a specific embodiment of the present application, the current information operation includes cutting, copying, pasting, sending, and the like, and the present application is not limited thereto.
S202, if the receiving terminal environment corresponding to the current information operation is the first terminal environment, the information to be operated is read, wherein the first terminal environment is the external network environment.
In this embodiment, the receiving terminal environment is either the first terminal environment (the external network environment) or the second terminal environment (the internal network environment). If the receiving terminal environment corresponding to the current information operation is the first terminal environment, that is, the external network environment, the server reads the information to be operated that corresponds to the current information operation, and identifies and encrypts the sensitive data in it.
S203, sensitive field identification is carried out on the information to be operated, and desensitization treatment is carried out on the identified sensitive field.
In this embodiment, after determining that the current information operation relates to an external network environment, the server starts a sensitive data identification and desensitization program to identify a sensitive field in the information to be operated and perform desensitization processing on the identified sensitive field.
Further, performing sensitive field identification on the information to be operated and desensitizing the identified sensitive fields specifically comprises:
parsing the information to be operated, and extracting the text content in the information to be operated;
performing word segmentation on the text content, and extracting sensitive fields from the resulting text participles;
and acquiring a preset encryption key, and desensitizing the sensitive fields with the encryption key.
In this embodiment, parsing the information to be operated means that the server identifies the file type, format and content of the information in order to extract its text content. For example, if the information to be operated is a picture, the text in the picture is recognized with OCR (optical character recognition) and converted into a uniform text format so that sensitive fields can be extracted in the subsequent steps. After obtaining the text content, the server inputs it into the preset sensitive word extraction model, segments the text into participles, extracts the sensitive fields from the participles, and finally acquires the preset encryption key and desensitizes the sensitive fields with it.
In a specific embodiment of the present application, word segmentation may be performed with a machine-learning segmentation algorithm or a semantic segmentation algorithm; for example, a hidden Markov model segments the text content into text participles. The text participles are then labeled according to preset regular-expression matching rules: every participle is matched against the rules, and the matching result becomes its participle label.
In this embodiment, once the current information operation is determined to involve the external network environment, the text content of the information to be operated is extracted, the text participles are identified, the sensitive fields are extracted, and the sensitive fields are desensitized with the encryption key, which improves the security of intranet-extranet information transmission.
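The following is an added example, written for this page and not code from the patent or its applicant, that implements steps S201 to S203 end to end as one server-side function in Python. The environment names, the two pre-stored identifiers, the regular-expression rules used as participle labels and the keys are assumptions. The patent does not say how the encryption key is applied during desensitization, so keyed pseudonymization with HMAC-SHA256 is used here in its place, and the mark is bound to the content with a second HMAC so that the receiving environment can verify it, which goes beyond the bare identifier the patent describes.

```python
# Added example, not code from the patent: steps S201-S203 as one server-side
# function.  Environment names, identifiers, regular-expression rules, the
# HMAC-based desensitization and the keyed tag on the mark are all assumptions.
import hashlib
import hmac
import re
from dataclasses import dataclass

EXTRANET = "extranet"   # "first terminal environment"
INTRANET = "intranet"   # "second terminal environment"
# Assumed pre-stored identifiers: the first corresponds to the extranet, the second to the intranet.
ENV_IDENTIFIERS = {EXTRANET: "MARK-EXT-01", INTRANET: "MARK-INT-01"}

# Assumed keys; a real deployment loads them from a KMS or HSM rather than hard-coding them.
DESENSITIZATION_KEY = b"example-desensitization-key-not-for-production"
MARK_KEY = b"example-mark-key-not-for-production"

# Assumed "preset regular matching rules" for labelling participles.  Order matters:
# an 18-digit ID number would otherwise also satisfy the bank-card rule.
SENSITIVE_PATTERNS = [
    ("ID_CARD", re.compile(r"^\d{17}[\dXx]$")),
    ("BANK_CARD", re.compile(r"^\d{16,19}$")),
    ("PHONE", re.compile(r"^1[3-9]\d{9}$")),
    ("EMAIL", re.compile(r"^[\w+-]+(\.[\w+-]+)*@[\w-]+(\.[\w-]+)+$")),
]
# Stand-in for the HMM word segmenter: word-like runs that may contain inner dots
# and at-signs but never end in a full stop.
TOKEN_RE = re.compile(r"[\w@+-]+(?:\.[\w@+-]+)*")


@dataclass
class OperationInstruction:
    operation: str   # "cut", "copy", "paste", "send", ...
    target_env: str  # receiving terminal environment
    payload: str     # text content already extracted from the information to be operated


def classify(token: str) -> str:
    """Participle label from the regular-matching rules; 'O' means not sensitive."""
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.match(token):
            return label
    return "O"


def label_tokens(text: str) -> list:
    """Segment the text and label every participle (the tags the patent feeds to its model)."""
    return [(tok, classify(tok)) for tok in TOKEN_RE.findall(text)]


def pseudonymize(label: str, value: str) -> str:
    """Keyed desensitization: deterministic, not reversible without DESENSITIZATION_KEY."""
    digest = hmac.new(DESENSITIZATION_KEY, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"<{label}:{digest[:12]}>"


def desensitize(text: str) -> str:
    """Replace each sensitive participle in place, keeping the surrounding layout."""
    def replace(match):
        tok = match.group(0)
        label = classify(tok)
        return tok if label == "O" else pseudonymize(label, tok)
    return TOKEN_RE.sub(replace, text)


def mark_information(content: str, env: str) -> dict:
    """Mark content with the environment's identifier; the tag binds identifier and content."""
    identifier = ENV_IDENTIFIERS[env]
    tag = hmac.new(MARK_KEY, f"{identifier}\n{content}".encode(), hashlib.sha256).hexdigest()
    return {"identifier": identifier, "content": content, "tag": tag}


def verify_mark(marked: dict) -> bool:
    """Receiving side: reject information whose mark was stripped, altered or forged."""
    expected = hmac.new(MARK_KEY, f"{marked['identifier']}\n{marked['content']}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, marked["tag"])


def handle_operation(instr: OperationInstruction) -> dict:
    """S201-S203: pick the receiving environment, desensitize only for the extranet, then mark."""
    if instr.target_env == EXTRANET:
        return mark_information(desensitize(instr.payload), EXTRANET)
    if instr.target_env == INTRANET:
        return mark_information(instr.payload, INTRANET)
    # Fail closed: an environment the policy does not know receives nothing.
    raise ValueError(f"unknown receiving environment: {instr.target_env!r}")


if __name__ == "__main__":
    # Constructed sample; every value in it is made up.
    sample = OperationInstruction("copy", EXTRANET,
        "Customer 张三 phone 13812345678 id 110101199001011234 email zhang@example.com")
    print(handle_operation(sample))
```

Running the block prints the marked, desensitized record for the constructed sample. HMAC pseudonyms are deterministic (the same key and value always yield the same token, so records from different messages can still be matched) but cannot be reversed without the key; if the extranet side must recover the original value, authenticated encryption such as AES-GCM is the right tool instead. A bare identifier string can be stripped or forged by anything between the server and the receiver, which is why the example binds it to the content with a keyed tag. Rules alone miss context-dependent fields such as a name or an address, which is why the patent feeds the rule labels into a model rather than acting on them directly.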
Further, performing word segmentation on the text content and extracting sensitive fields from the text participles specifically comprises:
labeling the text participles to obtain the participle label corresponding to each text participle;
and importing the text participles and the participle labels into a preset sensitive word extraction model, which outputs the sensitive fields corresponding to the text participles.
The server inputs the text content into a preset sensitive word extraction model, which performs the sensitive field recognition. The model may be any deep learning model, such as a CNN model or a BERT model. In a specific embodiment of the present application, the sensitive word extraction model is obtained by training a BERT sequence labeling model: sequence labeling assigns a class to every token, and this is how the feature classification is implemented. Taking part-of-speech tagging as an example, the BERT encoding vector of each token is mapped onto the tag set by a fully connected (FC) layer, and the output vector of a single token is normalized by Softmax (the multi-class generalization of the logistic function); each dimension of the result is the probability that the token has the corresponding part of speech.
In this embodiment, the server labels the text participles to obtain their participle labels, inputs the text participles and the participle labels into the trained sensitive word extraction model, and obtains the sensitive fields corresponding to the text participles as output.
Further, importing the text participles and the participle labels into the preset sensitive word extraction model and outputting the sensitive fields corresponding to the text participles specifically comprises:
encoding the text participles to obtain participle encoding vectors, and encoding the participle labels to obtain label encoding vectors;
mapping the participle encoding vectors and the label encoding vectors into the same feature space, and obtaining a vector mapping result;
performing logistic regression processing on the vector mapping result to obtain a feature regression vector;
and decoding the feature regression vector to obtain the sensitive fields corresponding to the text participles.
In this embodiment, the trained sensitive word extraction model comprises an encoding (Encoder) layer, a decoding (Decoder) layer and a fully connected (FC) layer. The Encoder layer encodes each text participle into a participle encoding vector and each participle label into a label encoding vector; the FC layer maps the participle encoding vectors and the label encoding vectors into the same feature space and produces the vector mapping result; the Softmax function preset in the model performs logistic regression on the FC layer's output to obtain the feature regression vector; and the Decoder layer decodes the feature regression vector into the sensitive fields corresponding to the text participles. Note that the standard BERT architecture is an encoder-only Transformer; the decoding step described here maps each token's per-label probability vector back to a label and groups labeled tokens into fields, rather than generating text.
In this embodiment, the sensitive word extraction model trained in advance performs the sensitive field identification on the information to be operated, so that the sensitive fields in the information to be operated are obtained.
Further, before the text segmentation and the segmentation label are imported into a preset sensitive word extraction model and a sensitive field corresponding to the text segmentation is output, the method further comprises the following steps:
acquiring a training sample, and segmenting the training sample to obtain a sample segmentation;
labeling the sample word segmentation to obtain a sample label corresponding to the sample word segmentation;
importing the sample word segmentation and the sample label into a preset classification model, and outputting a sensitive word extraction result;
and iteratively updating the classification model based on the sensitive word extraction result and a preset standard result to obtain a sensitive word extraction model.
In this embodiment, the sensitive word extraction model is trained before it is used for sensitive field recognition. Taking a BERT model as an example, during model training the server obtains a pre-stored training sample, performs word segmentation on the training sample to obtain sample participles, labels the sample participles to obtain sample labels corresponding to them, inputs the sample participles and the sample labels into the preset BERT model, obtains the output sensitive word extraction result, and iteratively updates the BERT model based on the sensitive word extraction result and a preset standard result to obtain the sensitive word extraction model.
The BERT model comprises an Encoder layer, a Decoder layer and an FC layer. Sample participles are encoded in the Encoder layer to obtain sample encoding vectors, and sample labels are encoded to obtain sample label vectors; the FC layer maps the sample encoding vectors and the sample label vectors to the same feature space and obtains vector mapping results; logistic regression is performed on the vector mapping results output by the FC layer using a Softmax function preset in the BERT model to obtain sample regression vectors; and the sample regression vectors are decoded in the Decoder layer to obtain the sensitive fields corresponding to the sample participles.
Further, iteratively updating the classification model based on the sensitive word extraction result and a preset standard result to obtain a sensitive word extraction model, which specifically includes:
calculating the error between the sensitive word extraction result and the standard result to obtain a prediction error;
and comparing the prediction error with a preset error threshold, and when the prediction error is larger than the error threshold, iterating the classification model until the prediction error is smaller than or equal to the error threshold, so as to obtain the trained sensitive word extraction model.
In this embodiment, the sensitive word extraction result includes a sensitive field corresponding to the sample segmentation, and the standard result is the sample segmentation carrying the sample label. The server obtains the sensitive field in the sensitive word extraction result, calculates the error between the sensitive field in the sensitive word extraction result and the sample participle carrying the sample label through the loss function of the sensitive word extraction model to obtain a prediction error, compares the prediction error with a preset error threshold value, and iterates the classification model by using a back propagation algorithm when the prediction error is larger than the error threshold value until the prediction error is smaller than or equal to the error threshold value to obtain a trained sensitive word extraction model.
In the embodiment, the method obtains the sensitive word extraction model by training the BERT model through the training samples, calculates the prediction error based on the loss function of the sensitive word extraction model, iterates the sensitive word extraction model based on the back propagation algorithm, and improves the prediction precision of the sensitive word extraction model.
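The training procedure described above (segment the sample, label it, run the classification model, compare the extraction result with the standard result, and iterate while the prediction error exceeds the preset threshold), as an added example that is not the patent's own code. A small logistic-regression token classifier stands in for the BERT sequence labeling model; the token features, the constructed training sample and labels, the error threshold and the learning rate are all assumptions made here.

```python
"""Added example: threshold-driven training loop for a sensitive-field tagger.
A single-layer logistic-regression model stands in for the BERT model; its
gradient step is the one-layer case of back-propagation."""
import math
import re

ERROR_THRESHOLD = 0.1    # preset error threshold (constructed value)
LEARNING_RATE = 1.0      # constructed
MAX_ITERATIONS = 20000   # safety bound so the loop always terminates

# Constructed training sample; the "sample labels" are the tokens marked sensitive.
TRAINING_SAMPLE = ("policy 13800138000 renewal alice@example.com "
                   "Shenzhen 110101199001011234 2023")
SAMPLE_LABELS = {"13800138000", "alice@example.com", "110101199001011234"}


def segment(sample: str) -> list:
    """Word segmentation of the training sample (whitespace split)."""
    return sample.split()


def label_tokens(tokens: list, sensitive: set) -> list:
    """Sample labels: 1 for a sensitive participle, 0 otherwise."""
    return [1 if t in sensitive else 0 for t in tokens]


def encode(token: str) -> list:
    """Encode a participle as a feature vector:
    bias, contains a run of 7+ digits, contains '@', longer than 10 chars."""
    return [
        1.0,
        1.0 if re.search(r"\d{7,}", token) else 0.0,
        1.0 if "@" in token else 0.0,
        1.0 if len(token) > 10 else 0.0,
    ]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(weights: list, x: list) -> float:
    """Softmax over two classes reduces to the sigmoid of the weighted sum."""
    return sigmoid(sum(w * xi for w, xi in zip(weights, x)))


def prediction_error(weights: list, X: list, y: list) -> float:
    """Loss function: mean cross-entropy between the extraction result and the
    standard result (the labelled sample participles)."""
    eps = 1e-12
    total = 0.0
    for x, yi in zip(X, y):
        p = min(max(predict_proba(weights, x), eps), 1.0 - eps)
        total -= yi * math.log(p) + (1 - yi) * math.log(1.0 - p)
    return total / len(X)


def train(sample: str = TRAINING_SAMPLE, sensitive: set = SAMPLE_LABELS,
          threshold: float = ERROR_THRESHOLD) -> dict:
    """Iterate the classification model until the prediction error is at or
    below the threshold (or the iteration bound is hit)."""
    tokens = segment(sample)
    y = label_tokens(tokens, sensitive)
    X = [encode(t) for t in tokens]
    weights = [0.0] * len(X[0])
    error = prediction_error(weights, X, y)
    iterations = 0
    while error > threshold and iterations < MAX_ITERATIONS:
        grads = [0.0] * len(weights)
        for x, yi in zip(X, y):
            diff = predict_proba(weights, x) - yi
            for j, xj in enumerate(x):
                grads[j] += diff * xj
        # Gradient step on the mean gradient (back-propagation for one layer).
        weights = [w - LEARNING_RATE * g / len(X) for w, g in zip(weights, grads)]
        error = prediction_error(weights, X, y)
        iterations += 1
    return {"weights": weights, "error": error, "iterations": iterations}


def extract_sensitive_fields(weights: list, text: str) -> list:
    """Use the trained model to extract sensitive fields from new text."""
    return [t for t in text.split() if predict_proba(weights, encode(t)) >= 0.5]
```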
S204, a first identifier stored in advance is obtained, wherein the first identifier corresponds to the first terminal environment.
In this embodiment, a first identifier and a second identifier are pre-stored in the database. The first identifier corresponds to a first terminal environment, that is, the first identifier is an extranet operation identifier, and an information operation carrying the first identifier is an operation related to an extranet; the second identifier corresponds to a second terminal environment, that is, the second identifier is an intranet operation identifier, and an information operation carrying the second identifier is an operation related only to an intranet. After determining that the current information operation relates to an external network environment, the server acquires the pre-stored first identifier.
And S205, marking the desensitized information to be operated by using the first identifier.
In this embodiment, after determining that the current information operation relates to an external network environment, the server acquires a first identifier stored in advance, and marks desensitized information to be operated by using the first identifier, where the information operation carrying the first identifier is an operation relating to an external network, and the first identifier can be recognized by an external network client.
And S206, sending the marked information to be operated to the first terminal environment.
In this embodiment, after the server marks desensitized information to be operated by using the first identifier, the marked information to be operated is sent to the first terminal environment, so as to complete information operation of the internal network and the external network.
In the embodiment, the application discloses an anti-disclosure method based on internal and external network information transmission, and belongs to the technical field of data security. The method comprises the steps of determining a receiving terminal environment corresponding to current information operation; if the receiving terminal environment corresponding to the current information operation is a first terminal environment, reading information to be operated, wherein the first terminal environment is an external network environment; carrying out sensitive field identification on information to be operated, and carrying out desensitization processing on the identified sensitive field; acquiring a first pre-stored identifier, wherein the first identifier corresponds to a first terminal environment; marking the desensitized information to be operated by using the first identifier; and sending the marked information to be operated to the first terminal environment. According to the method and the device, under the condition of guaranteeing network and data safety, through identifying and encrypting sensitive data in the process of transmitting the information of the internal and external networks and identifying the information to be operated, whether the current information operation is in the safe compliant operation range or not is determined, so that the safety of the information transmission of the internal and external networks is improved, meanwhile, some safe compliant operations are allowed to be used in the process of transmitting the information of the internal and external networks, and the working efficiency is improved.
Further, the receiving terminal environment includes a second terminal environment, the second terminal environment is an intranet environment, and after receiving the information operation instruction and determining the receiving terminal environment corresponding to the current information operation according to the information operation instruction, the method further includes:
if the receiving terminal environment corresponding to the current information operation is a second terminal environment, reading information to be operated;
acquiring a pre-stored second identifier, wherein the second identifier corresponds to the first terminal environment;
marking the read information to be operated by using the second identifier;
and sending the marked information to be operated to the second terminal environment.
In this embodiment, when the server detects that the receiving terminal environment corresponding to the current information operation is the second terminal environment, and the second terminal environment is the intranet environment, that is, the receiving terminal environment corresponding to the current information operation is the intranet environment, it indicates that this operation is only completed in the intranet environment, and in general, it is not necessary to perform a strict data desensitization operation. When the server detects that the current information operation is only completed in an intranet environment, the server reads the information to be operated corresponding to the current information operation, and obtains a pre-stored second identifier, wherein the second identifier corresponds to the first terminal environment, the information to be operated is marked by the second identifier, the information operation carrying the second identifier is only related to the operation of the intranet, and the second identifier can only be recognized by an intranet client. And after the information to be operated is marked by the second identifier, the marked information to be operated is sent to the second terminal environment.
In the embodiment, when it is detected that the current information operation is only completed in the intranet environment, desensitization operation on information to be operated corresponding to the current information operation may not be required in the safety compliance operation range, and the current operation is recorded in a direct marking manner, so that the calculation resources are saved.
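The two branches described above (extranet: read, identify and desensitize sensitive fields, mark with the first identifier, send; intranet: read, mark with the second identifier, send), as an added example that is not the patent's own code. The environment names, identifier values, the pattern-based tagger standing in for the trained sensitive word extraction model, and HMAC-SHA256 keyed pseudonymisation standing in for desensitization with the preset encryption key are all assumptions made here; the sample message is constructed.

```python
"""Added example: routing an information operation by receiving terminal
environment, desensitizing only when the receiver is the extranet."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed identifiers: the first corresponds to the first terminal
# environment (extranet), the second to the second terminal environment (intranet).
FIRST_TERMINAL = "extranet"
SECOND_TERMINAL = "intranet"
IDENTIFIERS = {FIRST_TERMINAL: "ID-EXT-001", SECOND_TERMINAL: "ID-INT-001"}

# Preset encryption key (constructed; in practice loaded from a secret store).
PRESET_KEY = b"constructed-demo-key-do-not-reuse"

# Stand-in for the sensitive word extraction model: token-level patterns for a
# phone number, an 18-digit ID number and an e-mail address (constructed).
SENSITIVE_PATTERNS = {
    "phone": re.compile(r"^1\d{10}$"),
    "id_number": re.compile(r"^\d{17}[\dXx]$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}
PUNCTUATION = ",.;:()[]"


@dataclass
class MarkedMessage:
    """Information to be operated after marking, ready to be sent."""
    identifier: str
    environment: str
    text: str
    sensitive_fields: list = field(default_factory=list)


def determine_environment(instruction: dict) -> str:
    """Determine the receiving terminal environment from the operation instruction."""
    env = instruction.get("receiver_env")
    if env not in IDENTIFIERS:
        raise ValueError(f"unknown receiving terminal environment: {env!r}")
    return env


def identify_sensitive_fields(text: str) -> list:
    """Word-segment the text (whitespace split, punctuation stripped) and
    return (token, label) pairs for the participles tagged as sensitive."""
    found = []
    for raw in text.split():
        core = raw.strip(PUNCTUATION)
        for label, pattern in SENSITIVE_PATTERNS.items():
            if pattern.match(core):
                found.append((core, label))
                break
    return found


def desensitize(token: str, label: str, key: bytes) -> str:
    """Replace a sensitive token by a keyed, non-reversible pseudonym: equal
    values map to equal pseudonyms, but the original is not recoverable
    without the key and the original value."""
    digest = hmac.new(key, token.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"<{label}:{digest[:12]}>"


def process_operation(instruction: dict, text: str,
                      key: bytes = PRESET_KEY) -> MarkedMessage:
    """Run the full flow and return the marked information to be operated."""
    env = determine_environment(instruction)
    identifier = IDENTIFIERS[env]
    if env == FIRST_TERMINAL:
        # Extranet receiver: identify, desensitize, then mark with the first identifier.
        fields = identify_sensitive_fields(text)
        for token, label in fields:
            text = text.replace(token, desensitize(token, label, key))
        return MarkedMessage(identifier, env, text, fields)
    # Intranet receiver: no desensitization, only marking with the second identifier.
    return MarkedMessage(identifier, env, text)
```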
It should be emphasized that, in order to further ensure the privacy and security of the information to be operated, the information to be operated may also be stored in a node of a block chain.
The block chain referred by the application is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware associated with computer readable instructions, which can be stored in a computer readable storage medium, and when executed, can include processes of the embodiments of the methods described above. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
With further reference to fig. 3, as an implementation of the method shown in fig. 2, the present application provides an embodiment of a divulgence prevention apparatus based on intranet and extranet information transmission, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 3, the device 300 for preventing disclosure based on intranet and extranet information transmission according to this embodiment includes:
a terminal environment confirmation module 301, configured to receive the information operation instruction, and determine, according to the information operation instruction, a receiving terminal environment corresponding to the current information operation;
a first information reading module 302, configured to read information to be operated when a receiving terminal environment corresponding to a current information operation is a first terminal environment, where the first terminal environment is an external network environment;
the sensitive field identification module 303 is configured to perform sensitive field identification on the information to be operated, and perform desensitization processing on the identified sensitive field;
a first identifier obtaining module 304, configured to obtain a first identifier stored in advance, where the first identifier corresponds to a first terminal environment;
a first information identification module 305, configured to mark desensitized information to be operated with a first identifier;
a first information sending module 306, configured to send the marked information to be operated to the first terminal environment.
Further, the sensitive field identifying module 303 specifically includes:
the operation information analysis sub-module is used for analyzing the information to be operated and extracting text contents in the information to be operated;
the sensitive field identification submodule is used for performing word segmentation processing on the text content and extracting a sensitive field from the text word segmentation;
and the sensitive field desensitization sub-module is used for acquiring a preset encryption key and performing desensitization processing on the sensitive field by using the encryption key.
Further, the sensitive field identification submodule specifically includes:
the text word segmentation labeling unit is used for labeling the text word segmentation to obtain a word segmentation label corresponding to the text word segmentation;
and the sensitive field identification unit is used for importing the text participles and the participle labels into a preset sensitive word extraction model and outputting the sensitive fields corresponding to the text participles.
Further, the sensitive field identification unit specifically includes:
the text word segmentation coding subunit is used for coding text words to obtain word segmentation coding vectors and coding word segmentation labels to obtain label coding vectors;
the coding vector mapping subunit is used for mapping the participle coding vector and the label coding vector to the same feature space and acquiring a vector mapping result;
the mapping logistic regression subunit is used for carrying out logistic regression processing on the vector mapping result to obtain a characteristic regression vector;
and the regression vector decoding subunit is used for decoding the characteristic regression vector to obtain the sensitive field corresponding to the text participle.
Further, the device 300 for preventing disclosure based on intranet and extranet information transmission further includes:
the training sample word segmentation module is used for acquiring a training sample and segmenting words of the training sample to obtain sample word segmentation;
the sample word segmentation labeling module is used for labeling the sample word segmentation to obtain a sample label corresponding to the sample word segmentation;
the sample sensitive word extraction module is used for importing the sample participles and the sample labels into a preset classification model and outputting a sensitive word extraction result;
and the model iteration module is used for iteratively updating the classification model based on the sensitive word extraction result and a preset standard result to obtain the sensitive word extraction model.
Further, the model iteration module specifically includes:
the prediction error calculation submodule is used for calculating the error between the sensitive word extraction result and the standard result to obtain a prediction error;
and the model iteration submodule is used for comparing the prediction error with a preset error threshold, and when the prediction error is larger than the error threshold, iterating the classification model until the prediction error is smaller than or equal to the error threshold, so as to obtain the trained sensitive word extraction model.
Further, the internal and external network information transmission-based anti-disclosure device 300 further includes:
the second information reading module is used for reading the information to be operated when the receiving terminal environment corresponding to the current information operation is the second terminal environment;
the second identifier acquisition module is used for acquiring a prestored second identifier, wherein the second identifier corresponds to the first terminal environment;
the second information identification module is used for marking the read information to be operated by utilizing a second identification;
and the second information sending module is used for sending the marked information to be operated to the second terminal environment.
In the above embodiment, the application discloses an anti-disclosure device based on intranet and extranet information transmission, and belongs to the technical field of data security. The method comprises the steps of determining a receiving terminal environment corresponding to current information operation; if the receiving terminal environment corresponding to the current information operation is a first terminal environment, reading information to be operated, wherein the first terminal environment is an external network environment; sensitive field identification is carried out on the information to be operated, and desensitization treatment is carried out on the identified sensitive field; acquiring a first pre-stored identifier, wherein the first identifier corresponds to a first terminal environment; marking the desensitized information to be operated by using the first identifier; and sending the marked information to be operated to the first terminal environment. According to the method and the device, under the condition of guaranteeing network and data safety, sensitive data in the information transmission process of the internal and external networks are identified and encrypted, the information to be operated is identified, whether the current information operation is in the safe compliance operation range or not is determined, so that the safety of the information transmission of the internal and external networks is improved, meanwhile, some safe compliance operations are allowed to be used in the information transmission process of the internal and external networks, and the working efficiency is improved.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 4 in particular, fig. 4 is a block diagram of a basic structure of a computer device according to the embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43, which are communicatively connected to each other via a system bus. It is noted that only a computer device 4 having components 41-43 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to instructions set or stored in advance, and its hardware includes but is not limited to a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium, including flash memory, hard disks, multimedia cards, card-type memory (e.g., SD or DX memory), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Programmable Read Only Memory (PROM), magnetic memory, magnetic disks, optical disks, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card or a Flash memory Card (Flash Card) provided on the computer device 4. Of course, the memory 41 may also include both internal and external storage devices of the computer device 4. In this embodiment, the memory 41 is generally used for storing an operating system installed in the computer device 4 and various types of application software, such as computer readable instructions of the anti-leakage method based on intranet and extranet information transmission. Further, the memory 41 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute the computer readable instructions stored in the memory 41 or to process data, for example, to execute the computer readable instructions of the method for preventing leakage based on intranet and extranet information transmission.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing communication connection between the computer device 4 and other electronic devices.
The application discloses computer equipment belongs to data security technical field. The method comprises the steps of determining a receiving terminal environment corresponding to current information operation; if the receiving terminal environment corresponding to the current information operation is a first terminal environment, reading information to be operated, wherein the first terminal environment is an external network environment; sensitive field identification is carried out on the information to be operated, and desensitization treatment is carried out on the identified sensitive field; acquiring a first pre-stored identifier, wherein the first identifier corresponds to a first terminal environment; marking the desensitized information to be operated by using the first identifier; and sending the marked information to be operated to the first terminal environment. According to the method and the device, under the condition of guaranteeing network and data safety, sensitive data in the information transmission process of the internal and external networks are identified and encrypted, the information to be operated is identified, whether the current information operation is in the safe compliance operation range or not is determined, so that the safety of the information transmission of the internal and external networks is improved, meanwhile, some safe compliance operations are allowed to be used in the information transmission process of the internal and external networks, and the working efficiency is improved.
The present application further provides another embodiment, which is to provide a computer-readable storage medium storing computer-readable instructions executable by at least one processor, so that the at least one processor performs the steps of the method for preventing leakage based on intranet and extranet information transmission as described above.
The application discloses a storage medium, and belongs to the technical field of data security. The method comprises the steps of determining a receiving terminal environment corresponding to current information operation; if the receiving terminal environment corresponding to the current information operation is a first terminal environment, reading information to be operated, wherein the first terminal environment is an external network environment; sensitive field identification is carried out on the information to be operated, and desensitization treatment is carried out on the identified sensitive field; acquiring a first pre-stored identifier, wherein the first identifier corresponds to a first terminal environment; marking the desensitized information to be operated by using the first identifier; and sending the marked information to be operated to the first terminal environment. According to the method and the device, under the condition of guaranteeing network and data safety, sensitive data in the information transmission process of the internal and external networks are identified and encrypted, the information to be operated is identified, whether the current information operation is in the safe compliance operation range or not is determined, so that the safety of the information transmission of the internal and external networks is improved, meanwhile, some safe compliance operations are allowed to be used in the information transmission process of the internal and external networks, and the working efficiency is improved.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
It should be understood that the above-described embodiments are merely exemplary of some, and not all, embodiments of the present application, and that the drawings illustrate preferred embodiments of the present application without limiting the scope of the claims appended hereto. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields, and all the equivalent structures are within the protection scope of the present application.

Claims (10)

1. An anti-leakage method based on internal and external network information transmission is characterized by comprising the following steps:
receiving an information operation instruction, and determining a receiving terminal environment corresponding to the current information operation according to the information operation instruction;
if the receiving terminal environment corresponding to the current information operation is a first terminal environment, reading information to be operated, wherein the first terminal environment is an external network environment;
carrying out sensitive field identification on the information to be operated, and carrying out desensitization treatment on the identified sensitive field;
acquiring a first pre-stored identifier, wherein the first identifier corresponds to the first terminal environment;
marking the desensitized information to be operated by using the first identifier;
and sending the marked information to be operated to the first terminal environment.
2. The method for preventing leakage based on intranet and extranet information transmission according to claim 1, wherein the identifying the sensitive field of the information to be operated and desensitizing the identified sensitive field comprise:
analyzing the information to be operated, and extracting text content in the information to be operated;
performing word segmentation processing on the text content, and extracting sensitive fields from text word segmentation;
and acquiring a preset encryption key, and performing desensitization processing on the sensitive field by using the encryption key.
3. The intranet and extranet information transmission-based leakage prevention method according to claim 2, wherein the word segmentation processing is performed on the text content, and a sensitive field is extracted from a text word segmentation, and the method specifically comprises:
labeling the text participles to obtain participle labels corresponding to the text participles;
and importing the text participles and the participle labels into a preset sensitive word extraction model, and outputting sensitive fields corresponding to the text participles.
4. The intranet and extranet information transmission-based leakage prevention method according to claim 3, wherein the step of importing the text participles and the participle tags into a preset sensitive word extraction model and outputting the sensitive fields corresponding to the text participles specifically comprises:
encoding the text participles to obtain a participle encoding vector, and encoding the participle labels to obtain a label encoding vector;
mapping the participle encoding vector and the label encoding vector into the same feature space to obtain a vector mapping result;
performing logistic regression processing on the vector mapping result to obtain a feature regression vector;
and decoding the feature regression vector to obtain the sensitive field corresponding to the text participle.
5. The method for preventing leakage based on intranet and extranet information transmission as claimed in claim 3, wherein before the step of importing the text participle and the participle tag into a preset sensitive word extraction model and outputting a sensitive field corresponding to the text participle, the method further comprises:
acquiring a training sample, and performing word segmentation on the training sample to obtain sample participles;
labeling the sample participles to obtain sample labels corresponding to the sample participles;
importing the sample participles and the sample labels into a preset classification model, and outputting a sensitive word extraction result;
and iteratively updating the classification model based on the sensitive word extraction result and a preset standard result to obtain the sensitive word extraction model.
6. The method for preventing leakage based on intranet and extranet information transmission according to claim 5, wherein the iteratively updating the classification model based on the sensitive word extraction result and a preset standard result to obtain the sensitive word extraction model specifically comprises:
calculating the error between the sensitive word extraction result and the standard result to obtain a prediction error;
and comparing the prediction error with a preset error threshold, and when the prediction error is larger than the error threshold, iterating the classification model until the prediction error is smaller than or equal to the error threshold, so as to obtain the trained sensitive word extraction model.
7. The method according to any one of claims 1 to 6, wherein the receiving terminal environment comprises a second terminal environment, the second terminal environment is an intranet environment, and after the information operation instruction is received and the receiving terminal environment corresponding to the current information operation is determined according to the information operation instruction, the method further comprises:
if the receiving terminal environment corresponding to the current information operation is a second terminal environment, reading information to be operated;
acquiring a pre-stored second identifier, wherein the second identifier corresponds to the first terminal environment;
marking the read information to be operated by using the second identifier;
and sending the marked information to be operated to the second terminal environment.
8. A leakage prevention device based on internal and external network information transmission, comprising:
a terminal environment determination module, configured to receive the information operation instruction and determine the receiving terminal environment corresponding to the current information operation according to the information operation instruction;
a first information reading module, configured to read information to be operated when a receiving terminal environment corresponding to the current information operation is a first terminal environment, where the first terminal environment is an external network environment;
the sensitive field identification module is used for carrying out sensitive field identification on the information to be operated and carrying out desensitization treatment on the identified sensitive field;
a first identifier obtaining module, configured to obtain a first identifier stored in advance, where the first identifier corresponds to the first terminal environment;
a first information marking module, configured to mark the desensitized information to be operated with the first identifier;
and the first information sending module is used for sending the marked information to be operated to the first terminal environment.
9. A computer device comprising a memory and a processor, wherein the memory stores computer readable instructions, and the processor executes the computer readable instructions to implement the steps of the method for preventing leakage based on intranet and extranet information transmission according to any one of claims 1 to 7.
10. A computer readable storage medium, wherein the computer readable storage medium stores computer readable instructions which, when executed by a processor, implement the steps of the internal and external network information transmission-based anti-leakage method according to any one of claims 1 to 7.
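Added example, not the patent's own code: the egress flow of claims 1, 2 and 7 (determine the receiving environment, desensitize identified sensitive fields with a key only when the receiver is the extranet, then mark the message with that environment's pre-stored identifier). The ENV_IDENTIFIERS, the DESENSITIZATION_KEY, the regular-expression rules standing in for the sensitive-word extraction model of claims 3 to 6, and the sample message are all constructed assumptions.

```python
"""Added example (not the patent's code): an egress filter modelled on claims 1, 2
and 7: intranet traffic is only marked, extranet traffic is desensitized first."""
import hashlib
import hmac
import re
from dataclasses import dataclass

EXTRANET, INTRANET = "extranet", "intranet"  # first / second terminal environment

# Assumed pre-stored identifiers, one per receiving environment (claims 1 and 7).
ENV_IDENTIFIERS = {EXTRANET: "TAG-EXT", INTRANET: "TAG-INT"}
# Assumed desensitization key (claim 2); a real deployment reads it from a key store.
DESENSITIZATION_KEY = b"constructed-demo-key-rotate-me"

# Stand-in for the sensitive-word extraction model of claims 3 to 6: rules over
# whitespace-split participles. A trained model would replace SENSITIVE_RULES.
SENSITIVE_RULES = {
    "phone": re.compile(r"^\+?\d{11}$"),
    "id_card": re.compile(r"^\d{17}[\dXx]$"),
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.]+$"),
}

@dataclass
class Outgoing:
    environment: str
    identifier: str
    text: str

def find_sensitive(tokens):
    """Return {participle: label} for every participle matching a rule."""
    return {t: lbl for t in tokens for lbl, rx in SENSITIVE_RULES.items() if rx.match(t)}

def desensitize(token: str, label: str, key: bytes) -> str:
    """Keyed, non-reversible replacement: equal inputs give equal tags, so the
    receiver can still correlate records without seeing the raw value."""
    digest = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{label}:{digest}>"

def prepare_outgoing(env: str, message: str) -> Outgoing:
    """Claims 1 and 7: desensitize only when the receiver is the extranet."""
    if env not in ENV_IDENTIFIERS:
        raise ValueError(f"unknown receiving environment: {env}")
    text = message
    if env == EXTRANET:
        for tok, label in find_sensitive(message.split()).items():
            text = text.replace(tok, desensitize(tok, label, DESENSITIZATION_KEY))
    return Outgoing(env, ENV_IDENTIFIERS[env], text)
```

Because the replacement is an HMAC rather than a reversible cipher, the extranet receiver cannot recover the raw field even if the marked message is captured; if the design needs reversibility on return traffic, swap `desensitize` for authenticated encryption under the same key.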

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211559305.7A CN115967549A (en) 2022-12-06 2022-12-06 Anti-leakage method based on internal and external network information transmission and related equipment thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211559305.7A CN115967549A (en) 2022-12-06 2022-12-06 Anti-leakage method based on internal and external network information transmission and related equipment thereof

Publications (1)

Publication Number Publication Date
CN115967549A true CN115967549A (en) 2023-04-14

Family

ID=87353419

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211559305.7A Pending CN115967549A (en) 2022-12-06 2022-12-06 Anti-leakage method based on internal and external network information transmission and related equipment thereof

Country Status (1)

Country Link
CN (1) CN115967549A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116260657A (en) * 2023-05-09 2023-06-13 南京汇荣信息技术有限公司 Information encryption method and system suitable for network security system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination