CN117290892A

CN117290892A - Method, apparatus, device and computer readable medium for securing data

Info

Publication number: CN117290892A
Application number: CN202310993429.4A
Authority: CN
Inventors: 武勇
Original assignee: Jingdong Technology Information Technology Co Ltd
Current assignee: Jingdong Technology Information Technology Co Ltd
Priority date: 2023-08-08
Filing date: 2023-08-08
Publication date: 2023-12-26

Abstract

The invention discloses a method, a device, equipment and a computer readable medium for guaranteeing data security, and relates to the technical field of computers. One embodiment of the method comprises the following steps: responding to service operation initiated by a user in a service system, verifying that the service operation meets service operation conditions, and sending access operation parameters; acquiring confusion conditions, operation conditions and encryption conditions in a browser according to associated parameters in access operation parameters; restoring the service information of the access operation parameters according to the confusion conditions, executing the service parameters in the service operation by combining the operation conditions and the encryption conditions, and transmitting the executed service parameters; in the process of executing service operation, acquiring behavior data of a user, identity data of the user in a service system and running environment data of the user so as to identify risks of the user, and updating access operation parameters according to the risks of the user. The embodiment can improve the security of the background data.

Description

Method, apparatus, device and computer readable medium for securing data

Technical Field

The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a computer readable medium for guaranteeing data security.

Background

Because the internet service is directed to the internet user, the front-end page and the background service interface are exposed in the internet environment. Especially, the front-end page is exposed in the browser without reservation due to the development technology, so that the business logic rules and the back-end service interface address are easily obtained. Therefore, the operation of a real user can be simulated, and a request is initiated to the back-end service, so that data leakage is caused.

In the process of implementing the present invention, the inventor finds that at least the following problems exist in the prior art: since the security is performed by using a dynamic signature method, the key is easily leaked, and the security of the background data is reduced.

Disclosure of Invention

In view of this, embodiments of the present invention provide a method, an apparatus, a device, and a computer readable medium for guaranteeing data security, which can improve security of background data.

To achieve the above object, according to an aspect of the embodiments of the present invention, there is provided a method for securing data, including:

responding to service operation initiated by a user in a service system, and sending access operation parameters if the service operation is verified to meet service operation conditions;

Acquiring confusion conditions of the access operation parameters, operation conditions of the business operation and encryption conditions in a browser according to the associated parameters in the access operation parameters;

after restoring the service information of the access operation parameters according to the confusion condition, executing the service parameters in the service operation by combining the operation condition of the service operation and the encryption condition, and transmitting the executed service parameters;

and in the process of executing the business operation, acquiring behavior data of the user and identity data of the user in a business system, and identifying the risk of the user by the running environment data of the user, and updating the access operation parameters according to the risk of the user.

The obtaining, in the browser, the confusion condition of the access operation parameter, the operation condition of the service operation and the encryption condition according to the associated parameter in the access operation parameter includes:

acquiring the association parameters from the access operation parameters in a browser;

analyzing the association parameters, and acquiring confusion conditions of the access operation parameters, operation conditions of the business operation and encryption conditions from the access operation parameters.

And after restoring the service information of the access operation parameter according to the confusion condition, executing the service parameter in the service operation by combining the operation condition of the service operation and the encryption condition, and transmitting the executed service parameter, wherein the method comprises the following steps:

restoring the service information of the access operation parameters based on the original information of the access operation parameters according to the confusion conditions;

and the service operation meets the operation condition, encrypts the service parameters in the service operation according to the encryption condition, and sends the encrypted service parameters.

During the execution of the business operation, acquiring behavior data of the user, identity data of the user in a business system and running environment data of the user so as to identify risk of the user, wherein the method comprises the following steps:

acquiring behavior data of the user, identity data of the user in a service system and running environment data of the user in the process of executing the service operation;

and identifying the risk of the user according to the user risk identification condition by using the behavior data of the user, the identity data of the user in a service system and the running environment data of the user.

and identifying the risk of the user by adopting a risk user characteristic identification model trained by machine learning and combining the behavior data of the user, the identity data of the user in a service system and the running environment data of the user.

Said updating said access operation parameters in accordance with the risk of said user comprises:

updating one or more of the associated ones of the access operating parameters, the confusion conditions in the access operating parameters and the encryption conditions in dependence on the risk of the user.

The transmission access operation parameter includes:

and if the business operation meets the transmission time condition, transmitting the access operation parameter.

According to a second aspect of an embodiment of the present invention, there is provided an apparatus for securing data, including:

The sending module is used for responding to the service operation initiated by the user in the service system, verifying that the service operation meets the service operation condition, and sending the access operation parameters;

the acquisition module is used for acquiring confusion conditions of the access operation parameters, operation conditions of the business operation and encryption conditions in the browser according to the associated parameters in the access operation parameters;

the service module is used for executing the service parameters in the service operation by combining the operation conditions of the service operation and the encryption conditions after restoring the service information of the access operation parameters according to the confusion conditions, and transmitting the executed service parameters;

and the updating module is used for acquiring the behavior data of the user and the identity data of the user in a service system in the process of executing the service operation, and the running environment data of the user so as to identify the risk of the user and update the access operation parameters according to the risk of the user.

According to a third aspect of an embodiment of the present invention, there is provided an electronic device for securing data, including:

one or more processors;

storage means for storing one or more programs,

The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the methods as described above.

According to a fourth aspect of embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program which when executed by a processor implements a method as described above.

One embodiment of the above invention has the following advantages or benefits: responding to service operation initiated by a user in a service system, and sending access operation parameters if the service operation is verified to meet service operation conditions; acquiring confusion conditions of the access operation parameters, operation conditions of the business operation and encryption conditions in a browser according to the associated parameters in the access operation parameters; after restoring the service information of the access operation parameters according to the confusion condition, executing the service parameters in the service operation by combining the operation condition and the encryption condition of the service operation, and transmitting the executed service parameters; and in the process of executing the business operation, acquiring behavior data of the user and identity data of the user in a business system, and identifying the risk of the user by the running environment data of the user, and updating the access operation parameters according to the risk of the user. The access operation parameters can be updated in time based on the risk of the user without adopting dynamic signature defense, so that background data is prevented from being revealed, and the security of the background data is further improved.

Further effects of the above-described non-conventional alternatives are described below in connection with the embodiments.

Drawings

The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:

FIG. 1 is an interactive schematic diagram for securing data;

FIG. 2 is a schematic flow chart of a method for securing data according to an embodiment of the present invention;

FIG. 3 is a flow diagram of acquiring confusion conditions, operating conditions, and encryption conditions, according to an embodiment of the invention;

fig. 4 is a schematic flow chart of a procedure for transmitting service parameters after execution according to an embodiment of the present invention;

FIG. 5 is a flow chart of identifying risk of a user according to an embodiment of the present invention;

FIG. 6 is a schematic flow chart of another method for identifying risk of a user according to an embodiment of the present invention;

FIG. 7 is a schematic diagram of the main structure of an apparatus for securing data according to an embodiment of the present invention;

FIG. 8 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;

fig. 9 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.

Detailed Description

Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.

At present, a dynamic signature mode is mainly used for background data security. Backend interfaces can be divided into two classes, one class being interfaces for security defense, collectively referred to as defense interfaces. Another type is a service interface provided for completing service logic, collectively referred to as a service interface.

Before requesting the service interface, the front-end page requests the defending interface to apply a secret key for signing, encrypts service data by using the secret key, and transmits the service data to the service interface. In order to ensure that the access interface for acquiring the key is not accessed randomly, the access_token needs to be carried as a credential when the key generation interface is requested. the token is generated by a front-end timing request defense interface to ensure the validity of the token.

Referring to fig. 1, fig. 1 is an interactive schematic diagram for securing data. The front-end page interacts with the defensive service, and the front-end service acquires the access_token. The user requests a key (secret) by transmitting a service operation. The business request of the user is sent to the business service in a ciphertext mode. And finally, returning the operation result to the user.

By adopting the scheme in fig. 1, the risk discrimination is performed by tracing the behavior with obvious risk characteristics such as the access frequency and the like by requesting the source IP and the identification of the user in the service system as the key information tracked by the user.

Such as: when a certain IP or user identifier accesses the ordering service at a higher frequency, the IP or user identifier can identify that the IP or user is a risk user, and the service stability and the data security are protected by adopting a corresponding defense strategy.

By adopting the mode, the safety logic is solidified and the identification degree of the risk user is low. Specifically, the front-end refreshes token, requests secret, encrypts and other security logic solidification, and once the security logic is cracked, the security logic can attack the back-end service interface once and for all. Such as: after capturing a defensive interface refreshing the token in a packet capturing manner, the front-end identity can be simulated to request the interface to acquire the token, the defensive interface is continuously requested to acquire a signed secret key, then a signature rule is acquired according to a cracked front-end code, and finally, the operation of the front-end is completely simulated to initiate a request to a service interface. Even simulating multiple users to operate in this way. For a risky user that does not have obvious attack characteristics, it is hardly identifiable.

In addition, the identified risk user cannot be interlocked with the security logic. That is, when a certain user is found to be a risk user, the service request is performed by illegally using the key, but the original key cannot be updated or abandoned.

The request identified as the high-risk user cannot be processed in a refined way aiming at different business rules and risk rules, and only can be intercepted roughly, so that the risk user can easily find that the risk user is winded, and the attack strategy is changed.

In summary, the security of the background data is reduced because the security is protected by using a dynamic signature method and the secret key is easily revealed.

In order to improve the security of the background data, the following technical scheme in the embodiment of the invention can be adopted.

Referring to fig. 2, fig. 2 is a main flow chart of a method for guaranteeing data security according to an embodiment of the present invention, in which access operation parameters are updated in time based on risk of a user, so as to improve security of background data. As shown in fig. 2, the method specifically comprises the following steps:

s201, responding to service operation initiated by a user in a service system, and sending access operation parameters if the service operation is verified to meet service operation conditions.

In an embodiment of the present invention, a user may initiate a business operation at a business system in order to perform the business operation. A service system is a system that performs a service. As one example, the business system includes an electronic commerce system. A business operation is an operation involved in performing a business. As one example, the business operation includes logging into a business system.

In an embodiment of the present invention, to improve the validity of the transmission access operation parameter, the service operation needs to be verified. Verifying that the service operation satisfies the service operation condition is a precondition for transmitting the access operation parameter. As one example, the business operation condition includes a preset business operation type. The type of the service operation belongs to the preset service operation type, and the service operation is verified to meet the service operation condition.

In one embodiment of the invention, to limit the time range of a business operation, the business operation is verified with a transmit time condition. That is, the business operation satisfies the transmission time condition, and the access operation parameter is transmitted. As one example, the transmission time condition includes 9 points to 20 points. The sending time in the business operation is between 9 points and 20 points, and the business operation meets the sending time condition; the transmission time in the service operation is outside 9 to 20 points, and the service operation does not satisfy the transmission time condition.

S202, acquiring confusion conditions of the access operation parameters, operation conditions of business operation and encryption conditions in the browser according to the associated parameters in the access operation parameters.

In an embodiment of the invention, the access operation parameters include a (JavaScript, JS) code segment. After receiving the access operation parameters, the user executes the access operation parameters through the browser. As one example, a JS code segment in the access operating parameters is executed using a code segment container in the browser.

Referring to fig. 3, fig. 3 is a flow chart of acquiring a confusion condition, an operation condition, and an encryption condition according to an embodiment of the present invention. The method specifically comprises the following steps:

s301, acquiring related parameters in the access operation parameters in the browser.

In the embodiment of the invention, the access operation parameters comprise JS code segments, associated parameters, confusion conditions, operation conditions and encryption conditions.

The associated parameters are the basis for obtaining the confusion condition, the operation condition and the encryption condition. As one example, the associated parameters include the acquisition locations of the confusion condition, the operation condition, and the encryption condition. Such as: the confusion condition is in the first position; the operating condition is in the second position and the encryption condition is in the third position.

In one embodiment of the present invention, the associated parameter is set at a preset location of the access operation parameter, and the associated parameter may be acquired in the preset location of the access operation parameter in the browser. As one example, the association parameter is set at 10 bytes to 20 bytes of the access operation parameter, and then the association parameter may be acquired at 10 bytes to 20 bytes of the access operation parameter in the browser.

S302, analyzing the related parameters, and acquiring confusion conditions of the access operation parameters, operation conditions of business operation and encryption conditions from the access operation parameters.

The confusion condition includes the confusion manner of the JS code segment. As one example, the confusion manner includes one or more of the following: JS code compression, hash confusion, variable name confusion, key logical string confusion, and zombie code implantation. Such as: during the generation of the JS code segments, confusion is carried out in a random manner, so that all JS code segments cannot be broken by using only one reverse scheme.

The operation conditions of the business operations are parameters preset for different business operations. Multiple parameters may be preset for the same business operation. As one example, the business operation includes obtaining a coupon. For time sensitivity of acquiring coupons, preset operating conditions include a start time point for acquiring coupons and a refresh page interval. Thus, it is necessary for the user to refresh the page according to the operation condition to acquire the coupon after the start time point of the coupon.

The encryption conditions include the encryption mode of the JS code segments. As one example, the encryption scheme includes random ordering and signature rules. When the service interface has a plurality of parameters, the parameters are ordered in a random mode, and then signature rules are adopted to generate signatures so as to encrypt JS code segments.

After the associated parameters are analyzed, the confusion conditions of the access operation parameters, the operation conditions of the business operation and the encryption conditions are acquired from the access operation parameters according to the acquisition positions of the confusion conditions, the operation conditions and the encryption conditions.

In the embodiment of fig. 3, the confusion condition, the operating condition, and the encryption condition are obtained based on the association parameters. For different business operations, the associated parameters, the confusion conditions, the operation conditions and the encryption conditions are not identical, so that the data security can be ensured.

S203, after restoring the business information of the access operation parameters according to the confusion condition, executing the business parameters in the business operation by combining the operation condition and the encryption condition of the business operation, and transmitting the executed business parameters.

And executing the business parameters in the business operation according to the confusion condition, the operation condition and the encryption condition to send the executed business parameters. As an example, the service parameters after execution are sent in a hypertext transfer protocol (Hyper Text Transfer Protocol, HTTP) request.

Referring to fig. 4, fig. 4 is a schematic flow chart of a service parameter after transmission is performed according to an embodiment of the present invention. The method specifically comprises the following steps:

s401, restoring service information of the access operation parameters based on the original information of the access operation parameters according to the confusion condition.

The original information to access the operating parameters includes unreduced JS code segments. The JS code segments are restored on the basis of the original information in order to ensure that the original information is needed as required. Specifically, service information of the access operation parameter is restored based on original information of the access operation parameter according to the confusion condition. Wherein, the business information comprises JS code segments.

As one example, the confusion condition includes variable name confusion. And restoring the service information of the access operation parameters on the basis of the original information of the access operation parameters by adopting variable name confusion.

S402, the service operation meets the operation condition, the service parameters in the service operation are encrypted in the service information according to the encryption condition, and the encrypted service parameters are sent.

Under the condition that the business operation meets the control condition, encrypting the business parameters again; if the operation of the service does not meet the control condition, the service parameters are not required to be encrypted.

Specifically, the service operation satisfies the operation condition, encrypts the service parameters in the service operation in the service information according to the encryption condition, and transmits the encrypted service parameters.

As an example, the service information includes a key required for encryption or signing. And calling a function in the JS code segment in the service information to encrypt the service parameters in the encrypted service operation in the service information in combination with the encryption condition. Then, the encrypted service parameters are sent

In the embodiment of fig. 4, after restoring the service information of the initial access operation parameter, the service parameter is encrypted and transmitted in the service information.

S204, in the process of executing the business operation, acquiring behavior data of the user, identity data of the user in a business system and running environment data of the user so as to identify risks of the user, and updating access operation parameters according to the risks of the user.

The risk of the user has a great influence on guaranteeing the data security. In the case where the risk of the user is large, the possibility of leakage of the access operation parameter is large. Thus, there is a need to identify the risk of the user to update the access operating parameters.

Referring to fig. 5, fig. 5 is a schematic flow chart of identifying risk of a user according to an embodiment of the present invention. The method specifically comprises the following steps:

s501, in the process of executing service operation, acquiring behavior data of a user, identity data of the user in a service system and running environment data of the user.

During execution of the business operations, user data is collected to identify the risk of the user. The user data includes behavior data of the user, identity data of the user in the business system, and running environment data of the user.

The behavior data of the user is the type of operation of the user for the business system. As one example, behavioral data includes login, search, and storage. The identity data of the user in the business system is an identity representation in the business system. As one example, the identity data includes an identity and a login duration. The user's operating environment data is a parameter that initiates business operations. As one example, the operating environment data includes login IP, operating system, and hardware devices.

S502, identifying the risk of the user according to the risk identification condition of the user by using the behavior data of the user, the identity data of the user in the service system and the running environment data of the user.

The user risk identification condition is a basis for identifying the risk of the user. As one example, the user risk identification conditions include behavioral data, identity data, and runtime environment data pertaining to risks.

The behavior data of the user, the identity data of the user in the service system and the running environment data of the user are the same as parameters in the user risk identification condition, and the risk of the identified user is high; and if the behavior data of the user, the identity data of the user in the service system and the running environment data of the user are different from parameters in the user risk identification condition, identifying that the risk of the user is low.

In the embodiment of fig. 5, the risk of the user can be quickly identified using the user risk identification condition.

Referring to fig. 6, fig. 6 is a schematic flow chart of another risk identification for a user according to an embodiment of the present invention. The method specifically comprises the following steps:

s601, in the process of executing service operation, acquiring behavior data of a user, identity data of the user in a service system and running environment data of the user.

S602, adopting a risk user characteristic recognition model trained by machine learning, and recognizing the risk of the user by combining the behavior data of the user, the identity data of the user in a service system and the running environment data of the user.

In order to improve the risk accuracy of identifying the user, a risk user characteristic identification model trained by machine learning can be adopted to identify the risk of the user.

And inputting the behavior data of the user, the identity data of the user in the service system and the running environment data of the user into a risk user characteristic recognition model trained by machine learning, and outputting the risk of the user by the risk user characteristic recognition model. As one example, the risk of the risk user feature recognition model output user is: high.

In the embodiment of fig. 6, risk user feature recognition models are employed to identify risk of users to improve accuracy of recognition.

If the risk of the user is high, the access operation parameter needs to be updated because the possibility of leakage of the access operation parameter is high.

In one embodiment of the invention, the associated parameters in the access operation parameters, the confusion conditions in the access operation parameters, and the encryption conditions are updated in accordance with the risk of the user.

Specifically, if the risk of the user is low, the associated parameter in the updated access operation parameter is the original associated parameter, the confusion condition in the updated access operation parameter is the original confusion condition, and the updated encryption condition is the original encryption condition. In the case where the risk of the user is low, the association parameters, the confusion condition, and the encryption condition are unchanged.

If the risk of the user is high, the associated parameters in the access operation parameters, the confusion condition and the encryption condition in the access operation parameters can be updated. As one example, the associated parameters are modified to parameters other than before, the obfuscation conditions are modified to parameters other than before, or the encryption conditions are modified to parameters other than before.

And the security of the background data is ensured by updating the access operation parameters.

In addition, high risk users may be listed. The users in the list will be identified directly for further processing during subsequent business operations. Such as: for users in the list, after identifying the request, fake business success information can be sent, so that the users cannot identify that the attack of the users is controlled by wind.

In the above embodiment, in response to a service operation initiated by a user in a service system, if the service operation is verified to meet a service operation condition, an access operation parameter is sent; acquiring confusion conditions of the access operation parameters, operation conditions of the business operation and encryption conditions in a browser according to the associated parameters in the access operation parameters; after restoring the service information of the access operation parameters according to the confusion condition, executing the service parameters in the service operation by combining the operation condition and the encryption condition of the service operation, and transmitting the executed service parameters; and in the process of executing the business operation, acquiring behavior data of the user and identity data of the user in a business system, and identifying the risk of the user by the running environment data of the user, and updating the access operation parameters according to the risk of the user. The access operation parameters can be updated in time based on the risk of the user without adopting dynamic signature defense, so that background data is prevented from being revealed, and the security of the background data is further improved.

Referring to fig. 7, fig. 7 is a schematic main structural diagram of a device for guaranteeing data security according to an embodiment of the present invention, where the device for guaranteeing data security may implement a method for guaranteeing data security, and as shown in fig. 7, the device for guaranteeing data security specifically includes:

A sending module 701, configured to respond to a service operation initiated by a user in a service system, verify that the service operation meets a service operation condition, and send an access operation parameter;

an obtaining module 702, configured to obtain, in a browser, a confusion condition of the access operation parameter, an operation condition of the service operation, and an encryption condition according to an associated parameter in the access operation parameter;

a service module 703, configured to execute a service parameter in the service operation by combining an operation condition of the service operation and the encryption condition after restoring the service information of the access operation parameter according to the confusion condition, and send the executed service parameter;

and the updating module 704 is configured to obtain, during the execution of the service operation, behavior data of the user and identity data of the user in a service system, and running environment data of the user, so as to identify a risk of the user, and update the access operation parameter according to the risk of the user.

In one embodiment of the present invention, the obtaining module 702 is specifically configured to obtain, in a browser, the association parameter from the access operation parameters;

In one embodiment of the present invention, the service module 703 is specifically configured to restore the service information of the access operation parameter based on the original information of the access operation parameter according to the confusion condition;

In one embodiment of the present invention, the update module 704 is specifically configured to obtain, during execution of the service operation, behavior data of the user, identity data of the user in a service system, and operation environment data of the user;

In one embodiment of the present invention, the updating module 704 is specifically configured to update one or more of the associated parameters in the access operation parameters, the confusion condition in the access operation parameters, and the encryption condition according to the risk of the user.

In one embodiment of the present invention, the sending module 701 is specifically configured to send the access operation parameter when the service operation meets the sending time condition.

Fig. 8 illustrates an exemplary system architecture 800 to which a data security method or apparatus of securing data may be applied in accordance with an embodiment of the present invention.

As shown in fig. 8, a system architecture 800 may include terminal devices 801, 802, 803, a network 804, and a server 805. The network 804 serves as a medium for providing communication links between the terminal devices 801, 802, 803 and the server 805. The network 804 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

A user may interact with the server 805 through the network 804 using the terminal devices 801, 802, 803 to receive or send messages or the like. Various communication client applications such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 801, 802, 803.

The terminal devices 801, 802, 803 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.

The server 805 may be a server providing various services, such as a background management server (by way of example only) that provides support for shopping-type websites browsed by users using the terminal devices 801, 802, 803. The background management server may analyze and process the received data such as the product information query request, and feedback the processing result (e.g., the target push information, the product information—only an example) to the terminal device.

It should be noted that, the method for guaranteeing data security provided in the embodiment of the present invention is generally executed by the server 805, and accordingly, the device for guaranteeing data security is generally disposed in the server 805.

It should be understood that the number of terminal devices, networks and servers in fig. 8 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

Referring now to FIG. 9, there is illustrated a schematic diagram of a computer system 900 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 9 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.

As shown in fig. 9, the computer system 900 includes a Central Processing Unit (CPU) 901, which can execute various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for the operation of the system 900 are also stored. The CPU 901, ROM 902, and RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.

The following components are connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.

In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 901.

The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, for example, as: a processor includes a sending module, an obtaining module, a service module, and an updating module. Where the names of these modules do not constitute a limitation on the module itself in some cases, for example, the sending module may also be described as "for sending access operation parameters in response to a service operation initiated by a user at a service system, verifying that the service operation satisfies a service operation condition".

As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include:

According to the technical scheme of the embodiment of the invention, the service operation initiated by the user in the service system is responded, and the service operation is verified to meet the service operation condition, and then the access operation parameter is sent; acquiring confusion conditions of the access operation parameters, operation conditions of the business operation and encryption conditions in a browser according to the associated parameters in the access operation parameters; after restoring the service information of the access operation parameters according to the confusion condition, executing the service parameters in the service operation by combining the operation condition and the encryption condition of the service operation, and transmitting the executed service parameters; and in the process of executing the business operation, acquiring behavior data of the user and identity data of the user in a business system, and identifying the risk of the user by the running environment data of the user, and updating the access operation parameters according to the risk of the user. The access operation parameters can be updated in time based on the risk of the user without adopting dynamic signature defense, so that background data is prevented from being revealed, and the security of the background data is further improved.

The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention. It should be noted that, in the technical solution of the present disclosure, the acquisition, storage, application, etc. of the related personal information of the user all conform to the rules of the related laws and regulations, and do not violate the popular regulations of the public order.

Claims

1. A method of securing data, comprising:

2. The method for securing data according to claim 1, wherein the obtaining, in the browser, the confusion condition of the access operation parameter, the operation condition of the business operation, and the encryption condition according to the associated parameter in the access operation parameter includes:

3. The method according to claim 1, wherein after restoring the service information of the access operation parameter according to the confusion condition, executing the service parameter in the service operation by combining the operation condition of the service operation and the encryption condition, and transmitting the executed service parameter, comprising:

4. The method for securing data according to claim 1, wherein the step of acquiring the behavior data of the user, the identity data of the user in the service system, and the running environment data of the user during the execution of the service operation to identify the risk of the user includes:

5. The method for securing data according to claim 1, wherein the step of acquiring the behavior data of the user, the identity data of the user in the service system, and the running environment data of the user during the execution of the service operation to identify the risk of the user includes:

6. The method of claim 1, wherein updating the access operating parameters based on the risk of the user comprises:

7. The method for securing data as claimed in claim 1, wherein the transmitting access operation parameters includes:

8. An apparatus for securing data, comprising:

9. An electronic device for securing data, comprising:

one or more processors;

storage means for storing one or more programs,

when executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-7.

10. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-7.