CN117633863A - Database data desensitization method, system, device and readable storage medium - Google Patents

Database data desensitization method, system, device and readable storage medium Download PDF

Info

Publication number
CN117633863A
CN117633863A CN202311356192.5A CN202311356192A CN117633863A CN 117633863 A CN117633863 A CN 117633863A CN 202311356192 A CN202311356192 A CN 202311356192A CN 117633863 A CN117633863 A CN 117633863A
Authority
CN
China
Prior art keywords
data
desensitization
target
request instruction
database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311356192.5A
Other languages
Chinese (zh)
Inventor
蔡家坡
陈晓西
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Shenxinfu Information Security Co ltd
Original Assignee
Shenzhen Shenxinfu Information Security Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Shenxinfu Information Security Co ltd filed Critical Shenzhen Shenxinfu Information Security Co ltd
Priority to CN202311356192.5A priority Critical patent/CN117633863A/en
Publication of CN117633863A publication Critical patent/CN117633863A/en
Pending legal-status Critical Current

Links

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiment of the application provides a method, a system, a device and a readable storage medium for desensitizing database data, which are used for overcoming the problem of sensitive data leakage so as to maintain confidentiality of data in a database. The desensitization method of the database data comprises the following steps: receiving a data request instruction of a user to a target database, and acquiring data to be desensitized of the target database according to the data request instruction; predefining a data desensitization strategy according to the target database, and judging whether the data request instruction triggers the data desensitization strategy or not; if yes, executing the data desensitization strategy on the data to be desensitized, acquiring target desensitization data, and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database.

Description

Database data desensitization method, system, device and readable storage medium
Technical Field
The embodiment of the application relates to the technical field of computer information processing, in particular to a database data desensitizing method, a database data desensitizing system, a database data desensitizing device and a readable storage medium.
Background
With the development of computer technology and network communication technology and the arrival of big data age, database technology has become an important technical means for organizing and managing a large amount of data in information society, and is the basis of modern network informatization management systems.
However, in the prior art, in order to meet the operation and maintenance requirements, enterprises generally need to give the operation and maintenance personnel a background database operation and maintenance or an administrator authority, and in general database gateway products, the authority model cannot filter out certain specific lines or control the authority of certain specific lines. Therefore, the operation and maintenance personnel can randomly read/steal the confidential data in the enterprise by using the background operation and maintenance management authority, so that the private data of the company/client is leaked. Thus, most enterprises require desensitization of certain fields of certain data at the time of querying based on the data security requirements. However, the database is subjected to static desensitization, that is, the data is subjected to desensitization when being put in storage. Therefore, in other scenes, the original data needs to be queried, and the desensitized static data needs to be subjected to data reduction based on a certain rule, so that the complexity and stability of an enterprise internal system are greatly increased.
Disclosure of Invention
The embodiment of the application provides a database data desensitizing method and related equipment, which are used for overcoming the problem of sensitive data leakage so as to maintain confidentiality of data in a database.
An embodiment of the present application provides a method for desensitizing database data, applied to a gateway system, including:
receiving a data request instruction of a user to a target database, and acquiring data to be desensitized of the target database according to the data request instruction;
predefining a data desensitization strategy according to the target database, and judging whether the data request instruction triggers the data desensitization strategy or not;
if yes, executing the data desensitization strategy on the data to be desensitized, acquiring target desensitization data, and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database.
Optionally, the receiving a data request instruction of a user to a target database, and obtaining data to be desensitized of the target database according to the data request instruction includes:
receiving the data request instruction, and analyzing the data request instruction to analyze the data request instruction into a data type and a data field of user demand data corresponding to the data request instruction; the user demand data are data corresponding to the data request instruction in the target database by the user;
Acquiring the data type and the data field of the user demand data, and performing word segmentation analysis on the data type and the data field to acquire key desensitization fields under different data types;
and acquiring the data to be desensitized according to all the key desensitization fields.
Optionally, the predefining the data desensitization policy according to the target database, and determining whether the data request instruction triggers the data desensitization policy includes:
determining a sensitive data index set and a data desensitization rule corresponding to the sensitive data index set according to all data in the target database; wherein the sensitive data index set comprises a desensitization data category and a desensitization keyword;
judging whether the data field and the data type are in a sensitive data index set or not so as to judge whether the data request instruction triggers the data desensitization strategy or not;
and if the data field and/or the data type belong to the sensitive data index set, executing the step of executing the data desensitization strategy on the data to be desensitized.
Optionally, the method further comprises:
multithreading is used for inquiring tag characteristic data of all data fields and data types in the target database;
And combining all the tag characteristic data, and matching the combined tag characteristic data with the sensitive data index set and the data desensitization rule to generate the data desensitization strategy.
Optionally, the acquiring the data to be desensitized according to all the key desensitization fields includes:
abstracting the grammar structure of the key desensitization field under different data types to generate a grammar tree comprising a plurality of grammar types;
generating the data to be desensitized based on the grammar tree of the plurality of grammar types.
Optionally, the performing the data desensitization policy on the data to be desensitized, to obtain target desensitized data includes:
performing desensitization replacement on the data to be desensitized according to the data desensitization strategy;
determining a target desensitization field meeting the data desensitization strategy in the key desensitization fields of the data to be desensitized;
performing reverse grammar tree operation on the target desensitization field, the data types subjected to desensitization replacement and the data fields to generate target desensitization data corresponding to different data types; the target desensitization data are data with the same grammar structure as the user demand data.
Optionally, the predefining the data desensitization policy according to the target database includes:
calling a callback function, and inquiring key desensitization fields under different data types one by one to acquire control data corresponding to any key desensitization field;
and determining the data desensitization strategy according to all the control data.
Optionally, if the data request instruction triggers the data desensitization policy, the method further includes:
and refusing the user to access the target database.
A second aspect of the embodiments of the present application provides a database data desensitizing system applied to a gateway system, the desensitizing system including:
the receiving unit is used for receiving a data request instruction of a user to a target database and acquiring data to be desensitized of the target database according to the data request instruction;
the judging unit is used for predefining a data desensitization strategy according to the target database and judging whether the data request instruction triggers the data desensitization strategy or not;
and the execution unit is used for executing the data desensitization strategy on the data to be desensitized when the data request instruction triggers the data desensitization strategy, acquiring target desensitization data and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database.
A second aspect of embodiments of the present application provides a method for performing the desensitization described in the first aspect.
A third aspect of the embodiments of the present application provides a database data desensitizing apparatus, including:
the device comprises a central processing unit, a memory, an input/output interface, a wired or wireless network interface and a power supply;
the memory is a short-term memory or a persistent memory;
the central processor is configured to communicate with the memory and to execute instruction operations in the memory to perform the desensitization method of the first aspect.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, wherein the computer-readable storage medium comprises instructions that, when executed on a computer, cause the computer to perform the desensitization method according to the first aspect.
From the above technical solutions, the embodiments of the present application have the following advantages: according to the desensitization method disclosed by the embodiment of the application, the data request instruction of a user to the target database is received, and the data to be desensitized of the target database is obtained according to the data request instruction; predefining a data desensitization strategy according to a target database, and judging whether a data request instruction triggers the data desensitization strategy or not; if yes, executing a data desensitization strategy on the data to be desensitized, acquiring target desensitization data, and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database. The gateway system can determine the data desensitization strategy based on the target database, thereby determining the target desensitization data according to the data request instruction of the user, and controlling the management authority of the user to the current database.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a diagram showing a comparison between a conventional scheme and a database acquisition scheme of the present application;
FIG. 2 is a schematic diagram of a lexical parsing engine according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of a service design according to an embodiment of the present application;
FIG. 4 is a flow chart of a method for desensitizing database data according to an embodiment of the present disclosure;
FIG. 5 is a flow chart of another method for desensitizing database data disclosed in embodiments of the present application;
FIG. 6 is a logic execution diagram of an SQL injection module according to an embodiment of the present disclosure;
FIG. 7 is a logic execution diagram of a policy matching module according to an embodiment of the present disclosure;
FIG. 8 is a logic execution diagram of another policy matching module disclosed in an embodiment of the present application;
FIG. 9 is a selection of a desensitization strategy disclosed in an embodiment of the present application;
FIG. 10 is a selection chart of another desensitization strategy disclosed in the examples of the present application;
FIG. 11 is a schematic diagram of a database data desensitizing system according to an embodiment of the present disclosure;
fig. 12 is a schematic structural diagram of a database data desensitizing apparatus according to an embodiment of the present application.
Detailed Description
In the prior art, corporate operation staff can retrieve data under corporate specific rights directly in the background. Wherein, the searching scheme has at least three kinds.
Scheme one: database native capabilities.
The rights limits of a general database can only meet the rights control of a minimum granularity to a table. But in most cases, the company does not split certain special data into another table separately, which brings about a large maintenance cost for the service system.
Scheme II: a common approach in the industry is to provide SDK capabilities in a local development library where dynamic query restrictions are artificially inserted. Thus, only authority control and row filtering in the development process can be satisfied.
The architecture design greatly increases the development cost of enterprises, has great business invasiveness, and even can need the transformation of a business database by matching with authority control. Meanwhile, aiming at the operation and maintenance scene, the operation and maintenance personnel use the issued database client program, and most of the database program cannot be directly embedded into the custom database driver.
Scheme III: the industry typically uses java's database lexical parsing plug-ins for products in the database gateway.
Drawbacks to database schemes that are sensitive to time response: the scheme is overweight, and single-node resource consumption is large. And in the aspect of testing the lexical support strength of the currently released database gateway products, most products only support certain data of specific versions, and have larger product defects from the aspect of breadth and depth. Moreover, since part of the product does not have a complete grammar tree for abstracting SQL sentences, complete business understanding can not be performed on complex nested SQL sentences, and authority control is invalid.
Thus, based on the above description, the pain point of enterprise data security at the present stage is obvious:
pain point one: enterprises generally need to give operation and maintenance personnel access to a background database or an administrator to meet operation and maintenance requirements, and in a general database, an access model cannot filter or control access to certain specific lines. And the operation and maintenance personnel can randomly read/steal confidential data in the enterprise by utilizing the background operation and maintenance management authority, so that private data of the company/client is leaked.
Pain point two: most enterprise data security requirements require that certain fields of certain data be dynamically desensitized during query, such as mobile phone numbers in personal information data, and dynamically replaced during query. However, in the existing solutions, a database static desensitization mode is mostly adopted, that is, the data is already desensitized when being put in storage. Therefore, in other scenes, the original data needs to be queried, and the desensitized static data needs to be subjected to data reduction based on a certain rule, so that the complexity and stability of an enterprise internal system are greatly increased. In the big data scene, dynamic desensitization is adopted to greatly increase the burden of the database, consume a large amount of resources of the database and influence the normal business of enterprises and the stability of the database.
Therefore, in view of the foregoing, there is a need for a way to control rights and desensitize data that maintains database data security and prevents data disclosure. When the operation and maintenance personnel select relevant user data, the lexical analysis engine in the gateway system can return the filtered database data to the operation and maintenance personnel based on the modes of authority management, policy matching and the like. Specifically, the authority control strategy can be dynamically adjusted based on the authority of the background manager, and meanwhile, the data of the sensitive user can be dynamically filtered based on the authority of the background manager. This will be described in detail later for ease of understanding and description.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Referring to fig. 2, fig. 2 is a schematic diagram of an architecture of a lexical parsing engine according to an embodiment of the present disclosure. Specifically, based on various problems described in fig. 1, the technical scheme of the application provides a lexical analysis engine, and the following design and development are performed for the lexical engine.
Wherein, rust language is adopted as basic language from development language. This is because of the Rust language garbage collection (GC, garbage collection) pressure, which is inherently advantageous in the face of highly concurrent scenarios, particularly in the area of traffic handling. At the same time, models, particularly highly modular product architecture, can be designed. Can quickly respond and complete the support for the newly added SQL grammar. It should be noted that, the SQL statement is a query description statement for a relational database. For convenience of description, a detailed description thereof will be omitted.
As can be seen from fig. 2, the lexical parsing engine is mainly divided into a parsing module and a service module (service abstraction module). The parsing module at least comprises a grammar tree module (AST), a Custom parsing module (Custom), a word segmentation module (token), a NoSQL parser (NoSQL) and a classification module (Dialect). The service modules include at least CAPI modules, SQL such as modules, SQL replace modules, and SQL reverse modules. It should be noted that, the NoSQL statement is a query description statement for a non-relational database. Whereas AST is an abstract syntax tree. For ease of understanding, the functions of each of the parsing module and the business module in the lexical parsing engine are described in detail below.
In the parsing module, an AST module is used for high-level abstract SQL basic grammar structure. The Tokenizer module is used to define different key modules. The Dialect module is used for defining different grammars of different data SQL. The custom parser is used to parse non-standard SQL syntax. NoSQL parsers are used to abstract SQL grammars. The business module is used for abstraction. The CAPI module is used for calling the FFI interface to complete interaction with other languages and mainly provides a function calling mode. And the SQL injection module is mainly used for filtering and injecting services for NoSQL and SQL rows. And the SQL replacing module is mainly used for desensitizing the request directions of NoSQL and SQL databases. And the SQL reverse module is mainly used for restoring SQL sentences by injecting the changed SQL grammar tree.
Based on the functional descriptions of the various modules in FIG. 2, in one embodiment, the CAPI module in the lexical analysis engine invokes SQL so that the Dialect module analyzes which data the SQL belongs to. The token module performs word segmentation analysis, and the AST module generates a grammar tree based on the analysis result. Thus, SQL rights management is performed to restrict SQL. Finally, the SQL injection module/SQL replacement module carries out SQL modification so as to return a final result. Specifically, the filtered database data is returned to the user. It should be noted that, the SQL rights management is a rights management policy, which specifically includes: 1. access rights policies for a library, table, or column; 2. a data dynamic filtering strategy; 3. dynamic desensitization strategy for column data.
For a detailed description of the specific design structure of each module in the embodiment in fig. 2, please refer to fig. 3, fig. 3 is a service design structure diagram disclosed in the embodiment of the present application. Fig. 3 includes fig. 3a and fig. 3b. FIG. 3a is an incoming, primarily SQL mapping statement in the data direction. From the flow, the SQL engine mainly acts on the request direction of SQL execution, and the SQL engine implantation strategy matching engine completes authority management and control, line filtering and data desensitization on SQL sentences. FIG. 3b is a block diagram of the generation and outgoing of SQL statements in the data direction, based primarily on server responses. The policy enforcement points (PEP, policy enforcementpoint) can perform the distribution of SQL statements. In this service structure, postgreSQL (GreenPlum) and Hive are mainly applied. The functions supported by each module in the lexical analysis engine are specifically described in the following. For PostgreSQL, the SQL full syntax supports 95% and does not support the storage process. For Hive, the SQL syntax supports 90% and can customize java code but does not support storage procedures.
In particular, postgreSQL may support multiple functions. (1) The query of the Select statement is supported, and unlimited nesting of the Select in the From, in the white and in the column is supported. (2) And supporting the unlimited nested query with the nested query and tracing the nested query with the nested query. Query injection capability is the same as (1). (3) And (3) supporting the line filtering of the creatable statement nested query statement, wherein the query injection capability is the same as that of (1), and the replication of the application scene restriction table is realized. (4) And supporting the line filtering of the Createview statement nested query statement, wherein the query injection capability is the same as that of (1), and the replication of the application scene restriction table is realized. (5) Support the line filtering of nested query statement in Insert, apply the scene to limit the line data to duplicate. Query injection capability is the same as (1), applying replication of the scene restriction table. (6) The nested query statement in the cursor Declare is supported, and the query injection capability is the same as (1). (7) The accuracy rate of the method is more than 70% because the support of the pre-judgment that the dividing and self-defining function does not support the analysis processing of the return column of the SQL statement.
Hive may also support multiple functions. (1) The query of the Select statement is supported, and unlimited nesting of the Select in the From, in the white and in the column is supported. (2) And supporting the nested query with and tracing the nested query with. Query injection capability is the same as (1). (3) And (3) supporting the line filtering of the creatable statement nested query statement, wherein the query injection capability is the same as that of (1), and the replication of the application scene restriction table is realized. (4) And supporting the line filtering of the Createview statement nested query statement, wherein the query injection capability is the same as that of (1), and the replication of the application scene restriction table is realized. (5) Support the line filtering of nested query statement in Insert, apply the scene to limit the line data to duplicate. Query injection capability is the same as (1), applying replication of the scene restriction table. (6) And (3) supporting nested query sentences in directors, wherein the query injection capacity is the same as that of (1), and the application scene restriction table is copied. (7) The accuracy rate of the method is more than 70% because the support of the pre-judgment that the dividing and self-defining function does not support the analysis processing of the return column of the SQL statement. Dynamic response desensitization may be applied.
Based on the description, in the implementation process of the actual scheme, the method can meet the requirements that the lexical analysis, the line filtering and the authority control of daily simple query sentences are within 30 microseconds, the response is usually within 1s+ according to different data volume, and the time consumed by the SQL engine is within one thousandth of the total response. The lexical analysis, line filtering and authority control of daily complex nested (more than 5 layers) sentences are within 210 microseconds, the minimum response is usually within 10 seconds+, and the time consumed by the SQL engine is within one ten thousandth of the total response. Daily and complex nesting, a general tool generates about one thousand rows of SQL statement lexical analysis, row filtering and authority control within 810 microseconds, and the SQL returns to the minute level, so that the time consumed by an SQL engine is negligible.
For convenience in describing the specific application methods of fig. 2 and fig. 3 in the embodiments of the present application, please refer to fig. 4, and fig. 4 is a flow chart of a database data desensitizing method disclosed in the embodiments of the present application. Including steps 401-403.
401. And receiving a data request instruction of a user to the target database, and acquiring the data to be desensitized of the target database according to the data request instruction.
When a user requests to review data in the target database, a data request instruction may be submitted to the gateway system. The gateway system can analyze the data request instruction, so that the data to be desensitized related to the data request instruction of the target database can be obtained according to the data request instruction.
In one particular embodiment, a user may select data to be reviewed at a front end interface of the gateway system, thereby submitting data request instructions related to review of the data. The gateway system obtains the data to be desensitized in the target database according to the data request instruction. Specifically, the data to be desensitized may be a pre-stored personnel name, ID identifier, work department, work post, telephone number or work address in the target database, where the data content of the pre-stored data to be desensitized in the target database is not limited, and will not be described in detail later.
Based on the above embodiment, in another specific embodiment, the data to be desensitized is pre-stored in a real table. Wherein, the data to be desensitized of different types are stored in the form of a table, namely, the data of different rows and columns are stored.
402. And predefining the data desensitization strategy according to the target database, and judging whether the data request instruction triggers the data desensitization strategy or not.
After the data to be desensitized is acquired, a database definition of the target database is acquired, so that a data desensitization strategy is predefined according to the database definition, and whether a data request instruction triggers the data desensitization strategy is judged. It will be appreciated that the database definition includes data fields for the data to be desensitized and their associated data types.
In one specific embodiment, based on the lexical analysis engine described in fig. 2 and 3, the gateway system may set a corresponding data desensitization policy in the lexical analysis engine according to the target database definition, so as to determine whether the database data triggers the data desensitization policy according to the database data requested in the data request instruction.
Based on the above embodiment, it should be noted that the lexical analysis engine supports the SQL grammar, so that the lexical analysis, the line filtering and the authority control can be performed based on the SQL statement in the target database, thereby generating the data desensitization policy of the target database. The implementation manner or implementation principle of the foregoing may refer to fig. 2 and 3 for a description of the lexical analysis engine, which is not repeated herein.
403. And executing a data desensitization strategy on the data to be desensitized, acquiring target desensitization data, and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database.
When the data request instruction triggers the data desensitization strategy, the data desensitization strategy is executed on the data to be desensitized, so that target desensitized data after data desensitization is obtained. Thus, the gateway system returns the target desensitization data to the user so that the user can review the target desensitization data in the target database. It will be appreciated that the target desensitisation data displayed in the front-end interface may still be presented in the form of a line, i.e. in the data sheet the ID identification, work department, work post, telephone number or work address etc. of any person is taken as a row and the desensitisation data corresponding to different persons is taken as a column etc. It should be understood that, the specific arrangement is not limited herein, and may be set according to actual requirements.
In one specific embodiment, the gateway system executes the data desensitization policy on the data to be desensitized, so that a series of data meeting the data desensitization policy in the data to be desensitized are hidden or encrypted, and the specific desensitization mode is not limited herein. Thereby returning the desensitized data after being hidden or encrypted to the user.
Based on the above embodiment, in another specific embodiment, the agreed hidden mode or the encryption mode may be provided with a plurality of types, and when the encryption mode or the hidden mode is greater than or equal to two types, the data desensitization is performed by adopting the agreed encryption mode or the hidden mode. In addition, the encryption mode or the hiding mode is not limited, and can be flexibly set according to specific application scenes.
According to the method for desensitizing database data, disclosed by the embodiment, a data request instruction of a user to a target database is received, and the data to be desensitized of the target database is obtained according to the data request instruction; predefining a data desensitization strategy according to a target database, and judging whether a data request instruction triggers the data desensitization strategy or not; if yes, executing a data desensitization strategy on the data to be desensitized, acquiring target desensitization data, and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database. The gateway system can determine the data desensitization strategy based on the target database, thereby determining the target desensitization data according to the data request instruction of the user, and controlling the management authority of the user to the current database.
For convenience in describing the above-described desensitization method described in fig. 4 in detail, please refer to fig. 5, and fig. 5 is a flow chart of another method for desensitizing database data according to an embodiment of the present application. Including steps 501-510.
501. And receiving the data request instruction, and analyzing the data request instruction to analyze the data request instruction into the data type and the data field of the user demand data corresponding to the data request instruction.
Step 501 in this embodiment is similar to step 401 in fig. 4, and detailed description thereof is omitted herein. However, it should be noted that, after receiving the data request, the gateway system may analyze the data request command to analyze the data request command into the data type and the data field corresponding to the user demand data. It will be appreciated that the user demand data is data that the user selects in the front end interface and stores in the target database. The data type refers to the type of data in the particular target database (e.g., person name, ID identification, work department, work post, phone number or work address, etc. as described in step 401). Data fields refer to certain fields in database data. For example, the mobile phone number in the personal information data is "12345678900". For convenience of description, a detailed description thereof will be omitted.
In another embodiment, step 501 may parse the SQL statement by a Dialect module in the lexical parsing engine to determine different data types and syntax types of SQL for the data fields.
Based on the foregoing, referring to fig. 6, fig. 6 is a logic execution diagram of an SQL injection module according to an embodiment of the present application. It will be appreciated that in another specific embodiment of step 501, the lexical parsing engine first initializes the internal modules and initializes the threads, wherein the number of threads may be specified for current limiting. Then, the sql_player (SQL parser, i.e., dialect module) method is called externally for SQL parsing and injection. And generating an analysis structure body, and placing the analysis structure body into a pipeline.
502. And acquiring the data type and the data field of the data required by the user, and performing word segmentation analysis on the data type and the data field to acquire key desensitization fields under different data types.
The gateway system obtains the analyzed data type and data field corresponding to the data required by the user, so that word segmentation analysis is carried out on the data type and the data field, and key desensitization fields under different data types are obtained.
In one specific embodiment, a lexical analysis engine in the gateway system obtains a data type and a data field of user demand data, and then performs word segmentation analysis on the data type and the data field, thereby determining a plurality of desensitization key fields. In particular, a key desensitization field is a field that is capable of specifying at least one of several features of database data in a target database.
Based on the above embodiment, in another specific embodiment, since the target database described in this embodiment mainly serves the enterprise, the data types are mostly the person name, ID identification, work department, work post, telephone number, work address, or the like described in the above. The key desensitization field in one embodiment may be, for example, an organization, a labor, an operator, a development, etc., the corresponding job is an employee, a minor, a major, etc., and the job address may be Shenzhen, changsha, wuhan, new York, etc. Specific contents of the desensitization key fields under different data types are not limited herein, and will not be described in detail later.
In summary, key desensitization fields for different data types can be obtained.
In another embodiment, step 502 may parse the SQL statement by a tokenizer module in the lexical parse engine to parse and define the different key desensitization fields.
It should be understood that in another embodiment of step 502, referring to fig. 6, sql_pre_process is a preprocessing module (i.e. a Tokenozer module), data is read from a pipeline, and preprocessing is performed first to parse and process SQL having context attributes. The parse_sql_t is an SQL parsing interface, and can abstract and support SQL, noSQL, customSQL, an actual entry function of a service. If the failure occurs, the channel is directly put into the channel. It is to be understood that when the execution fails, the pass flow is directly carried out, i.e. the SQL statement is not processed.
503. The method comprises the steps of abstracting grammar structures of key desensitization fields under different data types, generating grammar trees comprising a plurality of grammar types, and generating data to be desensitized based on the grammar trees of the plurality of grammar types.
When the key desensitization field under different data types is obtained, the SQL grammar structure of the key desensitization field can be abstracted, so that a grammar tree comprising a plurality of grammar types is generated, and the data to be desensitized is generated based on the grammar tree of different grammar types.
In one specific embodiment, the lexical analysis engine acquires the SQL sentences (i.e. the key desensitization fields under different data types) transmitted by the PEP nodes, and the syntax-based structure of the SQL can be highly abstract by using the AST module, so that syntax trees with different syntax types can be generated, namely the data to be desensitized is generated. It will be appreciated that since the analysis is done from the complete syntax tree in this embodiment, it differs from the conventional injection scheme in that the accuracy is much higher than in the scheme of analyzing SQL by means of regular expressions.
Based on the above embodiment, in another specific embodiment, referring to fig. 6, the parameter_sql_t_ast module (i.e. AST module) performs SQL syntax tree parsing. Based on this embodiment, referring to fig. 7, fig. 7 is a logic execution diagram of a policy matching module disclosed in the embodiment of the present application. As can be seen from the first step of fig. 7, the SQL engine can generate the syntax tree AST by using the above module when receiving the SQL statement that is input by the PEP node. The specific generation method is not described here in detail.
504. And calling a callback function, inquiring key desensitization fields under different data types one by one to acquire control data corresponding to any key desensitization field, and determining a data desensitization strategy according to all the control data.
Based on step 502, key desensitization fields of different data types are queried one by calling a callback function, so that control data corresponding to any associated desensitization field is obtained, and a data desensitization strategy is determined according to the obtained control data.
In one specific embodiment, referring to fig. 7, the parameter_sql_t_strategy module invokes the callback function through rotation, and each time a minimum query unit is entered: databases, real tables, key desensitization fields or operation types, etc. Thereby generating relevant control data, and returning the control data for SQL injection and authority management and control. And finally determines a data desensitization strategy, i.e. a strategy for limiting SQL statements, based on the control data.
In another specific embodiment, step 504 is a refinement of step 402 in fig. 4, specifically, step 504 may be performed directly after acquiring key desensitization fields under different data types, and acquiring data to be desensitized according to all key desensitization fields. The specific implementation step is described in detail in step 502, and details are not described here.
In another embodiment, step 505 may be performed directly after step 503 without performing step 504. In particular, there is no limitation herein.
505. And the multi-thread queries tag characteristic data of all data fields and data types in the target database to combine all tag characteristic data, and determines a sensitive data index set and a data desensitization rule corresponding to the sensitive data index set according to all data in the target database.
The gateway system can be used for multi-threaded inquiry of all tag characteristic data with different data fields and data types in the target database, so that all tag characteristic data are combined, and then a sensitive data index set and a data desensitization rule corresponding to the sensitive data index set are determined according to all data in the target database.
In one particular embodiment, referring to FIG. 7, the SQL engine in the gateway system determines the tag characteristic data in the target data by traversing all the data fields and data types in the target data. It is to be understood that tag characteristic data may be understood as data in which a data field is associated with a data type, for example, a data field such as Changsha, shenzhen, or Wuhan is present in a database, and the corresponding data type is a working position. Therefore, the tag characteristic data may be regarded as cod4 or the like, which corresponds to the data type in the data field. For other things, such as personnel name, ID identification, work department, work post or telephone number, etc., a detailed description is omitted here. All tag characteristic data is then combined. And then determining a sensitive data index set according to all the data in the target database. In particular, the sensitive data index set may be understood as limiting or prohibiting the SQL statement and its related fields, etc. that the user refers to. Corresponding data desensitization rules, i.e. related hiding or encryption rules, etc. are then set based on the sensitive data index set.
Based on the above embodiment, in another specific embodiment, refer to step four and step five in fig. 7. The relevant sensitive data index set is set by SQL induced, so that the middle stage in FIG. 3 utilizes the policy matching engine to determine relevant data desensitization rules.
It should be understood that, in another specific embodiment, reference may be made to fig. 8, and fig. 8 is a logic execution diagram of another policy matching module disclosed in an embodiment of the present application. Step two of the diagram two (request SQL parsing) can be seen in FIG. 8. Tags (tables, kv) can be queried multi-threaded so that all tags are queried by entities (database, real tables, columns and user)/(index, key), and by combining the tags, a rule set can be generated by matching with a policy table. Wherein the related databases, real tables, columns, and users can be understood as the data fields and data types thereof. The index and key are understood to be tag characteristic data. Step 506 may be performed by combining the tag features described above, and in conjunction with the set data desensitization rules.
In another embodiment, referring to FIG. 6, for row filtering, the parameter_sql_t_object may be used for SQL injection, which acts on row filtering. The minimum unit of each injection of a nested statement needs to be assigned to a specific SQL field statement.
506. And matching the combined tag characteristic data with the sensitive data index set and the data desensitization rule to generate a data desensitization strategy.
Based on step 505, the combined tag characteristic data is matched with the sensitive data index set and the data desensitization rule, thereby generating a data desensitization strategy.
In one specific embodiment, based on the temporary rule set in fig. 8, the data in the foregoing may be subjected to rule matching in combination with the line filtering policy in fig. 6, so as to generate a data desensitizing policy.
507. And judging whether the data field and the data type are in a sensitive data index set or not so as to judge whether the data request instruction triggers a data desensitization strategy or not. If the data field and/or data type belongs to the sensitive data index set, step 508 is performed; if the data request instruction does not trigger the data desensitization policy, step 510 is performed.
And judging whether the data field and the data type in the data request instruction are in a sensitive data index set or not, so as to judge whether the data request instruction triggers a data desensitization strategy or not. When the data field and/or data type belongs to the sensitive data index set, step 508 is performed; step 510 is performed when the data request instruction triggers a data desensitization policy.
In one specific embodiment, whether the data request instruction triggers a data desensitization policy is determined by determining whether a data field and a data type included in user demand data in the data request instruction are in a sensitive data index set. Specifically, the SQL engine determines that the data request instruction triggers the data desensitization policy by determining the data fields and the data types in the sensitive data index set that are limited to access based on the data desensitization rule, so as to match the data fields and the data types in the data request instruction, and if all the matching is successful, then executing step 510. If the matching fails completely, all the data requested in the data request instruction can be returned to the user. If the matching portion fails, step 508 is performed.
508. And performing desensitization replacement on the data to be desensitized according to the data desensitization strategy, and determining target desensitization fields meeting the data desensitization strategy in key desensitization fields of the data to be desensitized.
Based on step 507, the data to be desensitized may be desensitized according to the data desensitization policy, so as to determine a target desensitization field satisfying the data desensitization policy from the key desensitization fields of the data to be desensitized. It will be appreciated that the target desensitization field at this time has the same syntax structure as the user demand data.
In one specific embodiment, SQL injection or SQL substitution can be performed on the data type and the data field of the data to be desensitized according to the data desensitization strategy, so that SQL modification on the data to be desensitized is realized. Wherein in this embodiment, it may be performed by an SQL injection module or an SQL replacement module in the business module. Thereby, a target desensitization field is generated.
509. And performing reverse syntax tree operation on the target desensitization field, the data types subjected to desensitization replacement and the data fields to generate target desensitization data corresponding to different data types.
After the target desensitization field is generated, the target desensitization field, the data type subjected to desensitization replacement and the data field can be subjected to reverse syntax tree operation, so that target desensitization data corresponding to different data types are generated.
In one specific embodiment, the method can be executed by an SQL reverse module in the service module, so that the SQL syntax tree after the injection change is restored into an SQL sentence, and the SQL sentence is returned to the PEP node. Specifically, in fig. 6, the parameter_sql_post module returns corresponding result data to the user by combining the target desensitization data in the above.
510. The user is denied access to the target database.
When the data request instruction triggers a data desensitization policy, the user is denied access to the target database.
Based on the description of fig. 4 and 5, reference may be made to fig. 9 and 10. Wherein, fig. 9 is a selection chart of a desensitization strategy disclosed in the embodiment of the present application; FIG. 10 is a selection chart of another desensitization strategy disclosed in the examples of the present application. As can be seen in fig. 9, the sensitive user's data can be dynamically filtered through the rights of the background management rights. In this embodiment of the present application, specifically, a relevant data desensitization policy may be set, and the data desensitization policy may be integrated into a front-end page, so that a provider or a background manager may set a certain user (or a caller) to query. At the position of
In fig. 9, the data desensitization policy is field data set in a specific real table (test_for_mask) in the database, and the value of the designated access col6 (in the above embodiment, the working position) is not equal to the secondary length. The remaining field data is filtered out.
In fig. 10, the data desensitization policy is set in a specific real table (ww_table 1) in the database, and field data with chinese names is desensitized. Thereby displaying the corresponding english name. For example Wang Meimei, can show up as wmm after desensitization. Corresponding other elements, such as work, technical or research and development, may be denoted as technical or research, respectively. The specific manner of desensitization is not limited herein, and will not be described in detail later.
By the desensitization method of the database data disclosed by the embodiment, SQL can be analyzed by using a relational database (PostgreSQL, mySQL, hive, MSSQL) and a non-relational database (elastic search). Meanwhile, relational databases (PostgreSQL and Hive) can extract blood-lineage relationships based on SQL libraries, tables, columns. Meanwhile, the relational databases (PostgreSQL and Hive) can also perform actions with line filtering, rights management and request direction desensitization. Moreover, compared with the traditional injection prevention scheme, the method can complete analysis from the complete grammar tree, and the accuracy is far higher than that of the SQL scheme by analyzing through a regular expression mode. Furthermore, due to the highly modular product architecture, new SQL grammars can be quickly supported.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
If the scheme involves sensitive information (e.g., user information, business information), it should be noted that the collection, use and handling of the sensitive information requires compliance with laws and regulations of the relevant country and region, and needs to be performed with approval or consent of the corresponding subject (e.g., user or business, etc.).
Referring to fig. 11, fig. 11 is a schematic structural diagram of a database data desensitizing system according to an embodiment of the present disclosure.
A receiving unit 1101, configured to receive a data request instruction from a user to a target database, and obtain data to be desensitized of the target database according to the data request instruction;
a judging unit 1102, configured to predefine a data desensitization policy according to the target database, and judge whether the data request instruction triggers the data desensitization policy;
the execution unit 1103 is configured to execute the data desensitization policy on the data to be desensitized when the data request instruction triggers the data desensitization policy, obtain the target desensitization data, and return the target desensitization data to the user, so that the user refers to the target desensitization data in the target database.
Illustratively, the system further comprises: an acquisition unit 1104;
the receiving unit 1101 is specifically configured to receive a data request instruction, and analyze the data request instruction to analyze the data request instruction into a data type and a data field of user demand data corresponding to the data request instruction; the user demand data is data corresponding to the data request instruction in the target database;
An obtaining unit 1104, configured to obtain a data type and a data field of the user demand data, and perform word segmentation analysis on the data type and the data field to obtain key desensitization fields under different data types;
the acquiring unit 1104 is further configured to acquire data to be desensitized according to all key desensitization fields.
Illustratively, the system further comprises: a determination unit 1105;
a determining unit 1105, configured to determine a sensitive data index set and a data desensitization rule corresponding to the sensitive data index set according to all data in the target database; wherein the sensitive data index set comprises a desensitization data category and a desensitization keyword;
the judging unit 1102 is specifically configured to judge whether the data field and the data type are in the sensitive data index set, so as to judge whether the data request instruction triggers a data desensitization policy;
the execution unit 1103 is specifically configured to execute the step of executing the data desensitization policy on the data to be desensitized when the data field and/or the data type belong to the sensitive data index set.
Illustratively, the system further comprises: a query unit 1106;
a query unit 1106, configured to multi-thread query tag feature data of all data fields and data types in the target database;
And the query unit 1106 is configured to combine all the tag feature data, and match the combined tag feature data with the sensitive data index set and the data desensitization rule, so as to generate a data desensitization policy.
Illustratively, the system further comprises: a generating unit 1107;
a generating unit 1107, specifically configured to abstract the syntax structure of the key desensitization field under different data types, and generate a syntax tree including multiple syntax types;
the generating unit 1107 is further configured to generate data to be desensitized based on syntax trees of a plurality of syntax types.
Illustratively, the system further comprises: a replacement unit 1108;
a replacing unit 1108, configured to perform desensitization replacement on the data to be desensitized according to the data desensitization policy;
a determining unit 1105, configured to determine a target desensitization field that satisfies a data desensitization policy in key desensitization fields of the data to be desensitized;
the generating unit 1107 is specifically configured to perform reverse syntax tree operation on the target desensitization field and the data type and the data field after desensitization replacement, so as to generate target desensitization data corresponding to different data types; the target desensitization data is data with the same grammar structure as the user demand data.
Illustratively, the system includes:
The query unit 1106 is specifically configured to call a callback function, and query key desensitization fields under different data types one by one, so as to obtain control data corresponding to any key desensitization field;
query unit 1106 has a determination for determining a data desensitization policy based on all control data.
Illustratively, if the data request instruction does not trigger the data desensitization policy, the system further comprises: a reject unit 1109;
a rejecting unit 1109 for rejecting the user to access the target database.
Referring to fig. 12, a schematic structural diagram of a database data desensitizing apparatus according to an embodiment of the present application includes:
a central processor 1201, a memory 1205, an input/output interface 1204, a wired or wireless network interface 1203, and a power supply 1202;
memory 1205 is a transient memory or a persistent memory;
the central processor 1201 is configured to communicate with the memory 1205 and to execute the instruction operations in the memory 1205 to perform the desensitization method of the embodiments shown in fig. 4 or fig. 5 described above.
The embodiment of the application further provides a chip system, which is characterized in that the chip system comprises at least one processor and a communication interface, the communication interface and the at least one processor are interconnected through a line, and the at least one processor is used for running a computer program or instructions to execute the desensitizing method in the embodiment shown in fig. 4 or fig. 5.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM, random access memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

Claims (11)

1. A method of desensitizing database data for use in a gateway system, the method comprising:
receiving a data request instruction of a user to a target database, and acquiring data to be desensitized of the target database according to the data request instruction;
predefining a data desensitization strategy according to the target database, and judging whether the data request instruction triggers the data desensitization strategy or not;
if yes, executing the data desensitization strategy on the data to be desensitized, acquiring target desensitization data, and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database.
2. The desensitizing method according to claim 1, wherein said receiving a data request instruction from a user to a target database and acquiring data to be desensitized of the target database according to the data request instruction comprises:
receiving the data request instruction, and analyzing the data request instruction to analyze the data request instruction into a data type and a data field of user demand data corresponding to the data request instruction; the user demand data are data corresponding to the data request instruction in the target database by the user;
Acquiring the data type and the data field of the user demand data, and performing word segmentation analysis on the data type and the data field to acquire key desensitization fields under different data types;
and acquiring the data to be desensitized according to all the key desensitization fields.
3. The method of desensitizing according to claim 2, wherein said predefining a data desensitizing policy according to said target database and determining whether said data request instruction triggers said data desensitizing policy comprises:
determining a sensitive data index set and a data desensitization rule corresponding to the sensitive data index set according to all data in the target database; wherein the sensitive data index set comprises a desensitization data category and a desensitization keyword;
judging whether the data field and the data type are in a sensitive data index set or not so as to judge whether the data request instruction triggers the data desensitization strategy or not;
and if the data field and/or the data type belong to the sensitive data index set, executing the step of executing the data desensitization strategy on the data to be desensitized.
4. A method of desensitizing according to claim 3, further comprising:
Multithreading is used for inquiring tag characteristic data of all data fields and data types in the target database;
and combining all the tag characteristic data, and matching the combined tag characteristic data with the sensitive data index set and the data desensitization rule to generate the data desensitization strategy.
5. The method of desensitizing according to claim 2, wherein said obtaining said data to be desensitized according to all said key desensitization fields comprises:
abstracting the grammar structure of the key desensitization field under different data types to generate a grammar tree comprising a plurality of grammar types;
generating the data to be desensitized based on the grammar tree of the plurality of grammar types.
6. The method of desensitizing according to claim 5, wherein said performing said data desensitizing strategy on said data to be desensitized, obtaining target desensitized data, comprises:
performing desensitization replacement on the data to be desensitized according to the data desensitization strategy;
determining a target desensitization field meeting the data desensitization strategy in the key desensitization fields of the data to be desensitized;
performing reverse grammar tree operation on the target desensitization field, the data types subjected to desensitization replacement and the data fields to generate target desensitization data corresponding to different data types; the target desensitization data are data with the same grammar structure as the user demand data.
7. The method of desensitizing according to claim 5, wherein said predefining a data desensitizing strategy according to said target database comprises:
calling a callback function, and inquiring key desensitization fields under different data types one by one to acquire control data corresponding to any key desensitization field;
and determining the data desensitization strategy according to all the control data.
8. The method of desensitizing according to claim 1, wherein if said data request instruction triggers said data desensitizing policy, said method further comprising:
and refusing the user to access the target database.
9. A database data desensitization system, the system comprising:
the receiving unit is used for receiving a data request instruction of a user to a target database and acquiring data to be desensitized of the target database according to the data request instruction;
the judging unit is used for predefining a data desensitization strategy according to the target database and judging whether the data request instruction triggers the data desensitization strategy or not;
and the execution unit is used for executing the data desensitization strategy on the data to be desensitized when the data request instruction triggers the data desensitization strategy, acquiring target desensitization data and returning the target desensitization data to the user so that the user refers to the target desensitization data in the target database.
10. A database data desensitizing apparatus, said apparatus comprising:
the device comprises a central processing unit, a memory, an input/output interface, a wired or wireless network interface and a power supply;
the memory is a short-term memory or a persistent memory;
the central processor is configured to communicate with the memory and to execute instruction operations in the memory to perform the data desensitization method according to any one of claims 1-8.
11. A computer readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the data desensitisation method according to any of claims 1 to 8.
CN202311356192.5A 2023-10-18 2023-10-18 Database data desensitization method, system, device and readable storage medium Pending CN117633863A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311356192.5A CN117633863A (en) 2023-10-18 2023-10-18 Database data desensitization method, system, device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311356192.5A CN117633863A (en) 2023-10-18 2023-10-18 Database data desensitization method, system, device and readable storage medium

Publications (1)

Publication Number Publication Date
CN117633863A true CN117633863A (en) 2024-03-01

Family

ID=90031024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311356192.5A Pending CN117633863A (en) 2023-10-18 2023-10-18 Database data desensitization method, system, device and readable storage medium

Country Status (1)

Country Link
CN (1) CN117633863A (en)

Similar Documents

Publication Publication Date Title
US11392586B2 (en) Data protection method and device and storage medium
US8930403B2 (en) Fine-grained relational database access-control policy enforcement using reverse queries
CN110532797A (en) The desensitization method and system of big data
CN108171073B (en) Private data identification method based on code layer semantic parsing drive
US10438008B2 (en) Row level security
US20090094193A1 (en) Secure normal forms
US20170083722A1 (en) Dynamic data masking system and method
CN112560100B (en) Data desensitizing method and device, computer readable storage medium and electronic equipment
US20220100899A1 (en) Protecting sensitive data in documents
US20200334375A1 (en) Constraint querying for collaborative intelligence and constraint computing
US7904472B1 (en) Scanning application binaries to identify database queries
US20070239471A1 (en) Systems and methods for specifying security for business objects using a domain specific language
US8965879B2 (en) Unique join data caching method
Caruccio et al. GDPR compliant information confidentiality preservation in big data processing
US20160267085A1 (en) Providing answers to questions having both rankable and probabilistic components
Bański Access control by query rewriting: the case of KorAP
CN110895537A (en) Method and device for freely inquiring authority control
CN114356968A (en) Query statement generation method and device, computer equipment and storage medium
GB2600823A (en) Masking sensitive information in a document
US11968214B2 (en) Efficient retrieval and rendering of access-controlled computer resources
US20240127379A1 (en) Generating actionable information from documents
CN106020923A (en) SELinux strategy compiling method and system
CN106778341A (en) data right management system and method
CN117633863A (en) Database data desensitization method, system, device and readable storage medium
CN114969819A (en) Data asset risk discovery method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination