CN117763595A - Data privacy protection method applied to data management system - Google Patents
Publication number: CN117763595A (application CN202311149449.XA)
Authority: CN (China)
Legal status: Pending
Abstract
The invention relates to a data privacy protection method applied to a data management system, belongs to the technical field of data security, and addresses the insufficient data security that results from the simplistic data privacy protection used in existing data management systems. The method comprises the following steps: receiving an applicant's data resource service application and obtaining an approval grade from the security level of the data resource and the security credit score of the applicant; transmitting the application to the approver corresponding to that approval grade and generating a service authentication token and a service version for the approved data resource service; constructing and transmitting a data resource service access request, checking the received request and, once verification passes, returning a data resource service signature encrypted with the approver's private key together with the data resource service content encrypted under the applicant's public key; and, after the data resource service signature is checked, decrypting to obtain the data resource service content. Data security is improved by considering all data resource participants as a whole.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a data privacy protection method applied to a data management system.
Background
Actual business data are scattered across individual business systems; data standards are not uniform, data quality is poor, and the value of the data is hard to release.
The data management system is built as a tool for raising the value density of data. It mainly comprises data access, data processing, data management, data organization and data service functions, helping enterprises establish standard data application specifications, eliminate data inconsistency, improve in-house data quality and promote wide sharing of data.
As the degree and scope of data sharing expand, data security problems become increasingly prominent and sensitive data leaks are frequent. To prevent such leaks, current data management systems merely integrate data encryption and data desensitization functions, which encrypt and desensitize data assets but do not apply privacy protection technology from the perspective of all data resource participants. This limits data sharing: each data owner can only use the small-scale data it holds, data are hard to aggregate through sharing and fusion, and the value of data elements cannot be fully exploited.
Disclosure of Invention
In view of the above analysis, embodiments of the invention aim to provide a data privacy protection method applied to a data management system, to solve the insufficient data security caused by the simplistic data privacy protection used in existing data management systems.
The embodiment of the invention provides a data privacy protection method applied to a data management system, which comprises the following steps:
receiving a data resource service application of the applicant, and acquiring an approval grade according to the security level of the data resource and the security credit score of the applicant;
transmitting the data resource service application to an approver corresponding to the approval level, and generating a service authentication token and a service version for the approved data resource service;
constructing and transmitting a data resource service access request according to the information of the approver and the applicant, the service authentication token and the service version, checking the received data resource service access request, and returning a data resource service signature encrypted by the private key of the approver and a data resource service content encrypted by the public key of the applicant after the verification is passed;
after the data resource service signature is checked, decrypting to obtain the data resource service content.
Based on further improvement of the method, obtaining the approval level according to the security level of the data resource and the security credit score of the applicant comprises the following steps:
identifying a security level according to a data resource data item in a data resource service application, and acquiring a corresponding initial level according to the security level;
and calculating a security credit score according to the abnormal operation times of the applicant in the behavior log, and reducing the initial grade by one level when the data resource is applied by the applicant for the first time and the security credit score is larger than a score threshold value to obtain an approval grade, otherwise, taking the initial grade as the approval grade.
Based on a further improvement of the above method, identifying the security level from the data resource data item in the data resource service application includes:
converting, according to a similarity measure and a similarity threshold value, the names of data resource data items that are similar to words in a preset word stock into the corresponding words in the word stock;
combining the names of the converted data resource data items to obtain a plurality of groups of data items to be identified, transmitting the data items into a trained neural network model, and predicting the security level; the highest security level is taken as the final security level.
Based on further improvements of the above method, a security credit score is calculated from the number of abnormal operations of the applicant in the behavior log, comprising: counting the times of using the data management system by the applicant abnormally from the behavior log, the times of calling the data resource service interface illegally and the times of logging in the data management system abnormally; and deducting the score corresponding to the times from the security credit full score to obtain a security credit score.
Based on a further improvement of the above method, the method further comprises: before approval by an approver, obtaining risk information by comparing the security level and service scope of the data resource with the security level and service scope of the applicant, and sending the risk information to the approver.
Based on a further improvement of the above method, constructing a data resource service access request based on the approver and applicant information, the service authentication token and the service version, comprising:
the user token, the service authentication token and the service version of the applicant are respectively used as a request item, and each request item and the value thereof are spliced into a request item character string; splicing the access address of the data resource service and the query item and the parameter value thereof into a request address character string;
taking the spliced character string of the approver's public key as a secret key, encrypting the request item string and the request address string and then encrypting again to obtain a first digital digest; encrypting the first digital digest with the applicant's private key to obtain signature information;
placing the data resource request item and the signature information into a data resource service access request header; and obtaining parameter values according to the request parameters of the data resource service, putting the parameter values into a data resource service access request main body, and constructing a data resource service access request.
Based on the further improvement of the method, each request item and the value thereof are spliced into a request item character string, comprising the following steps: after the corresponding values of the request items are spliced through ";
splicing the access address of the data resource service, the query item and the parameter value thereof into a request address character string, comprising: after the query terms are spliced into the corresponding parameter values through "=", splicing the query terms and the parameter values thereof according to the dictionary ascending sequence of the query term names.
Based on a further improvement of the method, the data resource service signature encrypted by the private key of the approver is obtained by the following steps:
acquiring the data resource service return content and computing a second digital digest over the data item information of the data resource; and generating a data resource service signature with the private key of each approver respectively.
Based on a further improvement of the above method, the data resource service content encrypted by the applicant public key comprises: and the data resource service content is obtained by encrypting the data resource identifier, the data resource information, the data resource data item information and the data resource data content according to the applicant public key.
Based on further improvement of the method, the data management system obtains public keys and private keys of an applicant and an approver through an interface externally provided by a security management center; and the approval log of the approver is stored in the data management system and pushed to the safety management center for storage of both sides.
Compared with the prior art, the invention has at least one of the following beneficial effects:
1. the security level of the data resources used by the applicant is predicted through the neural network model, a basis is provided for the decision approval process of an approver, the data resource service application specification is guaranteed, and the leakage risk of the data resources is controlled from the source. Meanwhile, the safety event log is completely recorded and is backed up and stored through the data management system and the safety management center, so that the behavior of the data resource service participants is strictly constrained, responsibilities of the data resource participants are effectively bound, and the compliance of the use of the data resource is ensured.
2. During transmission of the data resource, an encryption algorithm is used to encrypt and sign the dual tokens, namely the user token and the data service authentication token, ensuring the integrity and privacy of the data during directed transmission.
3. The participants of the coordinated data resource service jointly protect the data privacy, and the limitation of adopting data encryption and desensitization technical means in the past is broken through.
In the invention, the technical schemes can be mutually combined to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to refer to like parts throughout the several views.
FIG. 1 is a flow chart of a data privacy protection method applied to a data management system in an embodiment of the invention.
Detailed Description
Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and together with the description serve to explain the principles of the invention, and are not intended to limit the scope of the invention.
In one embodiment of the present invention, a data privacy protection method applied to a data governance system is disclosed, as shown in fig. 1, comprising the steps of:
s11, receiving a data resource service application of the applicant, and acquiring an approval level according to the security level of the data resource and the security credit score of the applicant;
s12, sending the data resource service application to an approver corresponding to the approval level, and generating a service authentication token and a service version for the approved data resource service;
s13, constructing and sending a data resource service access request according to the information of the approver and the applicant, the service authentication token and the service version, checking the received data resource service access request, and returning a data resource service signature encrypted by the private key of the approver and a data resource service content encrypted by the public key of the applicant after the verification is passed;
s14, after the data resource service signature is checked, decrypting to obtain the data resource service content.
It should be noted that, in this embodiment, the data management system has complete functions of user management, authority management, approval management, and audit management, and provides support for user registration, authority application, transaction approval, and log audit; and simultaneously accessing the data of each application system of the enterprise, and providing application registration, data processing, data management, data organization and data service functions of each application. The applicant and the approver are legal registered users of the data management system, and the data management system grants the approver certain data resource approval authority according to the management function of the organization; the applicant obtains the whole situation of the required data resources by inquiring the data resources, dynamically obtains the corresponding approval grade by applying for each data resource service, and obtains the data resource service provided by the data management system after approval.
Before step S11, the applicant queries the service status of data resources by calling an interface, to learn the overall situation of the required data resources. Specifically, the data resource service query interface is a RESTful API that provides queries over the status of the various data resources; its request parameters include the query conditions, the data resource information to be returned, and whether to return the data resource data items. The response comprises a data resource identifier, data resource information and data resource data items, where the data resource information includes the data resource catalog number, data resource name, data resource description, owning unit, service scope, approval information, data resource status, time stamp, data count, data size and data fingerprint; the data fingerprint is a hash value of the data resource content computed with an encryption algorithm. Illustratively, the encryption algorithm uses SM3, MD5 or SHA1.
In step S11, the applicant applies for 1 or more selected data resource services according to the queried data resource service conditions, selects a required data resource data item, namely data resource field information to be acquired, and the data management system acquires a corresponding approval level and starts an approval process according to the security level of each data resource and the security credit score of the applicant. Different approval levels have different approval orders and approvers.
It should be noted that, according to the security level of the data resource and the security credit score of the applicant, obtaining the approval level includes:
(1) and identifying the security level according to the data item of the data resource in the data resource service application, and acquiring the corresponding initial level according to the security level.
It should be noted that the security level of the data resource is obtained by analyzing the security levels of its fields together: some fields are ordinary when considered alone, but the security level may rise when they are combined. For example, fields such as railway ticket booking, hotel accommodation and logistics each belong to the general level, but their combination is important, and judging field combinations manually is very laborious.
Specifically, according to the similarity and the similarity threshold value, converting names of data resource data items similar to words in a preset word stock into corresponding words in the word stock; combining the names of the converted data resource data items to obtain a plurality of groups of data items to be identified, transmitting the data items into a trained neural network model, and predicting the security level; the highest security level is taken as the final security level.
It should be noted that, the longest length of each group of data items to be identified is set according to practical situations, and the longest length is not exceeded when the data items are arranged and combined.
The security level in this embodiment includes: public, general, important and special, the corresponding approval grades are automatic approval, primary approval, secondary approval and tertiary approval. The automatic approval refers to the data resource service application submitted by the applicant automatically by the approval center according to a preset approver; the first-level approval refers to approval of a data resource service application submitted by an applicant by a department to which the applicant belongs; the second-level approval refers to approval of the data resource service application submitted by the applicant by the lead of the department to which the applicant belongs and the lead of the direct superior department in sequence; the third-level approval refers to approval of the data resource service application submitted by the applicant by the lead of the department to which the applicant belongs, the lead of the direct superior department and the lead of the business director in sequence. And obtaining an initial grade according to the approval grade corresponding to the predicted highest security grade.
(2) And calculating a security credit score according to the abnormal operation times of the applicant in the behavior log, and reducing the initial grade by one level when the data resource is applied by the applicant for the first time and the security credit score is larger than a score threshold value to obtain an approval grade, otherwise, taking the initial grade as the approval grade.
Specifically, according to the abnormal operation times of the applicant in the behavior log, calculating a security credit score includes: counting the times of using the data management system by the applicant abnormally from the behavior log, the times of calling the data resource service interface illegally and the times of logging in the data management system abnormally; and deducting the score corresponding to the times from the security credit full score to obtain a security credit score.
It should be noted that the data management system records a behavior log of every operation of each user. From this log it counts the number of abnormal uses of the data management system by the applicant, such as data resource service applications rejected for being out of scope, misuse of approvals and illegal downloads of data resources; the number of illegal calls of the data resource service interface, such as use after expiry, requests carrying forged or wrong signature information, and use beyond the authorized range; and the number of abnormal logins to the data management system, such as being locked after exceeding the allowed number of consecutive password attempts, using another user's UKey, or logging in from an abnormal IP address.
The score corresponding to each abnormal-operation count is determined according to the actual situation. If the resulting security credit score is greater than the score threshold and the applicant is applying for the data resource for the first time, the initial grade is reduced by one level to obtain the approval grade. Illustratively, third-level approval is reduced to second-level approval, shortening the approval process.
Further, before approval by an approver, the risk information is obtained by comparing the security level of the data resource and the service range of the applicant according to the security level and the service range of the applicant, and is sent to the approver.
Specifically, it is first determined from the applicant's service scope and the data resource's service scope whether the application condition is met, and applications that do not meet it are rejected. For example, if the user's business scope is product sales, only data resources within the product sales scope can be viewed; if the requested data resource belongs to the enterprise's profit information, the two scopes do not match, the application condition is not met, and the application is returned to the applicant as an illegal application.
If the application condition is met and the applicant's security level is greater than or equal to the security level of the data resource, the risk is low; otherwise the risk is high. For example, if the applicant's security level is secret, the applicant is authorized to access data resources at the important, general and public levels. The data management system presents the corresponding risk information to the approver as a basis for the approval decision, which keeps data resource service applications within specification and controls the leakage risk of data resources at the source.
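As an added illustration that is not part of the patent, the following Go program implements the approval-grade and risk logic described above: the mapping from the highest predicted security level to the initial approval grade, the security credit score as deductions from a full score, the one-level reduction for a first application with a score above the threshold, and the pre-approval scope and level comparison. The deduction values, the full score of 100, the threshold of 80, the flooring of the score at zero, the rule that automatic approval is never reduced further, and representing the applicant's clearance on the same four-level scale are constructed assumptions; the patent leaves these to the actual situation.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityLevel and ApprovalGrade follow the page's tables: public -> automatic,
// general -> primary, important -> secondary, special -> tertiary approval.
type SecurityLevel int

const (
	Public SecurityLevel = iota
	General
	Important
	Special
)

type ApprovalGrade int

const (
	Automatic ApprovalGrade = iota
	Primary
	Secondary
	Tertiary
)

// Scoring constants. The page leaves the full score, the threshold and the per-event
// deductions to "the actual situation"; these values are constructed for the example.
const (
	FullScore         = 100
	ScoreThreshold    = 80
	DeductAbnormalUse = 10 // out-of-scope application, misuse of approval, illegal download
	DeductIllegalCall = 15 // expired token, forged signature or out-of-authority call
	DeductAbnormalLog = 5  // lockout after password attempts, foreign UKey, abnormal IP
)

// BehaviorLog holds the three abnormal-operation counts the page takes from the log.
type BehaviorLog struct {
	AbnormalUse, IllegalCalls, AbnormalLogin int
}

// SecurityCreditScore deducts the per-event scores from the full score. Flooring the
// result at zero is an assumption; the page does not say what happens below zero.
func SecurityCreditScore(l BehaviorLog) int {
	s := FullScore - l.AbnormalUse*DeductAbnormalUse - l.IllegalCalls*DeductIllegalCall - l.AbnormalLogin*DeductAbnormalLog
	if s < 0 {
		return 0
	}
	return s
}

// InitialGrade maps the highest predicted security level to its approval grade.
func InitialGrade(levels []SecurityLevel) ApprovalGrade {
	highest := Public
	for _, lv := range levels {
		if lv > highest {
			highest = lv
		}
	}
	return ApprovalGrade(highest)
}

// ApprovalGradeFor lowers the initial grade by one level only when this is the
// applicant's first application for the resource and the credit score exceeds the
// threshold. Not lowering below Automatic is an assumption.
func ApprovalGradeFor(levels []SecurityLevel, l BehaviorLog, firstApplication bool) ApprovalGrade {
	g := InitialGrade(levels)
	if firstApplication && SecurityCreditScore(l) > ScoreThreshold && g > Automatic {
		g--
	}
	return g
}

// AssessRisk is the pre-approval check: the resource's service scope must be one of the
// applicant's scopes (else the application is illegal); risk is low if clearance >= level.
func AssessRisk(applicantScopes []string, resourceScope string, applicantLevel, resourceLevel SecurityLevel) (string, error) {
	inScope := false
	for _, s := range applicantScopes {
		if s == resourceScope {
			inScope = true
		}
	}
	if !inScope {
		return "", errors.New("illegal application: data resource outside the applicant's service scope")
	}
	if applicantLevel >= resourceLevel {
		return "low", nil
	}
	return "high", nil
}

func main() {
	log := BehaviorLog{IllegalCalls: 1}
	levels := []SecurityLevel{General, Special}
	fmt.Println("score:", SecurityCreditScore(log), "grade:", ApprovalGradeFor(levels, log, true))
	risk, err := AssessRisk([]string{"product sales"}, "product sales", Important, General)
	fmt.Println("risk:", risk, err)
}
```

With one illegal call the score is 85, above the threshold, so a first application for a resource whose highest level is special drops from tertiary to secondary approval, which is the page's own illustration; a second illegal call would leave the score at 70 and keep tertiary approval.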
In step S12, the approver reviews the risk information while approving the data resource service application. Further, the approver may select data encryption functions for individual data resource data items and/or select data desensitization rules to desensitize sensitive information in the data resource, so that even once the applicant holds the authority for the data resource service, some of the selected data items cannot be completely understood and used, preventing abuse and leakage of sensitive information.
For the approved data resource service, the data management system generates a service authentication token from the unique identifier of the applicant and the data resource service address, and obtains the current service version information of the data resource service. Illustratively, the service authentication token is generated with the Jose4j library.
The service authentication token and the service version are used for constructing a data resource service access request head when accessing the data resource service, the service authentication token is used for ensuring that the data resource service is approved, and the service version is used for ensuring that the service version applied by the applicant is consistent with the authorized service version. Preferably, the service authentication token has a validity time, beyond which the data service authentication token will expire.
The approval log of the approver is stored in the data management system and pushed to the security management center, so that both parties hold a backup. This prevents the approval content from being forged, tampered with or deleted, archives it as evidence, makes illegal use of data resources traceable, and strengthens the penalties for violations.
The applicant accesses the approved data resource service in step S13, constructs and transmits a data resource service access request according to the approver and applicant information, the service authentication token and the service version, and comprises the following steps:
(1) the user token, the service authentication token and the service version of the applicant are respectively used as a request item, and each request item and the value thereof are spliced into a request item character string; and splicing the access address of the data resource service and the query term and the parameter value thereof into a request address character string.
It should be noted that the applicant's user token is generated by the data management system after the applicant logs in successfully; the request items in this embodiment include, but are not limited to, the applicant's user token, the service authentication token and the service version. Preferably, they further include the HTTP request method, with values such as PUT, GET, POST, HEAD and DELETE; the requested content type, with value application/json; and the request time, whose value is the current operation time.
Splicing each request item and its value into a request item character string comprises: joining each request item to its corresponding value through ":", joining the items through "\n", and ordering the request items and their values by the dictionary ascending sequence of the request item names. Note that there are no spaces.
Illustratively, the request item for the user token is x-data-user-token with value OC4xMjgMQ=|NzI4NzgOWNij; the request item for the service authentication token is x-data-service-token with value da$12$8I6BNNR4IKQ6UTDI1NF97E3Z6ZI; the request item for the service version is x-data-client-version with value v2.1. The spliced request item string is: x-data-client-version:v2.1\nx-data-service-token:da$12$8I6BNNR4IKQ6UTDI1NF97E3Z6ZI\nx-data-user-token:OC4xMjgMQ=|NzI4NzgOWNij.
Splicing the access address of the data resource service, the query item and the parameter value thereof into a request address character string, comprising: after the query terms are spliced into the corresponding parameter values through "=", splicing the query terms and the parameter values thereof according to the dictionary ascending sequence of the query term names.
It should be noted that, the query terms of the data resource service in this embodiment include, but are not limited to: the data resource service comprises a data resource service identifier, a data resource service name, a data resource service query condition, an application identifier to which the data resource service belongs, an application name to which the data resource service belongs and a data resource identifier.
Illustratively, the access address of the data resource service is https://api.xxx.com/data/service, and the spliced request address string is: https://api.xxx.com/data/service?apiid=100000101108&apiname=\u516c\u53f8\u4eba\u5458&appid=2000020000008&appname=\u4eba\u5458\u753b\u50cf&c2=\u63a5\u53e3&resourcename=r000100010023.
(2) Taking the spliced character string of the approver's public key as a secret key, encrypting the request item string and the request address string and then encrypting again to obtain a first digital digest; and encrypting the first digital digest with the applicant's private key to obtain signature information.
It should be noted that the data management system obtains the public and private keys of the applicant and the approver through an interface provided by the security management center. For the at least one approver of the data resource service application, the spliced character string of the approvers' public keys is used as the secret key: the request item string and the request address string are encrypted with the SM2 national cryptographic algorithm, the result is encrypted again with the SM3 algorithm to obtain the first digital digest, and the first digital digest is encrypted with the SM2 algorithm under the applicant's private key to obtain the signature information.
In the embodiment, privacy protection of the data resource service is integrally considered from the data resource participants, and simultaneously, the private key of the applicant and the public key of each approver are used to associate all the participants with the use of the data resource service, so that responsibility is jointly born, and the compliance of the use of the data resource is ensured.
(3) Placing the data resource request items and the signature information into the data resource service access request header; obtaining parameter values according to the request parameters of the data resource service and putting them into the data resource service access request body, thus constructing the data resource service access request.
It should be noted that the request parameters of the data resource service generally include the query terms of the data resource service, so the data management system can construct an actual digest from the received request parameter values by the method of steps (1) and (2). After decrypting the signature information in the received request header with the applicant's public key to obtain the first digital digest, it compares the actual digest with the first digital digest: if they differ, verification fails and access is refused; if they are consistent, the received data resource service access request has not been tampered with and verification passes.
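The request construction of steps (1) to (3) and the service-side check just described, as an added Go example that is not the patent's own code. The canonical strings follow the page's rules: request items as name:value joined by "\n", query terms as name=value joined by "&", both in dictionary ascending order of their names. Because the Go standard library has no SM2 or SM3, the "encrypt under the spliced approver public keys, then digest" step is replaced here by an HMAC-SHA256 keyed with the concatenated approver public keys, and the SM2 signature by an Ed25519 signature over that digest; the NUL separator between the two canonical strings, the caller-side URL-encoding of query values, and the token values in the demo are further constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// sortedKeys returns map keys in dictionary ascending order, the page's ordering rule
// for both request items and query terms.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// RequestItemString splices each request item as "name:value" and joins the items
// with "\n" in ascending name order, with no spaces.
func RequestItemString(items map[string]string) string {
	parts := make([]string, 0, len(items))
	for _, k := range sortedKeys(items) {
		parts = append(parts, k+":"+items[k])
	}
	return strings.Join(parts, "\n")
}

// RequestAddressString appends the query terms as "name=value", in ascending name
// order and joined by "&", to the service access address. Values are used as given;
// URL-encoding them beforehand is assumed to be the caller's job.
func RequestAddressString(address string, query map[string]string) string {
	parts := make([]string, 0, len(query))
	for _, k := range sortedKeys(query) {
		parts = append(parts, k+"="+query[k])
	}
	return address + "?" + strings.Join(parts, "&")
}

// FirstDigest stands in for "encrypt under the spliced approver public keys, then
// digest": an HMAC-SHA256 keyed with the concatenated approver public keys over both
// canonical strings. The NUL separator between the two strings is an assumption.
func FirstDigest(approverPubs []ed25519.PublicKey, itemStr, addrStr string) []byte {
	var key []byte
	for _, p := range approverPubs {
		key = append(key, p...)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(itemStr))
	mac.Write([]byte{0})
	mac.Write([]byte(addrStr))
	return mac.Sum(nil)
}

// SignRequest produces the signature information the applicant puts in the request
// header: an Ed25519 signature over the first digest (stand-in for SM2 signing).
func SignRequest(applicantPriv ed25519.PrivateKey, approverPubs []ed25519.PublicKey,
	items map[string]string, address string, query map[string]string) []byte {
	d := FirstDigest(approverPubs, RequestItemString(items), RequestAddressString(address, query))
	return ed25519.Sign(applicantPriv, d)
}

// VerifyRequest is the service-side check: rebuild the digest from the received header
// items and request parameters and verify the applicant's signature over it. Any change
// to a token, the version or a query value changes the digest and fails verification.
func VerifyRequest(applicantPub ed25519.PublicKey, approverPubs []ed25519.PublicKey,
	items map[string]string, address string, query map[string]string, sig []byte) bool {
	d := FirstDigest(approverPubs, RequestItemString(items), RequestAddressString(address, query))
	return ed25519.Verify(applicantPub, d, sig)
}

func main() {
	applicantPub, applicantPriv, _ := ed25519.GenerateKey(rand.Reader)
	approverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	approvers := []ed25519.PublicKey{approverPub}
	items := map[string]string{ // constructed values in the page's header layout
		"x-data-user-token":     "OC4xMjgMQ=|NzI4NzgOWNij",
		"x-data-service-token":  "da$12$8I6BNNR4IKQ6UTDI1NF97E3Z6ZI",
		"x-data-client-version": "v2.1",
	}
	query := map[string]string{"apiid": "100000101108", "resourcename": "r000100010023"}
	address := "https://api.xxx.com/data/service"
	sig := SignRequest(applicantPriv, approvers, items, address, query)
	fmt.Println(RequestItemString(items))
	fmt.Println(RequestAddressString(address, query))
	fmt.Println("verified:", VerifyRequest(applicantPub, approvers, items, address, query, sig))
	query["apiid"] = "100000101109" // tampered parameter
	fmt.Println("verified after tampering:", VerifyRequest(applicantPub, approvers, items, address, query, sig))
}
```

Keying the digest with the approver public keys is what ties the request to the approvers who authorised it: the same request signed against a different approver set fails verification, which is the association between participants the page describes.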
For a data resource service that passes verification, a data resource service signature encrypted with the approver's private key and data resource service content encrypted with the applicant's public key are generated and returned to the applicant.
Specifically, the data resource service signature encrypted with the approver's private key is obtained as follows:
acquire the data resource service return content and hash the data item information of the data resource with the SM3 algorithm to generate a second digital digest; then encrypt the second digital digest with the SM2 algorithm using the private key of each approver in turn to generate the data resource service signatures.
The data resource service content encrypted with the applicant's public key comprises: the data resource identifier, the data resource information, the data resource data item information and the data resource data content, encrypted with the SM2 algorithm using the applicant's public key.
It should be noted that the data resource service content is encrypted and signed with an asymmetric algorithm using the public and private keys of the applicant and the approver, which ensures the security and tamper resistance of the data during transmission. The method thereby realizes the principle that whoever applies for the data is responsible for its privacy and whoever approves it is responsible for its privacy, so that the participating parties jointly protect data privacy.
In step S14, after receiving the returned content, the applicant decrypts each data resource service signature with the corresponding approver's public key to obtain the second digital digest; if there are multiple approvers, the applicant first checks that the decrypted second digital digests are all consistent. The applicant then decrypts the data resource service content with its own private key, takes the data resource data item information out of the decrypted content, computes a third digital digest with the SM3 algorithm and compares it with the second digital digest; if they are consistent, it is confirmed that the data has not been tampered with.
Preferably, the method further comprises: recomputing the data fingerprint of the decrypted data content of the data resource with the fingerprint method specified in the data resource information, and checking whether the result is consistent with the received data fingerprint.
Compared with the prior art, the data privacy protection method applied to a data management system provided by this embodiment predicts the security level of the data resource requested by the applicant with a neural network model, which provides a basis for the approver's decision, standardizes data resource service applications and controls the leakage risk of data resources at the source. At the same time, security event logs are recorded completely and backed up in both the data management system and the security management center, so that the behaviour of the data resource service participants is strictly constrained, their responsibilities are effectively bound and compliant use of the data resource is ensured. During transmission of the data resource, the two tokens, the user token and the data service authentication token, are encrypted and signed with a cryptographic algorithm, which ensures the integrity and privacy of the data in directed transmission. The participants in the data resource service jointly protect data privacy, overcoming the limitations of relying solely on data encryption and desensitization as in the past.
Those skilled in the art will appreciate that all or part of the flow of the methods of the embodiments described above may be accomplished by a computer program instructing associated hardware, where the program may be stored on a computer-readable storage medium such as a magnetic disk, an optical disk, a read-only memory or a random access memory.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.
Claims (10)
1. A data privacy protection method applied to a data management system, characterized by comprising the following steps:
receiving a data resource service application of an applicant, and obtaining an approval level according to the security level of the data resource and the security credit score of the applicant;
transmitting the data resource service application to the approver corresponding to the approval level, and generating a service authentication token and a service version for the approved data resource service;
constructing and transmitting a data resource service access request according to the information of the approver and the applicant, the service authentication token and the service version; checking the received data resource service access request, and after verification passes, returning a data resource service signature encrypted with the private key of the approver and data resource service content encrypted with the public key of the applicant;
after the data resource service signature is checked, decrypting to obtain the data resource service content.
2. The data privacy protection method applied to a data governance system according to claim 1, wherein obtaining an approval level according to the security level of the data resource and the security credit score of the applicant comprises:
identifying a security level according to the data resource data items in the data resource service application, and obtaining a corresponding initial level according to the security level;
calculating a security credit score according to the number of abnormal operations of the applicant in the behavior log; when the applicant applies for the data resource for the first time and the security credit score is greater than a score threshold, reducing the initial level by one level to obtain the approval level, otherwise taking the initial level as the approval level.
3. The data privacy protection method applied to a data governance system according to claim 2, wherein identifying a security level according to the data resource data items in the data resource service application comprises:
converting, according to a similarity and a similarity threshold, the names of data resource data items that are similar to words in a preset word stock into the corresponding words of the word stock;
combining the converted names of the data resource data items to obtain several groups of data items to be identified, feeding them into a trained neural network model to predict the security level, and taking the highest security level as the final security level.
4. The data privacy protection method applied to a data governance system according to claim 2, wherein calculating a security credit score according to the number of abnormal operations of the applicant in the behavior log comprises: counting, from the behavior log, the number of times the applicant used the data management system abnormally, the number of times the applicant called the data resource service interface illegally and the number of times the applicant logged in to the data management system abnormally; and deducting the scores corresponding to these counts from the full security credit score to obtain the security credit score.
5. The data privacy protection method applied to a data governance system according to claim 3, further comprising: before approval by the approver, obtaining risk information by comparing the security level of the data resource with the service range of the applicant, and sending the risk information to the approver.
6. The method of claim 1, wherein constructing a data resource service access request according to the information of the approver and the applicant, the service authentication token and the service version comprises:
taking the applicant's user token, the service authentication token and the service version as request items, and splicing each request item and its value into a request item string; splicing the access address of the data resource service together with its query items and their parameter values into a request address string;
taking the concatenated string of the approver's public key as the key, encrypting the request item string and the request address string, and then encrypting again to obtain a first digital digest; encrypting the first digital digest with the private key of the applicant to obtain signature information;
placing the data resource request items and the signature information into the data resource service access request header; obtaining parameter values according to the request parameters of the data resource service, putting the parameter values into the data resource service access request body, and thereby constructing the data resource service access request.
7. The method for protecting data privacy applied to a data governance system according to claim 6, wherein said concatenating each request item and its value into a request item string comprises: after the corresponding values of the request items are spliced through ";
the splicing of the access address of the data resource service together with its query items and their parameter values into a request address string comprises: after each query term is joined to its corresponding parameter value with "=", splicing the query terms and their parameter values in ascending dictionary order of the query term names.
8. The data privacy protection method applied to a data governance system according to claim 6, wherein the data resource service signature encrypted with the approver's private key is obtained by:
acquiring the data resource service return content and hashing the data item information of the data resource to generate a second digital digest; and encrypting the second digital digest with the private key of each approver in turn to generate the data resource service signatures.
9. The data privacy protection method applied to a data governance system according to claim 6, wherein the data resource service content encrypted with the applicant's public key comprises: the data resource identifier, the data resource information, the data resource data item information and the data resource data content, encrypted with the applicant's public key.
10. The data privacy protection method applied to a data governance system according to claim 6, wherein the data governance system obtains the public and private keys of the applicant and the approver through an interface provided externally by the security management center; and the approval log of the approver is stored in the data management system and pushed to the security management center, so that both sides keep a copy.
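Claims 2, 4 and 5 describe how the approval level is derived: the security credit score is the full score minus deductions for the applicant's abnormal use, illegal interface calls and abnormal logins found in the behavior log, the initial level is lowered by one for a first-time applicant whose score exceeds the threshold, and the resource's security level is compared with the applicant's service range to produce risk information for the approver. The following is an added worked example of that logic, not code from the patent. The deduction weights, the full score and threshold, the one-to-one mapping from security level to initial level, the reading of "service range" as the highest security level the applicant's role covers, the log line format and the log lines themselves are all constructed assumptions, since the patent fixes none of them.

```python
import re
from collections import Counter

# Constructed policy values: the patent names none of these.
FULL_SCORE = 100
DEDUCTIONS = {"abnormal_use": 5, "illegal_interface_call": 10, "abnormal_login": 3}
SCORE_THRESHOLD = 80
MIN_LEVEL = 1

# Constructed log format: "<timestamp> key=value key=value ...".
LOG_FIELD = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
2024-03-01T09:12:03Z user=alice event=login result=ok
2024-03-01T09:40:11Z user=alice event=abnormal_login reason=new_device
2024-03-02T14:02:55Z user=alice event=illegal_interface_call api=/svc/emp
2024-03-02T14:03:01Z user=bob event=abnormal_use detail=bulk_export
2024-03-03T08:15:42Z user=alice event=abnormal_use detail=off_hours_query
"""

def parse_log(lines):
    """Turn each non-empty log line into a dict of its key=value fields."""
    return [dict(LOG_FIELD.findall(line)) for line in lines if line.strip()]

def security_credit_score(applicant: str, records) -> int:
    """Claim 4: count the three abnormal-operation kinds for this applicant and deduct."""
    counts = Counter(r["event"] for r in records
                     if r.get("user") == applicant and r.get("event") in DEDUCTIONS)
    return max(0, FULL_SCORE - sum(DEDUCTIONS[e] * n for e, n in counts.items()))

def approval_level(security_level: int, first_application: bool, score: int) -> int:
    """Claim 2: initial level from the security level (assumed one-to-one), lowered by one
    for a first-time applicant whose score exceeds the threshold."""
    initial = security_level
    if first_application and score > SCORE_THRESHOLD:
        return max(MIN_LEVEL, initial - 1)
    return initial

def risk_information(security_level: int, service_range: int) -> dict:
    """Claim 5: compare the resource's security level with the applicant's service range."""
    if security_level > service_range:
        return {"risk": True, "reason": f"resource level {security_level} exceeds "
                                        f"applicant service range {service_range}"}
    return {"risk": False, "reason": "resource level within applicant service range"}

def evaluate(applicant: str, security_level: int, service_range: int,
             first_application: bool, log_text: str = SAMPLE_LOG) -> dict:
    """Everything an approver would be shown for one application."""
    score = security_credit_score(applicant, parse_log(log_text.splitlines()))
    return {"score": score,
            "approval_level": approval_level(security_level, first_application, score),
            "risk": risk_information(security_level, service_range)}
```

With the constructed log, alice has one abnormal login, one illegal interface call and one abnormal use, so her score is 82; as a first-time applicant for a level-3 resource she is routed to approval level 2, and a service range of 2 flags the request as risky for the approver. The deductions are per event, so a repeat offender's score falls quickly even with small weights.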
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311149449.XA CN117763595A (en) | 2023-09-07 | 2023-09-07 | Data privacy protection method applied to data management system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311149449.XA CN117763595A (en) | 2023-09-07 | 2023-09-07 | Data privacy protection method applied to data management system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117763595A true CN117763595A (en) | 2024-03-26 |
Family
ID=90311148
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311149449.XA Pending CN117763595A (en) | 2023-09-07 | 2023-09-07 | Data privacy protection method applied to data management system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117763595A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118410405A (en) * | 2024-07-01 | 2024-07-30 | 中科聚信信息技术(北京)有限公司 | Intelligent identification system for hierarchical relationship of data assets |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||