KR102192235B1 - Device for providing digital document de-identification service based on visual studio tools for office - Google Patents

Abstract

Provided is a VSTO-based electronic document de-identification service providing device, which comprises: a search unit which searches for at least one type of personal information when a de-identification menu is selected in an electronic document including at least one of the text, image, and hyperlink; a display unit which collects the number of cases of searched at least one type of personal information by type and displays the result; a format selection unit which selects any one of at least one de-identification format for de-identifying the searched at least one type of personal information; and a processing unit which de-identifies at least one type of personal information in the selected format.

Description

VTS-based electronic document de-identification service providing device {DEVICE FOR PROVIDING DIGITAL DOCUMENT DE-IDENTIFICATION SERVICE BASED ON VISUAL STUDIO TOOLS FOR OFFICE}

The present invention relates to an apparatus for providing a VSTO-based electronic document de-identification service, and provides a platform capable of identifying, extracting, and de-identifying personal information in an electronic document with a function included in an electronic document creation program.

The world is facing personal information issues related to the use of data. The European General Data Protection Regulation (GDPR) requires strong personal information measures such as expanding the subject of personal information protection and strengthening penalties for violations, notification and prior consent when collecting and processing personal information, and guaranteeing the right to be forgotten. , Anonymisation and Pseudonymisation are distinguished so that information about an individual does not identify a specific person, so that the information is deleted or converted into an unrecognizable form. Korea has established standards for processing non-real names, but if too much information is deleted or de-identified, its value as big data is degraded, so the pseudonymized information by de-identifying personal information by passing the recent Data 3 Act Even without the prior consent of the information subject, it can be used or provided with pseudonym information to a third party.

At this time, methodologies for de-identification were disclosed. In this regard, Korean Patent Registration No. 10-2067926 (announced on January 17, 2020), which is a prior art, receives an electronic document including text information from a user and inputs it. From the received electronic document, using a pattern matching program, a pre-matching program, a machine learning program, and a deep learning program to identify non-identifying information for each program, and calculating the accuracy value of the identified non-identifying information using a set weight. If the set accuracy value is more than the preset reference value, the non-identifying information is converted into a replacement string, and the text of the received electronic document and the non-identifying target word included in the sentence are collected and listed as a list for the target electronic document. The configuration is disclosed.

However, in the case of using the above configuration, since de-identification is not performed within the office program that creates the electronic document, a separate program must be reinstalled, and the de-identification operation is performed within the program immediately after creating the electronic document. Instead of doing it, there is a hassle of having to work by running a separate program. In addition, even if multiple computers are connected to one intranet, such as an office, since separate programs must be installed on each computer, installation costs and time are levied. The process of having to work one by one is essentially followed. Accordingly, there is a need to develop a method capable of running within the office program itself even without installing or running a separate program and maintaining a client in a network connected by one intranet at a time.

According to an embodiment of the present invention, by developing a de-identification program so that it can be operated within the office program itself based on VSTO (Visual Studio Tools for Office), the function can be performed in an electronic document without installing or running a separate program. It is possible to perform, set to enable maintenance for multiple clients connected through one intranet, and display the results by analyzing patterns of each personal information, but set the range of identifiable personal information and analyzed personal information By applying a de-identification algorithm according to the form of the personal information, the possibility of leakage of personal information due to unintentional negligence is minimized by preventing de-identification processing impossibility or skip phenomenon caused by the change in the format in which personal information is recorded. It is possible to provide a VSTO-based electronic document de-identification service provision method. However, the technical problem to be achieved by the present embodiment is not limited to the technical problem as described above, and other technical problems may exist.

As a technical means for achieving the above-described technical problem, an embodiment of the present invention provides at least one type of personal information when a de-identification menu is selected in an electronic document including at least one of text, image, and hyperlink. A search unit that searches for, a display unit that collects the number of cases of searched at least one type of personal information by type and displays a result, at least one non-identification unit for de-identifying the searched at least one type of personal information And a format selection unit for selecting one of the de-identification formats among the image formats, and a processing unit for de-identifying at least one type of personal information in the selected format.

According to any one of the above-described problem solving means of the present invention, by developing a de-identification program to be driven within the office program itself based on VSTO (Visual Studio Tools for Office), electronic It allows the user to perform its function within the document, sets it to enable maintenance for multiple clients connected through one intranet, analyzes the patterns of each personal information, and displays the results, but determines the range of identifiable personal information. Personal information through unintentional negligence by preventing de-identification processing impossibility or skip phenomenon that occurs due to changes in the format in which personal information is written by applying a de-identification algorithm according to the type of personal information set and analyzed It can minimize the possibility of leakage.

1 is a view for explaining a VSTO-based electronic document de-identification service providing system according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating an apparatus for providing a de-identification service included in the system of FIG. 1.
3 and 4 are diagrams for explaining an embodiment in which a VSTO-based electronic document de-identification service is implemented according to an embodiment of the present invention.
5 is a flowchart illustrating a method of providing a VSTO-based electronic document de-identification service according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art can easily implement the present invention. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar reference numerals are assigned to similar parts throughout the specification.

Throughout the specification, when a part is said to be "connected" to another part, this includes not only "directly connected" but also "electrically connected" with another element interposed therebetween. . In addition, when a part "includes" a certain component, it means that other components may be further included, and one or more other features, not excluding other components, unless specifically stated to the contrary. It is to be understood that it does not preclude the presence or addition of any number, step, action, component, part, or combination thereof.

The terms "about", "substantially" and the like, as used throughout the specification, are used in or close to the numerical value when manufacturing and material tolerances specific to the stated meaning are presented, and are used in the sense of the present invention. To assist, accurate or absolute figures are used to prevent unfair use of the stated disclosure by unscrupulous infringers. As used throughout the specification of the present invention, the term "step (to)" or "step of" does not mean "step for".

In the present specification, the term "unit" includes a unit realized by hardware, a unit realized by software, and a unit realized using both. Further, one unit may be realized using two or more hardware, or two or more units may be realized using one hardware. Meanwhile,'~ unit' is not meant to be limited to software or hardware, and'~ unit' may be configured to be in an addressable storage medium or configured to reproduce one or more processors. Thus, as an example,'~ unit' refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, and procedures. , Subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays and variables. The components and functions provided in the'~ units' may be combined into a smaller number of elements and'~ units', or may be further divided into additional elements and'~ units'. In addition, components and'~ units' may be implemented to play one or more CPUs in a device or a security multimedia card.

In this specification, some of the operations or functions described as being performed by the terminal, device, or device may be performed instead in a server connected to the terminal, device, or device. Likewise, some of the operations or functions described as being performed by the server may also be performed by a terminal, device, or device connected to the server.

In this specification, some of the operations or functions described as mapping or matching with the terminal means mapping or matching the unique number of the terminal or the identification information of the individual, which is the identification information of the terminal. Can be interpreted as.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

1 is a view for explaining a VSTO-based electronic document de-identification service providing system according to an embodiment of the present invention. Referring to FIG. 1, a VSTO-based electronic document de-identification service providing system 1 may include at least one de-identification service providing device 100 and a de-identification service providing server 300. However, since the VSTO-based electronic document de-identification service providing system 1 of FIG. 1 is only an embodiment of the present invention, the present invention is not limitedly interpreted through FIG. 1.

In this case, each component of FIG. 1 is generally connected through a network 200. For example, as shown in FIG. 1, at least one de-identification service providing apparatus 100 may be connected to the de-identification service providing server 300 through a network 200. In addition, the de-identification service providing server 300 may be connected to at least one de-identification service providing device 100 through the network 200.

Here, the network refers to a connection structure in which information exchange is possible between respective nodes such as a plurality of terminals and servers, and examples of such networks include a local area network (LAN) and a wide area communication network (WAN: Wide Area Network), Internet (WWW: World Wide Web), wired/wireless data communication network, telephone network, wired/wireless television communication network, etc. Examples of wireless data networks include 3G, 4G, 5G, 3GPP (3rd Generation Partnership Project), 5GPP (5th Generation Partnership Project), LTE (Long Term Evolution), WIMAX (World Interoperability for Microwave Access), and Wi-Fi. , Internet, LAN(Local Area Network), Wireless LAN(Wireless Local Area Network), WAN(Wide Area Network), PAN(Personal Area Network), RF(Radio Frequency), Bluetooth(Bluetooth) network, NFC( Near-Field Communication) network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network, etc. are included, but are not limited thereto.

In the following, the term “at least one” is defined as a term including the singular number and the plural number, and even if the term “at least one” does not exist, each component may exist in the singular or plural, and may mean the singular or plural. It will be self-evident. In addition, it will be possible to change according to the embodiment that each component is provided in a singular or plural.

At least one de-identification service providing device 100 includes text, images, and hyperlinks included in the electronic document in the electronic document using a web page, app page, program, or application related to the VSTO-based electronic document de-identification service. It may be a device that identifies, detects, and de-identifies personal information included in. At this time, when a menu or icon included in the office program is selected, the de-identification service providing device 100 extracts at least one type of personal information included in the electronic document, collects and outputs the number of personal information for each type. And, after selecting a format for de-identifying personal information, providing de-identified text, image, and hyperlink as a preview, and selecting de-identification processing confirmation menu or icon, selected de-identification It may be a device that de-identifies personal information in a format.

Here, the at least one de-identification service providing apparatus 100 may be implemented as a computer that can access a remote server or terminal through a network. Here, the computer may include, for example, a navigation system, a notebook equipped with a web browser, a desktop, a laptop, and the like. In this case, the at least one de-identification service providing apparatus 100 may be implemented as a terminal capable of accessing a remote server or terminal through a network. The at least one de-identification service providing device 100 is, for example, a wireless communication device that guarantees portability and mobility, and includes a navigation system, a personal communication system (PCS), a global system for mobile communications (GSM), and a personal communication system (PDC). Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet) It may include all kinds of handheld-based wireless communication devices such as terminals, smartphones, smartpads, and tablet PCs.

The de-identification service providing server 300 may be a server that provides a VSTO-based electronic document de-identification service web page, an app page, a program, or an application. In addition, when the de-identification service providing server 300 is connected to a closed network such as an intranet, the de-identification service providing server 300 provides at least one de-identification service included in the intranet when an update is required. It may be a server that transmits an update signal to the device 100 to perform an update.

Here, the de-identification service providing server 300 may be implemented as a computer that can access a remote server or terminal through a network. Here, the computer may include, for example, a navigation system, a notebook equipped with a web browser, a desktop, a laptop, and the like.

FIG. 2 is a block diagram illustrating an apparatus for providing a de-identification service included in the system of FIG. 1, and FIGS. 3 and 4 are a VSTO-based electronic document de-identification service implemented according to an embodiment of the present invention. It is a diagram for explaining an embodiment.

2, the de-identification service providing device 100 includes a search unit 310, a display unit 320, a format selection unit 330, a processing unit 340, a preview providing unit 350, and an image A unit 360 and an overlay unit 370 may be included.

The de-identification service providing server 300 or another server (not shown) operating in conjunction with the de-identification service providing device 100 according to an embodiment of the present invention provides a VSTO-based electronic document de-identification service to at least one de-identification service providing device 100 When transmitting an application, program, app page, web page, etc., at least one de-identification service providing device 100 may install a VSTO-based electronic document de-identification service application, program, app page, web page, etc. I can open it. In addition, a service program may be driven in at least one de-identification service providing device 100 by using a script executed in a web browser. Here, the web browser is a program that allows you to use the Web (WWW: World Wide Web) service, which means a program that receives and displays hypertext described in HTML (Hyper Text Mark-up Language). For example, Netscape , Explorer, Chrome, etc. In addition, the application refers to an application program on the terminal, and includes, for example, an app running on a mobile terminal (smartphone).

Referring to FIG. 2, the search unit 110 may search for at least one type of personal information when a de-identification menu is selected in an electronic document including at least one of text, image, and hyperlink. Here, when searching for personal information, technologies such as natural language processing (NLP), entity name recognition, artificial intelligence, and data mining may be used, but this is similar to the content described in the prior art or is the same as known technology, so it is not described in detail. .

At this time, the at least one type of personal information includes, but is not limited to, a social security number, a phone number, a name, an address, a credit card number, a passport number, a driver's registration card number, and a vehicle number, and may vary according to embodiments. In addition, whether or not it corresponds to personal information may vary depending on the embodiments, but in one embodiment of the present invention, the current law standards at the time of filing, that is, Articles 23 and 24 of the Personal Information Protection Act, and Article 19 of the Enforcement Decree of the same law Take as an example the processing of personal information items specified in sensitive information and unique identification information. However, it will be apparent that it is not limited to the above and can be changed according to embodiments.

The National Science and Technology Knowledge Information Service (NTIS) of the Korea Institute of Science and Technology Information conducts an impact assessment on personal information protection and manages it by assigning a grade according to the level of impact on personal information. Hereinafter, Table 1 is a personal information impact level of NTIS, and the first grade is a very important personal information item that can be personally identified by itself or, when combined, can be personally identified.

rank Classification Personal information items Explanation Level 1 Unique identification information Resident registration number, passport number, driver's license number, foreigner registration number * Article 24 of the Personal Information Protection Act and Article 19 of the Enforcement Decree of the same Act Personal information that is personally identifiable or highly sensitive, or personal information whose processing is strictly restricted in accordance with relevant laws and regulations Sensitive information Information that can significantly infringe on privacy, such as ideas and beliefs, membership or withdrawal of trade unions and political parties, political opinions, medical history, physical and mental disabilities, sexual orientation, genetic test information, criminal history information, etc.
* Article 23 of the Personal Information Protection Act and Article 18 of the Enforcement Decree of the same Act Certification information Password, bio information (fingerprint, iris, vein, etc.)
*Article 7 of the standard notice of measures to ensure the stability of personal information Credit information
Financial information Credit information, credit card number, account number, etc.
* Articles 2, 19 of the Act on the Use and Protection of Credit Information and Articles 2, 16 and 21 of the Enforcement Decree of the same Act Location information * Articles 2 and 16 of the Act on Protection and Movement of Location Information Level 2 Personal identification information Name, address, phone number, mobile phone number, email, date of birth, gender, etc. Personal information that can be clearly identified when combined Personal information Education, occupation, height, weight, marital status, family situation, hobbies, etc. Level 3 Automatically generated information IP information, MAC information, site visit records, cookies, etc. Indirect personal information that provides additional information when combined with personally identifiable information Processing information Statistical information, subscriber propensity, etc. Limited identification information Member information, company number, personal identification information for internal use, etc.

At this time, it can be seen that most of the unique identification information is defined as belonging to the first grade, and other personal information is also subject to security in the second and third grades. Here, de-identification processing, for example, masking of personal information itself is also important, but it is also important to select and define in advance which items of personal information to be masked. The data profiling method may be used to select and define items to protect personal information, but is not limited thereto. Data profiling is used to issue data quality problems and find improvements through statistical analysis of source data and metadata. In one embodiment of the present invention, metadata of structured data and unstructured data is analyzed and characteristics of data I will use it to grasp. Accordingly, in an embodiment of the present invention, information on data may be extracted through various analyzes in order to grasp the structure, content, and quality existing in the data by using data profiling.

Data profiling is similar to data mining or knowledge discovery, which automatically extracts hidden knowledge from vast amounts of information in a database. In other words, it is possible to detect errors related to data by using statistical analysis methods, and based on these findings, a discrepancy between management documents and systems is presented to manage high-quality data. In data profiling, there are discovery and verification procedures. Through the discovery process, inaccurate data phenomena with possible errors are discovered, and the discovered phenomena are determined by consulting with business managers.

At this time, the column analysis measures the distribution of data such as Null, Space, effective value, Min, Max, and Rank of a specific column, and the date type analysis is a method of analyzing the data distribution outside the standard format for the date of the character type. Pattern analysis determines whether a specific pattern composed of letters, numbers, etc. has a consistent pattern. Regular expressions are special text patterns that can be used in applications and programming languages as the language that can most effectively express strings with specific rules. In other words, it checks whether a specific content matches a text pattern, finds text that matches a specific pattern within the text, replaces text that matches that pattern with another text, or rearranges part of the matching text, This can be used to split text into smaller text segments.

Meanwhile, for each type of personal information data corresponding to metadata, which is structured data, a security target item to be masked should be selected, and definition for each data type should be prioritized. To this end, in one embodiment of the present invention, personal information to be masked is selected as a social security number, phone number, e-mail, address name, and metadata corresponding thereto is masked, but it is not limited thereto and varies depending on the embodiment. I can. For example, when analyzing a social security number by data profiling, a wide variety of display formats can appear.

In other words, when a character is included in the middle of the resident registration number, only a part of the back is indicated, and the front and back parts of the resident registration number are connected with various separators (hyphen, space, separator omitted, etc.). Therefore, if the resident registration number is extracted only by prediction without data profiling, there is a probability of being omitted. For example, when the resident registration number contains characters (ZZZZZZ-CZZZZZZ), only part of the back part (ZZZZZZ-Z), or connected by various separators, it is difficult to extract only by prediction. When designing a resident registration number extraction algorithm based on the data profiling result, all types of resident registration numbers with various display formats can be extracted, and all types of resident registration numbers are masked and the probability of leaking to the outside without being masked can be zero. Likewise, all kinds of personally identifiable information can be extracted from phone numbers, emails, and address names by data profiling.

The display unit 120 may collect the number of cases of the searched at least one type of personal information by type and display a result. For example, if the type of personal information is an address, how many addresses exist in one electronic document (file) can be summed and shown. In addition, it is possible to show which types of personal information exist, for example, how many addresses exist and how many resident registration numbers exist. It can also tell you where you are.

The format selection unit 130 may receive a selection of any one of at least one de-identification format for de-identifying the searched at least one type of personal information. Here, the at least one de-identification format may include, but is not limited to, deletion, partial deletion, post-space replacement, and noise addition. In addition to this, aggregation may be possible. By showing the total of the data, the individual data values are not displayed.For example, the set of student personal information (Pengsu Kim 180 cm, Dongbang Park 170 cm, Shinki Lee 160 cm, Yunho Choi 150 cm) is the total height of the student, 660 It can be expressed in cm or an average height of 165 cm. At this time, the important point is that disclosure of the attribute information of a group consisting of individuals with specific attributes results in the same result as disclosure of the information of individuals belonging to the group, so this cannot be considered as de-identification, and the attribute information of the group is also Can be de-identified.

In addition, data reduction is to delete unnecessary values or important values related to personal identification among values configured in a data set according to the purpose of data sharing and opening. For example, the personal information of [Pengsoo Kim, 10 years old, living in Seoul, graduating from Antarctic University] can be simplified with the personal information of (10 years old, living in Seoul). In addition, the personal information of (Resident Registration No. 100808-1234567) can be used as the personal information of (born in the 2010s, male). In addition to this, date information related to individuals (qualification acquisition date, pass date, etc.) may be processed annually.

Data Suppression is to hide clear values by converting data values into category values. For example, personal information [Pengsoo Kim, age 10] can be hidden as personal information (Mr. Kim, age 1-10). have. At this time, there is a case where the surname is peculiar, and there are about 500 people in the country of "pyeong", which is a rarity, and if the rarity is combined with level 2 personal information, for example, age and region, the specificity is quite high. Accordingly, if the surname is rarer than other surnames, a method of converting the surname itself to another surname by converting it into a database may also be applied. Data masking prevents the identification of an individual by processing a key personal identifier with a high probability of contributing to identifying an individual by combining with public information, etc. For example, personal information [Pengsoo Kim, 10 years old, living in Seoul, attending Antarctic University] can be prevented from being identified with personal information (Kim**, 10 years old, living in Seoul, ** attending university). At this time, the important point is that certain rules for substituting different values should be exposed so that individuals cannot be easily identified.

The processing unit 140 may de-identify at least one type of personal information in a selected format. The processing unit 140 may also perform pseudonymization processing (Pseudonymizatoin). At this time, the processing unit 140 may set the value converted to the pseudonymization processing to be unique (Distinguishability), and set so that the original, which is at least one information, cannot be inferred from the value converted by the pseudonymization processing. And, since the original does not exist on the system, it can be set to have high availability. At this time, the at least one piece of information corresponding to the previously stored personal identification information may be information to which data masking, which is anonymisation, is applied. At this time, in order to perform pseudonymization processing, that is, in order for the anonymization technology (data masking) to satisfy the pseudonymization condition, the value converted to at least one piece of information must be set to be unique (Distinguishability), and the value converted to masking It must be set so that the original, which is at least one piece of information, cannot be inferred from, and dynamic data masking that is not restored even inside at least one of pages, programs, and applications that access personal information must be applied, and service high availability must be provided. do.

The pseudonymization process may be performed by at least one of heuristic pseudonymization, encryption, and exchange methods, but is not limited thereto. In addition, the pseudonymization processing is performed in combination or alone with any one or a combination of at least one of Aggregation, Data Reduction, Data Suppression, and Data Masking. It could be. After the pseudonymization process (Pseudonymizatoin) is performed, a privacy model that evaluates the quantitative risk of privacy exposure with respect to at least one piece of pseudonymized information can be driven.

As a result of driving the privacy model, it is checked whether at least one pseudonymized information is de-identified by a predetermined probability level or higher, and as a result of the check, at least one pseudonymized information cannot be de-identified by a predetermined probability level or higher. In this case, it is transmitted to the manager terminal to request feedback, and when de-identification is performed above a preset probability level, it can be classified as input data for constructing big data. In this case, the privacy model may be any one or a combination of at least one of k-anonymity, l-diversity, and t-closeness, but is not limited thereto.

In this case, in order to prevent the de-identified data from being re-identified, a differential privacy model may be further used. This is a model proposed by C. Dwork to compensate for the weak point of k-anonymity and l-diversity, and it is an approach that limits the possibility of identification through probabilistic transformation of the records themselves rather than simply changing numbers. The differential privacy model establishes a system that makes it impossible to distinguish between ① the result obtained through the application of a differential algorithm in the data set that does not contain information about a specific person and ② the result obtained from the data set containing the information about that specific person. To do is the basic goal. To achieve this goal, we use a method that eliminates the individual's discrimination by adding an accurately calculated amount of noise to the statistical record. In order to protect sensitive information, the differential privacy model systematically inserts random numbers, and this random number acts as a kind of noise. Through the insertion of this noise, the same result can be produced regardless of whether the data set contains information about a specific person.

Data anonymization techniques have been proven to be vulnerable to minimality attacks when an attacker has prior knowledge, and differential privacy can probably protect each individual's information regardless of the attacker's prior knowledge. When the query result of two neighboring databases D1 and D2 with only one difference in record value is S, and an arbitrary function A satisfies Equation 1 below, it is defined that function A provides ε-differential privacy. do.

Among the various techniques that satisfy this definition of differential privacy, the Laplace Mechanism, which is widely used for numeric data, is a method that generates random numbers through Laplace distribution and adds them to existing data. The equation of the Laplace distribution is shown in Equation 2 below.

In the Laplace method, a Laplace distribution of μ=0 and b=△f/ε is used, where Δf is the maximum difference between the query results of the two neighboring databases D1 and D2.

Next, the differential privacy k-means algorithm (hereinafter, EUGkM) will be described. A K-means algorithm that satisfies the difference privacy can be used as a histogram basis. After dividing the data into several grids, the number of data points in each grid is made into a histogram. After that, the Laplace method is applied to the number of points in each grid, and the K-means algorithm is executed using the center point of each grid. When calculating the center point of each cluster, it is calculated by giving a weight proportional to the number of points each grid has. An equation for calculating the optimal number of grids m using the information protection level ε of the EUGkM algorithm, the total number of data N, and the data dimension d is as shown in Equation 3 below, and θ is a value previously designated by the user.

In the EUGkM algorithm, the process of applying the Laplace technique within each grid is performed independently without the influence of exchange between the grids. Accordingly, in an embodiment of the present invention, a method of creating a histogram by applying the Laplace technique can be distributed and parallelized using Hadoop MapReduce. The method to prevent backtracking so that re-identification is impossible is composed of two MapReduce phases, and in the first phase, a histogram with differential privacy applied in parallel is created, and each grid of the histogram is data in the second phase. Think of it as a point and execute K-means clustering in parallel.

First, the histogram creation process will be described. First, a mapper divides a space including all data by the number of grids obtained using Equation 3. After that, the location of the grid to which each data point belongs is obtained, grouped into one partition including several grids, and sent to the reducer. In this case, in the case of a partition that does not contain any data points, only one dummy grid is transmitted. In the DPHist-MR.reduce function, the Laplace method is applied to the number of data contained in all the grids in the data area of each partition, and the center point of the grid is obtained and exported. In this case, in the case of a grid in which the number of points is 0, it is not transmitted from the mapper and is generated within the reduce function, thereby increasing the distributed parallel effect. In the second process, K-means clustering considers the center point of each grid as one data and performs clustering. In K-means clustering using MapReduce, a map can be implemented to calculate a cluster center point close to each point, and in Reduce, a new center point can be calculated for each cluster.

Through this, a histogram that satisfies the difference privacy is created to perform only relatively small noise insertion, and the problem of performing K-means clustering, that is, a long time is required to process in one machine when the size of the histogram increases. Even if the problem can be solved, and even if the size of the histogram is increased, that is, even if a large amount of noise is inserted to make data protection impossible to attack, by inserting noise in parallel, privacy protection for a large amount of data can be achieved in a short time. And, ultimately, a histogram can be created to ensure differential privacy when performing the K-means clustering algorithm.

The preview providing unit 150 receives a selection of a type to be de-identified from among at least one type of personal information searched by the search unit, and provides a preview in which the selected type of personal information is de-identified. have. If, for example, if masking is selected as the de-identification format after deletion, the electronic document after the personal information has been masked can be output, and in order to receive confirmation from the user whether to make such changes, preview Is to provide. If the user confirms or approves, the masked result is displayed and this state is saved. In this case, the electronic document is a document created with an office program, and de-identification is developed based on Visual Studio Tools for Office (VSTO) and can be driven within the office program. Office program refers to Microsoft Office (MicroSofte Office).

In addition, when the de-identification service providing device 100 is a plurality, when the plurality of de-identification service providing devices form a closed network through an intranet, when an update occurs, a plurality of non-identifying service providing devices are included in the intranet. Distributed to the identification service providing device 100 may be batch updated. This may be possible because one intranet is managed as one user, and may be possible through IaaS (Infra as a Service).

When an image is included in the electronic document, the image unit 160 de-identifies the text included in the image when the text included in the image is a text corresponding to personal information, and the photo included in the image is a portrait photograph. If yes, mosaic treatment can be performed. To this end, the image unit 160 may convert or perform mosaic processing into a virtual face image created using a GAN when a portrait picture, particularly a face picture, is included in the image. The image unit 160 obtains coordinates of a face region with high accuracy using a Multi-Task Cascaded Convolutional Neural Network (MTCNN). MTCNN is a method of finding the location of a face by applying CNN to one image in three steps. In the CNN network in the first step, the approximate position of the face is determined, and the position of the discovered face is examined using the increasingly detailed CNN network.

Next, the image unit 160 starts face recognition, which distinguishes whether it is a human face or an animal animal. A chimpanzee's face, for example, can be mosaicized as long as the eyes, nose, and mouth are similarly arranged. Since various algorithms for face recognition can use known techniques, the present invention is not limited to any one. Then, the image unit 160 proceeds to generate a fake face. In the case of mosaic, it is easy to cover the face, but at first glance, it is possible to recognize roughly the entire line of the face, the position of the eyes and nose, and the position of the mouth. many. For example, if it is an electronic document that summarizes the results of interviews with victims of sex crimes, the risk of identity exposure cannot be ruled out by mosaic alone, since the identity of the victims of sex crimes must be thoroughly hidden.

Accordingly, the image unit 160 may generate a virtual new face in which the face property of a real person is modified using a StarGAN (Unified Generative Adversarial Networks for Multi-Domain Image-to-Image Translation) model. In order to train the network, a data set of celebrity faces from countries around the world can be used, and a data set of celebrity faces can be made of photos. In each photo, each attribute value can be annotated in the form of binary (-1, 1) for attributes related to the face such as hair color, face type, gender, and the presence of glasses. Among the plurality of attributes, the model can be trained by limiting the attributes to the hair color, beard, and glasses that make the face of the person before transformation unrecognizable. A set of images having the same attribute value is defined as one domain.

Deep Identity-Aware Transfer of Facial Attributes (DIAT) using a cross-domain model and Unpaired Image-to-Image Translation using Cycleconsistent Adversarial Networks (CycleGAN) convert images belonging to one domain to several other domains. In order to do so, it was necessary to independently learn different generators that can be converted into respective domains, but the StarGAN used in an embodiment of the present invention operates based on a single generator connecting multiple domains. Can be converted to multiple domains. If two or more properties are modified at the same time, the model right can be protected more accurately, so the StarGAN model is used.

StarGAN is a network in which two modules with opposite purposes compete with each other to generate an image, and is composed of a generator and a discriminator. The generator creates a fake image, and the discriminator is a module that distinguishes the generated image from the real image. The purpose of the generator is to create a fake image that is as real as the discriminator cannot distinguish, and the purpose of the discriminator is to distinguish the image generated by the generator from the real image. The learned generator can create a real-like fake image so that the discriminator cannot distinguish whether it is a real image or a generated image. Here, when training the network, it can be learned using the loss value (Loss) of Wasserstein GAN. If you transform it through the learned StarGAN, you can protect the portrait right and remove the possibility of being recognizable by mosaic treatment.

When a hyperlink is included in the electronic document, when at least one text corresponding to personal information exists in a page that is accessed and output by a hyperlink, the overlay unit 170 includes at least one text containing at least one text. The coordinates and regions may be extracted, and the black box may be overlaid to cover at least one of the extracted coordinates and regions. At this time, when the hyperlink is not a link that moves into one electronic document, but is an external link such as a website, or when the hyperlink is an external link and includes personal information, the method to change it in the device 100 of the present invention as a third party There is no. Therefore, to extract the location of personal information included in the hyperlink, and to "cover" the location and area, a transparent layer corresponding to the size (width and height, resolution) of the website is put on the website, and transparent A black box is included to cover the location and area within the layer and overlayed on the website. Of course, if you put the hyperlink address in another browser and search it, your personal information may be revealed as it is, but you are not liable for personal information exposure due to intentional or negligence as we have fulfilled our responsibilities due to GPDR.

Hereinafter, the operation process according to the configuration of the de-identification service providing server of FIG. 2 will be described in detail with reference to FIGS. 3 and 4 as examples. However, it will be apparent that the embodiment is only any one of various embodiments of the present invention, and is not limited thereto.

Referring to FIG. 3, (a) the de-identification service providing server 300 connects at least one type of personal information, a personal information format according to the type, and a format for de-identifying personal information to form a database. I can. And, (b) when the de-identification service providing server 100 drives it, the corresponding function can be included in any of the menus developed based on MS Office and within the MS Office so that it can be processed in an electronic document. And, when a user writes a document and presses the de-identification process button, the user selects a de-identification format, and (c) de-identification is performed through a process of de-identifying each according to text, image, and hyperlink. do. In the case of (d), this is the de-identification method when the hyperlink is an external link. Here, in addition to overlaying the black box, de-identification data (pseudonymized or anonymized) that has undergone the de-identification process as described above may be overlaid.

In addition, as shown in (a) of FIG. 4, the number of de-identification targets and their types are output to be viewed, and the result according to the de-identification format is provided as a preview as shown in (b). (c) At least one client bound to the intranet does not perform individual updates, but is connected to the de-identification service providing server 300 and if the client's organization, company, etc. is confirmed, all computers bound to the intranet must be updated at once. It can be set so that maintenance is easy by making it possible.

The matters not described in the method of providing the VSTO-based electronic document de-identification service of FIGS. 2 to 4 are the same as or described above with respect to the method of providing the VSTO-based electronic document de-identification service through FIG. Since it can be easily inferred from the contents, the description will be omitted below.

FIG. 5 is a diagram illustrating a process in which data is transmitted and received between components included in the VSTO-based electronic document de-identification service providing system of FIG. 1 according to an embodiment of the present invention. Hereinafter, an example of a process in which data is transmitted/received between each component will be described with reference to FIG. 5, but the present application is not limitedly interpreted as such an embodiment, and is illustrated in FIG. 5 according to various embodiments described above. It is apparent to those skilled in the art that the process of transmitting and receiving data may be changed.

Referring to FIG. 5, the apparatus for providing a de-identification service searches for at least one type of personal information when a de-identification menu is selected in an electronic document including at least one of text, image, and hyperlink (S5100). .

In addition, the de-identification service providing apparatus collects the number of the searched at least one type of personal information and displays the result (S5200), and is used to de-identify the searched at least one type of personal information. Any one of the at least one de-identification format is selected (S5300).

In addition, the device for providing a de-identification service de-identifies at least one type of personal information in a selected format (S5400).

The order between the above-described steps S5100 to S5400 is only an example and is not limited thereto. That is, the order of the above-described steps (S5100 to S5400) may be mutually changed, and some of the steps may be executed or deleted at the same time.

The matters not described with respect to the method of providing the VSTO-based electronic document de-identification service of FIG. 5 are the same as or described above with respect to the method of providing the VSTO-based electronic document de-identification service through FIGS. 1 to 4 above. Since it can be easily inferred from the contents, the description will be omitted below.

The method of providing a VSTO-based electronic document de-identification service according to an embodiment described with reference to FIG. 5 is also implemented in the form of a recording medium including instructions executable by a computer such as an application or program module executed by a computer. Can be. Computer-readable media can be any available media that can be accessed by a computer, and includes both volatile and nonvolatile media, removable and non-removable media. Further, the computer-readable medium may include all computer storage media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.

The method for providing a VSTO-based electronic document de-identification service according to an embodiment of the present invention described above is applied to an application basically installed in a terminal (this may include a program included in a platform or an operating system basically installed in the terminal). It may be executed by, and may be executed by an application (ie, a program) directly installed on the master terminal by a user through an application providing server such as an application store server, an application, or a web server related to the service. In this sense, the VSTO-based electronic document de-identification service providing method according to an embodiment of the present invention described above is implemented as an application (i.e., a program) installed basically in a terminal or directly installed by a user, and Can be recorded on a recording medium that can be read by

The above description of the present invention is for illustrative purposes only, and those of ordinary skill in the art to which the present invention pertains will be able to understand that other specific forms can be easily modified without changing the technical spirit or essential features of the present invention will be. Therefore, it should be understood that the embodiments described above are illustrative in all respects and not limiting. For example, each component described as a single type may be implemented in a distributed manner, and similarly, components described as being distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the claims to be described later rather than the detailed description, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be interpreted as being included in the scope of the present invention. do.

Claims (7)

In the VSTO (Visual Studio Tools for Office)-based electronic document de-identification service providing device,
A search unit for searching at least one type of personal information when a de-identification menu is selected in an electronic document including at least one of text, image, and hyperlink;
A display unit for collecting the number of cases of the searched at least one type of personal information by type and displaying a result;
A format selection unit configured to select one of at least one de-identified format for de-identifying the searched at least one type of personal information;
A processing unit for de-identifying at least one type of personal information in the selected format;
When an image is included in the electronic document, when the text included in the image is a text corresponding to personal information, the text included in the image is de-identified, and when the photo included in the image is a portrait photo, mosaic An image unit that performs processing; And
When a hyperlink is included in the electronic document, when at least one text corresponding to personal information exists in the page accessed and output by the hyperlink, at least one coordinate and area in which the at least one text exists Including; extracting, and overlaying the black box to cover the extracted at least one coordinate and area;
The electronic document is a document created with an office program,
The de-identification is developed based on VSTO and is driven within the office program,
The de-identification service providing device is plural,
When a plurality of de-identification service providing devices form a closed network through an intranet, when an update occurs, it is distributed to a plurality of de-identification service providing devices included in the intranet for batch update,
The search unit,
Use data profiling techniques to preselect and define which items of personal information to de-identify,
The processing unit,
Pseudonymizatoin is performed, and the at least one type of personal information is set so that the value converted to the pseudonymization process is unique (Distinguishability), and at least one piece of information from the value converted by the pseudonymization process It is set so that the original cannot be inferred, and the pseudonymization process is performed by a combination of at least one of Aggregation, Data Reduction, Data Suppression, and Data Masking, After the pseudonymization process is performed, a privacy model that evaluates the quantitative risk of privacy exposure on at least one piece of information is driven, and as a result of driving the privacy model, at least one pseudonymized information is a preset probability level It checks whether abnormality has been de-identified, and if at least one pseudonymized information is not de-identified by more than a preset probability level as a result of the check, it is transmitted to the manager terminal to request feedback. If so, it is classified as input data to build big data,
The image unit,
When a face photo is included in the image, it is converted into a virtual face image created using GAN (Generative Adversarial Networks) or mosaic-processed, and the face area with high accuracy is performed using MTCNN (Multi-Task Cascaded Convolutional Neural Network). Obtaining coordinates
VSTO-based electronic document de-identification service providing device.
delete The method of claim 1,
The at least one type of personal information includes a resident registration number, a phone number, a name, an address, a credit card number, a passport number, a driver registration card number, and a vehicle number,
The at least one de-identification format includes deletion, partial deletion, post-space replacement, and noise addition,
By analyzing the resident registration number by the data profiling method, it is possible to extract when a character is included in the middle of the resident registration number, only a part of the rear part of the resident registration number is marked, and when the front part and the back part of the resident registration number are connected by a separator.
VSTO-based electronic document de-identification service providing device.
delete The method of claim 1,
The de-identification service providing device,
Further comprising: a preview providing unit that receives a selection of a type to be de-identified from among at least one type of personal information searched by the search unit and provides a preview in which the selected type of personal information is de-identified;
VSTO-based electronic document de-identification service providing device.
delete delete

Images