TWI453621B - A decentralized environmental information inquiry system based on user privacy - Google Patents

Info

Publication number
TWI453621B
Authority
TW
Taiwan
Prior art keywords
data
module
search
subsystem
result
Prior art date
Application number
TW100139514A
Other languages
Chinese (zh)
Other versions
TW201317824A (en)
Original Assignee
Chunghwa Telecom Co Ltd

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Computer And Data Communications (AREA)

Description

Decentralized environmental data query system based on user privacy

The present invention relates to a system that, on the basis of user privacy, processes the query information as ciphertext and, through a ciphertext search method, completes the query without the information provider learning what data the user is looking for. Remote computing resources that are trusted to a certain degree may further assist, improving computing performance and saving computing resources on the user side. The computed results are returned to the user device for subsequent processing, and the whole process completes without changing the user's operating habits or the expected results.

Typical information query or analysis systems send the information to be queried to a service server for further searching, and in most cases the user does not know whether the content of the query is at risk of exposure. In addition, the various data analysis application systems available today place the data analysis and comparison program inside the device. Computer malware analysis systems, for example, are today mostly host-based: a remote update server periodically provides the latest malware signatures for download, and the malware analysis system on the host then analyzes the data on the user's device directly. Malware analysis methods on mobile platforms also mostly follow this mechanism. However, battery life is now an extremely important consideration for personal communication devices, and malware analysis is fundamentally an application that needs substantial computing resources. Some anti-virus vendors now move part of the analysis computation to a cloud system; this does reduce resource usage on the mobile platform, but if the user's data is uploaded for analysis in plaintext without proper processing, the user's privacy is exposed on the analysis host.

The present invention, on the premise of protecting user privacy and with the limited computing and power resources of a mobile platform in mind, completes a content-protected data query. A system developed on this architecture, such as a cloud malware analysis service, lets the user stop worrying about private data leaking during analysis, while still being able to confirm after the analysis that the information obtained from the outside is trustworthy.

The object of the present invention is to provide a decentralized environmental data query system based on user privacy that, by means of information security encryption technology, transmits the user's data to a remote end for analysis in ciphertext form and, through high-performance computing resources, promptly provides the latest and definite query results that the user can trust. Besides saving the mobile platform's computing resource consumption and hardware requirements, concentrating the computationally heavy operations and the frequently updated search signatures at the remote end ensures the correctness of the search and avoids the risk of omissions caused by time lag, as happens in malware analysis.

A decentralized environmental data query system based on user privacy that achieves the above object comprises three subsystems: a data analysis processing subsystem, a personal computing assistance subsystem and a data filtering analysis subsystem. A fast and efficient encryption algorithm conceals the user-side query data, and the search for the query result is completed on that concealed data. Taking the analysis of malicious SMS messages or incoming calls as an example, as soon as a personal mobile device receives a new message or an incoming call it can automatically perform the upload-and-analyze action at once, and after the analysis result is obtained it performs the follow-up action immediately, such as alerting the user when the message or call is found to be malicious.

The user-side privacy protection method is as follows: before the query content is sent to the data provider, the information is hidden using a cipher stream that can be operated on and interpreted computationally; after the information provider has compared the hidden content against its own data, the related hash operations can reveal at most the information the user may need, which achieves the purpose of privacy protection.

Figure 1 is the system architecture diagram of the present invention. It is divided mainly into three subsystems: the data analysis processing subsystem 1, the personal computing assistance subsystem 2 and the data filtering analysis subsystem 3, and the transmissions between them can pass over an encrypted channel.

The data analysis processing subsystem 1 comprises three modules: the query content capture module 11, the query content encryption module 12 and the mobile platform feature analysis module 13. It selects the key query content to be analyzed, hides the related content through an encryption method and hands it to the subsequent systems for analysis, which saves the device resources that feature analysis would otherwise consume and reduces the need to maintain updated signatures.

The query content capture module 11 mainly obtains the content to be queried from the device and has the following functions:

a. Provide a key-information capture mechanism based on information-type and dictionary-file filtering and comparison;

b. Normalize the captured content for the subsequent query content encryption.

The query content encryption module 12 provides the mechanism that turns the query content into ciphertext; the method is shown in Figure 3:

a. Generate a cipher stream that is identifiable and from which the data filtering analysis subsystem 3 can confirm validity; the cipher stream contains a random number, the result of feeding that random number into a specific hash function, and an identification value;

b. XOR the cipher stream with the query content to produce the ciphertext;

c. Send the ciphertext to the data filtering analysis subsystem 3 and the identification value to the personal computing assistance subsystem 2.

The mobile platform feature analysis module 13 processes the results obtained from the personal computing assistance subsystem 2 or the data filtering analysis subsystem 3 and determines from them whether the queried information was found. This module has the following function:

a. Retrieve the computation result of the personal computing assistance subsystem 2 or the data filtering analysis subsystem 3 and, based on it, perform the final feature-analysis match confirmation against the plaintext of the queried information.

The personal computing assistance subsystem 2 comprises the fast filter identification unit module 21 and the search result filtering assistance module 22. It is a computing assistance system dedicated to the individual user: part of the user device's original computing load is offloaded to a more trusted remote environment with more resources, which assists the computation so that analysis results can be produced. Because the personal computing assistance subsystem 2 serves mainly as auxiliary computation, under the mechanism of the present invention it receives only part of the information from the data analysis processing subsystem 1, enough to assist the computation. Its results are sent to the mobile platform for subsequent processing and application.

The fast filter identification unit module 21 mainly receives the cipher stream identification value provided by the data analysis processing subsystem 1 and supplies that identification value to the search result filtering assistance module 22.

The search result filtering assistance module 22 assists in the preliminary filtering of the data to be returned to the data analysis processing subsystem 1, reducing that subsystem's computing needs. Its functions are as follows:

a. Obtain the cipher stream identification value from the fast filter identification unit module 21;

b. Obtain from the search result collection processing module 32 the search results and the Bloom filter representing the set of search result identification values; and

c. Check the identification value from the fast filter identification unit module 21 for membership in the Bloom filter of search result identification values supplied by the search result collection processing module 32. If membership is indicated, pass the search results obtained by the search result collection processing module 32 to the mobile platform feature analysis module 13; otherwise notify the mobile platform feature analysis module 13 that there is no match.

The data filtering analysis subsystem 3 comprises three modules: the search comparison module 31, the search result collection processing module 32 and the search comparison value module 33. It performs the analysis that compares the user's encrypted query content against the search data. Because the original data may vary considerably, it can be indexed before the search is offered. Since everything received from the user is ciphertext, the comparison must confirm a match by a further ciphertext operation. Because the comparison is blind (the external system cannot know exactly what information the user wants analyzed), when matching data is found the system waits until all matching data has been collected and then sends it to the personal computing assistance subsystem 2 for filtering. If the data itself is structured and of an exact-match type, the data returned to the personal computing assistance subsystem 2 can be compressed effectively with a Bloom filter data structure, which saves network bandwidth and reduces the computation needed for the subsequent comparison.

The search comparison module 31 provides the mechanism for comparing the query ciphertext against the search data. This module has the following functions:

a. XOR the ciphertext sent by the query content encryption module 12 with the data index plaintexts provided by the search comparison value module 33;

b. Perform a further validity check on the XORed stream to determine whether it is a candidate result. In the validity check, as shown in Figure 3, the field of the cipher stream that represents the random number is fed into the hash function, and the computed value is compared with the field of the cipher stream that represents the hash function value. If the two values are equal, the information matches a candidate result, and the corresponding search result together with the identification value inside the computed stream is handed to the search result collection processing module 32 for collection.

The search result collection processing module 32 mainly collects the information confirmed as candidate search results by the search comparison module 31 and hands it to the personal computing assistance subsystem 2. Its main functions are as follows:

a. Collect from the search comparison module 31 the information confirmed as candidate results; and

b. Collect the identification values corresponding to the candidate results. For fast filtering and to save transmission bandwidth, the set of identification values can be stored as a Bloom filter;

c. After the search comparison module 31 has completed the search, send the collected search results either to the search result filtering assistance module 22 or to the mobile platform feature analysis module 13, depending on whether assistance from the personal computing assistance subsystem 2 is required.

The search comparison value module 33 provides the comparison information available for searching together with the corresponding original data. The original data can be indexed before the search is offered, so that it can be correctly XORed and validity-checked against the content from the data analysis processing subsystem 1. It also cooperates with the search comparison module 31 in the search comparison: once data is determined to be a candidate result, it sends the original data and the identification value inside the stream to the search result collection processing module 32 for collection.

The operating flow of the decentralized environmental data query system based on user privacy is shown in Figure 2. When the user device needs to query some information, such as whether an incoming call is a scam call, the credibility of an SMS message, or location-related information, the query process must not indirectly reveal privacy associated with the user. Apart from all communication between the subsystems passing over an encrypted channel (TLS, Transport Layer Security), before the data analysis processing subsystem 1 sends the query content to the data filtering analysis subsystem 3, it uses encryption technology to convert the query plaintext into a searchable ciphertext form.

Once the ciphertext is ready, part of the ciphertext information, namely its identification value, is given to the fast filter identification unit module 21 to assist with the later result filtering, which reduces the resource usage of the data analysis processing subsystem 1 and improves overall efficiency. After the query ciphertext is sent to the data filtering analysis subsystem 3, the search comparison mechanism XORs the ciphertext with each search comparison plaintext and checks the XORed result for candidate validity, to decide whether the current data is a result the user may need. The validity check can use the equality between the random value and the hash function value (hash value) represented inside the freshly computed cipher stream. When the data analysis processing subsystem 1 generates the cipher stream, part of the information in the stream consists of the generated random value and the hash function value computed from that random value (the data analysis processing subsystem 1 and the data filtering analysis subsystem 3 must use the same hash function for the equality check). When the data filtering analysis subsystem 3 has completed the XOR and produced a cipher stream, it feeds the field segment representing the random number into the agreed hash function and compares the computed value with the field of the cipher stream representing the hash function value. If the two values are equal, the information is a candidate result, and the search comparison value module 33 stores the identification value of the computed cipher stream in a Bloom filter; otherwise it is unrelated information.

With overall system performance in mind, the collection and storage of candidate results falls into two types. In the search comparison value module 33, if the data to be returned has a fairly fixed format, such as scam phone numbers or phishing website URLs, it can be represented directly by an index value; when collecting candidate results in this case, a Bloom filter can also be used to compress the data by applying hash functions, which reduces the transmission bandwidth used and speeds up the comparison decision. In the other collection and storage method, if the data to be returned is itself highly variable, such as virus signatures or intrusion detection system rules, and cannot be handled by data-structure compression alone, the search result collection processing module 32 collects all the data to be returned and sends it together. For example, the personal computing assistance subsystem 2 can assist the data analysis processing subsystem 1 in filtering search results: in the search result filtering assistance module 22, the cipher stream identification value obtained from the fast filter identification unit module 21 is compared against the Bloom filter of cipher stream identification values from the search result collection processing module 32. If the Bloom filter indicates a match, the preliminary filter shows the search results are relevant, and the search result set is forwarded to the data analysis processing subsystem 1 for final processing; otherwise no related information was found.

When the search results are returned to the mobile platform feature analysis module 13, the final search result decision is made. If the search results are represented as a Bloom filter, the mobile platform feature analysis module 13 feeds the search plaintext directly into the hash functions used for membership verification to confirm whether the search result exists. If the search results are ordinary collected plaintext results, they are used in the original application manner: for example, if the returned results are ordinary virus signature values or intrusion detection system rules, they are fed into the original analysis system for signature detection; if it is a plain data search, a search algorithm performs a plaintext search over the returned results.
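As an added example that is not part of the patent text, the following Python sketch runs the flow described above end to end: the cipher stream and XOR of module 12 (Figure 3), the validity check of module 31, the Bloom filter handoff between module 32 and module 22, and the final plaintext confirmation of module 13, on a constructed index of scam numbers. The field widths, SHA-256 as the shared hash function and the Bloom filter parameters are assumptions the patent does not fix.

```python
import hashlib
import secrets

# Assumed field widths; the patent fixes neither these nor the hash function.
RAND_LEN = 16    # random-number field of the cipher stream
HASH_LEN = 32    # H(random) field (SHA-256 digest, an assumption)
ID_LEN = 4       # identification value field
STREAM_LEN = RAND_LEN + HASH_LEN + ID_LEN


def h(data):
    """Hash shared by subsystems 1 and 3; the patent only requires both use the same one."""
    return hashlib.sha256(data).digest()


def normalize(text, width=STREAM_LEN):
    """Module 11 / module 33: fixed-width, zero-padded form so the XOR lines up field by field."""
    raw = text.encode("utf-8")
    if len(raw) > width:
        raise ValueError("content longer than the cipher stream")
    return raw.ljust(width, b"\0")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_cipher_stream(identifier):
    """Module 12 step a: cipher stream = random || H(random) || identification value."""
    rand = secrets.token_bytes(RAND_LEN)
    return rand + h(rand) + identifier


def client_encrypt(query, identifier):
    """Module 12 step b: ciphertext = cipher stream XOR normalized query.
    Step c sends the ciphertext to subsystem 3 and the identifier to subsystem 2."""
    return xor(make_cipher_stream(identifier), normalize(query))


class BloomFilter:
    """Minimal Bloom filter for the set of identification values (module 32, claim 10)."""

    def __init__(self, m_bits=1024, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):                 # k salted hashes give k bit positions
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def server_search(ciphertext, index_entries):
    """Subsystem 3. Module 31 XORs the ciphertext with every indexed plaintext from
    module 33; only an entry equal to the query turns the result back into the original
    cipher stream, so only then does the recovered random field hash to the recovered
    hash field. Module 32 collects the recovered identification values in a Bloom filter.
    Only the random and hash fields are checked here; the identifier check in subsystem 2
    and the plaintext comparison in module 13 are the later filters the description uses."""
    bloom, candidates = BloomFilter(), []
    for entry in index_entries:
        stream = xor(ciphertext, normalize(entry))
        rand = stream[:RAND_LEN]
        digest = stream[RAND_LEN:RAND_LEN + HASH_LEN]
        ident = stream[RAND_LEN + HASH_LEN:]
        if h(rand) == digest:                   # validity check, module 31 step b
            candidates.append(entry)
            bloom.add(ident)
    return candidates, bloom


def assistant_filter(identifier, bloom, candidates):
    """Subsystem 2 (modules 21 and 22): forward the candidates to the device only if the
    identifier the device handed over is present in the server's Bloom filter."""
    return candidates if identifier in bloom else []


def client_confirm(query, results):
    """Module 13: final confirmation against the plaintext of the query."""
    return query in results


def run_query(query, index_entries):
    """The Figure 2 flow for one query; True when the index holds it."""
    identifier = secrets.token_bytes(ID_LEN)
    ciphertext = client_encrypt(query, identifier)
    candidates, bloom = server_search(ciphertext, index_entries)
    return client_confirm(query, assistant_filter(identifier, bloom, candidates))


# Constructed sample index of "scam numbers"; the values are made up for this example.
SAMPLE_INDEX = ["0800-000-001", "0911-222-333", "02-7777-8888"]

if __name__ == "__main__":
    print(run_query("0911-222-333", SAMPLE_INDEX))   # True: an entry validated end to end
    print(run_query("0911-222-334", SAMPLE_INDEX))   # False: no index entry validates
```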

Compared with other conventional systems, the decentralized environmental data query system based on user privacy provided by the present invention has the following advantages:

1. The main feature of the query system provided by the present invention is that the user need not change the way it is used, and the task of searching the latest information can be completed without supplying the explicit content to the information provider, ensuring that the user-side query information is not disclosed to the outside.

2. In its query mechanism, the present invention lets the data filtering analysis subsystem scale out horizontally through parallel computation, speeding up the delivery of search results for applications that need a fast response.

3. The present invention can use the personal computing assistance subsystem according to the degree of trust, assisting the data computation and filtering with partially known information, which gives a positive performance benefit to mobile platforms where computing resources and battery life take priority.

4. For returned data in a simple format, or for records that only serve to decide whether data exists, the present invention's use of the Bloom filter data structure gives a fast decision on the existence of a result and compresses the volume of returned data, improving the transmission rate.

The detailed description above is a specific description of one feasible embodiment of the present invention; that embodiment is not intended to limit the patent scope of the present invention, and any equivalent implementation or modification that does not depart from the technical spirit of the present invention shall be included in the patent scope of this case.

In summary, this case is not only genuinely innovative in technical concept but also improves upon conventional articles in the several respects above, and should fully satisfy the statutory requirements of novelty and inventive step for an invention patent. The application is therefore filed according to law, and the Office is respectfully requested to grant this invention patent application so as to encourage invention.

1 ... Data analysis processing subsystem
11 ... Query content capture module
12 ... Query content encryption module
13 ... Mobile platform feature analysis module
2 ... Personal computing assistance subsystem
21 ... Fast filter identification unit module
22 ... Search result filtering assistance module
3 ... Data filtering analysis subsystem
31 ... Search comparison module
32 ... Search result collection processing module
33 ... Search comparison value module

For a further understanding of the technical content, objects and effects of the present invention, refer to the detailed description and the accompanying drawings, which are:

Figure 1 is the system architecture diagram of the present invention;

Figure 2 is the flow chart of the application service of the present invention;

Figure 3 is a schematic diagram of the XOR operation between the cipher stream and the query content in the present invention.


Claims (12)

一種基於使用者隱私之分散式環境資料詢問系統,採用加密通道傳輸協定(TLS,Transport Layer Security)互通訊息,其中包括:一資料分析處理子系統,主要係將欲詢問的資訊擷取出來,並透過加密方法將相關內容隱藏起來,以密文方式提供給資料過濾分析子系統;一資料過濾分析子系統,主要為資料的前置索引處理,供後續比對分析之用;並且對來自前端詢問密文與資料進行比對運算,並將前者運算完的結果進行候選結果有效性的確認,確定並收集為使用者所需之結果;一個人運算輔助子系統,接收資料分析處理子系統提供的部分訊問資訊,並對於資料過濾分析子系統提供的搜尋結果可先做初步過濾,待進一步確定搜尋結果為使用者裝置所需要的,再給予資料分析處理子系統作最終確認。 A decentralized environment data query system based on user privacy, which uses the TLS (Transport Layer Security) mutual communication information, including: a data analysis processing subsystem, which mainly extracts the information to be inquired, and The relevant content is hidden by encryption method and provided to the data filtering analysis subsystem in cipher text; a data filtering analysis subsystem is mainly used for pre-index processing of data for subsequent comparison analysis; The ciphertext and the data are compared, and the result of the former calculation is confirmed by the validity of the candidate result, and the result required by the user is determined and collected; a human arithmetic auxiliary subsystem receives the part provided by the data analysis processing subsystem. Interrogation information, and the search results provided by the data filtering analysis subsystem can be initially filtered. After further determining the search results for the user device, the data analysis processing subsystem is finally confirmed. 如申請專利範圍第1項所述基於使用者隱私之分散式環境資料詢問系統,其中資料分析處理子系統包含有:一詢問內容擷取模組,由裝置取得要詢問之內容,詢問內容的擷取方式可為自行輸入、使用特定資訊型 態或字典檔等方式進行詢問內容的擷取;一詢問內容加密模組,將詢問內容處理成為資料過濾分析子系統可確認有效性的密文形式,包含產生具識別性之密文串流並與詢問內容進行互斥運算產生密文,並交由後續分析系統解析;一行動平台特徵分析模組,接收詢問內容擷取模組所發出之詢問結果。 The distributed environment data inquiry system based on user privacy, as described in claim 1, wherein the data analysis processing subsystem includes: a query content capture module, and the device obtains the content to be inquired, and asks for content. 
The input may be typed in by the user, drawn from a specific information type, taken from a dictionary file, or the like; a query content encryption module, which processes the query content into a ciphertext form whose validity the data filtering analysis subsystem can confirm, namely by generating a ciphertext stream that carries an identification value and exclusive-ORing (XOR) it with the query content to produce the query ciphertext, which is then analyzed by the downstream analysis subsystem; and a mobile platform feature analysis module, which receives the query result for the query sent out by the query content capture module.

3. The decentralized environmental data query system based on user privacy according to claim 1, wherein the personal computing auxiliary subsystem comprises: a fast filtering identification unit module, which receives from the data analysis processing subsystem the identification value inside the ciphertext stream that supports filtering of search results; and a search result filtering auxiliary module, which assists in filtering the search results obtained from the data filtering analysis subsystem so as to reduce the computing load of the data analysis processing subsystem.

4. The decentralized environmental data query system based on user privacy according to claim 1, wherein the data filtering analysis subsystem comprises: a search comparison module, which XORs the received query ciphertext with the plaintext of every data index supplied by the search comparison value module and subjects the resulting ciphertext stream to a further validity check to decide whether it is a candidate result; a search result collection processing module, which collects the information the search comparison module has confirmed as candidate search results together with the identification value corresponding to each candidate result; and a search comparison value module, which performs the pre-processing of the data indexes so that the index representing each data item can be correctly XORed with the query ciphertext and validity-checked.

5. The decentralized environmental data query system based on user privacy according to claim 2, wherein, when the query result received by the mobile platform feature analysis module is empty, the query has no matching content; if data are returned, the module performs a final confirmation against the plaintext of the query content.

6. The decentralized environmental data query system based on user privacy according to claim 5, wherein, when transmission and decision efficiency are a concern and the returned result is expressed as a Bloom filter structure, the confirmation may be completed with the hash functions used for the Bloom filter's membership test.

7. The decentralized environmental data query system based on user privacy according to claim 3, wherein the search result filtering auxiliary module assists in filtering the search results obtained from the data filtering analysis subsystem so as to reduce the computing load of the data analysis processing subsystem.

8. The decentralized environmental data query system based on user privacy according to claim 7, wherein the search result filtering auxiliary module operates on the ciphertext stream identification value held by the fast filtering identification unit module together with the Bloom filter of search result identification values, so as to make a preliminary confirmation that a search result exists, and then forwards the outcome of that operation to the data analysis processing subsystem.

9. The decentralized environmental data query system based on user privacy according to claim 4, wherein, during validity confirmation, the search comparison module feeds the random-number information represented in the ciphertext stream into the adopted hash function and compares the computed value with the field of the ciphertext stream that represents the hash function value; if the two are equal, the content is a candidate result and is passed on for subsequent collection processing.

10. The decentralized environmental data query system based on user privacy according to claim 4, wherein the set of identification values collected by the search result collection processing module is stored in a Bloom filter data structure.

11. The decentralized environmental data query system based on user privacy according to claim 4, wherein, once the search result collection processing module confirms that the search comparison module has completed the search comparison, it transmits the collected search results to the personal computing auxiliary subsystem.

12. The decentralized environmental data query system based on user privacy according to claim 4, wherein, after the comparison has determined that a data item is a candidate result, the search comparison value module provides the original data together with the identification value inside the ciphertext stream for aggregation.
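The following Python program is an added worked example, not code from the patent or from Chunghwa Telecom: it implements one reading of the mechanism in claims 2, 4, 5, 9 and 10 above. The user device builds a stream r || h(r) and XORs it with the padded query keyword; the provider XORs that ciphertext with each index plaintext and treats an entry as a candidate when hashing the recovered random part reproduces the hash field; candidate identification values are collected in a Bloom filter and the user device finishes with a membership test and a plaintext comparison. The block size, the truncated SHA-256 hash field, the Bloom filter parameters, the constructed sample index and the fact that the provider returns the candidate records alongside the filter are all assumptions of this example. One caveat the claims do not spell out: with a hash field as long as the one used here a candidate is an exact match, so the provider learns the query content of every hit; the split between "candidate results" at the provider and "final confirmation" on the user device only hides the query if the hash field is short enough that non-matching entries also pass as candidates.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

BLOCK = 16           # padded length of a keyword or index entry, in bytes (assumption)
TAG = 4              # length of the hash field inside the ciphertext stream (assumption)
RAND = BLOCK - TAG   # length of the random part r


def pad_block(word: str) -> bytes:
    """Fixed-width plaintext block for a keyword or an index entry."""
    data = word.encode("utf-8")
    if len(data) > BLOCK:
        raise ValueError("keyword longer than one block")
    return data.ljust(BLOCK, b"\x00")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hash_field(r: bytes) -> bytes:
    """Hash field of the stream: SHA-256 of the random part r, truncated to TAG bytes."""
    return hashlib.sha256(r).digest()[:TAG]


# --- user device: data analysis processing subsystem (claim 2) ---------------
def encrypt_query(word: str, r: Optional[bytes] = None) -> bytes:
    """Query content encryption module: stream S = r || h(r), query ciphertext
    C = S XOR pad(word).  r is fresh per query, so repeating the same keyword
    does not repeat the ciphertext."""
    if r is None:
        r = secrets.token_bytes(RAND)
    return xor_bytes(r + hash_field(r), pad_block(word))


# --- information provider: data filtering analysis subsystem (claim 4) -------
class BloomFilter:
    """Holds the identification values of candidate results (claim 10)."""

    def __init__(self, m_bits: int = 256, k: int = 3) -> None:
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def positions(self, ident: int):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{ident}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, ident: int) -> None:
        for p in self.positions(ident):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, ident: int) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self.positions(ident))


def is_candidate(query_ct: bytes, index_plain: bytes) -> bool:
    """Validity check of the search comparison module (claim 9): T = C XOR x.
    When x equals the query content, T is the original stream r || h(r), so
    hashing T[:RAND] reproduces the hash field T[RAND:].  A non-matching x
    passes only by chance, with probability about 2 ** (-8 * TAG)."""
    t = xor_bytes(query_ct, index_plain)
    return hash_field(t[:RAND]) == t[RAND:]


def provider_search(query_ct: bytes, index: Dict[int, str]) -> Tuple[BloomFilter, List[Tuple[int, str]]]:
    """Compare the query ciphertext against every index plaintext; collect the
    identification values of candidates in a Bloom filter and keep their
    records for aggregation (claims 4, 10, 12).  The provider only ever
    handles the ciphertext, never the query plaintext."""
    bloom = BloomFilter()
    candidates: List[Tuple[int, str]] = []
    for ident, word in index.items():
        if is_candidate(query_ct, pad_block(word)):
            bloom.add(ident)
            candidates.append((ident, word))
    return bloom, candidates


# --- user device: fast filter and final confirmation (claims 5, 6, 8) --------
def confirm_results(query_word: str, bloom: BloomFilter,
                    candidates: List[Tuple[int, str]]) -> List[int]:
    """Membership test with the Bloom filter's own hash functions, then final
    confirmation against the plaintext query.  An empty result means the query
    matched nothing."""
    return [ident for ident, word in candidates
            if bloom.might_contain(ident) and word == query_word]


# Constructed sample index: identification value -> index plaintext.
INDEX: Dict[int, str] = {101: "fever", 102: "cough", 103: "rash", 104: "fatigue"}


if __name__ == "__main__":
    ct = encrypt_query("fever")
    bloom, cands = provider_search(ct, INDEX)
    print(confirm_results("fever", bloom, cands))
```

Run the file directly to see the end-to-end exchange; TAG controls the trade-off described above, and shrinking it to one byte makes roughly one non-matching entry in 256 pass as a candidate, which is what gives the client-side final confirmation something to do.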

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW100139514A TWI453621B (en) 2011-10-31 2011-10-31 A decentralized environmental information inquiry system based on user privacy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW100139514A TWI453621B (en) 2011-10-31 2011-10-31 A decentralized environmental information inquiry system based on user privacy

Publications (2)

Publication Number Publication Date
TW201317824A TW201317824A (en) 2013-05-01
TWI453621B true TWI453621B (en) 2014-09-21

Family

ID=48871932

Family Applications (1)

Application Number Title Priority Date Filing Date
TW100139514A TWI453621B (en) 2011-10-31 2011-10-31 A decentralized environmental information inquiry system based on user privacy

Country Status (1)

Country Link
TW (1) TWI453621B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI747274B (en) * 2019-11-26 2021-11-21 大陸商支付寶(杭州)信息技術有限公司 Data query method, device, equipment and system based on privacy information protection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070204022A1 (en) * 2006-02-24 2007-08-30 Acer Inc. Method for acquiring information, and hand-held mobile communications device for implementing the method
CN100375094C (en) * 2005-08-23 2008-03-12 萧学文 System and method for implementing network resource search by mobile terminal
CN101561815B (en) * 2009-05-19 2010-10-13 华中科技大学 Distributed cryptograph full-text retrieval system
CN101938565A (en) * 2010-09-10 2011-01-05 中兴通讯股份有限公司 Short message processing method and mobile terminal
TW201113719A (en) * 2009-10-14 2011-04-16 Chunghwa Telecom Co Ltd Characteristic value comparison based content analysis method

Also Published As

Publication number Publication date
TW201317824A (en) 2013-05-01

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees