Data desensitization method and device based on message analysis

Document No.: 1864719 Published: 2021-11-19

Reading note: this technology, "Data desensitization method and device based on message analysis", was designed by 陈磊, 黄秀丽, 石聪聪, 来骥, 刘辉舟, 陈涛, 李峰, 于鹏飞, 沈文 and 徐相森 on 2020-05-14. Main content: The invention relates to a data desensitization method and device based on message analysis, comprising: acquiring and parsing an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP; identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP; and, according to the identification result, encapsulating and transmitting the IP message, or encapsulating and transmitting it after data desensitization processing. The invention exploits the general applicability of message parsing, which simplifies actual deployment, gives strong concurrent processing capability and suits application scenarios with massive numbers of data requests; it does not need to operate on the database directly or obtain the user's data access permissions, which reduces the risk of database and user privacy leakage.

1. A data desensitization method based on message parsing is characterized in that the method comprises the following steps:

acquiring and parsing an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP;

identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP;

and, according to the identification result, encapsulating and transmitting the IP message, or encapsulating and transmitting it after data desensitization processing.

2. The method of claim 1, wherein identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP comprises:

searching for the source IP and the destination IP in a pre-established application system IP set and a pre-established target data server IP set;

if the source IP is in the application system IP set and the destination IP is in the target data server IP set, the transmission purpose of the IP message is that the application system is sending a data access request to the target data server;

and if the source IP is in the target data server IP set and the destination IP is in the application system IP set, the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request.

3. The method according to claim 1, wherein encapsulating and transmitting the IP message according to the identification result, or encapsulating and transmitting it after data desensitization processing, comprises:

if the transmission purpose of the IP message is that the application system is sending a data request to the target data server, the message is encapsulated according to the transmission protocol of the target data server and then transmitted to the target data server;

and if the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request, data desensitization processing is performed on the message, and the desensitized message is encapsulated according to the transmission protocol of the application system and transmitted to the application system.

4. The method of claim 3, wherein the parsed IP packet information further comprises sequence number information of the IP packet;

the data desensitization processing of the message comprises the following steps:

reassembling the IP messages based on the sequence number information to obtain the return data of the target data server;

identifying sensitive data in the returned data based on a preset sensitive data type;

desensitizing sensitive data in the returned data by using a preset desensitizing algorithm;

wherein the preset sensitive data types include: name, telephone number, identification card number, license plate number and bank card number.

5. A method according to claim 4, wherein the desensitization algorithm includes any one or more of:

random mapping algorithms, fixed mapping algorithms, masking algorithms, and in-range random algorithms.

6. A data desensitization apparatus based on message parsing, the apparatus comprising:

an acquisition unit, configured to acquire and parse an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP;

an identification unit, configured to identify the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP;

and a desensitization unit, configured to encapsulate and transmit the IP message according to the identification result, or to encapsulate and transmit it after data desensitization processing.

7. The apparatus according to claim 6, wherein the identification unit is specifically configured to:

search for the source IP and the destination IP in a pre-established application system IP set and a pre-established target data server IP set;

if the source IP is in the application system IP set and the destination IP is in the target data server IP set, the transmission purpose of the IP message is that the application system is sending a data access request to the target data server;

and if the source IP is in the target data server IP set and the destination IP is in the application system IP set, the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request.

8. The apparatus according to claim 6, wherein the desensitization unit is specifically configured to:

if the transmission purpose of the IP message is that the application system is sending a data request to the target data server, encapsulate the message according to the transmission protocol of the target data server and then transmit it to the target data server;

and if the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request, perform data desensitization processing on the message, encapsulate the desensitized message according to the transmission protocol of the application system, and transmit it to the application system.

9. The apparatus of claim 8, wherein the parsed IP packet information further comprises sequence number information of an IP packet;

the data desensitization processing of the message comprises the following steps:

reassembling the IP messages based on the sequence number information to obtain the return data of the target data server;

identifying sensitive data in the returned data based on a preset sensitive data type;

desensitizing sensitive data in the returned data by using a preset desensitizing algorithm;

wherein the preset sensitive data types include: name, telephone number, identification card number, license plate number and bank card number.

10. An apparatus according to claim 9, wherein the desensitization algorithm includes any one or more of:

random mapping algorithms, fixed mapping algorithms, masking algorithms, and in-range random algorithms.

Technical Field

The invention relates to the technical field of information security, in particular to a data desensitization method and device based on message analysis.

Background

With the steady progress of construction of the ubiquitous power Internet of Things and the growth of the digital economy, data sharing and circulation have become more frequent and are now a firm business requirement. As data is centrally processed, widely shared and cross-used, big-data security problems are becoming more prominent, and data security faces serious challenges. Desensitizing the sensitive information involved at each stage of the data life cycle is an effective security control for ensuring that data is used safely and compliantly.

At present, the common data desensitization approach on the market is to deploy a desensitization gateway logically in series between the application and the database; the gateway intercepts the SQL statements the application sends to the database, parses and modifies them, and then resends the modified statements to the database to achieve desensitization. This approach has several disadvantages. First, with logical serial deployment, any fault in the desensitization gateway affects the safe and stable operation of the service system, so safety is insufficient. Second, intercepting, parsing and modifying SQL statements is an invasive method that carries potential safety hazards and is prone to misoperation. Third, deployment and implementation are difficult: because different applications have different architectures and implementation languages, a large amount of on-site compatibility debugging is needed, so the approach is not universal. Fourth, limited by the complexity of the parsing process, the desensitization gateway has limited capacity to process SQL in parallel, and processing efficiency is low when the data volume is large.

Disclosure of Invention

Aiming at the defects of the prior art, the invention aims to provide a data desensitization method and a data desensitization device based on message analysis.

The invention provides a data desensitization method based on message analysis, and the improvement is that the method comprises the following steps:

acquiring and parsing an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP;

identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP;

and, according to the identification result, encapsulating and transmitting the IP message, or encapsulating and transmitting it after data desensitization processing.

Preferably, identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP includes:

searching for the source IP and the destination IP in a pre-established application system IP set and a pre-established target data server IP set;

if the source IP is in the application system IP set and the destination IP is in the target data server IP set, the transmission purpose of the IP message is that the application system is sending a data access request to the target data server;

and if the source IP is in the target data server IP set and the destination IP is in the application system IP set, the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request.

Preferably, encapsulating and transmitting the IP message according to the identification result, or encapsulating and transmitting it after data desensitization processing, includes:

if the transmission purpose of the IP message is that the application system is sending a data request to the target data server, the message is encapsulated according to the transmission protocol of the target data server and then transmitted to the target data server;

and if the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request, data desensitization processing is performed on the message, and the desensitized message is encapsulated according to the transmission protocol of the application system and transmitted to the application system.

Further, the parsed IP message information also includes sequence number information of the IP message;

the data desensitization processing of the message comprises the following steps:

reassembling the IP messages based on the sequence number information to obtain the return data of the target data server;

identifying sensitive data in the returned data based on a preset sensitive data type;

desensitizing sensitive data in the returned data by using a preset desensitizing algorithm;

wherein the preset sensitive data types include: name, telephone number, identification card number, license plate number and bank card number.

Further, the desensitization algorithm includes any one or more of:

random mapping algorithms, fixed mapping algorithms, masking algorithms, and in-range random algorithms.

Based on the same inventive concept, the invention also provides a data desensitization device based on message analysis, and the improvement is that the device comprises:

an acquisition unit, configured to acquire and parse an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP;

an identification unit, configured to identify the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP;

and a desensitization unit, configured to encapsulate and transmit the IP message according to the identification result, or to encapsulate and transmit it after data desensitization processing.

Preferably, the identification unit is specifically configured to:

search for the source IP and the destination IP in a pre-established application system IP set and a pre-established target data server IP set;

if the source IP is in the application system IP set and the destination IP is in the target data server IP set, the transmission purpose of the IP message is that the application system is sending a data access request to the target data server;

and if the source IP is in the target data server IP set and the destination IP is in the application system IP set, the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request.

Preferably, the desensitization unit is specifically configured to:

if the transmission purpose of the IP message is that the application system is sending a data request to the target data server, encapsulate the message according to the transmission protocol of the target data server and then transmit it to the target data server;

and if the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request, perform data desensitization processing on the message, encapsulate the desensitized message according to the transmission protocol of the application system, and transmit it to the application system.

Further, the parsed IP message information also includes sequence number information of the IP message;

the data desensitization processing of the message comprises the following steps:

reassembling the IP messages based on the sequence number information to obtain the return data of the target data server;

identifying sensitive data in the returned data based on a preset sensitive data type;

desensitizing sensitive data in the returned data by using a preset desensitizing algorithm;

wherein the preset sensitive data types include: name, telephone number, identification card number, license plate number and bank card number.

Further, the desensitization algorithm includes any one or more of:

random mapping algorithms, fixed mapping algorithms, masking algorithms, and in-range random algorithms.

Compared with the closest prior art, the invention has the following beneficial effects:

The invention relates to a data desensitization method and device based on message analysis, comprising: acquiring and parsing an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP; identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP; and, according to the identification result, encapsulating and transmitting the IP message, or encapsulating and transmitting it after data desensitization processing. The method parses the message to obtain its source IP and destination IP and exploits the general applicability of message parsing to simplify actual deployment; it has strong concurrent processing capability and suits application scenarios with massive numbers of data requests. Data desensitization processing is performed on the message according to the identified transmission purpose, without operating on the database directly or obtaining the user's data access permissions, which reduces the risk of database and user privacy leakage.

Drawings

FIG. 1 is a flow chart of a data desensitization method based on message parsing according to the present invention;

FIG. 2 is a schematic diagram of a data desensitization apparatus based on message parsing according to the present invention.

Detailed Description

The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The invention provides a data desensitization method based on message analysis, as shown in figure 1, the method comprises the following steps:

acquiring and parsing an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP;

identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP;

and, according to the identification result, encapsulating and transmitting the IP message, or encapsulating and transmitting it after data desensitization processing.

In order to more clearly illustrate the objects of the present invention, the following embodiments are further described.

In an embodiment of the present invention, identifying the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP includes:

searching for the source IP and the destination IP in a pre-established application system IP set and a pre-established target data server IP set;

if the source IP is in the application system IP set and the destination IP is in the target data server IP set, the transmission purpose of the IP message is that the application system is sending a data access request to the target data server;

and if the source IP is in the target data server IP set and the destination IP is in the application system IP set, the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request.

In the embodiment of the present invention, encapsulating and transmitting the IP message according to the identification result, or encapsulating and transmitting it after data desensitization processing, includes:

if the transmission purpose of the IP message is that the application system is sending a data request to the target data server, the message is encapsulated according to the transmission protocol of the target data server and then transmitted to the target data server;

and if the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request, data desensitization processing is performed on the message, and the desensitized message is encapsulated according to the transmission protocol of the application system and transmitted to the application system.

Specifically, the parsed IP message information also includes sequence number information of the IP message;

the data desensitization processing of the message comprises the following steps:

reassembling the IP messages based on the sequence number information to obtain the return data of the target data server;

identifying sensitive data in the returned data based on a preset sensitive data type;

desensitizing sensitive data in the returned data by using a preset desensitizing algorithm;

wherein the preset sensitive data types include: name, telephone number, identification card number, license plate number and bank card number.
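The direction check and the sequence-number reassembly described above, as an added example that is not code from the patent: it parses raw IPv4/TCP bytes, classifies each IP message (packet) by set membership, and rebuilds the server's return data. The addresses, the sample packets, the helper names and the use of TCP sequence numbers as the "sequence number information" are assumptions.

```python
import ipaddress
import struct

# Constructed address sets; the page only says both sets are pre-established.
APP_IPS = {ipaddress.ip_address("10.0.1.10")}
DB_IPS = {ipaddress.ip_address("10.0.2.20")}
REQUEST, RESPONSE, OTHER = "request", "response", "other"


def parse_ipv4_tcp(packet):
    """Return (src, dst, seq, payload) for an IPv4/TCP packet, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 20:
        return None
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                     # TCP header length in bytes
    if data_off < 20 or data_off > len(tcp):
        return None
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    seq = struct.unpack("!I", tcp[4:8])[0]
    return src, dst, seq, tcp[data_off:]


def classify(src, dst):
    """Decide the transmission purpose from set membership of both addresses."""
    if src in APP_IPS and dst in DB_IPS:
        return REQUEST        # forwarded to the data server unchanged
    if src in DB_IPS and dst in APP_IPS:
        return RESPONSE       # must be desensitized before forwarding
    return OTHER


def reassemble(segments):
    """Rebuild the byte stream from (seq, payload) pairs of one connection.
    Assumes no sequence wrap-around. Raises ValueError on a gap, because a
    sensitive value split around missing bytes would not be recognised."""
    stream, expected = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            raise ValueError(f"missing bytes {expected}..{seq - 1}")
        overlap = expected - seq
        if overlap < len(payload):                    # skip retransmitted bytes
            stream += payload[overlap:]
            expected = seq + len(payload)
    return bytes(stream)


def split_capture(packets):
    """Return (request packets to pass through, reassembled response bytes)."""
    requests, segments = [], []
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, dst, seq, payload = parsed
        purpose = classify(src, dst)
        if purpose == REQUEST:
            requests.append(raw)
        elif purpose == RESPONSE and payload:         # ignore bare ACKs
            segments.append((seq, payload))
    return requests, reassemble(segments)


def build_packet(src, dst, seq, payload):
    """Build a minimal IPv4/TCP packet for the sample (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 5432, 40000, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp + payload


# Constructed capture: one request, a response split over two segments that
# arrive out of order with one retransmission, and one unrelated packet.
APP, DB = "10.0.1.10", "10.0.2.20"
SAMPLE = [
    build_packet(APP, DB, 1, b"SELECT name, phone FROM customer"),
    build_packet(DB, APP, 1024, b"12345678"),
    build_packet(DB, APP, 1000, b"name=Zhang San;phone=138"),
    build_packet(DB, APP, 1000, b"name=Zhang San;phone=138"),
    build_packet("10.0.9.9", APP, 7, b"not database traffic"),
]

if __name__ == "__main__":
    print(split_capture(SAMPLE))
```

The telephone number in the sample straddles two segments, which is why recognition has to run on the reassembled stream rather than on individual packets.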

In the embodiment of the invention, desensitizing the sensitive data in the return data by using a preset desensitization algorithm includes:

hiding part of the sensitive data with the desensitization algorithm according to preset desensitization rules, and replacing the hidden part with asterisks (*);

the desensitization rules include:

name: for names of 3 characters or fewer, hide the 1st character; for names of 4 to 6 characters, hide the first 2 characters; for names of more than 6 characters, hide the 3rd to 6th characters;

telephone number: retain the first 3 digits and the last 3 digits, and hide the rest;

identification card number: retain the first 6 digits and the last 4 digits, and hide the rest;

license plate number: retain the last 2 characters of the regional code and serial number, and hide the rest;

bank card number: retain the first 4 digits and the last 4 digits, and hide the rest.
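The masking rules above applied to reassembled return data, as an added example rather than code from the patent; it covers only the masking algorithm, not the mapping or in-range random ones. The recognition patterns, the `name=` field label, the function names and the reading of the license plate rule (keep the 2-character regional code plus the last 2 characters of the serial number) are assumptions.

```python
import re


def mask_span(value, keep_head, keep_tail):
    """Keep the first/last N characters and replace the rest with '*'."""
    hidden = len(value) - keep_head - keep_tail
    if hidden <= 0:                      # too short for the rule: hide everything
        return "*" * len(value)
    return value[:keep_head] + "*" * hidden + value[len(value) - keep_tail:]


def mask_name(name):
    """<=3 chars: hide 1st; 4-6 chars: hide first 2; >6 chars: hide 3rd-6th."""
    if not name:
        return name
    if len(name) <= 3:
        return "*" + name[1:]
    if len(name) <= 6:
        return "**" + name[2:]
    return name[:2] + "****" + name[6:]


def mask_plate(plate):
    """Assumed reading of the rule: keep the regional code (first 2 characters)
    and the last 2 characters of the serial number."""
    return plate[:2] + mask_span(plate[2:], 0, 2)


MASKERS = {
    "name": mask_name,
    "id_card": lambda v: mask_span(v, 6, 4),
    "bank_card": lambda v: mask_span(v, 4, 4),
    "phone": lambda v: mask_span(v, 3, 3),
    "plate": mask_plate,
}

# Recognisers for the five preset types (all patterns are assumptions).
# Order matters: an 18-character ID number is tried before the 16-19 digit
# bank card pattern, so an 18-digit card number is masked with the ID rule.
# The digit look-arounds stop a match from starting inside a longer number.
SENSITIVE = re.compile(
    r"(?P<name>(?<=name=)[^;]+)"                        # located by field label
    r"|(?P<id_card>(?<!\d)\d{17}[\dXx](?!\d))"
    r"|(?P<bank_card>(?<!\d)\d{16,19}(?!\d))"
    r"|(?P<phone>(?<!\d)1[3-9]\d{9}(?!\d))"
    r"|(?P<plate>[\u4e00-\u9fa5][A-Z][A-Z0-9]{5,6})"
)


def desensitize(text):
    """Mask every recognised sensitive value in reassembled return data."""
    return SENSITIVE.sub(lambda m: MASKERS[m.lastgroup](m.group()), text)


# Constructed record; none of these values belongs to a real person.
SAMPLE = ("name=张三丰;phone=13812345678;id=110101199003071234;"
          "plate=京A12345;card=6222021234567890123")

if __name__ == "__main__":
    print(desensitize(SAMPLE))
```

Replacing a multi-byte character with `*` changes the payload's byte length, so the re-encapsulation step has to recompute length fields and checksums rather than reuse the original headers.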

Specifically, the desensitization algorithm includes: random mapping algorithms, fixed mapping algorithms, masking algorithms, and in-range random algorithms.

Based on the same inventive concept, the present invention further provides a data desensitization apparatus based on message parsing, as shown in fig. 2, the apparatus includes:

an acquisition unit, configured to acquire and parse an IP message on the transmission link between an application system and a target data server, wherein the parsed IP message information comprises a source IP and a destination IP;

an identification unit, configured to identify the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP;

and a desensitization unit, configured to encapsulate and transmit the IP message according to the identification result, or to encapsulate and transmit it after data desensitization processing.

Preferably, the identification unit is specifically configured to:

search for the source IP and the destination IP in a pre-established application system IP set and a pre-established target data server IP set;

if the source IP is in the application system IP set and the destination IP is in the target data server IP set, the transmission purpose of the IP message is that the application system is sending a data access request to the target data server;

and if the source IP is in the target data server IP set and the destination IP is in the application system IP set, the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request.

Preferably, the desensitization unit is specifically configured to:

if the transmission purpose of the IP message is that the application system is sending a data request to the target data server, encapsulate the message according to the transmission protocol of the target data server and then transmit it to the target data server;

and if the transmission purpose of the IP message is that the target data server is returning data to the application system in response to the application system's data access request, perform data desensitization processing on the message, encapsulate the desensitized message according to the transmission protocol of the application system, and transmit it to the application system.

Further, the parsed IP message information also includes sequence number information of the IP message;

the data desensitization processing of the message comprises the following steps:

reassembling the IP messages based on the sequence number information to obtain the return data of the target data server;

identifying sensitive data in the returned data based on a preset sensitive data type;

desensitizing sensitive data in the returned data by using a preset desensitizing algorithm;

wherein the preset sensitive data types include: name, telephone number, identification card number, license plate number and bank card number.

Further, the desensitization algorithm includes any one or more of:

random mapping algorithms, fixed mapping algorithms, masking algorithms, and in-range random algorithms.

In summary, the data desensitization method and apparatus based on message analysis according to the present invention acquire and parse an IP message on the transmission link between an application system and a target data server, where the parsed IP message information includes a source IP and a destination IP; identify the transmission purpose of the IP message by comparing the origins of the source IP and the destination IP; and, according to the identification result, encapsulate and transmit the IP message, or encapsulate and transmit it after data desensitization processing. The method parses the message to obtain its source IP and destination IP and exploits the general applicability of message parsing to simplify actual deployment; it has strong concurrent processing capability and suits application scenarios with massive numbers of data requests. Data desensitization processing is performed on the message according to the identified transmission purpose, without operating on the database directly or obtaining the user's data access permissions, which reduces the risk of database and user privacy leakage.

When applied to a service system, the scheme of the invention is deployed as a logical bypass, so a fault in the scheme does not affect the normal operation of the original service system.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
