CN105844166B - Sensitive data identification method and device - Google Patents
- Publication number: CN105844166B (application CN201510015353.3A)
- Authority: CN (China)
- Legal status: Active
Abstract
The embodiments of the present invention relate to the field of information security, and in particular to a sensitive data identification method and device for identifying sensitive data efficiently. In the embodiments, a data operation instruction is received, the data operation instruction indicating that a second operation object is to be generated from a first operation object; first position information of the sensitive data in the first operation object is acquired; and, according to the data structure of the second operation object and the first position information, second position information of the sensitive data in the second operation object is determined. Since the second operation object is generated from the first operation object, the position in the second operation object of each data item of the first operation object can be traced; and since the first position information in the first operation object has been acquired, the second position information in the second operation object that corresponds to the sensitive data of the first operation object can be determined, which further improves the efficiency of identifying sensitive data.
Description
Technical field
The embodiments of the present invention relate to the field of information security, and in particular to a sensitive data identification method and device.
Background
Sensitive data generally refers to users' private information. Telecom operators hold the private information of a large number of users, and when different users operate on sensitive data it is frequently leaked. This not only seriously damages the operator's own core secrets, competitiveness within the industry and market reputation, but also harms users' privacy and personal information security to varying degrees. Identifying sensitive data throughout the data life cycle, so that it can be obfuscated, has therefore become a top priority.
At present, sensitive data in databases is identified mainly by content feature matching: the data to be identified is matched against preset keywords, and once sensitive data has been identified it is encrypted or obfuscated to prevent leakage.
In practice, data tables are accessed frequently, and new data tables are frequently generated from existing ones. When a new data table is generated from an existing table, identifying the sensitive data in the new table still requires matching its contents against the keywords one by one; if several hundred new tables are generated at the same time, identifying sensitive data by the content feature matching of the prior art is inefficient.
In summary, a sensitive data identification method and device that identify sensitive data efficiently are urgently needed.
Summary of the invention
Embodiments of the present invention provide a sensitive data identification method and device for identifying sensitive data efficiently.
A sensitive data identification method implemented on the terminal side, provided by an embodiment of the present invention, includes the following steps:
receiving a data operation instruction, the data operation instruction indicating that a second operation object is to be generated from a first operation object;
acquiring first position information of the sensitive data in the first operation object;
executing the data operation instruction to obtain the second operation object, and determining, according to the data structure of the second operation object and the first position information, second position information of the sensitive data in the second operation object;
determining, according to the second position information, the data at the corresponding position in the second operation object as sensitive data.
Preferably, the first position information is the position code of the location of the sensitive data in the first operation object;
and acquiring the first position information of the sensitive data in the first operation object specifically includes:
converting the positions of all data in the first operation object into corresponding position codes according to a preset rule;
querying a preset sensitive data table, where the sensitive data table contains the identification information of the first operation object and N position codes of the locations of N sensitive data items in the first operation object, the N position codes having been obtained by converting the locations of the N sensitive data items according to the preset rule, and N is an integer greater than or equal to 1;
determining whether any of the converted position codes matches a position code that the sensitive data table associates with the first operation object, and if so, determining the position code that matches the sensitive data table as the position code of the location of the sensitive data in the first operation object.
Preferably, a position code matching the sensitive data table means that:
the position code corresponding to the first position information completely matches a position code in the sensitive data table, or partially matches a position code in the sensitive data table.
Preferably, for the N position codes of the locations of the N sensitive data items in the first operation object contained in the sensitive data table, the sensitive data table further includes a plurality of operation codes corresponding to each position code;
and determining, according to the data structure of the second operation object and the first position information, the second position information of the sensitive data in the second operation object specifically includes:
querying the sensitive data table according to the identification information of the first operation object and the operation code contained in the data operation instruction;
determining from the query result whether the operation codes that the sensitive data table associates with the position code matching the first position information include the operation code contained in the data operation instruction;
and if so, determining, according to the data structure of the second operation object and the first position information, the second position information of the sensitive data in the second operation object.
Preferably, after the data at the corresponding position in the second operation object is determined as sensitive data according to the second position information, the method further includes:
querying the sensitive data table for the operation codes corresponding to the first position information;
adding to the sensitive data table the identification information of the second operation object, the second position information, and the operation codes found for the first position information, and establishing the correspondence among the three.
Preferably, the first operation object is a first data table and the second operation object is a second data table;
and the data operation instruction is one of the following:
copying the first data table as the second data table;
cutting the first data table to the second data table;
saving the first data table as the second data table.
In the embodiments of the present invention, since the data operation instruction indicates that the second operation object is to be generated from the first operation object, the second operation object is generated from the first operation object, so the position in the second operation object of each data item of the first operation object can be traced. Further, since the first position information of the sensitive data in the first operation object has been acquired, combining it with the traced positions of the first operation object's data in the second operation object determines the position in the second operation object that corresponds to the sensitive data of the first operation object; that position is the second position information of the sensitive data in the second operation object. Matching by position features thus quickly identifies the sensitive data in the newly generated second operation object and further improves the efficiency of identifying sensitive data.
An embodiment of the present invention provides a sensitive data identification device, including a receiving unit and a processing unit:
the receiving unit is configured to receive a data operation instruction, the data operation instruction indicating that a second operation object is to be generated from a first operation object;
the processing unit is configured to acquire first position information of the sensitive data in the first operation object; execute the data operation instruction to obtain the second operation object and determine, according to the data structure of the second operation object and the first position information, second position information of the sensitive data in the second operation object; and determine, according to the second position information, the data at the corresponding position in the second operation object as sensitive data.
Preferably, the first position information is the position code of the location of the sensitive data in the first operation object;
and the processing unit is specifically configured to:
convert the positions of all data in the first operation object into corresponding position codes according to a preset rule;
query a preset sensitive data table, where the sensitive data table contains the identification information of the first operation object and N position codes of the locations of N sensitive data items in the first operation object, the N position codes having been obtained by converting the locations of the N sensitive data items according to the preset rule, and N is an integer greater than or equal to 1;
determine whether any of the converted position codes matches a position code that the sensitive data table associates with the first operation object, and if so, determine the position code that matches the sensitive data table as the position code of the location of the sensitive data in the first operation object.
Preferably, a position code matching the sensitive data table means that:
the position code corresponding to the first position information completely matches a position code in the sensitive data table, or partially matches a position code in the sensitive data table.
Preferably, for the N position codes of the locations of the N sensitive data items in the first operation object contained in the sensitive data table, the sensitive data table further includes a plurality of operation codes corresponding to each position code;
and the processing unit is specifically configured to:
query the sensitive data table according to the identification information of the first operation object and the operation code contained in the data operation instruction;
determine from the query result whether the operation codes that the sensitive data table associates with the position code matching the first position information include the operation code contained in the data operation instruction;
and if so, determine, according to the data structure of the second operation object and the first position information, the second position information of the sensitive data in the second operation object.
Preferably, the processing unit is further configured to:
query the sensitive data table for the operation codes corresponding to the first position information;
add to the sensitive data table the identification information of the second operation object, the second position information, and the operation codes found for the first position information, and establish the correspondence among the three.
Preferably, the first operation object is a first data table and the second operation object is a second data table;
and the data operation instruction is one of the following:
copying the first data table as the second data table;
cutting the first data table to the second data table;
saving the first data table as the second data table.
In the embodiments of the present invention, a data operation instruction is received, the data operation instruction indicating that a second operation object is to be generated from a first operation object; first position information of the sensitive data in the first operation object is acquired; the data operation instruction is executed to obtain the second operation object, and second position information of the sensitive data in the second operation object is determined according to the data structure of the second operation object and the first position information; and, according to the second position information, the data at the corresponding position in the second operation object is determined as sensitive data.
Since the data operation instruction indicates that the second operation object is to be generated from the first operation object, the second operation object is generated from the first operation object, so the position in the second operation object of each data item of the first operation object can be traced. Further, since the first position information of the sensitive data in the first operation object has been acquired, combining it with the traced positions of the first operation object's data in the second operation object determines the position in the second operation object that corresponds to the sensitive data of the first operation object; that position is the second position information of the sensitive data in the second operation object. Matching by position features thus quickly identifies the sensitive data in the newly generated second operation object and further improves the efficiency of identifying sensitive data.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a sensitive data identification method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a sensitive data identification device provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and beneficial effects of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention, not to limit it.
The embodiments of the present invention are applicable to many application scenarios, which the embodiments do not limit. The following application scenario is used as an example: a second operation object is generated from a first operation object, that is, the data in the first operation object is migrated, either as-is or after being changed, into the second operation object. Preferably, the data in the first operation object may be migrated partially or completely, or migrated after being changed, into the second operation object.
The embodiments of the present invention are introduced under the following assumptions; those skilled in the art will understand that they are not limited thereto.
"A plurality" in the embodiments of the present invention may be one or more.
Preferably, in the embodiments of the present invention the sensitive data table is set up on the basis of all existing data in the current database. It is assumed that the database stores data tables, that the position information of the sensitive data in every data table is known, and that the operation code corresponding to each sensitive data item in each data table has been determined manually, that is, which data in the data table is sensitive under which operation codes. The sensitive data table is then set up from this information: it includes a plurality of operation object identifiers, different identifiers corresponding to different data tables; each operation object identifier corresponds to a plurality of position information entries for the sensitive data in that operation object; and each sensitive data item of each operation object corresponds to a plurality of operation codes.
For example (Example 1), suppose the database contains three data tables, and it is known that the "ID card number" information in the first column of data table 1 is sensitive data under the "copy" operation code. This means that the "ID card number" information in table 1 is important, or easily leaked, when a "copy" operation is performed, so it is set as sensitive data for the "copy" operation code; later, when table 1 is copied, the sensitive "ID card number" data is identified and encrypted or obfuscated to improve its security.
Similarly, suppose the "telephone number" information in the second column of data table 1 is sensitive data under the "copy" and "cut" operation codes; the "name" information in the second column of data table 2 is sensitive data under the "save as" operation code; and the "address" information in rows two to five of the first column of data table 3 is sensitive data under the "save as" operation code.
The sensitive data table of Example 1 is listed in Table 1 below:
Table 1. Sensitive data table of Example 1
On this basis, Fig. 1 shows a sensitive data identification method implemented on the terminal side according to an embodiment of the present invention, including the following steps:
Step 101: receiving a data operation instruction, the data operation instruction indicating that a second operation object is to be generated from a first operation object;
Step 102: acquiring first position information of the sensitive data in the first operation object;
Step 103: executing the data operation instruction to obtain the second operation object, and determining, according to the data structure of the second operation object and the first position information, second position information of the sensitive data in the second operation object;
Step 104: determining, according to the second position information, the data at the corresponding position in the second operation object as sensitive data.
Preferably, in the embodiments of the present invention the first position information of the sensitive data in the first operation object is the position code of the location of that sensitive data, obtained by converting the positions of all data in the first operation object according to the preset rule. Likewise, the second position information of the sensitive data in the second operation object is the position code of the location of that sensitive data, obtained by converting the positions of all data in the second operation object according to the preset rule. From the foregoing, what the sensitive data table stores for each sensitive data item is also its position information, namely the position code obtained by converting the location of the sensitive data according to the preset rule.
Preferably, the "preset rule" that converts the specific position of a data item into a position code should be applied consistently, and after any data item has been converted according to the "preset rule", the resulting position code should uniquely determine the position of that data item. The embodiments of the present invention do not limit the specific content of the "preset rule".
An example is given to introduce the process by which the embodiments convert the position information of a data item into a position code according to the "preset rule".
Assume the preset rule defines the location of a sensitive data item by a 20-digit integer divided into four segments: the first segment denotes the domain in which the sensitive data is located, the second the database, the third the table, and the fourth the specific position within that table.
For example, suppose the sensitive data is located in the first column of the Customer table in the CRMDB11 database of the CRM system.
If, under the preset rule, the CRM system is denoted by 10001, the CRMDB11 database by 9273, the Customer table by 89 and the first column by 1, with each segment occupying five digits, then the following position code uniquely specifies the location of the sensitive data:
10001 × 10^15 + 9273 × 10^10 + 89 × 10^5 + 1 × 10^0 = 10001092730008900001
The above example has described in detail how the position of a data item is converted into its position code according to the preset rule.
Preferably, the first position information is the position code of the location of the sensitive data in the first operation object. The positions of all data in the first operation object are converted into corresponding position codes according to the preset rule; the preset sensitive data table is queried, where the sensitive data table contains the identification information of the first operation object and N position codes of the locations of N sensitive data items in the first operation object, the N position codes having been obtained by converting the locations of the N sensitive data items according to the preset rule, N being an integer greater than or equal to 1; and it is determined whether any of the converted position codes matches a position code that the sensitive data table associates with the first operation object, and if so, the matching position code is determined as the position code of the location of the sensitive data in the first operation object.
Specifically, the first position information of the sensitive data in the first operation object may be obtained from the preset sensitive data table. In the embodiments of the present invention, the position information corresponding to the sensitive data of the first operation object has already been preset in the sensitive data table, that is, the sensitive data table contains the identification information of the first operation object and N position codes of the locations of N sensitive data items in the first operation object, the N position codes having been obtained by converting the locations of the N sensitive data items according to the preset rule, and N is an integer greater than or equal to 1.
First, the positions of all data in the first operation object are converted into corresponding position codes according to the preset rule, which is the same rule as that used for the sensitive data table. The sensitive data table is then queried to determine whether any of the converted position codes of the first operation object matches a position code that the table associates with the first operation object, that is, whether the sensitive data table defines certain positions of the first operation object as locations of sensitive data. If so, the position code matching the sensitive data table is determined as the position code of the location of the sensitive data in the first operation object.
Data that is accessed frequently may change its content features: for example, a frequently accessed sensitive data item may have its content reorganised or encrypted while its position remains unchanged. In that case the content matching of the prior art can no longer identify the sensitive data, because its content has changed, whereas the method provided by the embodiments of the present invention still identifies it quickly even though the content has changed.
For example, since a field has been preset as a sensitive field and the position information of that field has been stored in the sensitive data table, when the sensitive data is subsequently accessed its position has not changed, so the sensitive data table can be queried to quickly determine that the location of the data is a location already defined as sensitive, and the data at that location is determined as sensitive data. Thus the embodiments of the present invention match sensitive data by its position features and can identify sensitive data efficiently even when its content changes.
The above example also shows that the embodiments of the present invention apply to another case, in which only some operations are performed on the first operation object and no second operation object is generated from it. In this case the position information of the sensitive data preset in the sensitive data table can likewise be queried, and whether the first operation object contains sensitive data can be determined from the sensitive data preset in that table. There are many operations that act only on the first operation object without generating a second operation object, such as query, modify and delete.
较佳的,第一操作对象为第一数据表,第二操作对象为第二数据表。较佳的,本发明实施例中所定义的第一操作对象的敏感数据可为第一数据表中某一列,或为第一数据表中的几列、几列的几行、几行,或为第一数据表中某几列的某几个字段,同样的,本发明实施例中所定义的第二操作对象的敏感数据可为第二数据表中某一列,或为第二数据表中的几列、几列的几行、几行,或为第二数据表中某几列的某几个字段。Preferably, the first operation object is the first data table, and the second operation object is the second data table. Preferably, the sensitive data of the first operation object defined in the embodiment of the present invention may be a certain column in the first data table, or several columns, several rows of several columns, or several rows in the first data table, or It is certain fields of certain columns in the first data table. Similarly, the sensitive data of the second operation object defined in the embodiment of the present invention can be a certain column in the second data table, or a certain field in the second data table. Several columns, several rows of several columns, several rows, or certain fields of certain columns in the second data table.
较佳的,本发明实施例中的数据操作指令为以下几项中的一种:将第一数据表复制为第二数据表;将第一数据表剪切为第二数据表;将第一数据表另存为第二数据表。本发明实施例中的第二操作对象为对第一操作对象执行数据操作指令所得到的。Preferably, the data operation instruction in the embodiment of the present invention is one of the following items: copy the first data table into the second data table; cut the first data table into the second data table; The data table is saved as a second data table. The second operation object in the embodiment of the present invention is obtained by executing a data operation instruction on the first operation object.
较佳的,与敏感数据表匹配的位置编码,是指:第一位置信息对应的位置编码与敏感数据表的位置编码完全匹配,或者,第一位置信息对应的位置编码与敏感数据表的位置编码部分匹配。Preferably, the position code matching the sensitive data table means: the position code corresponding to the first position information completely matches the position code of the sensitive data table, or the position code corresponding to the first position information matches the position code of the sensitive data table Encodings partially match.
具体来说,本发明实施例中的位置编码为分段的编码,不同的段代表不同的数据范围级别,为了扩大搜索范围,可确定出第一操作对象中的第一位置信息与敏感数据表部分匹配的数据,并将该与敏感数据表部分匹配的数据确定为敏感数据。Specifically, the location code in the embodiment of the present invention is a segmented code, and different segments represent different data range levels. In order to expand the search range, the first location information and sensitive data table in the first operation object can be determined partially matching data, and determine the data partially matching the sensitive data table as sensitive data.
举一个例子,假设第一位置信息为位于CRM系统CRMDB11库中Customer表的第一列,CRM系统用10001表示,CRDB11库用9273表示,Customer表用89表示,第一列用1表示,则该第一位置信息可用以下位置编码唯一指定该敏感数据的位置:10001 09273 0008900001。此时需要查询CRM系统中的所有库的Customer表的敏感数据,此时将10001 0927300089 00001中代表库的9273忽略,例如,可通过掩码将9273掩去,此时敏感数据表中的CRM系统所有库中Customer表的第一列的位置码为10001 00000 00089 00001,所有库00000即表示该敏感数据的位置码中的库不做限定,此时该位置码10001 00000 00089 00001可用于匹配CRM系统中的所有库的Customer表的第一列的敏感数据。To give an example, assume that the first location information is the first column of the Customer table in the CRMDB11 database of the CRM system, the CRM system is represented by 10001, the CRDB11 database is represented by 9273, the Customer table is represented by 89, and the first column is represented by 1, then the The first location information may uniquely specify the location of the sensitive data with the following location code: 10001 09273 0008900001. At this time, it is necessary to query the sensitive data of the Customer table of all libraries in the CRM system. At this time, the 9273 representing the library in 10001 0927300089 00001 is ignored. For example, 9273 can be masked by a mask. At this time, the CRM system in the sensitive data table The location code of the first column of the Customer table in all libraries is 10001 00000 00089 00001, and all libraries 00000 means that the library in the location code of the sensitive data is not limited. At this time, the location code 10001 00000 00089 00001 can be used to match the CRM system Sensitive data in the first column of the Customer table in all libraries.
可见,第一位置信息对应的位置编码与敏感数据表的位置编码部分匹配时,可扩大搜索范围,较佳的,可迅速确定同样数据结构的数据表中的敏感数据。第一位置信息对应的位置编码与敏感数据表的位置编码完全匹配,则可提高匹配精度。It can be seen that when the position code corresponding to the first position information matches the position code part of the sensitive data table, the search range can be expanded, and preferably, the sensitive data in the data table with the same data structure can be quickly determined. If the position code corresponding to the first position information completely matches the position code of the sensitive data table, the matching accuracy can be improved.
本发明实施例中所提到的用掩码方式将位置编码中的某一段掩去,为现有技术,在此做简略介绍。掩码即使用一段位数相同的字符替代原位置编码的某一段,例如将原位置编码中的代表库的某一段字符更换为掩码,则在匹配过程中,会忽略待匹配字符中代表库的那段字符。例如,上述示例中敏感数据表中的位置编码10001 00000 00089 00001可与待匹配数据的位置编码为10001 02101 00089 00001匹配,此时即确定10001 02101 0008900001所对应的数据为敏感数据。The use of a mask to mask a segment of the position code mentioned in the embodiment of the present invention is a prior art and will be briefly introduced here. A mask is to use a character with the same number of digits to replace a certain segment of the original position code. For example, if a certain character representing the library in the original position code is replaced with a mask, the character representing the library in the character to be matched will be ignored during the matching process. the character of the . For example, the position code 10001 00000 00089 00001 in the sensitive data table in the above example can be matched with the position code 10001 02101 00089 00001 of the data to be matched. At this time, it is determined that the data corresponding to 10001 02101 0008900001 is sensitive data.
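The segmented position code and the masked (partial) match described above, written out as an added example; this is not the patent's own code. The encoding rule of four five-digit decimal segments (system, database, table, column), the sample identifiers 10001, 9273, 89 and 1 taken from the text, and the function names `encode_position`, `mask_segment`, `position_matches` and `find_sensitive` are all assumptions made for the illustration.

```python
"""Segmented position codes with masked (partial) matching.

Added example, not code from the patent. The encoding rule (four five-digit
decimal segments: system, database, table, column) and the sample identifiers
are assumptions taken from the CRM example in the text.
"""

SEGMENT_WIDTH = 5                    # every segment is zero-padded to five digits
WILDCARD = "0" * SEGMENT_WIDTH       # a masked segment: any value matches it
SEGMENTS = ("system", "database", "table", "column")


def encode_position(system: int, database: int, table: int, column: int) -> str:
    """Preset rule: convert a (system, database, table, column) position into a code."""
    parts = (system, database, table, column)
    for name, value in zip(SEGMENTS, parts):
        # 0 is reserved for the wildcard, so real identifiers start at 1.
        if not 1 <= value < 10 ** SEGMENT_WIDTH:
            raise ValueError(f"{name} id {value} does not fit in {SEGMENT_WIDTH} digits")
    return " ".join(f"{v:0{SEGMENT_WIDTH}d}" for v in parts)


def _split(code: str) -> list:
    """Split a code into its segments and reject malformed input."""
    parts = code.split()
    if len(parts) != len(SEGMENTS) or not all(
        len(p) == SEGMENT_WIDTH and p.isdigit() for p in parts
    ):
        raise ValueError(f"malformed position code: {code!r}")
    return parts


def mask_segment(code: str, segment: str) -> str:
    """Replace one named segment with the wildcard so it is ignored during matching."""
    parts = _split(code)
    parts[SEGMENTS.index(segment)] = WILDCARD
    return " ".join(parts)


def position_matches(pattern: str, candidate: str) -> bool:
    """True if candidate matches pattern segment by segment.

    A wildcard segment in the pattern matches any value (the text's 'partial
    match'); a pattern without wildcards requires a complete match.
    """
    return all(
        p == WILDCARD or p == c for p, c in zip(_split(pattern), _split(candidate))
    )


def find_sensitive(sensitive_table: list, candidates: list) -> list:
    """Return the candidate codes that match any pattern in the sensitive data table."""
    return [c for c in candidates
            if any(position_matches(p, c) for p in sensitive_table)]


if __name__ == "__main__":
    exact = encode_position(10001, 9273, 89, 1)         # 10001 09273 00089 00001
    any_db = mask_segment(exact, "database")            # 10001 00000 00089 00001
    print(exact, "->", any_db)
    print(find_sensitive([any_db], ["10001 02101 00089 00001", "10001 02101 00090 00001"]))
```

The wildcard is a whole all-zero segment rather than a bit mask, which is why identifiers start at 1; a sensitive data table entry with no wildcard segments gives the full match the text prefers for precision, and one masked segment gives the widened search it describes for tables with the same structure across databases.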
Preferably, for the N position codes of the locations of the N items of sensitive data in the first operation object contained in the sensitive data table, the sensitive data table further includes a plurality of operation codes corresponding to each position code;
determining the second location information of the sensitive data in the second operation object according to the data structure of the second operation object and the first location information then proceeds as follows:
the sensitive data table is queried according to the identification information of the first operation object in the data operation instruction and the operation code of the operation instruction; from the query result it is determined whether the operation code contained in the data operation instruction is among the operation codes corresponding to the position code in the sensitive data table that matches the first location information; if so, the second location information of the sensitive data in the second operation object is determined according to the data structure of the second operation object and the first location information.
Specifically, in the embodiment of the present invention, for the N position codes of the locations of the N items of sensitive data in the first operation object contained in the sensitive data table, the sensitive data table further includes a plurality of operation codes corresponding to each position code; specifically, the plurality of operation codes may be one or more.
Preferably, when determining from the query result whether the operation code contained in the data operation instruction is among the operation codes corresponding to the position code in the sensitive data table that matches the first location information, related parameters of other operation instructions may also be used to assist the determination. For example, the related parameters of other operation instructions may be the subject of the data operation instruction, operation code parameters, the processing channel of the data operation instruction, the contextual relationship among multiple operation codes in the data operation instruction, the time at which the data operation instruction occurs, the duration of the operation behaviour corresponding to the data operation instruction, and so on.
These related parameters of other operation instructions help to determine more precisely the operation code corresponding to the data operation instruction; preferably, when operation codes are preset for the position codes of sensitive data in the sensitive data table, auxiliary parameter information related to those operation codes can be added as well.
Preferably, the identification information of an operation object in the embodiment of the present invention is the identifier of the object on which the data operation instruction is executed. For example, if the data operation instruction operates on the Customer table in the CRMDB11 database of the CRM system, then the Customer table in the CRMDB11 database of the CRM system is the identification information of the operation object, and the position codes of the sensitive data information corresponding to that operation object in the sensitive data table are further determined according to this identification information.
Preferably, in the embodiment of the present invention, the identification number corresponding to each data operation instruction, the position codes of the sensitive data corresponding to that data operation instruction, and the operation code corresponding to that data operation instruction can all be recorded in a real-time activity table. Through the real-time activity table, the data operation instructions currently being executed, and the sensitive data that needs attention during their execution, can be managed and tracked in real time; when the user finishes executing a data operation instruction, that data operation instruction is deleted from the real-time activity table.
The real-time activity table is shown in Table 2.
Table 2 Example of a real-time activity table
Preferably, after the second operation object has been generated from the first operation object and the position code corresponding to the location of the sensitive data in the second operation object has been determined, the operation code corresponding to the first location information is queried in the sensitive data table; the identification information of the second operation object, the second location information, and the queried operation code corresponding to the first location information are added to the sensitive data table, and the correspondence among the three is established.
Specifically, since the second operation object is newly added data, it is preferably added to the sensitive data table: the identification information of the second operation object is added to the sensitive data table together with the second location information corresponding to the second operation object, i.e. the position code corresponding to the location of the sensitive data in the second operation object. Further, since the sensitive data in the second operation object was transferred from the sensitive data of the first operation object, the operation code corresponding to the first location information in the first operation object that matches the second location information of the second operation object also corresponds to the second location information in the second operation object; accordingly, in the sensitive data table, the operation code corresponding to the first location information is configured as the operation code corresponding to the second location information.
A specific embodiment is given below to illustrate the above process:
Assume the data operation instruction is to copy the first operation object to the second operation object, the first operation object is data table 1 of database 2 of domain 1, and the second operation object is data table 2 of database 2 of domain 1. The operation code in the data operation instruction is "copy". Assume the first column "name" of the first operation object is sensitive data, i.e. the location of the first operation object's sensitive data is "column 1 of data table 1 of database 2 of domain 1", with the assumed code 00001 00002 00001 00001.
The specific identification process is as follows: the data operation instruction is received, its object (the "first operation object") is determined, and the positions of the data in the first operation object are converted into position codes; the position code in the sensitive data table of the first operation object identifier "data table 1 of database 2 of domain 1" is determined to be 00001 00002 00001 00000, and the position codes of the sensitive data corresponding to that identifier are determined from it. Under the above assumption, the position code of the sensitive data corresponding to the first operation object in the sensitive data table is determined to be 00001 00002 00001 00001.
The position codes obtained by converting the positions of the data in the first operation object according to the preset rule are matched against the position codes of the sensitive data corresponding to the first operation object in the sensitive data table, and the successfully matched position code 00001 00002 00001 00001 in the first operation object is identified;
it is further determined that the operation code corresponding to the position code of the sensitive data corresponding to the first operation object in the sensitive data table is "copy", and that the operation code in the present data operation instruction is also "copy".
Therefore, the successfully matched position code 00001 00002 00001 00001 in the first operation object is determined to be the first location information;
the data operation instruction is executed to obtain the second operation object, i.e. the first operation object is copied to the second operation object; during this process, the position in the second operation object corresponding to each position of the data in the first operation object can be tracked. For example, the first column of the first operation object is copied to the first column of the second operation object.
The first location information 00001 00002 00001 00001 has now migrated to the second location information of the second operation object, which is the first column of the second operation object. Therefore, the position code corresponding to the second location information is the position code 00001 00002 00002 00001 of "column 1 of data table 2 of database 2 of domain 1", and the data corresponding to the second location information 00001 00002 00002 00001 is further determined to be sensitive data.
The newly generated second operation object is then added to the sensitive data table: the second operation object identifier "data table 2 of database 2 of domain 1" is added to the sensitive data table, the position code 00001 00002 00002 00001 of the second location information corresponding to the sensitive data in the second operation object is configured for that identifier, and the operation code "copy" corresponding to the first location information is configured for the second location information.
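The procedure above (look up the first location by object identifier and opcode, execute the instruction while tracking where each column lands, derive the second location from the target's data structure, and add the target to the sensitive data table) as an added example; this is not the patent's own code. The position codes use the four five-digit segments (domain, database, table, column) of the worked example, while the object identifiers such as `domain1/db2/table1`, the column-map model of the target's data structure, the real-time activity table as a dictionary, and the class and function names are assumptions made for the illustration.

```python
"""Tracking sensitive data through a copy operation.

Added example, not code from the patent. Position codes are four five-digit
segments (domain, database, table, column) as in the text's worked example.
The object identifiers, the column-map model of the target's data structure
and all class and function names are assumptions.
"""
from dataclasses import dataclass, field


def position_code(domain: int, database: int, table: int, column: int = 0) -> str:
    """Preset rule: each level zero-padded to five digits; column 0 means the whole table."""
    return f"{domain:05d} {database:05d} {table:05d} {column:05d}"


@dataclass
class SensitiveEntry:
    """One row of the sensitive data table."""
    object_id: str          # identification information of the operation object
    code: str               # position code of the sensitive data
    opcodes: frozenset      # operation codes associated with this position code


@dataclass
class DataOperation:
    """A data operation instruction that generates a target object from a source."""
    instruction_id: int
    opcode: str                 # "copy", "cut", "save_as", ...
    source_id: str
    target_id: str
    target_code: str            # table-level position code of the target
    column_map: dict = field(default_factory=dict)  # source column -> target column


class SensitiveDataTracker:
    def __init__(self, entries):
        self.sensitive_table = list(entries)
        self.activity_table = {}   # instruction_id -> (opcode, first location codes)

    def first_locations(self, op: DataOperation) -> list:
        """Query the sensitive data table by source identifier and opcode."""
        return [e for e in self.sensitive_table
                if e.object_id == op.source_id and op.opcode in e.opcodes]

    @staticmethod
    def second_location(op: DataOperation, first_code: str):
        """Map a first location code into the target via the target's data structure."""
        source_column = int(first_code.split()[3])
        target_column = op.column_map.get(source_column)
        if target_column is None:       # the column was not carried into the target
            return None
        d, b, t, _ = op.target_code.split()
        return f"{d} {b} {t} {target_column:05d}"

    def execute(self, op: DataOperation) -> list:
        """Run the instruction, tracking sensitive data and updating both tables."""
        entries = self.first_locations(op)
        # Real-time activity table: what is running and which sensitive data it touches.
        self.activity_table[op.instruction_id] = (op.opcode, [e.code for e in entries])
        second_codes = []
        for entry in entries:
            second = self.second_location(op, entry.code)
            if second is None:
                continue
            # The target entry inherits the opcodes of the matching source entry.
            self.sensitive_table.append(SensitiveEntry(op.target_id, second, entry.opcodes))
            second_codes.append(second)
        # The instruction has finished: drop it from the real-time activity table.
        del self.activity_table[op.instruction_id]
        return second_codes


def run_example() -> tuple:
    """The text's scenario: copy table 1 of database 2 in domain 1 to table 2."""
    tracker = SensitiveDataTracker([
        SensitiveEntry("domain1/db2/table1", position_code(1, 2, 1, 1),
                       frozenset({"copy", "cut"})),
    ])
    copy_op = DataOperation(
        instruction_id=1, opcode="copy",
        source_id="domain1/db2/table1", target_id="domain1/db2/table2",
        target_code=position_code(1, 2, 2), column_map={1: 1, 2: 2, 3: 3},
    )
    found = tracker.execute(copy_op)
    return found, tracker


if __name__ == "__main__":
    found, tracker = run_example()
    print("second location(s):", found)
    for e in tracker.sensitive_table:
        print(e.object_id, e.code, sorted(e.opcodes))
```

Two edge cases worth noticing: an instruction whose opcode is not registered for the source entry (for example a plain query) produces no second location and adds nothing, which is the opcode check of the text; and a target whose data structure drops the sensitive column (no entry in the column map) likewise yields nothing, so the tracker never records a position that does not exist in the target.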
In summary, in the embodiment of the present invention, since the data operation instruction instructs that the second operation object be generated from the first operation object, the second operation object is generated by the first operation object, and the corresponding location information in the second operation object of the data in the first operation object can therefore be tracked. Further, since the first location information of the sensitive data in the first operation object has been obtained, combining it with the tracked location information of the first operation object's data in the second operation object determines the location in the second operation object that corresponds to the sensitive data of the first operation object; this location is the second location information of the sensitive data in the second operation object. It can be seen that matching by location characteristics quickly identifies the sensitive data in the newly generated second operation object, further improving the efficiency of identifying sensitive data.
Based on the same concept, as shown in FIG. 2, an embodiment of the present invention provides a sensitive data identification device comprising a receiving unit 201 and a processing unit 202:
the receiving unit 201 is configured to receive a data operation instruction, the data operation instruction instructing that a second operation object be generated from a first operation object;
the processing unit 202 is configured to obtain first location information of sensitive data in the first operation object; execute the data operation instruction to obtain the second operation object, and determine second location information of the sensitive data in the second operation object according to the data structure of the second operation object and the first location information; and determine the data at the corresponding location in the second operation object to be sensitive data according to the second location information.
Preferably, the first location information is the position code of the location of the sensitive data in the first operation object;
the processing unit 202 is specifically configured to:
convert the positions of all data in the first operation object into corresponding position codes according to a preset rule;
query a preset sensitive data table, where the sensitive data table contains identification information of the first operation object and N position codes of the locations of N items of sensitive data in the first operation object, the N position codes being obtained by converting the locations of the N items of sensitive data according to the preset rule, and N being an integer greater than or equal to 1;
determine whether any of the converted position codes matches a position code corresponding to the first operation object in the sensitive data table, and if so, determine the position code that matches the sensitive data table to be the position code of the location of the sensitive data in the first operation object.
Preferably, a position code that matches the sensitive data table means:
the position code corresponding to the first location information completely matches a position code in the sensitive data table, or the position code corresponding to the first location information partially matches a position code in the sensitive data table.
Preferably, for the N position codes of the locations of the N items of sensitive data in the first operation object contained in the sensitive data table, the sensitive data table further includes a plurality of operation codes corresponding to each position code;
the processing unit 202 is specifically configured to:
query the sensitive data table according to the identification information of the first operation object in the data operation instruction and the operation code of the operation instruction;
determine from the query result whether the operation code contained in the data operation instruction is among the operation codes corresponding to the position code in the sensitive data table that matches the first location information;
if so, determine the second location information of the sensitive data in the second operation object according to the data structure of the second operation object and the first location information.
Preferably, the processing unit 202 is further configured to:
query the sensitive data table for the operation code corresponding to the first location information;
add the identification information of the second operation object, the second location information, and the queried operation code corresponding to the first location information to the sensitive data table, and establish the correspondence among the three.
Preferably, the first operation object is a first data table and the second operation object is a second data table;
the data operation instruction is one of the following:
copying the first data table to the second data table;
cutting the first data table to the second data table;
saving the first data table as the second data table.
It can be seen from the above that, in the embodiment of the present invention, since the data operation instruction instructs that the second operation object be generated from the first operation object, the second operation object is generated by the first operation object, and the corresponding location information in the second operation object of the data in the first operation object can therefore be tracked. Further, since the first location information of the sensitive data in the first operation object has been obtained, combining it with the tracked location information of the first operation object's data in the second operation object determines the location in the second operation object that corresponds to the sensitive data of the first operation object; this location is the second location information of the sensitive data in the second operation object. It can be seen that matching by location characteristics quickly identifies the sensitive data in the newly generated second operation object, further improving the efficiency of identifying sensitive data.
Those skilled in the art should understand that the embodiments of the present invention may be provided as methods or computer program products. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowcharts and/or block diagrams, and combinations of procedures and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce an apparatus for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, causing a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.
While preferred embodiments of the invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once the basic inventive concept is understood. Therefore, the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, provided that these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510015353.3A CN105844166B (en) | 2015-01-12 | 2015-01-12 | A kind of sensitive data recognition methods and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510015353.3A CN105844166B (en) | 2015-01-12 | 2015-01-12 | A kind of sensitive data recognition methods and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105844166A CN105844166A (en) | 2016-08-10 |
CN105844166B true CN105844166B (en) | 2018-11-02 |
Family ID: 57178007
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510015353.3A Active CN105844166B (en) | 2015-01-12 | 2015-01-12 | A kind of sensitive data recognition methods and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105844166B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106254226B (en) * | 2016-09-14 | 2019-10-25 | Guangdong OPPO Mobile Telecommunications Corp., Ltd. | Information synchronization method and device |
CN111291044A (en) * | 2020-01-14 | 2020-06-16 | China Mobile (Hangzhou) Information Technology Co., Ltd. | Sensitive data identification method, device, electronic device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1246008A (en) * | 1998-08-26 | 2000-03-01 | Inventec Corporation | Security method of multimedia data |
CN101183415A (en) * | 2007-12-19 | 2008-05-21 | Tencent Technology (Shenzhen) Co., Ltd. | Method and device for preventing sensitive information from leakage |
CN101779436A (en) * | 2007-08-15 | 2010-07-14 | International Business Machines Corporation | Tracking the origins of data and controlling data transmission |
CN104254858A (en) * | 2011-10-31 | 2014-12-31 | International Business Machines Corporation | Protecting sensitive data in a transmission |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8719233B2 (en) * | 2008-06-24 | 2014-05-06 | Emc Corporation | Generic method and apparatus for database sanitizing |
2015
- 2015-01-12 CN CN201510015353.3A patent/CN105844166B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1246008A (en) * | 1998-08-26 | 2000-03-01 | Inventec Corporation | Security method of multimedia data |
CN101779436A (en) * | 2007-08-15 | 2010-07-14 | International Business Machines Corporation | Tracking the origins of data and controlling data transmission |
CN101183415A (en) * | 2007-12-19 | 2008-05-21 | Tencent Technology (Shenzhen) Co., Ltd. | Method and device for preventing sensitive information from leakage |
CN104254858A (en) * | 2011-10-31 | 2014-12-31 | International Business Machines Corporation | Protecting sensitive data in a transmission |
Non-Patent Citations (1)
Title |
---|
"Research on sensitive data protection technology in cloud environments"; 刘明辉 et al.; Telecommunications Science (《电信科学》); 2014-11-30; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN105844166A (en) | 2016-08-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106503558B (en) | | An Android malicious code detection method based on community structure analysis |
US10489591B2 (en) | | Detection system and method thereof |
CN103473346B (en) | | An Android repackaged application detection method based on application programming interfaces |
Crussell et al. | | Andarwin: Scalable detection of Android application clones based on semantics |
GB2589793A (en) | | Open-source software vulnerability analysis |
CN101840352B (en) | | Method and device for monitoring database connection pool |
CN103500191B (en) | | Flow table configuration, query and table item deleting method and device |
TW201629832A (en) | | Method and device for identifying computer virus variants |
US9389852B2 (en) | | Technique for plagiarism detection in program source code files based on design pattern |
RU2008138700A (en) | | Creating disabled resource templates |
CN105607986A (en) | | Acquisition method and device of user behavior log data |
Mercaldo et al. | | Hey malware, I can find you! |
CN104717085A (en) | | Log parsing method and device |
US20170169069A1 (en) | | Data integrity checking in a distributed filesystem using object versioning |
CN108319858A (en) | | Data dependence graph construction method and device for unsafe functions |
CN104516864A (en) | | Report generating method and report generating device |
CN105825137B (en) | | A method and device for determining sensitive data diffusion behavior |
EP2951680B1 (en) | | Acquiring identification of an application lifecycle management entity associated with similar code |
CN102981956B (en) | | Method, device and program debugging system for building and searching an overlay symbol table |
CN105512276B (en) | | Method and device for constructing junk file and electronic equipment |
CN105844166B (en) | | A kind of sensitive data recognition methods and device |
CN110555185A (en) | | Page customization method and system based on PC client |
US8782090B2 (en) | | Aiding report construction based on inference of implicit application level relationships |
CN111221690B (en) | | Model determination method and device for integrated circuit design and terminal |
US20130318501A1 (en) | | Capturing domain validations and domain element initializations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | |