
CN112347497A - Data security processing method - Google Patents


Publication number
CN112347497A
Authority
CN
China
Prior art keywords
unit
data
error
encryption
processing method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011331336.8A
Other languages
Chinese (zh)
Inventor
杨恒翔
王燕军
杨大伟
杨柳
胡美慧
温刚
李凯
何伟
刘昆
孙若寒
向志威
马斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
State Grid Corp of China SGCC
Original Assignee
Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
State Grid Corp of China SGCC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd and State Grid Corp of China SGCC
Priority to CN202011331336.8A
Publication of CN112347497A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of data processing methods and is a data security processing method that processes data through an encryption authentication module and an internal tolerance module. The invention realizes data security processing through the encryption authentication module and the internal tolerance module. The encryption authentication function is realized through the encryption unit, decryption unit and authentication unit of the encryption authentication module, which ensures the integrity, confidentiality and security of the data and at the same time ensures the legitimacy and authenticity of the data source. In addition, the internal tolerance module tolerates errors in the data transmission process, realizing external-level intrusion tolerance of the database.

Description

Data security processing method
Technical Field
The invention relates to the technical field of data processing methods, in particular to a data security processing method.
Background
Databases are now applied ever more widely and deeply; fields such as enterprise management and control, electronic commerce and banking systems all require large amounts of confidential information to be stored in databases. Database security has become an important issue that cannot be neglected. Database security means that no part of any database can be accessed or modified by malicious acts or unauthorized persons. It covers 4 main aspects: confidentiality, integrity, validity, and legitimacy.
The database security technologies currently in use mainly include multi-level security databases, access control, intrusion detection, authentication and encryption. The introduction of intrusion tolerance technology provides a new approach to database security. An intrusion tolerant system is able to continue providing timely service to its intended users even in the face of an attack.
This mainly has 3 levels of meaning: first, it is acknowledged that the system has certain vulnerabilities; second, it is acknowledged that intrusions against sub-components can occur and can succeed; third, the security and availability of the system as a whole can still be ensured. This means that an intrusion tolerant system can detect information attacks that attack avoidance and prevention measures fail to detect, and take the necessary measures to ensure that critical applications continue to run correctly. Previous intrusion tolerant databases provide only an internal intrusion tolerance function, which is far from enough for fields with high confidentiality requirements.
An effective solution to the problems in the related art has not been proposed yet.
Disclosure of Invention
The invention provides a data security processing method, which overcomes the defects of the prior art, realizes data security processing through an encryption authentication module and an internal tolerance module, realizes an encryption authentication function through the encryption authentication module, ensures the integrity, confidentiality and security of data, simultaneously ensures the legality and authenticity of a data source, can tolerate errors in the data transmission process, and realizes the external level intrusion tolerance of a database.
The technical scheme of the invention is realized by the following measures: a data security processing method processes data through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data through an authentication unit, determining that each field of the i records is not modified, and determining the integrity and the validity of the data, wherein the authentication unit comprises:
constructing the value $X_i$:
Figure BDA0002795913090000011
in formula (1),
Figure BDA0002795913090000012
satisfies
Figure BDA0002795913090000013
$j = 1, 2, \ldots, n+2$;
Encrypting data by an encryption unit, the encryption unit comprising:
defining the i-th record of a table in the database as $(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
selecting n moduli, where $X_i \in [0, M]$,
$X_i$ being expressed as:
Figure BDA0002795913090000021
in formula (2), $M = m_1 m_2 \cdots m_n$,
Figure BDA0002795913090000022
$x_{ij} < m_j$,
denoting the i-th record as $x_i = \mathrm{CRT}(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
expanding the N moduli into N+2 moduli, the other two moduli being determined by:
$x_{n+k} > M_j$ (3),
in formula (3), $j = 1, 2, \ldots, n$ and $k = 1, 2$; the extension fields for these two moduli are expressed as:
$x_{i,n+1} = X_i \bmod m_{n+1}$
$x_{i,n+2} = X_i \bmod m_{n+2}$
decrypting the data by a decryption unit, the decryption unit comprising:
the received field is recorded as:
Figure BDA0002795913090000023
the decrypted field is:
Figure BDA0002795913090000024
in formulas (4) to (5),
Figure BDA0002795913090000025
Figure BDA0002795913090000026
$1 \le j \le n+1$, $1 \le i \le p$.
The following are further optimizations and/or improvements of the technical solution of the invention:
The internal tolerance module comprises a proxy service unit, an error repair unit, an error isolation unit, an event management unit and an intrusion detection unit, wherein the proxy service unit, the error repair unit, the error isolation unit and the intrusion detection unit are each in communication connection with the event management unit.
The proxy service unit comprises more than one heterogeneous proxy server.
The error repair unit includes an error evaluation subcomponent and an error repair subcomponent.
The invention realizes data safety processing through the encryption authentication module and the internal tolerance module, realizes the encryption authentication function through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, ensures the integrity, the confidentiality and the safety of data, simultaneously ensures the legality and the authenticity of a data source, and realizes the external level intrusion tolerance of a database through the tolerance of the internal tolerance module to errors in the data transmission process.
Drawings
FIG. 1 is a schematic block diagram of a data security processing method according to an embodiment of the present invention.
Fig. 2 is a schematic view of a scene application of the data security processing method according to the embodiment of the present invention.
Detailed Description
The present invention is not limited by the following examples, and specific embodiments may be determined according to the technical solutions and practical situations of the present invention.
The invention is further described below with reference to the following examples:
Example 1: As shown in FIG. 1, the data security processing method processes data through an encryption authentication module and an internal tolerance module, wherein the encryption authentication module comprises an encryption unit, a decryption unit and an authentication unit;
authenticating the data through an authentication unit, determining that each field of the i records is not modified, and determining the integrity and the validity of the data, wherein the authentication unit comprises:
constructing the value $X_i$:
Figure BDA0002795913090000031
in formula (1),
Figure BDA0002795913090000032
satisfies
Figure BDA0002795913090000033
$j = 1, 2, \ldots, n+2$;
The data is encrypted by an encryption unit; as shown in FIG. 2, the encryption unit includes:
defining the i-th record of a table in the database as $(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
selecting n moduli $(m_1, m_2, \ldots, m_n)$, where $X_i \in [0, M]$,
$X_i$ being expressed as:
Figure BDA0002795913090000034
in formula (2), $M = m_1 m_2 \cdots m_n$,
Figure BDA0002795913090000035
$x_{ij} < m_j$,
denoting the i-th record as $x_i = \mathrm{CRT}(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
expanding the N moduli into N+2 moduli, the other two moduli being determined by:
$x_{n+k} > M_j$ (3),
in formula (3), $j = 1, 2, \ldots, n$ and $k = 1, 2$; the extension fields for these two moduli are expressed as:
$x_{i,n+1} = X_i \bmod m_{n+1}$
$x_{i,n+2} = X_i \bmod m_{n+2}$
decrypting the data by a decryption unit, the decryption unit comprising:
the received field is recorded as:
Figure BDA0002795913090000041
the decrypted field is:
Figure BDA0002795913090000042
in formulas (4) to (5),
Figure BDA0002795913090000043
Figure BDA0002795913090000044
$1 \le j \le n+1$, $1 \le i \le p$.
The invention realizes data security processing through the encryption authentication module and the internal tolerance module. The encryption authentication function is realized through the encryption unit, the decryption unit and the authentication unit of the encryption authentication module, which ensures the integrity, confidentiality and security of the data and at the same time ensures the legitimacy and authenticity of the data source; the internal tolerance module tolerates errors in the data transmission process, realizing external-level intrusion tolerance of the database.
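The record encoding described in Example 1, as an added example that is not code from the patent: formulas (1), (2), (4) and (5) survive on this page only as figure references, so the sketch uses the textbook Chinese Remainder Theorem reconstruction and reads condition (3) as requiring the two extra moduli to exceed every base modulus (an assumption). The moduli, field values and function names are constructed; `repair` goes beyond the text by locating a single modified field with the standard leave-one-out test for redundant residue codes.

```python
from math import gcd, prod

BASE = [7, 11, 13]    # constructed moduli m_1..m_n, pairwise coprime
EXTRA = [17, 19]      # constructed moduli m_{n+1}, m_{n+2}, larger than every base modulus


def crt(residues, moduli):
    """Return the unique X in [0, prod(moduli)) with X % m_j == r_j for every j."""
    M = prod(moduli)
    total = 0
    for r, m in zip(residues, moduli):
        Mj = M // m
        total += r * Mj * pow(Mj, -1, m)  # pow(a, -1, m) is the modular inverse
    return total % M


def check_moduli(base, extra):
    """Reject parameter sets for which reconstruction or error location is unsound."""
    every = base + extra
    for a in range(len(every)):
        for b in range(a + 1, len(every)):
            if gcd(every[a], every[b]) != 1:
                raise ValueError(f"moduli {every[a]} and {every[b]} are not coprime")
    if min(extra) <= max(base):
        raise ValueError("extra moduli must exceed every base modulus")


def encode(fields, base=BASE, extra=EXTRA):
    """Return the stored record: the n fields followed by the two extension fields."""
    check_moduli(base, extra)
    if len(fields) != len(base) or any(not 0 <= x < m for x, m in zip(fields, base)):
        raise ValueError("each field x_ij must satisfy 0 <= x_ij < m_j")
    X = crt(fields, base)                      # X_i = CRT(x_i1, ..., x_in)
    return list(fields) + [X % m for m in extra]


def verify(stored, base=BASE, extra=EXTRA):
    """True if the extension fields still match the X rebuilt from the n fields."""
    n = len(base)
    X = crt(stored[:n], base)
    return all(X % m == r for m, r in zip(extra, stored[n:]))


def repair(stored, base=BASE, extra=EXTRA):
    """Return the record with a single modified field corrected.

    Drop one position at a time and rebuild X from the remaining n+1 residues;
    only when the dropped position is the modified one does X fall below
    M = m_1 * ... * m_n. Two modified fields are detected by verify() but
    cannot be repaired reliably with only two extension fields.
    """
    if verify(stored, base, extra):
        return list(stored)
    every, M = base + extra, prod(base)
    candidates = []
    for j in range(len(every)):
        rest_r = stored[:j] + stored[j + 1:]
        rest_m = every[:j] + every[j + 1:]
        X = crt(rest_r, rest_m)
        if X < M:
            candidates.append((j, X % every[j]))
    if len(candidates) != 1:
        raise ValueError("record is inconsistent and not repairable as a single-field change")
    j, value = candidates[0]
    fixed = list(stored)
    fixed[j] = value
    return fixed


if __name__ == "__main__":
    record = encode([3, 5, 8])                 # constructed record
    print(record, verify(record))
    tampered = [3, 9, 8, 6, 4]                 # second field changed from 5 to 9
    print(verify(tampered), repair(tampered))
```

The extension fields detect modification but are not a keyed integrity check: anyone who knows the moduli can recompute them for altered fields.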
Example 2: As an optimization of the above embodiment, the internal tolerance module includes a proxy service unit, an error repair unit, an error isolation unit, an event management unit and an intrusion detection unit, and the proxy service unit, the error repair unit, the error isolation unit and the intrusion detection unit are each in communication connection with the event management unit.
Example 3: as an optimization of the above embodiment, the proxy service unit includes more than one heterogeneous proxy server.
Example 4: as an optimization of the above embodiment, the error repair unit includes an error evaluation subcomponent and an error repair subcomponent.
The proxy service unit comprises a plurality of heterogeneous proxy servers and is used for filtering and sanitizing client service requests. Specifically, it is the internal tolerance module's first line of defense for blocking intrusions and the first barrier for achieving internal tolerance. Because the proxy server group sits at the outermost layer of the internal tolerance module and readily becomes one of the main targets of external attacks, a plurality of proxy servers is used so that the system has a certain tolerance capability.
The error repair unit is used for locating and repairing the damaged part and confirming the integrity of the database. Specifically, after the database is intruded upon, the damaged part can be found and repaired as soon as possible, so that the database as a whole remains usable even under attack. The error repair unit is thus an indispensable component of an intrusion tolerant database. The biggest challenge for damage repair is malicious transactions, which may also directly or indirectly affect other, normal transactions, so the error repair unit may be given two subcomponents: an error evaluation subcomponent and an error repair subcomponent. The error evaluation subcomponent finds all transactions affected by the malicious transaction; transaction tracking techniques can be used to find the whole series of subsequent transactions affected by it. The error repair subcomponent restores the correctness of the database. All transactions affected by malicious transactions can be cleared by setting up a specific clearing transaction. A simple way to clear a transaction is to restore the data of the affected transaction to the most recent data that was not corrupted.
The error isolation unit is used for calling the error repair unit and re-judging suspicious transactions. Specifically, calling the damage repair module (error repair unit) directly requires the event manager (event management unit) to spend a long time re-judging the suspicious transaction. During the response time of that judgment, many normal programs may execute after the malicious transaction and be affected by it, so that the malicious program spreads over a wide range. An error isolation unit is therefore introduced to reduce the impact of malicious transactions on normal transactions.
First, the event manager sets two abnormal-transaction limits and makes a direct judgment based on the report of the intrusion detection system (intrusion detection unit). When the degree of abnormality of an abnormal transaction exceeds the first-level limit, it is directly judged to be a malicious transaction and the damage repair module is called directly to process it. When the degree of abnormality exceeds the second-level limit, the transaction is defined as a suspicious transaction; it is taken out of the main database and put into the virtual isolation database, where its operations are restricted. The event manager then re-checks the suspicious transaction and determines its nature in detail: if it is judged to be a normal event, the transaction returns to the original main database and continues to run; if it is judged to be a malicious transaction, the damage repair module is called to process it. This can greatly reduce the extent to which malicious transactions spread.
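The two-limit triage, the isolation database and the evaluate-then-repair step described above, as an added sketch that is not code from the patent. It assumes the intrusion detection score is available before commit, that a later report can name an already committed transaction as malicious, and that repair replays unaffected transactions over a known-good snapshot; the limit values, class and method names and sample transactions are all constructed.

```python
from dataclasses import dataclass

FIRST_LIMIT = 0.8     # constructed: above this the transaction is judged malicious
SECOND_LIMIT = 0.5    # constructed: above this the transaction is judged suspicious


@dataclass
class Txn:
    txn_id: str
    reads: set        # keys read
    writes: dict      # key -> value written


class EventManager:
    def __init__(self, snapshot):
        self.snapshot = dict(snapshot)   # last known-good state of the main database
        self.main = dict(snapshot)       # main database
        self.log = []                    # committed transactions, in commit order
        self.isolated = {}               # virtual isolation database: txn_id -> Txn

    def _commit(self, txn):
        self.main.update(txn.writes)
        self.log.append(txn)
        return "committed"

    def triage(self, txn, score):
        """Apply the two limits to the abnormality score reported by the IDS."""
        if score > FIRST_LIMIT:
            return "malicious"           # refused; nothing reached the main database
        if score > SECOND_LIMIT:
            self.isolated[txn.txn_id] = txn
            return "isolated"            # held back until the re-check
        return self._commit(txn)

    def recheck(self, txn_id, malicious):
        """Outcome of the event manager's detailed re-check of an isolated transaction."""
        txn = self.isolated.pop(txn_id)
        return "malicious" if malicious else self._commit(txn)

    def assess(self, bad_id):
        """Error evaluation: the bad transaction plus every later one that read its data."""
        affected, tainted = set(), set()
        for txn in self.log:
            if txn.txn_id == bad_id or txn.reads & tainted:
                affected.add(txn.txn_id)
                tainted |= set(txn.writes)
            else:
                tainted -= set(txn.writes)   # a clean overwrite removes the taint
        return affected

    def repair(self, bad_id):
        """Error repair: rebuild main from the snapshot, replaying unaffected transactions."""
        affected = self.assess(bad_id)
        self.log = [t for t in self.log if t.txn_id not in affected]
        self.main = dict(self.snapshot)
        for txn in self.log:
            self.main.update(txn.writes)
        return affected


def demo():
    em = EventManager({"a": 100, "b": 50, "c": 0})
    submitted = [  # constructed transactions with constructed IDS scores
        (Txn("T1", {"a"}, {"a": 90}), 0.1),
        (Txn("T2", {"b"}, {"b": 999}), 0.2),   # slips under both limits
        (Txn("T3", {"b"}, {"c": 999}), 0.1),   # reads what T2 wrote
        (Txn("T4", {"a"}, {"a": 80}), 0.6),
        (Txn("T5", {"c"}, {"c": -1}), 0.9),
    ]
    outcomes = [em.triage(txn, score) for txn, score in submitted]
    affected = em.repair("T2")             # a later IDS report names T2 as malicious
    after_repair = dict(em.main)
    released = em.recheck("T4", malicious=False)
    return outcomes, affected, after_repair, released, dict(em.main)


if __name__ == "__main__":
    print(demo())
```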
The event management unit connects the internal database group and the external proxy server group, and takes measures to control and manage the other components (that is, the other units) based on the detection results of the intrusion detection unit. Specifically, as the core component of the internal tolerance module, it is responsible for connecting the internal database group and the external proxy server group, acting as a central bridge, and it communicates with the intrusion detection unit so that measures to control and manage the other components are taken on the basis of the intrusion detection results. The outermost proxy servers are easily attacked. The event manager can continuously send probe signals to the intrusion detection unit, check the state of a proxy server from the response signals and judge how badly it is damaged, and then lower that proxy's service priority or even stop it from working, to ensure the safety of the internal systems (computer systems and the like). When an intrusion bypasses the proxy server group and enters the system, the intrusion detection system (intrusion detection unit) first detects the abnormal behavior of the proxy server and reports the detection result to the event manager; the intrusion detection system cannot report errors with 100% accuracy. To reduce the false alarm rate of the intrusion detection system, the event manager analyzes the intrusion again and acts on the result: a normal event is not processed, the error isolation unit is called to isolate a suspicious event, and the error isolation unit is called to repair a malicious event.
In addition, the event manager is also a medium for the mutual communication of the distributed databases, a safe communication channel is provided, the overall safety of the transaction is enhanced, and meanwhile, the event manager is combined with an intrusion detection system to carry out detection control on the distributed databases.
The intrusion detection unit is used for collecting information from a number of key points and analyzing it to determine whether there is behavior violating the security policy or signs of attack. Specifically, it collects information from several key points in a computer network or computer system and analyzes it to find out whether the network or system shows behavior violating the security policy or signs of attack. An IDS (intrusion detection system) monitors the entire activity of the tolerant databases, the tolerant proxies and the system. The IDS may run alone on a dedicated platform or may be embedded in a particular module of the system. Compared with intrusion tolerance systems, intrusion detection systems are more mature.
The above technical features constitute embodiments of the invention, which have strong adaptability and implementation effect; non-essential technical features can be added or removed according to actual needs to meet the requirements of different situations.

Claims (5)

1. A data security processing method, characterized in that data is processed by an encryption authentication module and an internal tolerance module, the encryption authentication module comprising an encryption unit, a decryption unit and an authentication unit;
the data is authenticated by the authentication unit, the authentication unit comprising:
constructing the value $X_i$:
Figure FDA0002795913080000011
in formula (1),
Figure FDA0002795913080000012
satisfies
Figure FDA0002795913080000013
$j = 1, 2, \ldots, n+2$;
the data is encrypted by the encryption unit, the encryption unit comprising:
defining the i-th record of a table in the database as $(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
selecting n moduli, where $X_i \in [0, M]$,
$X_i$ being expressed as:
Figure FDA0002795913080000014
in formula (2), $M = m_1 m_2 \cdots m_n$,
Figure FDA0002795913080000015
$x_{ij} < m_j$,
denoting the i-th record as $x_i = \mathrm{CRT}(x_{i1}, x_{i2}, x_{i3}, \ldots, x_{in})$,
expanding the N moduli into N+2 moduli, the other two moduli being determined by:
$x_{n+k} > M_j$ (3),
in formula (3), $j = 1, 2, \ldots, n$ and $k = 1, 2$; the extension fields for these two moduli are expressed as:
$x_{i,n+1} = X_i \bmod m_{n+1}$,
$x_{i,n+2} = X_i \bmod m_{n+2}$;
the data is decrypted by the decryption unit, the decryption unit comprising:
the received field is recorded as:
Figure FDA0002795913080000016
the decrypted field is:
Figure FDA0002795913080000017
in formulas (4) to (5),
Figure FDA0002795913080000018
Figure FDA0002795913080000021
$1 \le j \le n+1$, $1 \le i \le p$.
2. The data security processing method according to claim 1, characterized in that the internal tolerance module comprises a proxy service unit, an error repair unit, an error isolation unit, an event management unit and an intrusion detection unit, the proxy service unit, the error repair unit, the error isolation unit and the intrusion detection unit each being in communication connection with the event management unit.
3. The data security processing method according to claim 1 or 2, characterized in that the proxy service unit comprises more than one heterogeneous proxy server.
4. The data security processing method according to claim 1 or 2, characterized in that the error repair unit comprises an error evaluation subcomponent and an error repair subcomponent.
5. The data security processing method according to claim 3, characterized in that the error repair unit comprises an error evaluation subcomponent and an error repair subcomponent.
CN202011331336.8A 2020-11-24 2020-11-24 Data security processing method Pending CN112347497A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011331336.8A CN112347497A (en) 2020-11-24 2020-11-24 Data security processing method

Publications (1)

Publication Number Publication Date
CN112347497A true CN112347497A (en) 2021-02-09

Family

ID=74364740

Country Status (1)

Country Link
CN (1) CN112347497A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210209