WO2016034068A1 - Sensitive information processing method, apparatus, server and security determination system - Google Patents
- Publication number: WO2016034068A1
- Application number: PCT/CN2015/088214
- Authority: WO, WIPO (PCT)
- Prior art keywords: sensitive information, information, processed, unit, variable
Classifications
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/0281—Proxies
- H04L9/40—Network security protocols
- H04L2209/04—Masking or blinding
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Definitions
- the present application belongs to the field of information communication, and in particular relates to a sensitive information processing method, device, server and security determination system for computer page information interaction.
- the main method includes sending an HTTP page request to the server through the client browser, and the server responds to the HTTP request and returns the requested page information to the client for browsing by the client user.
- the page returned by the server often contains sensitive information related to the user, such as the user's account name, communication address, mobile phone number, ID card information, and the like.
- the illegal user can obtain sensitive information on the page by viewing the source code of the page, the network capture packet, and the like, and the user information is leaked.
- the information behind the "mailto:" in the page information or the information before and after the "@" can be extracted by the network tool to achieve the purpose of extracting the email information in the page.
- a commonly used method for processing sensitive information includes encrypting, masking, or blocking an illegal user from capturing a page returned by a server by embedding a JavaScript script in a page.
- the email sensitive information can be converted into an ASCII encoded string form, and then written into the page by the document.write method in the JavaScript scripting language to complete the processing of the sensitive information of the email.
- the sensitive information in the page returned by the server is often the original sensitive information that has not been processed by the JavaScript script. Further, even if the sensitive information in the page is processed by the JavaScript script, the illegal user can still obtain the sensitive information in the page at the client by deleting the JavaScript script or preventing the corresponding JavaScript script from running. Therefore, the methods for processing page sensitive information commonly used in the prior art leave the sensitive information in the page with low security.
- the purpose of the present application is to provide a method, device, server and security determination system for sensitive information processing, which can improve the security of sensitive information in a page.
- a method of sensitive information processing comprising:
- processing is performed according to a preset sensitive information processing policy to form processed sensitive information
- the corresponding to-be-processed information in the page is replaced with the processed sensitive information to form a page after the sensitive information is processed.
- An apparatus for implementing sensitive information processing comprising:
- An information acquiring unit configured to acquire information to be processed in the page
- a sensitive information base for storing sensitive information
- a sensitive information identifying unit configured to determine, according to the sensitive information stored in the sensitive information base, whether the to-be-processed information is sensitive information
- An information processing unit configured to: when the sensitive information identifying unit determines that the to-be-processed information is sensitive information, process the to-be-processed information based on a sensitive information processing policy stored by the processing policy unit to form processed sensitive information.
- a server for implementing sensitive information processing comprising:
- the MVC target system is configured to receive an HTTP request sent by the client, and generate a page template ModelMap according to the HTTP request; further configured to send the to-be-processed information to the generated page template ModelMap, and complete the rendering of the page corresponding to the HTTP request; further configured to send the rendered page to the client; and further configured to receive the processed sensitive information sent by the sensitive information processing module, and replace the corresponding to-be-processed information in the page template with the processed sensitive information;
- An interceptor configured to acquire the to-be-processed information in the page template ModelMap, and send the to-be-processed information to the sensitive information processing module; and further configured to receive the processed sensitive information sent by the sensitive information processing module, and send the processed sensitive information to the MVC target system;
- the sensitive information processing module is configured to receive the to-be-processed information and determine whether it is sensitive information, and is further configured to process the to-be-processed information that is determined to be sensitive information according to a preset sensitive information processing policy, to form processed sensitive information;
- the sensitive information processing module includes:
- An information receiving unit configured to receive information to be processed
- a first sensitive information base for storing sensitive information
- a first sensitive information identifying unit configured to determine, according to the sensitive information stored in the first sensitive information database, whether the to-be-processed information is sensitive information
- a first processing policy unit configured to store a sensitive information processing policy
- a first information processing unit configured to: when the first sensitive information identifying unit determines that the to-be-processed information is sensitive information, process the to-be-processed information based on a sensitive information processing policy stored by the first processing policy unit Forming processed sensitive information;
- the first backhaul unit is configured to send the processed sensitive information to the interceptor.
- a security determination system comprising:
- a second sensitive information base for storing sensitive information; and configured to receive a variable name sent by the second to-be-processed sensitive information unit, and determine whether the stored variable information includes the received variable name; if the result of the determination is that the variable name is not included in the sensitive information database, the variable name is stored as newly added sensitive information;
- a second sensitive information identifying unit configured to acquire information to be processed in the page; and configured to determine, according to the sensitive information stored in the second sensitive information database, whether the to-be-processed information is sensitive information;
- a second information processing unit configured to store a sensitive information processing policy, and configured to: when the second sensitive information identifying unit determines that the to-be-processed information is sensitive information, based on the stored sensitive information processing policy Processing information for processing to form processed sensitive information;
- a monitoring unit configured to store a pre-set sensitive information monitoring policy; and configured to determine, according to the stored sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC framework structure of the page server is sensitive information to be processed; and, when determining that the value of the variable information is sensitive information to be processed, to send a variable name corresponding to the value of the variable information to the second sensitive information database;
- the sensitive information log unit is configured to generate a log of the sensitive information to be processed, where the to-be-processed sensitive information log includes the number of sensitive information to be processed that is determined by the monitoring unit;
- a first security determining unit configured to acquire the newly added sensitive information log of the first target system or the data of the to-be-processed sensitive information log or the second sensitive information database, and determine, according to a predetermined determination rule, the security level to which the first target system belongs.
- the method, device, server and security determination system for sensitive information processing can obtain information to be processed on the page server side, and determine whether the to-be-processed information is sensitive information according to a predetermined sensitive information identification policy.
- the sensitive information may be processed according to a preset sensitive information processing policy, and then the processed sensitive information is returned to the page to form a page after the sensitive information is processed.
- the page received by the client is a page whose sensitive information has been processed on the server side. Even if the illegal user of the client captures data packets or deletes the JavaScript script, the real sensitive information on the page cannot be obtained, and the security of the sensitive information in the page is improved.
- FIG. 1 is a schematic diagram of an interaction process between a user and a server in which the server of the present application adopts an MVC frame page structure
- FIG. 2 is a flowchart of a method of an embodiment of a method for processing sensitive information according to the present application
- FIG. 3 is a schematic flow chart of another embodiment of a method for processing sensitive information according to the present application.
- FIG. 4 is a schematic structural diagram of a module for implementing an embodiment of a sensitive information processing apparatus according to the present application
- FIG. 5 is a schematic structural diagram of a module for implementing a sensitive information identifying unit in a sensitive information processing apparatus according to the present application
- FIG. 6 is a schematic structural diagram of a module for implementing a processing policy unit in a sensitive information processing apparatus according to the present application
- FIG. 7 is a schematic structural diagram of a module of another embodiment of an apparatus for implementing sensitive information processing according to the present application.
- FIG. 8 is a schematic structural diagram of a module of another apparatus for implementing sensitive information processing according to the present application.
- FIG. 9 is a schematic structural diagram of a module of another embodiment of an apparatus for implementing sensitive information processing according to the present application.
- FIG. 10 is a schematic structural diagram of a module of another embodiment of a server for implementing sensitive information processing according to the present application.
- FIG. 11 is a block diagram showing the structure of an embodiment of a security determination system of the present application.
- FIG. 12 is a block diagram showing another embodiment of a security determination system of the present application.
- the MVC framework is a design pattern for web applications commonly used by web servers, which separates software business logic, data, and interface display using MVC (Model-View-Controller).
- the Model can be used to encapsulate the data related to the business logic of the application and the processing method of the data, usually having direct access to the data, such as access to the database.
- Views can be used for the display of data, usually the parts of the application that are relevant to the user interface, such as the page interface that users can browse and interact with.
- the view can be created from the model data.
- the Controller acts as an organization between different layers and can be used to handle events and respond.
- the three modules of the MVC framework mode can be independent of each other, and one of them can be changed.
- the MVC framework design pattern can be adopted on the server side.
- the model can respond to the user's request and return response data.
- the view can format the data and can be presented to the user interface's Internet interface and WAP interface.
- FIG. 1 is a schematic diagram of an interaction process between a user and a server using a page structure of an MVC framework.
- the user can send an HTTP request to the server through the client's browser.
- when obtaining the HTTP request sent by the user through the browser, the web server adopting the MVC framework mode generates a corresponding page model according to the HTTP request, and then renders the generated page model.
- the page model can generally be a pre-designed or system-stored page template (ModelMap), which can include variable information in the page template.
- the rendering of the page model may include finding the variable information in the page template by a controller, and replacing the variable in the page template with the corresponding real data according to the HTTP request of the user.
- the rendered page can be transmitted back to the user, and the view module can control the rendered interface on the display interface of the user client.
- the present invention provides a method for processing sensitive information, which can process sensitive information of a user before the server returns a page to the user, so that the sensitive information contained in the page received by the user client is sensitive information that has been correspondingly processed on the server side.
- FIG. 2 is a flow chart of a method of an embodiment of a method for processing sensitive information according to the present application. As shown in FIG. 2, the method for processing sensitive information may include:
- the to-be-processed information may be set according to a frame structure of the page server.
- the to-be-processed information in this embodiment may include variable information of the ModelMap in the MVC framework structure of the page server.
- the page server may create an empty ModelMap page template when receiving the HTTP request sent by the client.
- the page template ModelMap can be a storage structure in the MVC framework structure, and can be used to store information that needs to be returned to the client in the page.
- the page template ModelMap may include a variable, and the data format of the variable is usually a map (key: value) key-value pair data format including a variable name (key) and a value, wherein the value of the variable ("value") is generally a null value or a default string representing the initial value.
- for example, a variable set in ModelMap is (name1:value), and the value "Zhangsan" can be stored in the "name1" variable in the ModelMap by an operation such as ModelMap.put("name1", "Zhangsan").
- the data of the ModelMap can be obtained.
- the variable information of the ModelMap in the MVC frame structure of the page server can be obtained, and the variable information in the ModelMap is obtained.
- the variable information can be obtained while the page server stores the data in the variable in the page, or the variable information in the page can be obtained after the page server stores all the variables in the page.
- the variable information may be obtained after the MVC framework stores the data of all the variables in the ModelMap, and the variable information is used as the information to be processed.
- FIG. 3 is a schematic flowchart of another embodiment of a method for processing sensitive information according to the present application.
- the obtaining of the information to be processed in the page in the method for processing sensitive information may include acquiring variable information in an MVC framework by using a postHandle handler of the interceptor, the obtained variable information being the to-be-processed information. Specifically, this may include:
- the page server stores variable information in variables of ModelMap in the form of (variable name: value).
- the MVC framework can send the ModelMap data to the interceptor, and the postHandle handler of the interceptor receives the ModelMap data sent by the MVC framework.
- the postHandle handler may traverse the variable information in the ModelMap, obtain a variable in the ModelMap, and use the acquired variable information as the information to be processed.
- the interceptor can generally include means for intercepting an access source before an execution step or field of the application is accessed, and performing specific processing steps before or after the interception.
- the interceptor can include three processing methods:
- preHandle(): called before the Controller is called; can be used to initialize the operation or pre-process the request;
- postHandle(): called after the Controller is called and before the view is rendered; can be used to process model data or views;
- afterCompletion(): called after the view is rendered; can be used for resource cleanup.
- each processing method of the interceptor may be implemented by a corresponding processing unit.
- the preHandle processing stage may be implemented by an entity device preHandler of the interceptor.
- the postHandle processing stage may be implemented by an entity device postHandler of the interceptor.
- the to-be-processed information that is, the variable information in the MVC frame structure ModelMap in this embodiment may be acquired in the postHandle or afterCompletion stage.
- the preferred mode in this embodiment is that the information to be processed in the page can be acquired by the interceptor after the Controller is called in the MVC framework structure, and the discrimination processing of the sensitive information is involved.
- the variable information in the ModelMap can be obtained by the interceptor's postHandle handler.
- the information to be processed in the page may also be acquired by the interceptor after the rendering (Velocity) call in the MVC framework structure, that is, the to-be-processed information is obtained in the afterCompletion stage of the interceptor.
- the method for acquiring and subsequently modifying the variable information in the ModelMap by the interceptor in this embodiment is applicable to other framework structures based on the MVC framework, such as a webx framework structure.
- the corresponding interceptor may acquire and process the page before the page rendering (Velocity) and after the Controller is called.
- the information to be processed may also be acquired and processed by the corresponding interceptor after the page rendering (Velocity).
- a preferred embodiment is that the to-be-processed information is acquired and processed by the corresponding interceptor before the page is rendered (Velocity) and after the Controller is called.
- variable information in the ModelMap in the page server MVC frame structure is obtained, and the variable information is used as the to-be-processed information in the page.
- S2: Determine whether the to-be-processed information is sensitive information according to a preset sensitive information identification policy.
- the sensitive information identification policy may be a preset set of discriminative rules or methods for determining whether the acquired information to be processed is sensitive information.
- the sensitive information identification policy may include setting a sensitive information base for storing sensitive information.
- the determining whether the to-be-processed information is sensitive information according to the pre-set sensitive information identification policy may include:
- S202: Compare the variable name of the variable information in the acquired ModelMap with the sensitive information stored in the sensitive information base, and determine whether the variable name is in the sensitive information base;
- S203: Determine whether the to-be-processed information is sensitive information according to whether the variable name is in the sensitive information database.
- a sensitive information base including pre-defined sensitive information can be set.
- the user's username, phone number, email, and ID number information may be pre-defined as sensitive information, and the corresponding variable names "User", "Tel_Num", "E-Mail" and "ID_Num" in the ModelMap may be stored in advance in a sensitive information base.
- the obtained variable name may be compared with the sensitive information stored in the sensitive information base. If the sensitive information database includes sensitive information that is the same as the obtained variable name, this indicates that the to-be-processed information is sensitive information, that is, in this embodiment, that the variable information in the ModelMap corresponding to the variable name is sensitive information.
- otherwise, the information to be processed is not sensitive information, that is, in this embodiment, the variable information in the ModelMap corresponding to the variable name is not sensitive information.
- the sensitive information stored in the sensitive information base described above can be added or deleted or modified according to requirements.
- the acquired to-be-processed information may be in other data formats corresponding to the server framework structure, and the sensitive information identification policy may also be set correspondingly based on the to-be-processed information and the server framework, for example, determining whether the entire data of the to-be-processed information is sensitive information, or determining whether the information to be encrypted is sensitive information based on the specified data.
- the determining whether the to-be-processed information is sensitive information according to a preset sensitive information identification policy.
- the information may be processed according to a preset sensitive information processing policy to form processed sensitive information.
- the information to be processed may be processed according to a preset sensitive information processing policy.
- the sensitive information processing policy may include a preset set of processing rules or methods for the information to be processed that are determined to be sensitive information.
- the processing according to the preset sensitive information processing policy may include processing the value corresponding to the variable name in the variable information.
- the specific sensitive information processing strategy may include at least one of the following:
- the non-processing may include not masking, transforming, or replacing the value corresponding to the variable name, so that the value corresponding to the variable name is unchanged.
- the predetermined portion of the presentation may include displaying a particular field of the value corresponding to the variable name according to a predetermined presentation rule.
- an example of a predetermined presentation rule: when the to-be-processed information is (Tel_Num: 15912344321), the predetermined display rule may include replacing the fourth to eighth digits of the value corresponding to the variable name "Tel_Num" with the character "*".
- the above-mentioned to-be-processed information (Tel_Num: 15912344321) can be processed according to the processing strategy shown in the above predetermined part to form the processed sensitive information (Tel_Num: 159*****321).
- the full masking may include masking all fields of the value corresponding to the variable name according to a predetermined masking rule.
- the value corresponding to the variable name "Tel_Num" can be replaced by one or more "*" characters, and the processed sensitive information can be (Tel_Num:*) or (Tel_Num:***********).
- the masking by the permission may include processing the value corresponding to the variable name according to the authority of the specified field.
- the known field is the obtained user name of the client user, and the corresponding processing method may be set according to the permission of the different domain group where the user name is located.
- the sensitive information may be processed according to the authority of the user of the client that sent the received HTTP request. For example, when the user name sending the HTTP request belongs to the super administrator domain group, all the sensitive information may be left unprocessed; when the user name sending the HTTP request belongs to the administrator domain group, the specified sensitive information may be set to be partially masked; when the user name sending the HTTP request belongs to the user domain group, all or part of the specified sensitive information may be set to be masked.
- Table 1: Example of processing policies set by permission

| Variable name | Value | Domain group | Processing strategy | Processed value |
|---|---|---|---|---|
| Name1 | Zhang San | Super administrator | Not processed | Zhang San |
| Name2 | Li Si | Administrator | Partial display | Li* |
| Name3 | Wang Wu | User | Masking | ** |
| Tel_Num | 15912344321 | User | Partial display | 159*****321 |
| E-Mail | [email protected] | User | Partial display | Use**@163.com |
| ID_Num | 320322198708081234 | Administrator | Masking | 320**** |
| Add_ID | Hangzhou, Zhejiang | User | Partial display | Zhejiang province |
| Gender | Female | User | Not processed | Female |
- the transformed display may include transforming a value corresponding to the variable name according to a predetermined transformation rule, and using the transformed value as the value of the variable name.
- an example of a predetermined transformation rule: the value "evil" in the fourth variable (Name4:evil) in the ModelMap is converted to "live" according to a predetermined rule as the value of the processed fourth variable, that is, the processed sensitive information can be (Name4:live).
- the false alarm may be expressed as an abnormality in the identification rule of the sensitive information or the determined sensitive information does not meet the sensitivity information determination standard set according to other conditions, and the value corresponding to the variable name is not processed.
- a false positive log can be generated.
- the false alarm log may store the number of times the false alarm is generated and the target source of each false alarm (for example, the original variable name and value), the cause of the false alarm, the log generation time, and the like. In the embodiment, the generated false alarm log may be stored, which may be used for subsequent behavior statistics.
- the sensitive information processing strategy may be set or nested according to requirements.
- the processing according to the preset sensitive information processing policy may include:
- a sensitive information processing policy is set on the value corresponding to the same variable name according to the authority of the specified field information in the same variable name of the variable information.
- the user name, phone number, email, and ID number information of the user may be pre-defined as sensitive information, with the corresponding variable names "User", "Tel_Num", "E-Mail" and "ID_Num" in the ModelMap.
- the value corresponding to the variable name "User" of the user name may be set, according to the security level of the pre-set sensitive information, to the predetermined partial display processing policy, so that only the first two characters are displayed and the rest are replaced with "*" characters; the value corresponding to the variable name "E-Mail" of the user's email address may be set, according to the predetermined partial display processing policy, to display only the character "@" and the characters after "@".
- the value corresponding to the variable name "ID_Num" of the ID number can be replaced by four "*" characters according to the full masking processing policy.
- the sensitive information processing policy may also be set to the corresponding value of the same variable name according to the authority of the specified field information set in the same variable of the variable information.
- the specified field may include specific field information in the acquired page, such as the username of the user who sent the HTTP request.
- the sensitive information may be processed according to the acquired authority of the user who sends the HTTP request. For example, when the user who sends the HTTP request is an administrator authority, the value corresponding to the variable name "Tel_Num" of the user's phone number can be left unprocessed, and the administrator can view the complete phone number information in the final returned page.
- the value corresponding to the variable name "Tel_Num" of the user's phone number may be displayed only according to the predetermined display rule, so that only the first three digits and the last three digits of the phone number are displayed and the remaining digits are replaced by the "*" character.
- the information may be processed according to at least one sensitive information processing policy set in advance to form processed sensitive information.
- the processed sensitive information may be sent to the location in the page of the corresponding to-be-processed information, replacing the original to-be-processed information in the page.
- the value-replaced variable may be returned to the ModelMap of the MVC server framework structure, and the value-replaced variables are rendered on the page in the MVC framework. Specifically, for example, when the VM page template is rendered, the value of the variable in the ModelMap that has the same variable name as the processed sensitive information may be replaced with the value of the processed sensitive information.
- the value "Li Si" of the variable (Name2: Li Si) in the ModelMap can be replaced by the value "Li*" of the processed sensitive information.
- the information to be encrypted may not need to be processed. Specifically, in this embodiment, the value of the variable in the ModelMap may not need to be replaced.
- the sensitive information processed page can be transmitted back to the client browser.
- the client receives the sensitive information processed page, it displays to the user a page that has processed sensitive information. For example, in the module display area displaying the currently logged-in user name, the user name "Li Si" originally to be displayed may be displayed as "Li*" after the sensitive information is processed to the client user.
- the method for processing sensitive information may obtain the information to be processed on the page server side, and determine whether the to-be-processed information is sensitive information according to a predetermined sensitive information identification policy. When the to-be-processed information is sensitive information, it can be processed according to the preset sensitive information processing policy, and the processed sensitive information is then returned to the page to form the page after sensitive information processing.
- the sensitive information contained in the page after sensitive information processing has already been processed on the server side. Even if an unauthorized user of the client captures data packets or deletes the JavaScript script, the real sensitive information in the page cannot be obtained, which improves the security of sensitive information on the page.
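The processing policies described above (predetermined-part display, full masking and authority-based masking), applied on the server before the template is rendered, as an added Python example that is not code from the application. A plain dict stands in for the ModelMap; the `${name}` template syntax, the role names, the function names and all sample values are assumptions constructed for illustration.

```python
import re

FULL_MASK = "****"  # fixed width, so the masked value does not reveal the original length


def keep_prefix(value, shown=2):
    """Predetermined-part display: show the first `shown` characters, star the rest."""
    return value[:shown] + "*" * max(len(value) - shown, 0)


def keep_email_domain(value):
    """Predetermined-part display for e-mail: show "@" and what follows it."""
    local, at, domain = value.rpartition("@")
    if not at or not local or not domain:
        return FULL_MASK  # not a usable address: fail closed
    return "***@" + domain  # fixed-width local part is a choice of this example


def keep_phone_ends(value):
    """Show the first three and last three digits, star the digits between."""
    if len(value) <= 6:
        return FULL_MASK  # nothing would be hidden: fail closed
    return value[:3] + "*" * (len(value) - 6) + value[-3:]


def phone_by_authority(value, role):
    """Authority-based policy: an administrator sees the full number."""
    return value if role == "admin" else keep_phone_ends(value)


# Sensitive information base: variable name -> policy(value, role).
SENSITIVE_BASE = {
    "User": lambda value, role: keep_prefix(value),
    "E-Mail": lambda value, role: keep_email_domain(value),
    "ID_Num": lambda value, role: FULL_MASK,
    "Tel_Num": phone_by_authority,
}


def process_model(model, role):
    """Return a copy of the model in which every variable whose name is in the
    sensitive information base carries its processed value."""
    processed = {}
    for name, value in model.items():
        policy = SENSITIVE_BASE.get(name)
        processed[name] = value if policy is None else policy(str(value), role)
    return processed


def render(template, model):
    """Minimal ${name} substitution standing in for the page template engine."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(model[m.group(1)]), template)


# Constructed sample data.
MODEL = {
    "User": "zhangsan",
    "E-Mail": "zhangsan@example.com",
    "ID_Num": "123456789012345678",
    "Tel_Num": "13800001234",
    "Title": "Account overview",
}
TEMPLATE = "<h1>${Title}</h1><p>${User} / ${E-Mail} / ${ID_Num} / ${Tel_Num}</p>"


def page_for(role):
    """Render the page for a requester with the given role; masking happens first."""
    return render(TEMPLATE, process_model(MODEL, role))


if __name__ == "__main__":
    print(page_for("user"))
    print(page_for("admin"))
```

Because the substitution happens on the model before rendering, the response body never contains the original values, whatever the client does with the page afterwards.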
- the HTTP request page sent by the client user may include multiple sensitive information to be identified and processed.
- the sensitive information may appear in different locations of different request pages, and may also correspond to different variables in the MVC framework structure ModelMap.
- the sensitive information processing increases the difficulty of identifying sensitive information.
- Different page servers or different design developers based on the MVC framework can set different variable names in the ModelMap for the same sensitive information, such as the user's email address and ID number.
- the variable corresponding to the ID number variable information is named “ID_Num”
- the variable name corresponding to the ID number variable information in the ModelMap may be “Num_001”.
- the present application provides another embodiment of a dynamic sensitive information processing method.
- the sensitive information identification policy can be dynamically adjusted according to a preset sensitive information monitoring policy.
- the method for processing sensitive information may further include:
- variable name corresponding to the value of the variable information is sent to the sensitive information database.
- whether the value of the variable information in the ModelMap is sensitive information to be processed may be determined according to a preset sensitive information monitoring policy.
- the sensitive information usually has a certain data structure format.
- the mobile phone number can usually be a combination of numbers of 11 digits starting with a non-zero, and the email address can include the "@" character.
- the sensitive information monitoring policy may use regular-expression matching to check whether the value of the variable information in the ModelMap conforms to a preset combination of 11 digits, or determine whether the value of the variable information in the ModelMap contains the "@" character with at least one non-empty character before "@".
- the variable name "Phone_Num" or "First_Contact" corresponding to the value of the variable information may be sent to the sensitive information base.
- the sensitive information base may receive the variable name "Phone_Num" or "First_Contact" corresponding to the value of the variable information, and compare whether any sensitive information in the sensitive information base is the same as the variable name. If the sensitive information base has no sensitive information identical to the variable name, the variable name, which is not included in the sensitive information base but corresponds to the sensitive information to be processed, may be stored in the sensitive information base as new sensitive information.
- the variable name "Phone_Num" or "First_Contact" may thus be added to the sensitive information base as new sensitive information by the sensitive information monitoring policy. The next time a user HTTP request is responded to, the sensitive information with the variable name "Phone_Num" or "First_Contact" can be identified, and the value corresponding to the variable name "Phone_Num" or "First_Contact" can be processed according to the sensitive information processing policy.
- a corresponding log of sensitive information to be processed may also be generated.
- the to-be-processed sensitive information log may include the number of sensitive information to be processed, the value of the sensitive information to be processed, the variable name corresponding to the value, whether it has been sent to the sensitive information database, the processing time of each piece of sensitive information to be processed, the generation time of the to-be-processed sensitive information log, etc., and can be used for data processing in subsequent system security decisions.
- the corresponding new sensitive information log may also be generated.
- the newly added sensitive information log may include the number of newly added sensitive information, the value of the newly added sensitive information, the variable name corresponding to the value, whether it is already stored in the sensitive information base, the storage time, the generation time of the newly added sensitive information log, etc., and can be used for data processing in subsequent system security decisions.
- a sensitive information processing method that includes a sensitive information monitoring process can implement dynamic update of the sensitive information base, which can more accurately identify sensitive information in the information to be processed, complete the processing of sensitive information, and improve the security of sensitive information on the page.
- FIG. 4 is a schematic structural diagram of a module for implementing an embodiment of a sensitive information processing apparatus according to the present application. As shown in FIG. 4, the apparatus may include:
- the information obtaining unit 101 may be configured to acquire information to be processed in the page;
- the sensitive information base 102 can be used to store sensitive information
- the sensitive information identifying unit 103 may be configured to determine, according to the sensitive information stored in the sensitive information base 102, whether the to-be-processed information is sensitive information;
- the processing policy unit 104 can be configured to store a sensitive information processing policy.
- the information processing unit 105 may be configured to process the to-be-processed information based on the sensitive information processing policy stored by the processing policy unit 104 when the sensitive information identifying unit 103 determines that the to-be-processed information is sensitive information, to form processed sensitive information.
- the information to be processed acquired by the information acquiring unit 101 may include:
- ModelMap in the page server MVC framework structure.
- the specific information processing policy that the processing policy unit 104 stores may include:
- a sensitive information processing policy is set on the value corresponding to the same variable name according to the authority of the specified field information in the same variable name of the variable information.
- FIG. 5 is a block diagram showing a structure of an embodiment of a sensitive information identifying unit 103 in a sensitive information processing apparatus according to the present application.
- the sensitive information identifying unit 103 may include:
- the key value obtaining unit 1031 may be configured to obtain a variable name of the variable information in the page server MVC frame structure ModelMap;
- the comparing unit 1032 is configured to compare whether the variable name of the variable information in the acquired ModelMap is the same as the sensitive information stored in the sensitive information base 102;
- the first determining unit 1033 may be configured to determine, according to the comparison result of the comparing unit 1032, whether the to-be-processed information is sensitive information.
- the first determining unit 1033 may determine that the to-be-processed information acquired by the information acquiring unit 101 is sensitive information.
- when the comparing unit 1032 traverses the sensitive information stored in the sensitive information base 102 and finds no sensitive information identical to the variable name, the comparison result is "different".
- the first determining unit 1033 may determine that the to-be-processed information acquired by the information acquiring unit 101 is not sensitive information.
- FIG. 6 is a schematic structural diagram of a module of an embodiment of a processing policy unit in an apparatus for implementing sensitive information processing according to the present disclosure.
- the processing policy unit 104 may include at least one of the following units:
- the predetermined part display unit 1041 may be configured to display a specific field of the value corresponding to the variable name according to a predetermined display rule
- the full masking unit 1042 can be configured to mask all fields of the value corresponding to the variable name according to a predetermined masking rule
- the privilege masking unit 1043 may be configured to process the value corresponding to the variable name according to the privilege of the specified field. Specifically, for example, the specified sensitive information may be left unmasked or partially masked for a user with high authority, and partially or completely masked for a user with relatively low authority.
- the transformation display unit 1044 may be configured to transform the value corresponding to the variable name according to a predetermined transformation rule, and use the transformed value as the value of the variable name.
- the false alarm unit 1045 may be configured to: when an abnormality occurs in any one of the structural modules in the sensitive information processing device, or the sensitive information determined by the sensitive information identifying unit 103 does not meet the sensitive information determination standard set by the third party module, leave the value corresponding to the variable name unprocessed and generate a false alarm log.
- the third-party module setting may include other modules disposed in or outside the sensitive information processing device to determine whether the to-be-processed information is sensitive information. If the method for identifying sensitive information by the device for implementing sensitive information processing conflicts with the method for identifying sensitive information by other modules, the sensitive information may be set as a false alarm, and the data processing of the sensitive information may not be performed.
- the inclusion of the character "@" is used to determine that the corresponding to-be-processed information is the sensitive information of the user's email, while according to the third-party module the to-be-processed information corresponding to the variable is determined to be a comment of the seller input by the user in the text box, which is not the set sensitive information.
- the false alarm unit 1045 of the sensitive information processing apparatus may perform processing such as masking, transforming, and the like on the to-be-processed information, and may record the log of the false alarm.
- the apparatus for implementing sensitive information processing in the embodiment may obtain the to-be-processed information in the page, and determine whether the to-be-processed information is sensitive information according to a preset sensitive information identification policy. If yes, the to-be-processed information may be processed according to a preset sensitive information processing policy, and the identification and processing of the sensitive information is completed.
- the apparatus for implementing sensitive information processing may further include means for maintaining sensitive information in the sensitive information base.
- FIG. 7 is a schematic structural diagram of another embodiment of an apparatus for implementing sensitive information processing according to the present application. As shown in FIG. 7, the apparatus may include:
- the monitoring policy unit 106 can be configured to store a preset sensitive information monitoring policy.
- the to-be-processed sensitive information unit 107 may be configured to determine, according to a preset sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC framework structure of the page server is sensitive information to be processed;
- the sending unit 108 may be configured to: when the to-be-processed sensitive information unit 107 determines that the value of the variable information is the sensitive information to be processed, send a variable name corresponding to the value of the variable information to the sensitive information base 102.
- the sensitive information base 102 can receive a variable name corresponding to the value of the variable information, and compare whether the sensitive information in the sensitive information base 102 is the same as the variable name. If the sensitive information base 102 does not have the same sensitive information as the variable name, the variable name may be stored.
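The monitoring policy and the false alarm handling described above, as an added Python example that is not code from the application: values are matched against the two formats the text names, unknown variable names are added to the sensitive information base, and a conflicting third-party verdict produces a false alarm entry instead. The `third_party_check` callback, the log field names and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

PHONE_RE = re.compile(r"[1-9][0-9]{10}")  # 11 digits, the first one non-zero
EMAIL_RE = re.compile(r"\S@")             # "@" with a non-blank character before it


def classify(value):
    """Monitoring policy: name the kind of sensitive data a value looks like, or None."""
    if not isinstance(value, str):
        return None
    if PHONE_RE.fullmatch(value.strip()):
        return "phone"
    if EMAIL_RE.search(value):
        return "email"
    return None


def monitor(model, sensitive_base, third_party_check=None, now=None):
    """Scan one model, add unknown variable names to sensitive_base (a set),
    and return the pending, newly-added and false-alarm logs."""
    now = now or datetime.now(timezone.utc).isoformat()
    pending, added, false_alarms = [], [], []
    for name, value in model.items():
        kind = classify(value)
        if kind is None:
            continue
        # Hypothetical third-party verdict: False means "not sensitive after all".
        if third_party_check is not None and not third_party_check(name, value):
            false_alarms.append({"name": name, "kind": kind, "time": now})
            continue
        # Raw values are left out of the log entries in this example.
        pending.append({"name": name, "kind": kind, "time": now})
        if name not in sensitive_base:
            sensitive_base.add(name)
            added.append({"name": name, "kind": kind, "time": now})

    def log(entries):
        return {"count": len(entries), "entries": entries, "generated": now}

    return {"pending_log": log(pending), "new_log": log(added),
            "false_alarm_log": log(false_alarms)}


# Constructed sample data.
SAMPLE_MODEL = {
    "Phone_Num": "13800001234",
    "First_Contact": "13900005678",
    "E-Mail": "zhangsan@example.com",
    "Seller_Comment": "thanks@seller, fast delivery",
    "Title": "Order 0012345",
}


def is_not_free_text(name, value):
    """Hypothetical third-party rule: free-text comment fields are not sensitive."""
    return name != "Seller_Comment"


if __name__ == "__main__":
    base = {"E-Mail", "Tel_Num"}
    first = monitor(SAMPLE_MODEL, base, is_not_free_text)
    second = monitor(SAMPLE_MODEL, base, is_not_free_text)
    print(first["new_log"]["count"], second["new_log"]["count"], sorted(base))
```

The counts in `pending_log` and `new_log` are the quantities the security determination described later on the page works from.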
- FIG. 8 shows another embodiment of a device for implementing sensitive information processing according to the present application. As shown in FIG. 8, the device may further include:
- the replacing unit 109 may replace the corresponding pending information in the page with the processed sensitive information.
- the device for implementing sensitive information processing may itself replace the corresponding pending information in the page with the processed sensitive information.
- the processed sensitive information may be sent to a server, and the server replaces the corresponding pending information in the page with the processed sensitive information to form the page after sensitive information processing.
- FIG. 9 shows another embodiment of a device for implementing sensitive information processing according to the present application. As shown in FIG. 9, the device may further include:
- the backhaul unit 110 can be configured to send the processed sensitive information to the server or to the processed sensitive information receiving unit of the server through the interceptor.
- the present application further provides a server for implementing sensitive information processing, and the server may include the apparatus for implementing sensitive information processing according to any one of the above embodiments.
- a server for implementing sensitive information processing may include:
- a first MVC target system, which may be configured to receive an HTTP request sent by the client and generate a page template ModelMap according to the HTTP request; may also be used to pass the to-be-processed information to the generated page template ModelMap and complete rendering of the HTTP request page; may also be used to send the rendered page to the client; and may also be used to receive the processed sensitive information sent by the sensitive information processing module and replace the corresponding pending information in the page template ModelMap with the processed sensitive information;
- the first sensitive information processing module may be configured to obtain the to-be-processed information in the page template ModelMap, and determine whether the to-be-processed information is sensitive information according to a preset sensitive information identification policy; when the to-be-processed information is sensitive information, to process it according to a preset sensitive information processing policy to form processed sensitive information; and may also be used to send the processed sensitive information to the MVC target system.
- FIG. 10 is a schematic structural diagram of a module of another embodiment of a server for implementing sensitive information processing according to the present application.
- the server may include an MVC framework structure.
- a server for implementing sensitive information processing as described in the present application may include the implementation of the sensitive information processing apparatus according to any one of the preceding claims, and the preferred embodiment may include an interceptor.
- the server may include:
- the MVC target system 1 may be configured to receive an HTTP request sent by the client and generate a page template ModelMap according to the HTTP request; may further be configured to pass the to-be-processed information into the generated page template ModelMap and complete the rendering of the HTTP request page; may also be used to send the rendered page to the client; and may also be used to receive the processed sensitive information sent by the sensitive information processing module and replace the corresponding pending information in the page template ModelMap with the processed sensitive information;
- the interceptor 2 is configured to obtain the to-be-processed information in the page template ModelMap, and send the to-be-processed information to the sensitive information processing module 3; and may also be configured to receive the processed sensitive information sent by the sensitive information processing module 3, And sending the processed sensitive information to the MVC target system 1;
- the sensitive information processing module 3 can be configured to receive the to-be-processed information and determine whether it is sensitive information, and is further configured to process the to-be-processed information that is determined to be sensitive information according to a preset sensitive information processing policy, to form processed sensitive information.
- the sensitive information processing module may include:
- An information receiving unit configured to receive information to be processed
- a first sensitive information base that can be used to store sensitive information
- the first sensitive information identifying unit may be configured to determine, according to the sensitive information stored in the first sensitive information database, whether the to-be-processed information is sensitive information;
- the first processing policy unit can be used to store a sensitive information processing strategy
- the first information processing unit may be configured to: when the first sensitive information identifying unit determines that the to-be-processed information is sensitive information, perform the to-be-processed information based on a sensitive information processing policy stored by the first processing policy unit Processing to form processed sensitive information;
- the first backhaul unit can be configured to send the processed sensitive information to the interceptor.
- the MVC target system 1 described above may specifically include:
- the ModelMap module 11 can be configured to receive an HTTP request sent by the client, and generate a page template ModelMap according to the HTTP request;
- the controller module 12 may be configured to: forward the to-be-processed information to the generated page template ModelMap; and may further be configured to receive the processed sensitive information sent by the interceptor;
- the Velocity module 12 may be configured to replace the corresponding pending information in the page template ModelMap with the processed sensitive information received by the Controller module 12; and may also be used to complete rendering of the corresponding page of the HTTP request;
- the passback module 14 can be used to send the rendered page to the client.
- the interceptor can typically include preHandler (21), postHandler (22), and afterCompletion (23).
- the interceptor 2 obtains the to-be-processed information in the page template ModelMap, which may include:
- the to-be-processed information in the page template ModelMap is obtained by the postHandle or afterCompletion handler of the interceptor.
- the to-be-processed information may include variable information of the ModelMap.
- the first processing policy unit includes at least one of the following units:
- a first predetermined part display unit configured to display a specific field of a value corresponding to the variable name according to a predetermined display rule
- a first complete masking unit configured to mask all fields of the value corresponding to the variable name according to a predetermined masking rule
- the first authority screening unit may be configured to process the value corresponding to the variable name according to the authority of the specified field;
- a first transformation display unit configured to convert a value corresponding to the variable name according to a predetermined transformation rule, and use the transformed value as a value of the variable name
- the first false alarm unit may be configured to: when an abnormality occurs in any one of the structural modules in the sensitive information processing device, or the sensitive information determined by the sensitive information identifying unit does not meet the sensitive information judgment standard set by the third party module, leave the value corresponding to the variable name unprocessed and generate a false alarm log.
- in the server for implementing sensitive information processing, the first sensitive information identifying unit includes:
- a first key value obtaining unit configured to acquire a variable name of the variable information in the ModelMap in the MVC target system
- a first comparison unit configured to compare whether a variable name of the variable information in the acquired ModelMap is the same as a sensitive information stored in the first sensitive information repository
- the second determining unit may be configured to determine, according to the comparison result of the first comparing unit, whether the to-be-processed information is sensitive information.
- the server that implements the sensitive information processing described above may further include:
- the first monitoring policy unit can be used to store a preset sensitive information monitoring policy
- the first to-be-processed sensitive information unit may be configured to determine, according to a preset sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC target system is sensitive information to be processed;
- the first sending unit may be configured to: when the first to-be-processed sensitive information unit determines that the value of the variable information is the sensitive information to be processed, send a variable name corresponding to the value of the variable information to the first sensitive information base.
- the MVC target system 1 can generate a page template ModelMap by the ModelMap module after receiving the HTTP request of the user, and then the Controller module 12 in the MVC target system generates the template.
- the variable information in the ModelMap can be obtained by the postHandle handler in the postHandler of the interceptor 2. Further, the interceptor may send the acquired variable information to the sensitive information processing module 3, and the sensitive information processing module 3 may determine whether the variable information is sensitive information, and process the sensitive information according to a predetermined sensitive information processing policy to form processed sensitive information.
- the MVC target system may receive the processed sensitive information sent by the sensitive information processing module 3, and replace the processed sensitive information with the corresponding pending information in the page template ModelMap to complete rendering of the page.
- the server can then pass the sensitive information processed page back to the user's client through the backhaul module 14.
- the MVC framework described in this application includes various Spring MVC frameworks for creating web applications based on the MVC (Model-View-Controller) design pattern, such as MVC framework structures such as sofa2, sofa3 or webx.
- the server for implementing sensitive information processing can identify sensitive information on the server side, and process the information determined to be sensitive information on the server side according to the preset sensitive information processing policy, so that the sensitive information contained in the page that the server sends to the user's client browser has already been processed. Unauthorized users cannot obtain the real sensitive information through data interception, local web page modification, etc., which provides security for sensitive information on the page.
- based on the method for identifying and processing the sensitive information, the application further provides a security determination system, which can be used to determine whether the page server is secure and to determine the security performance of the page server, and can also be used to compare security between multiple server systems, maintain servers with lower security in time, and improve server security.
- FIG. 11 is a block diagram of a security judgment system according to the present application. As shown in FIG. 11, the security determination system may include:
- the second sensitive information database 201 may be configured to store the sensitive information; may be further configured to receive the variable name sent by the second to-be-processed sensitive information unit 205, and determine whether the stored variable information includes the received variable name; and may further be configured to store the variable name as newly added sensitive information when the determination result is that the received variable name is not included in the sensitive information base;
- the second sensitive information identifying unit 202 may be configured to obtain the to-be-processed information in the page; and may be further configured to determine, according to the sensitive information stored in the second sensitive information database 201, whether the to-be-processed information is sensitive information;
- the second information processing unit 203 may be configured to store the sensitive information processing policy, and may be further configured to: when the second sensitive information identifying unit 202 determines that the to-be-processed information is sensitive information, based on the stored sensitive information processing strategy Processing the to-be-processed information to form processed sensitive information;
- the monitoring unit 204 may be configured to store a preset sensitive information monitoring policy; may further be configured to determine, according to the stored sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC framework structure of the page server is sensitive information to be processed; and, when it is determined that the value of the variable information is sensitive information to be processed, to send the variable name corresponding to the value of the variable information to the second sensitive information database 201;
- the new sensitive information log unit 205 may be configured to generate a new sensitive information log, where the newly added sensitive information log may include the number of the newly added sensitive information in the second sensitive information database 201;
- the to-be-processed sensitive information log unit 206 may be configured to generate a to-be-processed sensitive information log, where the to-be-processed sensitive information log may include the number of sensitive information to be processed determined by the monitoring unit 204;
- the first security determining unit 207 may be configured to obtain the newly added sensitive information log of the first target system, or the data of the to-be-processed sensitive information log or of the second sensitive information database, and determine, according to a predetermined determination rule, the security level to which the first target system belongs.
- the first security determining unit 207 may include at least one of the following units:
- the first number determining unit may be configured to determine a security level of the first target system according to the number of the newly added sensitive information in the first time window/the number of sensitive information stored in the second sensitive information database;
- the first ratio determining unit may determine the security level of the first target system according to a ratio of the number of the newly added sensitive information in the second time window to the number of the sensitive information to be processed.
- when the security level of the first target system is determined according to the number of the newly added sensitive information in the first time window, the numbers of new sensitive information corresponding to different security levels may be divided in advance; for example, the fourth security level includes 100 or less.
- the third security level can be 100 to 1000.
- the second security level can be 100 to 5000.
- the first security level is 5000 or more.
- the security level of the first target system may be determined according to a ratio of the number of the newly added sensitive information in the second time window to the number of the sensitive information to be processed.
- the larger the ratio, the more, or the more promptly, newly discovered sensitive information to be processed has been handled, which can indicate that the security of the system is higher; correspondingly, the smaller the ratio, the more sensitive information remains to be processed without having been processed, which can indicate that the security of the system is lower.
- the corresponding security level may be divided according to the ratio.
- FIG. 12 is a schematic structural diagram of another preferred embodiment of a security determination system according to the present application.
- the security determination system may further include a multi-system determination unit 208, which may be used to compare the security levels of the first target system and the second target system according to the predetermined determination rule; correspondingly, the first security determining unit 207 may obtain the newly added sensitive information log of the second target system, or the to-be-processed sensitive information log or the data in the second sensitive information base.
- the multi-system determination unit 208 can include at least one of the following units:
- the second number determining unit may be configured to compare the number of new sensitive information of the first target system and the second target system/the number of sensitive information stored in the second sensitive information database in the first time window.
- the second ratio determining unit may compare the first target system with the ratio of the number of new sensitive information of the first target system and the second target system to the number of the sensitive information to be processed in the second time window.
- the security level of the second target system may be used to determine whether the second target system has a security level.
- the number of new sensitive information added by the first target system in one week is greater than the number of new sensitive information in the second target system, which may indicate that the security of the second target system is higher than the first A target system.
- the ratio of the number of new sensitive information added by the first target system to the number of sensitive information to be processed in the statistical period is greater than the number of new sensitive information in the second target system and the sensitivity to be processed.
- the ratio of the number of information may indicate that the first target processes the sensitive information in time and has higher security. It should be noted that the above two methods are to determine the security level of the system from different dimensions. For example, the same system may include more new sensitive information but the ratio is larger, which may indicate that the initial security of the system is lower. However, due to timely maintenance, the safety growth is higher.
- the security determination system provided by the present application discards the system vulnerabilities existing in the target system and the number of patches that need to be updated in the prior art to determine whether the system is safe and high.
- the system for determining system security from the perspective of sensitive information provided by the present application can determine the security performance of the target system from the sensitive information data that can be identified in the target system and the processing of the identified sensitive information in time. From the nature of assessing the security of the system, a more accurate security decision is made on the target system.
- the target system can identify and process all of the total sensitive information of 100,000 pieces of sensitive information, or 99 of the newly discovered 100 pieces of pending sensitive information are added to the second sensitive information base by operation, Even in the prior art, since the target system has M patches that are not hit or there are N vulnerabilities, the security of the target system is low, but the target system is determined from the essential level of the identification and processing of sensitive information.
- the security of the target system described above is high. Utilizing a security determination system described in the present application More accurate determination of the security of the target system. With this application, the security of different target systems can be compared from different latitudes. For a target system with lower security, the sensitive information can be processed in time or other measures can be taken to maintain the target system, which can improve the security of the system.
- The present application is not limited to the case where the protocol must be fully standard-compliant HTTP.
- A transmission mechanism slightly modified on the basis of some protocols, such as HTTPS or the HTTP 2.0 version transmission protocol, may also implement the above embodiments of the present application.
- The same application can be implemented as long as the page information interaction and the information judgment and feedback mode are consistent with the foregoing embodiments of the present application; details are not described herein again.
- The apparatus or module illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function.
- For convenience of description, the above devices are described as being divided into various modules by function.
- When implementing the present application, the functions of the modules may be implemented in the same software, or in software and/or hardware, and a module implementing a given function may also be implemented by multiple sub-modules or a combination of sub-units.
- The controller can be logically programmed by means of logic gates, switches, ASICs, programmable logic controllers, and embedding.
- The application can be described in the general context of computer-executable instructions executed by a computer, such as a program module.
- Program modules include routines, programs, objects, components, data structures, classes, and the like that perform particular tasks or implement particular abstract data types.
- The present application can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are connected through a communication network.
- Program modules can be located in both local and remote computer storage media, including storage devices.
- The present application can be implemented by means of software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may in essence be embodied in the form of a software product, which may be stored in a storage medium such as a ROM/RAM, a disk, or an optical disk, and which includes instructions for causing a computer device (which may be a personal computer, mobile terminal, server, or network device, etc.) to perform the methods described in various embodiments of the present application or portions of the embodiments.
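The count-based and ratio-based determinations described above for the first and second target systems, as an added Python example that is not code from the patent. The band edges (the description's ranges touch and overlap, so cuts at 100, 1000 and 5000 are assumed), the one-week window, the log timestamps and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

WEEK = timedelta(days=7)          # assumed length of both time windows
END = datetime(2015, 8, 27)       # constructed end of the statistical period


def count_in_window(timestamps, end, window=WEEK):
    """Number of log entries with end - window < t <= end."""
    start = end - window
    return sum(1 for t in timestamps if start < t <= end)


def security_level(new_count):
    """Map a count of newly added sensitive information to a level name.
    Assumed cuts: <=100 fourth, <=1000 third, <5000 second, else first."""
    if new_count <= 100:
        return "fourth"
    if new_count <= 1000:
        return "third"
    if new_count < 5000:
        return "second"
    return "first"


def processed_ratio(new_count, pending_count):
    """Newly added / to-be-processed; None when nothing was pending."""
    if pending_count == 0:
        return None
    return new_count / pending_count


def summarize(new_log, pending_log, end=END, window=WEEK):
    new_n = count_in_window(new_log, end, window)
    pending_n = count_in_window(pending_log, end, window)
    return {"new": new_n, "pending": pending_n,
            "level": security_level(new_n),
            "ratio": processed_ratio(new_n, pending_n)}


def compare(name_a, sum_a, name_b, sum_b):
    """Which system each dimension rates as more secure (None if undecided).
    Fewer newly added entries wins by count; a larger ratio wins by ratio."""
    by_count = None
    if sum_a["new"] != sum_b["new"]:
        by_count = name_a if sum_a["new"] < sum_b["new"] else name_b
    by_ratio = None
    ra, rb = sum_a["ratio"], sum_b["ratio"]
    if ra is not None and rb is not None and ra != rb:
        by_ratio = name_a if ra > rb else name_b
    return {"by_count": by_count, "by_ratio": by_ratio}


def stamps(n, offset=timedelta(0), end=END):
    """Constructed log: n entries one minute apart, ending at end - offset."""
    return [end - offset - timedelta(minutes=i) for i in range(n)]


# Constructed logs. System A also has 30 old entries outside the window.
NEW_A = stamps(120) + stamps(30, offset=timedelta(days=10))
PENDING_A = stamps(130)
NEW_B = stamps(40)
PENDING_B = stamps(80)

if __name__ == "__main__":
    a = summarize(NEW_A, PENDING_A)
    b = summarize(NEW_B, PENDING_B)
    print(a)
    print(b)
    print(compare("A", a, "B", b))
```

With these logs the two dimensions disagree: B is rated higher by count, A by ratio, which is the situation the description points out for a system with many new entries that are handled promptly.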
Description
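Variable name | Value | Domain group | Processing policy | Processed value |
---|---|---|---|---|
Name1 | 张三 | Super administrator | No processing | 张三 |
Name2 | 李四 | Administrator | Partial display | 李* |
Name3 | 王五 | User | Mask | ** |
Tel_Num | 15912344321 | User | Partial display | 159*****321 |
[email protected] | User | Partial display | use**@163.com | |
ID_Num | 320322198708081234 | Administrator | Mask | 320**** |
Add_ID | 浙江省杭州市 | User | Partial display | 浙江省 |
Gender | 女 | User | No processing | 女 |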
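The policy table above, applied in the order the claims describe (look up each ModelMap variable name in the sensitive information base, process the value, and let a monitoring policy register unknown names whose values look sensitive), as an added Python example that is not code from the patent. The policy encoding, the regular expressions, the `Backup_Tel` variable and the choice to fully mask newly registered names are assumptions made for illustration.

```python
import re

# Constructed sensitive information base: variable name -> (kind, head, tail).
# kind is "none", "partial" (keep head/tail characters) or "mask".
SENSITIVE_BASE = {
    "Name1": ("none", 0, 0),
    "Name2": ("partial", 1, 0),
    "Name3": ("mask", 0, 0),
    "Tel_Num": ("partial", 3, 3),
}

# Constructed monitoring policy: value shapes that suggest sensitive data.
MONITOR_PATTERNS = [
    re.compile(r"\d{17}[\dXx]"),   # 18-character ID-number shape
    re.compile(r"1\d{10}"),        # 11-digit mobile-number shape
]

# Assumption: a name discovered by monitoring is fully masked until reviewed.
DEFAULT_NEW_POLICY = ("mask", 0, 0)


def apply_policy(value, policy):
    """Return the processed form of one value under one policy."""
    kind, head, tail = policy
    text = str(value)
    if kind == "none":
        return text
    if kind == "mask":
        return "*" * len(text)
    if kind == "partial":
        if head + tail >= len(text):
            return "*" * len(text)     # too short to reveal any part
        hidden = len(text) - head - tail
        return text[:head] + "*" * hidden + text[len(text) - tail:]
    raise ValueError("unknown policy kind: %r" % kind)


def monitor(model, base):
    """Register names that are not in the base but whose values match the
    monitoring policy; return them (the newly added sensitive information)."""
    added = []
    for name, value in model.items():
        if name in base:
            continue
        if any(p.fullmatch(str(value)) for p in MONITOR_PATTERNS):
            base[name] = DEFAULT_NEW_POLICY
            added.append(name)
    return added


def process_model(model, base):
    """Run after the controller and before view rendering: returns the model
    to render plus the names newly added to the base on this request."""
    newly_added = monitor(model, base)
    rendered = {}
    for name, value in model.items():
        policy = base.get(name)
        rendered[name] = apply_policy(value, policy) if policy else value
    return rendered, newly_added


# Constructed model; the first four entries reuse rows of the table above.
SAMPLE_MODEL = {
    "Name2": "李四",
    "Name3": "王五",
    "Tel_Num": "15912344321",
    "Gender": "女",
    "Backup_Tel": "13800001111",   # hypothetical variable, not in the base
}

if __name__ == "__main__":
    out, added = process_model(SAMPLE_MODEL, dict(SENSITIVE_BASE))
    print(out)
    print("newly added:", added)
```

Because identification is by variable name, a value stored under a name that is neither in the base nor matched by the monitoring policy is rendered unchanged, so the coverage of both lists is what the protection depends on.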
Claims (24)
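- A method for processing sensitive information, characterized in that the method comprises: acquiring information to be processed in a page; determining, according to a preset sensitive information identification policy, whether the information to be processed is sensitive information; when the information to be processed is sensitive information, processing it according to a preset sensitive information processing policy to form processed sensitive information; and replacing the corresponding information to be processed in the page with the processed sensitive information to form a page in which the sensitive information has been processed.
- The method for processing sensitive information according to claim 1, characterized in that acquiring the information to be processed in the page comprises: acquiring the information to be processed in the page through *** after the Controller is called and before view rendering in the MVC framework structure; or acquiring the information to be processed in the page through *** after Velocity is called in the MVC framework structure.
- The method for processing sensitive information according to claim 1, characterized in that the information to be processed comprises: variable information of the ModelMap in the MVC framework structure of the page server.
- The method for processing sensitive information according to claim 3, characterized in that determining, according to the preset sensitive information identification policy, whether the information to be processed is sensitive information comprises: acquiring the variable name of the variable information in the ModelMap of the MVC framework structure of the page server; comparing the acquired variable name of the variable information in the ModelMap with the sensitive information stored in a sensitive information base to determine whether the variable name is in the sensitive information base; and determining whether the information to be processed is sensitive information according to the result of determining whether the variable name is in the sensitive information base.
- The method for processing sensitive information according to claim 4, characterized in that the method further comprises: determining, according to a preset sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC framework structure of the page server is sensitive information to be processed; and when the value of the variable information is determined according to the sensitive information monitoring policy to be sensitive information to be processed, sending the variable name corresponding to the value of the variable information to the sensitive information base.
- The method for processing sensitive information according to claim 3, characterized in that processing according to the preset sensitive information processing policy comprises: setting sensitive information processing policies for the values corresponding to different variable names according to the different variable names in the variable information; or, within the same variable name of the variable information, setting a sensitive information processing policy for the value corresponding to that variable name according to the permission of specified field information.
- The method for processing sensitive information according to claim 6, characterized in that the sensitive information processing policy comprises at least one of the following: no processing, display of a predetermined part, complete masking, masking by permission, display after transformation, and false positive.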
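- An apparatus for implementing sensitive information processing, characterized in that the apparatus comprises: an information acquisition unit, configured to acquire information to be processed in a page; a sensitive information base, configured to store sensitive information; a sensitive information identification unit, configured to determine, based on the sensitive information stored in the sensitive information base, whether the information to be processed is sensitive information; a processing policy unit, configured to store sensitive information processing policies; and an information processing unit, configured to, when the sensitive information identification unit determines that the information to be processed is sensitive information, process the information to be processed based on the sensitive information processing policy stored in the processing policy unit to form processed sensitive information.
- The apparatus for implementing sensitive information processing according to claim 8, characterized in that the information to be processed acquired by the information acquisition unit may comprise: variable information of the ModelMap in the MVC framework structure of the page server.
- The apparatus for implementing sensitive information processing according to claim 9, characterized in that the sensitive information processing policies stored in the processing policy unit comprise: setting sensitive information processing policies for the values corresponding to different variable names according to the different variable names in the variable information; or, within the same variable name of the variable information, setting a sensitive information processing policy for the value corresponding to that variable name according to the permission of specified field information.
- The apparatus for implementing sensitive information processing according to claim 9, characterized in that the processing policy unit comprises at least one of the following units: a predetermined partial display unit, configured to display specific fields of the value corresponding to the variable name according to a predetermined display rule; a complete masking unit, configured to mask all fields of the value corresponding to the variable name according to a predetermined masking rule; a permission masking unit, configured to process the value corresponding to the variable name according to the permission of a specified field; a transformation display unit, configured to transform the value corresponding to the variable name according to a predetermined transformation rule and use the transformed value as the value of the variable name; and a false positive unit, configured to, when any structural module in the sensitive information processing apparatus is abnormal or the sensitive information determined by the sensitive information identification unit does not meet the sensitive information criteria set by a third-party module, leave the value corresponding to the variable name unprocessed and generate a false positive log.
- The apparatus for implementing sensitive information processing according to claim 9, characterized in that the sensitive information identification unit comprises: a key value acquisition unit, configured to acquire the variable name of the variable information in the ModelMap of the MVC framework structure of the page server; a comparison unit, configured to compare whether the acquired variable name of the variable information in the ModelMap is the same as the sensitive information stored in the sensitive information base; and a first judging unit, configured to determine whether the information to be processed is sensitive information according to the comparison result of the comparison unit.
- The apparatus for implementing sensitive information processing according to claim 9, characterized by further comprising: a monitoring policy unit, configured to store a preset sensitive information monitoring policy; a to-be-processed sensitive information unit, configured to determine, according to the preset sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC framework structure of the page server is sensitive information to be processed; and a sending unit, configured to, when the to-be-processed sensitive information unit determines that the value of the variable information is sensitive information to be processed, send the variable name corresponding to the value of the variable information to the sensitive information base.
- The apparatus for implementing sensitive information processing according to claim 9, characterized by further comprising: a return unit, configured to send the processed sensitive information to the server directly, or through *** to the processed sensitive information receiving unit of the server.
- The apparatus for implementing sensitive information processing according to claim 9, characterized by further comprising: a replacement unit, configured to replace the corresponding information to be processed in the page with the processed sensitive information.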
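- A server for implementing sensitive information processing, characterized in that the server comprises: an MVC target system, configured to receive an HTTP request sent by a client and generate a page template ModelMap according to the HTTP request; further configured to pass information to be processed into the generated page template ModelMap and complete the rendering of the page corresponding to the HTTP request; further configured to send the rendered page to the client; and further configured to receive the processed sensitive information sent by the sensitive information processing module and replace the corresponding information to be processed in the page template ModelMap with the processed sensitive information; a ***, configured to acquire the information to be processed in the page template ModelMap and send the information to be processed to the sensitive information processing module, and further configured to receive the processed sensitive information sent by the sensitive information processing module and send the processed sensitive information to the MVC target system; and a sensitive information processing module, configured to receive the information to be processed and determine whether it is sensitive information, and further configured to process the information to be processed that is determined to be sensitive information according to a preset sensitive information processing policy to form processed sensitive information; the sensitive information processing module comprising: an information receiving unit, configured to receive the information to be processed; a first sensitive information base, configured to store sensitive information; a first sensitive information identification unit, configured to determine, based on the sensitive information stored in the first sensitive information base, whether the information to be processed is sensitive information; a first processing policy unit, configured to store sensitive information processing policies; a first information processing unit, configured to, when the first sensitive information identification unit determines that the information to be processed is sensitive information, process the information to be processed based on the sensitive information processing policy stored in the first processing policy unit to form processed sensitive information; and a first return unit, configured to send the processed sensitive information to the ***.
- The server for implementing sensitive information processing according to claim 16, characterized in that the *** acquiring the information to be processed in the page template ModelMap comprises: acquiring the information to be processed in the page template ModelMap through the postHandle or afterCompletion handler of the ***.
- The server for implementing sensitive information processing according to claim 16, characterized in that the first processing policy unit comprises at least one of the following units: a first predetermined partial display unit, configured to display specific fields of the value corresponding to the variable name according to a predetermined display rule; a first complete masking unit, configured to mask all fields of the value corresponding to the variable name according to a predetermined masking rule; a first permission masking unit, configured to process the value corresponding to the variable name according to the permission of a specified field; a first transformation display unit, configured to transform the value corresponding to the variable name according to a predetermined transformation rule and use the transformed value as the value of the variable name; and a first false positive unit, configured to, when any structural module in the sensitive information processing apparatus is abnormal or the sensitive information determined by the sensitive information identification unit does not meet the sensitive information criteria set by a third-party module, leave the value corresponding to the variable name unprocessed and generate a false positive log.
- The server for implementing sensitive information processing according to claim 16, characterized in that the first sensitive information identification unit comprises: a first key value acquisition unit, configured to acquire the variable name of the variable information in the ModelMap in the MVC target system; a first comparison unit, configured to compare whether the acquired variable name of the variable information in the ModelMap is the same as the sensitive information stored in the first sensitive information base; and a second judging unit, configured to determine whether the information to be processed is sensitive information according to the comparison result of the first comparison unit.
- The server for implementing sensitive information processing according to claim 16, characterized by further comprising: a first monitoring policy unit, configured to store a preset sensitive information monitoring policy; a first to-be-processed sensitive information unit, configured to determine, according to the preset sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC target system is sensitive information to be processed; and a first sending unit, configured to, when the first to-be-processed sensitive information unit determines that the value of the variable information is sensitive information to be processed, send the variable name corresponding to the value of the variable information to the first sensitive information base.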
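- A security determination system, characterized in that the system comprises: a second sensitive information base, configured to store sensitive information; further configured to receive the variable name sent by a second to-be-processed sensitive information unit and determine whether the stored sensitive information includes the received variable name; and further configured to, when the determination result is that the sensitive information base does not include the received variable name, store the variable name as newly added sensitive information; a second sensitive information identification unit, configured to acquire information to be processed in a page, and further configured to determine, based on the sensitive information stored in the second sensitive information base, whether the information to be processed is sensitive information; a second information processing unit, configured to store sensitive information processing policies, and further configured to, when the second sensitive information identification unit determines that the information to be processed is sensitive information, process the information to be processed based on the stored sensitive information processing policy to form processed sensitive information; a monitoring unit, configured to store a preset sensitive information monitoring policy; further configured to determine, according to the stored sensitive information monitoring policy, whether the value of the variable information of the ModelMap in the MVC framework structure of the page server is sensitive information to be processed; and further configured to, when the value of the variable information is determined to be sensitive information to be processed, send the variable name corresponding to the value of the variable information to the second sensitive information base; a newly added sensitive information log unit, configured to generate a newly added sensitive information log, the newly added sensitive information log including the number of newly added sensitive information in the second sensitive information base; a to-be-processed sensitive information log unit, configured to generate a to-be-processed sensitive information log, the to-be-processed sensitive information log including the number of sensitive information to be processed as determined by the monitoring unit; and a first security determining unit, configured to obtain the newly added sensitive information log of a first target system, or the to-be-processed sensitive information log, or the data in the second sensitive information base, and determine the security level to which the first target system belongs according to a predetermined determination rule.
- The security determination system according to claim 21, characterized in that the first security determining unit comprises at least one of the following units: a first number determining unit, configured to determine the security level of the first target system according to the number of the newly added sensitive information, or the number of sensitive information stored in the second sensitive information base, within a first time window; and a first ratio determining unit, which determines the security level of the first target system according to the ratio of the number of the newly added sensitive information to the number of the sensitive information to be processed within a second time window.
- The security determination system according to claim 21 or 22, characterized by further comprising a second multi-system determination unit, configured to compare the security levels of the first target system and a second target system according to a predetermined determination rule; correspondingly, the first security determining unit obtains the newly added sensitive information log of the second target system, or the to-be-processed sensitive information log, or the data in the second sensitive information base.
- The security determination system according to claim 23, characterized in that the multi-system determination unit comprises at least one of the following units: a second number determining unit, configured to compare the security levels of the first target system and the second target system according to the numbers of newly added sensitive information of the first target system and the second target system, or the numbers of sensitive information stored in the second sensitive information base, within the first time window; and a second ratio determining unit, which compares the security levels of the first target system and the second target system according to the ratio of the number of newly added sensitive information of the first target system and the second target system to the number of the sensitive information to be processed within the second time window.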
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017512318A JP6626095B2 (ja) | 2014-09-03 | 2015-08-27 | Sensitive information processing method, device, and server, and security determination system |
SG11201701586RA SG11201701586RA (en) | 2014-09-03 | 2015-08-27 | Sensitive information processing method, device, server and security determination system |
EP15837690.5A EP3190765A4 (en) | 2014-09-03 | 2015-08-27 | Sensitive information processing method, device, server and security determination system |
US15/448,504 US10505934B2 (en) | 2014-09-03 | 2017-03-02 | Sensitive information processing method, device and server, and security determination system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410446695.6 | 2014-09-03 | ||
CN201410446695.6A CN105471823B (zh) | 2014-09-03 | 2014-09-03 | Sensitive information processing method, device, server and security determination system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/448,504 Continuation US10505934B2 (en) | 2014-09-03 | 2017-03-02 | Sensitive information processing method, device and server, and security determination system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016034068A1 (zh) | 2016-03-10 |
Family
ID=55439121
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/088214 WO2016034068A1 (zh) | 2014-09-03 | 2015-08-27 | Sensitive information processing method, device, server and security determination system |
Country Status (6)
Country | Link |
---|---|
US (1) | US10505934B2 (zh) |
EP (1) | EP3190765A4 (zh) |
JP (2) | JP6626095B2 (zh) |
CN (1) | CN105471823B (zh) |
SG (2) | SG10201901732UA (zh) |
WO (1) | WO2016034068A1 (zh) |
- 2014
  - 2014-09-03 CN CN201410446695.6A patent/CN105471823B/zh active Active
- 2015
  - 2015-08-27 EP EP15837690.5A patent/EP3190765A4/en active Pending
  - 2015-08-27 WO PCT/CN2015/088214 patent/WO2016034068A1/zh active Application Filing
  - 2015-08-27 SG SG10201901732UA patent/SG10201901732UA/en unknown
  - 2015-08-27 SG SG11201701586RA patent/SG11201701586RA/en unknown
  - 2015-08-27 JP JP2017512318A patent/JP6626095B2/ja active Active
- 2017
  - 2017-03-02 US US15/448,504 patent/US10505934B2/en active Active
- 2019
  - 2019-11-28 JP JP2019215830A patent/JP7018920B2/ja active Active
Also Published As
Publication number | Publication date |
---|---|
US20170180376A1 (en) | 2017-06-22 |
JP7018920B2 (ja) | 2022-02-14 |
JP6626095B2 (ja) | 2019-12-25 |
EP3190765A1 (en) | 2017-07-12 |
JP2017532649A (ja) | 2017-11-02 |
CN105471823B (zh) | 2018-10-26 |
CN105471823A (zh) | 2016-04-06 |
EP3190765A4 (en) | 2018-05-02 |
US10505934B2 (en) | 2019-12-10 |
SG11201701586RA (en) | 2017-05-30 |
JP2020030866A (ja) | 2020-02-27 |
SG10201901732UA (en) | 2019-03-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15837690 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2017512318 Country of ref document: JP Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| REEP | Request for entry into the european phase | Ref document number: 2015837690 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2015837690 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 11201701586R Country of ref document: SG |