CN106487775B

Movatterモバイル変換

Info

Publication number: CN106487775B
Application number: CN201510555904.5A
Authority: CN
Inventors: 宋百灵
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2015-09-01
Filing date: 2015-09-01
Publication date: 2020-01-21
Anticipated expiration: 2035-09-01
Also published as: CN106487775A; WO2017036336A1

Abstract

The embodiment of the application provides a service data processing method and device based on a cloud platform, wherein the method comprises the following steps: carrying out security detection based on a cloud platform on the submitted application object; when the application object passes the security detection, searching the service data matched with the application object; carrying out safety processing on the service data based on a cloud platform; and calling the application object in the specified container, and performing service processing on the service data after the safety processing. In addition, the cloud platform integrates the computing capability of big data, can provide the mining function of the big data for the users of the third party, improves the development capability, the big data processing capability and the big data exploration capability of the users of the third party, and accordingly produces effective products or analysis reports.

Description

Translated fromChinese

一种基于云平台的业务数据的处理方法和装置A method and device for processing business data based on a cloud platform

技术领域technical field

本申请涉及云计算技术领域，特别是涉及一种基于云平台的业务数据的处理方法和一种基于云平台的业务数据的处理装置。The present application relates to the technical field of cloud computing, and in particular, to a method for processing business data based on a cloud platform and a device for processing business data based on a cloud platform.

背景技术Background technique

大数据的爆炸式增长在大容量、多样性和高增速方面，全面考验着现代企业的数据处理和分析能力；同时，也为企业带来了获取更丰富、更深入和更准确地洞察市场行为的大量机会。The explosive growth of big data has comprehensively tested the data processing and analysis capabilities of modern enterprises in terms of large capacity, diversity and high growth rate; Plenty of opportunities for behavior.

通常，大数据的采集需要一个宽广的平台，因此，只有少量的企业可以采集。Usually, the collection of big data requires a broad platform, so only a small number of enterprises can collect it.

若科研机构等大数据的使用方对大数据进行挖掘，则需要向该平台请求大数据的使用。If users of big data such as scientific research institutions mine big data, they need to request the use of big data from the platform.

目前，某些大数据的提供方对大数据的使用方所需要的原始数据提供在一个开放平台。At present, some big data providers provide the raw data required by big data users on an open platform.

大数据的使用方再接入开放平台后，调用接口，从而进行大数据的使用。After the big data user accesses the open platform, it calls the interface to use the big data.

但是，这些数据为用户或业务隐私类数据，同时科研机构没有用户相关的授权，不可直接获得，需要进行一系列处理，导致最后提供的数据多样性少、基本不可用，价值大大降低。However, these data are user or business privacy data, and at the same time, scientific research institutions do not have user-related authorization and cannot be obtained directly. A series of processing is required, resulting in the final data provided with little diversity, basically unusable, and greatly reduced value.

此外，大数据的使用方只得到接口输出的结果，处理能力低下，难以对大数据进行挖掘。In addition, the user of big data only gets the results output by the interface, and the processing capability is low, making it difficult to mine big data.

再者，大数据的提供方仅仅能在接口的调用处进行监控、审计，安全性差。Furthermore, the provider of big data can only monitor and audit at the calling site of the interface, and the security is poor.

发明内容SUMMARY OF THE INVENTION

鉴于上述问题，提出了本申请实施例以便提供一种克服上述问题或者至少部分地解决上述问题的一种基于云平台的业务数据的处理方法和相应的一种基于云平台的业务数据的处理装置。In view of the above problems, the embodiments of the present application are proposed to provide a cloud platform-based business data processing method and a corresponding cloud platform-based business data processing device that overcomes the above problems or at least partially solves the above problems .

为了解决上述问题，本申请实施例公开了一种基于云平台的业务数据的处理方法，包括：In order to solve the above problems, an embodiment of the present application discloses a method for processing business data based on a cloud platform, including:

对提交的应用对象进行基于云平台的安全检测；Perform cloud platform-based security detection on submitted application objects;

当通过安全检测时，查找与所述应用对象匹配的业务数据；When passing the security detection, search for business data matching the application object;

对所述业务数据进行基于云平台的安全处理；Perform cloud platform-based security processing on the business data;

在指定的容器中调用所述应用对象，对安全处理之后的业务数据进行业务处理。The application object is called in the specified container to perform business processing on the business data after security processing.

可选地，所述对提交的应用对象进行基于云平台的安全检测的步骤包括：Optionally, the step of performing cloud platform-based security detection on the submitted application object includes:

判断提交的应用对象是否进行以下的至少一项操作：Determine whether the submitted application object performs at least one of the following operations:

查询敏感的业务数据、跨业务数据所属的业务对象进行操作、导出业务数据、聚合业务数据；Query sensitive business data, operate across business objects to which business data belongs, export business data, and aggregate business data;

若是，则确认不通过安全检测；If so, confirm that it does not pass the security test;

若否，则确认通过安全检测。If not, confirm to pass the security check.

可选地，所述对所述业务数据进行基于云平台的安全处理的步骤包括：Optionally, the step of performing cloud platform-based security processing on the business data includes:

判断所述业务数据是否为开放的业务数据；若是，则查询所述业务数据的开放内容和开放形式；Determine whether the business data is open business data; if so, query the open content and open form of the business data;

按照所述开放形式，对属于开放内容的业务数据进行基于云平台的脱敏处理。According to the open form, cloud platform-based desensitization processing is performed on the business data belonging to the open content.

可选地，所述脱敏处理包括以下的一种或多种：Optionally, the desensitization treatment includes one or more of the following:

加密处理、模糊处理、类目对比排名、统计指标归一化。Encryption processing, obfuscation processing, category comparison ranking, statistical index normalization.

对所述业务数据进行抽样处理；Sampling the business data;

和/或，and / or,

对所述业务数据进行风险控制处理；Perform risk control processing on the business data;

和/或，and / or,

按照所述业务数据的敏感程度查询处理所述业务数据的容器。The container for processing the business data is queried according to the sensitivity of the business data.

可选地，所述在指定的容器中调用所述应用对象，对安全处理之后的业务数据进行业务处理的步骤包括：Optionally, the step of invoking the application object in a specified container, and performing business processing on the business data after security processing includes:

将所述应用对象、安全处理之后的业务数据输出至指定的容器；Outputting the application object and the business data after security processing to a designated container;

接收处理请求；receive processing requests;

调用所述应用对象，按照所述处理请求对安全处理之后的业务数据进行业务处理。The application object is called, and the business data after security processing is processed according to the processing request.

可选地，所述容器为云平台内网中的远程虚拟机，或者，为云平台认证的系统中的远程虚拟机；Optionally, the container is a remote virtual machine in the intranet of the cloud platform, or a remote virtual machine in a system certified by the cloud platform;

所述远程虚拟机通过指定的方式访问、不对外网开放；The remote virtual machine is accessed through a specified method and is not open to the external network;

所述业务数据禁止从所述远程虚拟机导出；The business data is prohibited from being exported from the remote virtual machine;

所述远程虚拟机提供业务数据的处理权限、不提供业务数据的管理权限。The remote virtual machine provides the processing authority of the business data, but does not provide the management authority of the business data.

可选地，还包括：Optionally, also include:

对所述业务处理进行监测；monitoring said business processing;

判断所述业务处理是否为风险处理；若是，则生成警报信息。Determine whether the business process is a risk process; if so, generate alarm information.

可选地，所述对所述业务处理进行监测的步骤包括：Optionally, the step of monitoring the service processing includes:

对安全处理之后的业务数据的使用信息进行监测，其中，所述使用信息包括应用程序编程接口的调用数量和/或调用次数；Monitoring the usage information of the business data after the secure processing, wherein the usage information includes the number and/or the number of invocations of the application programming interface;

和/或，and / or,

对指定的容器的存储信息进行监测。Monitor the storage information of the specified container.

可选地，所述判断所述业务处理是否为风险处理的步骤包括：Optionally, the step of judging whether the business processing is risk processing includes:

当所述使用信息与预设的样本使用信息之间的差异超过预设的差异阈值时，判定为风险处理；When the difference between the usage information and the preset sample usage information exceeds a preset difference threshold, it is determined as risk processing;

和/或，and / or,

当所述存储信息超过预设的存储阈值时，判定为风险处理。When the stored information exceeds a preset storage threshold, it is determined as risk processing.

可选地，还包括：Optionally, also include:

对所述容器进行云安全检测；Perform cloud security detection on the container;

其中，所述云安全检测包括如下的一种或多种：Wherein, the cloud security detection includes one or more of the following:

DDos防御、主机密码破解防御、网站后门检测、异地登录提醒、端口安全检查。DDos defense, host password cracking defense, website backdoor detection, remote login reminder, port security check.

可选地，还包括：Optionally, also include:

对所述容器中安全处理之后的业务数据的工作流进行监测。The workflow of the business data after being securely processed in the container is monitored.

可选地，还包括：Optionally, also include:

通过预设的应用程序编程接口输出处理报告。Process reports are output through a preset application programming interface.

本申请实施例还公开了一种基于云平台的业务数据的处理装置，包括：The embodiment of the present application also discloses a device for processing business data based on a cloud platform, including:

安全检测模块，用于对提交的应用对象进行基于云平台的安全检测；The security detection module is used to perform security detection based on the cloud platform on the submitted application objects;

业务数据查找模块，用于在通过安全检测时，查找与所述应用对象匹配的业务数据；a business data search module, configured to search for business data matching the application object when passing the security detection;

安全处理模块，用于对所述业务数据进行基于云平台的安全处理；a security processing module for performing cloud platform-based security processing on the business data;

业务处理模块，用于在指定的容器中调用所述应用对象，对安全处理之后的业务数据进行业务处理。The business processing module is used for invoking the application object in the specified container, and performing business processing on the business data after security processing.

可选地，所述安全检测模块包括：Optionally, the security detection module includes:

操作判断子模块，用于判断提交的应用对象是否进行以下的至少一项操作：The operation judgment submodule is used to judge whether the submitted application object performs at least one of the following operations:

若是，则调用第一确认子模块，若否，则调用第二确认子模块；If so, call the first confirmation sub-module, if not, call the second confirmation sub-module;

第一确认子模块，用于确认不通过安全检测；The first confirmation sub-module is used to confirm that the safety test is not passed;

第二确认子模块，用于确认通过安全检测。The second confirmation sub-module is used to confirm that the security detection is passed.

可选地，所述安全处理模块包括：Optionally, the security processing module includes:

开放类型判断子模块，用于判断所述业务数据是否为开放的业务数据；若是，则开放信息查询子模块；an open type judgment submodule for judging whether the service data is open service data; if so, an open information query submodule;

开放信息查询子模块，用于查询所述业务数据的开放内容和开放形式；an open information query sub-module for querying the open content and open form of the business data;

脱敏子模块，用于按照所述开放形式，对属于开放内容的业务数据进行基于云平台的脱敏处理。The desensitization sub-module is used to perform cloud platform-based desensitization processing on the business data belonging to the open content according to the open form.

在具体实现中，所述脱敏处理可以包括以下的一种或多种：In a specific implementation, the desensitization treatment can include one or more of the following:

可选地，所述业务处理模块包括：Optionally, the business processing module includes:

抽样子模块，用于对所述业务数据进行抽样处理；a sampling sub-module for sampling the business data;

和/或，and / or,

风控子模块，用于对所述业务数据进行风险控制处理；a risk control sub-module for performing risk control processing on the business data;

和/或，and / or,

容器查询子模块，用于按照所述业务数据的敏感程度查询处理所述业务数据的容器。The container query submodule is used to query the container for processing the business data according to the sensitivity of the business data.

输出子模块，用于将所述应用对象、安全处理之后的业务数据输出至指定的容器；An output submodule, used for outputting the application object and the business data after security processing to a designated container;

请求接收子模块，用于接收处理请求；The request receiving sub-module is used to receive and process requests;

请求响应子模块，用于调用所述应用对象，按照所述处理请求对安全处理之后的业务数据进行业务处理。The request-response sub-module is used for invoking the application object, and performing business processing on the business data after security processing according to the processing request.

可选地，还包括：Optionally, also include:

处理监测模块，用于对所述业务处理进行监测；a processing monitoring module for monitoring the business processing;

风险判断模块，用于判断所述业务处理是否为风险处理；若是，则调用警报模块；a risk judgment module for judging whether the business processing is risk processing; if so, calling an alarm module;

警报模块，用于生成警报信息。Alert module, used to generate alert information.

可选地，所述处理监测模块包括块：Optionally, the process monitoring module includes the blocks:

第一监测子模块，用于对安全处理之后的业务数据的使用信息进行监测，其中，所述使用信息包括应用程序编程接口的调用数量和/或调用次数；a first monitoring submodule, configured to monitor the usage information of the business data after security processing, wherein the usage information includes the number of calls and/or the number of calls of the application programming interface;

和/或，and / or,

第二监测子模块，用于对指定的容器的存储信息进行监测。The second monitoring submodule is used to monitor the storage information of the specified container.

可选地，所述风险判断模块包括：Optionally, the risk judgment module includes:

第一判定子模块，用于在所述使用信息与预设的样本使用信息之间的差异超过预设的差异阈值时，判定为风险处理；a first determination sub-module, configured to determine risk processing when the difference between the usage information and the preset sample usage information exceeds a preset difference threshold;

和/或，and / or,

第二判定子模块，用于在所述存储信息超过预设的存储阈值时，判定为风险处理。The second determination sub-module is configured to determine that the stored information is risk processing when the stored information exceeds a preset storage threshold.

可选地，还包括：Optionally, also include:

云检测模块，用于对所述容器进行云安全检测；A cloud detection module, configured to perform cloud security detection on the container;

可选地，还包括：Optionally, also include:

工作流监测模块，用于对所述容器中安全处理之后的业务数据的工作流进行监测。The workflow monitoring module is used for monitoring the workflow of the business data after safe processing in the container.

可选地，还包括：Optionally, also include:

处理报告输出模块，用于通过预设的应用程序编程接口输出处理报告。The processing report output module is used to output the processing report through the preset application programming interface.

本申请实施例包括以下优点：The embodiments of the present application include the following advantages:

本申请实施例对通过安全检测的应用对象，查找相应的业务数据，对业务数据进行安全处理之后，在一个可控的容器进行业务处理，由于云平台的用户在先已经对云平台授权，因此，可大大提高业务数据的多样性及更高的价值，此外，云平台本身已经集成了大数据的运算能力，可以向第三方的使用者提供大数据的挖掘功能，提高了第三方的使用者的开发能力、大数据处理能力、大数据探索能力，从而产出有效的产品或分析报告。The embodiment of the present application searches for the corresponding business data for the application objects that have passed the security detection, and after the business data is securely processed, the business processing is performed in a controllable container. Since the user of the cloud platform has previously authorized the cloud platform, therefore , which can greatly improve the diversity and higher value of business data. In addition, the cloud platform itself has integrated the computing power of big data, which can provide third-party users with the function of mining big data, improving third-party users. development capabilities, big data processing capabilities, and big data exploration capabilities, so as to produce effective products or analysis reports.

本申请实施例从业务数据的输入、业务数据的处理和处理结果的输出这一链路中，通过业务处理监测、云安全检测、工作流监测等措施，在保证整个链路的业务数据的开放的同时，保证了业务数据的安全。This embodiment of the present application ensures the openness of the service data of the entire link through measures such as service processing monitoring, cloud security detection, and workflow monitoring from the link of service data input, service data processing, and processing result output. At the same time, the security of business data is guaranteed.

附图说明Description of drawings

图1是本申请的一种基于云平台的业务数据的处理方法方法实施例的步骤流程图；1 is a flow chart of steps of a method embodiment of a method for processing business data based on a cloud platform of the present application;

图2是本申请实施例的一种云平台的架构示例图；FIG. 2 is an exemplary diagram of the architecture of a cloud platform according to an embodiment of the present application;

图3是本申请的一种基于云平台的业务数据的处理装置实施例的结构框图。FIG. 3 is a structural block diagram of an embodiment of an apparatus for processing business data based on a cloud platform of the present application.

具体实施方式Detailed ways

为使本申请的上述目的、特征和优点能够更加明显易懂，下面结合附图和具体实施方式对本申请作进一步详细的说明。In order to make the above objects, features and advantages of the present application more clearly understood, the present application will be described in further detail below with reference to the accompanying drawings and specific embodiments.

参照图1，示出了本申请的一种基于云平台的业务数据的处理方法实施例的步骤流程图，具体可以包括如下步骤：Referring to FIG. 1 , a flow chart of steps of an embodiment of a method for processing business data based on a cloud platform of the present application is shown, which may specifically include the following steps:

步骤101，对提交的应用对象进行基于云平台的安全检测；Step 101, performing cloud platform-based security detection on the submitted application object;

需要说明的是，本申请实施例可以应用于云平台中，即计算机集群，如分布式系统等。It should be noted that the embodiments of the present application may be applied to a cloud platform, that is, a computer cluster, such as a distributed system.

以某个分布式系统为例，该分布式系统可以分为以下几部分：Taking a distributed system as an example, the distributed system can be divided into the following parts:

分布式系统底层服务：提供分布式环境下所需要的协调服务、远程过程调用、安全管理和资源管理的服务。这些底层服务为上层的分布式文件系统、任务调度等模块提供支持。Distributed system underlying services: provide coordination services, remote procedure calls, security management and resource management services required in a distributed environment. These underlying services provide support for the upper-layer distributed file system, task scheduling and other modules.

分布式文件系统：提供一个海量的、可靠的、可扩展的数据存储服务，将集群中各个节点的存储能力聚集起来，并能够自动屏蔽软硬件故障，为用户提供不间断的数据访问服务；支持增量扩容和数据的自动平衡，提供用户空间文件访问API(Application ProgramInterface，应用程序编程接口)，支持随机读写和追加写的操作。Distributed file system: Provides a massive, reliable, and scalable data storage service, aggregates the storage capabilities of each node in the cluster, and can automatically shield software and hardware failures to provide users with uninterrupted data access services; support Incremental expansion and automatic data balance, provide user space file access API (Application Program Interface, application programming interface), support random read and write and additional write operations.

任务调度：为集群系统中的任务提供调度服务，同时支持强调响应速度的在线服务(Online Service)和强调处理数据吞吐量的离线任务(Batch Processing Job)；自动检测系统中故障和热点，通过错误重试、针对长尾作业并发备份作业等方式，保证作业稳定可靠地完成。Task scheduling: Provide scheduling services for tasks in the cluster system, and support online services that emphasize response speed (Online Service) and offline tasks (Batch Processing Job) that emphasize processing data throughput; automatically detect faults and hot spots in the system, and pass errors Retry, concurrent backup jobs for long-tail jobs, etc., ensure that jobs are completed stably and reliably.

集群监控和部署：对集群的状态和上层应用服务的运行状态和性能指标进行监控，对异常事件产生警报和记录；为运维人员提供整个分布式系统以及上层应用的部署和配置管理，支持在线集群扩容、缩容和应用服务的在线升级。Cluster monitoring and deployment: monitor the status of the cluster and the running status and performance indicators of upper-layer application services, generate alarms and records for abnormal events; provide deployment and configuration management of the entire distributed system and upper-layer applications for operation and maintenance personnel, and support online Cluster expansion, reduction and online upgrade of application services.

如图2所示，在本申请实施例中，云平台作为大数据的提供者(Data Provider，DP)，提供大数据开放、计算和分析的功能，集成大数据计算容器(如HiveSQL/MapReduce)、大数据挖掘平台(如R/Python/Xlab/MySQL)等功能，对接ODPS(Open Data ProcessingService，开放数据处理服务)、云盾、RDS(Relational Database Service，关系型数据库服务)/OTS(Open Table Service，开放结构化数据服务)、UMP(Unified MySQL Platform，数据库存储服务)等各种云的基础设施。As shown in FIG. 2 , in the embodiment of the present application, the cloud platform, as a big data provider (Data Provider, DP), provides the functions of big data opening, computing and analysis, and integrates big data computing containers (such as HiveSQL/MapReduce) , big data mining platform (such as R/Python/Xlab/MySQL) and other functions, docking ODPS (Open Data Processing Service, open data processing service), cloud shield, RDS (Relational Database Service, relational database service)/OTS (Open Table Service, open structured data service), UMP (Unified MySQL Platform, database storage service) and other cloud infrastructures.

大数据的使用者，如科研机构、ISV(Independent Software Vendors，独立软件开发商)，通过资质审核及协议签署后，即可进入云平台，获得PaaS(Platform as a Service)云服务，使用这些资源和服务。Users of big data, such as scientific research institutions and ISVs (Independent Software Vendors), can enter the cloud platform after passing the qualification review and signing the agreement, obtain PaaS (Platform as a Service) cloud services, and use these resources and service.

其中，通过网络进行程序提供的服务称之为SaaS(Software as a Service)，而云计算时代相应的服务器平台或者开发环境作为服务进行提供就成为了PaaS云服务。Among them, the service provided by the program through the network is called SaaS (Software as a Service), and the corresponding server platform or development environment provided as a service in the cloud computing era becomes the PaaS cloud service.

应用对象由大数据的使用者提交给云平台，为承接业务处理的程序，一般分为两种：The application object is submitted to the cloud platform by the user of big data. It is generally divided into two types in order to undertake the business processing program:

一、应用；1. Application;

即APP(Application)，直接通过数据加工做成产品，可以上架到服务市场。That is, APP (Application), which is directly processed into products through data processing, and can be put on the service market.

二、分析程序；2. Analysis procedures;

通过数据分析处理，直接生成分析报告。Through data analysis and processing, analysis reports can be generated directly.

如图2所示，由于应用对象为大数据的使用者提交的，进入应用对象容器，因此，监控系统可以对其进行安全检测，保证云平台设备本身及其业务数据的安全。As shown in Figure 2, since the application object is submitted by the user of big data and enters the application object container, the monitoring system can perform security detection on it to ensure the security of the cloud platform device itself and its business data.

在本申请的一个实施例中，步骤101可以包括如下子步骤：In an embodiment of the present application,step 101 may include the following sub-steps:

子步骤S11，判断提交的应用对象是否进行以下的至少一项操作：若是，则执行子步骤S12，若否，则执行子步骤S13；Sub-step S11, determine whether the submitted application object performs at least one of the following operations: if so, execute sub-step S12; if not, execute sub-step S13;

子步骤S12，确认不通过安全检测；Sub-step S12, confirming that the safety test is not passed;

子步骤S13，确认通过安全检测。Sub-step S13, confirming that the security detection is passed.

大数据的使用者开发的应用对象，检测系统通过代码静态检查，如SQL(Structured Query Language，结构化查询语言)检测，在ODPS的JVM和Python安全沙箱(即虚拟机VM)试运行应用对象，通过安全检测后，再通过ODPS的CMD命令实现应用对象的运行。Application objects developed by users of big data, the detection system passes code static inspection, such as SQL (Structured Query Language, Structured Query Language) detection, and trial-runs application objects in ODPS JVM and Python security sandbox (that is, virtual machine VM). , After passing the security detection, the application object can be run through the CMD command of ODPS.

这一过程中可以应用以下规则：The following rules apply during this process:

1、查询敏感的业务数据；1. Query sensitive business data;

云平台可以基于数据的安全规范对业务数据划分不同的等级，例如，开放的业务数据、内部的业务数据、敏感的业务数据、机密的业务数据等等。The cloud platform can classify business data into different levels based on data security specifications, for example, open business data, internal business data, sensitive business data, confidential business data, and so on.

若应用对象试图查询敏感的业务数据，例如，用户所在地、交易金额等，则可能造成用户隐私泄露。If the application object attempts to query sensitive business data, such as the user's location, transaction amount, etc., user privacy may be leaked.

2、跨业务数据所属的业务对象进行操作；2. Operate across business objects to which business data belongs;

在电子商务领域中，业务数据所属的业务对象可以为店铺，每个店铺是一个个体，跨店铺进行分析，可能造成隐私泄露。In the field of e-commerce, the business object to which business data belongs can be a store, and each store is an individual. Analysis across stores may result in privacy leakage.

3、导出业务数据；3. Export business data;

导出业务数据会造成业务数据泄露，风险不可控；Exporting business data will cause business data leakage and the risk is uncontrollable;

4、聚合业务数据；4. Aggregate business data;

不同的大数据的提供者有不同的业务安全原则，一个开发者获得的授权的业务数据的量足够大，当进行数据整体聚合时，例如，全部加和、全部平均等等，可能会泄露业务敏感的数据，例如，业务方行业维度的数据、类目成交等等。Different big data providers have different business security principles. The amount of authorized business data obtained by a developer is large enough. When the data is aggregated as a whole, for example, all sums, all averages, etc., may leak business Sensitive data, such as business-side industry-dimension data, category transactions, etc.

若涉及上述的操作，则认为危险等级较高，可以拒绝为该应用对象提供业务数据，若未涉及上述的操作，则认为安全等级较高，可以为该应用对象提供业务数据。If the above operations are involved, the risk level is considered high, and the application object can be refused to provide business data. If the above operations are not involved, the security level is considered high, and the application object can be provided with business data.

当然，上述操作只是作为示例，在实施本申请实施例时，可以根据实际情况设置其他操作，本申请实施例对此不加以限制。另外，除了上述操作外，本领域技术人员还可以根据实际需要采用其它操作，本申请实施例对此也不加以限制。Of course, the above operations are only examples. When implementing the embodiments of the present application, other operations may be set according to actual situations, which are not limited in the embodiments of the present application. In addition, in addition to the above operations, those skilled in the art can also adopt other operations according to actual needs, which are not limited in the embodiments of the present application.

步骤102，当通过安全检测时，查找与所述应用对象匹配的业务数据；Step 102, when passing the security detection, search for business data matching the application object;

对于不同业务领域而言，可以具有不同的业务数据，即具有业务领域特征的数据。For different business domains, there may be different business data, that is, data with business domain characteristics.

例如，对于新闻媒体领域而言，业务数据可以为新闻数据；对于移动通信领域而言，业务数据可以为移动通信数据；对于电子商务(Electronic Commerce，EC)领域而言，业务数据可以为交易数据，等等。For example, in the field of news media, the business data can be news data; in the field of mobile communication, the business data can be mobile communication data; in the field of electronic commerce (Electronic Commerce, EC), the business data can be transaction data ,and many more.

业务数据虽然承载不同的业务特性，但其本质仍然是数据，例如，文本、图像数据、音频数据、视频数据等等。Although service data carries different service characteristics, its essence is still data, such as text, image data, audio data, video data, and so on.

对业务数据进行的业务处理，实质上也是对数据的处理。The business processing of business data is essentially the processing of data.

为使本领域技术人员更好地理解本申请实施例，在本申请实施例中，将交易数据作为业务数据的一种示例进行说明。In order for those skilled in the art to better understand the embodiments of the present application, in the embodiments of the present application, transaction data is used as an example of business data for description.

在本申请实施例中，由于应用对象的属性不同，所需的业务数据也不同。In the embodiment of the present application, due to the different attributes of the application objects, the required service data are also different.

例如，某个科研机构通过用户对含有“舌尖”的商品的购买行为进行分析，分析F2O(Focus to Online，傍焦营销)的案例，即某个热播的美食节目对电子商务的影响及关联度。For example, a scientific research institution analyzes the purchase behavior of products containing "the tip of the tongue" by users, and analyzes the case of F2O (Focus to Online, focusing on marketing), that is, the influence and correlation of a popular food program on e-commerce Spend.

在此示例中，交易数据可以分为三种类型：In this example, transaction data can be divided into three types:

1、用户(买家)属性数据；1. User (buyer) attribute data;

例如，用户ID、性别、年龄段、学历等等。For example, user ID, gender, age group, education, etc.

2、用户(买家)行为数据；2. User (buyer) behavior data;

例如，在云平台(购物平台)上的浏览、收藏、购买等行为。For example, browsing, collecting, purchasing and other behaviors on the cloud platform (shopping platform).

3、订单数据；3. Order data;

例如，用户ID、含某个关键字(如“舌尖”)的订单、商品ID、商品评分、来源等等。For example, user ID, orders with a certain keyword (eg "tip of the tongue"), item ID, item rating, source, etc.

需要说明的是，大数据的使用者(如科研机构)提出需求，承接的云平台进行需求的梳理，主要是将其文字性或按对方理解的数据格式转化为云平台标准的数据格式。It should be noted that when users of big data (such as scientific research institutions) put forward requirements, the cloud platform that undertakes them sorts out the requirements, mainly by converting the textual or data format understood by the other party into the standard data format of the cloud platform.

此外，云平台还可以从业务合作的角度进行价值判断，确认需求。In addition, the cloud platform can also make value judgments and confirm needs from the perspective of business cooperation.

比如，对业务是否有积极的影响力，如锤炼云平台的功能，提升品牌影响力等等。For example, whether it has a positive influence on the business, such as tempering the functions of the cloud platform, enhancing brand influence, etc.

若价值较高，则可以进行合作，若价值较低，则可以拒绝合作。If the value is high, cooperation can be carried out, and if the value is low, cooperation can be refused.

步骤103，对所述业务数据进行基于云平台的安全处理；Step 103, performing cloud platform-based security processing on the business data;

由于业务数据为第三方的使用者所使用的，因此，可以对其进行安全处理，保证云平台中业务数据的安全。Since the business data is used by third-party users, it can be safely processed to ensure the security of the business data in the cloud platform.

在本申请的一个实施例中，步骤103可以包括如下子步骤：In an embodiment of the present application,step 103 may include the following sub-steps:

子步骤S21，判断所述业务数据是否为开放的业务数据；若是，则执行子步骤S22；Sub-step S21, determine whether the service data is open service data; if so, execute sub-step S22;

子步骤S22，查询所述业务数据的开放内容和开放形式；Sub-step S22, query the open content and open form of the business data;

子步骤S23，按照所述开放形式，对属于开放内容的业务数据进行基于云平台的脱敏处理。Sub-step S23, performing cloud platform-based desensitization processing on the business data belonging to the open content according to the open form.

经过需求梳理，业务价值判断及初步的安全检测后，确定具体可提供的业务数据，及对业务处理进行什么样的安全手段，保证安全的同时又能保证业务数据是可用的。After sorting out the requirements, judging the business value, and performing preliminary security testing, determine the specific business data that can be provided, and what security methods are used for business processing, so as to ensure security and ensure that business data is available.

例如，若业务数据为表结构，则可以确认开放表结构的哪些字段，这些字段要经过哪些脱敏处理。For example, if the business data is in a table structure, you can confirm which fields of the open table structure are to be desensitized.

脱敏处理，指对某些敏感信息通过脱敏规则进行数据的变形，实现敏感隐私数据的可靠保护。Desensitization processing refers to the transformation of some sensitive information through desensitization rules to achieve reliable protection of sensitive private data.

这样，在开发、测试和其它非生产环境以及外包环境中安全地使用脱敏后的业务数据，在保留业务数据的意义和有效性的同时，保持数据的安全性并遵从数据隐私规范。In this way, desensitized business data can be safely used in development, testing, and other non-production environments, as well as in outsourcing environments, while preserving the meaning and validity of business data while maintaining data security and compliance with data privacy regulations.

借助脱敏处理，业务数据依旧可以被使用并与业务相关联，不会违反相关规定，而且也避免了业务数据泄露的风险。With desensitization processing, business data can still be used and associated with the business, without violating relevant regulations, and avoiding the risk of business data leakage.

通过统一的脱敏处理对即将给大数据的使用者提供的原本敏感的业务数据进行动态脱敏、静态脱敏，在业务可行的同时保障数据安全。Through unified desensitization processing, dynamic desensitization and static desensitization of the originally sensitive business data that will be provided to users of big data are performed to ensure data security while the business is feasible.

其中，动态脱敏为既针对特定应用对象屏蔽业务数据的方法。Among them, dynamic masking is a method of masking business data for specific application objects.

动态脱敏可随时对敏感字段进行脱敏，针对不用的大数据的使用者呈现不同的状态或数值，以保证数据在不同用户之间是隔离的。Dynamic desensitization can desensitize sensitive fields at any time, and present different states or values for users of unused big data to ensure that data is isolated between different users.

例如，对于统一的业务数据，包括A字段和B字段，但用户甲可能看到脱敏处理后的A字段，用户乙可能看到的是脱敏处理后的B字段。For example, for unified business data, including fields A and B, but user A may see field A after desensitization processing, and user B may see field B after desensitization processing.

静态数据脱敏(或“持久数据脱敏”)既在来源处永久修改业务数据。Data masking at rest (or "persistent data masking") modifies business data permanently at the source.

即在业务数据提供给大数据的使用者前，对业务数据进行脱敏，所有用户看到的是相同的。That is, before the business data is provided to the big data users, the business data is desensitized, and all users see the same.

如图2所示，云平台所提供的业务数据的容器中的大数据，底层基于标准的、体系化的数据仓库，业务数据对外开放使用时，由安全审核引擎进行安全处理，进行静态脱敏处理后，变成可对大数据的使用者开放的业务数据主题。As shown in Figure 2, the big data in the business data container provided by the cloud platform is based on a standard and systematic data warehouse at the bottom. When the business data is open to the outside world, it is processed safely by the security audit engine and statically desensitized After processing, it becomes a business data subject open to users of big data.

根据数据安全策略的不同，业务数据针对开放的大数据的使用者的不同进行动态脱敏后，通过合法授权后(即样本授权，比如获取用户授权、云平台官方授权)，变为大数据的使用者可见可使用的业务数据。According to different data security policies, after business data is dynamically desensitized for different users of open big data, it becomes a big data through legal authorization (that is, sample authorization, such as obtaining user authorization and cloud platform official authorization). The user can see the available business data.

在具体实现中，脱敏处理(即数据脱敏)包括以下的一种或多种：In a specific implementation, desensitization processing (ie data desensitization) includes one or more of the following:

1、加密处理；1. Encryption processing;

例如，对用户昵称、商品名称进行加密。For example, encrypt user nicknames and commodity names.

在加密处理中应用的加密算法可以包括对称加密算法、非对称加密算法和HASH算法等等。The encryption algorithm applied in the encryption process may include a symmetric encryption algorithm, an asymmetric encryption algorithm, a HASH algorithm, and the like.

其中，对称加密算法包括：DES、3DES、Blowfish、IDEA、RC4、RC5、RC6和AES等等；Among them, symmetric encryption algorithms include: DES, 3DES, Blowfish, IDEA, RC4, RC5, RC6 and AES, etc.;

非对称加密算法包括：RSA、ECC(移动设备用)、Diffie-Hellman、El Gamal、DSA(数字签名用)等等Asymmetric encryption algorithms include: RSA, ECC (for mobile devices), Diffie-Hellman, El Gamal, DSA (for digital signatures), etc.

HASH算法包括：MD2、MD4、MD5、HAVAL、SHA等等。HASH algorithms include: MD2, MD4, MD5, HAVAL, SHA, and more.

2、模糊处理；2. Fuzzy processing;

例如，购买时间从精确到毫秒模糊到小时或分，购买来源从街道模糊到市等等。For example, the time of purchase varies from precise to milliseconds to hours or minutes, the source of purchases varies from street to city, and so on.

3、类目对比排名；3. Category comparison ranking;

针对要进行的类目相关对比度分析，若大数据的使用者需求原始类目的业务数据，云平台可以不直接提供真实数据，而是提供排名。For the category-related contrast analysis to be performed, if the user of big data needs business data of the original category, the cloud platform may not directly provide real data, but provide rankings.

4、统计指标归一化。4. Normalization of statistical indicators.

归一化是数据标准手段之一，在此处可以用来进行数值变换。Normalization is one of the standard means of data, which can be used to perform numerical transformation here.

例如，大数据的使用者需求一个店铺或类目的流量，云平台可以不直接提供真实值，而提供一个经过数据函数或是归一化处理的变化值，如将真实值变成1-100之间或是0-1之间的值。For example, if the user of big data needs the traffic of a store or category, the cloud platform can not directly provide the real value, but provide a change value through data function or normalization processing, such as changing the real value into 1-100 or a value between 0 and 1.

相同指标间是可以对比的，保留对比的属性，但去掉真实值，以保证业务数据的安全。The same indicators can be compared, and the properties of comparison are retained, but the real value is removed to ensure the security of business data.

当然，上述脱敏处理只是作为示例，在实施本申请实施例时，可以根据实际情况设置其他脱敏处理，本申请实施例对此不加以限制。另外，除了上述脱敏处理外，本领域技术人员还可以根据实际需要采用其它脱敏处理，本申请实施例对此也不加以限制。Of course, the above desensitization treatment is only an example, and other desensitization treatments may be set according to actual conditions when implementing the embodiments of the present application, which are not limited in the embodiments of the present application. In addition, in addition to the above-mentioned desensitization treatment, those skilled in the art can also adopt other desensitization treatments according to actual needs, which are not limited in the embodiments of the present application.

在本申请的另一个实施例中，步骤103可以包括如下子步骤：In another embodiment of the present application,step 103 may include the following sub-steps:

子步骤S31，对所述业务数据进行抽样处理；Sub-step S31, performing sampling processing on the service data;

抽样处理，是指不提供全量的业务数据，而提供部分的业务数据，包括有代表性的业务数据，例如，选取过去某段时间内的业务数据、选取某类目排序最高的业务数据、选取部分店铺的业务数据等等。Sampling processing refers to providing partial business data instead of the full amount of business data, including representative business data, for example, selecting business data within a certain period of time in the past, selecting business data with the highest ranking of Business data of some stores, etc.

和/或，and / or,

子步骤S32，对所述业务数据进行风险控制处理；Sub-step S32, performing risk control processing on the business data;

风险控制处理，可以判断所提供的业务数据小于对应类目或行业的一定值，若是，则不提供。否则，所提供的业务数据的量可能被不法分子能定位个人，导致个人隐私泄露。In risk control processing, it can be judged that the provided business data is less than a certain value of the corresponding category or industry, and if so, it is not provided. Otherwise, the amount of business data provided may be able to locate individuals by criminals, resulting in leakage of personal privacy.

和/或，and / or,

子步骤S33，按照所述业务数据的敏感程度查询处理所述业务数据的容器。Sub-step S33, query the container for processing the business data according to the sensitivity of the business data.

如图2所示，在数据安全中的环境管控，对数据分级，根据业务数据的安全等级及数据的处理的方式，选取不同的运行环境，对其进行权限分级管理。As shown in Figure 2, in the environmental management and control of data security, the data is graded, and different operating environments are selected according to the security level of the business data and the way of processing the data, and the permissions are graded management.

若数据敏感度很高，要求在全部可控的环境中进行，如云平台本身，业务数据不可导出。If the data sensitivity is very high, it is required to be carried out in a fully controllable environment, such as the cloud platform itself, and business data cannot be exported.

数据敏感度很高，要求在云平台中加工，由云平台直接对接云平台认证可靠的终端环境。The data sensitivity is very high, and it is required to be processed in the cloud platform, and the cloud platform can directly connect to the terminal environment certified and reliable by the cloud platform.

比如对接云平台认可的广告投放平台，或是直接对接云平台认可的应用容器端。For example, it can connect to an advertising delivery platform approved by the cloud platform, or directly connect to an application container terminal approved by the cloud platform.

步骤104，在指定的容器中调用所述应用对象，对安全处理之后的业务数据进行业务处理。Step 104: Invoke the application object in a designated container to perform business processing on the business data after security processing.

在一个安全、可控的容器中，可以按照业务特性，调用应用对象对业务数据进行处理。In a safe and controllable container, application objects can be called to process business data according to business characteristics.

在实际应用中，大数据的使用者在云平台中可进行开发的任务可分为SQL、MR和Xlib等等。In practical applications, the tasks that big data users can develop in the cloud platform can be divided into SQL, MR, and Xlib, etc.

这些任务均可以运行在云平台的ODPS集群上，其是一个内网环境下的专用ODPS集群，大数据的使用者可以通过云平台的网站以安全可控的方式访问ODPS集群，不能通过其他方式直接访问ODPS集群。These tasks can all run on the ODPS cluster of the cloud platform, which is a dedicated ODPS cluster in the intranet environment. Big data users can access the ODPS cluster in a safe and controllable way through the website of the cloud platform. Direct access to the ODPS cluster.

同时，ODPS集群也没有对外网暴露访问的IP地址。At the same time, the ODPS cluster has no IP address exposed to the Internet.

在本申请的一个实施例中，步骤104可以包括如下子步骤：In an embodiment of the present application,step 104 may include the following sub-steps:

子步骤S41，将所述应用对象、安全处理之后的业务数据输出至指定的容器；Sub-step S41, outputting the application object and the business data after security processing to a designated container;

子步骤S42，接收处理请求；Sub-step S42, receiving a processing request;

子步骤S43，调用所述应用对象，按照所述处理请求对安全处理之后的业务数据进行业务处理。Sub-step S43, calling the application object, and performing business processing on the business data after security processing according to the processing request.

在本申请实施例中，确认要提供的业务数据，输出至加工的容器，比如云平台中的开发平台、大数据挖掘平台。In the embodiment of the present application, the business data to be provided is confirmed and output to a processing container, such as a development platform and a big data mining platform in a cloud platform.

在具体实现中，大数据挖掘平台提供挖掘能力的模块，以容器的方式提供。In the specific implementation, the big data mining platform provides modules with mining capabilities, which are provided in the form of containers.

该容器为云平台内网中的远程虚拟机(Virtual Manufacturing，VM)，或者，为云平台认证的系统中的远程虚拟机；The container is a remote virtual machine (Virtual Manufacturing, VM) in the intranet of the cloud platform, or a remote virtual machine in a system certified by the cloud platform;

该远程虚拟机通过指定的方式访问、不对外网开放；The remote virtual machine is accessed through a specified method and is not open to the Internet;

大数据的使用者在云平台上进行业务数据进行业务处理，如图2所示，业务数据的访问方式不是由使用者接到数据库中进行操作，而在数据服务层(包括调度、查询层)中提供调度和查询权限，在网站上通过云平台包装的功能界面间接对数据进行使用及操作。Users of big data process business data on the cloud platform. As shown in Figure 2, the access method of business data is not connected to the database by the user for operation, but in the data service layer (including scheduling and query layer) Provide scheduling and query permissions in the website, and use and operate data indirectly through the functional interface packaged by the cloud platform on the website.

该业务数据禁止从该远程虚拟机导出；The business data is prohibited from being exported from the remote virtual machine;

远程虚拟机提供业务数据的处理权限、不提供业务数据的管理权限，如数据库的管理权限。The remote virtual machine provides business data processing rights, but does not provide business data management rights, such as database management rights.

在本申请的一个实施例中，该方法还可以如下步骤：In an embodiment of the present application, the method may also perform the following steps:

步骤105，对所述业务处理进行监测；Step 105, monitoring the service processing;

在一个可控的容器中进行业务处理，云平台是可以监控可探视的，也就意味的可以发现或进行预警及事后取证。Business processing is performed in a controllable container, and the cloud platform can be monitored and visited, which means that it can be discovered or carried out early warning and forensics afterwards.

如图2所示，在本申请实施例中，可以对用户资源的使用情况进行整体监控记录(即资源监控、行为监控)，以避免出现大量的业务数据导出的情况。As shown in FIG. 2 , in this embodiment of the present application, overall monitoring and recording (ie, resource monitoring and behavior monitoring) may be performed on the usage of user resources, so as to avoid a situation in which a large amount of business data is exported.

其中包括：These include:

对安全处理之后的业务数据的使用信息进行监测，其中，该使用信息包括应用程序编程接口(API)的调用数量和/或调用次数；Monitoring the usage information of the business data after the secure processing, wherein the usage information includes the number and/or the number of invocations of an application programming interface (API);

和/或，and / or,

对指定的容器的存储信息(如数据库存储情况、数据存储量级)进行监测。Monitor the storage information (such as database storage status and data storage level) of the specified container.

步骤106，判断所述业务处理是否为风险处理；若是，则执行步骤107；Step 106, determine whether the business processing is risk processing; if so, go to Step 107;

步骤107，生成警报信息。Step 107, generating alarm information.

在检测风险处理时，生成警报信息提示云平台中的技术人员进行处理。When detecting risk handling, an alarm message is generated to prompt the technicians in the cloud platform to handle it.

其中包括：These include:

当使用信息与预设的样本使用信息之间的差异超过预设的差异阈值时，判定为风险处理；When the difference between the usage information and the preset sample usage information exceeds the preset difference threshold, it is determined as risk processing;

如平时是万级的API调用量(样本使用信息)，而突然是百万级API调用量(使用信息)，API调用异常。For example, the usual API call volume (sample usage information) is 10,000-level, but suddenly it is a million-level API call volume (use information), and the API call is abnormal.

和/或，and / or,

当存储信息超过预设的存储阈值时，表示资源占用异常，操作的数据量过大，有导出风险，判定为风险处理。When the stored information exceeds the preset storage threshold, it indicates that the resource occupation is abnormal, the amount of data being operated is too large, and there is a risk of exporting, and it is determined as risk processing.

步骤108，对所述容器进行云安全检测；Step 108, performing cloud security detection on the container;

如图2所示，在云平台中的云盾，可以提供云安全检测。As shown in Figure 2, the cloud shield in the cloud platform can provide cloud security detection.

其中，云安全检测可以包括如下的一种或多种：The cloud security detection may include one or more of the following:

1、DDos防御；1. DDos defense;

部署专业防Ddos设备来限量抵御SYN flood拒绝服务攻击，并时时通知用户网站被攻击的状态。Deploy professional anti-Ddos equipment to limit SYN flood denial of service attacks, and constantly notify users of the status of the website being attacked.

2、主机密码破解防御；2. Host password cracking defense;

暴力破解对服务器的危害很大，如果被破解成功，会窃取管理员权限，从而极大危害网站及网站用户信息和权益。Brute-force cracking is very harmful to the server. If it is successfully cracked, it will steal administrator rights, which will greatly harm the information and rights of the website and its users.

主机密码暴力破解防御通过扫描访问日志实时发现不法入侵，并封禁入侵的IP地址，以短信或邮件的方式通知用户，用户可登录查看时间、不法IP、目标云服务器和拦截的次数等入侵信息。The host password brute force cracking defense detects illegal intrusions in real time by scanning access logs, blocks the intrusion IP addresses, and notifies users by SMS or email. Users can log in to view intrusion information such as time, illegal IP, target cloud server, and the number of interceptions.

3、网站后门检测；3. Website backdoor detection;

网站后门是植入网站的一段代码，运行在web段，通常隐蔽性较好，管理员较难实时发现，植入后门的网站会被窃取网站信息，甚至丢失网站控制权，同时会侵害网站用户的隐私信息，给网站造成不可挽回的损失。A website backdoor is a piece of code implanted in a website. It runs on the web segment and is usually concealed. It is difficult for administrators to find out in real time. Websites with backdoors will steal website information, or even lose website control, and will harm website users at the same time. privacy information, causing irreparable damage to the website.

后门检测通过扫描访问URL实时发现网站后门，以短信或邮件的方式通知用户，用户可登录查看网站后门隶属的云主机及地址等信息，以便及时删除后门消除隐患。Backdoor detection detects website backdoors in real time by scanning and visiting URLs, and notifies users by SMS or email. Users can log in to view information such as cloud hosts and addresses to which website backdoors belong, so as to delete backdoors in time to eliminate hidden dangers.

4、异地登录提醒；4. Remote login reminder;

根据网站用户的登录习惯进行分析并建立模型，异地提醒通过扫描访问日志实时发现异常登录行为，以短信或邮件的方式通知用户，用户可登录查看用户登录的时间、地点和目标服务器进行确认，避免非授权登录可能造成的损害。Analyze and build models according to website users’ login habits, and remind users in different places to detect abnormal login behaviors in real time by scanning access logs, and notify users by SMS or email. Possible damage caused by unauthorized login.

5、端口安全检查。5. Port security check.

定期扫描服务器开放的高危端口，降低系统被入侵的风险，并将端口开放列表定期报告用户。Regularly scan the high-risk ports opened by the server to reduce the risk of system intrusion, and regularly report the open port list to users.

当然，上述云安全检测只是作为示例，在实施本申请实施例时，可以根据实际情况设置其他云安全检测，本申请实施例对此不加以限制。另外，除了上述云安全检测外，本领域技术人员还可以根据实际需要采用其它云安全检测，本申请实施例对此也不加以限制。Of course, the above cloud security detection is only an example. When implementing the embodiments of the present application, other cloud security detections may be set according to actual situations, which are not limited in the embodiments of the present application. In addition, in addition to the above cloud security detection, those skilled in the art may also adopt other cloud security detections according to actual needs, which are not limited in this embodiment of the present application.

步骤109，通过预设的应用程序编程接口输出处理报告。Step 109 , output a processing report through a preset application programming interface.

根据不同的需求，若是进行报告产出，业务数据在指定的容器中运行，最后以API的形式输出，然后为其报告提供原材料。According to different needs, if the report is output, the business data is run in the specified container, and finally output in the form of API, and then the raw material is provided for its report.

如果业务数据相对敏感，在完全可控的容器中进行业务处理，用户直接进行完分析，由云平台直接对接到其认证的系统，如广告投放系统，那这个业务处理结果不可导出甚至不可见。If the business data is relatively sensitive, the business processing is carried out in a fully controllable container, the user directly completes the analysis, and the cloud platform directly connects to its certified system, such as an advertisement delivery system, then the business processing result cannot be exported or even visible.

步骤110，对所述容器中安全处理之后的业务数据的工作流(Workflow)进行监测。Step 110: Monitor the workflow (Workflow) of the business data after security processing in the container.

在本申请实施例中，基于业务数据的工作流对业务数据进行全面监控，从业务数据在平台上的处理日志、业务数据从API输出的日志、数据在VM机器上的日志，整个链接进行日志采集分析，设置规则。In the embodiment of this application, the business data is comprehensively monitored based on the workflow of the business data, from the processing log of the business data on the platform, the log of the business data output from the API, and the log of the data on the VM machine, the entire link is logged. Collect and analyze, and set rules.

例如，若针对订单相关的数据进行监控，则可以对某用户访问订单量激增进行报警，发生订单泄露进行追踪定位，等等。For example, if order-related data is monitored, an alarm can be issued for a user's surge in access orders, and order leakage can be tracked and located, and so on.

需要说明的是，对于方法实施例，为了简单描述，故将其都表述为一系列的动作组合，但是本领域技术人员应该知悉，本申请实施例并不受所描述的动作顺序的限制，因为依据本申请实施例，某些步骤可以采用其他顺序或者同时进行。其次，本领域技术人员也应该知悉，说明书中所描述的实施例均属于优选实施例，所涉及的动作并不一定是本申请实施例所必须的。It should be noted that, for the sake of simple description, the method embodiments are expressed as a series of action combinations, but those skilled in the art should know that the embodiments of the present application are not limited by the described action sequence, because According to the embodiments of the present application, certain steps may be performed in other sequences or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.

参照图3，示出了本申请的一种基于云平台的业务数据的处理装置实施例的结构框图，具体可以包括如下模块：Referring to FIG. 3 , a structural block diagram of an embodiment of an apparatus for processing business data based on a cloud platform of the present application is shown, which may specifically include the following modules:

安全检测模块301，用于对提交的应用对象进行基于云平台的安全检测；A security detection module 301, configured to perform cloud platform-based security detection on the submitted application object;

业务数据查找模块302，用于在通过安全检测时，查找与所述应用对象匹配的业务数据；a business data search module 302, configured to search for business data matching the application object when the security detection is passed;

安全处理模块303，用于对所述业务数据进行基于云平台的安全处理；a security processing module 303, configured to perform cloud platform-based security processing on the business data;

业务处理模块304，用于在指定的容器中调用所述应用对象，对安全处理之后的业务数据进行业务处理。The business processing module 304 is configured to call the application object in a specified container, and perform business processing on the business data after security processing.

在本申请的一个实施例中，所述安全检测模块301可以包括如下子模块：In an embodiment of the present application, the security detection module 301 may include the following sub-modules:

在本申请的一个实施例中，所述安全处理模块303可以包括如下子模块：In an embodiment of the present application, the security processing module 303 may include the following sub-modules:

在本申请的一个实施例中，所述业务处理模块304可以包括如下子模块：In an embodiment of the present application, the service processing module 304 may include the following sub-modules:

和/或，and / or,

在实际应用中，所述容器为云平台内网中的远程虚拟机，或者，为云平台认证的系统中的远程虚拟机；In practical applications, the container is a remote virtual machine in the intranet of the cloud platform, or a remote virtual machine in a system certified by the cloud platform;

在本申请的一个实施例中，该装置还可以包括如下模块：In an embodiment of the present application, the device may further include the following modules:

在本申请的一个实施例中，所述处理监测模块可以包括如下子模块：In an embodiment of the present application, the processing monitoring module may include the following sub-modules:

和/或，and / or,

在本申请的一个实施例中，所述风险判断模块可以包括如下子模块：In an embodiment of the present application, the risk judgment module may include the following sub-modules:

和/或，and / or,

对于装置实施例而言，由于其与方法实施例基本相似，所以描述的比较简单，相关之处参见方法实施例的部分说明即可。As for the apparatus embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for related parts.

本说明书中的各个实施例均采用递进的方式描述，每个实施例重点说明的都是与其他实施例的不同之处，各个实施例之间相同相似的部分互相参见即可。The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments may be referred to each other.

本领域内的技术人员应明白，本申请实施例的实施例可提供为方法、装置、或计算机程序产品。因此，本申请实施例可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且，本申请实施例可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the embodiments of the present application may be provided as methods, apparatuses, or computer program products. Accordingly, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

在一个典型的配置中，所述计算机设备包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。内存可能包括计算机可读介质中的非永久性存储器，随机存取存储器(RAM)和/或非易失性内存等形式，如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括，但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带，磁带磁磁盘存储或其他磁性存储设备或任何其他非传输介质，可用于存储可以被计算设备访问的信息。按照本文中的界定，计算机可读介质不包括非持续性的电脑可读媒体(transitory media)，如调制的数据信号和载波。In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. Memory may include non-persistent memory in computer readable media, random access memory (RAM) and/or non-volatile memory in the form of, for example, read only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media includes both persistent and non-permanent, removable and non-removable media, and storage of information may be implemented by any method or technology. Information may be computer readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Flash Memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic tape cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media does not include non-persistent computer-readable media (transitory media), such as modulated data signals and carrier waves.

本申请实施例是参照根据本申请实施例的方法、终端设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理终端设备的处理器以产生一个机器，使得通过计算机或其他可编程数据处理终端设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The embodiments of the present application are described with reference to the flowcharts and/or block diagrams of the methods, terminal devices (systems), and computer program products according to the embodiments of the present application. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing terminal equipment to produce a machine that causes the instructions to be executed by the processor of the computer or other programmable data processing terminal equipment Means are created for implementing the functions specified in the flow or flows of the flowcharts and/or the blocks or blocks of the block diagrams.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理终端设备以特定方式工作的计算机可读存储器中，使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品，该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer readable memory capable of directing a computer or other programmable data processing terminal equipment to operate in a particular manner, such that the instructions stored in the computer readable memory result in an article of manufacture comprising instruction means, the The instruction means implement the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

这些计算机程序指令也可装载到计算机或其他可编程数据处理终端设备上，使得在计算机或其他可编程终端设备上执行一系列操作步骤以产生计算机实现的处理，从而在计算机或其他可编程终端设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing terminal equipment, so that a series of operational steps are performed on the computer or other programmable terminal equipment to produce a computer-implemented process, thereby executing on the computer or other programmable terminal equipment The instructions executed on the above provide steps for implementing the functions specified in the flowchart or blocks and/or the block or blocks of the block diagrams.

尽管已描述了本申请实施例的优选实施例，但本领域内的技术人员一旦得知了基本创造性概念，则可对这些实施例做出另外的变更和修改。所以，所附权利要求意欲解释为包括优选实施例以及落入本申请实施例范围的所有变更和修改。Although the preferred embodiments of the embodiments of the present application have been described, those skilled in the art may make additional changes and modifications to these embodiments once the basic inventive concepts are known. Therefore, the appended claims are intended to be construed to include the preferred embodiments as well as all changes and modifications that fall within the scope of the embodiments of the present application.

最后，还需要说明的是，在本文中，诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来，而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且，术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含，从而使得包括一系列要素的过程、方法、物品或者终端设备不仅包括那些要素，而且还包括没有明确列出的其他要素，或者是还包括为这种过程、方法、物品或者终端设备所固有的要素。在没有更多限制的情况下，由语句“包括一个……”限定的要素，并不排除在包括所述要素的过程、方法、物品或者终端设备中还存在另外的相同要素。Finally, it should also be noted that in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply these entities or that there is any such actual relationship or sequence between operations. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass non-exclusive inclusion, such that a process, method, article or terminal device comprising a list of elements includes not only those elements, but also a non-exclusive list of elements. other elements, or also include elements inherent to such a process, method, article or terminal equipment. Without further limitation, an element defined by the phrase "comprises a..." does not preclude the presence of additional identical elements in the process, method, article or terminal device comprising said element.

以上对本申请所提供的一种基于云平台的业务数据的处理方法和一种基于云平台的业务数据的处理装置，进行了详细介绍，本文中应用了具体个例对本申请的原理及实施方式进行了阐述，以上实施例的说明只是用于帮助理解本申请的方法及其核心思想；同时，对于本领域的一般技术人员，依据本申请的思想，在具体实施方式及应用范围上均会有改变之处，综上所述，本说明书内容不应理解为对本申请的限制。A method for processing business data based on a cloud platform and a device for processing business data based on a cloud platform provided by the present application have been described in detail above. Specific examples are used in this paper to describe the principles and implementations of the present application. For elaboration, the description of the above embodiment is only used to help understand the method and the core idea of the application; meanwhile, for those of ordinary skill in the art, according to the idea of the application, there will be changes in the specific implementation and application scope. In conclusion, the content of this specification should not be construed as a limitation on this application.