Disclosure of Invention
The invention aims to provide a data security system based on access rights.
The aim of the invention can be achieved by the following technical scheme:
a data security system based on access rights, comprising:
the WEB front-end page display module is used for displaying WEB front-end page data to an access user and comprises a WEB temporary text memory and a rollback unit; the WEB temporary text memory temporarily stores the basic layout and text data of the system WEB front-end page in text form with an expiration time of 23:59:59, and when the stored data expires it generates expired text data from the expired basic layout and text data and transmits the expired text data to the log module;
the log module is used for recording logs of the WEB front-end page and comprises a second processor, an expiration log unit and an operation log unit; the operation log unit records at fixed times the operations of an access user on the basic layout and text data of the WEB front-end page, and the expiration log unit generates an expiration text log after receiving the expired text data and stores the expiration text log according to its expiration time;
the verification module records the operations of an access user on the basic layout and text data of the WEB front-end page, and compares the expiration text log transmitted by the expiration log unit with the basic layout and text data of the WEB front-end page transmitted by the WEB front-end page display module to generate verification file data;
the access right judging module stores and updates the access right level of the data for an access user and comprises a right database; the access right judging module receives the risk coefficient average value g of the data to be sampled from the data acquisition and analysis module, judges the right level from g, generates an access right cooperative instruction and transmits the access right cooperative instruction to the right database;
the data protection module protects the data according to the access right level of the data.
Further, the verification file data is generated by the following steps:
SS1: select the expiration text log of a given day as the log to be verified;
SS2: the verification module compares the basic layout and text data of the WEB front-end page with the log to be verified and generates verification data according to the following rule:
SSS1: take out the data in the log to be verified that differ from the basic layout and text data of the WEB front-end page;
SSS2: cut the extracted data into a plurality of modified data items according to the rendering form of the extracted data in the log to be verified;
SS3: the verification module summarises and stores the plurality of modified data items to generate verification file data, and names the verification file data by the expiration time of the log to be verified;
SS4: verification file data named after successive expiration dates are generated in turn by repeating steps SS1 to SS3.
Further, the data acquisition and analysis module generates the risk coefficient average value g of the data to be sampled by the following steps:
step one: select the data of one rendering form in the verification data as the data to be sampled;
step two: divide one data period into n data segments of equal duration and mark the n data segments of one data period as L1, L2, ..., Ln in sequence;
taking one data segment as an example, obtain in turn the number of modifications of the data to be sampled in that data segment in each of t data periods, and mark them M1, M2, ..., Mt,
where the t data periods are the t data periods counted back from the current data period; in one embodiment of the invention, one data period is 1 day and one data segment is 1 hour;
step three: calculate with the formula the standard deviation Q of the modification counts Mi of the data to be sampled in the data segment over the t data periods, 1 ≤ i ≤ t;
when Q is greater than the preset value Q1, delete the Mi values in turn in descending order of |Mi-M| and recalculate the residual Q until Q is smaller than the preset Q1, where M is the average number of modifications of the data to be sampled in the data segment over the t data periods, and the Mi are the modification counts that take part in calculating the residual average M;
step four: screen out the average effective modification frequency of the data to be sampled in the data segment over the t data periods;
taking a modification count Mi as an example, obtain in turn the interval between successive modifications of the data to be sampled and mark them Ta, a = 1, 2, ..., Mi-1; also obtain in turn the IP value corresponding to each of the Mi modifications of the data to be sampled in the data segment over the t data periods;
calculate the effective modification interval T with the formula T = |Tb-T0|; when T is greater than 0, delete the Ta values in turn in descending order of |Ta-T0| and recalculate the remaining T until T is less than 0, where T0 is the preset threshold on the interval between two modifications, 1 ≤ b ≤ Mi-1, and Tb are the effective intervals of the Mi modifications of the data to be sampled in the data segment over the t data periods;
calculate the effective modification frequency Vc for a modification count Mi of the data to be sampled in the data segment over the t data periods with the formula Vc = Mb/(T1+T2+...+Tb), where 1 ≤ c ≤ i and Mb is the number of modifications of the data to be sampled in the data segment over the t data periods;
obtain in turn the effective modification frequency Vi for each modification count Mi of the data to be sampled in the data segment over the t data periods;
calculate the average effective modification frequency V of the data to be sampled in the data segment over the t data periods with the formula V = (V1+V2+...+Vi)/i;
step five: obtain the weight d1 of the data to be sampled in the data segment over the t data periods:
obtain the size D1 of the data to be sampled and the overall size D of the verification data;
use the formula d1 = (D1/D) × 100%;
step six: calculate the risk coefficient g1 of the data to be sampled in the data segment over the t data periods with the formula g1 = V × d1 × f, where f is a preset coefficient;
step seven: obtain in turn the risk coefficients g1, g2, ..., gn of the data to be sampled in the n data segments over the t data periods by repeating steps two to six;
step eight: calculate the risk coefficient average value g of the data to be sampled in the n data segments over the t data periods with the formula g = (g1+g2+...+gn)/n.
Further, the access right judging module generates the access right cooperative instruction by the following judgment:
if g < G-20%, the access right of the data is judged to be level 1: the access right judging module generates an access right cooperative instruction and transmits it to the right database, the right database looks up the data and changes its access right to level 1, and the access right judging module transmits the access right level of the data to the data protection module;
if G-20% ≤ g ≤ G+20%, the access right of the data is judged to be level 2: the access right judging module generates an access right cooperative instruction and transmits it to the right database, the right database looks up the data and changes its access right to level 2, and the access right judging module transmits the access right level of the data to the data protection module;
if g > G+20%, the access right of the data is judged to be level 3: the access right judging module generates an access right cooperative instruction and transmits it to the right database, the right database looks up the data and changes its access right to level 3, and the access right judging module transmits the access right level of the data to the data protection module;
where G is a preset data risk coefficient threshold.
Further, the data protection module comprises a locking unit and protects the data by the following steps:
SSSS1: when the access right level received by the data protection module is level 1, the data protection module performs no processing;
SSSS2: when the access right level received by the data protection module is level 2, the data protection module generates a locking instruction and transmits it to the locking unit, the locking unit locks the data so that access users cannot modify it, the data protection module transmits the locked data to the rollback unit, and the rollback unit replaces the locked data with the originally stored data;
SSSS3: when the access right level received by the data protection module is level 3, the data protection module generates a locking instruction and transmits it to the locking unit, the locking unit locks the data so that access users can neither modify it nor insert other data into it, the data protection module transmits the locked data to the rollback unit, and the rollback unit replaces the locked data with the originally stored data.
Furthermore, the rollback unit permanently stores the basic layout and text data of the WEB front-end page and rolls back regularly, by the following steps:
s1: the rollback time is set, preferably at 00:00 each day;
s2: the first processor generates a rollback instruction and transmits it to the rollback unit;
s3: on receiving the rollback instruction from the first processor, the rollback unit generates front-end text data from the permanently stored basic layout and text data of the WEB front-end page and transmits the front-end text data to the WEB temporary text memory;
s4: on receiving the front-end text data from the rollback unit, the WEB temporary text memory stores the front-end text data temporarily.
The invention has the following beneficial effects:
(1) According to the invention, the access right judging module judges the access right level of the front-end page data and the data protection module locks the data according to that level, so that access users are prevented from modifying or adding to the front-end page data of the system and the protection of the data is improved;
(2) According to the invention, the data acquisition and analysis module samples and analyses the label data and text data of the front-end page to obtain the risk coefficient of the data, and the risk coefficient is compared with a preset risk coefficient to judge the risk level of the data, so that inaccurate classification of the data access right level is avoided.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1, the data security system based on access rights comprises a WEB front-end page display module, a log module, a verification module, a data acquisition and analysis module, an access right judging module and a data protection module.
The WEB front-end page display module is used for displaying WEB front-end page data to an access user and comprises a first processor, a WEB temporary text memory and a rollback unit. The WEB temporary text memory temporarily stores the basic layout and text data of the system WEB front-end page in text form with an expiration time of 23:59:59; when the stored data expires, the WEB temporary text memory generates expired text data from the expired basic layout and text data and transmits it to the first processor, and the first processor receives the expired text data from the WEB temporary text memory and transmits it to the log module;
the first processor receives a user access request, generates a front-end data acquisition instruction and transmits it to the WEB temporary text memory; the WEB temporary text memory receives the front-end data acquisition instruction from the first processor and transmits the basic layout and text data of the WEB front-end page stored in text form to the first processor, and the first processor renders the data transmitted by the WEB temporary text memory and displays it to the access user;
the rollback unit permanently stores the basic layout and text data of the WEB front-end page and rolls back regularly, by the following steps:
s1: the rollback time is set, preferably at 00:00 each day;
s2: the first processor generates a rollback instruction and transmits it to the rollback unit;
s3: on receiving the rollback instruction from the first processor, the rollback unit generates front-end text data from the permanently stored basic layout and text data of the WEB front-end page and transmits the front-end text data to the WEB temporary text memory;
s4: on receiving the front-end text data from the rollback unit, the WEB temporary text memory stores the front-end text data temporarily.
The log module is used for recording logs of the WEB front-end page and comprises a second processor, an expiration log unit and an operation log unit.
The second processor receives the expired text data transmitted by the WEB front-end page display module and forwards it to the expiration log unit; the expiration log unit generates an expiration text log after receiving the expired text data from the second processor and stores the expiration text log according to its expiration time;
the operation log unit regularly records the operations of an access user on the basic layout and text data of the WEB front-end page.
The verification module records the operations of an access user on the basic layout and text data of the WEB front-end page. The verification module generates a verification instruction and transmits it to the WEB front-end page display module and to the log module; the first processor receives the verification instruction from the verification module, generates a basic data acquisition instruction and transmits it to the rollback unit, and the rollback unit receives the basic data acquisition instruction from the first processor and transmits the basic layout and text data of the WEB front-end page to the verification module;
the second processor receives the verification instruction from the verification module, generates an expired text data acquisition instruction and transmits it to the expiration log unit, and the expiration log unit transmits the expiration text log to the verification module;
the verification module receives the basic layout and text data of the WEB front-end page from the WEB front-end page display module and the expiration text log from the log module, then compares the two to generate front-end modification data by the following steps:
SS1: select the expiration text log of a given day as the log to be verified;
SS2: the verification module compares the basic layout and text data of the WEB front-end page with the log to be verified and generates verification data according to the following rule:
SSS1: take out the data in the log to be verified that differ from the basic layout and text data of the WEB front-end page;
SSS2: cut the extracted data into a plurality of modified data items according to the rendering form of the extracted data in the log to be verified;
SS3: the verification module summarises and stores the plurality of modified data items to generate verification file data, and names the verification file data by the expiration time of the log to be verified;
SS4: verification file data named after successive expiration dates are generated in turn by repeating steps SS1 to SS3.
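The following is an added worked example of steps SS1 to SS4 (as stated both in the Disclosure and here); it is not code from the patent. It assumes that the page's basic layout and text data and an expiration text log are each an ordered mapping from a rendering form (an element identifier such as `p#intro`) to its text, and that the verification file is named after the expiration date of the log it was derived from.

```python
"""Verification file data from an expiration text log (steps SS1 to SS4).

Added worked example, not code from the patent.  Assumptions: page data and
expired logs are ordered mappings from rendering form to text; files are
named by the expiration date of the verified log.  Sample data constructed.
"""
from datetime import date
from difflib import SequenceMatcher


def changed_spans(old, new):
    """SSS2: cut one changed text into the spans that differ, as
    (operation, old_fragment, new_fragment) triples."""
    matcher = SequenceMatcher(None, old, new)
    return [(op, old[i1:i2], new[j1:j2])
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]


def modified_data(page, expired_log):
    """SSS1: take out every rendering form whose logged text differs from
    the current page text.  A form present on only one side is reported as
    inserted (on the page, not in the log) or deleted (in the log only)."""
    records = []
    page_only = [form for form in page if form not in expired_log]
    for form in list(expired_log) + page_only:
        logged, current = expired_log.get(form), page.get(form)
        if logged == current:
            continue
        if logged is None:
            kind = "inserted"
        elif current is None:
            kind = "deleted"
        else:
            kind = "changed"
        records.append({"rendering_form": form, "kind": kind,
                        "log_text": logged, "page_text": current,
                        "spans": changed_spans(logged or "", current or "")})
    return records


def verification_file(page, expired_log, expiration):
    """SS3: summarise the modified data into one verification file named by
    the expiration time of the log that was verified."""
    return {"name": f"verification-{expiration.isoformat()}.json",
            "expiration": expiration.isoformat(),
            "modified": modified_data(page, expired_log)}


def verification_files(page, logs_by_date):
    """SS4: one verification file per expired log, in expiration-date order."""
    return [verification_file(page, log, day)
            for day, log in sorted(logs_by_date.items())]


# Constructed sample data: the page as stored now, and two expired logs.
PAGE = {"h1#title": "Welcome", "p#intro": "Hello there",
        "a#login": "Sign in", "p#promo": "New offer"}
EXPIRED_LOGS = {
    date(2024, 1, 14): {"h1#title": "Welcome", "p#intro": "Hello world",
                        "a#login": "Sign in"},
    date(2024, 1, 15): {"h1#title": "Welcome", "p#intro": "Hello world",
                        "a#login": "Sign in", "p#promo": "New offer"},
}


def example_files():
    """Verification files for the constructed page and logs."""
    return verification_files(PAGE, EXPIRED_LOGS)


if __name__ == "__main__":
    for vf in example_files():
        print(vf["name"],
              [(m["rendering_form"], m["kind"]) for m in vf["modified"]])
```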
The data acquisition and analysis module acquires the operations of an access user on the basic layout and text data of the WEB front-end page. It generates a data acquisition instruction and transmits it to the log module and to the verification module; the log module receives the data acquisition instruction and forwards it to the operation log unit, and the operation log unit then transmits the operation data it has regularly recorded of the access user on the basic layout and text data of the WEB front-end page to the data acquisition and analysis module;
the data acquisition and analysis module also acquires the stored verification file data;
after receiving the operation data on the basic layout and text data of the WEB front-end page from the log module and the verification file data from the verification module, the data acquisition and analysis module samples and analyses the operation data and the verification file data by the following steps:
step one: select the data of one rendering form in the verification data as the data to be sampled;
step two: divide one data period into n data segments of equal duration and mark the n data segments of one data period as L1, L2, ..., Ln in sequence;
taking one data segment as an example, obtain in turn the number of modifications of the data to be sampled in that data segment in each of t data periods, and mark them M1, M2, ..., Mt,
where the t data periods are the t data periods counted back from the current data period; in one embodiment of the invention, one data period is 1 day and one data segment is 1 hour;
step three: calculate with the formula the standard deviation Q of the modification counts Mi of the data to be sampled in the data segment over the t data periods, 1 ≤ i ≤ t;
when Q is greater than the preset value Q1, delete the Mi values in turn in descending order of |Mi-M| and recalculate the residual Q until Q is smaller than the preset Q1, where M is the average number of modifications of the data to be sampled in the data segment over the t data periods, and the Mi are the modification counts that take part in calculating the residual average M;
step four: screen out the average effective modification frequency of the data to be sampled in the data segment over the t data periods;
taking a modification count Mi as an example, obtain in turn the interval between successive modifications of the data to be sampled and mark them Ta, a = 1, 2, ..., Mi-1; also obtain in turn the IP value corresponding to each of the Mi modifications of the data to be sampled in the data segment over the t data periods;
calculate the effective modification interval T with the formula T = |Tb-T0|; when T is greater than 0, delete the Ta values in turn in descending order of |Ta-T0| and recalculate the remaining T until T is less than 0, where T0 is the preset threshold on the interval between two modifications, 1 ≤ b ≤ Mi-1, and Tb are the effective intervals of the Mi modifications of the data to be sampled in the data segment over the t data periods;
calculate the effective modification frequency Vc for a modification count Mi of the data to be sampled in the data segment over the t data periods with the formula Vc = Mb/(T1+T2+...+Tb), where 1 ≤ c ≤ i and Mb is the number of modifications of the data to be sampled in the data segment over the t data periods;
obtain in turn the effective modification frequency Vi for each modification count Mi of the data to be sampled in the data segment over the t data periods;
calculate the average effective modification frequency V of the data to be sampled in the data segment over the t data periods with the formula V = (V1+V2+...+Vi)/i;
step five: obtain the weight d1 of the data to be sampled in the data segment over the t data periods;
obtain the size D1 of the data to be sampled and the overall size D of the verification data;
use the formula d1 = (D1/D) × 100%;
step six: calculate the risk coefficient g1 of the data to be sampled in the data segment over the t data periods with the formula g1 = V × d1 × f, where f is a preset coefficient;
step seven: obtain in turn the risk coefficients g1, g2, ..., gn of the data to be sampled in the n data segments over the t data periods by repeating steps two to six;
step eight: calculate the risk coefficient average value g of the data to be sampled in the n data segments over the t data periods with the formula g = (g1+g2+...+gn)/n;
the data acquisition and analysis module generates an access right instruction according to the risk coefficient average value g of the data to be sampled and transmits it to the access right judging module. The access right judging module stores and updates the access right level of the data for an access user and comprises a right database; the right database stores the data of each rendering form in the WEB front-end page, and the right level of the data of every rendering form is level 1 by default. The right database holds three right levels, level 1, level 2 and level 3: level 1 data may be freely modified, level 2 data may not be modified, and level 3 data may neither be modified nor have other data inserted into it.
The access right judging module receives the risk coefficient average value g of the data to be sampled from the data acquisition and analysis module and judges the right level from g as follows:
if g < G-20%, the access right of the data is judged to be level 1: the access right judging module generates an access right cooperative instruction and transmits it to the right database, the right database looks up the data and changes its access right to level 1, and the access right judging module transmits the access right level of the data to the data protection module;
if G-20% ≤ g ≤ G+20%, the access right of the data is judged to be level 2: the access right judging module generates an access right cooperative instruction and transmits it to the right database, the right database looks up the data and changes its access right to level 2, and the access right judging module transmits the access right level of the data to the data protection module;
if g > G+20%, the access right of the data is judged to be level 3: the access right judging module generates an access right cooperative instruction and transmits it to the right database, the right database looks up the data and changes its access right to level 3, and the access right judging module transmits the access right level of the data to the data protection module;
where G is a preset data risk coefficient threshold.
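The following is an added worked example, not code from the patent, covering steps one to eight of the risk coefficient calculation and the three-level judgment against G (both as given in the Disclosure and as repeated here). It implements one reading of the steps under stated assumptions: Q is the population standard deviation with M recomputed after every removal; an interval Ta is discarded while it lies farther than T0 from T0 (taken as the stop condition of the "until T is less than 0" loop); Mb is the number of effective intervals; and "G-20%" means 0.8 × G. The parameters Q1, T0, f, D1, D, G and the modification timestamps are all constructed.

```python
"""Risk coefficient average g (steps one to eight) and access right level.

Added worked example, not code from the patent.  Assumptions: population
standard deviation for Q (M recomputed after each removal); an interval is
dropped while it is farther than T0 from T0; Mb = number of effective
intervals; 'G-20%' read as 0.8*G.  All inputs below are constructed.
"""
from statistics import mean, pstdev


def kept_periods(periods, q1):
    """Step three: indices of the data periods whose modification count Mi
    survives.  While Q > Q1, drop the period whose Mi is farthest from M."""
    kept = list(range(len(periods)))
    while len(kept) > 1:
        counts = [len(periods[i]) for i in kept]
        if pstdev(counts) <= q1:
            break
        m = mean(counts)
        kept.remove(max(kept, key=lambda i: abs(len(periods[i]) - m)))
    return kept


def effective_intervals(times, t0):
    """Step four: intervals Ta between successive modifications, trimmed in
    descending order of |Ta - T0| while the largest |Ta - T0| exceeds T0."""
    times = sorted(times)
    intervals = [later - earlier for earlier, later in zip(times, times[1:])]
    while intervals and max(abs(ta - t0) for ta in intervals) > t0:
        intervals.remove(max(intervals, key=lambda ta: abs(ta - t0)))
    return intervals


def effective_frequency(times, t0):
    """Vc = Mb / (T1 + T2 + ... + Tb); zero when no effective interval remains."""
    tb = effective_intervals(times, t0)
    return len(tb) / sum(tb) if tb else 0.0


def segment_risk(periods, q1, t0, d1, f):
    """Steps three to six for one data segment: V is the average effective
    frequency over the kept periods and g1 = V x d1 x f.
    periods[i] holds the modification timestamps (seconds) in period i."""
    freqs = [effective_frequency(periods[i], t0)
             for i in kept_periods(periods, q1)]
    v = mean(freqs) if freqs else 0.0
    return v * d1 * f


def risk_coefficient(segments, size_d1, total_size_d, q1, t0, f):
    """Steps five, seven and eight: d1 = D1/D, g1..gn per segment, g = mean."""
    d1 = size_d1 / total_size_d
    return mean(segment_risk(seg, q1, t0, d1, f) for seg in segments)


def access_level(g, threshold_g):
    """Level 1 below G-20%, level 3 above G+20%, level 2 in between."""
    if g < 0.8 * threshold_g:
        return 1
    if g > 1.2 * threshold_g:
        return 3
    return 2


# Constructed input: two hourly segments, t = 4 daily periods each; each
# inner list holds the seconds at which the sampled text was modified.
# The fourth period of the first segment is a burst that step three trims.
SEGMENTS = [
    [[0, 30, 60, 90], [0, 40, 80], [0, 50, 100, 150], list(range(0, 200, 10))],
    [[0, 600], [0], [], [0, 100]],
]
PARAMS = dict(size_d1=400, total_size_d=2000, q1=2.0, t0=60, f=1.0)
THRESHOLD_G = 0.003


def example_score():
    """Returns (g, level) for the constructed input."""
    g = risk_coefficient(SEGMENTS, **PARAMS)
    return g, access_level(g, THRESHOLD_G)


if __name__ == "__main__":
    g, level = example_score()
    print(f"g = {g:.6f}, access right level = {level}")
```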
The data protection module protects the data according to its access right level and comprises a locking unit; after receiving the access right level of the data from the access right judging module, the data protection module protects the data by the following steps:
SSSS1: when the access right level received by the data protection module is level 1, the data protection module performs no processing;
SSSS2: when the access right level received by the data protection module is level 2, the data protection module generates a locking instruction and transmits it to the locking unit, the locking unit locks the data so that access users cannot modify it, the data protection module transmits the locked data to the rollback unit, and the rollback unit replaces the locked data with the originally stored data;
SSSS3: when the access right level received by the data protection module is level 3, the data protection module generates a locking instruction and transmits it to the locking unit, the locking unit locks the data so that access users can neither modify it nor insert other data into it, the data protection module transmits the locked data to the rollback unit, and the rollback unit replaces the locked data with the originally stored data.
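The following is an added worked example of the data protection steps SSSS1 to SSSS3 together with the rollback steps s1 to s4 (both stated in the Disclosure and repeated here); it is not code from the patent. It assumes page data is an ordered list of (rendering form, text) pairs, that the rollback unit's permanent copy is the "originally stored data" the locked entry is reverted to, and that access users act through the hypothetical `modify()` and `insert_after()` calls, which return whether the operation was allowed.

```python
"""Data protection module with locking unit and rollback unit.

Added worked example, not code from the patent.  Assumptions: page data is
an ordered list of (rendering form, text); locking at level 2 or 3 reverts
the entry to the rollback unit's permanent copy; modify()/insert_after()
are hypothetical entry points for access-user operations.
"""
from copy import deepcopy


class ProtectedPage:
    def __init__(self, stored):
        self.permanent = deepcopy(stored)          # rollback unit, permanent copy
        self.temporary = deepcopy(stored)          # WEB temporary text memory
        self.level = {form: 1 for form, _ in stored}   # level 1 by default
        self.audit = []                            # operation log unit entries

    def _index(self, form):
        return next(i for i, (f, _) in enumerate(self.temporary) if f == form)

    def apply_level(self, form, level):
        """SSSS1: level 1 does nothing.  SSSS2/SSSS3: lock the data and let
        the rollback unit replace it with the originally stored text."""
        self.level[form] = level
        if level >= 2:
            original = dict(self.permanent)[form]
            self.temporary[self._index(form)] = (form, original)
            self.audit.append(("lock", form, level))

    def modify(self, user, form, text):
        """Level 2 and level 3 both forbid modification by access users."""
        allowed = self.level[form] < 2
        self.audit.append(("modify", user, form, allowed))
        if allowed:
            self.temporary[self._index(form)] = (form, text)
        return allowed

    def insert_after(self, user, form, new_form, text):
        """Only level 3 also forbids inserting other data next to the entry."""
        allowed = self.level[form] < 3
        self.audit.append(("insert", user, new_form, allowed))
        if allowed:
            self.temporary.insert(self._index(form) + 1, (new_form, text))
            self.level[new_form] = 1
        return allowed

    def rollback(self):
        """s2 to s4: regenerate the temporary memory from the permanent copy;
        the first processor is assumed to call this at the set time (00:00)."""
        self.temporary = deepcopy(self.permanent)
        self.audit.append(("rollback",))
        return self.temporary


def example_run():
    """Constructed scenario: a free edit, then locking at level 2 and 3."""
    page = ProtectedPage([("h1#title", "Welcome"), ("p#intro", "Hello world")])
    page.modify("alice", "p#intro", "Hello there")      # level 1: allowed
    page.apply_level("p#intro", 2)                      # lock and revert
    m2 = page.modify("bob", "p#intro", "Changed again")         # refused
    i2 = page.insert_after("bob", "p#intro", "p#promo", "New offer")  # allowed
    page.apply_level("p#intro", 3)
    i3 = page.insert_after("bob", "p#intro", "p#extra", "More")  # refused
    after_rollback = page.rollback()                    # p#promo disappears
    return {"m2": m2, "i2": i2, "i3": i3,
            "after_rollback": after_rollback, "audit": page.audit}


if __name__ == "__main__":
    for entry in example_run()["audit"]:
        print(entry)
```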
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing is merely illustrative and explanatory of the invention, as various modifications and additions may be made to the particular embodiments described, or in a similar manner, by those skilled in the art, without departing from the scope of the invention or exceeding the scope of the invention as defined in the claims.
The foregoing describes one embodiment of the present invention in detail, but the description is only a preferred embodiment of the present invention and should not be construed as limiting the scope of the invention. All equivalent changes and modifications within the scope of the present invention are intended to be covered by the present invention.