CN117494163A

Movatterモバイル変換

Info

Publication number: CN117494163A
Application number: CN202311462586.9A
Authority: CN
Inventors: 吴毅君
Original assignee: Shenzhen Dr Ma Network Technology Co ltd
Current assignee: Shenzhen Dr Ma Network Technology Co ltd
Priority date: 2023-11-06
Filing date: 2023-11-06
Publication date: 2024-02-02
Anticipated expiration: 2043-11-06
Also published as: CN117494163B

Abstract

The invention discloses a method and a device for data service based on security rules, comprising the following steps: defining a series of security rules, wherein the security rules comprise access control rules and data encryption rules; receiving a data service request of a user, wherein the data service request comprises operations of data query and data modification; according to the security rule, verifying the data service request, wherein the verification comprises user identity verification, access right verification and data encryption and decryption, and obtaining a verification result; according to the verification result, executing the corresponding data service request, obtaining an execution result, and performing data access control and data encryption and decryption according to the security rule in the execution process; and returning the execution result to the user, and recording the related security log and audit information. The safety protection and control of the user data are realized.

Description

Data service method and device based on security rules

Technical Field

The present invention relates to the field of computer networks, and in particular, to a method and apparatus for data services based on security rules.

Background

With the development of the internet and big data technology, data services are widely used in various fields. However, due to the sensitivity and importance of data, data services face security risks and threats of privacy disclosure. To protect the security of user data, one typically defines a series of security rules, such as access control rules, data encryption rules, and the like. However, existing data service methods often fail to effectively apply and execute these security rules.

Patent application document with application number of CN201110362878 discloses a data service request response method and a design method of a data service protocol stack, wherein the method comprises the following steps: the service requester encapsulates the service index parameters into a SOAP data packet; the service request party sends the encapsulated SOAP data packet to the service provider, so that the service provider can obtain a service inquiry instruction after analyzing and processing the SOAP data packet or the HTTP data packet, and obtain service data from the database. Drawbacks of this approach include: SOAP is a relatively complex protocol that requires parsing and generating XML structures, which can lead to increased complexity in development and maintenance; since SOAP messages are typically XML-based, they are larger than other lightweight formats (e.g., JSON), resulting in greater network transport overhead and parsing time; debugging may be more difficult due to the complexity of SOAP messages, especially when complex data structures and namespaces are involved.

Accordingly, there is a need for a method and apparatus for providing a security rule-based data service.

Disclosure of Invention

The invention provides a method and a device for data service based on a security rule, which are used for solving the problem that the data service is widely applied in various fields along with the development of the Internet and big data technology in the prior art. However, due to the sensitivity and importance of data, data services face security risks and threats of privacy disclosure. To protect the security of user data, one typically defines a series of security rules, such as access control rules, data encryption rules, and the like. However, existing data service methods often fail to effectively apply and implement the above-described problems of these security rules.

In order to achieve the above purpose, the present invention provides the following technical solutions:

a method of security rule based data services, comprising:

s101: defining a series of security rules, wherein the security rules comprise access control rules and data encryption rules;

s102: receiving a data service request of a user, wherein the data service request comprises operations of data query and data modification;

s103: according to the security rule, verifying the data service request, wherein the verification comprises user identity verification, access right verification and data encryption and decryption, and obtaining a verification result;

s104: according to the verification result, executing the corresponding data service request, obtaining an execution result, and performing data access control and data encryption and decryption according to the security rule in the execution process;

s105: and returning the execution result to the user, and recording the related security log and audit information.

Wherein, the step S101 includes:

s1011: extracting a first security feature from the security requirement, classifying the first security feature, and obtaining a plurality of security categories;

s1012: constructing a class-rule template library, determining a corresponding rule template according to the security class, and associating with the first security feature;

S1013: customizing a first security rule for the first security feature according to the associated rule template, wherein the first security rule comprises: access control rules and data encryption rules;

s1014: configuring an access control rule, determining the access authority of a specific user or user group in a set range, configuring a data encryption rule, and determining a data encryption method and a key management strategy;

s1015: and integrating the customized and configured first security rules to form a complete security rule set, and executing corresponding access control and data encryption operations according to the security rule set when the system performs security verification.

Wherein receiving a data service request of a user comprises:

receiving a data service request of a user, and analyzing query parameters submitted by the user to obtain a plurality of first query features when the data service request is a data query request;

inquiring a preset data-feature library, determining a first data item corresponding to a first inquiring feature, and associating with a data inquiring request;

returning a query result to the user according to the associated first data item;

when the data service request is a data modification request, analyzing modification parameters submitted by a user to obtain a plurality of first modification features and modification values corresponding to the first modification features;

Inquiring a preset data-feature library, determining a second data item corresponding to the first modification feature, and associating with the data modification request;

performing an update operation on the second data item according to the associated second data item and the modification value;

in the data updating process, based on a preset data integrity checking model, carrying out integrity checking on updating operation, and ensuring the consistency and accuracy of data;

taking the updated second data item as a modification result, and returning modification feedback to the user;

for each data service request, a request log of the user is recorded, including request type, request time and request result, for subsequent data service analysis and optimization.

Wherein verifying the data service request according to the security rules comprises:

acquiring user identity information of a user, wherein the user identity information comprises: a user ID and a user password;

inquiring a preset user-identity library, and determining a preset password corresponding to the user ID;

comparing the user password with a preset password, if the user password is consistent with the preset password, passing the authentication of the user, otherwise, rejecting the data service request;

when the identity of the user passes the authentication, the request type corresponding to the data service request is acquired, wherein the request type comprises: a data query request and a data modification request;

Inquiring a preset user-authority library, and determining the authority type corresponding to the user, wherein the authority type comprises the following steps: querying rights and modifying rights;

comparing the request type with the permission type, if the request type is consistent with the permission type, verifying the access permission of the user, otherwise, rejecting the data service request;

when the access authority of the user passes the verification, acquiring the data content in the data service request;

according to a preset data encryption and decryption rule, performing decryption operation on the data content to obtain decrypted data;

in the data decryption process, based on a preset data integrity check model, carrying out integrity check on decryption operation, and ensuring consistency and accuracy of data;

taking the decrypted data as a verification result, and returning verification feedback to the user;

for each data service request, a request log of the user is recorded, including request type, request time and verification result, for subsequent data service analysis and optimization.

And executing the corresponding data service request according to the verification result, wherein the method comprises the following steps:

receiving a verification result of a user, wherein the verification result comprises: an authentication state and an access right authentication state;

when the authentication state is passed and the access right authentication state is passed, acquiring a data service request of the user, wherein the data service request comprises: a data query request and a data modification request;

Acquiring a preset execution rule set, wherein the execution rule set comprises: a plurality of first execution rules;

determining a corresponding first execution rule according to the data service request;

acquiring at least one execution scene and a plurality of first historical execution records corresponding to a first execution rule;

determining a first safety value corresponding to an execution scene based on a preset execution scene-safety value library, and associating with a first execution rule;

accumulating and calculating a first safety value associated with the first execution rule to obtain a first safety value sum;

pre-screening the data content in the data service request to obtain second data content;

extracting a plurality of first features of the second data content;

acquiring a preset data security feature library, matching the first feature with a second feature in the data security feature library, and taking the matched second feature as a third feature if the matching is met;

determining a second safety value corresponding to a third feature based on a preset feature-safety value library, and associating with the first execution rule;

accumulating and calculating a second safety value associated with the first execution rule to obtain a second safety value sum;

if the sum of the first safety value is greater than or equal to a preset first safety value and a preset threshold value and the sum of the second safety value is greater than or equal to a preset second safety value and a preset threshold value, allowing the execution of the data service request;

In the process of executing the data service request, performing data access control operation according to a preset data access control rule;

meanwhile, according to a preset data encryption and decryption rule, encrypting or decrypting the data content;

and completing the execution of the data service request and obtaining an execution result.

Wherein, return the execution result to the user, including:

analyzing an execution result based on a preset result analysis model to obtain key execution information;

returning the execution result to the user;

screening the key execution information to obtain safety key information;

based on a preset safety log model, converting the safety key information into safety log entries, and storing the safety log entries in a preset safety log database;

meanwhile, converting key execution information into audit information items based on a preset audit information model;

acquiring the current execution time, the identity information of the user and the execution environment information, and correlating with the audit information items to form a complete audit record;

storing the complete audit record in a preset audit database;

in the storage process, according to a preset data protection strategy, encrypting and protecting the safety log entry and the audit record;

And (3) finishing the recording of the security log and the audit information, and ensuring the transparency and traceability of the execution process.

Wherein obtaining a plurality of first query features comprises:

receiving a data service request of a user, and determining the request as a data query request;

based on a preset request analysis model, carrying out deep analysis on the data query request to obtain key query information;

splitting the key query information into a plurality of query parameter items;

carrying out attribute identification on the query parameter items, and determining the data type, the data range and the data source of each query parameter item;

performing feature extraction on the query parameter items based on a preset feature extraction model to obtain a plurality of first query features;

meanwhile, a preset feature association library is obtained, and the first query feature is matched with the second query feature in the feature association library;

if the matching is successful, associating the corresponding first query feature with the second query feature to form an associated feature group;

optimizing the associated feature group, removing redundant features and ensuring query efficiency;

and taking the optimized association feature set as a final query feature to finish the feature acquisition process.

The method for screening the key execution information to obtain the safety key information comprises the following steps:

Screening the key execution information based on a preset second feature extraction template to obtain safety key information, and storing the screened safety key information in a safety database for subsequent inquiry and analysis when the screened safety key information meets preset safety standards.

An apparatus for a security rule-based data service, comprising:

the security rule definition module is used for defining a series of security rules, wherein the security rules comprise access control rules and data encryption rules;

the data service request receiving module is used for receiving a data service request of a user, wherein the data service request comprises operations of data query and data modification;

the security rule verification module is used for verifying the data service request according to the security rule, wherein the verification comprises user identity verification, access right verification and data encryption and decryption, and a verification result is obtained;

the data service execution module is used for executing the corresponding data service request according to the verification result, acquiring an execution result, and performing data access control and data encryption and decryption according to the security rule in the execution process;

and the response module is used for returning the execution result to the user and recording related security logs and audit information.

Wherein the security rule definition module comprises:

the security rule defines a first sub-module, which is used for extracting a first security feature from security requirements, classifying the first security feature and obtaining a plurality of security categories;

the security rule definition second sub-module is used for constructing a category-rule template library, determining a corresponding rule template according to the security category and correlating with the first security feature;

the security rule defines a third sub-module for customizing a first security rule for the first security feature according to the associated rule template, wherein the first security rule comprises: access control rules and data encryption rules;

the security rule definition fourth sub-module is used for configuring the access control rule, determining the access authority of a specific user or user group in a set range, configuring the data encryption rule and determining the encryption method and key management strategy of the data;

and the security rule definition fifth submodule is used for integrating the customized and configured first security rules to form a complete security rule set, and when the system performs security verification, corresponding access control and data encryption operations are executed according to the security rule set.

Compared with the prior art, the invention has the following advantages:

A method of security rule based data services, comprising: defining a series of security rules, wherein the security rules comprise access control rules and data encryption rules; receiving a data service request of a user, wherein the data service request comprises operations of data query and data modification; according to the security rule, verifying the data service request, wherein the verification comprises user identity verification, access right verification and data encryption and decryption, and obtaining a verification result; according to the verification result, executing the corresponding data service request, obtaining an execution result, and performing data access control and data encryption and decryption according to the security rule in the execution process; and returning the execution result to the user, and recording the related security log and audit information. The method and the device have the advantages that safety protection and control of user data are realized, an administrator and a user can define and configure safety rules according to specific requirements, safety and reliability of data service are ensured, and meanwhile, the method and the device have flexibility and expandability and are suitable for various data service scenes and requirements.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

The technical scheme of the invention is further described in detail through the drawings and the embodiments.

Drawings

The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:

FIG. 1 is a flow chart of a method for a security rule based data service in an embodiment of the present invention;

FIG. 2 is a flow chart of defining a series of security rules in an embodiment of the present invention;

fig. 3 is a block diagram of an apparatus for a data service based on security rules in an embodiment of the present invention.

Detailed Description

The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.

The embodiment of the invention provides a data service method based on a security rule, which comprises the following steps:

The working principle of the technical scheme is as follows: defining a series of security rules, including access control rules and data encryption rules, wherein the security rules are customized and configured according to specific requirements, such as limiting specific users to access specific data only, requiring sensitive data to be encrypted, and the like; receiving a data service request of a user, wherein the data service request comprises operations of data query and data modification, and the user sends the data service request to a system through an interface provided by the system; according to the security rules, the data service request is verified, wherein the verification comprises user identity verification, access right verification and data encryption and decryption, for example, the user is subjected to identity verification, and the legality of the user is ensured; verifying the access right of the user to ensure that the user is authorized to perform corresponding operation; the related data is encrypted and decrypted, so that the safety of the data is ensured;

Acquiring a verification result, executing a corresponding data service request according to the verification result, wherein the verification result comprises verification passing or verification failure, and executing data service operation requested by a user if the verification passing; if the verification fails, refusing to execute the data service operation requested by the user, and returning corresponding error information;

executing a data service request, and performing data access control and data encryption and decryption according to a security rule, for example, limiting the access authority of a user to data according to the access control rule to ensure that only an authorized user can access specific data; the sensitive data is encrypted and decrypted according to the data encryption rule, so that the confidentiality of the data is ensured; and returning the execution result to the user, and recording the related security log and audit information. And returning the execution result to the user to enable the user to know the operation result. Meanwhile, security logs and audit information are recorded, including operation behaviors, access time, access results and the like of the user, so that subsequent security monitoring and audit analysis can be facilitated.

Assuming that the security rule requires access control to a specific data table, only an administrator user can perform data modification operation, other users can only perform data query operation, and meanwhile, sensitive fields in the data table are required to be encrypted and stored; the user A sends a data query request to query the data in the data table, the system firstly performs identity verification on the user, confirms that the user A is a legal user, then verifies the access authority of the user, judges that the user A only has the data query authority according to the security rule, and after the verification passes, the system executes the data query operation to obtain a query result and returns the result to the user A; the user B sends a data modification request to request for modifying the data in the data table, the system performs identity verification on the user, confirms that the user B is a legal user, then verifies the access authority of the user, judges that the user B does not have the data modification authority according to the security rule, fails in verification, refuses to execute the data modification request of the user B, and returns corresponding error information; in the process of executing the data service request, the system performs data access control and data encryption and decryption operations according to the security rule, for example, the system limits the access authority of the user according to the access control rule, so that only the administrator user can perform data modification operation; the system encrypts and stores the sensitive fields according to the data encryption rule, so that the confidentiality of the data is ensured; by recording the security log and audit information, the system can monitor the user's operational behavior and discover timely abnormal behavior or security events, for example, the system records the data query operation of user a, including access time, data range of query, etc., for subsequent security audit and analysis.

The beneficial effects of the technical scheme are as follows: the security rules are defined, and corresponding verification, control and encryption operations are carried out, so that the security of the data and the system of the user is protected; through user identity verification and access authority verification, it is ensured that only legal users and persons with corresponding authorities can perform data service operation, and unauthorized access and data leakage are prevented; the sensitive data is encrypted and stored through a data encryption rule, so that the confidentiality of the data is ensured, and the sensitive data is prevented from being illegally acquired; the security log and audit information are recorded, so that the security of the system can be monitored and tracked, security events can be found and dealt with in time, and the security of the system is improved.

In another embodiment, the step S101 includes:

The working principle of the technical scheme is as follows: extracting a first security feature from the security requirements, classifying the first security feature to obtain a plurality of security categories, wherein the security feature is data, functions or other security requirements to be protected in the system; constructing a class-rule template library, determining a corresponding rule template according to the security class, and associating with the first security feature; the rule template is a predefined set of security rules for meeting specific security requirements; customizing a first security rule for a first security feature according to an associated rule template, wherein the first security rule comprises an access control rule and a data encryption rule, the access control rule is used for limiting the access authority of a specific user or a user group, and the data encryption rule is used for determining an encryption method and a key management strategy of data; configuring an access control rule, and determining the access authority of a specific user or user group in a set range, for example, only distributing the modification authority of a certain data table to an administrator user group; configuring a data encryption rule, determining an encryption method and a key management strategy of data, for example, encrypting sensitive data by using an AES encryption algorithm, and periodically replacing a key by adopting a key rotation strategy; and integrating the customized and configured first security rules to form a complete security rule set, and executing corresponding access control and data encryption operations according to the security rule set when the system performs security verification.

Assuming that the first security feature extracted from the security requirement is access control and data encryption of a certain data table, the security feature can be classified into an access control class and a data encryption class according to the classification of the security class; when a class-rule template library is constructed, the rule templates of the access control class can be defined as 'only allowing the administrator user group to carry out data modification operation', and the rule templates of the data encryption class are defined as 'carrying out AES encryption storage on sensitive fields'; the first security rule is customized for the first security feature according to the associated rule template. For example, according to the rule template of the access control class, the modification authority of the data table is only allocated to the administrator user group; AES encryption storage is carried out on the sensitive fields according to the rule templates of the data encryption categories; when the access control rule is configured, the access authority of a specific user or user group in the range can be set, for example, the modification authority of the data table is only allocated to the user group named as 'admin'; when the data encryption rule is configured, the encryption method and the key management strategy of the data can be determined, for example, an AES encryption algorithm is used for encrypting the sensitive field, and a strategy of replacing the key once every month is adopted; and integrating the customized and configured first security rules to form a complete security rule set, and executing corresponding access control and data encryption operations according to the security rule set when the system performs security verification.

The beneficial effects of the technical scheme are as follows: by classifying and associating the security features, corresponding security rules can be customized and configured according to specific security requirements, so that the requirements of different security requirements are met; by constructing a category-rule template library, a corresponding rule template can be determined according to the security category, so that the reusability and expandability of the security rule are improved; by configuring the access control rule and the data encryption rule, the access authority of a specific user or a user group, the encryption method of the data and the key management strategy can be determined, and the configuration process of the security rule is simplified; by executing access control and data encryption operation in the security rule set, data and functions in the system can be protected, and the security of the system is improved.

In another embodiment, receiving a data service request of a user includes:

The working principle of the technical scheme is as follows: receiving a data service request of a user, judging the request type, and if the request type is a data query request, analyzing query parameters submitted by the user to obtain a plurality of first query features; inquiring a preset data-feature library, determining a first data item corresponding to a first inquiring feature, and correlating with a data inquiring request, wherein the data-feature library is a pre-defined mapping relation library of data and features; according to the associated first data item, a query result is returned to the user, wherein the query result can be the data item meeting the query condition or related data information; if the data modification request is the data modification request, analyzing modification parameters submitted by a user to obtain a plurality of first modification features and corresponding modification values; inquiring a preset data-feature library, determining a second data item corresponding to the first modification feature, and associating with the data modification request; performing an update operation on the second data item according to the associated second data item and the modification value, wherein the update operation may be modifying a certain attribute of the data item or replacing the content of the data item in its entirety; in the data updating process, based on a preset data integrity checking model, carrying out integrity checking on updating operation, wherein the data integrity checking model is a model defining data updating rules and constraints and is used for ensuring the consistency and accuracy of data; taking the updated second data item as a modification result, and returning modification feedback for the user, wherein the modification feedback can be prompt information or error prompt information of successful update; for each data service request, recording a request log of the user, including a request type, a request time and a request result, wherein the request log can be used for subsequent data service analysis and optimization so as to improve the performance and user experience of the system.

Assuming that a user initiates a data query request, wherein the query parameter is 'name=Zhang Sanling', analyzing according to the query parameter to obtain a first query characteristic which is 'name', querying a first data item corresponding to the 'name' in a data-feature library as a user table, querying a data item meeting the query condition according to the associated first data item, and returning a query result which is 'user information with the name of Zhang Sanling'; then, assuming that a user initiates a data modification request, the modification parameters are 'name=Zhang Sanand age=25', according to the analysis of the modification parameters, obtaining first modification characteristics of 'name' and 'age', corresponding modification values of 'Zhang Sanand' 25 ', inquiring second data items corresponding to' name 'in a data-feature library as' user table ', according to the associated second data items and modification values, updating the' name 'and' age 'in the' user table ', and modifying the' name 'to' Zhang Sanand 'age' to '25'; in the data updating process, based on a preset data integrity checking model, checking the updating operation, for example, a checking rule can be that the age is more than or equal to 18 years old, and if the modified value does not meet the rule, an error prompt message is returned; finally, the updated user table is used as a modification result, and modification feedback, such as successful modification of the user information, is returned to the user.

The beneficial effects of the technical scheme are as follows: by analyzing the data service request of the user and associating the data service request with a specific data item, the query and the modification operation of the user can be responded quickly and accurately; the updating operation of the data can be ensured to accord with rules and constraints through a preset data-feature library and a data integrity check model, and the consistency and the accuracy of the data are ensured; by recording the request log of the user, data service analysis and optimization can be performed, the performance and user experience of the system are improved, for example, hot query and modification operations can be found according to the request log, and related data access and processing flows are optimized.

In another embodiment, validating the data service request according to the security rules includes:

The working principle of the technical scheme is as follows: acquiring user identity information of a user, wherein the user identity information comprises a user ID and a user password; inquiring a preset user-identity library, and determining a preset password corresponding to the user ID, wherein the user-identity library is a database or a data structure storing the user ID and the corresponding password; comparing the user password with a preset password, if the user password is consistent with the preset password, passing the authentication of the user, otherwise, rejecting the data service request; when the identity verification of the user passes, acquiring a request type corresponding to the data service request, wherein the request type comprises a data query request and a data modification request; inquiring a preset user-authority library to determine the authority type corresponding to the user, wherein the authority type comprises inquiry authority and modification authority, and the user-authority library is a database or data structure storing user IDs and corresponding authorities; comparing the request type with the permission type, if the request type is consistent with the permission type, verifying the access permission of the user, otherwise, rejecting the data service request; when the access authority of the user passes the verification, acquiring the data content in the data service request; according to a preset data encryption and decryption rule, performing decryption operation on data content to obtain decrypted data, wherein the data encryption and decryption rule is a set of rule sets defining data encryption and decryption algorithms; in the data decryption process, carrying out integrity check on decryption operation based on a preset data integrity check model, so as to ensure consistency and accuracy of data, wherein the data integrity check model is a set of models defining data integrity check rules; taking the decrypted data as a verification result, and returning verification feedback for the user, wherein the verification feedback can be the content of the decrypted data or prompt information of verification failure; for each data service request, recording a request log of the user, including a request type, a request time and a verification result, wherein the request log can be used for subsequent data service analysis and optimization so as to improve the performance and user experience of the system.

Assuming that the user identity information of the user is user ID of 12345, the user password of the user is password123, inquiring a preset user-identity library, determining that the preset password corresponding to the user ID of 12345 is password123, comparing the user password with the preset password, and if the user passwords are consistent, passing the authentication of the user; assuming that the data service request is a data query request, and the authority type corresponding to the user is a query authority, comparing the request type with the authority type, and if the request type is consistent with the authority type, verifying the access authority of the user; assuming that the data content in the data service request is encrypted, performing decryption operation on the data content according to a preset data encryption and decryption rule, and obtaining decrypted data; in the data decryption process, based on a preset data integrity check model, performing integrity check on the decryption operation, for example, a check rule may be to check whether a hash value of the data is consistent with a preset hash value, so as to ensure the integrity and accuracy of the data; finally, the decrypted data is used as a verification result, and verification feedback, such as the decrypted data content, is returned to the user.

The beneficial effects of the technical scheme are as follows: through verifying the user identity and the authority, the data service operation can be ensured only by legal users, and the safety and the credibility of the data are improved; the data is safely transmitted and processed through a data encryption and decryption rule and a data integrity check model, so that the consistency and accuracy of the data are ensured; by recording the request log of the user, the data service analysis and optimization can be performed, the performance and user experience of the system are improved, for example, abnormal access behaviors or permission abuse conditions can be found according to the request log, and corresponding security measures can be timely taken.

In another embodiment, executing the corresponding data service request according to the verification result includes:

extracting a plurality of first features of the second data content;

Meanwhile, according to a preset data encryption and decryption rule, the data content is encrypted or decrypted, and the data encryption and decryption rule defines a mode and an algorithm for encrypting and decrypting the data, for example, for sensitive data, a symmetric encryption algorithm can be used for encrypting; the execution of the data service request is completed, and an execution result is obtained, wherein the execution result can be the execution state of the queried data record or the modification operation, for example, success or failure information of returning the queried data record or the modification operation.

The beneficial effects of the technical scheme are as follows: by adopting the method, the safety and the legality of the data service can be improved, and only legal users can access and operate the data by verifying the identity and the access authority of the users and associating the execution rules with the safety values; through pre-screening and feature matching, the data content can be subjected to security check, illegal data access and tampering are prevented, and the integrity and the credibility of the data are protected; the application of the data access control and the data encryption and decryption rules can further protect the privacy and confidentiality of data and prevent data leakage and unauthorized access; the safety value sum is calculated in an accumulated mode, so that the safety threshold value can be dynamically adjusted according to the history execution record and the safety event condition, and the self-adaptability and the safety of the system are improved; according to the method, personalized security control can be carried out on different types of data service requests according to preset execution rules and security values, and the flexibility and expandability of the system are improved.

In another embodiment, returning the execution result to the user includes:

returning the execution result to the user;

screening the key execution information to obtain safety key information;

storing the complete audit record in a preset audit database;

The working principle of the technical scheme is as follows: analyzing an execution result based on a preset result analysis model to obtain key execution information, wherein the result analysis model is a model for defining analysis rules and key information, for example, key information such as an execution state, execution time, an executor and the like is extracted from the execution result; returning the execution result to the user, and returning the analyzed execution result to the user so that the user can know the result of the execution operation; screening the key execution information to obtain safety key information, and screening information related to safety from the key execution information according to a preset screening rule, for example, screening information related to sensitive data access or authority change; based on a preset safety log model, converting the safety key information into safety log entries and storing the safety log entries in a preset safety log database, wherein the safety log model defines the structure and format of a safety log, for example, the safety key information is converted into the safety log entries comprising fields of time stamps, executors, operation types and the like; meanwhile, key execution information is converted into audit information items based on a preset audit information model, wherein the audit information model defines the structure and format of the audit information, for example, the key execution information is converted into the audit information items comprising fields of time stamps, executors, operation types, execution environments and the like; acquiring the current execution time, the identity information of the user and the execution environment information, associating with an audit information item to form a complete audit record, associating the current execution time, the user identity information and the execution environment information with the audit information item so as to facilitate subsequent audit analysis and tracing, for example, associating the execution time and the executor with the audit information item; storing the complete audit record in a preset audit database, and storing the formed complete audit record in the preset audit database so as to facilitate subsequent audit inquiry and analysis; in the storage process, encrypting and protecting the safety log entries and the audit records according to a preset data protection strategy, and encrypting the safety log entries and the audit records according to the preset data protection strategy to protect confidentiality, for example, encrypting the safety log and the audit records by using a symmetric encryption algorithm; and the record of the safety log and the audit information is completed, the transparency and the traceability of the execution process are ensured, and the transparency and the traceability of the execution process can be ensured by recording the safety log and the audit information, so that the subsequent safety analysis and audit are facilitated.

The beneficial effects of the technical scheme are as follows: by adopting the method, the execution result and key information can be recorded, the transparency and traceability of the execution process are reserved, and safety events can be found and safety analysis can be carried out conveniently; through the storage and encryption protection of the security log and the audit record, the confidentiality of the security information can be protected, and unauthorized access and tampering are prevented; the records and the storage of the security log and the audit record can meet the compliance requirement, and the security audit and compliance check can be conveniently carried out; the tracing and analysis of the security event can be carried out through the association and inquiry of the audit record, so that the security and the response capability of the system are improved; the method can help the organization to discover and deal with the security threat in time, and improves the security and the credibility of the system.

In another embodiment, obtaining a plurality of first query features includes:

splitting the key query information into a plurality of query parameter items;

The working principle of the technical scheme is as follows: receiving a data service request of a user, determining the request as a data query request, and judging whether the request of the user is the data query request according to the type and the format of the request; and carrying out deep analysis on the data query request based on a preset request analysis model to acquire key query information. The request analysis model defines a model for analyzing rules and key information, for example, key information such as query conditions, query targets and the like is extracted from a query request; splitting the key query information into a plurality of query parameter items, and splitting the key query information into a plurality of query parameter items according to the structure and the semantics of the query information, for example, splitting the query condition into a plurality of independent query parameter items; carrying out attribute identification on the query parameter items, determining the data type, the data range and the data source of each query parameter item, carrying out attribute identification on each query parameter item according to a preset attribute identification rule, and determining the data type (such as character strings, numbers, dates and the like), the data range (such as minimum values and maximum values) and the data source (such as user input and system configuration) of each query parameter item;

Performing feature extraction on the query parameter item based on a preset feature extraction model to obtain a plurality of first query features, wherein the feature extraction model defines feature extraction rules and methods, for example, for the query parameter item 'age', a first query feature 'age' can be extracted; meanwhile, a preset feature association library is obtained, the first query feature is matched with the second query feature in the feature association library, the feature association library is a predefined feature association mapping table, for example, the first query feature 'age' is matched with the second query feature 'age' in the feature association library; if the matching is successful, associating the corresponding first query feature with the second query feature to form an associated feature group, for example, associating the first query feature "age" with the second query feature "age" to form an associated feature group "age"; optimizing the associated feature group, removing redundant features, ensuring the query efficiency, optimizing the associated feature group according to a preset optimizing rule, and removing the redundant features so as to improve the query efficiency; and taking the optimized association feature set as a final query feature, completing a feature acquisition process, and taking the association feature set subjected to optimization as a final query feature for subsequent data query operation.

The beneficial effects of the technical scheme are as follows: by adopting the method, the data query request of the user can be deeply analyzed, and the query intention of the user can be accurately understood; through feature extraction and association, the query feature set can be optimized, redundant features are removed, and the query efficiency is improved; the characteristic acquisition process can help the system to better understand the query requirement of the user and provide more accurate and efficient data query service; through optimization processing, the number of query features can be reduced, the complexity of query is reduced, and the performance and response speed of the system are improved; the method can improve the accuracy and efficiency of data query, promote user experience and enhance the usability and competitiveness of the system.

In another embodiment, filtering the key execution information to obtain safety key information includes:

The working principle of the technical scheme is as follows: firstly, the system uses a preset characteristic extraction template which contains specific rules and conditions about the security information and is used for extracting key information from the original data; the system screens the original data according to templates, and only retains data meeting specific characteristics or conditions, wherein the characteristics may include keywords, pattern matching or other structural characteristics of information; in the screening process, the system can identify information meeting specific conditions as safety key information, wherein the information can relate to safety related events such as network attack, abnormal activities, potential threats and the like; the screened safety critical information needs to meet a predetermined safety standard or rule to ensure the authenticity and importance thereof, which may include verifying the source, relevance, risk level, etc. of the information; once the information passes the security criteria check it will be stored in a secure database for subsequent querying, analysis and monitoring, this database typically being subject to strict security control and access rights management.

The beneficial effects of the technical scheme are as follows: the method can help the organization to timely identify and respond to potential security threats, and reduce data leakage, network attack and other security risks; by using a preset template and an automatic flow, manual operation can be reduced, the working efficiency is improved, and the safety analysis is more efficient; information stored in the security database can be traced and audited, which is helpful for understanding the history and evolution of security events; this approach helps organizations meet security compliance requirements, such as GDPR, HIPAA, etc., by recording and monitoring security events and taking appropriate measures to protect sensitive information.

In another embodiment, an apparatus for a security rule based data service, comprises:

The working principle of the technical scheme is as follows: the security rule definition module in the system is used for defining a series of security rules, including access control rules and data encryption rules, and the rules can be customized according to the security requirements and policies of organizations; a data service request receiving module: the system receives data service requests of users, including data inquiry and data modification operations, wherein the requests possibly contain user identity information, operation types, target data and the like; and a security rule verification module: according to the security rule, the system verifies the data service request, the verification process comprises user identity verification, access right verification, data encryption and decryption and the like, and the verification result can determine whether the user is authorized to execute the request operation; and the data service execution module is used for: according to the verification result, the system executes the corresponding data service request, and in the execution process, the system performs data access control and data encryption and decryption operations according to the security rule so as to ensure the security and the integrity of the data; and a response module: the system returns the execution results to the user and records the relevant security logs and audit information, which can be used for subsequent security analysis, traceability and compliance auditing.

The beneficial effects of the technical scheme are as follows: by defining and verifying security rules, the system can ensure that only authorized users can access and modify data, thereby protecting the security and privacy of the data; the system can verify the access authority of the user according to the security rule, prevent unauthorized access and operation, and reduce the risks of data leakage and abuse; through the security rule definition and verification module, the system can encrypt and decrypt sensitive data, so as to protect confidentiality of the data and prevent the data from being stolen or tampered in the transmission and storage processes; the system records the security log and the audit information, can help the organization to trace and analyze the security event, timely discover and deal with the security threat, and simultaneously meet the compliance requirement.

In another embodiment, the security rule definition module includes:

The working principle of the technical scheme is as follows: the security rules define a first sub-module that extracts and classifies a first security feature from the security requirements to obtain a plurality of security categories, which may involve analyzing the security requirements of the system or application, identifying security features related to access control and data encryption; the security rules define a second sub-module: constructing a class-rule template library, determining a corresponding rule template according to the security class, and associating with the first security feature; this step helps the system build a basic framework of security rules; the security rules define a third sub-module: customizing first security rules for the first security feature, including access control rules and data encryption rules, according to an associated rule template, which rules will define how access and data for the particular security feature is protected and managed; the security rules define a fourth sub-module: configuring an access control rule, determining the access authority of a specific user or user group in a set range, configuring a data encryption rule, and determining a data encryption method and a key management strategy, wherein the configuration defines a security strategy according to specific requirements; the security rules define a fifth sub-module: the customized and configured first security rules are integrated to form a complete security rule set, and when the system performs security verification, corresponding access control and data encryption operations are performed according to the security rule set, which ensures that the system processes security features according to predetermined rules at runtime.

The beneficial effects of the technical scheme are as follows: this system allows organizations to customize security rules to meet the requirements of different security categories according to their specific security needs and characteristics; by establishing a rule template library, the system can realize unified management and association security rules, and ensure consistency and maintainability; the configuration and customization module of the system allows accurate control of access rights and data encryption, and improves confidentiality and integrity of data; by executing the security rules, the system can monitor and strengthen security in real time during operation, which is helpful for preventing unauthorized access and data leakage; such a system helps an organization to meet security compliance requirements, such as GDPR, HIPAA, etc., by defining and enforcing standard-compliant security rules.

It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims

1. A method of security rule based data services, comprising:

2. The method of claim 1, wherein the step S101 comprises:

3. A method of security rule based data service according to claim 1, wherein receiving a user's data service request comprises:

4. A method of data service based on security rules as claimed in claim 1, wherein validating a request for data service in accordance with the security rules comprises:

5. The method of claim 1, wherein executing the corresponding data service request according to the verification result comprises:

extracting a plurality of first features of the second data content;

6. The method of claim 1, wherein returning the execution result to the user comprises:

returning the execution result to the user;

screening the key execution information to obtain safety key information;

storing the complete audit record in a preset audit database;

7. A method of security rule based data service according to claim 3, wherein obtaining a plurality of first query features comprises:

splitting the key query information into a plurality of query parameter items;

8. The method of claim 6, wherein filtering the key execution information to obtain the security key information, comprises:

9. An apparatus for a security rule-based data service, comprising:

10. The apparatus for a security rule-based data service of claim 9, wherein the security rule definition module comprises: