Disclosure of Invention
The embodiment of the invention provides a system and equipment for protecting information leakage of a user database based on big data, which can improve the information security.
In a first aspect of an embodiment of the present invention, there is provided a security disclosure protection apparatus for user database information based on big data, including:
The data acquisition module is used for acquiring current data to be transmitted;
the importance analysis module is used for determining the importance of the current data to be transmitted according to the current data type of the current data to be transmitted;
the necessity degree analysis module is used for determining the key updating necessity degree of the current data to be transmitted according to the data importance degree and each key history updating moment;
and the key updating module is used for updating the key of the data to be transmitted currently under the condition that the key updating necessity degree is larger than a preset necessity degree threshold value.
In some possible implementations, the importance analysis module specifically includes the following units:
The first type importance determining unit is used for determining the importance of the target type corresponding to the current data type of the current data to be transmitted based on the target matching relationship, wherein the target matching relationship is used for representing the matching relationship between various data types and the corresponding type importance;
the element acquisition unit is used for acquiring a first transmission data amount of the current data to be transmitted and type difference degree between the current data to be transmitted and the corresponding first historical transmission data in the historical time window, wherein the type difference degree is used for representing the difference condition between the current data type and the first historical data type of the first historical transmission data in the historical time window;
and the data importance determining unit is used for determining the data importance of the data to be transmitted currently by utilizing the target type importance, the first transmission data quantity and the type difference.
In some possible implementations, the importance analysis module further includes the following units:
a data acquisition unit configured to acquire second history transmission data in a target history period;
the second type importance determining unit is used for determining the type importance corresponding to the second historical data type of each batch of second historical transmission data according to the second historical transmission data in the target historical time period;
and the relation generating unit is used for generating a target matching relation based on the type importance degree corresponding to each second historical data type.
In some possible implementations, the second type of importance determining unit specifically includes the following sub-units:
The transmission performance determining subunit is used for determining the transmission performance of each second historical data type according to the starting transmission time and the ending transmission time of each batch of second historical transmission data in the target historical time period;
The type importance determining subunit is configured to determine, for each second historical data type, a type importance of the target historical data type according to a transmission performance of the target historical data type, a single transmission duration of data of the target second historical transmission data, and a second transmission data amount, where the target historical data type is any one second historical data type, and the target second historical transmission data is each batch of second historical transmission data corresponding to the target historical data type.
In some possible implementations, the transmission performance determining subunit is specifically configured to:
Determining the total data transmission time length of the target historical data type and the transmission interval time length between every two adjacent target second historical transmission data according to the starting transmission time and the ending transmission time of each batch of second historical transmission data in the target historical time period;
And determining the transmission performance of the target historical data type by using the total data transmission time length of the target historical data type, the transmission interval time length between every two adjacent target second historical transmission data and the historical total time length of the target historical time period.
In some possible implementations, the type importance determination subunit is specifically configured to:
Determining the calling frequency of the target historical data type according to the single data transmission time length and the second data transmission amount of the target second historical transmission data;
And determining the type importance of the target historical data type by using the transmission expressive degree and the call frequency of the target historical data type.
In some possible implementations, the necessity degree analysis module specifically includes the following units:
The interval duration determining unit is used for determining the average interval duration of updating the key according to each key history updating moment;
The necessity determining unit is used for determining the key updating necessity of the current data to be transmitted according to the data importance and the size relation between the current interval duration and the average interval duration of the current data to be transmitted, wherein the current interval duration is the interval duration between the current time and the time of updating the last key.
In some possible implementations, the interval duration determining unit is specifically configured to:
Determining the duration weight of the key updating time period based on the third transmission data amount in the key updating time period and the type importance of each data type in the key updating time period, wherein the key updating time period is a time period formed between adjacent key history updating moments;
And determining the average interval duration of updating the key by using the time period duration of each key updating time period and the corresponding duration weight.
In some possible implementations, the necessity determining unit is specifically configured to:
determining the necessity degree weight of the current data to be transmitted according to the size relation between the current interval duration and the average interval duration of the current data to be transmitted;
And determining the key updating necessity of the data to be transmitted currently by using the data importance, the necessity weight and the abnormal data duty ratio between the current time and the time of updating the key last time.
In a second aspect of the embodiment of the present invention, a system for protecting information of a user database from disclosure based on big data is provided, including:
the data encryption subsystem is used for encrypting the data to be transmitted of the user database;
the behavior detection subsystem is used for detecting health and abnormality of the data transmission behavior of the user database;
The right control subsystem is used for managing the access right of the data to be transmitted of the user database;
The above-mentioned user database information anti-disclosure protection device based on big data provided in any aspect communicates with the data encryption subsystem, the behavior detection subsystem and the authority control subsystem, respectively.
The beneficial effects of the invention are as follows:
In the user database information anti-disclosure protection device based on big data provided by the embodiment of the invention, the data importance of the current data to be transmitted is analyzed according to the current data type of the current data to be transmitted. And then, determining the key updating necessity of the current data to be transmitted according to the transmission importance of the current data to be transmitted and each key history updating moment. And under the condition that the key updating necessity degree is larger than a preset necessity degree threshold, updating the key of the data to be transmitted currently. In this way, the invention determines the transmission importance of the current data to be transmitted according to the current data type of the current data to be transmitted, and analyzes the necessity of key update at the current time by combining the interval duration of key update under the history condition, thereby determining whether to perform key update according to the necessity of key update. Therefore, the eavesdropping risk and the cracking risk of key updating under the set time period can be avoided, and the information security is improved.
Detailed Description
In order to further describe the technical means and effects adopted by the invention to achieve the preset aim, the following detailed description is given below of a system and a device for protecting the information leakage of the user database based on big data according to the invention, which are specific implementation, structure, characteristics and effects thereof, with reference to the accompanying drawings and preferred embodiments. In the following description, different "one embodiment" or "another embodiment" means that the embodiments are not necessarily the same. Furthermore, the particular features, structures, or characteristics of one or more embodiments may be combined in any suitable manner.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It should be noted that, in the technical scheme of the invention, the acquisition, storage, use, processing and the like of the data all conform to the relevant regulations of laws and regulations.
The current mainstream solution focuses on constructing a data protection barrier by encrypted transmission, while key management is a key element of the system, and the update mechanism directly affects the protection efficiency. Although the conventional periodic key update strategy has implementation convenience, the update mode of the fixed time window objectively forms a predictable security rhythm. The deterministic mode provides a potential breach for an attacker, and the attacker is expected to implement accurate attack at night before the key is invalid through long-term monitoring and mode analysis, so that a periodic fragile window period of a protection system appears, and the risk of data leakage is obviously increased.
The invention aims to provide a system and equipment for preventing leakage of user database information based on big data. In the user database information anti-disclosure protection device based on big data provided by the embodiment of the invention, the data importance of the current data to be transmitted is analyzed according to the current data type of the current data to be transmitted. And then, determining the key updating necessity of the current data to be transmitted according to the transmission importance of the current data to be transmitted and each key history updating moment. And under the condition that the key updating necessity degree is larger than a preset necessity degree threshold, updating the key of the data to be transmitted currently. In this way, the invention determines the transmission importance of the current data to be transmitted according to the current data type of the current data to be transmitted, and analyzes the necessity of key update at the current time by combining the interval duration of key update under the history condition, thereby determining whether to perform key update according to the necessity of key update. Therefore, the eavesdropping risk and the cracking risk of key updating under the set time period can be avoided, and the information security is improved.
The following describes a specific embodiment of a system and a device for protecting user database information from disclosure based on big data.
As shown in fig. 1, a schematic structural diagram of a user database information anti-disclosure protection device based on big data is provided. The big data-based user database information anti-disclosure protection apparatus 100 includes a data acquisition module 110, an importance analysis module 120, a necessity analysis module 130, and a key update module 140.
The data acquisition module 110 is configured to acquire data to be transmitted currently.
In this embodiment, the data to be transmitted currently may come from various sources, such as environmental data collected by the sensor (e.g. temperature, humidity, pressure, etc.), business data generated by the business system (e.g. transaction records, customer information, etc.), file data uploaded by the user, etc.
The current data to be transmitted can be acquired in any one of real-time acquisition, periodic acquisition and event-triggered acquisition. The data acquisition module 110 acquires data with high real-time requirements, such as equipment running state data in industrial production, through a sensor, periodically collects data, such as daily sales data, the data acquisition module 110 can set a timing task and collect the data at a specific time point, and the event trigger collection comprises the step of triggering the data acquisition module 110 to collect the data when a specific event occurs, such as after a user completes a transaction, the system automatically collects related data of the transaction.
The data to be transmitted acquired by the data acquisition module 110 is usually stored in a temporary buffer or data queue, and waits for subsequent processing. This buffer may be a data structure in memory or may be a temporary table in a database.
The importance analysis module 120 is configured to determine the importance of the data to be transmitted according to the current data type of the data to be transmitted.
In this embodiment, the current data type is used to characterize the type to which the data currently to be transmitted belongs. By way of example, the data types may include sensitive data types, general traffic data types, and non-critical data types. The sensitive data types may include personal identity information (name, identification card number, bank card number, etc.), medical data, enterprise core confidential data (business plan, research and development results, etc.), which may cause serious loss to individuals or enterprises once leaked, the general business data types may include general business report forms, daily operation records, etc., which have a certain reference value to business but have relatively low leakage risk, and the non-critical data types may include temporary data for testing, log data with less influence to business, etc.
The importance of the data is used to characterize the importance of the data. For example, the importance analysis module 120 may preset the corresponding importance level according to various data types. For example, the data importance of a sensitive data type is specified as 3 (highest level), the data importance of a general traffic data type as 2, and the data importance of a non-critical data type as 1.
Thus, after the data obtaining module 110 obtains the current data to be transmitted, the importance analyzing module 120 may directly determine the importance of the current data to be transmitted according to the preset matching relationship according to the current data type of the current data to be transmitted.
The necessity degree analysis module 130 is configured to determine the necessity degree of updating the key of the data to be transmitted currently according to the importance degree of the data and each key history updating time.
In this embodiment, the key history update time is used to characterize the time of updating the key in the history process, and the key update necessity is used to characterize the necessity of updating the key corresponding to the data to be transmitted currently.
As one example, the desirability analysis module 130 calculates an average interval duration for updating the keys based on each key history update time. Then, dividing the interval duration between the current time and the time of the last key update by the average interval duration to obtain a target ratio. And calculating a quantized value of the key update necessity through weighted summation according to the target ratio and the data importance.
And the key updating module 140 is configured to update the key of the data to be transmitted currently, if the key updating necessity is greater than a preset necessity threshold.
In this embodiment, the key update module 140 sets the threshold of necessity for key update in advance based on factors such as security requirements and service characteristics. For example, the threshold is set to 0.7, and when the calculated key update necessity is greater than 0.7, the key update operation is triggered.
Specifically, a secure key generation algorithm is first employed, such as generating a new key based on a random number generator, a cryptographic hash function, and the like. The new key should have sufficient randomness and complexity to ensure its security. The new key is then securely distributed to the data sender and receiver. The distribution process can adopt encryption channels, digital certificate authentication and other technologies to ensure confidentiality and integrity of the key in the transmission process. After the data sender and receiver successfully acquire the new key, the old key is replaced with the new key. For the data to be transmitted currently, a key smooth transition mechanism can be adopted to ensure the continuity of data transmission. For example, both old and new key decryption are supported for a period of time, gradually transitioning to using only the new key. Finally, after confirming that the new key is normally used and the old key is no longer needed, the old key is safely destroyed, and the old key is prevented from being maliciously utilized. The destroying mode may be to physically destroy the storage medium (e.g. destroy the hardware security module containing the old key), or to ensure that the old key cannot be recovered by covering, clearing, etc. operations in the software layer.
As an alternative embodiment, the importance analysis module 120 specifically includes the following units:
The first type importance determining unit is used for determining the importance of the target type corresponding to the current data type of the current data to be transmitted based on the target matching relationship, wherein the target matching relationship is used for representing the matching relationship between various data types and the corresponding type importance;
the element acquisition unit is used for acquiring a first transmission data amount of the current data to be transmitted and type difference degree between the current data to be transmitted and the corresponding first historical transmission data in the historical time window, wherein the type difference degree is used for representing the difference condition between the current data type and the first historical data type of the first historical transmission data in the historical time window;
and the data importance determining unit is used for determining the data importance of the data to be transmitted currently by utilizing the target type importance, the first transmission data quantity and the type difference.
In the present embodiment, the target matching relationship is a matching relationship describing various data types and corresponding type importance degrees. For example, the data type and the corresponding type importance may be stored using a hash table structure, where the key is the data type and the value is the corresponding type importance.
The first transmission data amount is used for representing the total amount of data which needs to be transmitted in the user database, namely the total amount of data contained in the current data to be transmitted.
The first historical transmission data is used for representing the historical transmission data in the historical time window, and the first historical data type is used for representing the data type corresponding to the first historical transmission data.
The type difference degree is the difference condition between the current data type of the current data to be transmitted and the first historical data type of the first historical transmission data in the corresponding historical time window. For example, the size of the historical time window may be 5 batches of data to be transmitted before the current data to be transmitted.
As an example, the first type importance determining unit searches the hash table for a corresponding value by using the current data type as a key by using the constructed object matching relationship, thereby the object type importance.
And simultaneously, acquiring 5 batches of data to be transmitted (namely first historical transmission data) before the current data to be transmitted from the user database, determining the number of coincidence types which are the same as the current data type of the current data to be transmitted in the data types (namely first historical data types) of the 5 batches of data to be transmitted, and dividing the number of coincidence types by 5 to obtain the type difference between the current data to be transmitted and the first historical transmission data in the historical time window.
Finally, the data importance determining unit determines the data importance of the current data to be transmitted by using the target type importance, the first transmission data amount, and the type difference through the following formula 1:
Equation 1
In the formula 1 of the present invention,For characterizing the importance of the data to be transmitted for the jth batch,For characterizing the importance of the type of data to be transmitted in the jth batch,A first amount of transmission data for characterizing a j-th batch of data to be transmitted,And the type difference degree between the j-th batch of data to be transmitted and the first historical transmission data in the corresponding historical time window is represented.
The formula 1 mainly utilizes the type importance of the current data to be transmitted in the user database, and combines the first transmission data amount of the current data to be transmitted and whether the type data is transmitted at the moment before the current data to be transmitted, so as to comprehensively determine the data importance of the current data to be transmitted. The greater the importance of the type of the data currently to be transmitted, or the greater the first transmission data amount of the data currently to be transmitted, or the less the data of this type is transmitted at the previous time of the data currently to be transmitted, the greater the importance of the data currently to be transmitted.
According to the method and the device for determining the data importance of the current data to be transmitted, the first data transmission quantity of the current data to be transmitted, the type difference degree between the current data to be transmitted and the first historical transmission data in the corresponding historical time window and the target type importance corresponding to the current data type are combined, the data importance of the current data to be transmitted is comprehensively determined, and the accuracy of the data importance of the current data to be transmitted can be improved, so that the information security is improved.
As an alternative embodiment, the importance analysis module 120 further includes the following units:
a data acquisition unit configured to acquire second history transmission data in a target history period;
the second type importance determining unit is used for determining the type importance corresponding to the second historical data type of each batch of second historical transmission data according to the second historical transmission data in the target historical time period;
and the relation generating unit is used for generating a target matching relation based on the type importance degree corresponding to each second historical data type.
In this embodiment, the target historical time period may be determined according to a service requirement, a data feature analysis, a related rule, or the like. For example, the target history period may be set to last one month if the reference meaning of the recent data transmission pattern to the current data processing is to be analyzed, and to last one year if the long-term trend is concerned.
The second historical transmission data is used for representing the historical transmission data in the target historical time period, and the second historical data type is used for representing the data type corresponding to the second historical transmission data.
As an example, the data acquisition unit acquires the second historical transmission data from the user database using the corresponding query statement or data extraction tool according to the target historical time period.
Then, the second-type importance determining unit analyzes each batch of the second historical transmission data to identify the data type thereof. In particular, this may involve data parsing, e.g., for structured data (e.g., tabular data in a database), the data type may be determined by looking at field definitions and data content, and for unstructured data (e.g., text, images, audio), feature extraction and classification may be required using specific algorithms or tools, e.g., using natural language processing techniques to identify the subject type of the text data, and image recognition techniques to determine the category of the image data.
Then, the second type importance determining unit assigns type importance to different data types according to the service requirement and the importance evaluation criteria. For example, in a medical data transmission scenario, the patient's medical record information data type importance may be set to 9 (full scale 10), while the general health promotion data type importance may be set to 3.
Finally, the relationship generating unit selects the appropriate data structure to store the target matching relationship, thereby storing each second historical data type and its corresponding type importance into the selected data structure. In particular, common data structures may include hash tables, dictionaries, or tables in relational databases.
Through the embodiment, second historical transmission data in a target historical time period is acquired, the type importance of each data type is determined, and a target matching relationship for representing the matching relationship between the data type and the type importance is generated. Therefore, the importance of the target type corresponding to the current data type of the current data to be transmitted can be determined directly according to the target matching relationship, and the determination efficiency of the importance of the target type can be improved.
As an alternative embodiment, the second type of importance determining unit specifically comprises the following sub-units:
The transmission performance determining subunit is used for determining the transmission performance of each second historical data type according to the starting transmission time and the ending transmission time of each batch of second historical transmission data in the target historical time period;
The type importance determining subunit is configured to determine, for each second historical data type, a type importance of the target historical data type according to a transmission performance of the target historical data type, a single transmission duration of data of the target second historical transmission data, and a second transmission data amount, where the target historical data type is any one second historical data type, and the target second historical transmission data is each batch of second historical transmission data corresponding to the target historical data type.
In this embodiment, the transmission performance level is used to characterize the overall transmission performance of the second historical data type over the target historical period. For example, the transmission performance may comprehensively consider factors such as stability, timeliness, and the like of the transmission. For example, the transmission performance may be defined as the ratio of the standard deviation of the transmission duration to the average transmission duration to measure the stability of the transmission, while the timeliness is evaluated in connection with whether the transmission is completed within a specified time.
The single transmission duration of the data is used for representing the duration required for transmitting a batch of target second historical transmission data, and the second transmission data quantity is used for representing the total data quantity contained in the target second historical transmission data.
As one example, the transmission performance determining subunit first obtains a start transmission time and an end transmission time of each batch of second historical transmission data in the target historical period, and calculates a transmission duration of each batch of second historical transmission data.
Then, the average transmission duration and the standard deviation of the transmission durations of all the second historical transmission data of the same data type in the target historical time period are calculated. And calculating the transmission expressive degree of the corresponding second historical data type by utilizing the average transmission time length and the standard deviation of the transmission time length of the second historical transmission data of the same data type according to the defined index.
And the type importance determining subunit acquires the corresponding second historical transmission data amount of each batch of target second historical transmission data according to the target historical data type, calculates the single transmission time length average value of the data, and calculates the corresponding second transmission data amount of each batch of target second historical transmission data to obtain the second transmission data amount average value.
And finally, calculating the type importance of the target historical data type through weighted summation based on the transmission expressive degree of the target historical data type, the average value of the single transmission time length of the data and the average value of the second transmission data quantity.
According to the embodiment, the type importance of the target historical data type is accurately determined according to the transmission performance of the target historical data type, the single data transmission duration of the target second historical transmission data and the second transmission data quantity. Thus, the type importance of each data type can be accurately calculated, and the information security is further improved.
As an alternative embodiment, the transmission performance determining subunit is specifically configured to:
Determining the total data transmission time length of the target historical data type and the transmission interval time length between every two adjacent target second historical transmission data according to the starting transmission time and the ending transmission time of each batch of second historical transmission data in the target historical time period;
And determining the transmission performance of the target historical data type by using the total data transmission time length of the target historical data type, the transmission interval time length between every two adjacent target second historical transmission data and the historical total time length of the target historical time period.
In this embodiment, the total data transmission duration is used to represent the sum of transmission durations of the second historical transmission data of each batch of targets of the target historical data type, and the total historical duration is used to represent the time length of the target historical time period.
The transmission interval duration is used to characterize the duration of the interval between adjacent target second historical transmission data. For example, the transmission interval duration between the target second historical transmission data of the a+1st batch and the target second historical transmission data of the a+1st batch is obtained by subtracting the end transmission time of the target second historical transmission data of the a batch from the start transmission time of the target second historical transmission data of the a batch.
As an example, the transmission performance of the target history data type may be determined specifically by the following equation 2:
Equation 2
In the formula 2 of the present invention,For characterizing the transmission expressive degree of the data type corresponding to the j-th batch of data to be transmitted,For characterizing the total transmission time length of the data corresponding to the data type of the j-th batch of data to be transmitted,A historical total duration for characterizing the target historical time period,And the average value is used for representing the transmission interval duration between the second historical transmission data of each adjacent target of the data type corresponding to the j-th batch of data to be transmitted.
Wherein, theThe time length ratio of the total data transmission time length of the data types corresponding to the j-th batch of data to be transmitted to the total historical time length is used for representing, the larger the time length ratio is, or the shorter the time interval of data transmission of the same data type is, the more frequently the data of the type are called in a user database, namely the larger the corresponding transmission expressive degree is.
According to the method and the device, the transmission performance of the target historical data type can be accurately determined by using the total data transmission time length of the target historical data type, the transmission interval time length between every two adjacent target second historical transmission data and the total historical time length of the target historical time period, so that the calculation accuracy of the type importance can be improved.
As an alternative embodiment, the type importance determination subunit is specifically configured to:
Determining the calling frequency of the target historical data type according to the single data transmission time length and the second data transmission amount of the target second historical transmission data;
And determining the type importance of the target historical data type by using the transmission expressive degree and the call frequency of the target historical data type.
In the present embodiment, the type importance of the target history data type can be determined specifically by the following formula 3:
Equation 3
In the formula 3 of the present invention,For characterizing the type importance of the data type corresponding to the j-th batch of data to be transmitted,And the transmission expressive degree is used for representing the transmission expressive degree of the data type corresponding to the j-th batch of data to be transmitted.The batch number of the target second historical transmission data for representing the corresponding data type of the j-th batch of the data to be transmitted,A data single transmission time length for representing the ith batch of target second historical transmission data of the data type corresponding to the jth batch of data to be transmitted,And the second transmission data quantity is used for representing the second historical transmission data of the ith batch of targets of the data type corresponding to the jth batch of data to be transmitted.
Wherein, theThe method is used for representing the calling frequency of the data type corresponding to the j-th batch of data to be transmitted, namely when data of a certain data type is transmitted for a plurality of times in the transmission process, the time for transmitting the data each time is long, and the data transmission quantity is large, the data of the type is indicated to be called frequently. The greater the call frequency, or the greater the transmission performance, the greater the type importance.
According to the method and the device, the type importance of the target historical data type can be accurately determined by utilizing the transmission performance of the target historical data type and the calling frequency of the target historical data type, so that the calculation accuracy of the type importance is improved, and the information security can be further improved.
As an alternative embodiment, as shown in fig. 2, the necessity degree analysis module 130 specifically includes the following units:
An interval duration determining unit 131, configured to determine an average interval duration of updating the key according to each key history updating time;
the necessity determining unit 132 is configured to determine, according to the data importance, the size relationship between the current interval duration of the current data to be transmitted and the average interval duration, the key update necessity of the current data to be transmitted, where the current interval duration is an interval duration between the current time and the time at which the key is updated last time.
In the embodiment, the average interval duration is used for representing the average interval duration between adjacent updating moments of the key in the history updating process, and the current interval duration is used for representing the interval duration between the current moment and the moment of the last key updating.
As one example, the interval duration determination unit 131 acquires the history update time information of the key from the log record, sorts the collected history update time information, and arranges in time order for subsequent calculation.
Then, the sorted historical update time information is traversed, and the time interval between every two adjacent updates is calculated. And adding the time intervals between all adjacent updates, and dividing the time intervals by the number of the intervals to obtain the average interval duration of updating the key.
Then, the necessity determining unit 132 acquires the current interval duration of the current data to be transmitted, and compares the magnitude relation between the current interval duration and the average interval duration. And determining a calculation rule of the key updating necessity according to the size relation between the current interval duration and the average interval duration.
And finally, determining the key updating necessity degree of the current data to be transmitted by utilizing the data importance degree of the current data to be transmitted according to the calculation rule of the key updating necessity degree.
According to the key updating method and device, the key updating necessity of the current data to be transmitted is accurately calculated by utilizing the data importance of the current data to be transmitted and combining the size relation between the current interval duration and the average interval duration of the current data to be transmitted. Therefore, the calculation accuracy of the key updating necessity degree of the data to be transmitted at present can be improved, so that whether the key is updated or not can be accurately judged according to the key updating necessity degree, and the information security can be improved.
As an alternative embodiment, the interval duration determining unit 131 is specifically configured to:
Determining the duration weight of the key updating time period based on the third transmission data amount in the key updating time period and the type importance of each data type in the key updating time period, wherein the key updating time period is a time period formed between adjacent key history updating moments;
and determining the average interval duration of updating the key by using the time period duration of each key updating time period and the corresponding time duration weight.
In this embodiment, the third transmission data amount is used to characterize the total amount of data transmitted in the key update period, that is, the total amount of data included in the key update period.
The key updating time period is a time period formed between adjacent key history updating moments, and the time period duration of the key updating time period is that the last key history updating moment corresponding to the key updating time period subtracts the previous key history updating moment.
As an example, the duration weight of the key update period may be determined specifically by the following equation 4:
Equation 4
In the formula 4 of the present invention,The duration weight used to characterize the c-th key update period,For characterizing a third amount of transmission data in a c-th key update period,For characterizing the type importance of the data type corresponding to the j-th batch of data to be transmitted,For characterizing the number of data types in the c-th key update period.
The more the transmission data amount in the key updating time period is, or the more the type importance average value in the key updating time period is, the more the duration weight of the key updating time period is. That is, as for the duration weight of the key update period, the greater the amount of data transmitted in the key update period, the greater the importance of the type in the key update period, the weight value of the greater the amount of the key update period is given.
Further, the average interval duration for updating the key may be determined specifically by the following equation 5:
Equation 5
In the formula 5 of the present invention,The average interval duration for characterizing the key updates,The period duration used to characterize the c-th key update period,The duration weight used to characterize the c-th key update period,For characterizing the number of key update time periods,For characterizing the accumulation of the duration weights of the respective key update periods,I.e. the duty cycle of the duration weight characterizing the c-th key update period to the duration weight accumulation value of the respective key update period. According to the embodiment, the average interval duration of updating the key is determined by using the time period duration of each key updating time period and the corresponding duration weight. Therefore, based on the scale of data transmission and the importance degree of the data type in each key updating time period as weights, the average interval duration of updating the key can be more accurately determined, and the accuracy of the follow-up key updating necessity degree can be improved.
As an alternative embodiment, the necessity determining unit 132 is specifically configured to:
determining the necessity degree weight of the current data to be transmitted according to the size relation between the current interval duration and the average interval duration of the current data to be transmitted;
And determining the key updating necessity of the data to be transmitted currently by using the data importance, the necessity weight and the abnormal data duty ratio between the current time and the time of updating the key last time.
In the present embodiment, the abnormal data duty is used to characterize the proportion of the total transmission data in the period constituted at the present time and the time at which the key is updated last. The abnormal data is the data with abnormal phenomena such as data stealing and the like.
As an example, the necessity degree weight of the current data to be transmitted may be determined specifically by the following equation 6:
Equation 6
In the formula 6 of the present invention,For characterizing the necessity weight of the data currently to be transmitted,For characterizing the current interval duration of the current data to be transmitted,The average interval duration used to characterize the key update. s is used to characterize a predetermined constant parameter to avoid zero denominator.
Setting the necessary degree weight of the current data to be transmitted as the difference value between the current interval duration and the average interval duration when the current interval duration is longer than the average interval duration, and setting the necessary degree weight of the current data to be transmitted as the inverse of the sum of the absolute value of the difference value between the current interval duration and the average interval duration and the preset constant parameter when the current interval duration is smaller than or equal to the average interval duration.
The key update necessity of the data to be transmitted currently can be determined specifically by the following formula 7:
Equation 7
In the formula 7 of the present invention,The key update necessary for characterizing the data currently to be transmitted,For characterizing the importance of the data currently to be transmitted,The norm is used for representing the degree of necessity weight of the current data to be transmitted and the norm is used for representing the normalization operation.For characterizing the amount of abnormal data between the current time and the time of last key update,For characterizing the total amount of transmitted data between the current time and the time of last key update,And the abnormal data duty ratio is used for representing the abnormal data duty ratio between the current time and the time of updating the key last time. It should be noted that, in order to ensure that the calculation result is significant, when the denominator is 0 during the calculation of the embodiment of the present application, a parameter adjustment factor greater than 0 needs to be added to the denominator to prevent the denominator from being 0, and the numerical value of the parameter adjustment factor is set by the practitioner according to the actual situation, which is not particularly limited.
According to the key updating method and device, the key updating necessity degree of the data to be transmitted currently can be accurately determined by utilizing the data importance degree, the necessity degree weight and the abnormal data duty ratio between the current time and the time of key updating last time, and therefore whether key updating is performed or not is determined according to the key updating necessity degree. Therefore, the eavesdropping risk and the cracking risk of key updating under the set time period can be avoided, and the information security is improved.
The invention provides a user database information anti-disclosure protection device based on big data. Correspondingly, the invention also provides a specific embodiment of the anti-disclosure protection system for the user database information based on big data.
As shown in fig. 3, a schematic structural diagram of a system for protecting user database information from disclosure based on big data is provided. The system for protecting the information of the user database from disclosure based on big data comprises:
a data encryption subsystem 310, configured to encrypt data to be transmitted in the user database;
The behavior detection subsystem 320 is used for detecting health and abnormality of the data transmission behavior of the user database;
The rights control subsystem 330 is configured to manage access rights of data to be transmitted in the user database;
The big data based user database information anti-disclosure protection device 100 provided in any of the above aspects, where the big data based user database information anti-disclosure protection device 100 communicates with the data encryption subsystem 310, the behavior detection subsystem 320, and the rights control subsystem 330, respectively.
In this embodiment, the data encryption subsystem 310 employs advanced encryption algorithms to encrypt sensitive data in the user database. The choice of encryption algorithm should be based on the importance of the data, the transmission requirements, and the availability of computing resources.
The behavior detection subsystem 320 monitors the data transmission behavior of the user database, including time, frequency, etc., of data transmissions, using big data analysis and machine learning techniques.
The rights control subsystem 330 assigns specific roles for different users or groups of users, each role having different data access rights, thereby enabling fine-grained control of data access, such as read-only, write-in, delete-out, etc., rights, ensuring that only authorized users can perform specific operations. And simultaneously, dynamically adjusting the user permission according to the service requirements, the analysis result of the user behavior or the change of the security policy.
The big data based user database information anti-disclosure protection device 100 is used as a central control node, and communicates with the data encryption subsystem 310, the behavior detection subsystem 320 and the authority control subsystem 330 through a safe and efficient communication protocol, so as to execute the user database information anti-disclosure protection process in the big data based user database information anti-disclosure protection device 100 provided in any aspect.
In the user database information anti-disclosure protection system based on big data provided by the embodiment of the invention, the data importance of the current data to be transmitted is analyzed according to the current data type of the current data to be transmitted. And then, determining the key updating necessity of the current data to be transmitted according to the transmission importance of the current data to be transmitted and each key history updating moment. And under the condition that the key updating necessity degree is larger than a preset necessity degree threshold, updating the key of the data to be transmitted currently. In this way, the invention determines the transmission importance of the current data to be transmitted according to the current data type of the current data to be transmitted, and analyzes the necessity of key update at the current time by combining the interval duration of key update under the history condition, thereby determining whether to perform key update according to the necessity of key update. Therefore, the eavesdropping risk and the cracking risk of key updating under the set time period can be avoided, and the information security is improved.
It should be understood that the invention is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. The method processes of the present invention are not limited to the specific steps described and shown, but various changes, modifications and additions, or the order between steps may be made by those skilled in the art after appreciating the spirit of the present invention.