Search

CN-121980588-A - Network security data privacy protection management system

CN121980588ACN 121980588 ACN121980588 ACN 121980588ACN-121980588-A

Abstract

The invention relates to the technical field of network security, in particular to a network security data privacy protection management system which comprises an execution semantic modeling module, a privacy violation existence judging module, a privacy violation existence proving construction module, an execution structure digestion module, a re-judging module and an audit data generating module. The method comprises the steps of carrying out semantic analysis on an access request by a system to generate an execution semantic intermediate representation, generating structural constraint based on the execution semantic structural condition and identifying an execution semantic substructure meeting the constraint in the intermediate representation, constructing a proving object associated with the structural condition, locating an associated substructure and modifying the structural relationship of the associated substructure, judging and recording a result again based on the modified intermediate representation, recording the proving object and the judging result and establishing association with the access request to form audit data, thereby realizing judgment, processing and audit management of privacy violation formed by depending on the execution semantic structure.

Inventors

  • ZHANG SHUMIN
  • CHENG HAO
  • LU YUZE
  • HAN FENG
  • WANG PENGFEI
  • LI HAILONG
  • AN HAIPING
  • ZHANG SHUQIANG
  • ZHAO CHUNSHAN
  • YU JIHUI
  • QI CHAO

Assignees

  • 张舒敏

Dates

Publication Date
20260505
Application Date
20260120

Claims (10)

  1. 1. A network security data privacy protection management system, comprising: The execution semantic modeling module is used for carrying out semantic analysis on the access request and generating an execution semantic intermediate representation for representing a semantic structure of the access request in a data execution path; The privacy violation existence judging module is used for analyzing the execution semantic intermediate representation based on a preset privacy violation existence judging model so as to determine whether a situation meeting preset execution semantic structural conditions exists in a data execution path; The privacy violation presence proving construction module is used for generating a privacy violation presence proving object based on the corresponding execution semantic structure when the condition meeting the execution semantic structure condition is determined to exist; the execution structure digestion module is used for carrying out structure adjustment on the execution semantic intermediate representation based on the privacy violation presence proving object; the re-judging module is used for re-executing privacy violation existence judgment based on the execution semantic intermediate representation after the structure adjustment; And the audit data generation module is used for recording the privacy violation existence proving object and the data corresponding to the re-judging process.
  2. 2. The network security data privacy preserving management system of claim 1, wherein the performing semantic modeling step comprises: analyzing the access request by adopting a grammar analysis method to generate an abstract grammar structure of the access request; Extracting field references involved in the access request by adopting an expression structure analysis method based on the abstract grammar structure, and analyzing the dependency relationship of the fields in the expression tree to determine the combination relationship among the fields; and mapping the processing operation in the access request into an execution operator node by adopting an execution operator modeling method, establishing an operator connection structure based on the data dependency relationship, and generating an execution semantic intermediate representation for representing the data execution path semantic structure.
  3. 3. The network security data privacy protection management system of claim 1, wherein the privacy violation presence determining step comprises: Obtaining execution semantic structure conditions for describing a privacy violation execution path structure from a preset privacy rule set by adopting a structure rule matching method; and analyzing the execution semantic structure condition to form a structured judgment condition.
  4. 4. The network security data privacy protection management system of claim 1, wherein the privacy violation presence determining step further comprises: mapping the field relation described in the execution semantic structure condition into connection constraint among field nodes; The execution path structure description is mapped into connection constraints between execution operator nodes, and structure constraints which can be matched in the execution semantic intermediate representation are generated.
  5. 5. The network security data privacy protection management system of claim 1, wherein the privacy violation presence determining step further comprises: traversing the execution semantic intermediate representation by adopting a semantic structure traversing method according to the connection relation among the execution operator nodes; Semantic node combinations that can form the data execution path are extracted during traversal.
  6. 6. The network security data privacy protection management system of claim 1, wherein the privacy violation presence determining step further comprises: In the traversal process, matching the traversed semantic nodes and the connection relations thereof with the structural constraint by adopting a structural mode matching method; And when the matching is successful, determining that the corresponding semantic node sets form an execution semantic substructure.
  7. 7. The network security data privacy protection management system of claim 1, wherein the privacy violation presence proof construction step comprises: selecting the identified execution semantic substructure; And associating the execution semantic substructure with the execution semantic structure condition triggering the identification to form a privacy violation presence proving object.
  8. 8. The network security data privacy protection management system of claim 1, wherein the performing structure resolution step comprises: Locating an execution semantic substructure associated with the privacy violation presence proving object in an execution semantic intermediate representation according to the privacy violation presence proving object; and changing a field combination mode or an execution operator connection mode in the execution semantic substructure to modify the structural relationship of the execution semantic substructure obtained by positioning.
  9. 9. The network security data privacy protection management system of claim 1, wherein the re-determining step comprises: according to the execution semantic intermediate representation after the structure modification is completed, adopting a structure traversal and structure pattern matching method which is the same as that of the first privacy violation existence judgment to execute the privacy violation existence judgment again; Recording a determination result obtained by performing the privacy violation presence determination again.
  10. 10. The network security data privacy protection management system of claim 1, wherein the audit data generating step comprises: recording a privacy violation presence proving object in a structured data form; and recording a judging result corresponding to the privacy violation existence proving object.

Description

Network security data privacy protection management system Technical Field The invention relates to the technical field of network security, in particular to a network security data privacy protection management system. Background The network security data privacy protection management system is a system for managing and controlling data access behaviors related to personal privacy or sensitive information in the process of network data access and processing. Such systems are typically deployed in data access portals or data processing links for analyzing access requests and restricting or recording data processing actions that may involve privacy risks. Along with the popularization of centralized data storage and multi-service system cooperative processing, the network security data privacy protection management system gradually becomes an important technical means for guaranteeing the compliance of data, and the management object not only comprises the data field, but also comprises the use mode of the data in the processing process. Existing network security data privacy protection management systems typically determine data access requests based on field level rules or access policies, and in use determine whether there is a privacy risk by identifying whether the access request contains predefined sensitive fields. However, in practical applications, the partial access request does not directly include a single sensitive field, but through the combined use of multiple non-sensitive fields and structural relationships in the data processing path, it is still possible to form a data result of privacy violation during execution. Because the prior art lacks analysis capability of a data execution path structure, privacy violations formed by the execution semantic structure are difficult to identify, so that privacy risks cannot be effectively discovered. Disclosure of Invention In order to make up for the defects, the invention provides a network security data privacy protection management system, which aims to solve the problems that in the prior art, a data access request is judged only based on field level rules, and privacy violation formed by depending on a data execution path structure is difficult to identify. The invention provides a network security data privacy protection management system, which comprises the following technical scheme: The execution semantic modeling module is used for carrying out semantic analysis on the access request and generating an execution semantic intermediate representation for representing a semantic structure of the access request in a data execution path; The privacy violation existence judging module is used for analyzing the execution semantic intermediate representation based on a preset privacy violation existence judging model so as to determine whether a situation meeting preset execution semantic structural conditions exists in a data execution path; The privacy violation presence proving construction module is used for generating a privacy violation presence proving object based on the corresponding execution semantic structure when the condition meeting the execution semantic structure condition is determined to exist; the execution structure digestion module is used for carrying out structure adjustment on the execution semantic intermediate representation based on the privacy violation presence proving object; the re-judging module is used for re-executing privacy violation existence judgment based on the execution semantic intermediate representation after the structure adjustment; And the audit data generation module is used for recording the privacy violation existence proving object and the data corresponding to the re-judging process. Preferably, the performing semantic modeling step includes: analyzing the access request by adopting a grammar analysis method to generate an abstract grammar structure of the access request; Extracting field references involved in the access request by adopting an expression structure analysis method based on the abstract grammar structure, and analyzing the dependency relationship of the fields in the expression tree to determine the combination relationship among the fields; and mapping the processing operation in the access request into an execution operator node by adopting an execution operator modeling method, establishing an operator connection structure based on the data dependency relationship, and generating an execution semantic intermediate representation for representing the data execution path semantic structure. Preferably, the privacy violation presence determining step includes: Obtaining execution semantic structure conditions for describing a privacy violation execution path structure from a preset privacy rule set by adopting a structure rule matching method; and analyzing the execution semantic structure condition to form a structured judgment condition. Preferably, the privacy violation presenc