TWI539323B - Personal data inventory system and method - Google Patents

Description

Personal data inventory system and method

The invention relates to a personal data inventory system and method, which has high efficiency and high precision for searching personal data, and can strengthen the internal knowledge of personal data in the organization, and can be applied to the information security industry, such as data protection system and personal data. Inventory system, etc.

Modern business operations and the use of personal data are very close, regardless of personnel, customer service, sales, marketing, planning, etc., in their daily activities, it is possible to use personal data, in addition to the company's own employee personal information, for the service industry, In the case of trading in the circulation industry or the retail industry, there will be a large number of customer data. Others, such as the telecommunications service industry or the medical industry, will certainly have more customer data, so one is more efficient and more accurate. The inventory system is very important for enterprises in the work of personal data management.

The technical field of a personal data inventory system mainly includes content analysis of archive files, personal data inventory system architecture and its extended data confidentiality and data de-identification technology.

In the aspect of content analysis of archive files, the conventional technology mostly determines the file type by the name of the auxiliary file. When the file to be analyzed containing the identity identification data is falsified, the file content cannot be analyzed, and the content of the file is not included. The identification data of the identity can not be analyzed. The file will become a fish of the net, and the misjudgment will occur. In terms of Chinese name recognition, the conventional technology lacks easy mixing. Confusing daily word recognition and the filtering mechanism of title and title can easily lead to misjudgment.

Regarding the system architecture, the conventional technology is mostly based on the standard master-slave architecture, that is, the user collects the data and uploads it to the server, and then performs centralized operation analysis on the server side. This method is indeed available when the number of users is small. Solution, but when the number of users increases, the over-concentrated operation will greatly increase the load on the server.

For the confidentiality of data, when the personal computer is transmitted to the central server, the conventional technology adopts the method of "concentrating and processing the data first". After collecting the file containing the personal data on the personal computer, it is transmitted through the physical line or wireless communication. To the central server; once this process is blocked by the packet monitoring, security and confidentiality will disappear. Furthermore, the data uploaded to the server is saved in the original file format, waiting for the analysis module to perform statistics. At this time, the central server contains a large amount of identity identification data, which will become a high-risk asset.

It can be seen that there are still many shortcomings in the above-mentioned conventional technology, which is not a good designer, but needs to be improved.

In view of the shortcomings derived from the above-mentioned conventional methods, the inventor of the present invention succeeded in researching and developing a personal data inventory system and method after painstaking research and development.

The invention provides a personal data inventory system and method. The system provides identification technology for identity identification data, which can automatically find the file containing the identification data of the operation system, match the data to identify the technology, and add the identification data to the mask to comply with the current regulations. The information that is counted out will be centralized to the central server for classification and statistics, providing conditionalization. Query method Production report, assist enterprises or organizations to master the internal computer, whether the distribution and application of files containing personal data conform to the standard.

A personal data inventory system and method for achieving the above object, a method for reading all electronic file files on an electronic computer or the equivalent carrier, analyzing the contents of the file, and searching through a predefined identification data category, which may include Identity card number, Chinese name, Taiwan address, telephone number, birthday, and other personal privacy information such as credit card number, supplemented by the Taiwan Personal Data Protection Act to reduce the chance of misjudgment of search; the searched data results are identified according to different identity Category, separately count the quantity and record the supporting information, and at the same time, in a more confidential manner, prevent the theft of data in a two-stage manner without affecting the availability of the results: one stage is to reduce the supporting information. Identifyively, remove some of the keywords in the supporting data in a masked manner. The masking action replaces some of the text in the original string with a fixed special character symbol (for example, ○●* but not limited to) (for example, "Wang Xiaoming" is replaced by " Wang ○ ming"), to achieve the purpose of identification of information, not to leak Personal data. The second stage is to encrypt the inventory result by using the encryption algorithm, to ensure that the transmission process is not recorded by the third party, and the data cannot be used. The encryption algorithm is not limited to specific methods, such as MD5, DES, Algorithms such as RSA, character confusion, and the like are well known to those skilled in the art, and therefore will not be described again. The results of the inventory include personal basic information and inventory result information. After the file is uploaded to the central server, it is decrypted and stored. The administrator can view the type of personal data stored on the statistical personal computer through the customized condition query result. With the quantity, and available for production reports, the results of this query are retained by way of file or paper printing. This more efficient system architecture, the data search, classification and masking actions, when the data is collected at the user end, the operation is completed, the server only needs to save the classified data in a centralized manner, which greatly reduces The amount of calculation, reduce the server negative Loaded.

The present invention provides a personal data inventory system, comprising: a client and a server, wherein the client further comprises: a content analysis unit, which performs identity identification data analysis on any file to be analyzed to generate an inventory result; a recording unit that accepts the result and record of the inventory and encrypts the result of the inventory; a transmission unit transmits the encrypted result of the inventory of the recording unit to the server; wherein the server further includes: a setting unit Set a unit of information and personal data level; a receiving unit receives and decrypts the encrypted result of the counting of the client; a storage unit stores the unit information and personal data level, and the decrypted inventory Resulting; a query unit queries the unit information and personal data level and the inventory result; and a statistical unit performs statistics on the unit information and personal data level and the inventory result.

One or more of the files to be analyzed. The identification of the identity identification data includes analyzing the identity card number, Chinese name, birthday, telephone number, Taiwan address, and credit card number in the document to be analyzed. The identity card number and credit card number are judged by the concept of verification code to avoid misjudgment; the Chinese name verifies the common surname of the whole Taiwan, and filters the confusing daily words, and identifies the title and title to reduce The misjudgment of Chinese names; and the address part of Taiwan can identify the address of Chinese characters inclusive to reduce the misjudgment of Taiwan addresses. The result of the inventory includes a plurality of basic information of employees and a plurality of employees. Inventory information. The basic information of each employee includes the name of the unit, the name of the computer, the number of counts, the employee's account number, the employee's name, and the system name. The employee inventory information includes the file name, the total number of pens, the number of the number of the identity card, the number of the number of the number of the number of the phone, the number of the number of the phone, the number of the number of the number of the birthday, the number of the number of the credit card, the number of the credit card, the level of the personal data, and the supporting information. The transmission unit is transmitted using a network communication protocol. The unit information and personal data level include the unit number, unit name and personal information of the high, medium and low levels.

The invention provides a personal data inventory method, comprising the following steps: one of the clients to be analyzed to enter a content analysis unit, in order to determine the file type of the file to be analyzed, obtain the text content of the file to be analyzed, analyze the Determining the identity of the file to be analyzed, determining whether the file to be analyzed is an alert file, and generating an inventory result; sending the inventory result and related data including the number of occurrences and the supporting information to a recording unit, the recording unit And the related data includes the number of occurrences and the supporting data for encryption; a transmission unit uploads the encrypted result of the counting to a server; the server provides a unit information and a personal data level through a setting unit; Receiving and decrypting the encrypted inventory result from the client by using a network communication protocol; a storage unit stores the unit information and the personal data level and the decrypted result of the inventory; and an inquiry unit uses the unit in the storage unit Information and personal data levels and results of the inventory, providing computer name , Employee accounts, employee name, profile items, the system name of the query filtering criteria; and a statistical unit by using the unit level information and personal data and the results of the inventory within the storage unit, the unit provides a statistical inventory information.

The detailed description of the preferred embodiments of the present invention is intended to be limited to the scope of the invention, and is not intended to limit the scope of the invention. The patent scope of this case.

In summary, this case is not only innovative in terms of space type, but also can enhance the above-mentioned multiple functions compared with the customary items. It should fully meet the statutory invention patent requirements of novelty and progressiveness, and apply for it according to law. This invention patent application, in order to invent invention, to the sense of virtue.

100‧‧‧Client

101‧‧‧ Documents to be analysed

110‧‧‧Content Analysis Unit

120‧‧‧recording unit

121‧‧‧ inventory results file

130‧‧‧Transportation unit

140‧‧‧ server end

210‧‧‧Setting unit

220‧‧‧ receiving unit

230‧‧‧Statistics unit

240‧‧‧Query unit

250‧‧‧ storage unit

260‧‧‧Manager

270‧‧‧ Unit information and personal data level setting

Figure 1 is a schematic diagram of a client of the personal data inventory system of the present invention.

Figure 2 is a schematic diagram of the server end of the personal data inventory system of the present invention.

Figure 3 is a schematic diagram of the server end of the personal data inventory system of the present invention.

Figure 4 is a schematic diagram of the server end of the personal data inventory system of the present invention.

Figure 5 is a schematic diagram of the server end of the personal data inventory system of the present invention.

Figure 6 is a schematic diagram of the server end of the personal data inventory system of the present invention.

Figure 7 is a schematic diagram of the server end of the personal data inventory system of the present invention.

The technical features, contents, and advantages of the present invention, as well as the advantages thereof, can be understood by the reviewing committee, and the present invention will be described in detail with reference to the accompanying drawings. The subject matter is only for the purpose of illustration and description. It is not intended to be a true proportion and precise configuration after the implementation of the present invention. Therefore, the scope and configuration relationship of the attached drawings should not be interpreted or limited. First described.

Please refer to FIG. 1 , which is a client flowchart of the personal data inventory system of the present invention. After the client 100 enters the to-be-analyzed file 101 into the content analysis unit 110 , the content analysis unit 110 performs file type determination on the file 101 to be analyzed. Judging, the decision process includes analyzing the file header and the file end, and confirming the file type after comparing the format of the file header and the file end. After confirming the type of the file, the text content of the file is obtained for the different file types to the corresponding blocks in the file. After the text content is obtained, the content analysis of the identity identification data is performed. The prior art does not detect the true file type for the file to be analyzed, such as an embedded identity identification. If the file name is to be analyzed, if the file name is changed, the file content cannot be analyzed, and the identity identification data cannot be analyzed, and a misjudgment occurs. However, the present invention detects the real file type, and even if the ad file name is arbitrarily changed, the content of the file and the identity identification data therein will still be analyzed, and no misjudgment will occur.

The content analysis part of the identity identification data includes analysis functions for various identification data, including identity card number, Chinese name, birthday, telephone number, Taiwan address, and credit card number: where the identity card number and credit card number are supplemented by the verification code. The concept is judged to avoid the misjudgment of the two; the partial revision of the Chinese name and the Taiwan address is mostly based on the formal expression analysis, and the Taiwan Personal Data Protection Law is adjusted: the Chinese name part verifies the common surname of the whole Taiwan And filter the confusing daily words, and identify the title and title (such as "Wang Xiaoming Director" or "Wang Director Xiao Ming") to reduce the misjudgment of Chinese names; Taiwan address part can identify the address with Chinese characters (for example) "No. 12 of Section 5 of National Road" or "No. 12 of Section 5 of National Road" to reduce the misjudgment of Taiwan's address.

After the analysis file 101 completes the content analysis of the identity identification data in the content analysis unit 110, the number of occurrences of each type of identity identification data in the file is obtained, and if the document has an identity card number or a certain number of Chinese names, and If other types of identity identification data appear, the file is considered to be a sensitive file containing identity identification data. The number of occurrences of each type of identity identification data is collected, and the supporting information of each type of identity identification data is collected and sent to the recording unit 120.

After the relevant data is included in the number of occurrences and the supporting information is sent to the recording unit 120, it is provided to ensure the security of the data transmitted after the result is not affected, and the data is stolen and stolen in a two-stage manner: To support the identification of the data, the part of the supporting data is masked, and the action of the mask is fixed. The special character symbol (for example, ○●*, etc.) replaces some of the text in the original string (for example, "Wang Xiaoming" is replaced by "Wang ○ Ming"), and the purpose of identifying the data is achieved, so as to avoid the data collection at the server end. Risk of leakage of personal data that may result. The second stage is to encrypt the inventory result file 121. This encryption operation is to avoid the leakage of data caused by interception in the middle of transmission when the relevant data is transmitted to the server at that time, wherein the encryption algorithm is not limited to a specific method. For example, MD5, DES, RSA, character confusion and other algorithms, the implementation manners of which are well known to those skilled in the art, and therefore will not be described again. After all the files to be analyzed 101 complete the content analysis and are encrypted and recorded in the same file, the file whose content is encrypted is the inventory result file 121.

After the inventory result file 121 is obtained, the connection unit 121 is established through the transmission unit 130 of the client 100, and the encrypted result file 121 of the encrypted interface is uploaded to the server end 140, and the process of the client 100 is completed. At the same time, data search, classification and masking operations have been processed at the user end, which greatly reduces the amount of computation on the server side and reduces the load on the server.

Please refer to the second to seventh embodiments, which are schematic diagrams of the server end of the personal data inventory system of the present invention. As shown in the figure, the main steps include: the user 260 uses the setting unit 210 of the server terminal 140 to perform unit information and The personal data level setting 270 is stored in the storage unit 250, and the unit information content in the unit information and personal data level setting 270 includes: a unit number and a unit name (as shown in FIG. 3), used as a unit statistical, personal data level. The content includes: high, medium and low information (as shown in Figure 4) as the basis for the judgment of individual assets.

The receiving unit 220 is responsible for receiving the inventory result file 121 and decrypting it and storing it in the storage unit 250. The content of the inventory result file 121 is the employee basic information and the employee inventory information, as the personal data quantity statistics, as shown in FIG. 5, Basic employee information includes: Information such as the name of the bit, the name of the computer, the number of counts, the employee's account number, the name of the employee, and the name of the system. As shown in Figure 6, the employee's inventory information includes: file name, total number of pens, number of identity cards, number of names, Information such as the number of telephones, the number of addresses, the number of birthdays, the number of credit card numbers, the level of personal data, and supporting information.

Thereafter, the statistical unit 230 performs statistical operations on the employee basic information stored in the storage unit 250 and the employee inventory information according to the unit. As shown in FIG. 7, the statistical result is the inventory count of the unit, and the content includes: counting the number of computers, including personal data. The number of files, the total number of personal data files, the total number of personal data, the number of files of high concern, the number of files of moderate concern, the number of files of low concern, the number of identity cards, the number of names, the number of birthdays, the number of calls, Information such as the number of addresses and the number of credit card numbers.

The query unit 240 performs the query according to the computer name, the employee account number, the employee name, the number of personal data, the system name, and the like, and the query result content is the employee's inventory information.

At this point, with the above process, it is finally possible to find out all the personal data inside the company in order to fulfill the responsibility of the good custodian. Enterprises can arrange for each department to conduct personal data inventory for personal computers or servers according to their own needs, find out the documents, inventory, etc. that may store personal data, and then produce production reports, so that each department can check them one by one. In addition, it can be combined with the data loss protection endpoint system to provide complete data leakage prevention monitoring of the user terminal, thereby preventing personal data leakage, avoiding legal events arising from the outflow of customer personal data, and protecting the business interests and image of the enterprise.

The personal data inventory system and method provided by the present invention have the following advantages when compared with other conventional technologies:

1. The personal data inventory system and method of the present invention provides a more efficient system architecture, Data search, classification, and masking are processed at the user end, which greatly reduces the amount of computation on the server side and reduces the load on the server.

2. The personal data inventory system and method of the present invention can determine the true type of the file by analyzing the manner of the file header and the file end, and is not affected by the file name.

3. The personal data inventory system and method of the present invention provides a daily confusing and confusing term for Chinese names, and identifies titles and titles to reduce the misjudgment of Chinese names.

4. The personal data inventory system and method of the present invention cooperate with the action of masking and encrypting, so that the counting result not only has the effect of de-identifying, but also can be transmitted to the server end in a low-risk manner, thereby avoiding the problem of data leakage. .

5. The present invention can set different personal data levels according to the number of personal data, and provide managers with flexible settings for personal data levels.

6. The invention can perform the function of counting for the counting result, and according to the unit information and the personal data level setting, the manager can quickly obtain the personal data level distribution of the personal data file of the unit or the employee.

7. The invention can query the inventory information by using special query conditions, and provides convenience for the administrator to search and query the inventory information. The special query conditions include: computer name, employee account number, employee name, number of personal data, system name, etc. .

8. The invention can provide detailed information of employee inventory information, including: file name, total number of pens, number of identity card numbers, number of names, number of birthdays, number of telephones, number of addresses, number of credit card numbers, Personal information level, supporting information and other information.

9. The supporting inventory information of the present invention can provide supporting information for the identity identification data in the file, and provide a manager's judgment reference.

To sum up, this case is not only innovative in terms of technical thinking, but also has many of the above-mentioned functions that are not in the traditional methods of the past. It has fully complied with the statutory invention patent requirements of novelty and progressiveness, and applied for it according to law. Approved this invention patent application, in order to invent invention, to the sense of virtue.

100‧‧‧Client

101‧‧‧ Documents to be analysed

110‧‧‧Content Analysis Unit

120‧‧‧recording unit

121‧‧‧ inventory results file

130‧‧‧Transportation unit

140‧‧‧ server end

Claims (8)

A personal data inventory system includes: a client and a server, wherein the client further includes: a content analysis unit that performs identity identification data analysis on any file to be analyzed to generate an inventory result; Receiving the result and record of the inventory, and encrypting the result of the inventory; a transmission unit transmits the encrypted result of the inventory of the recording unit to the server; wherein the server further includes: a setting unit, which is set a unit information and personal data level; a receiving unit receives and decrypts the encrypted result of the counting of the client; a storage unit stores the unit information and personal data level, and the decrypted result of the counting; The query unit queries the unit information and the personal data level and the inventory result; a statistical unit performs statistics on the unit information and personal data level and the inventory result; wherein the content analysis unit is for the to-be-analyzed file Perform identity identification data analysis, including the body within the file to be analyzed The certificate number, Chinese name, birthday, telephone number, Taiwan address, and credit card number are analyzed; the identity card number and credit card number are all judged by the concept of verification code to avoid misjudgment; Chinese name verification is common in Taiwan. Surname, and filter the confusing daily words, identify the title and title to reduce the misjudgment of Chinese names; and Taiwan Address Department The scores can identify the address of the Chinese number in order to reduce the misjudgment of the Taiwan address. The personal data inventory system of claim 1, wherein the document to be analyzed is one or more. For example, in the personal data inventory system described in claim 1, wherein the inventory result includes a plurality of employee basic information and a plurality of employee inventory information. For example, in the personal data inventory system described in claim 3, the basic information of the employee includes the name of the unit, the name of the computer, the number of counts, the employee account number, the employee name, and the system name. For example, in the personal data inventory system described in claim 3, the employee inventory information includes the file name, the total number of pens, the number of the identity card number, the number of the number of the number of the phone, the number of the phone, the number of the address, the birthday pen. Number, credit card number, personal data level, supporting information. The personal data inventory system of claim 1, wherein the transmission unit transmits using a network communication protocol. For example, in the personal data inventory system described in claim 1, wherein the unit information and personal data level include the unit number, the unit name, and the high, medium, and low levels of the personal data. A personal data inventory method includes the following steps: one of the clients to be analyzed enters a content analysis unit, and the content analysis unit performs identity identification data analysis on any of the files to be analyzed, and sequentially determines the file to be analyzed. File type, obtaining the text content of the file to be analyzed, analyzing the identity identification data of the file to be analyzed, determining whether the file to be analyzed is a smart file, and generating an inventory result; the counting result and related data include the number of occurrences and supporting evidence The data is sent to a recording unit, and the recording unit encrypts the counting result and the related data with the number of occurrences and the supporting data; a transmission unit uploads the encrypted result of the inventory to a server; the server provides a unit information and a personal data level through a setting unit; and a receiving unit receives and decrypts the client from the network protocol The encrypted result of the inventory; a storage unit stores the unit information and the personal data level and the decrypted result of the inventory; and an inquiry unit provides the computer by using the unit information and the personal data level and the inventory result in the storage unit Query of the name, employee account number, employee name, number of personal data, and system name screening conditions; a statistical unit uses the unit information and personal data level in the storage unit and the result of the inventory to provide a unit of inventory information statistics; The content analysis unit analyzes the identity identification data of the to-be-analyzed file, and includes analyzing the identity card number, Chinese name, birthday, telephone number, Taiwan address, and credit card number in the file to be analyzed; wherein the identity card number and the credit card are included. No., all of which are judged by the concept of verification code. Avoid false positives; Chinese names verify the common surnames of the whole Taiwan, and filter the confusing daily words, identify the title and title to reduce the misjudgment of Chinese names; and the address part of Taiwan can identify the address of the Chinese characters. In order to reduce the misjudgment of Taiwan's address.