A method for improving security of data exchange

By configuring firewalls, data routing security parameters, and encryption measures in the data exchange intermediate system, the problems of low security and high risk of data leakage during data exchange between business systems are solved, and comprehensive security control and monitoring are achieved.

CN116781357B · Active · Publication Date: 2026-06-12 · FKHWL COM

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: FKHWL COM
Filing Date: 2023-06-27
Publication Date: 2026-06-12

AI Technical Summary

Technical Problem

In the current technology, the data exchange process between various business systems has low system security, high risk of data leakage, and lacks effective security control measures.

Method used

By connecting two external application systems through a data exchange intermediary system, and configuring security control functions such as firewall, data routing security parameters, application access authentication, data routing call authorization, and data encryption, security control is achieved at the application layer, transport layer, network layer, and data link layer.

Benefits of technology

It enhances the security of the data exchange process, prevents network attacks, data tampering, and server IP exposure risks, provides data encryption and decryption mechanisms and system access restrictions, ensures process recording and monitoring, and solves the problem of insufficient system security.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a method for improving the security of data exchange, comprising the following steps: step S1, log in to the data exchange system; step S2, configure the firewall; step S3, data routing security parameter configuration; step S4, application access authentication; step S5, data routing call authentication; step S6, data encryption; step S7, security audit; step S8, complete the data exchange. Unlike the traditional approach in which two application systems are docked directly to exchange data, the application connects two external application systems through a data exchange intermediate system to realize the data exchange between the two applications. In the actual data exchange process, the configured security control measures are applied, making up for the original systems' inability to provide security control measures and addressing the network attack, data tampering, and server IP exposure risks that arise when the two systems exchange data.

Description

Technical Field

[0001] This invention belongs to the field of computer security technology, specifically a method for improving the security of data exchange.

Background Technology

[0002] With the popularization of computer and internet technologies, enterprises establish business application systems adapted to various business scenarios and to solve different needs through different suppliers or service providers. As business develops, the need for data exchange between these application systems becomes increasingly frequent. However, in the process of enterprise informatization construction, there is a lack of effective overall planning and a lack of predictive design for system security and data exchange security. Furthermore, with the development of internet and security technologies in recent years, hacker attacks and malicious attacks have increased, and existing systems lack data exchange security measures and functions. Therefore, during data exchange between systems, there are problems such as low system security and a high risk of data leakage.

[0003] In existing technologies, various business systems are provided by different vendors, and due to the age of these systems, the vendors may no longer provide system maintenance. Furthermore, outdated programming languages and limited functional architectures prevent effective upgrades and iterations of existing systems at the application, transport, network, and data link layers, including system security control, data transmission encryption, process logging, and monitoring.

Summary of the Invention

[0004] The purpose of this invention is to provide a method for improving the security of data exchange, so as to solve the problems of low system security and high risk of data leakage in the prior art as mentioned in the background.

[0005] To solve the above-mentioned technical problems, the technical solution adopted by the present invention is as follows:

[0006] A method for improving the security of data exchange includes the following steps:

[0007] Step S1: Log in to the data exchange system and connect application system A and application system B. Application system A is the upstream request system, and application system B is the downstream response system.

[0008] Step S2, Configure the firewall;

[0009] Step S3, Configure data routing security parameters;

[0010] Step S4, application access authentication;

[0011] Step S5, data routing call authentication;

[0012] Step S6: Data encryption;

[0013] The specific process of data encryption is as follows:

[0014] Step S601: After the request from application system A passes through the firewall, access authentication, and data routing call authentication, the request is decrypted and verified using the data decryption algorithm and key generated during the data routing configuration for application system A.

[0015] Step S602: After successful verification, the decrypted data is re-encrypted using the data encryption algorithm and key configured for application system B in the data routing configuration.

[0016] Step S603: After the data is successfully encrypted, it is sent to application system B. At this time, application system B performs logical processing and data response on the received request data and generates response data.

[0017] Step S604: The response data is sent to the data exchange system. The data exchange system decrypts and verifies the data according to the data encryption algorithm and key configured for application system B in the data routing.

[0018] Step S605: After successful verification, the encrypted data is sent back to application system A. Application system A then decrypts the data according to the decryption algorithm and key configured in the data routing. The application system receives the decrypted data and utilizes it.

[0019] Step S7, security audit;

[0020] Step S8: Complete the data exchange.

[0021] According to the above technical solution, in step S2, the specific configuration of the firewall includes: configuring the list of applications allowed to access the system and the blacklist and whitelist of IP addresses that can access the applications;

[0022] According to the above technical solution, the firewall configuration also includes database firewall configuration. The specific configuration of the database firewall includes configuring legal SQL operations and illegal SQL operations. Legal operations include allowing viewing the database, viewing data tables, updating data, and querying views; illegal operations include deleting the database, deleting data tables, and deleting data definitions.

[0023] According to the above technical solution, in step S3, the data routing security parameter configuration specifically includes: configuring the applications of application system A and application system B; configuring the application app-key of application system B; configuring the application app-key of application system A; configuring the application data routing encoding of application system A; configuring the application data routing encoding of application system B; configuring the application decryption algorithm and key of application system A; configuring the application decryption algorithm and key of application system B.

[0024] According to the above technical solution, step S4 specifically includes the following steps:

[0025] Application system A accesses the data exchange system through the entry address. The data exchange system identifies the specific initiating object of the request by using the app-key of application system A generated during data routing configuration. Then, it authenticates the initiating object using the app-key to determine whether the request is legitimate. If the object has been authenticated by the app-key, the request is legitimate; otherwise, the request is illegitimate.

[0026] The system identifies the application by matching the application identifier in the request parameters of application system A with the configured application system A identifier. If the identifiers match, the identification is correct and the request is allowed; if the identifiers do not match, the request is not allowed.

[0027] The configured application system A identifier is the one used in step S3, when configuring data routing security parameters;

[0028] The entry address is an accessible IP address formed by combining the IP address of the data exchange system with a port prefix. It is used to provide a unified address for external applications to access the data exchange system.

[0029] According to the above technical solution, in step S5, the data routing call authentication is specifically as follows:

[0030] The system determines the data routing permissions of application system A by using the routing code generated during data routing configuration. If application system A has the permissions, the system allows application system A to access and invoke the data routing, and allows application system A to communicate and transmit data to application system B. If application system A does not have the permissions, the system does not allow application system A to communicate.

[0031] According to the above technical solution, step S7, the security audit specifically includes the following steps:

[0032] Step S701: Collect system logs, security logs, application logs, firewall logs, and network data of the data exchange system, and process the collected data into a unified format.

[0033] Step S702: The collected logs are processed and analyzed in real time, corresponding alarms are generated according to the rule base, and message reminders are sent in the system;

[0034] Step S703: Process and analyze the collected logs, generate reports, and provide a download function.

[0035] Compared with the prior art, the present invention has the following beneficial effects:

[0036] This invention provides a method to enhance data exchange security. Unlike traditional methods where two application systems directly connect and exchange data, this invention uses a data exchange intermediary system to connect two external application systems, enabling data exchange between them. The system has built-in security control functions for the application layer, transport layer, network layer, and data link layer, allowing for flexible configuration and selection of data exchange security controls during the exchange process. In actual data exchange, these configured security controls address the shortcomings of existing systems, resolving issues such as network attacks, data tampering risks, server IP exposure risks, lack of data encryption / decryption mechanisms, lack of system access security restrictions, and lack of process logging, monitoring, and security auditing during data exchange between the two systems.

Attached Figure Description

[0037] Figure 1 is a schematic diagram of the system of the present invention;

[0038] Figure 2 is a system flowchart of the present invention.

Detailed Implementation

[0039] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0040] Example 1

[0041] As shown in Figure 1, a method for improving the security of data exchange includes the following steps:

[0042] Step S1: Log in to the data exchange system and connect application system A and application system B. Application system A is the upstream request system, and application system B is the downstream response system.

[0043] Step S2, Configure the firewall;

[0044] Step S3, Configure data routing security parameters;

[0045] Step S4, application access authentication;

[0046] Step S5, data routing call authentication;

[0047] Step S6: Data encryption;

[0048] As shown in Figure 2, the specific process of data encryption is as follows:

[0049] Step S601: After the request from application system A passes through the firewall, access authentication, and data routing call authentication, the request is decrypted and verified using the data decryption algorithm and key generated during the data routing configuration for application system A.

[0050] Step S602: After successful verification, the decrypted data is re-encrypted using the data encryption algorithm and key configured for application system B in the data routing configuration.

[0051] Step S603: After the data is successfully encrypted, it is sent to application system B. At this time, application system B performs logical processing and data response on the received request data and generates response data.

[0052] Step S604: The response data is sent to the data exchange system. The data exchange system decrypts and verifies the data according to the data encryption algorithm and key configured for application system B in the data routing.

[0053] Step S605: After successful verification, the encrypted data is sent back to application system A. Application system A then decrypts the data according to the decryption algorithm and key configured in the data routing. The application system receives the decrypted data and utilizes it.

[0054] Step S7, security audit;

[0055] Step S8: Complete the data exchange.

[0056] This invention provides a method to enhance data exchange security. Unlike traditional methods where two application systems directly connect and exchange data, this invention uses a data exchange intermediary system to connect two external application systems, enabling data exchange between them. The system has built-in security control functions for the application layer, transport layer, network layer, and data link layer, allowing for flexible configuration and selection of data exchange security controls during the exchange process. In actual data exchange, these configured security controls address the shortcomings of existing systems, resolving issues such as network attacks, data tampering risks, server IP exposure risks, lack of data encryption / decryption mechanisms, lack of system access security restrictions, and lack of process logging, monitoring, and security auditing during data exchange between the two systems.

[0057] Example 2

[0058] This embodiment is a further refinement of Embodiment 1. In step S2, the firewall configuration specifically includes: configuring a list of applications allowed to access the system and a blacklist / whitelist of IP addresses that can access these applications;

[0059] Firewall configuration also includes database firewall configuration. Specific database firewall configuration includes configuring legal and illegal SQL operations. Legal operations include allowing viewing of databases, tables, data updates, and view queries; illegal operations include deleting databases, tables, and data definitions.

[0060] In step S3, the data routing security parameter configuration specifically includes: configuring and adding application system A and application system B. On the system's data routing security parameter configuration function page, select the already added application name and save.

[0061] Configure the application app-key for application system B. In step S3, configure the data routing security parameters. On the system's data routing security parameter configuration page, fill in the pre-prepared app-key code and save it. This code is a unique number composed of numbers and letters. Configure the application app-key for application system A. Configure the application data routing code for application system A. In step S3, configure the data routing security parameters. On the system's data routing security parameter configuration page, fill in the data routing code and save it. This code is a unique number composed of numbers and letters. Configure the application data routing code for application system B. Configure the application decryption algorithm and key for application system A. In step S3, configure the data routing security parameters. On the system's data routing security parameter configuration page, select the required decryption algorithm type and key and save it. Configure the application decryption algorithm and key for application system B. After completing all configurations and saving the data, step S3 will generate a data routing code. This code is a unique number composed of numbers and letters, used to uniquely identify the data route.

[0062] In step S4, the authentication specifically includes the following steps:

[0063] Application system A uses a unified IP address and port. The entry address is an accessible IP address composed of the IP address, port, and prefix, which is used by external applications to access the data exchange system. The data exchange system identifies the specific initiator of the request by using the app-key of application system A generated during data routing configuration. Then, it authenticates the initiator by the app-key to determine whether the request is legitimate. If the object is authenticated by the app-key, the request is legitimate; otherwise, it is illegitimate. The system matches the application identifier in the application system A's request parameters with the application system A identifier configured in the data exchange system during step S3, when configuring data routing security parameters. If the identifiers match, the identification is correct, and the request is allowed.

[0064] For example: E4yL3E0LDmrl4ABpD7dxbFRh4Blrlx8g.

[0065] In step S5, the data routing call authentication is specifically as follows:

[0066] The data routing permissions of the current application system A are determined by the routing code generated during data routing configuration. Specifically, the unique data routing code generated in step S3 contains unique upstream and downstream applications. This code is used to determine which upstream and downstream applications configured in the data routes match the current requesting application. If they match, the application system is deemed to have permission. If the application system has permission, the data exchange system allows application system A to access and invoke the data routes and allows application system A to communicate and transmit data to application system B. If the application system does not have permission, communication by application system A is not allowed.
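The admission sequence of steps S2, S4 and S5 can be sketched as one decision function. This is an added example, not code from the patent; the configuration layout, the function names and every address, key and route code in it are constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    code: str        # data routing code generated in step S3
    upstream: str    # application identifier of the requester (system A)
    downstream: str  # application identifier of the responder (system B)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    downstream: Optional[str] = None


# Constructed configuration: every address, key and code below is made up.
ALLOWED_APPS = {"app-a", "app-b"}
IP_WHITELIST = [ipaddress.ip_network("10.20.0.0/24")]
IP_BLACKLIST = [ipaddress.ip_network("10.20.0.66/32")]
APP_KEYS = {
    "app-a": "CONSTRUCTEDKEYAAAAAAAAAAAAAAAAAAA",
    "app-b": "CONSTRUCTEDKEYBBBBBBBBBBBBBBBBBBB",
}
ROUTES = {"RT0001AB": Route("RT0001AB", "app-a", "app-b")}


def ip_permitted(src_ip: str) -> bool:
    """Step S2: the blacklist wins, then the address must be whitelisted."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable source address is never admitted
    if any(ip in net for net in IP_BLACKLIST):
        return False
    return any(ip in net for net in IP_WHITELIST)


def identify_by_app_key(presented: str) -> Optional[str]:
    """Step S4: find the initiator by app-key. Each comparison is constant
    time and every entry is scanned, so timing does not reveal a match."""
    found = None
    for app_id, key in APP_KEYS.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            found = app_id
    return found


def authorize(src_ip: str, app_id: str, app_key: str, route_code: str) -> Decision:
    if not ip_permitted(src_ip):
        return Decision(False, "S2: source IP not permitted")
    owner = identify_by_app_key(app_key)
    if owner is None or owner not in ALLOWED_APPS:
        return Decision(False, "S4: app-key not recognised")
    if owner != app_id:
        # The identifier in the request must match the one configured in S3.
        return Decision(False, "S4: application identifier does not match")
    route = ROUTES.get(route_code)
    if route is None or route.upstream != owner:
        # The route code binds exactly one upstream and one downstream app.
        return Decision(False, "S5: no permission for this data route")
    return Decision(True, "ok", route.downstream)
```

Each denial reason names the step that refused the request, which gives the audit log of step S7 a stable field to match rules against.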

[0067] In step S7, the security audit specifically includes the following steps:

[0068] Step S701 involves collecting system logs, security logs, application logs, firewall logs, and network data from the data exchange system. The collected data is then processed into a unified format, and the information is archived and stored according to operation type, log content, IP address of the log generator, time of generation, and account used for the operation. This unified format refers to processing and storing log information generated by various services according to the same data field types and specifications to facilitate subsequent data analysis and application.

[0069] Step S702: The collected logs are processed and analyzed in real time. Corresponding alarms are generated according to the rule base. The information contained in the logs is matched one by one in the rule base. If a match is found, an alarm is issued in the system. The rule base refers to the rule repository that triggers alarms. Each warning rule specifically includes the rule name, rule code, rule trigger threshold, rule trigger condition, applicable operation type, and applicable IP.

[0070] Step S703: Process and analyze the collected logs, generate reports, and provide a download function.
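Steps S701 to S703 can be illustrated with a small normalizer and rule engine. This is an added example, not the patent's implementation: the two input log formats, the sample lines, the rule codes and the 60-second sliding window used to evaluate the threshold are all assumptions made for the sketch.

```python
import ipaddress
import json
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class Record:                 # unified format of step S701
    op_type: str              # operation type
    content: str              # log content
    source_ip: str            # IP address that generated the log
    time: datetime            # generation time
    account: str              # operating account


@dataclass(frozen=True)
class Rule:                   # one rule-base entry of step S702
    name: str
    code: str
    threshold: int                       # rule trigger threshold
    condition: Callable[[Record], bool]  # rule trigger condition
    op_type: str                         # applicable operation type
    applicable_ip: str                   # applicable IP, written as a CIDR
    window: timedelta = timedelta(seconds=60)  # assumption, not on the page


def parse_time(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def from_firewall(line: str) -> Record:
    # Constructed format: "<time> <ACTION> src=<ip> app=<id>"
    stamp, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Record("firewall." + action.lower(), line, fields["src"],
                  parse_time(stamp), fields.get("app", "-"))


def from_app_json(line: str) -> Record:
    d = json.loads(line)
    return Record(d["event"], d["msg"], d["ip"], parse_time(d["ts"]), d["user"])


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)  # (rule code, source IP) -> hit times

    def feed(self, rec: Record) -> list:
        """Match one record against every rule; return (code, ip, count) alerts."""
        alerts = []
        ip = ipaddress.ip_address(rec.source_ip)
        for rule in self.rules:
            if rec.op_type != rule.op_type:
                continue
            if ip not in ipaddress.ip_network(rule.applicable_ip):
                continue
            if not rule.condition(rec):
                continue
            q = self.hits[(rule.code, rec.source_ip)]
            q.append(rec.time)
            while q and rec.time - q[0] > rule.window:
                q.popleft()  # forget hits that fell out of the window
            if len(q) >= rule.threshold:
                alerts.append((rule.code, rec.source_ip, len(q)))
        return alerts


# Constructed sample logs.
FIREWALL_LOG = [
    "2026-01-05T10:00:01Z DENY src=10.20.0.66 app=app-x",
    "2026-01-05T10:00:09Z DENY src=10.20.0.66 app=app-x",
    "2026-01-05T10:00:20Z ALLOW src=10.20.0.15 app=app-a",
    "2026-01-05T10:00:31Z DENY src=10.20.0.66 app=app-x",
    "2026-01-05T10:05:00Z DENY src=10.20.0.66 app=app-x",
]
APP_LOG = [
    '{"ts": "2026-01-05T10:00:25Z", "event": "auth.fail", '
    '"msg": "app-key rejected", "ip": "10.20.0.15", "user": "app-a"}',
]
RULES = [
    Rule("Repeated firewall denials", "FW-DENY-BURST", 3,
         lambda r: True, "firewall.deny", "10.20.0.0/24"),
    Rule("Rejected app-key", "AUTH-FAIL", 1,
         lambda r: "app-key" in r.content, "auth.fail", "0.0.0.0/0"),
]


def collect() -> list:
    records = [from_firewall(l) for l in FIREWALL_LOG]
    records += [from_app_json(l) for l in APP_LOG]
    return sorted(records, key=lambda r: r.time)


def run_audit() -> list:      # S702: alerts in the order they fire
    engine = RuleEngine(RULES)
    return [alert for rec in collect() for alert in engine.feed(rec)]


def report() -> dict:         # S703: summary counts per operation type
    return dict(Counter(r.op_type for r in collect()))
```

The fifth denial at 10:05:00 raises no alert because the three earlier hits have aged out of the window by then.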

[0071] Example 3

[0072] The inventive concept of this invention is as follows:

[0073] Step N1: Log in to the data exchange system. Enterprise users log in with their accounts to access the data exchange system.

[0074] Step N2: Configure the firewall. The data exchange system has a built-in firewall function, including a network layer firewall and a database firewall. The administrator configures the firewall parameters on the data exchange system.

[0075] A network layer firewall is an IP packet filter that operates on the underlying TCP / IP protocol stack. It can enumerate packets that meet specific rules to allow them to pass through, while blocking all others.

[0076] The specific configuration includes: configuring a list of applications allowed to access the system, and a blacklist and whitelist of IP addresses that can access the applications.

[0077] A database firewall is a database security protection system based on database protocol analysis and control technology. Based on a proactive defense mechanism, it controls database access behavior, blocks dangerous operations, and audits suspicious behavior. According to predefined prohibition and permission policies, it allows legitimate SQL operations to pass while blocking illegal and unauthorized operations, forming an outer defense perimeter for the database and achieving proactive prevention and real-time auditing of dangerous SQL operations.

[0078] The specific configuration includes configuring legal and illegal SQL operations. Legal operations include allowing viewing the database, viewing data tables, updating data, and querying views. Illegal operations include deleting the database, deleting data tables, and defining data.

[0079] The core function of a firewall is to establish a single communication channel between one application system and another through a data exchange system. It allows only authorized applications to access the data exchange platform, further preventing dangerous operations at the database level and ensuring the database security of both the external application system and the data exchange system. When the external system lacks full firewall functionality, the data exchange system provided by this invention can be used to configure firewall parameters and apply firewall control measures to enhance the security of system communication.

[0080] Step N3: Configure data routing security parameters. Data routing is a data exchange path and interface capability between upstream and downstream applications. It can be defined and added through various parameter configurations, ultimately manifesting as a rule-based data entry stored on the data exchange platform. This is used to receive data requests from application system A and send response data from application system B back to application system A. The configuration parameters for data exchange security are as follows: Configure upstream and downstream applications; Configure the downstream application's app-key; Configure the upstream application's app-key; Configure the upstream application's data routing encoding; Configure the downstream application's data routing encoding; Configure the upstream application's decryption algorithm and key; Configure the downstream application's decryption algorithm and key.

[0081] Each data routing code corresponds to a unique upstream and downstream application. When multiple data routes are configured, one application can correspond to multiple different data routing codes.

[0082] Step N4, Application Access Authentication: At the application access authentication level, application system A accesses the data exchange system through a unified IP address and port. The data exchange system identifies which application initiated the request by using the app-key of application system A (the upstream application) generated during data routing configuration. Only applications authenticated via their app-keys are authorized to make legitimate requests. This enhances system access security and prevents malicious access.

[0083] Step N5, Data Routing Invocation Authentication, has the core function of determining which applications, authenticated by the system, are allowed to request and invoke which data routes to achieve data exchange. Specifically, it uses a routing code generated during data routing configuration. This code uniquely corresponds to upstream and downstream applications. The system then determines which data routes the requesting application has permission to access and invoke. If so, the system allows the application to communicate and transmit data to downstream applications, thereby ensuring the overall security and stability of the system and guaranteeing secure data routing invocation.

[0084] Step N6: Data Encryption. For the data exchange process, the method of this invention can encrypt and decrypt data, improving data exchange security. The specific process is as follows:

[0085] After application system A's request passes through the firewall, access authentication, and data routing call authorization, the request from application system A is then decrypted and verified using the data decryption algorithm and key generated during the data routing configuration for application system A. After successful verification, the decrypted data is re-encrypted using the data encryption algorithm and key configured for application system B. Once the data encryption is successful, it is sent to application system B. At this point, application system B performs logical processing on the received request data, generates a data response, and produces response data.

[0086] The response data is then sent to the data exchange system. The data exchange system decrypts and verifies the data according to the data encryption algorithm and key configured for application system B in the data routing configuration. After successful verification, the encrypted data is returned to application system A. Application system A then decrypts the data according to the decryption algorithm and key configured in the data routing configuration. The application system receives the decrypted data and utilizes it.
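The decrypt, verify and re-encrypt relay of step N6 (steps S601 to S605) is sketched below as an added example, not code from the patent. The patent leaves the algorithm to configuration, so the sketch assumes a stand-in authenticated cipher built from HMAC-SHA256 to stay within the standard library; the keys and the route code are constructed, and re-encrypting the response under A's key in S605 is an assumption drawn from A decrypting with its own configured key.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one configured key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only decrypt data that verified."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("verification failed")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("verification failed")
    stream = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


# Constructed per-route keys: (key configured for A, key configured for B).
KEY_A = hashlib.sha256(b"constructed key for application system A").digest()
KEY_B = hashlib.sha256(b"constructed key for application system B").digest()
ROUTE_KEYS = {"RT0001AB": (KEY_A, KEY_B)}


def forward_request(route_code: str, blob_from_a: bytes) -> bytes:
    key_a, key_b = ROUTE_KEYS[route_code]
    plaintext = unseal(key_a, blob_from_a)  # S601: raises, nothing is forwarded
    return seal(key_b, plaintext)           # S602: re-encrypt for system B


def forward_response(route_code: str, blob_from_b: bytes) -> bytes:
    key_a, key_b = ROUTE_KEYS[route_code]
    plaintext = unseal(key_b, blob_from_b)  # S604: decrypt and verify
    return seal(key_a, plaintext)           # S605: assumption, see lead-in


def round_trip(request: bytes) -> bytes:
    """A -> exchange -> B -> exchange -> A, returning what A finally reads."""
    to_b = forward_request("RT0001AB", seal(KEY_A, request))
    received = unseal(KEY_B, to_b)          # S603: B reads the request
    response = b"ack:" + received           # B's constructed response
    to_a = forward_response("RT0001AB", seal(KEY_B, response))
    return unseal(KEY_A, to_a)


def rejects(blob: bytes) -> bool:
    """True when the exchange refuses to forward a request blob."""
    try:
        forward_request("RT0001AB", blob)
    except ValueError:
        return True
    return False
```

Because the intermediary decrypts before re-encrypting, it holds both keys and handles plaintext, so its key store and memory need the same protection as the two endpoints.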

[0087] Step N7, Security Audit: This invention provides a security audit function for global data exchange security.

[0088] Security auditing refers to the process of recording and analyzing historical operational events and data according to certain security strategies to identify areas for improvement in system performance and security. Its purpose is to ensure the secure operation of network systems, protect the confidentiality, integrity, and availability of data from damage, prevent intentional or unintentional human errors, and prevent and detect computer network crimes. In addition to other security measures, auditing mechanisms can be used to specifically record, track, and review the status and processes of network operations to identify security issues.

[0089] The method and system of this invention: for the data exchange process between upstream and downstream applications in a data exchange system, events occurring on the computer network are continuously recorded, and data mining and data warehouse technologies are used to realize terminal-to-terminal monitoring and management in different network environments.

[0090] The main process of the security audit function is as follows:

[0091] 1) Collect system logs, security logs, application logs, firewall logs, network data, etc. from the data exchange system, and process the collected data in a unified format.

[0092] 2) The logs collected from the system are processed and analyzed in real time, and then corresponding alarms are generated according to the rule base and message reminders are sent in the system.

[0093] 3) Perform post-processing analysis on the logs collected from the system, generate reports, and provide a download function.

[0094] 4) The security audit function module also supports efficient combined-condition querying of stored logs.

[0095] 5) Audit results can record intrusion and illegal activities and can be reproduced at any time.

[0096] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.

[0097] Finally, it should be noted that the above descriptions are merely preferred embodiments of the present invention and are not intended to limit the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in the foregoing embodiments or make equivalent substitutions for some of the technical features. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.

Claims

1. A method for improving the security of data exchange, characterized in that it includes the following steps:

Step S1: Log in to the data exchange system and connect application system A and application system B. Application system A is the upstream request system, and application system B is the downstream response system.

Step S2: Configure the firewall.

Step S3: Configure data routing security parameters.

Step S4: Application access authentication. The authentication process includes the following steps: Application system A accesses the data exchange system through the entry address. The data exchange system identifies the specific initiating object of the request by using the app-key of application system A generated during data routing configuration. Then, it authenticates the initiating object using the app-key to determine whether the request is legitimate. If the object has been authenticated by the app-key, the request is legitimate; otherwise, the request is illegitimate. The system identifies the application by matching the application identifier in the request parameters of application system A with the configured application system A identifier. If the identifiers match, the identification is correct and the request is allowed; if the identifiers do not match, the request is not allowed. The configured application system A identifier is the one used in step S3, when configuring data routing security parameters. The entry address is an accessible IP address formed by combining the IP address of the data exchange system with a port prefix. It is used to provide a unified address for external applications to access the data exchange system.

Step S5: Data routing call authentication.

Step S6: Data encryption. The specific process of data encryption is as follows:

Step S601: After the request from application system A passes through the firewall, access authentication, and data routing call authentication, the request from application system A undergoes data decryption and verification based on the data decryption algorithm and key generated during the data routing configuration for application system A.

Step S602: After successful verification, the decrypted data is re-encrypted using the data encryption algorithm and key configured for application system B in the data routing configuration.

Step S603: After the data is successfully encrypted, it is sent to application system B. At this time, application system B performs logical processing and data response on the received request data and generates response data.

Step S604: The response data is sent to the data exchange system. The data exchange system decrypts and verifies the data according to the data encryption algorithm and key configured for application system B in the data routing.

Step S605: After successful verification, the encrypted data is sent back to application system A. Application system A then decrypts the data according to the decryption algorithm and key configured in the data routing. The application system receives the decrypted data and utilizes it.

Step S7: Security audit. The security audit specifically includes the following steps:

Step S701: Collect system logs, security logs, application logs, firewall logs, and network data from the data exchange system, process the collected data into a unified format, and archive and store the collected information according to operation type, log content, IP address of log generation, generation time, and operation account.

Step S702: The collected logs are processed and analyzed in real time, and corresponding alarms are generated according to the rule base. The information contained in the logs is matched one by one in the rule base. If a match is found, an alarm is triggered in the system.

Step S703: Process and analyze the collected logs and generate reports.

Step S8: Complete the data exchange.
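The audit steps S701 to S703 can be sketched as follows. This is an added example, not code from the patent: the two raw log formats, the field names, the rule names and the sample lines are all constructed assumptions.

```python
import json
import re
from collections import Counter

# Assumed raw formats (constructed): a key=value firewall line and a JSON application line.
FW_RE = re.compile(r"^(?P<time>\S+) fw action=(?P<op>\w+) src=(?P<ip>\S+) "
                   r"user=(?P<acct>\S+) msg=(?P<msg>.*)$")

def normalize(line):
    """S701: map one raw line to the unified record, or None if it cannot be parsed."""
    line = line.strip()
    if line.startswith("{"):
        try:
            j = json.loads(line)
            return {"operation_type": j["op"], "content": j["msg"],
                    "source_ip": j["ip"], "time": j["ts"], "account": j["user"]}
        except (ValueError, KeyError):
            return None
    m = FW_RE.match(line)
    if m is None:
        return None
    return {"operation_type": m["op"], "content": m["msg"],
            "source_ip": m["ip"], "time": m["time"], "account": m["acct"]}

# Hypothetical rule base: (alarm name, predicate over a unified record).
RULES = [
    ("blocked-ip-request", lambda r: r["operation_type"] == "deny"),
    ("auth-failure", lambda r: r["operation_type"] == "auth_fail"),
    ("ddl-attempt", lambda r: re.search(r"\bdrop\s+(table|database)\b",
                                        r["content"], re.I) is not None),
]

def audit(lines):
    """S702/S703: match each record against every rule; return records, alarms, report."""
    records, alarms, rejected = [], [], 0
    for line in lines:
        rec = normalize(line)
        if rec is None:
            rejected += 1  # unparseable input is counted so gaps in coverage are visible
            continue
        records.append(rec)
        alarms += [(name, rec["source_ip"], rec["account"])
                   for name, match in RULES if match(rec)]
    report = {"rejected": rejected, "by_rule": dict(Counter(a[0] for a in alarms))}
    return records, alarms, report

SAMPLE = [  # constructed log lines using documentation IP ranges
    "2023-06-27T10:00:01Z fw action=deny src=198.51.100.7 user=- msg=ip on blacklist",
    '{"ts":"2023-06-27T10:00:02Z","op":"auth_fail","ip":"192.0.2.10","user":"system-a","msg":"app-key mismatch"}',
    '{"ts":"2023-06-27T10:00:03Z","op":"sql","ip":"192.0.2.10","user":"system-a","msg":"DROP TABLE orders"}',
    '{"ts":"2023-06-27T10:00:04Z","op":"sql","ip":"192.0.2.10","user":"system-a","msg":"SELECT id FROM orders"}',
    "garbage line",
]
```
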

2. The method for improving data exchange security according to claim 1, characterized in that: in step S2, the specific firewall configuration includes configuring a list of applications allowed to access the system and a blacklist and whitelist of IP addresses that can access the applications.

3. The method for improving data exchange security according to claim 2, characterized in that: the firewall configuration also includes database firewall configuration. The specific database firewall configuration includes configuring legal and illegal SQL operations. Legal operations include allowing viewing of databases, tables, data updates, and view queries; illegal operations include deleting databases, tables, and data definitions.

4. The method for improving data exchange security according to claim 1, characterized in that: in step S3, the data routing security parameter configuration specifically includes: configuring and adding application system A and application system B; configuring the application app-key of application system B; configuring the application app-key of application system A; configuring the application data routing code of application system A; configuring the application data routing code of application system B; configuring the application decryption algorithm and key of application system A; configuring the application decryption algorithm and key of application system B. After all the configurations are completed and the data is saved, a data routing code is generated. This code is represented by a unique number composed of numbers and letters, used to uniquely identify the data route.

5. The method for improving data exchange security according to claim 1, characterized in that: in step S5, the data routing call authentication is specifically as follows: the data routing permissions of application system A are determined by the routing code generated during data routing configuration. If application system A has the permissions, the data exchange system allows application system A to access and invoke the data routing, and allows application system A to communicate and transmit data to application system B. If application system A does not have the permissions, communication by application system A is not allowed.
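The checks in step S4 (app-key authentication, then identifier matching) and step S5 (routing code permission) can be chained as in the sketch below. It is an added example, not the patent's implementation: the request field names, the third application `system-c`, and all keys and routing codes are constructed placeholders.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AppConfig:
    app_id: str        # application identifier configured in step S3
    app_key: str       # app-key generated during data routing configuration
    routes: frozenset  # routing codes this application is permitted to invoke

# Constructed configuration; every key and routing code is a placeholder.
APPS = [
    AppConfig("system-a", "KEY-A-PLACEHOLDER", frozenset({"RT7F3K9"})),
    AppConfig("system-c", "KEY-C-PLACEHOLDER", frozenset({"RT2B8Q1"})),
]
ROUTES = {"RT7F3K9": "system-b", "RT2B8Q1": "system-b"}  # routing code -> downstream

def find_by_app_key(presented):
    """Identify the caller by app-key, comparing in constant time against every entry."""
    found = None
    for cfg in APPS:
        if hmac.compare_digest(presented.encode(), cfg.app_key.encode()):
            found = cfg
    return found

def authorize(request):
    """Return (True, downstream system) or (False, reason) for one upstream request."""
    cfg = find_by_app_key(str(request.get("app_key", "")))
    if cfg is None:
        return False, "app-key authentication failed"      # S4: request is illegitimate
    if request.get("app_id") != cfg.app_id:
        return False, "application identifier mismatch"     # S4: identifier check
    code = request.get("route_code")
    if code not in ROUTES:
        return False, "unknown routing code"
    if code not in cfg.routes:
        return False, "no permission for routing code"      # S5: caller lacks the route
    return True, ROUTES[code]
```

Checking the routing code against the caller's own permitted set, rather than only against the global route table, is what stops one authenticated application from invoking a route configured for another.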