This is the multi-page printable view of this section. Click here to print.
Data Discovery
- 1: Introduction
- 2: What's New
- 3: General Architecture
- 4: APIs
- 4.1: Classify
- 4.1.1: Classify Text API
- 4.1.2: Classify CSV API
- 4.2: Transform
- 4.2.1: Label Text API
- 4.2.1.1: Handling Overlapping Conflicts
- 4.2.1.2: Sample Response Default
- 4.2.1.3:
- 4.2.1.4:
- 4.3: Input Validation
- 4.4: Harmonizing Provider Outputs
- 4.5: Supported Classification Entities
- 4.6:
- 4.7:
- 4.8:
- 4.9:
- 5: Performance and Accuracy
1 - Introduction
In an era where data privacy is paramount, safeguarding sensitive information in unstructured data has become critical—especially for organizations leveraging AI and machine learning technologies. Data Discovery is a powerful, developer-friendly product designed specifically to address this challenge.
Data Discovery’s Classification Service specializes in the detection of Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Information (PCI) within free-text (unstructured) and table-based (structured. CSV) inputs. Unlike traditional data tools, it excels in dynamic, unstructured environments such as chatbot conversations, call transcripts, and Generative AI (Gen AI) outputs.
Harnessing a hybrid detection engine that combines machine learning and rule-based algorithms, Data Discovery offers unparalleled accuracy and flexibility. It empowers teams to perform the following:
Automate chatbot redaction to ensure compliance with privacy regulations.
Perform transcript cleanup for customer service, healthcare, and financial industries.
Enhance GenAI applications by proactively mitigating the risks associated with leaking sensitive information.
Built for developers, architects, and privacy engineers, Data Discovery seamlessly integrates into AI/ML pipelines and Gen AI workflows. Deployment is fast and flexible, with support for both Docker containers and AWS EKS clusters, and interaction via robust, intuitive REST APIs.
Whether you’re building next-generation AI applications or enhancing existing systems to meet evolving data privacy standards, Data Discovery equips you with the tools to discover, classify, and protect sensitive information at scale.
2 - What's New
| Feature | Description | References (if any) |
|---|---|---|
| Structured Data Classification | Classify data in CSV content by analyzing and assigning classifications to each column. | Classify CSV API |
| Harmonize Classification Responses | Standardize classification outputs from multiple providers by mapping them to a unified set of conventional categories. | Harmonize Responses |
| Transformation - Label | Replace sensitive text with corresponding entity labels (e.g., | Label Text API |
| Terraform and Helm Deployment | Support deployment on EKS using Terraform and Helm Charts. | EKS Deployment |
| Registry Hosted Product Images | Product images used in this deployment are available on Protegrity’s public Image Registry at registry.protegrity.com. | Obtaining Package |
| Performance Improvement | General performance improvements. | NA |
| Accuracy Improvements | General accuracy improvements. | NA |
| Bug Fixes | Various bug fixes. | NA |
3 - General Architecture
The main components of the Protegrity Data Discovery product are as follows:
Classification service: The Classification Service serves as the primary access point for all classification-related interactions. It orchestrates various back-end components known as Providers, which are responsible for executing the actual classification tasks.
Pattern and Context classification providers: The Providers function as specialized modules in identifying and classifying Personally Identifiable Information (PII). They analyze input data to detect, classify, and locate sensitive information.
The Pattern classification provider is a rule-based system that identifies PII using predefined patterns and heuristics. It is fast, customizable, and suitable for structured data with known formats.
The Context classification provider is an LLM based designed within Protegrity. A machine learning model that detects PII using context and semantics. It is flexible, effective with unstructured data, and adapts to varied patterns.
The general architecture is illustrated in the following figure.
| Callout | Description |
|---|---|
| 1 | The user enters the data to be classified for sensitive data as text body and sends the request to the Classification service. |
| 2 | This Classification service then distributes the request to the Pattern and Context classification service providers to process the data. |
| 3 | The Pattern and Context classification providers process the data based on their logic and classify them in the form of a response to the Classification service. |
| 4 | The Classification service then aggregates the responses from the service providers and sends it to the user. |
4 - APIs
4.1 - Classify
4.1.1 - Classify Text API
POST http://{Host Address}/pty/data-discovery/v1.1/classify
Query Parameters
score_threshold
- Type:
float - Description: Optional. Exclude results with a score lower than this threshold.
- Values: Minimum 0, Maximum 1.0
- Default: 0.00
Body
Content type must be a plain text and in an UTF-8 format.
Length of the body is limited to 10K Bytes.
Sample Request
curl -X POST "http://<SERVER_IP>/pty/data-discovery/v1.1/classify?score_threshold=0.85" \
-H "Content-Type: text/plain" \
--data "You can reach Dave Elliot by phone 203-555-1286"import requests
url = "http://<SERVER_IP>/pty/data-discovery/v1.1/classify"
params = {"score_threshold": 0.85}
headers = {"Content-Type": "text/plain"}
data = "You can reach Dave Elliot by phone 203-555-1286"
response = requests.post(url, params=params, headers=headers, data=data, verify=False)
print("Status code:", response.status_code)
print("Response JSON:", response.json())URL: POST `http://<SERVER_IP>/pty/data-discovery/v1.1/classify`
Query Parameters:
-score_threshold (optional), float between 0.0 and 1.0, default: 0.
Headers:
-Content-Type: text/plain
Body:
-You can reach Dave Elliot by phone 203-555-1286Sample Response
{
"providers": [
{
"name": "Pattern Classification Provider",
"version": "1.1.1",
"status": 200,
"elapsed_time": 0.028261899948120117,
"config_provider": {
"name": "Pattern",
"address": "http://pattern_provider_service:8051",
"supported_content_types": []
}
},
{
"name": "Context Classification Provider",
"version": "1.1.1",
"status": 200,
"elapsed_time": 0.040960073471069336,
"config_provider": {
"name": "Context",
"address": "http://context_provider_service:8052",
"supported_content_types": []
}
}
],
"classifications": {
"PERSON": [
{
"score": 0.9238499879837037,
"location": {
"start_index": 14,
"end_index": 25
},
"classifiers": [
{
"provider_index": 0,
"name": "SpacyRecognizer",
"score": 0.85,
"original_entity": "PERSON",
"details": {}
},
{
"provider_index": 1,
"name": "context",
"score": 0.9976999759674072,
"original_entity": "NAME",
"details": {}
}
]
}
],
"PHONE_NUMBER": [
{
"score": 0.9995999932289124,
"location": {
"start_index": 35,
"end_index": 47
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"score": 0.9995999932289124,
"original_entity": "PHONE",
"details": {}
}
]
}
]
}
}Response Fields Description
Providers Section
| Name | Example Response | Description |
|---|---|---|
| providers | Array | Array of provider objects that participated in the request, including their respective success or failure codes. |
| providers[n].name | Pattern Classification Provider | Product name of the provider. |
| providers[n].version | 1.0.0 | Version of the provider. |
| providers[n].status | 200 | HTTP response code returned by the provider. |
| providers[n].elapsed_time | 0.028 | Time, in seconds, taken by the provider to process the request. |
| providers[n].config_provider | Object | Object containing configuration details for each provider. |
| providers[n].config_provider.name | Pattern | Internal name of the provider. |
| providers[n].config_provider.address | http://pattern_provider_service:8051 | Network address or endpoint of the provider. |
| providers[n].config_provider.supported_content_types | [] | Array of supported content types. An empty array indicates support for all content types. |
Classifications Section
| Name | Example Response | Description |
|---|---|---|
| classifications | Dictionary | A dictionary mapping entity types (e.g., “PERSON”, “PHONE_NUMBER”) to arrays of occurrence objects. Each key is an entity type, and its value is a list of detected occurrences, each containing location and classifier details. |
| classifications[’entity’][n].score | 0.9238 | The confidence score for the detected entity, aggregated from all contributing classifiers. |
| classifications[’entity’][n].location | Object | An object specifying the location of the entity within the input text. |
| classifications[’entity’][n].location.start_index | 14 | The starting index of the entity in the input text. |
| classifications[’entity’][n].location.end_index | 25 | The ending index of the entity in the input text. |
| classifications[’entity’][n].classifiers | Array | An array of classifier objects that contributed to the entity detection. |
| classifications[’entity’][n].classifiers[m].provider_index | 0 | The index of the provider in the top-level providers array. |
| classifications[’entity’][n].classifiers[m].name | SpacyRecognizer | The name of the classifier. A provider may have multiple classifiers. |
| classifications[’entity’][n].classifiers[m].score | 0.85 | The score assigned by the classifier for the entity detection. |
| classifications[’entity’][n].classifiers[m].original_entity | PERSON | The original entity type detected by the classifier. See Harmonization for details. |
| classifications[’entity’][n].classifiers[m].details | Object | Optional. Additional key-value details provided by the classifier. |
Response Codes
| Response Code | Description |
|---|---|
| 200 | Successful Response. |
| 206 | Partial Content. Only some providers classifed data successfully. |
| 400 | Bad Request. Invalid input parameters or content. |
| 413 | Payload too large. |
| 415 | Unsupported media type. |
| 422 | Untrusted input. For more information, refer to Input Validation |
| 502 | Bad Gateway. All upstream providers failed; no successful data aggregation possible. |
| 598 | Unexpected internal server error. Check server logs. |
| 599 | Internal server error. Check server logs. |
4.1.2 - Classify CSV API
POST http://{Host Address}/pty/data-discovery/v1.1/classify
Query Parameters
score_threshold
- Type:
float - Description: Optional. Exclude results with a score lower than this threshold.
- Values: Minimum 0, Maximum 1.0
- Default: 0.00
has_headers
- Type:
boolean - Description: Optional. Indicates whether the first row represents the column header.
- Values: true/false
- Default: true
column_delimiter
- Type:
char - Description: Optional. Delimiter to separate the columns.
- Values: , |
- Default: ,
quote_char
- Type:
char - Description: Optional. Character to quote fields containing special characters, such as, the column_delimiter or new-line characters.
- Values: ""
Body
Content type should be
text/csvand in UTF-8 format.Body size is limited to 10K Bytes
Sample Request
curl -X POST "http://<SERVER_IP>/pty/data-discovery/v1.1/classify?score_threshold=0.85" \
--header 'Content-Type: text/csv' \
--data-raw 'Social Security Number,Credit Card Number,IBAN,Phone Number
589-25-1068,349384370543801,FR43 9255 4858 47BG 3EBG U4OK O18,(483) 9440301
636-36-3077,4041594844904,AL50 8947 4215 KAEY GAPM NLYC FNZG,(113) 5143119
748-82-2375,3558175715821800,AT34 4082 9269 0841 5702,(763) 5136237
516-62-9861,560221027976015000,FR22 0068 7181 11FB UG8H ECEM 306,(726) 6031636
121-49-9409,374283320982549,DK37 5687 8459 8060 79,(624) 9205200
838-73-3299,5558216060144900,CR54 8952 8144 6403 4765 0,(356) 9479541
439-11-5310,5048376143641900,RS76 6213 4824 0184 8983 74,(544) 5623326
564-06-8466,3543299511845640,EE51 6882 3443 7863 4703,(702) 6093849
518-54-5443,3543019452249540,IT65 D000 3874 2801 Z15I LNLL OOX,(584) 8618371'import requests
url = "http://<SERVER_IP>/pty/data-discovery/v1.1/classify"
params = {"score_threshold": 0.85}
headers = {"Content-Type": "text/csv"}
data = """Social Security Number,Credit Card Number,IBAN,Phone Number
589-25-1068,349384370543801,FR43 9255 4858 47BG 3EBG U4OK O18,(483) 9440301
636-36-3077,4041594844904,AL50 8947 4215 KAEY GAPM NLYC FNZG,(113) 5143119
748-82-2375,3558175715821800,AT34 4082 9269 0841 5702,(763) 5136237
516-62-9861,560221027976015000,FR22 0068 7181 11FB UG8H ECEM 306,(726) 6031636
121-49-9409,374283320982549,DK37 5687 8459 8060 79,(624) 9205200
838-73-3299,5558216060144900,CR54 8952 8144 6403 4765 0,(356) 9479541
439-11-5310,5048376143641900,RS76 6213 4824 0184 8983 74,(544) 5623326
564-06-8466,3543299511845640,EE51 6882 3443 7863 4703,(702) 6093849
518-54-5443,3543019452249540,IT65 D000 3874 2801 Z15I LNLL OOX,(584) 8618371
"""
response = requests.post(url, params=params, headers=headers, data=data, verify=False)
print("Status code:", response.status_code)
try:
print("Response JSON:", response.json())
except ValueError:
print("Response Text:", response.text)
URL: POST `http://<SERVER_IP>/pty/data-discovery/v1.1/classify`
Query Parameters:
-score_threshold (optional), float between 0.0 and 1.0, default: 0.
-has_headers (optional), Indicates whether the first row represents the column header.
-column_delimiter (optional), Delimiter to separate the columns.
-quote_char (optional), Character to quote fields containing special characters, such as, the column_delimiter or new-line characters.
Headers:
-Content-Type: text/csv
Body:
-Social Security Number,Credit Card Number,IBAN,Phone Number
589-25-1068,349384370543801,FR43 9255 4858 47BG 3EBG U4OK O18,(483) 9440301
636-36-3077,4041594844904,AL50 8947 4215 KAEY GAPM NLYC FNZG,(113) 5143119
748-82-2375,3558175715821800,AT34 4082 9269 0841 5702,(763) 5136237
516-62-9861,560221027976015000,FR22 0068 7181 11FB UG8H ECEM 306,(726) 6031636
121-49-9409,374283320982549,DK37 5687 8459 8060 79,(624) 9205200
838-73-3299,5558216060144900,CR54 8952 8144 6403 4765 0,(356) 9479541
439-11-5310,5048376143641900,RS76 6213 4824 0184 8983 74,(544) 5623326
564-06-8466,3543299511845640,EE51 6882 3443 7863 4703,(702) 6093849
518-54-5443,3543019452249540,IT65 D000 3874 2801 Z15I LNLL OOX,(584) 8618371
Sample Response
{
"providers": [
{
"name": "Pattern Classification Provider",
"version": "1",
"status": 200,
"elapsed_time": 0.31273603439331055,
"config_provider": {
"name": "Pattern",
"address": "http://pattern_provider_service:8051",
"supported_content_types": []
}
},
{
"name": "Context Classification Provider",
"version": "1.1.1",
"status": 200,
"elapsed_time": 1.1383004188537598,
"config_provider": {
"name": "Context",
"address": "http://context_provider_service:8052",
"supported_content_types": []
}
}
],
"classifications": {
"SOCIAL_SECURITY_ID": [
{
"score": 0.9994888835483127,
"rows_processed": 9,
"location": {
"column_name": "Social Security Number",
"column_index": 0
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"rows_with_classification": 9,
"total_classifications": 9,
"score": 0.9994888835483127,
"details": {}
}
]
}
],
"CREDIT_CARD": [
{
"score": 0.9986333317226834,
"rows_processed": 9,
"location": {
"column_name": "Credit Card Number",
"column_index": 1
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"rows_with_classification": 9,
"total_classifications": 9,
"score": 0.9986333317226834,
"details": {}
}
]
}
],
"BANK_ACCOUNT": [
{
"score": 0.7901234567901234,
"rows_processed": 9,
"location": {
"column_name": "IBAN",
"column_index": 2
},
"classifiers": [
{
"provider_index": 0,
"name": "IbanRecognizer",
"rows_with_classification": 8,
"total_classifications": 8,
"score": 0.8888888888888888,
"details": {}
}
]
}
],
"PHONE_NUMBER": [
{
"score": 0.9961333341068692,
"rows_processed": 9,
"location": {
"column_name": "Phone Number",
"column_index": 3
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"rows_with_classification": 9,
"total_classifications": 9,
"score": 0.9961333341068692,
"details": {}
}
]
}
]
}
}Response Fields Description
Providers Section
| Name | Example Response | Description |
|---|---|---|
| providers | Array | Array of provider objects that participated in the request, including their respective success or failure codes. |
| providers[n].name | Pattern Classification Provider | Product name of the provider. |
| providers[n].version | 1.0.0 | Version of the provider. |
| providers[n].status | 200 | HTTP response code returned by the provider. |
| providers[n].elapsed_time | 0.028 | Time, in seconds, taken by the provider to process the request. |
| providers[n].config_provider | Object | Object containing configuration details for each provider. |
| providers[n].config_provider.name | Pattern | Internal name of the provider. |
| providers[n].config_provider.address | http://pattern_provider_service:8051 | Network address or endpoint of the provider. |
| providers[n].config_provider.supported_content_types | [] | Array of supported content types. An empty array indicates support for all content types. |
Classifications Section
| Name | Example Response | Description |
|---|---|---|
| classifications | Dictionary | A dictionary mapping entity types (e.g., “SOCIAL_SECURITY_ID”, “CREDIT_CARD”) to arrays of occurrence objects. Each key is an entity type, and its value is a list of detected occurrences, each containing location, classifier, and row details. |
| classifications[’entity’][n].score | 0.9995 | The confidence score for the detected entity, aggregated and calculated from all contributing classifiers and their |
| reported scores. | ||
| classifications[’entity’][n].rows_processed | 9 | The number of rows passed to and processed by the classification request. |
| classifications[’entity’][n].location | Object | An object specifying the location of the entity within the CSV data. |
| classifications[’entity’][n].location.column_name | Social Security Number | The name of the column in which the entity was detected. |
| classifications[’entity’][n].location.column_index | 0 | The index of the column in which the entity was detected. |
| classifications[’entity’][n].classifiers | Array | An array of classifier objects that contributed to the entity detection. |
| classifications[’entity’][n].classifiers[m].provider_index | 1 | The index of the provider in the top-level providers array. |
| classifications[’entity’][n].classifiers[m].name | context | The name of the classifier. A provider may have multiple classifiers. |
| classifications[’entity’][n].classifiers[m].score | 0.9995 | The score assigned by the classifier for the entity detection. |
| classifications[’entity’][n].classifiers[m].rows_with_classification | 9 | The number of rows in which the entity was classified by this classifier. |
| classifications[’entity’][n].classifiers[m].total_classifications | 9 | The total number of classifications made by this classifier in this location. it is possible to find multiple entities within a single column, e.g., date and time, complex address, etc'. |
| classifications[’entity’][n].classifiers[m].details | Object | Optional. Additional key-value details provided by the classifier. |
Response Codes
| Response Code | Description |
|---|---|
| 200 | Successful Response. |
| 206 | Partial Content. Only some providers classifed data successfully. |
| 400 | Bad Request. Invalid input parameters or content. |
| 413 | Payload too large. |
| 415 | Unsupported media type. |
| 422 | Untrusted input. For more information, refer to Input Validation |
| 502 | Bad Gateway. All upstream providers failed; no successful data aggregation possible. |
| 598 | Unexpected internal server error. Check server logs. |
| 599 | Internal server error. Check server logs. |
4.2 - Transform
4.2.1 - Label Text API
POST http://{Host Address}/pty/data-discovery/v1.1/transform/label
Query Parameters
score_threshold
- Type:
float - Description: Optional. Label results where the score is greater than this threshold.
- Values: Minimum 0, Maximum 1.0
- Default: 0.7
include_providers
- Type:
binary - Description: Optional. Include details of the service providers in the response.
- Values: Yes / No
- Default: No
include_classification_details
- Type:
binary - Description: Optional. Include classification details in the response.
- Values: Yes / No
- Default: No
Body
Content type must be
text/plainand in UTF-8 format.Body size is limited to 10K Bytes
Sample Request
curl -X POST "http://<SERVER_IP>/pty/data-discovery/v1.1/transform/label?score_threshold=0.85" \
-H "Content-Type: text/plain" \
--data "Jake lives at 15 Main st, Hamden 06517, Connecticut."import requests
url = "http://<SERVER_IP>/pty/data-discovery/v1.1/transform/label"
params = {"score_threshold": 0.85}
headers = {"Content-Type": "text/plain"}
data = "Jake lives at 15 Main st, Hamden 06517, Connecticut."
response = requests.post(url, params=params, headers=headers, data=data, verify=False)
print("Status code:", response.status_code)
print("Response JSON:", response.json())URL: POST `http://<SERVER_IP>/pty/data-discovery/v1.1/transform/label`
Query Parameters:
-score_threshold (optional), float between 0.0 and 1.0, default: 0.
Headers:
-Content-Type: text/plain
Body:
-Jake lives at 15 Main st, Hamden 06517, Connecticut.Sample Responses
{
"transform": {
"text": "[PERSON] lives at [LOCATION] [LOCATION], [LOCATION] [LOCATION], [LOCATION]."
},
"providers": [
{
"name": "Pattern Classification Provider",
"version": "1.1.1",
"status": 200,
"elapsed_time": 0.011328935623168945,
"config_provider": {
"name": "Pattern",
"address": "http://pattern_provider_service:8051",
"supported_content_types": []
}
},
{
"name": "Context Classification Provider",
"version": "1.1.1",
"status": 200,
"elapsed_time": 0.03895401954650879,
"config_provider": {
"name": "Context",
"address": "http://context_provider_service:8052",
"supported_content_types": []
}
}
],
"classifications": {
"LOCATION": [
{
"score": 0.85,
"location": {
"start_index": 17,
"end_index": 24
},
"classifiers": [
{
"provider_index": 0,
"name": "SpacyRecognizer",
"score": 0.85,
"original_entity": "LOCATION",
"details": {}
}
]
},
{
"score": 0.9240000128746033,
"location": {
"start_index": 26,
"end_index": 32
},
"classifiers": [
{
"provider_index": 0,
"name": "SpacyRecognizer",
"score": 0.85,
"original_entity": "LOCATION",
"details": {}
},
{
"provider_index": 1,
"name": "context",
"score": 0.9980000257492065,
"original_entity": "CITY",
"details": {}
}
]
},
{
"score": 0.9244499981403351,
"location": {
"start_index": 40,
"end_index": 51
},
"classifiers": [
{
"provider_index": 0,
"name": "SpacyRecognizer",
"score": 0.85,
"original_entity": "LOCATION",
"details": {}
},
{
"provider_index": 1,
"name": "context",
"score": 0.9988999962806702,
"original_entity": "STATE",
"details": {}
}
]
},
{
"score": 0.9958999752998352,
"location": {
"start_index": 14,
"end_index": 16
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"score": 0.9958999752998352,
"original_entity": "BUILDING",
"details": {}
}
]
},
{
"score": 0.9983999729156494,
"location": {
"start_index": 33,
"end_index": 38
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"score": 0.9983999729156494,
"original_entity": "ZIPCODE",
"details": {}
}
]
}
],
"PERSON": [
{
"score": 0.8819000124931335,
"location": {
"start_index": 0,
"end_index": 4
},
"classifiers": [
{
"provider_index": 1,
"name": "context",
"score": 0.8819000124931335,
"original_entity": "NAME",
"details": {}
}
]
}
]
}
}| Name | Example Response | Description |
|---|---|---|
| transform.text | [PERSON] lives at [LOCATION].. | The labed input text with classified entities listed by name in place of the original sensitive data |
| Name | Example Response | Description |
|---|---|---|
| providers | Array | Array of provider objects that participated in the request, including their respective success or failure codes. |
| providers[n].name | Pattern Classification Provider | Product name of the provider. |
| providers[n].version | 1.0.0 | Version of the provider. |
| providers[n].status | 200 | HTTP response code returned by the provider. |
| providers[n].elapsed_time | 0.028 | Time, in seconds, taken by the provider to process the request. |
| providers[n].config_provider | Object | Object containing configuration details for each provider. |
| providers[n].config_provider.name | Pattern | Internal name of the provider. |
| providers[n].config_provider.address | http://pattern_provider_service:8051 | Network address or endpoint of the provider. |
| providers[n].config_provider.supported_content_types | [] | Array of supported content types. An empty array indicates support for all content types. |
| Name | Example Response | Description |
|---|---|---|
| classifications | Dictionary | A dictionary mapping entity types (e.g., “PERSON”, “PHONE_NUMBER”) to arrays of occurrence objects. Each key is an entity type, and its value is a list of detected occurrences, each containing location and classifier details. |
| classifications[’entity’][n].score | 0.9238 | The confidence score for the detected entity, aggregated from all contributing classifiers. |
| classifications[’entity’][n].location | Object | An object specifying the location of the entity within the input text. |
| classifications[’entity’][n].location.start_index | 14 | The starting index of the entity in the input text. |
| classifications[’entity’][n].location.end_index | 25 | The ending index of the entity in the input text. |
| classifications[’entity’][n].classifiers | Array | An array of classifier objects that contributed to the entity detection. |
| classifications[’entity’][n].classifiers[m].provider_index | 0 | The index of the provider in the top-level providers array. |
| classifications[’entity’][n].classifiers[m].name | SpacyRecognizer | The name of the classifier. A provider may have multiple classifiers. |
| classifications[’entity’][n].classifiers[m].score | 0.85 | The score assigned by the classifier for the entity detection. |
| classifications[’entity’][n].classifiers[m].original_entity | PERSON | The original entity type detected by the classifier. See Harmonization for details. |
| classifications[’entity’][n].classifiers[m].details | Object | Optional. Additional key-value details provided by the classifier. |
Response Codes
| Response Code | Description |
|---|---|
| 200 | Successful Response. |
| 206 | Partial Content. Only some providers classifed data successfully. |
| 400 | Bad Request. Invalid input parameters or content. |
| 413 | Payload too large. |
| 415 | Unsupported media type. |
| 422 | Untrusted input. For more information, refer to Input Validation |
| 502 | Bad Gateway. All upstream providers failed; no successful data aggregation possible. |
| 598 | Unexpected internal server error. Check server logs. |
| 599 | Internal server error. Check server logs. |
4.2.1.1 - Handling Overlapping Conflicts
While classifying data, the providers may label an identical text under two different entities. This distinction arises from the detection strategies the classifiers adopt. Data Discovery handles these conflicts by applying certain rules on these conflicting entities.
The rules for handling the conflicting entities are as follows:
No overlap: If the two entities do not conflict, retain the results in the original form.
For example,
Jake Filbert lives in Connecticut. If only Jake Filbert is identified, the result will be labeled as[NAME] lives in Connecticut.Full overlap: If both the entities overlap, the following logic will be applied:
- Select the entity with a higher confidence score.
- If both the entities contain the same confidence score, select the first entity.
For example,
Jake Filbert lives in Connecticut. Here, the name is recognized as [USER] with a score 0.7 and [NAME] with a score 0.9. As [NAME] has a higher score, the result will be labeled as[NAME] lives in Connecticut.One entity contained in other: If one entity is completely contained in the other, select the entity with the longer text.
For example,
jake@email.com. Here, the classifiers may recognize the text as [NAME] and [EMAIL]. As [EMAIL] is the longer text, the result will be labeled as[EMAIL].Partial intersection. If the two entities overlap partially, the result will be a combination of both.
For example,
092-33445. Here, the classifiers may recognize the text as [PHONE_NUMBER] and [SSN]. The result will be labeled as [PHONE_NUMBER&SSN].
4.2.1.2 - Sample Response Default
The fields are described as follows:
| Name | Example Response | Description |
|---|---|---|
| transform.text | [PERSON] lives at [LOCATION].. | The labed input text with classified entities listed by name in place of the original sensitive data |
4.2.1.3 -
| Name | Example Response | Description |
|---|---|---|
| transform.text | [PERSON] lives at [LOCATION].. | The labed input text with classified entities listed by name in place of the original sensitive data |
4.2.1.4 -
4.3 - Input Validation
The Classification service in Data Discovery offers an input validation security feature that rejects invalid input data. Data that is malformed, non-normalized, containing homoglyphs, hieroglyphs, mixed Unicode variants, or control characters is considered as unsanitized or invalid data. These are rejected and will not be classified.
The following are few examples of data that will be rejected:
- Ⅷ
- 𝓉𝑒𝓍𝓉
- Pep
Before invoking the Classification endpoint, ensure that the input text is normalized. Replace invalid characters by their corresponding normalized plaintext characters. If the input text contains any invalid character, a status code of 422 and a message Untrusted input is returned.
For security purposes, the application rejects unsanitized data by default. It is recommended that this feature remains enabled. However, to override this feature, perform the following steps.
Navigate to the
docker_composedirectory.Edit the
docker-compose.yamlfile.Under the
environmentsection ofclassification_service, append the security parameter as follows.
- SECURITY_SETTINGS={"ENABLE_ALL_SECURITY_CONTROLS":false}
Save the changes.
If the application is already running, stop the containers first:
docker compose down
- Start the application with your configuration changes following the Docker Compose deployment guide:
docker compose up -d
Navigate to the
/eks/helm/classification_appdirectory.Create a
values-override.yamlfile with the required custom configuration.
securitySettings:
ENABLE_ALL_SECURITY_CONTROLS: false
Save the changes.
If the application is already deployed, uninstall using the following command.
helm uninstall data-discovery-classification --namespace default --wait
- Run the following installation command.
helm install data-discovery-classification . \
--namespace default \
--create-namespace \
--wait \
--wait-for-jobs \
--timeout 900s \
-f values-override.yaml
4.4 - Harmonizing Provider Outputs
Based on the detection logic, the Pattern and Context classification providers might classify the same data in different labels. The classification service standardizes provider outputs into a unified response.
Consider the example, You can visit our office located in New York City.
- Context provider might categorize New York City as CITY.
- Pattern provider might categorize New York City as LOCATION.
This can cause an inconsistency in the outputs generated across the providers.
Data Discovery ensures standardization of responses by aggregating similar outputs of the providers under a common classification name. In the example shown, the classification service will categorize New York City under the category LOCATION.
For a complete reference, see the supported classification entities and their harmonization categories.
Harmonization Process
The following pointers illustrate the harmonization process in detail.
Providers Mapping Entities
Each provider is responsible for mapping its identified entities to harmonized classification entities that are consistent with those used by other providers. This ensures that the classification service can accurately aggregate and interpret responses across multiple providers. When a provider’s classification is harmonized, the response must include the originally identified entity alongside the harmonized classification.
The following snippet shows how the Context classification provider initially classified the entity as CITY, which was then harmonized into the category LOCATION.
{
"providers": "...",
"classifications": {
"LOCATION": [
{
"score": 0.9222000122070313,
"location": {
"start_index": 36,
"end_index": 49
},
"classifiers": [
{
"provider_index": 0,
"name": "SpacyRecognizer",
"score": 0.85,
"original_entity": "LOCATION",
"details": {}
},
{
"provider_index": 1,
"name": "context",
"score": 0.9944000244140625,
"original_entity": "CITY",
"details": {}
}
]
}
]
}
}
Grouping by Matching Indexes
The entities are grouped together only if the responses shared by the providers contain the same start_index, end_index, and similar classification entity. If the start_index and end_index differ, the entities will not be grouped together.
As shown in the following snippet, the Context and Pattern providers classify the data as IT_IDENTITY_CARD and ID_CARD respectively. These are then grouped under the NATIONAL_ID category by the classification service.
{
"providers": ...,
"classifications": {
"NATIONAL_ID": [
{
"score": 0.9236000061035157,
"location": {
"start_index": 14,
"end_index": 25
},
"classifiers": [
{
"provider_index": 0,
"name": "pattern_classification",
"score": 0.85,
"original_entity": "IT_IDENTITY_CARD"
}, {
"provider_index": 1,
"name": "context_classification",
"score": 0.9972000122070312,
"original_entity": "ID_CARD"
}
]
}
]
}
}
Non-Matching Indexes
If the responses for start_index and end_index differ, the entities will not be grouped together. However, the entities will appear under a common classification name.
The following table illustrates a common classification name for multiple providers.
| Provider | Original Entity Labels | Common Classification Name |
|---|---|---|
| Pattern Provider | LOCATION | LOCATION |
| Context Provider | CITY, STATE, COUNTRY, COUNTY, ZIP_CODE, STREET, BUILDING, GEO_COORDINATE | LOCATION |
The following snippet illustrates the sample.
{
"providers": "...",
"classifications": {
"LOCATION": [
{
"score": 0.9236000061035157,
"location": {
"start_index": 0,
"end_index": 35
},
"classifiers": [
{
"provider_index": 0,
"name": "pattern_provider",
"score": 0.85,
"original_entity": "LOCATION"
}
]
},
{
"score": 0.9236000061035157,
"location": {
"start_index": 0,
"end_index": 17
},
"classifiers": [
{
"provider_index": 1,
"name": "context_provider",
"score": 0.9972000122070312,
"original_entity": "STREET"
}
]
},
{
"score": 0.9236000061035157,
"location": {
"start_index": 20,
"end_index": 22
},
"classifiers": [
{
"provider_index": 1,
"name": "context_provider",
"score": 0.9972000122070312,
"original_entity": "BUILDING"
}
]
},
{
"score": 0.9236000061035157,
"location": {
"start_index": 25,
"end_index": 31
},
"classifiers": [
{
"provider_index": 1,
"name": "context_provider",
"score": 0.9972000122070312,
"original_entity": "ZIP_CODE"
}
]
}
]
}
}
4.5 - Supported Classification Entities
Supported Entity Types
PII entities supported by Data Discovery with their Harmonized Categories.
| Harmonized Category | Entity Name | Description |
|---|---|---|
| ABA_ROUTING_NUMBER | BANK_ACCOUNT | Routing number used to identify financial institutions in the United States. |
| ACCOUNT_NAME | ACCOUNT_NAME | Name associated with a financial account. |
| ACCOUNT_NAME | ACCOUNTNAME | Name associated with a financial account. |
| ACCOUNT_NUMBER | ACCOUNT_NUMBER | Bank account number used to identify financial accounts. |
| ACCOUNT_NUMBER | ACCOUNTNUMBER | Bank account number used to identify financial accounts. |
| AGE | AGE | Age information used to identify individuals. |
| AMOUNT | AMOUNT | Specific amount of money, which can be linked to financial transactions. |
| BANK_ACCOUNT | BIC | Bank Identifier Code used to identify financial institutions. |
| BANK_ACCOUNT | IBAN | International Bank Account Number used to identify bank accounts globally. |
| BANK_ACCOUNT | IBAN_CODE | International Bank Account Number used to identify bank accounts globally. |
| BANK_ACCOUNT | US_BANK_NUMBER | Bank account number used to identify financial accounts in the United States. |
| CREDIT_CARD | CCN | Credit card number used for financial transactions. |
| CREDIT_CARD | CREDIT_CARD | Credit card number used for financial transactions. |
| CRYPTO_ADDRESS | BITCOIN_ADDRESS | Bitcoin wallet address used for digital transactions. |
| CRYPTO_ADDRESS | BITCOINADDRESS | Bitcoin wallet address used for digital transactions. |
| CRYPTO_ADDRESS | CRYPTO | Cryptocurrency wallet address used for digital transactions. |
| CRYPTO_ADDRESS | ETHEREUM_ADDRESS | Ethereum wallet address used for digital transactions. |
| CRYPTO_ADDRESS | ETHEREUMADDRESS | Ethereum wallet address used for digital transactions. |
| CRYPTO_ADDRESS | LITECOIN_ADDRESS | Litecoin wallet address used for digital transactions. |
| CRYPTO_ADDRESS | LITECOINADDRESS | Litecoin wallet address used for digital transactions. |
| CURRENCY | CURRENCY | Currency information used in financial transactions. |
| CURRENCY_CODE | CURRENCY_CODE | Code representing currency used in financial transactions. |
| CURRENCY_CODE | CURRENCYCODE | Code representing currency used in financial transactions. |
| CURRENCY_NAME | CURRENCY_NAME | Name of currency used in financial transactions. |
| CURRENCY_NAME | CURRENCYNAME | Name of currency used in financial transactions. |
| CURRENCY_SYMBOL | CURRENCY_SYMBOL | Symbol representing currency, sometimes linked to financial transactions. |
| CURRENCY_SYMBOL | CURRENCYSYMBOL | Symbol representing currency, sometimes linked to financial transactions. |
| DATETIME | DATE | Specific date that can be linked to personal activities. |
| DATETIME | DATE_TIME | Specific date and time that can be linked to personal activities. |
| DATETIME | TIME | Specific time that can be linked to personal activities. |
| DATE_OF_BIRTH | DATE_OF_BIRTH | Date of birth used to identify individuals. |
| DRIVER_LICENSE | DRIVER_LICENSE | Driver’s license number used to identify individuals. |
| DRIVER_LICENSE | DRIVERLICENSE | Driver’s license number used to identify individuals. |
| DRIVER_LICENSE | IT_DRIVER_LICENSE | Driver’s license number used to identify individuals in Italy. |
| DRIVER_LICENSE | US_DRIVER_LICENSE | Driver’s license number used to identify individuals in the United States. |
| EMAIL_ADDRESS | Email address used for communication and identification. | |
| EMAIL_ADDRESS | EMAIL_ADDRESS | Email address used for communication and identification. |
| GENDER | GENDER | Gender information used to identify individuals. |
| HEALTH_CARE_ID | AU_MEDICARE | Medicare number used to identify individuals for healthcare services in Australia. |
| HEALTH_CARE_ID | MEDICAL_LICENSE | License number used to identify medical professionals. |
| HEALTH_CARE_ID | UK_NHS | National Health Service number used to identify individuals for healthcare services in the United Kingdom. |
| IN_VEHICLE_REGISTRATION | IN_VEHICLE_REGISTRATION | Vehicle registration number used to identify vehicles in India. |
| IN_VOTER | IN_VOTER | Voter ID number used to identify registered voters in India. |
| IP_ADDRESS | IP | Internet Protocol address used to identify devices on a network. |
| IP_ADDRESS | IP_ADDRESS | Internet Protocol address used to identify devices on a network. |
| IP_ADDRESS | IPV4 | IPv4 address used to identify devices on a network. |
| IP_ADDRESS | IPV6 | IPv6 address used to identify devices on a network. |
| LOCATION | BUILDING | Building information used to identify specific locations. |
| LOCATION | CITY | City information used to identify geographic locations. |
| LOCATION | COUNTRY | Country information used to identify geographic locations. |
| LOCATION | COUNTY | County information used to identify geographic locations. |
| LOCATION | GEO_CCORDINATE | Geographic coordinates used to identify specific locations. |
| LOCATION | GEOCOORD | Geographic coordinates used to identify specific locations. |
| LOCATION | LOCATION | Specific location or address that can be linked to an individual. |
| LOCATION | SECADDRESS | Additional address information used to identify locations. |
| LOCATION | SECONDARY_ADDRESS | Additional address information used to identify locations. |
| LOCATION | SECONDARYADDRESS | Additional address information used to identify locations. |
| LOCATION | STATE | State information used to identify geographic locations. |
| LOCATION | STREET | Street address used to identify specific locations. |
| LOCATION | ZIP_CODE | Postal code used to identify specific geographic areas. |
| LOCATION | ZIPCODE | Postal code used to identify specific geographic areas. |
| MAC_ADDRESS | MAC | Media Access Control address used to identify devices on a network. |
| NATIONAL_ID | AU_ACN | Australian Company Number used to identify businesses in Australia. |
| NATIONAL_ID | ES_NIE | Foreigner Identification Number used to identify non-residents in Spain. |
| NATIONAL_ID | FI_PERSONAL_IDENTITY_CODE | Personal identity code used to identify individuals in Finland. |
| NATIONAL_ID | ID_CARD | Identity card number used to identify individuals. |
| NATIONAL_ID | IDCARD | Identity card number used to identify individuals. |
| NATIONAL_ID | IN_AADHAAR | Unique identification number used to identify residents in India. |
| NATIONAL_ID | IT_IDENTITY_CARD | Identity card number used to identify individuals in Italy. |
| NATIONAL_ID | PL_PESEL | Personal Identification Number used to identify individuals in Poland. |
| NATIONAL_ID | SG_NRIC_FIN | National Registration Identity Card number used to identify residents in Singapore. |
| NATIONAL_ID | SG_UEN | Unique Entity Number used to identify businesses in Singapore. |
| NRP | NRP | National Registration Number used to identify individuals. |
| ORGANIZATION | COMPANY_NAME | Name of a company used to identify businesses. |
| ORGANIZATION | COMPANYNAME | Name of a company used to identify businesses. |
| ORGANIZATION | ORGANIZATION | Name or identifier used to identify an organization. |
| PASSWORD | CREDIT_CARD_CVV | Card Verification Value used to secure credit card transactions. |
| PASSWORD | CREDITCARDCVV | Card Verification Value used to secure credit card transactions. |
| PASSWORD | PASSWORD | Password used to secure access to personal accounts. |
| PASSWORD | PIN | Personal Identification Number used to secure access to accounts. |
| PASSPORT | IN_PASSPORT | Passport number used to identify individuals in India. |
| PASSPORT | IT_PASSPORT | Passport number used to identify individuals in Italy. |
| PASSPORT | PASSPORT | Passport number used to identify individuals. |
| PASSPORT | US_PASSPORT | Passport number used to identify individuals in the United States. |
| PERSON | NAME | Name or identifier used to identify an individual. |
| PERSON | PERSON | Name or identifier used to identify an individual. |
| PHONE_NUMBER | PHONE | Number used to contact or identify an individual. |
| PHONE_NUMBER | PHONE_NUMBER | Number used to contact or identify an individual. |
| SOCIAL_SECURITY_ID | SOCIAL_SECURITY_NUMBER | Social Security Number used to identify individuals. |
| SOCIAL_SECURITY_ID | SSN | Social Security Number used to identify individuals. |
| SOCIAL_SECURITY_ID | UK_NINO | National Insurance Number used to identify individuals in the United Kingdom. |
| SOCIAL_SECURITY_ID | US_SSN | Social Security Number used to identify individuals in the United States. |
| TAX_ID | AU_ABN | Australian Business Number used to identify businesses in Australia. |
| TAX_ID | AU_TFN | Tax File Number used to identify taxpayers in Australia. |
| TAX_ID | ES_NIF | Tax Identification Number used to identify taxpayers in Spain. |
| TAX_ID | IN_PAN | Permanent Account Number used to identify taxpayers in India. |
| TAX_ID | IT_FISCAL_CODE | Fiscal code used to identify taxpayers in Italy. |
| TAX_ID | IT_VAT_CODE | VAT code used to identify taxpayers in Italy. |
| TAX_ID | US_ITIN | Individual Taxpayer Identification Number used to identify taxpayers in the United States. |
| TITLE | TITLE | Title or honorific used to identify individuals. |
| URL | URL | Web address that can sometimes contain personal information. |
| USERNAME | USERNAME | Username used to identify individuals in online systems. |
4.6 -
| Response Code | Description |
|---|---|
| 200 | Successful Response. |
| 206 | Partial Content. Only some providers classifed data successfully. |
| 400 | Bad Request. Invalid input parameters or content. |
| 413 | Payload too large. |
| 415 | Unsupported media type. |
| 422 | Untrusted input. For more information, refer to Input Validation |
| 502 | Bad Gateway. All upstream providers failed; no successful data aggregation possible. |
| 598 | Unexpected internal server error. Check server logs. |
| 599 | Internal server error. Check server logs. |
4.7 -
| Name | Example Response | Description |
|---|---|---|
| providers | Array | Array of provider objects that participated in the request, including their respective success or failure codes. |
| providers[n].name | Pattern Classification Provider | Product name of the provider. |
| providers[n].version | 1.0.0 | Version of the provider. |
| providers[n].status | 200 | HTTP response code returned by the provider. |
| providers[n].elapsed_time | 0.028 | Time, in seconds, taken by the provider to process the request. |
| providers[n].config_provider | Object | Object containing configuration details for each provider. |
| providers[n].config_provider.name | Pattern | Internal name of the provider. |
| providers[n].config_provider.address | http://pattern_provider_service:8051 | Network address or endpoint of the provider. |
| providers[n].config_provider.supported_content_types | [] | Array of supported content types. An empty array indicates support for all content types. |
4.8 -
Navigate to the
docker_composedirectory.Edit the
docker-compose.yamlfile.Under the
environmentsection ofclassification_service, append the security parameter as follows.
- SECURITY_SETTINGS={"ENABLE_ALL_SECURITY_CONTROLS":false}
Save the changes.
If the application is already running, stop the containers first:
docker compose down
- Start the application with your configuration changes following the Docker Compose deployment guide:
docker compose up -d
4.9 -
Navigate to the
/eks/helm/classification_appdirectory.Create a
values-override.yamlfile with the required custom configuration.
securitySettings:
ENABLE_ALL_SECURITY_CONTROLS: false
Save the changes.
If the application is already deployed, uninstall using the following command.
helm uninstall data-discovery-classification --namespace default --wait
- Run the following installation command.
helm install data-discovery-classification . \
--namespace default \
--create-namespace \
--wait \
--wait-for-jobs \
--timeout 900s \
-f values-override.yaml
5 - Performance and Accuracy
Introduction
Performance and accuracy are critical metrics for data discovery tools. These ensure that large datasets can be processed swiftly and sensitive information is correctly identified. High performance minimizes latency and maximizes productivity, while accuracy reduces the risk of data breaches and ensures compliance with regulatory standards like GDPR and CCPA.
Together, these qualities are essential for maintaining data integrity and security in environments where unstructured data flows through various systems..
Performance Evaluation
The evaluation included Data Discovery deployed on Amazon EKS using a Helm Chart. The primary goal was to validate the application’s scalability and the infrastructure’s ability to handle varying loads under real-world conditions. Nevertheless, performance will vary between applications due to confounding variations in customer use cases. The key findings are as follows:
Scalability: The application and infrastructure configurations can efficiently scale to meet usage demands and support parallel service calls.
Instance Type: The m5.large8 instance was identified as a well-balanced choice for performance and cost.
- If the priority is Faster Response Times: Splitting messages into smaller chunks and processing them in parallel is more cost-effective with multiple weaker instance types.
- If the priority is Maximizing Processing Efficiency: Merging content into a single, larger request and using more powerful instance types is better for maximizing Processing Efficiency (characters processed per second).
EKS Auto Mode: Running EKS in auto mode offers a fully managed Kubernetes cluster with minimal maintenance. This enables the service to self-regulate by automatically scaling up or down based on demand.
Optimized CPU Usage: Maintain low CPU reservation for accurate measurement and effective self-regulation via the Horizontal Pod Autoscaler (HPA) that adjusts based on CPU usage percentage, balancing throughput, and idle time.
Detection Accuracy
Protegrity Data Discovery employs sophisticated Machine Learning (ML) and Natural Language Processing (NLP) technologies to achieve high accuracy in identifying sensitive data. The system processes English text inputs, with an NLP model pinpointing text spans within the document that correspond to various PII elements. The output includes text span as a PII entity, along with the entity type, entity position (start and end), and a confidence score. This confidence score reflects the likelihood of the text span being a PII entity, ensuring precise detection.
Dataset
Diverse datasets containing PII data, which differ based on demographic composition (volume and diversity), variations in data characteristics, types of labels, and other influencing factors were utilized. For example, labels such as “PERSON” and “PHONE_NUMBER” are used. The overall accuracy for detecting various PII data combinations in the dataset was measured with detection rate exceeding 96%.
Accuracy
Defined as an average of detection rates across sentences in a given text data.
Detection Rate = Valid Detections/Ground Truth
Where, Valid Detections is the number of correctly detected PII and Ground Truth is the total number of PIIs.
The variability in customer applications introduces differences in performance, meaning detection accuracy may fluctuate based on the quality of input text. Error rates in identifying PII are influenced not just by the detection service but also by customer workflows and evaluation datasets. It is recommended that customers assess and validate accuracy according to their specific use cases and requirements. It is also pertinent to note that the detected score of the input text may vary negligibly from user to user based on their underlying hardware configuration.