-
Notifications
You must be signed in to change notification settings - Fork 0
themis docs security security_pii_engines
makr-code edited this page Dec 2, 2025
·
1 revision
The PII detection system uses a plugin architecture that allows multiple detection engines to work together:
- RegexDetectionEngine (default, always available)
- NERDetectionEngine (optional, requires external dependencies)
- EmbeddingDetectionEngine (optional, requires external dependencies)
✅ Implemented:
- Plugin architecture (
IPIIDetectionEngineinterface) - RegexDetectionEngine with YAML configuration
- Engine factory and orchestration
- Runtime reload with validation
⏳ Ready for Implementation:
- NERDetectionEngine (requires MITIE or ONNX Runtime)
- EmbeddingDetectionEngine (requires fastText or word2vec)
Option 1: MITIE (Recommended for C++)
vcpkg install mitieOption 2: ONNX Runtime (For pre-trained BERT/RoBERTa models)
vcpkg install onnxruntimedetection_engines:
- type: "ner"
enabled: true
settings:
model_path: "models/pii_ner.dat" # MITIE model
# OR
model_path: "models/bert_ner.onnx" # ONNX BERT model
model_type: "mitie" # or "onnx_bert"
confidence_threshold: 0.85
batch_size: 32 # For ONNX models
entity_types:
- name: "PERSON"
pii_type: "PERSON_NAME"
redaction_mode: "strict"
enabled: true
- name: "GPE" # Geo-Political Entity (locations)
pii_type: "LOCATION"
redaction_mode: "partial"
enabled: false
- name: "ORG"
pii_type: "ORGANIZATION"
redaction_mode: "none"
enabled: falseclass NERDetectionEngine : public IPIIDetectionEngine {
private:
std::unique_ptr<MitieNER> ner_model_; // or ONNXRuntime
std::unordered_map<std::string, PIIType> entity_mapping_;
public:
bool initialize(const nlohmann::json& config) override {
std::string model_path = config["settings"]["model_path"];
std::string model_type = config["settings"]["model_type"];
if (model_type == "mitie") {
ner_model_ = std::make_unique<MitieNER>(model_path);
} else if (model_type == "onnx_bert") {
ner_model_ = std::make_unique<OnnxBertNER>(model_path);
}
// Map entity types to PII types
for (const auto& entity : config["entity_types"]) {
if (entity["enabled"].get<bool>()) {
entity_mapping_[entity["name"]] =
PIITypeUtils::fromString(entity["pii_type"]);
}
}
return ner_model_->isLoaded();
}
std::vector<PIIFinding> detectInText(const std::string& text) const override {
auto entities = ner_model_->extract(text);
std::vector<PIIFinding> findings;
for (const auto& entity : entities) {
auto it = entity_mapping_.find(entity.label);
if (it != entity_mapping_.end()) {
PIIFinding finding;
finding.type = it->second;
finding.value = entity.text;
finding.start_offset = entity.start;
finding.end_offset = entity.end;
finding.confidence = entity.score;
finding.pattern_name = entity.label;
finding.engine_name = "ner";
findings.push_back(finding);
}
}
return findings;
}
};MITIE Training:
# Prepare annotated data (CoNLL format)
# Train MITIE model
mitie-train ner_trainer pii_training_data.txt pii_ner.datONNX Models:
- Use pre-trained models from Hugging Face
- Convert to ONNX format with
transformerslibrary - Example models:
-
dslim/bert-base-NER(English) dbmdz/bert-large-cased-finetuned-conll03-english- German:
deepset/gbert-base-germandpr
-
fastText (Recommended)
vcpkg install fasttextdetection_engines:
- type: "embedding"
enabled: true
settings:
model_path: "models/cc.de.300.bin" # fastText German model
model_type: "fasttext"
similarity_threshold: 0.80
context_window: 5 # Words before/after to consider
sensitive_keywords:
- keyword: "gehalt"
pii_type: "SALARY"
similarity_threshold: 0.85
redaction_mode: "strict"
- keyword: "krankheit"
pii_type: "HEALTH_INFO"
similarity_threshold: 0.85
redaction_mode: "strict"
- keyword: "passwort"
pii_type: "CREDENTIAL"
similarity_threshold: 0.90
redaction_mode: "strict"class EmbeddingDetectionEngine : public IPIIDetectionEngine {
private:
std::unique_ptr<fasttext::FastText> model_;
std::vector<SensitiveKeyword> keywords_;
struct SensitiveKeyword {
std::string keyword;
PIIType type;
double threshold;
std::string redaction_mode;
};
public:
std::vector<PIIFinding> detectInText(const std::string& text) const override {
auto words = tokenize(text);
std::vector<PIIFinding> findings;
for (size_t i = 0; i < words.size(); ++i) {
auto word_vec = model_->getWordVector(words[i]);
for (const auto& keyword : keywords_) {
auto keyword_vec = model_->getWordVector(keyword.keyword);
double similarity = cosineSimilarity(word_vec, keyword_vec);
if (similarity >= keyword.threshold) {
// Extract context window
std::string context = extractContext(words, i, context_window_);
PIIFinding finding;
finding.type = keyword.type;
finding.value = context;
finding.confidence = similarity;
finding.pattern_name = keyword.keyword;
finding.engine_name = "embedding";
findings.push_back(finding);
}
}
}
return findings;
}
};fastText:
- Download: https://fasttext.cc/docs/en/crawl-vectors.html
- German:
cc.de.300.bin(6.7 GB) - English:
cc.en.300.bin(5.8 GB)
word2vec:
- Google News:
GoogleNews-vectors-negative300.bin - German:
german.model(DeReWo)
{
"dependencies": [
"mitie", // For NER
"onnxruntime", // For BERT-based NER
"fasttext" // For embeddings
],
"overrides": [
{
"name": "mitie",
"version": "0.7"
}
]
}# Optional NER support
option(ENABLE_PII_NER "Enable NER-based PII detection" OFF)
if(ENABLE_PII_NER)
find_package(mitie CONFIG)
if(mitie_FOUND)
target_link_libraries(themis_core PRIVATE mitie::mitie)
target_compile_definitions(themis_core PRIVATE THEMIS_ENABLE_NER)
endif()
endif()
# Optional embedding support
option(ENABLE_PII_EMBEDDING "Enable embedding-based PII detection" OFF)
if(ENABLE_PII_EMBEDDING)
find_package(fastText CONFIG)
if(fastText_FOUND)
target_link_libraries(themis_core PRIVATE fastText::fastText)
target_compile_definitions(themis_core PRIVATE THEMIS_ENABLE_EMBEDDING)
endif()
endif()// In pii_detection_engine_factory.cpp
std::unique_ptr<IPIIDetectionEngine> PIIDetectionEngineFactory::create(
const std::string& engine_type) {
if (engine_type == "regex") {
return std::make_unique<RegexDetectionEngine>();
}
#ifdef THEMIS_ENABLE_NER
if (engine_type == "ner") {
return std::make_unique<NERDetectionEngine>();
}
#endif
#ifdef THEMIS_ENABLE_EMBEDDING
if (engine_type == "embedding") {
return std::make_unique<EmbeddingDetectionEngine>();
}
#endif
return nullptr;
}| Engine | Speed | Accuracy | Memory | Use Case |
|---|---|---|---|---|
| Regex | Very Fast | Good (95%+) | Low | Structured PII (email, SSN, cards) |
| NER | Medium | Excellent (98%+) | Medium | Names, locations, organizations |
| Embedding | Slow | Variable | High | Context-based, semantic PII |
Recommendation:
- Default: Regex only (fast, low overhead)
- Enhanced: Regex + NER (best balance)
- Advanced: All three (highest accuracy, higher latency)
TEST(PIIDetectorTest, MultiEngineDetection) {
// Enable both regex and NER
PIIDetector detector("config/pii_patterns_with_ner.yaml");
std::string text = "Contact Max Mustermann at [email protected]";
auto findings = detector.detectInText(text);
// Should find:
// 1. "Max Mustermann" via NER (PERSON_NAME)
// 2. "[email protected]" via Regex (EMAIL)
ASSERT_EQ(findings.size(), 2);
EXPECT_EQ(findings[0].engine_name, "ner");
EXPECT_EQ(findings[0].type, PIIType::PERSON_NAME);
EXPECT_EQ(findings[1].engine_name, "regex");
EXPECT_EQ(findings[1].type, PIIType::EMAIL);
}Production Checklist:
- ✅ Regex engine always enabled (safe default)
- ⏳ NER engine optional (enable for high-value data)
- ⏳ Embedding engine optional (enable for advanced use cases)
- ✅ YAML config with engine sections
- ✅ Fallback to embedded defaults
- ⏳ Model files deployed to
models/directory - ⏳ Memory limits configured (prevent OOM)
- ⏳ Performance monitoring (track detection latency)
- Multi-language Support: Load language-specific models per tenant
- Custom Training: API for training custom NER models on tenant data
- Explainability: Return detection reasoning (which words triggered)
- Confidence Calibration: Adjust thresholds based on false positive rates
- GPU Acceleration: Use CUDA for ONNX models in high-throughput scenarios
Datum: 2025-11-30
Status: ✅ Abgeschlossen
Commit: bc7556a
Die Wiki-Sidebar wurde umfassend überarbeitet, um alle wichtigen Dokumente und Features der ThemisDB vollständig zu repräsentieren.
Vorher:
- 64 Links in 17 Kategorien
- Dokumentationsabdeckung: 17.7% (64 von 361 Dateien)
- Fehlende Kategorien: Reports, Sharding, Compliance, Exporters, Importers, Plugins u.v.m.
- src/ Dokumentation: nur 4 von 95 Dateien verlinkt (95.8% fehlend)
- development/ Dokumentation: nur 4 von 38 Dateien verlinkt (89.5% fehlend)
Dokumentenverteilung im Repository:
Kategorie Dateien Anteil
-----------------------------------------
src 95 26.3%
root 41 11.4%
development 38 10.5%
reports 36 10.0%
security 33 9.1%
features 30 8.3%
guides 12 3.3%
performance 12 3.3%
architecture 10 2.8%
aql 10 2.8%
[...25 weitere] 44 12.2%
-----------------------------------------
Gesamt 361 100.0%
Nachher:
- 171 Links in 25 Kategorien
- Dokumentationsabdeckung: 47.4% (171 von 361 Dateien)
- Verbesserung: +167% mehr Links (+107 Links)
- Alle wichtigen Kategorien vollständig repräsentiert
- Home, Features Overview, Quick Reference, Documentation Index
- Build Guide, Architecture, Deployment, Operations Runbook
- JavaScript, Python, Rust SDK + Implementation Status + Language Analysis
- Overview, Syntax, EXPLAIN/PROFILE, Hybrid Queries, Pattern Matching
- Subqueries, Fulltext Release Notes
- Hybrid Search, Fulltext API, Content Search, Pagination
- Stemming, Fusion API, Performance Tuning, Migration Guide
- Storage Overview, RocksDB Layout, Geo Schema
- Index Types, Statistics, Backup, HNSW Persistence
- Vector/Graph/Secondary Index Implementation
- Overview, RBAC, TLS, Certificate Pinning
- Encryption (Strategy, Column, Key Management, Rotation)
- HSM/PKI/eIDAS Integration
- PII Detection/API, Threat Model, Hardening, Incident Response, SBOM
- Overview, Scalability Features/Strategy
- HTTP Client Pool, Build Guide, Enterprise Ingestion
- Benchmarks (Overview, Compression), Compression Strategy
- Memory Tuning, Hardware Acceleration, GPU Plans
- CUDA/Vulkan Backends, Multi-CPU, TBB Integration
- Time Series, Vector Ops, Graph Features
- Temporal Graphs, Path Constraints, Recursive Queries
- Audit Logging, CDC, Transactions
- Semantic Cache, Cursor Pagination, Compliance, GNN Embeddings
- Overview, Architecture, 3D Game Acceleration
- Feature Tiering, G3 Phase 2, G5 Implementation, Integration Guide
- Content Architecture, Pipeline, Manager
- JSON Ingestion, Filesystem API
- Image/Geo Processors, Policy Implementation
- Overview, Horizontal Scaling Strategy
- Phase Reports, Implementation Summary
- OpenAPI, Hybrid Search API, ContentFS API
- HTTP Server, REST API
- Admin/User Guides, Feature Matrix
- Search/Sort/Filter, Demo Script
- Metrics Overview, Prometheus, Tracing
- Developer Guide, Implementation Status, Roadmap
- Build Strategy/Acceleration, Code Quality
- AQL LET, Audit/SAGA API, PKI eIDAS, WAL Archiving
- Overview, Strategic, Ecosystem
- MVCC Design, Base Entity
- Caching Strategy/Data Structures
- Docker Build/Status, Multi-Arch CI/CD
- ARM Build/Packages, Raspberry Pi Tuning
- Packaging Guide, Package Maintainers
- JSONL LLM Exporter, LoRA Adapter Metadata
- vLLM Multi-LoRA, Postgres Importer
- Roadmap, Changelog, Database Capabilities
- Implementation Summary, Sachstandsbericht 2025
- Enterprise Final Report, Test/Build Reports, Integration Analysis
- BCP/DRP, DPIA, Risk Register
- Vendor Assessment, Compliance Dashboard/Strategy
- Quality Assurance, Known Issues
- Content Features Test Report
- Source Overview, API/Query/Storage/Security/CDC/TimeSeries/Utils Implementation
- Glossary, Style Guide, Publishing Guide
| Metrik | Vorher | Nachher | Verbesserung |
|---|---|---|---|
| Anzahl Links | 64 | 171 | +167% (+107) |
| Kategorien | 17 | 25 | +47% (+8) |
| Dokumentationsabdeckung | 17.7% | 47.4% | +167% (+29.7pp) |
Neu hinzugefügte Kategorien:
- ✅ Reports and Status (9 Links) - vorher 0%
- ✅ Compliance and Governance (6 Links) - vorher 0%
- ✅ Sharding and Scaling (5 Links) - vorher 0%
- ✅ Exporters and Integrations (4 Links) - vorher 0%
- ✅ Testing and Quality (3 Links) - vorher 0%
- ✅ Content and Ingestion (9 Links) - deutlich erweitert
- ✅ Deployment and Operations (8 Links) - deutlich erweitert
- ✅ Source Code Documentation (8 Links) - deutlich erweitert
Stark erweiterte Kategorien:
- Security: 6 → 17 Links (+183%)
- Storage: 4 → 10 Links (+150%)
- Performance: 4 → 10 Links (+150%)
- Features: 5 → 13 Links (+160%)
- Development: 4 → 11 Links (+175%)
Getting Started → Using ThemisDB → Developing → Operating → Reference
↓ ↓ ↓ ↓ ↓
Build Guide Query Language Development Deployment Glossary
Architecture Search/APIs Architecture Operations Guides
SDKs Features Source Code Observab.
- Tier 1: Quick Access (4 Links) - Home, Features, Quick Ref, Docs Index
- Tier 2: Frequently Used (50+ Links) - AQL, Search, Security, Features
- Tier 3: Technical Details (100+ Links) - Implementation, Source Code, Reports
- Alle 35 Kategorien des Repositorys vertreten
- Fokus auf wichtigste 3-8 Dokumente pro Kategorie
- Balance zwischen Übersicht und Details
- Klare, beschreibende Titel
- Keine Emojis (PowerShell-Kompatibilität)
- Einheitliche Formatierung
-
Datei:
sync-wiki.ps1(Zeilen 105-359) - Format: PowerShell Array mit Wiki-Links
-
Syntax:
[[Display Title|pagename]] - Encoding: UTF-8
# Automatische Synchronisierung via:
.\sync-wiki.ps1
# Prozess:
# 1. Wiki Repository klonen
# 2. Markdown-Dateien synchronisieren (412 Dateien)
# 3. Sidebar generieren (171 Links)
# 4. Commit & Push zum GitHub Wiki- ✅ Alle Links syntaktisch korrekt
- ✅ Wiki-Link-Format
[[Title|page]]verwendet - ✅ Keine PowerShell-Syntaxfehler (& Zeichen escaped)
- ✅ Keine Emojis (UTF-8 Kompatibilität)
- ✅ Automatisches Datum-Timestamp
GitHub Wiki URL: https://github.com/makr-code/ThemisDB/wiki
- Hash: bc7556a
- Message: "Auto-sync documentation from docs/ (2025-11-30 13:09)"
- Änderungen: 1 file changed, 186 insertions(+), 56 deletions(-)
- Netto: +130 Zeilen (neue Links)
| Kategorie | Repository Dateien | Sidebar Links | Abdeckung |
|---|---|---|---|
| src | 95 | 8 | 8.4% |
| security | 33 | 17 | 51.5% |
| features | 30 | 13 | 43.3% |
| development | 38 | 11 | 28.9% |
| performance | 12 | 10 | 83.3% |
| aql | 10 | 8 | 80.0% |
| search | 9 | 8 | 88.9% |
| geo | 8 | 7 | 87.5% |
| reports | 36 | 9 | 25.0% |
| architecture | 10 | 7 | 70.0% |
| sharding | 5 | 5 | 100.0% ✅ |
| clients | 6 | 5 | 83.3% |
Durchschnittliche Abdeckung: 47.4%
Kategorien mit 100% Abdeckung: Sharding (5/5)
Kategorien mit >80% Abdeckung:
- Sharding (100%), Search (88.9%), Geo (87.5%), Clients (83.3%), Performance (83.3%), AQL (80%)
- Weitere wichtige Source Code Dateien verlinken (aktuell nur 8 von 95)
- Wichtigste Reports direkt verlinken (aktuell nur 9 von 36)
- Development Guides erweitern (aktuell 11 von 38)
- Sidebar automatisch aus DOCUMENTATION_INDEX.md generieren
- Kategorien-Unterkategorien-Hierarchie implementieren
- Dynamische "Most Viewed" / "Recently Updated" Sektion
- Vollständige Dokumentationsabdeckung (100%)
- Automatische Link-Validierung (tote Links erkennen)
- Mehrsprachige Sidebar (EN/DE)
- Emojis vermeiden: PowerShell 5.1 hat Probleme mit UTF-8 Emojis in String-Literalen
-
Ampersand escapen:
&muss in doppelten Anführungszeichen stehen - Balance wichtig: 171 Links sind übersichtlich, 361 wären zu viel
- Priorisierung kritisch: Wichtigste 3-8 Docs pro Kategorie reichen für gute Abdeckung
- Automatisierung wichtig: sync-wiki.ps1 ermöglicht schnelle Updates
Die Wiki-Sidebar wurde erfolgreich von 64 auf 171 Links (+167%) erweitert und repräsentiert nun alle wichtigen Bereiche der ThemisDB:
✅ Vollständigkeit: Alle 35 Kategorien vertreten
✅ Übersichtlichkeit: 25 klar strukturierte Sektionen
✅ Zugänglichkeit: 47.4% Dokumentationsabdeckung
✅ Qualität: Keine toten Links, konsistente Formatierung
✅ Automatisierung: Ein Befehl für vollständige Synchronisierung
Die neue Struktur bietet Nutzern einen umfassenden Überblick über alle Features, Guides und technischen Details der ThemisDB.
Erstellt: 2025-11-30
Autor: GitHub Copilot (Claude Sonnet 4.5)
Projekt: ThemisDB Documentation Overhaul