CN119442324B - Data circulation method and device based on data use control - Google Patents

Publication number
CN119442324B
Authority
CN
China
Prior art keywords
data
requester
access
uploaded
numbers
Prior art date
Legal status
Active
Application number
CN202411590141.3A
Other languages
Chinese (zh)
Other versions
CN119442324A (en)
Inventor
陶耀东
任浩源
卢冠豪
徐书珩
Current Assignee
Shenzhen Shuangpai Zhi'an Technology Co ltd
Beijing Shuangpai Zhian Technology Co ltd
Original Assignee
Shenzhen Shuangpai Zhi'an Technology Co ltd
Beijing Shuangpai Zhian Technology Co ltd
Application filed by Shenzhen Shuangpai Zhi'an Technology Co ltd, Beijing Shuangpai Zhian Technology Co ltd
Priority to CN202411590141.3A
Publication of CN119442324A
Application granted
Publication of CN119442324B

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a data circulation method and device based on data use control. The identity verification information and the data access request of the data requester are analyzed comprehensively: the identity verification information provided by the data requester is verified and, after successful verification, the requester's location is compared with the safe access range to decide whether to authorize access. If the data requester is outside the set safe access range, the requester's location is further matched against the historical location information; if the match fails, the request is judged to be access from a different location. If the access is judged to be abnormal, the hidden danger assessment index of the requester is analyzed and used as the final basis for whether to authorize access. This solves the problem that the prior art mostly adopts fixed data use and access policies, which exposes data to unauthorized access and abuse during circulation and gives only coarse-grained control.

Description

Data circulation method and device based on data use control
Technical Field
The present invention relates to the field of data circulation technologies, and in particular, to a data circulation method and apparatus based on data usage control.
Background
In today's digital age, data has become one of the most valuable assets for businesses and individuals. With the rapid development of internet technology, data is generated, stored, processed and transmitted ever more frequently, and the problems of data security and privacy protection are becoming more prominent, so how to manage and control data circulation safely and effectively has become a problem to be solved.
However, data circulation methods in the prior art have the following disadvantages:
The prior art mostly adopts fixed data use and access policies, so data is exposed to unauthorized access and abuse during circulation, and the control is coarse-grained;
Data is vulnerable to attack by hackers and misuse by internal personnel during transmission and storage, which increases the risk of data leakage. The prior art generally encrypts with conventional methods such as AES, DES and 3DES; these provide some protection, but security is still not fully ensured.
To this end, a data circulation method and device based on data use control are proposed.
Disclosure of Invention
In view of the above, the present invention provides a data circulation method and apparatus based on data usage control to solve the above-mentioned problems of the related art.
The invention achieves this aim through the following technical scheme. A data circulation method based on data use control comprises the following steps:
Data upload: the data provider sends data to the data storage center and defines a data use policy; once the policy is defined, it is associated with the uploaded data, and the data is stored in the data storage center;
Data request: a data requester sends a data access request and provides the requester's identity verification information;
Circulation control: the identity verification information and the data access request of the data requester are analyzed comprehensively, and the corresponding steps are executed to determine whether the data requester is authorized to access;
Storage center: after the data provider sends data to the data storage center, the data is encrypted based on a preset encryption rule;
Audit: access-related information is recorded for each data access, the access-related information comprising access time, requester identity and accessed data.
In some embodiments, the data use policy is defined as follows:
the nature of the data uploaded by the data provider is extracted and the data is classified accordingly, with a set of basic policy templates preset for each type of data;
the three most frequently used policy templates are extracted from the basic policy template set corresponding to the uploaded data and pushed to the data provider of the current upload. The data provider selects one of these three templates as a base template and customizes it to serve as the data use policy of the current upload, the data use policy comprising data access authority, data sharing range and data retention period.
In some embodiments, the steps executed to determine whether the data requester is authorized to access are:
S1, verify the identity verification information provided by the data requester; if verification succeeds, execute step S2, and if verification fails, execute step S3;
S2, after successful verification, send a position feedback instruction to the data requester; the data requester receives and confirms the instruction, which yields the position from which the data access request is currently being sent. This position is compared with the set safe access range: if it is within the range, the request is judged to be safe access and the data requester is authorized to access; if it is outside the range, step S2-201 is executed;
S3, mark the data access request just sent by the data requester as an abnormal access request, and restrict the requester's data access requests for a set time period.
In some embodiments, the specific implementation of step S2-201 is:
S2-201, match the position of the data requester against the historical position information; if the match succeeds, the request is judged to be safe access; if the match fails, the request is judged to be off-site access, and step S2-202 is executed;
S2-202, obtain the stay time of the data requester: timing starts when the data requester enters the data storage center and ends when the data access request is sent, and the length of this interval is taken as the stay time of the data requester;
Mark the time point at which the data requester sends the data access request and match it against a set conventional time range; one group of weight coefficients for the stay time and the number of access requests is preset for the case where the match fails and another for the case where it succeeds;
Based on the matching result, multiply the stay time and the number of access requests of the data requester by their corresponding weight coefficients and sum the products to obtain the hidden danger assessment index of the data requester;
Compare the hidden danger assessment index of the data requester with the corresponding reference hidden danger assessment index; if it is smaller than the reference, the request is judged to be safe access; otherwise, execute step S3.
In some embodiments, the data is encrypted based on the preset encryption rule as follows:
M1, based on the classification of the uploaded data by its nature, set a different key composition for each classification, and randomly generate a corresponding random key for the data uploaded by the data provider;
M2, after the random key is generated, extract the digits in the random key as the digits to be processed, and convert the letters and symbols in the random key to numbers based on a preset conversion rule;
M3, after the conversion in step M2, combine the converted numbers with the digits to be processed and randomly shuffle their order to obtain a new number combination, and construct encryption graph I and encryption graph II of the uploaded data based on this number combination;
M4, scan the uploaded data, extract all content other than text content and encrypt it with encryption graph I, and encrypt the text content of the uploaded data with encryption graph II.
In some embodiments, the letters and symbols in the random key are converted to numbers based on the preset conversion rule as follows: the preset conversion rule sets the number corresponding to each letter and symbol, and these numbers are adjusted each time the preset adjustment time interval elapses.
In some embodiments, the encryption graphs of the uploaded data are constructed from the number combination as follows:
M3-301, extract the first three groups of numbers from the number combination and substitute them into a preset encryption formula to obtain three groups of calculated numbers; fill the three groups of calculated numbers into a pre-constructed encryption frame, which after filling is encryption graph I;
M3-302, following step M3-301, extract the remaining numbers in the number combination and count them; then construct a plane rectangular coordinate system, draw position points on its x axis at the ordering positions of the remaining numbers in the number combination, and at each position point draw the corresponding numerical point using the number itself as the value;
After all numerical points are drawn, connect each pair of adjacent numerical points with a straight line segment, draw a circle whose diameter is the length of that segment, and randomly cut out one semicircle with the segment as the cutting boundary; when all semicircles have been cut out, the resulting figure is encryption graph II.
In some embodiments, a data circulation device based on data use control includes:
The data uploading module, through which the data provider sends data to the data storage center and defines a data use policy; once the policy is defined, it is associated with the uploaded data, and the data is stored in the data storage center;
The data access module, through which a data requester sends a data access request and provides the requester's identity verification information;
The control access module, which comprehensively analyzes the identity verification information and the data access request of the data requester and executes the corresponding steps to determine whether the data requester is authorized to access;
The data storage module, which constructs the data storage center and encrypts data according to the preset encryption rule;
The data auditing module, which records access-related information for each data access, the access-related information comprising access time, requester identity and accessed data.
Compared with the prior art, the invention has the following beneficial effects:
The invention comprehensively analyzes the identity verification information and the data access request of the data requester. The identity verification information provided by the data requester is verified and, after successful verification, the requester's position is compared with the safe access range to determine whether access is authorized. If the data requester is outside the set safe access range, the requester's position is further matched against the historical position information; if the match fails, the request is judged to be off-site access. If the access is judged to be abnormal, the hidden danger assessment index of the data requester is analyzed and taken as the final basis for whether access is authorized. This solves the problem that the prior art adopts fixed data use and access policies, which exposes data to unauthorized access and abuse during circulation and gives only coarse-grained control;
The invention generates a corresponding random key based on the classification of the uploaded data by its nature and converts the letters and symbols in the key to numbers using a preset conversion rule, from which encryption graph I and encryption graph II are constructed and used to encrypt different parts of the uploaded data separately. This solves the problem that the prior art usually encrypts with conventional methods whose security is still not fully ensured, and improves the security of data storage and transmission;
The invention classifies the uploaded data by extracting its nature and presets a set of basic policy templates for each type of data. The three most frequently used policy templates are extracted from the basic policy template set corresponding to the uploaded data and pushed to the data provider, who selects one of them as a base template and customizes it to serve as the data use policy of the current upload, so that the data is protected appropriately for its sensitivity and purpose;
For abnormal access requests, the invention can restrict the requester's data access requests for a set time period, which prevents the data requester from retrying frequently.
Drawings
Further details, features and advantages of the application are disclosed in the following description of exemplary embodiments with reference to the following drawings, in which:
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a diagram of an apparatus of the present invention;
FIG. 3 is a schematic diagram of encryption graph I of the present invention;
FIG. 4 is a schematic diagram of encryption graph II of the present invention.
Detailed Description
Several embodiments of the present application will be described in more detail below with reference to the accompanying drawings in order to enable those skilled in the art to practice the application. The present application may be embodied in many different forms and objects and should not be limited to the embodiments set forth herein. These embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the application to those skilled in the art. The examples do not limit the application.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and/or the present specification and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Example 1
Referring to FIG. 1, a data circulation method based on data use control includes:
Data upload: the data provider sends data to the data storage center through a secure data upload interface and defines a data use policy; once the policy is defined, it is associated with the uploaded data, and the data is stored in the data storage center;
the data provider transfers the data file to the data storage center using a pre-built upload tool or API, and encryption protocols such as SSL/TLS are used during upload to secure the data in transit;
The data use policy is defined as follows:
the nature of the data uploaded by the data provider is extracted to classify the data, for example as personal identity information, financial data and the like;
basic policy template sets of different levels are established for the different types of data, and the basic policy template set corresponding to the uploaded data is obtained from the classification result of the current data provider's upload;
the three most frequently used policy templates are extracted from the basic policy template set corresponding to the uploaded data;
each policy template comprises a data access authority setting, a data retention period range setting and a data sharing range setting;
the three templates are pushed to the data provider of the current upload; the data provider selects one of the three top-ranked policy templates as a base template and customizes it to serve as the data use policy of the current upload;
It should be noted that, in this way, the data provider can select the most suitable data use policy for the uploaded data and adjust it to the actual situation to ensure the security and compliance of the data.
Data request: a data requester sends a data access request through a request interface and provides the requester's identity verification information, which comprises a user name, a password and an API key;
Circulation control: the identity verification information and the data access request of the data requester are analyzed comprehensively, and the corresponding steps are executed to determine whether the data requester is authorized to access;
The steps are as follows:
S1, verify the identity verification information provided by the data requester; if verification succeeds, execute step S2, and if verification fails, execute step S3;
S1-101, receive the user name, password and API key submitted by the data requester and confirm that the submitted user name and password match the user credentials stored in the system; at the same time, determine whether the authority of the data requester falls within the authority range and sharing range set in the data use policy. Verification is judged successful when the credentials match and the data use policy is satisfied;
S2, after successful verification, send a position feedback instruction to the data requester; the data requester receives and confirms the instruction, which yields the position from which the data access request is currently being sent. This position is compared with the set safe access range: if it is within the range, the request is judged to be safe access and the data requester is authorized to access; if it is outside the range, step S2-201 is executed;
S2-201, match the position of the data requester against the historical position information; if the match succeeds, the request is judged to be safe access; if the match fails, the request is judged to be off-site access, and step S2-202 is executed;
S2-202, obtain the stay time of the data requester: timing starts when the data requester enters the data storage center and ends when the data access request is sent, and the length of this interval is taken as the stay time of the data requester;
A longer stay time may indicate that the requester is searching for information or attempting to bypass security measures, so the corresponding degree of risk is higher;
Count the number of access requests made by the data requester within a set time period;
Frequent attempts to access the system within a short period, particularly outside working hours, may indicate an automated attack or an unauthorized access attempt;
Mark the time point at which the data requester sends the data access request and match it against a set conventional time range; one group of weight coefficients for the stay time and the number of access requests is preset for the case where the match fails and another for the case where it succeeds;
The weight coefficients of the stay time and of the number of access requests when the match fails are both larger than the corresponding weight coefficients when the match succeeds;
Based on the matching result, multiply the stay time and the number of access requests of the data requester by their corresponding weight coefficients and sum the products to obtain the hidden danger assessment index of the data requester;
Compare the hidden danger assessment index of the data requester with the corresponding reference hidden danger assessment index; if it is smaller than the reference, the request is judged to be safe access; otherwise, execute step S3;
For example, if the data use policy of the accessed data sets a higher access authority and a smaller sharing range, the reference hidden danger assessment index for that data should be set lower, which improves the security of the data; the specific value is set by technicians;
S3, mark the data access request just sent by the data requester as an abnormal access request, and restrict the requester's data access requests for a set time period;
For example, the requester is prevented from reissuing a data access request for the data for 60 s or 3 minutes;
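The decision flow S1 to S3 described above, written out as an added Python example (not code from the patent). The zone names, conventional hours, weight values, reference index, lockout length, units and all field names are constructed assumptions; the patent leaves every concrete value to the implementer.

```python
from dataclasses import dataclass, field

# All concrete values below are constructed for illustration only.
SAFE_ZONES = {"office-bj", "office-sz"}   # the "set safe access range" (S2)
CONVENTIONAL_HOURS = range(9, 18)         # the "set conventional time range"
WEIGHTS = {                               # (stay-time weight, request-count weight)
    True: (0.25, 0.5),                    # request time matches the range
    False: (0.75, 1.5),                   # match failed: both weights are larger
}
LOCKOUT_SECONDS = 60                      # S3 restriction period (page example: 60 s)


@dataclass
class Request:
    requester: str
    data_id: str
    credentials_ok: bool      # outcome of the S1 credential and policy-scope check
    location: str
    now: float                # epoch seconds at which the request is sent
    hour: int                 # local hour of the request
    dwell_minutes: float      # stay time: entering the storage center -> request
    requests_in_window: int   # access requests counted in the set time period


def risk_index(req: Request) -> float:
    """S2-202: hidden danger assessment index as a weighted sum."""
    w_dwell, w_req = WEIGHTS[req.hour in CONVENTIONAL_HOURS]
    return w_dwell * req.dwell_minutes + w_req * req.requests_in_window


@dataclass
class FlowController:
    history: dict             # requester -> set of previously seen locations
    reference_index: float    # threshold; set lower for more sensitive data
    locked_until: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def decide(self, req: Request) -> tuple:
        verdict = self._evaluate(req)
        # Audit step: access time, requester identity, accessed data (plus verdict).
        self.audit_log.append((req.now, req.requester, req.data_id) + verdict)
        return verdict

    def _evaluate(self, req: Request) -> tuple:
        key = (req.requester, req.data_id)
        if req.now < self.locked_until.get(key, 0.0):
            return ("deny", "restricted")          # still inside an S3 restriction
        if not req.credentials_ok:                 # S1 failed -> S3
            return self._abnormal(req, "S1")
        if req.location in SAFE_ZONES:             # S2: inside the safe range
            return ("grant", "S2")
        if req.location in self.history.get(req.requester, set()):
            return ("grant", "S2-201")             # known historical position
        if risk_index(req) < self.reference_index:
            return ("grant", "S2-202")             # off-site but below the reference
        return self._abnormal(req, "S2-202")

    def _abnormal(self, req: Request, step: str) -> tuple:
        # S3: mark as abnormal and restrict re-requests for a set period.
        self.locked_until[(req.requester, req.data_id)] = req.now + LOCKOUT_SECONDS
        return ("deny", "abnormal:" + step)


if __name__ == "__main__":
    ctl = FlowController(history={"alice": {"home-alice"}}, reference_index=10.0)
    night = Request("bob", "d1", True, "cafe", 1000.0, 2, 12, 6)
    print(risk_index(night), ctl.decide(night))
```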
Storage center: after the data provider sends data to the data storage center, the data is encrypted based on a preset encryption rule;
The steps are as follows:
M1, based on the classification of the uploaded data by its nature, set a different key composition for each classification, and use a machine learning algorithm to randomly generate a corresponding random key for the data uploaded by the data provider, the random key being composed at random of numbers, symbols and letters;
For example, personal identity information corresponds to a key composition of numbers + letters, and financial data corresponds to a key composition of numbers + letters + symbols;
the key length is set in the range 8-12, and the key is randomly generated;
M2, after the random key is generated, extract the digits in the random key as the digits to be processed, and convert the letters and symbols in the random key to numbers based on a preset conversion rule;
M2-201, the preset conversion rule sets the number corresponding to each letter and symbol, and these numbers are adjusted each time the preset adjustment time interval elapses;
for example, the conversion rule during the last adjustment interval is as follows:
A/a -> 1, B/b -> 3, C/c -> 5, etc., # -> 14, & -> 15;
The preset adjustment time interval is 24 hours, i.e. the conversion rule is adjusted once every 24 hours; after 24 hours the conversion rule is updated, for example:
A/a -> 7, B/b -> 1, C/c -> 3, etc., # -> 18, & -> 14.
Updating the conversion rule regularly increases the complexity of the key and makes it difficult for an attacker to predict and crack;
M3, after the conversion in step M2, combine the converted numbers with the digits to be processed and randomly shuffle their order to obtain a new number combination, and construct the encryption graphs of the uploaded data based on this number combination;
M3-301 extracting the first three groups of digits from the digit combination, and substituting the digits into preset encryption formulas to calculate, wherein the preset encryption formulas are set as follows The method comprises the steps of obtaining three groups of calculated numbers, filling the three groups of calculated numbers into a pre-constructed encryption frame respectively, and splicing the encryption frame by three groups of squares;
Supplementary explanation, for example:
extract the first three groups of numbers in the combination, apply the preset encryption formula and construct the encryption graph;
extracting the first three digits 5,2,8 and substituting the digits into the encryption formula Calculating to obtain three groups of calculated numbers 12,6,18;
Construct an encryption frame spliced from three squares of identical size, and fill the calculated numbers 12, 6, 18 into it: the first square is filled with 12, the second with 6, and the third with 18;
M3-302, following step M3-301, extract the remaining numbers in the number combination and count them; then construct a plane rectangular coordinate system and draw position points on its x axis at the ordering positions of the remaining numbers in the number combination, where the earlier the ordering position, the closer the position point is to the origin;
After all numerical points are drawn, connect each pair of adjacent numerical points with a straight line segment, draw a circle whose diameter is the length of that segment, and randomly cut out one semicircle with the segment as the cutting boundary; when all semicircles have been cut out, the resulting figure is encryption graph II;
Supplementary explanation, for example:
Assume that the remaining numbers in the number combination are {4, 7, 2, 9, 5}; in this example, the count of remaining numbers is the total number of numbers in the combination, i.e., 5;
Position points are drawn on the x axis according to the sorting position of each number in the number combination: the first number 4 corresponds to point 1 on the x axis, the second number 7 corresponds to point 2, and so on;
At each position point, the numerical point is plotted along the y axis according to the actual value of the number; the first number being 4, a point of height 4 is plotted at the position x=1:
At x=1, y=4, giving the point (1, 4); at x=2, y=7, giving the point (2, 7); at x=3, y=2, giving the point (3, 2); at x=4, y=9, giving the point (4, 9); at x=5, y=5, giving the point (5, 5);
Connect point (1, 4) to point (2, 7), point (2, 7) to point (3, 2), point (3, 2) to point (4, 9), and point (4, 9) to point (5, 5);
Draw a circle taking the straight-line distance between points (1, 4) and (2, 7) as the diameter, and randomly cut out a semicircle;
Draw a circle taking the straight-line distance between points (2, 7) and (3, 2) as the diameter, and randomly cut out a semicircle;
Draw a circle taking the straight-line distance between points (3, 2) and (4, 9) as the diameter, and randomly cut out a semicircle;
Draw a circle taking the straight-line distance between points (4, 9) and (5, 5) as the diameter, and randomly cut out a semicircle;
The resulting figure is taken as encrypted graph II.
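The construction of step M3-302, worked through in code for the remaining numbers {4, 7, 2, 9, 5}. This is an added example, not code from the patent; the function names and the way a semicircle is recorded (centre, radius, kept side, apex) are assumptions made for illustration.

```python
import math
import random


def build_graph_two(remaining, rng=None):
    """Build the geometry of encrypted graph II from the remaining numbers.

    Returns (points, semicircles). Each semicircle records its centre, radius,
    which side of the connecting segment was kept (+1 or -1) and its apex.
    """
    if len(remaining) < 2:
        raise ValueError("at least two remaining numbers are needed to draw a segment")
    rng = rng or random.Random()
    # Position point on the x axis = 1-based sorting position; the numerical
    # point sits above it at the height of the number itself.
    points = [(pos, value) for pos, value in enumerate(remaining, start=1)]
    semicircles = []
    for (x1, y1), (x2, y2) in zip(points, points[1:]):
        dx, dy = x2 - x1, y2 - y1
        diameter = math.hypot(dx, dy)      # never 0: dx is always 1
        radius = diameter / 2
        centre = ((x1 + x2) / 2, (y1 + y2) / 2)
        side = rng.choice((1, -1))         # the random cut: which half is kept
        # Unit normal of the segment, pointing towards the kept side.
        nx, ny = side * -dy / diameter, side * dx / diameter
        apex = (centre[0] + nx * radius, centre[1] + ny * radius)
        semicircles.append({"ends": ((x1, y1), (x2, y2)), "centre": centre,
                            "radius": radius, "side": side, "apex": apex})
    return points, semicircles


def variant_count(remaining):
    """Number of distinct figures the random semicircle choice can produce."""
    return 2 ** (len(remaining) - 1)


if __name__ == "__main__":
    pts, semis = build_graph_two([4, 7, 2, 9, 5], random.Random(2024))
    print("numerical points:", pts)
    for s in semis:
        print(s["ends"], "diameter=%.3f" % (2 * s["radius"]), "side=%+d" % s["side"])
    print("possible figures for these numbers:", variant_count([4, 7, 2, 9, 5]))
```

Because each semicircle is cut at random, the same five numbers can yield 16 different figures, so the side chosen for every segment has to be stored with the figure if it must later be reproduced exactly.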
M4: scan the uploaded data and extract from it all content other than text content, including numbers, pictures, video and the like, and encrypt that content using encrypted graph I; encrypt the text content in the uploaded data using encrypted graph II;
Usage audit: record the access-related information of each data access, where the access-related information comprises the access time, the requester identity and the accessed data;
Usage audit is also used, when the corresponding data triggers an abnormal access request, to regenerate the encryption graphs of that data according to steps M1-M4 and to replace the old encryption graphs with the new ones;
As data access requests are received, the access frequency of the uploaded data within a set time period is analyzed; the data provider presets the highest allowed access frequency of the uploaded data within the set time period, and if the access frequency of the uploaded data in a given set time period is higher than the preset highest allowed access frequency, a policy adjustment signaling is triggered and sent to the data provider so that the data use policy can be adjusted;
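The access-frequency check of the usage audit, run over a small audit log. This is an added example, not code from the patent; the log entries are constructed, and the fixed one-hour windows, the names and the shape of the signaling record are assumptions, since the text only speaks of a "set time period".

```python
from collections import Counter
from datetime import datetime, timedelta

EPOCH = datetime(2024, 1, 1)      # constructed origin of the time windows
PERIOD = timedelta(hours=1)       # assumed length of the set time period
# Highest allowed access frequency per period, preset by each data provider.
MAX_ALLOWED = {"dataset-A": 3, "dataset-B": 2}


def at(hhmm):
    """Helper for building the constructed log: 'HH:MM' on the epoch day."""
    return EPOCH + timedelta(hours=int(hhmm[:2]), minutes=int(hhmm[3:]))


# Constructed audit records: (access time, requester identity, accessed data).
AUDIT_LOG = [
    (at("09:05"), "alice", "dataset-A"),
    (at("09:10"), "bob", "dataset-A"),
    (at("09:20"), "alice", "dataset-A"),
    (at("09:30"), "carol", "dataset-B"),
    (at("09:40"), "carol", "dataset-B"),
    (at("09:50"), "dave", "dataset-A"),
    (at("10:15"), "alice", "dataset-A"),
]


def policy_adjustment_signals(log, max_allowed, period=PERIOD, epoch=EPOCH):
    """Return one signaling record per (data, period) whose access count is
    higher than the preset maximum; a count equal to the maximum is allowed."""
    counts = Counter()
    for ts, _requester, data_id in log:
        window = (ts - epoch) // period        # index of the period containing ts
        counts[(data_id, window)] += 1
    signals = []
    for (data_id, window), n in sorted(counts.items()):
        limit = max_allowed.get(data_id)
        if limit is not None and n > limit:
            signals.append({"data": data_id,
                            "window_start": epoch + window * period,
                            "count": n, "limit": limit})
    return signals


if __name__ == "__main__":
    for sig in policy_adjustment_signals(AUDIT_LOG, MAX_ALLOWED):
        print("policy adjustment signaling ->", sig)
```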
Example 2
Referring to fig. 2, Example 2 of the present application provides a data circulation device based on data usage control, corresponding to the data circulation method based on data usage control provided in Example 1 of the present application. Example 2 is merely a preferred embodiment of Example 1, and the implementation of Example 2 does not affect the implementation of Example 1 alone.
Specifically, Example 2 of the present application provides a data circulation device based on data usage control, which differs in that the device includes a data uploading module, a data access module, a control access module, a data storage module and a data auditing module;
The data uploading module is used by the data provider to send data to the data storage center and to define a data use policy; after the definition is completed, the uploaded data is associated with the use policy and stored in the data storage center;
The data access module is used by a data requester to send a data access request and to provide the identity verification information of that requester;
The control access module is used to comprehensively analyze the identity verification information and the data access request of the data requester and to execute the corresponding steps to determine whether the data requester is authorized to access;
The data storage module is used to construct the data storage center and to encrypt data according to a preset encryption rule;
The data auditing module is used to record the access-related information of each data access, where the access-related information comprises the access time, the requester identity and the accessed data.
The preferred embodiments of the invention disclosed above are intended only to assist in the explanation of the invention. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and the full scope and equivalents thereof.

Claims (5)

1. A data circulation method based on data usage control, characterized by comprising:
Data provision: the data provider sends the data to the data storage center and defines a data usage policy; after the definition is completed, the uploaded data is associated with the usage policy and stored in the data storage center;
Data request: the data requester issues a data access request and provides the corresponding identity authentication information of the requester;
Circulation control: the data requester's identity authentication information and data access request are comprehensively analyzed, and the corresponding steps are executed to decide whether to authorize the data requester to access;
Storage center: after the data provider sends the data to the data storage center, the data is encrypted based on the preset encryption rules;
The data is encrypted based on the preset encryption rules, specifically:
M1: the uploaded data is classified by its nature, and the keys generated for different categories are set to have different compositions; a corresponding random key is randomly generated for the data uploaded by the data provider; the random key is randomly composed of numbers, symbols and letters;
M2: after the corresponding random key is generated, the numbers in the random key are extracted as the numbers to be processed, and the letters and symbols in the random key are converted into numbers based on the preset conversion rules;
The preset conversion rules set the number corresponding to each letter and symbol, and, according to the preset adjustment time interval, the numbers corresponding to the letters and symbols are adjusted each time a preset adjustment time point is reached;
M3: after the conversion in step M2 is completed, the converted numbers are combined with the numbers to be processed and randomly shuffled to obtain a new number combination; based on the number combination, encrypted graph I and encrypted graph II of the uploaded data are constructed;
M3-301: the first three groups of numbers are extracted from the number combination and each is substituted into the preset encryption formula for calculation, giving three groups of calculated numbers; the three groups of calculated numbers are filled into the pre-built encryption frame, and after filling, encrypted graph I is obtained;
M3-302: after step M3-301, the remaining numbers in the number combination are extracted and counted; after the counting is completed, a plane rectangular coordinate system is constructed, position points are drawn on the x axis of the plane rectangular coordinate system according to the sorting positions of the remaining numbers in the number combination, and after that drawing is completed, the corresponding numerical points are drawn using the number at each position point as the value;
After all the numerical points are drawn, adjacent numerical points are connected by straight line segments, a circle is drawn with the length of the straight line segment between two adjacent numerical points as its diameter, and, with the straight line segment as the cutting boundary, a semicircle is randomly cut out; when all the cutting is completed, the resulting figure is taken as encrypted graph II;
M4: the uploaded data is scanned, all content other than text content is extracted from the uploaded data and encrypted using encrypted graph I; the text content in the uploaded data is encrypted using encrypted graph II;
Usage audit: the access-related information of each data access is recorded; the access-related information includes the access time, the requester identity and the accessed data.

2. The data circulation method based on data usage control according to claim 1, characterized in that the data usage policy is defined as follows:
The nature of the data uploaded by the data provider is extracted and the data is classified; each kind of data is preset to correspond to a set of basic policy templates; based on the classification result of the data uploaded by the current data provider, the basic policy template set corresponding to the uploaded data is obtained;
The three policy templates with the highest number of uses are extracted from the basic policy template set corresponding to the uploaded data and pushed to the data provider of the currently uploaded data; the data provider selects one of these three policy templates as the basic template and, after customizing the basic template, uses it as the data usage policy of the currently uploaded data; the data usage policy includes data access rights, data sharing scope and data retention period.

3. The data circulation method based on data usage control according to claim 1, characterized in that the corresponding steps executed to decide whether to authorize the data requester to access are specifically:
S1: verify the identity authentication information provided by the data requester; if the verification succeeds, execute step S2; if the verification fails, execute step S3;
S2: after successful verification, send a location feedback instruction to the data requester; the data requester confirms after receiving the location feedback instruction, which yields the location from which the data requester is currently issuing the data access request; compare that location with the set safe access range; if it is within the set safe access range, the data requester is determined to be making a safe access and is authorized to access; if it is outside the set safe access range, execute step S2-201;
S3: mark the data access request issued by the data requester on this occasion as an abnormal access request, and restrict the data access requests of that requester within a set time period.

4. The data circulation method based on data usage control according to claim 3, characterized in that the specific execution steps of step S2-201 are:
S2-201: match the location of the data requester against the historical location information; if the match succeeds, the data requester is determined to be making a safe access; if the match fails, the data requester is determined to be making an off-site access, and step S2-202 is executed;
S2-202: obtain the stay duration of the data requester, where timing starts when the data requester enters the data storage center and ends when the data access request is issued, and the length of that interval is taken as the stay duration of the data requester; count the number of access requests of the data requester within the set time period;
Mark the time point at which the data requester issued the data access request and match the marked time point against the set regular time range; a match failure and a match success are each preset to correspond to a set of weight coefficients for the stay duration and the number of access requests;
Based on the matching result, multiply the stay duration and the number of access requests of the data requester by the corresponding weight coefficients and sum the products to obtain the hidden danger assessment index of the data requester;
Based on the data usage policy of the data the requester is accessing, a reference hidden danger assessment index is preset for each piece of data for use in the comparison; compare the hidden danger assessment index of the data requester with the corresponding reference hidden danger assessment index; if the hidden danger assessment index of the data requester is less than the corresponding reference hidden danger assessment index, the data requester is determined to be making a safe access; otherwise, step S3 is executed.

5. A data circulation device based on data usage control, applied to the data circulation method based on data usage control according to any one of claims 1 to 4, characterized by comprising:
Data upload module: the data provider sends the data to the data storage center and defines a data usage policy; after the definition is completed, the uploaded data is associated with the usage policy and stored in the data storage center;
Data access module: the data requester issues a data access request and provides the corresponding identity authentication information of the requester;
Control access module: comprehensively analyzes the data requester's identity authentication information and data access request, and executes the corresponding steps to decide whether to authorize the data requester to access;
Data storage module: builds the data storage center and encrypts data based on the preset encryption rules;
Data audit module: records the access-related information of each data access; the access-related information includes the access time, the requester identity and the accessed data.
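The authorization flow of claims 3 and 4 (S1, S2, S2-201, S2-202, S3) as a single decision function. This is an added example, not code from the patent; the step labels come from the claims, while the class and field names, the locations, the weight coefficients and the reference index are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    authenticated: bool      # outcome of the S1 identity verification
    location: str            # location confirmed by the requester in S2
    stay_minutes: float      # from entering the storage center to issuing the request
    requests_in_period: int  # access requests within the set time period
    hour: int                # hour of day at which the request was issued


@dataclass(frozen=True)
class Policy:
    safe_locations: frozenset  # the set safe access range
    regular_hours: range       # the set regular time range
    weights_regular: tuple     # (stay weight, request-count weight) on a time match
    weights_irregular: tuple   # weights used when the time match fails
    reference_index: float     # reference index preset for the requested data


def hazard_index(req, policy):
    """S2-202: weighted sum of stay duration and number of access requests."""
    matched = req.hour in policy.regular_hours
    w_stay, w_count = policy.weights_regular if matched else policy.weights_irregular
    return w_stay * req.stay_minutes + w_count * req.requests_in_period


def decide(req, policy, history):
    """Return (decision, deciding step) following S1 -> S2 -> S2-201 -> S2-202."""
    if not req.authenticated:
        return ("restrict", "S3")            # marked abnormal, requester restricted
    if req.location in policy.safe_locations:
        return ("authorize", "S2")
    if req.location in history:              # matches a historical location
        return ("authorize", "S2-201")
    # Off-site access: only an index strictly below the reference is safe.
    if hazard_index(req, policy) < policy.reference_index:
        return ("authorize", "S2-202")
    return ("restrict", "S3")


# Constructed values; the patent gives no concrete weights or thresholds.
POLICY = Policy(frozenset({"Beijing"}), range(8, 18), (0.5, 2.0), (1.0, 4.0), 12.0)
HISTORY = {"Shenzhen"}

if __name__ == "__main__":
    for r in (Request(True, "Chengdu", 10, 3, 10), Request(True, "Chengdu", 10, 3, 23)):
        print(r.location, r.hour, hazard_index(r, POLICY), decide(r, POLICY, HISTORY))
```

The same off-site request is authorized during regular hours (index 11 against a reference of 12) and restricted at 23:00 (index 22); an index exactly equal to the reference also falls through to S3, because the claim requires it to be less than the reference.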
Priority Applications (1)

Application Number Priority Date Filing Date Title Status Publication
CN202411590141.3A 2024-11-08 2024-11-08 Data circulation method and device based on data use control Active CN119442324B (en)

Publications (2)

Publication Number Publication Date
CN119442324A CN119442324A (en) 2025-02-14
CN119442324B true CN119442324B (en) 2025-04-29

Family

ID=94524860

Country Status (1)

Country Link
CN (1) CN119442324B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant