CN119696850A - Distributed multi-mode data cross-trust domain data sharing method and system - Google Patents

Info

Publication number: CN119696850A
Authority: CN (China)
Prior art keywords: data, access, trust, domain, cross
Legal status: Granted
Application number: CN202411775518.2A
Other languages: Chinese (zh)
Other versions: CN119696850B (granted publication)
Inventors: 何致远, 林露馨, 倪文书, 潘丹, 林育樟, 蔡宇翔, 陈久健, 李霆, 何宇鹏, 付婷
Current assignee: State Grid Fujian Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Original assignee: State Grid Fujian Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Application filed by State Grid Fujian Electric Power Co Ltd and Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Priority to CN202411775518.2A
Publication of CN119696850A; application granted; publication of CN119696850B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Hardware Redundancy (AREA)

Abstract

The present invention provides a distributed multi-mode data cross-trust domain data sharing method and system, which relates to the field of data sharing technology, including type identification and format standardization processing of heterogeneous data provided by multiple data source nodes; dividing data source nodes into different trust domains based on security level, authorization scope and protection strategy; constructing a cross-trust domain data mapping model to establish a data synchronization channel; verifying access rights through smart contracts and recording access logs; synchronizing data status using a distributed consensus mechanism based on a Byzantine fault-tolerant algorithm, and resolving data conflicts through version control. The present invention realizes the secure sharing and state consistency maintenance of heterogeneous data, and improves the reliability and fault tolerance of cross-trust domain data sharing.

Description

Distributed multi-mode data cross-trust-domain data sharing method and system
Technical Field
The invention relates to the technical field of data sharing, in particular to a distributed multi-mode data cross-trust-domain data sharing method and system.
Background
With the rapid development of distributed systems and data sharing requirements, data collaboration across organizations and departments is becoming increasingly common. Different organizations often adopt different data storage formats and management modes, forming heterogeneous data source nodes. These data source nodes constitute independent trust domains based on their respective security requirements and data protection policies. On the premise of ensuring data security and privacy, realizing efficient sharing of heterogeneous data across trust domains has become a technical problem that currently needs to be solved.
The prior art lacks a unified management mechanism for heterogeneous data sources, and inconsistent data formats make sharing inefficient. The traditional centralized data sharing mode is difficult to adapt to a multi-trust-domain scenario and carries single-point-of-failure risk, and existing data synchronization schemes cannot effectively handle node faults and malicious behaviour, so data consistency is hard to guarantee. These problems severely restrict the widespread adoption of cross-trust-domain data sharing.
Therefore, there is a need for a data sharing method and system that can solve the problems of data standardization, secure sharing and consistency maintenance in heterogeneous data sharing across trust domains.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a distributed multi-mode data cross-trust-domain data sharing method and system, which realize safe and reliable data sharing among multiple trust domains by constructing a smart-contract-based data access control mechanism, a cross-domain data mapping model and a Byzantine fault-tolerant consensus mechanism, and which keep the system operating normally when some nodes fail or behave maliciously.
The technical scheme of the invention is as follows:
the invention provides a distributed multi-mode data cross-trust-domain data sharing method, which comprises the following steps:
Receiving heterogeneous data provided by a plurality of data source nodes, and carrying out data type identification and format standardization processing on the heterogeneous data; dividing the plurality of data source nodes into different trust domains based on the security level of a data provider, the data use authorization range and the data protection policy, wherein each trust domain comprises at least one data source node and is assigned with a unique domain identifier;
Constructing a cross-trust domain data mapping model, wherein the data mapping model comprises a data field mapping relation, a data format conversion rule and a data consistency check rule; based on the data mapping model, establishing a data synchronization channel between different trust domains, wherein the data synchronization channel adopts an end-to-end encryption mode to transmit data;
When a data requesting party initiates a cross-domain data access request, verifying the access authority of the data requesting party through the smart contract, and recording a data access log;
Adopting a distributed consensus mechanism and a version control mechanism based on a Byzantine fault tolerance algorithm to synchronize data between different trust domains.
According to a preferred embodiment of the invention, receiving heterogeneous data provided by a plurality of data source nodes, carrying out data type identification and format standardization processing on the heterogeneous data, dividing the plurality of data source nodes into different trust domains based on the security level of the data provider, the data use authorization range and the data protection policy, wherein each trust domain comprises at least one data source node and is assigned a unique domain identifier, and deploying smart contracts in each trust domain for managing data access rights and data sharing rules in the domain, comprises:
The method comprises the steps of receiving heterogeneous data provided by a plurality of data source nodes, analyzing the heterogeneous data through a feature extraction algorithm to obtain heterogeneous features, specifically structural features, content features and metadata features, carrying out data type identification on the heterogeneous data based on the heterogeneous features, dividing the heterogeneous data into structured data, semi-structured data and unstructured data according to the data type identification result, constructing a unified data representation model based on a graph data model, converting the structured data, the semi-structured data and the unstructured data into standardized formats corresponding to the graph data model by adopting a data conversion adapter, and storing the standardized formats;
The method comprises the steps of analyzing the security level of each data source node, wherein the security level comprises a data security protection capability index, a historical credit record index and a technical guarantee level index, acquiring a data use authorization range of each data source node, wherein the data use authorization range comprises a data sharable user group, a permission use scene and a time limit, extracting a data protection strategy of each data source node, wherein the data protection strategy comprises a data desensitization level, an access frequency limit and a transmission encryption requirement;
Deploying a smart contract in each trust domain, wherein the smart contract is implemented on the Hyperledger Fabric framework and comprises an access right management module, a data sharing rule module and an access audit module; the access right management module implements fine-grained access control of data in the domain based on the RBAC model, the data sharing rule module configures and executes data sharing policies, and the access audit module records data access operations.
As a preferred implementation mode of the invention, a data mapping model crossing trust domains is constructed, the data mapping model comprises a data field mapping relation, a data format conversion rule and a data consistency check rule, a data synchronization channel is established between different trust domains based on the data mapping model, and the data synchronization channel adopts an end-to-end encryption mode to transmit data and comprises the following steps:
Analyzing the data modes of a source trust domain and a target trust domain, extracting field characteristic information, inputting the field characteristic information into a deep learning model to generate a field similarity matrix, constructing a data field mapping relation based on the field similarity matrix, formulating a data format conversion rule according to the type difference in the data field mapping relation, establishing a data consistency check rule based on the data field mapping relation, and combining the data field mapping relation, the data format conversion rule and the data consistency check rule to generate the data mapping model;
The method comprises the steps of analyzing data transmission requirements based on a data mapping model, determining a communication link specification, establishing a special communication link between trust domains according to the communication link specification, generating an asymmetric encryption key pair for the special communication link, carrying out end-to-end encryption on the special communication link by using the asymmetric encryption key pair to form the data synchronization channel, and configuring transmission parameters of the data synchronization channel according to the data scale of the data mapping model;
processing source data by adopting the data field mapping relation to complete field mapping, performing format conversion on the mapped data by using the data format conversion rule, verifying a conversion result by applying the data consistency check rule, taking the verified data as data to be transmitted, and transmitting the data to be transmitted to a target trust domain through the data synchronization channel;
receiving encrypted data in a target trust domain, decrypting the received data by using the asymmetric encryption key pair, performing data reverse conversion according to the data mapping model, verifying the integrity and consistency of the converted data, writing the verified data into a target trust domain storage system, generating a data synchronization status report, and realizing data synchronization processing;
Analyzing abnormal conditions in the data synchronization status report, correcting a data field mapping relation and a data format conversion rule of the data mapping model according to the abnormal conditions, monitoring performance indexes of the data synchronization channel, optimizing transmission parameters of the data synchronization channel based on the performance indexes, updating configuration of the data mapping model and the data synchronization channel, and optimizing a synchronization mechanism.
As a preferred embodiment of the present invention, a data flow control module is disposed in the data synchronization channel, and the data flow control module dynamically adjusts a data transmission rate according to real-time network conditions and data priorities, including:
The method comprises the steps of setting a data flow control module in a data synchronization channel, wherein the data flow control module comprises a network monitoring unit, a data grading unit and a rate adjusting unit, wherein the network monitoring unit deploys network detection points at the receiving and transmitting ends of the data synchronization channel, and the network detection points periodically send detection packets to acquire round trip delay, packet loss rate, available bandwidth and link jitter data;
The data classifying unit divides the data into core service data, general service data and non-key data according to the service importance degree of the data, and divides the data into real-time data, quasi-real-time data and offline data according to the timeliness requirement of the data;
The rate adjusting unit calculates a current network load coefficient based on the network condition evaluation matrix, wherein the network load coefficient is determined by a round trip delay change rate, a packet loss rate and a bandwidth utilization rate, calculates a reference transmission rate by adopting an improved addition increasing multiplication decreasing algorithm according to the network load coefficient, and distributes the reference transmission rate to data streams with different priorities according to the resource distribution weight so as to realize dynamic adjustment of the data transmission rate.
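The flow control step above names its inputs (round trip delay change rate, packet loss rate, bandwidth utilisation), an "improved" additive-increase multiplicative-decrease rule and priority-weighted distribution, but publishes no weights or step sizes. The following Python is an added illustration, not code from the patent: the weights, the loss scaling, the load threshold, the AIMD step sizes and the three priority weights are all assumed values.

```python
from typing import Dict

# Assumed parameters: the patent names the three inputs of the network load coefficient
# and an "improved" AIMD rule but does not publish weights or step sizes, so these are
# illustrative values, not the patent's.
LOAD_WEIGHTS = {"rtt_change": 0.4, "loss": 0.4, "util": 0.2}
LOSS_SCALE = 10.0           # a 10% packet loss rate saturates the loss indicator at 1.0
LOAD_HIGH = 0.6             # load coefficient at or above this is treated as congestion
ADDITIVE_STEP_MBPS = 2.0
MULTIPLICATIVE_CUT = 0.5
PRIORITY_WEIGHTS = {"core": 0.5, "general": 0.3, "non-key": 0.2}  # resource distribution weights


def _clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def load_coefficient(rtt_change_rate: float, loss_rate: float, utilisation: float) -> float:
    """Network load coefficient in [0, 1] from the probe-derived indicators."""
    return (LOAD_WEIGHTS["rtt_change"] * _clamp(rtt_change_rate)
            + LOAD_WEIGHTS["loss"] * _clamp(loss_rate * LOSS_SCALE)
            + LOAD_WEIGHTS["util"] * _clamp(utilisation))


def reference_rate(current_rate: float, load: float, available_bandwidth: float) -> float:
    """AIMD variant: the additive step shrinks as load grows and the multiplicative
    cut deepens with load, so a lightly loaded link ramps up quickly while a heavily
    loaded one backs off hard. The result never exceeds the measured available bandwidth."""
    if load < LOAD_HIGH:
        new_rate = current_rate + ADDITIVE_STEP_MBPS * (1.0 - load)
    else:
        new_rate = current_rate * (1.0 - MULTIPLICATIVE_CUT * load)
    return min(new_rate, available_bandwidth)


def distribute(rate: float, active_classes) -> Dict[str, float]:
    """Share the reference rate among the priority classes that currently have data
    queued, renormalising the weights over just those classes."""
    total = sum(PRIORITY_WEIGHTS[c] for c in active_classes)
    return {c: rate * PRIORITY_WEIGHTS[c] / total for c in active_classes}


def adjust(probe: Dict[str, float], current_rate: float, active_classes) -> Dict[str, float]:
    """One control step: probe sample -> load coefficient -> reference rate -> per-class rates."""
    load = load_coefficient(probe["rtt_change_rate"], probe["loss_rate"], probe["utilisation"])
    rate = reference_rate(current_rate, load, probe["available_bandwidth"])
    return {"load": load, "reference_rate": rate, **distribute(rate, active_classes)}
```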
As a preferred embodiment of the invention, when a data requesting party initiates a cross-domain data access request, verifying the access authority of the data requesting party through the smart contract and recording a data access log comprises:
Receiving a cross-domain data access request initiated by a data requester, wherein the cross-domain data access request comprises an access target, a requester identity credential and a data use purpose;
Matching the verification result against a preset access control policy matrix, wherein the access control policy matrix comprises an authority level matching rule and a usage scenario rule, and judging based on the matching result whether the access authority level of the data requester meets the access requirement of the access target and whether the data usage purpose conforms to the usage scenario rule;
When the access permission level meets the access requirement and the data use purpose conforms to the usage scenario rule, acquiring the historical access record of the data requester and calculating a credit score based on it; generating an access transaction identifier, and recording the requester's identity credential, the access time, the access target, the data use purpose and the credit score in an access log, wherein the access log adopts a chained storage structure and is stored in an encrypted manner through a cryptographic hash function;
When the credit score is higher than a preset credit threshold, acquiring data to be accessed corresponding to the access target, identifying a sensitive field in the data to be accessed, and setting a differential privacy budget parameter based on the sensitivity of the sensitive field and the data use purpose;
selecting a differential privacy processing mode according to the data type of the data to be accessed: adding random noise following the Laplace distribution to numeric data, randomizing categorical data with an exponential mechanism, and replacing sensitive information in text data with a semantics-preserving desensitization algorithm, thereby generating privacy-processed data;
acquiring historical data distribution characteristics of the data to be accessed, constructing a noise compensation model based on the historical data distribution characteristics, optimizing noise in the privacy-treated data to obtain optimized data;
And when the privacy protection intensity and the data utility index meet the requirement of a preset privacy threshold, returning the optimized data to the data requester as an access result, and recording the return state of the access result in the access log.
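The access path above (policy-matrix match, credit score, hash-chained log entry, Laplace noise on numeric fields) can be exercised end to end. This Python block is an added example and not the patent's code: the policy matrix, the credit threshold of 0.7, the "fraction of compliant past accesses" scoring rule, the sensitivity table and the privacy budget are all assumed values, and the exponential-mechanism and text paths are left out.

```python
import hashlib
import json
import math
import random
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed preset values: the patent names a credit threshold, a policy matrix and
# sensitivity-based privacy budgets but gives no concrete numbers for them.
CREDIT_THRESHOLD = 0.7
POLICY_MATRIX = {  # access target -> (minimum permission level, allowed usage scenarios)
    "ehr/patient_summary": (2, {"scientific research", "medical diagnosis"}),
}
SENSITIVE_NUMERIC = {"age": 1.0}  # sensitive field -> global sensitivity for the Laplace scale


@dataclass
class LogEntry:
    tx_id: str
    requester: str
    access_time: int
    target: str
    purpose: str
    credit_score: float
    prev_hash: str
    entry_hash: str = ""


class ChainedAccessLog:
    """Append-only log in which every entry carries the SHA-256 of its predecessor,
    so altering any earlier record invalidates every hash after it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    @staticmethod
    def _digest(e: LogEntry) -> str:
        body = {k: v for k, v in e.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, requester: str, access_time: int, target: str,
               purpose: str, credit_score: float) -> LogEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        tx_id = hashlib.sha256(f"{requester}|{access_time}|{target}|{prev}".encode()).hexdigest()[:16]
        entry = LogEntry(tx_id, requester, access_time, target, purpose, credit_score, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def credit_score(history: List[bool]) -> float:
    """Assumed scoring rule: fraction of the requester's past accesses that were
    policy-compliant; a requester with no history gets a neutral 0.5."""
    return sum(history) / len(history) if history else 0.5


def laplace_noise(sensitivity: float, epsilon: float, uniform: Callable[[], float]) -> float:
    """One Laplace(0, sensitivity/epsilon) sample by inverse CDF from a uniform draw."""
    b = sensitivity / epsilon
    u = uniform() - 0.5
    return -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def handle_request(req: Dict, record: Dict, log: ChainedAccessLog, history: List[bool],
                   epsilon: float = 0.5, uniform: Callable[[], float] = random.random) -> Dict:
    """Policy-matrix check, credit gate, chained log entry, then Laplace noise on the
    sensitive numeric fields of the returned record. The original record is not modified."""
    min_level, scenarios = POLICY_MATRIX.get(req["target"], (math.inf, set()))
    if req["level"] < min_level or req["purpose"] not in scenarios:
        return {"granted": False, "reason": "policy matrix mismatch"}
    score = credit_score(history)
    entry = log.append(req["requester"], req["time"], req["target"], req["purpose"], score)
    if score <= CREDIT_THRESHOLD:
        return {"granted": False, "reason": "credit below threshold", "tx_id": entry.tx_id}
    out = dict(record)
    for name, sensitivity in SENSITIVE_NUMERIC.items():
        if name in out:
            out[name] = out[name] + laplace_noise(sensitivity, epsilon, uniform)
    return {"granted": True, "tx_id": entry.tx_id, "data": out}
```

Passing `uniform=lambda: 0.75` gives a reproducible noise sample (2·ln 2 with sensitivity 1 and ε = 0.5), which is how the behaviour can be checked without a random generator.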
As a preferred embodiment of the present invention, adopting a distributed consensus mechanism and a version control mechanism based on a Byzantine fault tolerance algorithm to synchronize data between different trust domains comprises:
The method comprises the steps of constructing a distributed consensus network crossing trust domains, deploying state synchronization nodes in different trust domains, dividing the state synchronization nodes into a consensus node group and a verification node group, calculating trust scores based on node historical behaviors, and selecting a node with the highest trust score as a master node;
receiving a data state change request in a trust domain, wherein the data state change request comprises a data content hash value, a change time stamp, an operation sequence and a version number, verifying the validity of the data state change request by the master node, and generating a state synchronous proposal;
The consensus node group votes on the state synchronization proposal based on a Byzantine fault tolerance algorithm; when the number of votes exceeds the fault tolerance threshold, a pre-commit message is broadcast to the state synchronization nodes of the trust domains outside the current trust domain;
A version control mechanism is established among all trust domains and comprises a version tree structure; a branch version is created in the version tree structure when cross-domain concurrent modification is detected, and the main version is determined through Byzantine fault-tolerant consensus;
Analyzing the concurrent operation sequences of different trust domains, identifying compatible operations and conflicting operations, merging the compatible operations into the main version, determining a final operation sequence for the conflicting operations through cross-domain Byzantine fault-tolerant consensus, and submitting the merged state update to each trust domain for synchronization;
Monitoring the running state of the nodes in each trust domain, including response latency, message integrity and consensus participation; when a node fault or malicious behaviour is detected, removing the abnormal node from the consensus process and recalculating the fault tolerance threshold to ensure that the number of remaining normal nodes still meets the Byzantine fault tolerance requirement.
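The consensus and version-control steps above can be made concrete with the classical Byzantine bound n ≥ 3f + 1 (so f = (n − 1) // 3 and a quorum of 2f + 1 votes). The Python below is an added illustration, not the patent's implementation: the trust scores, the "compatible means different keys or identical writes" rule and the two-option vote between operation sequences are assumptions; it also shows the caveat that removing a node can leave the group unable to tolerate any fault.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class StateChangeRequest:
    """Fields named by the patent: content hash, change timestamp, operation sequence, version."""
    content_hash: str
    timestamp: int
    operations: Tuple[Tuple[str, str], ...]   # ordered (key, new value) pairs
    version: int


def make_request(content: bytes, timestamp: int, operations, version: int) -> StateChangeRequest:
    return StateChangeRequest(hashlib.sha256(content).hexdigest(), timestamp, tuple(operations), version)


def validate_request(req: StateChangeRequest, content: bytes, current_version: int) -> bool:
    """Master-node validity check: the hash matches the content and the request
    builds directly on the current version."""
    return hashlib.sha256(content).hexdigest() == req.content_hash and req.version == current_version + 1


class ConsensusGroup:
    """Consensus node group of one trust domain; trust scores are assumed inputs."""

    def __init__(self, trust_scores: Dict[str, float]) -> None:
        self.nodes = dict(trust_scores)

    def master(self) -> str:
        """Node with the highest trust score (name breaks ties deterministically)."""
        return max(self.nodes, key=lambda n: (self.nodes[n], n))

    def fault_threshold(self) -> int:
        # Byzantine bound n >= 3f + 1, so the largest tolerable f is (n - 1) // 3
        return (len(self.nodes) - 1) // 3

    def quorum(self) -> int:
        return 2 * self.fault_threshold() + 1

    def decide(self, votes: Dict[str, str]) -> Optional[str]:
        """Option that reached quorum among current (non-eliminated) nodes, else None."""
        tally: Dict[str, int] = {}
        for node, option in votes.items():
            if node in self.nodes:
                tally[option] = tally.get(option, 0) + 1
        for option, count in tally.items():
            if count >= self.quorum():
                return option
        return None

    def eliminate(self, node: str) -> int:
        """Drop a faulty or malicious node and return the recalculated fault threshold."""
        self.nodes.pop(node, None)
        return self.fault_threshold()

    def meets_requirement(self, faults_to_tolerate: int) -> bool:
        return len(self.nodes) >= 3 * faults_to_tolerate + 1


def merge_concurrent(base: Dict[str, str], ops_a: Dict[str, str], ops_b: Dict[str, str],
                     group: ConsensusGroup, votes: Dict[str, str]) -> Tuple[Optional[Dict], Dict]:
    """Two concurrent cross-domain modifications: writes to different keys (or identical
    writes) are compatible and merged into the main version; the same key written with
    different values is a conflict, settled by a BFT vote between sequence 'A' and 'B'.
    Returns (merged state, conflicts), with merged state None when no quorum was reached."""
    merged = dict(base)
    conflicts: Dict[str, Tuple[str, str]] = {}
    for key in sorted(set(ops_a) | set(ops_b)):
        if key in ops_a and key in ops_b and ops_a[key] != ops_b[key]:
            conflicts[key] = (ops_a[key], ops_b[key])
        else:
            merged[key] = ops_a[key] if key in ops_a else ops_b[key]
    if conflicts:
        winner = group.decide(votes)
        if winner not in ("A", "B"):
            return None, conflicts
        for key, (value_a, value_b) in conflicts.items():
            merged[key] = value_a if winner == "A" else value_b
    return merged, conflicts
```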
The invention also provides a distributed multi-mode data cross-trust domain data sharing system, which comprises a data access and trust management unit, a cross-domain data mapping and synchronizing unit, an access control and privacy protection unit and a consensus achievement and version management unit, wherein:
The data access and trust management unit receives heterogeneous data provided by a plurality of data source nodes, performs data type identification and format standardization processing on the heterogeneous data, divides the plurality of data source nodes into different trust domains based on the security level of the data provider, the data use authorization range and the data protection policy, assigns a unique domain identifier to each trust domain, and deploys a smart contract in each trust domain, wherein the smart contract is used for managing data access authority and data sharing rules in the trust domain;
a cross-trust domain data mapping model is built in the cross-domain data mapping and synchronizing unit, and the data mapping model comprises a data field mapping relation, a data format conversion rule and a data consistency check rule; based on the data mapping model, establishing a data synchronization channel between different trust domains, wherein the data synchronization channel adopts an end-to-end encryption mode to transmit data;
When the data requesting party initiates a cross-domain data access request, the access control and privacy protection unit verifies the access authority of the data requesting party through the smart contract and records a data access log;
the consensus achievement and version management unit adopts a distributed consensus mechanism and a version control mechanism based on a Byzantine fault tolerance algorithm to synchronize data among different trust domains.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the distributed multi-mode data cross-trust domain data sharing method according to any one of the embodiments when executing the program.
The present invention also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a distributed multi-mode data cross-trust domain data sharing method according to any of the embodiments.
The beneficial effects of the application are as follows:
1. By the technical means of dividing trust domains, deploying smart contracts, end-to-end encrypted transmission, differential privacy processing and the like, sensitive data is effectively protected, data leakage is prevented, and data sharing security is enhanced.
2. By constructing a data mapping model and a data synchronization channel which cross the trust domain, standardization and efficient transmission of heterogeneous data are realized, and the data transmission rate is dynamically regulated through a data flow control module, so that the efficiency of cross-domain data sharing is improved.
3. By adopting a distributed consensus mechanism and a version control mechanism, the data state synchronization and the data consistency among different trust domains are ensured, and the stable operation and the data reliability of the system can be ensured even if part of nodes have faults or malicious behaviors.
Drawings
FIG. 1 is a flow chart of a distributed multi-mode data cross-trust domain data sharing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a distributed multi-mode data cross-trust domain data sharing system according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The technical scheme of the invention is described in detail below by specific examples. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Example 1:
Fig. 1 is a flow chart of a distributed multi-mode data cross-trust domain data sharing method according to embodiment 1 of the present invention, as shown in fig. 1, the method includes:
The method comprises the steps of S1, receiving heterogeneous data provided by a plurality of data source nodes, carrying out data type identification and format standardization processing on the heterogeneous data, dividing the plurality of data source nodes into different trust domains based on the security level of a data provider, the data use authorization range and the data protection policy, wherein each trust domain comprises at least one data source node, and distributing a unique domain identifier for each trust domain;
S11, receiving heterogeneous data provided by a plurality of data source nodes; for example, a medical data sharing platform receives patient electronic medical records, medical image data and clinical study data from different hospitals;
Analyzing the heterogeneous data through a feature extraction algorithm to obtain heterogeneous features, wherein the heterogeneous features are specifically structural features, content features and metadata features (such as data tags, data descriptions and the like), and carrying out data type identification on the heterogeneous data based on the heterogeneous features; dividing the heterogeneous data into structured data (e.g., table data in a relational database), semi-structured data (e.g., JSON, XML formatted data) and unstructured data (e.g., text, image, audio video data) according to the result of the data type recognition, e.g., by analyzing whether the data has a fixed pattern and field, determining whether it is structured data;
And constructing a unified data representation model based on the graph data model, converting the structured data, the semi-structured data and the unstructured data into standardized formats corresponding to the graph data model by adopting a data conversion adapter, and storing the standardized formats, particularly converting different types of data into node and edge forms for storage so as to facilitate subsequent processing and analysis. For example, each index in the patient electronic medical record is taken as a node, and the relation among the indexes is taken as an edge, so that a knowledge graph of the health condition of the patient is constructed;
S12, analyzing the security level of each data source node. A data source node is the abstraction of a data provider as one node in the graph data model; the two terms describe the same object in different contexts, so analyzing the security level of each data source node means analyzing the security level of the data provider in step S1. The security level comprises a data security protection capability index (such as whether security certification has been obtained and how complete the security policy is), a historical credit record index (such as past data leakage incidents and the reliability of data quality) and a technical assurance level index (such as the security of data storage and transmission, and the data backup and recovery mechanisms). The data use authorization range of each data source node is also obtained, comprising the data-sharable user group, the permitted usage scenarios (such as scientific research and medical diagnosis) and the time limit;
the content in the above step S12 is further specifically illustrated as follows:
Hospital A has strong data security protection capability, a good historical credit record and a high technical guarantee level; its data use authorization range is limited to scientific research institutions, and its data protection policy requires desensitization. Hospital B has a relatively low data security level, a wider data use authorization range, and a data protection policy that requires data to be encrypted in transit;
S13, dividing the plurality of data source nodes into different trust domains by a hierarchical clustering algorithm based on the security level, the data use authorization range and the data protection policy, wherein each trust domain comprises at least one data source node and the nodes within a domain have similar security levels, data use authorization ranges and data protection policies. For example, hospital A and hospitals with a similar security level are placed in one trust domain, and hospital B and hospitals with a similar security level in another;
assigning a unique Domain identifier, such as "domain_1", "domain_2", to each of the trust domains using a distributed hash algorithm;
S14, deploying a smart contract in each trust domain, wherein the smart contract is implemented on the Hyperledger Fabric framework and comprises an access right management module, a data sharing rule module and an access auditing module. The access right management module implements fine-grained access control of data in the domain based on the RBAC (role-based access control) model; the data sharing rule module configures and executes the data sharing policy, such as defining which users can access which data and how the data may be used; and the access auditing module records data access operations to facilitate tracking and auditing. For example, the smart contract deployed in "domain_1" specifies that only authorized users of the research institution may access the data in the domain, and only for research purposes;
In summary, based on step S1, this embodiment achieves fine-grained management of data with different security levels by dividing trust domains and deploying smart contracts, which effectively prevents data leakage and abuse; it simplifies the data sharing flow and improves sharing efficiency through standardized data formats and unified sharing rules; and it sets up an access audit module that records all data access operations, ensuring the traceability of data sources and usage and improving data reliability.
S2, constructing a data mapping model crossing trust domains, wherein the data mapping model comprises a data field mapping relation, a data format conversion rule and a data consistency check rule;
S21, analyzing the data modes of a source trust domain and a target trust domain and extracting field characteristic information, wherein the source trust domain is the sender/provider of the data and the security boundary environment where the original data resides, and the target trust domain is the receiver/user of the data and the security boundary environment where the data needs to be acquired and used; further illustrated as follows:
The table storing user information in the source domain database contains fields such as "user name", "user ID", "mailbox address" and "telephone number", while the user information table of the target domain contains fields such as "name", "ID", "mail" and "cell phone number". Field characteristic information, such as the semantic similarity of field names and the compatibility of data types, is extracted by analyzing the field names, data types and meanings of the two tables;
The field characteristic information is input into a deep learning model, such as a BERT model, and the extracted field characteristic information is taken as input to generate a field similarity matrix which reflects the similarity degree between each field of the source domain and the target domain. For example, the similarity of "user name" and "name" is 0.9, the similarity of "user ID" and "ID" is 0.95, the similarity of "mailbox address" and "mail" is 0.92, and the similarity of "phone number" and "cell phone number" is 0.88;
And constructing a data field mapping relation based on the field similarity matrix, specifically, mapping the source field to the target field according to the similarity score. A threshold value, e.g. 0.8, is set, only fields with a similarity higher than the threshold value will be mapped. For example, "user name" maps to "name", "user ID" maps to "ID", "mailbox address" maps to "mail", "phone number" maps to "cell phone number";
according to the type difference in the data field mapping relation, a data format conversion rule is formulated, for example, the "phone number" field storage format of the source domain is "+86-12345678901", and the "phone number" field storage format of the target domain is "12345678901". A conversion rule is required to be formulated, and the prefix of +86-' is removed;
data consistency check rules are established based on the data field mapping relationship, for example, the "user ID" field of the source domain is unique, and the "ID" field of the target domain must also be unique. The check rule can ensure that the data still keeps consistency after mapping and conversion;
combining the data field mapping relation, the data format conversion rule and the data consistency check rule to generate the data mapping model;
S22, establishing a data synchronization channel:
Analyzing data transmission requirements, such as data volume, transmission frequency and security requirements, based on the data mapping model, and determining the communication link specification, such as bandwidth, delay and encryption algorithm;
Establishing a dedicated communication link between the trust domains according to the communication link specification, for example a point-to-point connection using VPN or SDN technology;
Generating an asymmetric encryption key pair for the dedicated communication link, comprising a public key and a private key, wherein the public key is used to encrypt data and the private key to decrypt it;
Applying end-to-end encryption to the dedicated communication link using the asymmetric key pair to form the data synchronization channel, so that only the target domain holding the private key can decrypt the data;
Configuring the transmission parameters of the data synchronization channel, such as packet size, transmission rate and retransmission mechanism, according to the data scale of the data mapping model;
s23, performing data mapping conversion:
Processing the source data by adopting the data field mapping relation to finish field mapping, for example, mapping a 'user name' field value in the source data to a 'name' field in the target data;
performing format conversion on the mapped data by using the data format conversion rule, for example, converting "+86-12345678901" in the source data into "12345678901";
verifying the conversion result by applying the data consistency check rule, for example, checking whether an 'ID' field in the target data is unique;
Transmitting the data to be transmitted to a target trust domain through the data synchronization channel;
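The mapping model of step S21 and its application in step S23, as an added illustration that is not the patent's own code. The similarity scores are the constructed values quoted in the description, standing in for the output of a BERT-style model; the rule-table structure and the sample records are assumptions.

```python
"""Added illustration of steps S21 and S23: build the field mapping model from a
similarity matrix and apply it (mapping, format conversion, consistency check).
Not the patent's code; the similarity scores are the constructed values from
the description, standing in for the output of a BERT-style model."""
from typing import Callable, Dict, List, Tuple

# Constructed field similarity matrix: (source field, target field) -> score.
SIMILARITY: Dict[Tuple[str, str], float] = {
    ("user name", "name"): 0.90,
    ("user ID", "ID"): 0.95,
    ("mailbox address", "mail"): 0.92,
    ("phone number", "cell phone number"): 0.88,
    ("user name", "mail"): 0.12,  # below threshold: must not be mapped
}
THRESHOLD = 0.8  # only pairs scoring strictly above this are mapped


def build_field_mapping(similarity: Dict[Tuple[str, str], float],
                        threshold: float = THRESHOLD) -> Dict[str, str]:
    """Map each source field to its best-scoring target field above threshold."""
    best: Dict[str, Tuple[str, float]] = {}
    for (src, dst), score in similarity.items():
        if score > threshold and score > best.get(src, ("", 0.0))[1]:
            best[src] = (dst, score)
    return {src: dst for src, (dst, _) in best.items()}


def strip_country_prefix(value: str) -> str:
    """Format conversion rule: '+86-12345678901' -> '12345678901'."""
    return value[len("+86-"):] if value.startswith("+86-") else value


# Conversion rules keyed by target field (assumed structure).
CONVERSION_RULES: Dict[str, Callable[[str], str]] = {
    "cell phone number": strip_country_prefix,
}


def check_unique(records: List[Dict[str, str]], field: str) -> bool:
    """Consistency check rule: the given target field must hold unique values."""
    values = [r[field] for r in records]
    return len(values) == len(set(values))


def apply_mapping_model(records: List[Dict[str, str]], mapping: Dict[str, str],
                        rules: Dict[str, Callable[[str], str]],
                        unique_field: str = "ID") -> List[Dict[str, str]]:
    """Step S23: map fields, convert formats, then verify consistency.
    Raises ValueError when the check fails, so inconsistent data is never sent.
    Source fields without a mapping are simply not forwarded."""
    converted = []
    for record in records:
        row = {}
        for src, dst in mapping.items():
            value = record[src]
            if dst in rules:
                value = rules[dst](value)
            row[dst] = value
        converted.append(row)
    if not check_unique(converted, unique_field):
        raise ValueError(f"consistency check failed: {unique_field} is not unique")
    return converted


# Constructed source records; "secret note" has no mapping and is dropped.
SOURCE_RECORDS = [
    {"user name": "Alice", "user ID": "u1", "mailbox address": "a@example.org",
     "phone number": "+86-12345678901", "secret note": "internal"},
    {"user name": "Bob", "user ID": "u2", "mailbox address": "b@example.org",
     "phone number": "+86-12345678902", "secret note": "internal"},
]


def demo() -> List[Dict[str, str]]:
    """Run the whole S21 -> S23 path on the constructed records."""
    mapping = build_field_mapping(SIMILARITY)
    return apply_mapping_model(SOURCE_RECORDS, mapping, CONVERSION_RULES)
```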
s24, realizing data synchronization processing:
receiving encrypted data in a target trust domain, decrypting the received data by using the asymmetric encryption key pair, performing data reverse conversion according to the data mapping model, verifying the integrity and consistency of the converted data, and writing the verified data into a target trust domain storage system;
Generating a data synchronization state report, and recording various indexes in the synchronization process, such as transmission data quantity, transmission time, error quantity and the like;
s25, optimizing a synchronization mechanism:
Analyzing abnormal conditions in the data synchronization status report, such as data errors, transmission delays, etc.;
Correcting a data field mapping relation and a data format conversion rule of the data mapping model according to the abnormal condition, for example, if some field mapping is found to be inaccurate, a field similarity threshold value needs to be adjusted or the mapping relation needs to be modified;
monitoring performance indexes of the data synchronization channel, such as bandwidth utilization rate, delay, packet loss rate and the like;
Optimizing transmission parameters of the data synchronization channel based on the performance index, such as adjusting data packet size, transmission rate, etc.;
Updating the data mapping model and the configuration of the data synchronization channel to adapt to the changing data synchronization requirements;
Based on step S2, the embodiment adopts end-to-end encryption to ensure that data cannot be stolen or tampered with in transit, effectively protecting sensitive data; automatic data mapping and conversion reduce manual intervention, improve data synchronization efficiency and lower synchronization cost; and the designed data consistency check rules ensure that data remains complete and consistent during synchronization, improving the quality of the target domain data and providing a reliable basis for subsequent data analysis and application.
S3, setting a data flow control module in the data synchronization channel, wherein the data flow control module dynamically adjusts the data transmission rate according to real-time network conditions and data priority, comprising the following steps:
S31, setting a data flow control module in the data synchronization channel, wherein the data flow control module comprises a network monitoring unit, a data grading unit and a rate adjusting unit;
S311, the network monitoring unit deploys network detection points at the sending and receiving ends of the data synchronization channel. The detection points periodically (for example, every 50 milliseconds) send probe packets and acquire round trip delay, packet loss rate, available bandwidth and link jitter data. For example, a detection point sends a 1KB probe packet; the receiving end replies immediately upon receipt; the sending end records the time difference between sending and receiving to calculate the round trip delay; the number of probe packets successfully sent and received within a period is counted to calculate the packet loss rate; the available bandwidth is calculated by measuring the amount of data transmitted within a period; and the variation in round trip delay across several consecutive probe packets is recorded to calculate the link jitter;
The round trip delay, packet loss rate, available bandwidth and link jitter data are smoothed with a sliding time window, for example a window of length 1 second, by taking the average or weighted average of the values acquired within the window, to generate a network condition evaluation matrix. For example, if 10 round trip delay values, namely 10ms, 12ms, 11ms, 13ms, 10ms, 9ms, 11ms, 12ms, 10ms and 11ms, are acquired in the last 1 second, the average round trip delay is 10.9ms;
S312, the data grading unit divides the data into core service data, general service data and non-key data according to the service importance of the data; for example, order data related to transactions is core service data, user browsing records are general service data, and advertisement recommendation data is non-key data;
The data is divided into real-time data, quasi-real-time data and offline data according to its timeliness requirement; for example, video conference data is real-time data, e-mail is quasi-real-time data, and log data is offline data;
The division by service importance and the division by timeliness requirement are combined orthogonally to form a data priority matrix, with entries such as core service real-time data, core service quasi-real-time data, general service real-time data, and so on;
A resource allocation weight is set for each priority in the data priority matrix; for example, the core service real-time data weight is 0.5, the general service real-time data weight is 0.3, and the non-key data weight is 0.1. The larger the weight value, the more the data of that priority is favoured when competing for network resources;
S313, the rate adjustment unit calculates the current network load factor from the network condition evaluation matrix, where the network load factor is determined by the round trip delay change rate, the packet loss rate and the bandwidth utilization rate; for example, the higher the round trip delay change rate, the packet loss rate and the bandwidth utilization rate, the higher the network load factor;
The reference transmission rate is calculated from the network load factor with an improved additive-increase multiplicative-decrease algorithm: the reference transmission rate is increased by a certain proportion when the network load factor is low and decreased by a certain proportion when the network load factor is high. For example, the initial reference transmission rate is 1Mbps, increased by 0.1Mbps each time the network load factor is lower than 0.5 and decreased by 0.1Mbps each time the network load factor is higher than 0.7;
S32, distributing the reference transmission rate among the data streams of different priorities according to the resource allocation weights, so as to dynamically regulate the data transmission rate; for example, if the reference transmission rate is 1Mbps and the core service real-time data weight is 0.5, the transmission rate of the core service real-time data is 0.5Mbps;
Further, the network load factor is calculated by the following formula:
wherein α represents the network load factor, w_1, w_2 and w_3 represent preset weight factors, ΔRTT represents the round trip delay variation, RTT_base represents the reference round trip delay, PLR represents the packet loss rate, BW_used represents the used bandwidth, and BW_total represents the total available bandwidth;
The reference transmission rate is calculated by the following formula:
wherein R(t) represents the transmission rate at time t, β represents the growth factor, γ represents the reduction factor, and α_threshold represents the load threshold;
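One control cycle of step S3 (S311 to S32), as an added illustration that is not the patent's own code. The page names the terms of the load factor formula but does not reproduce the formula itself, so the weighted-sum form and the weights (0.4, 0.3, 0.3) below are assumptions; the thresholds, rate steps, priority weights and the ten RTT samples are the values from the description.

```python
"""Added illustration of steps S311 to S32: probe-window statistics, network
load factor, rate adjustment and weighted rate allocation. Not the patent's
code. The weighted-sum form of alpha and its weights are assumptions; the
thresholds, steps and priority weights are the description's values."""
import statistics
from typing import Dict, List, Optional, Tuple


def probe_window_stats(rtts_ms: List[Optional[float]]) -> Dict[str, float]:
    """Smooth one sliding window of probe results (S311).
    None marks a probe that got no reply and counts towards packet loss."""
    answered = [r for r in rtts_ms if r is not None]
    if not answered:
        raise ValueError("no probe replies in window")
    # Link jitter: mean absolute change between consecutive RTT samples.
    jitter = (statistics.mean(abs(b - a) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {
        "rtt_ms": statistics.mean(answered),
        "plr": 1 - len(answered) / len(rtts_ms),
        "jitter_ms": jitter,
    }


def network_load_factor(delta_rtt: float, rtt_base: float, plr: float,
                        bw_used: float, bw_total: float,
                        weights=(0.4, 0.3, 0.3)) -> float:
    """alpha = w1*dRTT/RTT_base + w2*PLR + w3*BW_used/BW_total (assumed form;
    the page lists these terms without giving the formula)."""
    w1, w2, w3 = weights
    return w1 * delta_rtt / rtt_base + w2 * plr + w3 * bw_used / bw_total


def adjust_reference_rate(rate_mbps: float, alpha: float, beta: float = 0.1,
                          gamma: float = 0.1, low: float = 0.5,
                          high: float = 0.7, floor: float = 0.1) -> float:
    """Increase by beta when alpha < low, decrease by gamma when alpha > high,
    following the description's 1 Mbps / 0.1 Mbps example; hold otherwise.
    The floor (assumed) keeps the channel from being throttled to zero."""
    if alpha < low:
        return rate_mbps + beta
    if alpha > high:
        return max(floor, rate_mbps - gamma)
    return rate_mbps


# Resource allocation weights from the description (S312).
PRIORITY_WEIGHTS = {"core_realtime": 0.5, "general_realtime": 0.3, "non_key": 0.1}


def allocate_rate(reference_mbps: float,
                  weights: Dict[str, float] = PRIORITY_WEIGHTS) -> Dict[str, float]:
    """Step S32: each priority class gets the reference rate times its weight."""
    return {name: reference_mbps * w for name, w in weights.items()}


def control_step(window: List[Optional[float]], rtt_base: float, bw_used: float,
                 bw_total: float, rate_mbps: float) -> Tuple[float, float, Dict[str, float]]:
    """One full S3 cycle: window stats -> load factor -> new rate -> allocation."""
    stats = probe_window_stats(window)
    alpha = network_load_factor(stats["rtt_ms"] - rtt_base, rtt_base,
                                stats["plr"], bw_used, bw_total)
    new_rate = adjust_reference_rate(rate_mbps, alpha)
    return alpha, new_rate, allocate_rate(new_rate)


# Constructed window: the ten RTT samples from the description, no losses.
WINDOW: List[Optional[float]] = [10, 12, 11, 13, 10, 9, 11, 12, 10, 11]
```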
The embodiment is based on the step S3, can fully utilize network bandwidth, avoid network congestion and improve network resource utilization rate by dynamically adjusting the data transmission rate, can preferentially ensure the transmission of core service data and real-time data and avoid important data transmission delay or loss by data classification and resource allocation weight;
S4, when a data requesting party initiates a cross-domain data access request, verifying the access authority of the data requesting party through the smart contract and recording a data access log;
S41, a data requesting party initiates a cross-domain data access request through a unified access gateway, and the request is received, wherein the cross-domain data access request comprises an access target identifier, a requester identity credential extracted from a digital certificate, and an explicit data use purpose; the digital signature of the requester identity credential is verified through an asymmetric encryption algorithm to obtain a verification result. Specifically, the digital certificate is verified, the validity of the digital signature is checked through a public key infrastructure, and the identity attribute information it contains is extracted. For example, the requester is a medical research institution, the access target is a clinical dataset of a hospital, and the data use purpose is data analysis for new drug development;
The verification result is matched against a preset access control policy matrix, wherein the access control policy matrix comprises a permission level matching rule and a usage scenario rule, and it is judged from the matching result whether the access permission level of the data requester meets the access requirement of the access target and whether the data use purpose conforms to the usage scenario rule;
When the access permission level meets the access requirement and the data use purpose conforms to the usage scenario rule, the historical access record of the data requester is acquired, including dimensions such as access frequency and data use compliance, and a credit score is calculated from the historical access record; for example, a requester with no record of illegal use in the past year obtains a higher score;
S42, when the credit score is higher than a preset credit threshold, acquiring the data to be accessed corresponding to the access target and identifying sensitive fields in it, such as patient identification card numbers and diagnosis results;
A differential privacy processing mode is selected according to the data type of each field of the data to be accessed: random noise following a Laplace distribution is added to numerical data such as age; categorical data such as sex is randomized with an exponential mechanism; and sensitive information in text data such as medical record descriptions is replaced by a semantics-preserving desensitization algorithm. Taking outpatient medical record data as an example, the original data comprises the basic information of a patient and the treatment record, and the age field is changed into a fuzzy interval by adding random noise following a Laplace distribution;
Privacy-processed data is generated;
S43, acquiring the historical data distribution characteristics of the data to be accessed, including the distribution rules of the various fields; constructing a noise compensation model based on these characteristics; optimizing the noise in the privacy-processed data so that the statistical characteristics of the data are preserved as far as possible while privacy is protected, to obtain the optimized data; measuring the privacy protection strength by calculating the ε of ε-differential privacy; and evaluating the availability index of the data;
S44, when the privacy protection strength and the data utility index meet the preset privacy threshold requirement, returning the optimized data to the data requesting party as the access result, recording the return state of the access result in the access log, and forming a complete access audit trail. Throughout the process, all operations such as access control judgment, data processing and log recording are executed through smart contracts, which ensures the transparency and tamper-resistance of the flow.
For the acquired private data, the requester must carry out subsequent processing according to the agreed usage standard. The system keeps track of data usage and periodically updates the credit score of the requester. If illegal use is found, the credit score is reduced and the reduction is recorded on the blockchain, affecting subsequent access requests. In this way the data sharing requirement is met while sensitive data is effectively protected.
The access control and data processing parameters of each link can be configured and adjusted according to the actual application scenario. For example, the permission requirements and privacy protection strength can be raised for more sensitive data, and the access limits can be appropriately relaxed for a requester with higher credibility. The whole mechanism is executed automatically through smart contracts and provides a secure, transparent and auditable cross-domain data sharing environment.
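The access decision and privacy processing path of steps S41 to S44, as an added illustration that is not the patent's own code. Certificate and signature verification against a PKI is assumed to have already produced the verified identity attributes passed in; the policy entries, credit threshold, epsilon, hash-chained log format and patient record are constructed.

```python
"""Added illustration of steps S41 to S44: policy matrix check, credit score
gate, Laplace noise on a numerical field and a tamper-evident audit record.
Not the patent's code. Identity attributes are assumed already verified by the
PKI step; policy entries, thresholds, epsilon and records are constructed."""
import hashlib
import json
import math
import random
from typing import Dict, List, Optional, Tuple

# Constructed access control policy matrix: permission level matching rule and
# usage scenario rule per access target (S41).
POLICY_MATRIX = {
    "hospital_clinical_dataset": {
        "min_permission_level": 3,
        "allowed_purposes": {"new drug development", "clinical research"},
    },
}
CREDIT_THRESHOLD = 0.6  # assumed value for the preset credit threshold (S42)


def credit_score(history: List[Dict[str, bool]]) -> float:
    """Share of past accesses used compliantly; unknown requesters start at 0.5.
    A requester with no illegal use on record scores 1.0."""
    if not history:
        return 0.5
    return sum(1 for h in history if h["compliant"]) / len(history)


def authorize(identity: Dict, target: str, purpose: str,
              history: List[Dict[str, bool]]) -> Tuple[bool, str]:
    """Permission level rule, usage scenario rule, then credit gate; the first
    failing check denies the request and names the reason for the audit log."""
    rule = POLICY_MATRIX.get(target)
    if rule is None:
        return False, "unknown access target"
    if identity["permission_level"] < rule["min_permission_level"]:
        return False, "permission level below target requirement"
    if purpose not in rule["allowed_purposes"]:
        return False, "purpose violates usage scenario rule"
    score = credit_score(history)
    if score < CREDIT_THRESHOLD:
        return False, f"credit score {score:.2f} below threshold"
    return True, "granted"


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Inverse-CDF sample of Laplace(0, scale); |u| < 0.5 keeps log() defined."""
    u = max(rng.random(), 1e-12) - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_moments(n: int, scale: float, seed: int) -> Tuple[float, float]:
    """Empirical mean and variance of n samples (variance approaches 2*scale^2)."""
    rng = random.Random(seed)
    xs = [laplace_sample(scale, rng) for _ in range(n)]
    mean = sum(xs) / n
    return mean, sum((x - mean) ** 2 for x in xs) / n


def privatize_age(age: int, epsilon: float, seed: int, bucket: int = 10) -> str:
    """Laplace mechanism for a numerical field with sensitivity 1 (scale 1/eps),
    then report the noisy value as a fuzzy interval as in the description."""
    noisy = age + laplace_sample(1.0 / epsilon, random.Random(seed))
    lower = max(0, math.floor(noisy / bucket) * bucket)
    return f"{lower}-{lower + bucket - 1}"


def handle_request(identity: Dict, target: str, purpose: str,
                   history: List[Dict[str, bool]], record: Dict,
                   epsilon: float = 0.5, seed: int = 7) -> Tuple[bool, str, Optional[Dict]]:
    """Full S4 path for one record: authorize, withhold the identifier field,
    privatize the age field, and return (decision, reason, released record)."""
    ok, reason = authorize(identity, target, purpose, history)
    if not ok:
        return ok, reason, None
    released = {k: v for k, v in record.items() if k != "id_card_number"}
    released["age"] = privatize_age(record["age"], epsilon, seed)
    return ok, reason, released


def audit_record(prev_hash: str, entry: Dict) -> Tuple[str, Dict]:
    """Chain each log entry to the previous one so the trail is tamper-evident (S44)."""
    body = dict(entry, prev_hash=prev_hash)
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return digest, body
```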
S5, synchronizing data among different trust domains by adopting a distributed consensus mechanism based on a Byzantine fault-tolerant algorithm and a version control mechanism;
S51, constructing a distributed consensus network across trust domains, deploying state synchronization nodes in the different trust domains, and dividing the state synchronization nodes into a consensus node group and a verification node group; for example, assuming three trust domains A, B and C, three nodes are deployed in each trust domain, of which two serve as consensus nodes and one as a verification node;
Trust scores are calculated from the historical behaviour of the nodes (such as the timeliness of message transmission and the degree of participation in consensus), and the node with the highest trust score is selected as the master node responsible for coordinating the data state synchronization process; assuming its historical behaviour is good, node A1 of domain A is selected as the master node. The distributed consensus network is realized with a Byzantine fault-tolerant algorithm, so that the system keeps operating normally as long as no more than one third of the nodes are faulty or malicious;
S52, the distributed consensus network is realized with a Byzantine fault-tolerant algorithm;
A data state change request is received in a trust domain, wherein the data state change request comprises a data content hash value, a change timestamp, an operation sequence and a version number. When the data state in a trust domain changes, for example when the data in domain A changes from "value1" to "value2", a data state change request is generated. The request contains the data content hash value (e.g. "hash_value2"), the change timestamp (e.g. "2024-07-27:00:00"), the operation sequence (e.g. "update") and the version number (e.g. changed from 1 to 2);
The master node verifies the validity of the data state change request, for example checking whether the hash values match and whether the timestamp is valid; after verification passes, the master node generates a state synchronization proposal containing all of this information;
The consensus node group votes on the state synchronization proposal using the Byzantine fault-tolerant algorithm; when the number of votes exceeds the fault tolerance threshold, a pre-commit message is broadcast to the state synchronization nodes of the trust domains outside the current trust domain, and confirmation messages returned by those trust domains are received, wherein each confirmation message comprises a node signature and a state verification result. In more detail:
The consensus node group votes on the state synchronization proposal using the Byzantine fault-tolerant algorithm. Assume the consensus nodes begin voting after receiving the proposal. When the number of votes exceeds the fault tolerance threshold (e.g. two thirds), the consensus node group broadcasts a pre-commit message to the state synchronization nodes of the other trust domains. For example, if both consensus nodes of domain A and the consensus nodes of the other domains vote in favour, the fault tolerance threshold is met.
After receiving the pre-commit message, the state synchronization nodes of the other trust domains verify the data state change request and return a confirmation message. The confirmation message contains the node signature and the state verification result. For example, the nodes in domains B and C verify the hash value and version number of "value2" and return a confirmation message after confirming that there is no error.
When cross-domain concurrent modification is detected, a branch version is created in the version tree structure; for example, domain A modifies the data to "value2" and domain B modifies it to "value3", so a branch version is created in the version tree. Assuming "value1" is version 1, "value2" is version 2 and "value3" is version 3, the version tree shows version 1 deriving both the version 2 and the version 3 branches;
The main version is determined through Byzantine fault-tolerant consensus; assume the consensus result selects "value2" as the main version;
The concurrent operation sequences of the different trust domains are analyzed to identify compatible operations and conflicting operations; for example, if the operation of domain A adds one field and the operation of domain B modifies another field, the two operations are compatible;
For conflicting operations, the final sequence of operations is determined through cross-domain Byzantine fault-tolerant consensus; for example, assuming that domains A and B both modify the same field, the final consensus result is the modification of domain A;
The merged state update is submitted to each trust domain for synchronization; in the above example, the data of all trust domains is updated to "value2";
The running state of the nodes in each trust domain is monitored, including response delay, message integrity and consensus participation; when a node fault or malicious behaviour is detected, for example a node that is continuously unresponsive, the abnormal node is removed from the consensus process and the fault tolerance threshold is recalculated to ensure that the number of remaining normal nodes still satisfies the Byzantine fault tolerance requirement.
Based on step S5, the method and system ensure that the data states of the different trust domains are consistent through the distributed consensus and version control mechanisms, avoiding data conflicts and inconsistency; the Byzantine fault-tolerant algorithm lets the system operate normally even if some nodes are faulty or malicious, ensuring data security and system stability; and synchronizing data across multiple trust domains facilitates system expansion and upgrading and suits more complex application scenarios.
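The consensus and version control steps of S51 and S52, as an added illustration that is not the patent's own code. Node names, trust scores and values are constructed; the description's timestamp is replaced by a constructed ISO 8601 one; the two-thirds vote rule follows the description and is a simplified quorum, not a full PBFT implementation.

```python
"""Added illustration of steps S51 and S52: master selection by trust score,
validation of a data state change request, a two-thirds vote threshold that is
recalculated after removing a faulty node, and a version tree that branches on
concurrent cross-domain modification. Not the patent's code; node names, trust
scores, timestamps and values are constructed."""
import hashlib
import math
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed deployment: three domains, two consensus nodes each (S51).
CONSENSUS_NODES = ["A1", "A2", "B1", "B2", "C1", "C2"]
TRUST_SCORES = {"A1": 0.97, "A2": 0.90, "B1": 0.88, "B2": 0.85, "C1": 0.80, "C2": 0.75}


def select_master(trust: Dict[str, float]) -> str:
    """The node with the highest trust score coordinates synchronization."""
    return max(trust, key=trust.get)


def vote_threshold(node_count: int) -> int:
    """Votes needed: at least two thirds of the active consensus nodes, so the
    approving set can still be reached when up to one third are faulty. This is
    the description's simplified rule, not the n >= 3f+1 sizing of full PBFT."""
    return math.ceil(2 * node_count / 3)


def content_hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def validate_change_request(req: Dict, current_version: int) -> Tuple[bool, str]:
    """Master-node checks (S52): hash matches the content, timestamp is well
    formed, version is exactly the next one, operation is known."""
    if req["hash"] != content_hash(req["value"]):
        return False, "hash mismatch"
    try:
        datetime.strptime(req["timestamp"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return False, "invalid timestamp"
    if req["version"] != current_version + 1:
        return False, "unexpected version"
    if req["operation"] not in {"insert", "update", "delete"}:
        return False, "unknown operation"
    return True, "ok"


def vote(proposal_votes: Dict[str, bool], nodes: List[str]) -> Tuple[bool, int, int]:
    """Count approvals among the active consensus nodes only; votes from nodes
    that have been removed from the group are ignored."""
    approvals = sum(1 for n in nodes if proposal_votes.get(n, False))
    needed = vote_threshold(len(nodes))
    return approvals >= needed, approvals, needed


def remove_faulty(nodes: List[str], faulty: List[str]) -> Tuple[List[str], int]:
    """Remove abnormal nodes and recalculate the threshold (last step of S52)."""
    remaining = [n for n in nodes if n not in faulty]
    return remaining, vote_threshold(len(remaining))


class VersionTree:
    """Each version knows its parent; concurrent modifications of the same
    parent show up as sibling branches until consensus picks the main one."""

    def __init__(self, root_version: int, root_value: str):
        self.parent: Dict[int, Optional[int]] = {root_version: None}
        self.value: Dict[int, str] = {root_version: root_value}
        self.main: int = root_version

    def add(self, version: int, value: str, parent: int) -> None:
        if parent not in self.parent:
            raise KeyError(f"unknown parent version {parent}")
        self.parent[version] = parent
        self.value[version] = value

    def branches(self, parent: int) -> List[int]:
        return sorted(v for v, p in self.parent.items() if p == parent)

    def has_concurrent_modification(self, parent: int) -> bool:
        return len(self.branches(parent)) > 1

    def set_main(self, version: int) -> str:
        """Apply the consensus decision on the main version; return its value."""
        self.main = version
        return self.value[version]


def classify_operations(op_a: Dict, op_b: Dict) -> str:
    """Concurrent operations are compatible when they touch disjoint fields."""
    return "compatible" if set(op_a["fields"]).isdisjoint(op_b["fields"]) else "conflict"
```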
Example 2:
Fig. 2 is a schematic structural diagram of a distributed multi-mode data cross-trust domain data sharing system according to embodiment 2 of the present invention, as shown in fig. 2, where the system includes a data access and trust management unit, a cross-domain data mapping and synchronization unit, an access control and privacy protection unit, and a consensus achievement and version management unit, where:
The data access and trust management unit receives heterogeneous data provided by a plurality of data source nodes, performs data type identification and format standardization on the heterogeneous data, divides the plurality of data source nodes into different trust domains based on the security level of the data provider, the data use authorization range and the data protection policy, assigns a unique domain identifier to each trust domain, and deploys a smart contract in each trust domain, wherein the smart contract is used for managing the data access permissions and data sharing rules within the trust domain;
a cross-trust domain data mapping model is built in the cross-domain data mapping and synchronizing unit, and the data mapping model comprises a data field mapping relation, a data format conversion rule and a data consistency check rule; based on the data mapping model, establishing a data synchronization channel between different trust domains, wherein the data synchronization channel adopts an end-to-end encryption mode to transmit data;
When a data requesting party initiates a cross-domain data access request, the access control and privacy protection unit verifies the access authority of the data requesting party through the smart contract and records a data access log;
The consensus achievement and version management unit adopts a distributed consensus mechanism based on a Byzantine fault-tolerant algorithm and a version control mechanism to synchronize data among the different trust domains.
Example 3:
the embodiment provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the distributed multi-mode data cross-trust domain data sharing method according to any one of embodiment 1 when executing the program.
Example 4:
The present embodiment also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the distributed multi-mode data cross-trust domain data sharing method according to any one of embodiment 1.
It should be noted that, the system, the electronic device and the computer readable storage medium according to the present invention are based on the same inventive concept as the method according to embodiment 1, and are not described herein.
It should be noted that the above embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present invention.

Claims (9)

1. The distributed multi-mode data cross-trust domain data sharing method is characterized by comprising the following steps of:
Receiving heterogeneous data provided by a plurality of data source nodes, and carrying out data type identification and format standardization processing on the heterogeneous data; dividing the plurality of data source nodes into different trust domains based on the security level of a data provider, the data use authorization range and the data protection policy, wherein each trust domain comprises at least one data source node and is assigned with a unique domain identifier;
Constructing a cross-trust domain data mapping model, wherein the data mapping model comprises a data field mapping relation, a data format conversion rule and a data consistency check rule; based on the data mapping model, establishing a data synchronization channel between different trust domains, wherein the data synchronization channel adopts an end-to-end encryption mode to transmit data;
When a data requesting party initiates a cross-domain data access request, verifying the access authority of the data requesting party through the smart contract, and recording a data access log;
And adopting a distributed consensus mechanism based on a Byzantine fault-tolerant algorithm and a version control mechanism to synchronize data between different trust domains.
2. The method of claim 1, wherein receiving heterogeneous data provided by a plurality of data source nodes, performing data type identification and format standardization on the heterogeneous data, dividing the plurality of data source nodes into different trust domains based on the security level of the data provider, the data use authorization range and the data protection policy, each trust domain comprising at least one data source node and being assigned a unique domain identifier, and deploying a smart contract in each trust domain, the smart contract being used for managing the data access permissions and data sharing rules within the domain, comprises:
The method comprises the steps of receiving heterogeneous data provided by a plurality of data source nodes, analyzing the heterogeneous data through a feature extraction algorithm to obtain heterogeneous features, specifically structural features, content features and metadata features, carrying out data type identification on the heterogeneous data based on the heterogeneous features, dividing the heterogeneous data into structured data, semi-structured data and unstructured data according to the data type identification result, constructing a unified data representation model based on a graph data model, converting the structured data, the semi-structured data and the unstructured data into standardized formats corresponding to the graph data model by adopting a data conversion adapter, and storing the standardized formats;
The method comprises the steps of analyzing the security level of each data source node, wherein the security level comprises a data security protection capability index, a historical credit record index and a technical guarantee level index, acquiring a data use authorization range of each data source node, wherein the data use authorization range comprises a data sharable user group, a permission use scene and a time limit, extracting a data protection strategy of each data source node, wherein the data protection strategy comprises a data desensitization level, an access frequency limit and a transmission encryption requirement;
And deploying a smart contract in each trust domain, wherein the smart contract is implemented on the Hyperledger Fabric framework and comprises an access permission management module, a data sharing rule module and an access audit module, the access permission management module implementing fine-grained access control of data within the domain based on the RBAC model, the data sharing rule module configuring and executing data sharing policies, and the access audit module recording data access operations.
3. The distributed multi-mode data cross-trust-domain data sharing method according to claim 1, wherein constructing a cross-trust-domain data mapping model, the data mapping model comprising a data field mapping relationship, a data format conversion rule and a data consistency check rule, and establishing a data synchronization channel between different trust domains based on the data mapping model, the data synchronization channel transmitting data in an end-to-end encrypted manner, comprises:
analyzing the data schemas of a source trust domain and a target trust domain, extracting field feature information, inputting the field feature information into a deep learning model to generate a field similarity matrix, constructing a data field mapping relationship based on the field similarity matrix, formulating a data format conversion rule according to the type differences in the data field mapping relationship, establishing a data consistency check rule based on the data field mapping relationship, and combining the data field mapping relationship, the data format conversion rule and the data consistency check rule to generate the data mapping model;
analyzing data transmission requirements based on the data mapping model, determining a communication link specification, establishing a dedicated communication link between the trust domains according to the communication link specification, generating an asymmetric encryption key pair for the dedicated communication link, performing end-to-end encryption on the dedicated communication link with the asymmetric encryption key pair to form the data synchronization channel, and configuring the transmission parameters of the data synchronization channel according to the data scale of the data mapping model;
processing source data with the data field mapping relationship to complete field mapping, performing format conversion on the mapped data with the data format conversion rule, verifying the conversion result with the data consistency check rule, taking the verified data as data to be transmitted, and transmitting the data to be transmitted to the target trust domain through the data synchronization channel;
receiving the encrypted data in the target trust domain, decrypting the received data with the asymmetric encryption key pair, performing reverse data conversion according to the data mapping model, verifying the integrity and consistency of the converted data, writing the verified data into the storage system of the target trust domain, generating a data synchronization status report, and thereby completing data synchronization;
analyzing abnormal conditions in the data synchronization status report, correcting the data field mapping relationship and the data format conversion rule of the data mapping model according to the abnormal conditions, monitoring performance indicators of the data synchronization channel, optimizing the transmission parameters of the data synchronization channel based on the performance indicators, updating the configuration of the data mapping model and the data synchronization channel, and thereby optimizing the synchronization mechanism.
4. The distributed multi-mode data cross-trust domain data sharing method of claim 1, wherein setting a data flow control module in the data synchronization channel, the data flow control module dynamically adjusting the data transmission rate according to real-time network conditions and data priorities, comprises:
setting a data flow control module in the data synchronization channel, wherein the data flow control module comprises a network monitoring unit, a data grading unit and a rate adjusting unit; the network monitoring unit deploys network detection points at the sending and receiving ends of the data synchronization channel, and the network detection points periodically send probe packets to acquire round-trip delay, packet loss rate, available bandwidth and link jitter data;
the data grading unit divides the data into core service data, general service data and non-key data according to the service importance of the data, and into real-time data, quasi-real-time data and offline data according to the timeliness requirement of the data;
the rate adjusting unit calculates a current network load coefficient based on a network condition evaluation matrix, wherein the network load coefficient is determined by the round-trip delay change rate, the packet loss rate and the bandwidth utilization rate, calculates a reference transmission rate from the network load coefficient with an improved additive-increase multiplicative-decrease (AIMD) algorithm, and distributes the reference transmission rate among data streams of different priorities according to resource allocation weights, thereby dynamically adjusting the data transmission rate.
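The rate adjusting unit of claim 4, as an added illustration that is not the patent's own code: probe measurements are folded into a load coefficient, an AIMD step updates the reference rate, and the result is split by priority weight. The indicator weights, the 0.5 load threshold, the step constants and the "improved" AIMD shape are this example's assumptions, since the claim fixes none of them.

```python
# Constructed example (not the patent's code) of the rate adjustment in claim 4:
# probe measurements -> network load coefficient -> AIMD reference rate ->
# per-priority shares. All weights, thresholds and constants are assumptions.

# Resource allocation weights for the three service-importance classes.
PRIORITY_WEIGHTS = {"core": 0.5, "general": 0.3, "non_key": 0.2}


def load_coefficient(rtt_change_rate, loss_rate, bw_utilisation,
                     weights=(0.3, 0.4, 0.3)):
    """Weighted sum of the three indicators named in the claim, clipped to [0, 1]."""
    raw = (weights[0] * rtt_change_rate
           + weights[1] * loss_rate
           + weights[2] * bw_utilisation)
    return max(0.0, min(1.0, raw))


def aimd_update(rate, load, threshold=0.5, increase=2.0, floor_factor=0.5,
                rate_min=1.0, rate_max=100.0):
    """One AIMD step on the reference rate (constructed units, e.g. MB/s).

    The 'improvement' assumed here: the additive step shrinks as load nears the
    threshold, and the multiplicative cut grows with how far load exceeds it,
    so the controller reacts proportionally instead of halving on every loss.
    """
    if load < threshold:
        return min(rate_max, rate + increase * (1.0 - load / threshold))
    factor = 1.0 - (1.0 - floor_factor) * (load - threshold) / (1.0 - threshold)
    return max(rate_min, rate * factor)


def allocate(rate, weights=PRIORITY_WEIGHTS):
    """Split the reference rate across priority classes by allocation weight."""
    total = sum(weights.values())
    return {cls: rate * w / total for cls, w in weights.items()}


def run_controller(samples, rate=10.0):
    """Feed successive probe samples (rtt_change_rate, loss_rate, bw_utilisation)
    through the controller; return the final reference rate and its split."""
    for rtt_change, loss, util in samples:
        rate = aimd_update(rate, load_coefficient(rtt_change, loss, util))
    return rate, allocate(rate)


if __name__ == "__main__":
    # Constructed probes: two quiet periods, then congestion (loss, high utilisation).
    print(run_controller([(0.0, 0.0, 0.0), (0.0, 0.0, 0.0), (0.6, 0.4, 0.9)]))
```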
5. The method of claim 1, wherein, when the data requester initiates the cross-domain data access request, verifying the access rights of the data requester by the smart contract and recording the data access log comprises:
receiving a cross-domain data access request initiated by a data requester, wherein the cross-domain data access request comprises an access target, a requester identity credential and a data use purpose;
matching the verification result against a preset access control policy matrix, wherein the access control policy matrix comprises a permission level matching rule and a usage scenario rule, and judging, based on the matching result, whether the access permission level of the data requester meets the access requirement of the access target and whether the data use purpose conforms to the usage scenario rule;
when the access permission level meets the access requirement and the data use purpose conforms to the usage scenario rule, acquiring the historical access records of the data requester, and calculating a credit score based on the historical access records; generating an access transaction identifier, and recording the requester identity credential, the access time, the access target, the data use purpose and the credit score in an access log, wherein the access log adopts a chained storage structure and is stored in an encrypted manner through a cryptographic hash function;
when the credit score is higher than a preset credit threshold, acquiring the data to be accessed corresponding to the access target, identifying sensitive fields in the data to be accessed, and setting a differential privacy budget parameter based on the sensitivity of the sensitive fields and the data use purpose;
selecting a differential privacy processing mode according to the data type of the data to be accessed: adding random noise drawn from a Laplace distribution to numeric data, randomizing categorical data with an exponential mechanism, and replacing sensitive information in text data with a semantics-preserving desensitization algorithm, so as to generate privacy-processed data;
acquiring the historical data distribution characteristics of the data to be accessed, constructing a noise compensation model based on the historical data distribution characteristics, and optimizing the noise in the privacy-processed data to obtain optimized data;
and when the privacy protection strength and the data utility index meet a preset privacy threshold, returning the optimized data to the data requester as the access result, and recording the return state of the access result in the access log.
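The access path of claim 5, as an added example that is not the patent's own code: a hash-chained access log whose integrity can be re-verified, a permission-level and credit-threshold gate, and the Laplace mechanism for a numeric field. The scoring rule, the 0.6 credit threshold, the record fields and the inverse-CDF sampler are this example's assumptions; the claim gives no formulas.

```python
import hashlib
import json
import math

# Constructed example (not the patent's code) for claim 5: a hash-chained access
# log, an assumed credit score, and Laplace noise scaled by the privacy budget.
# All names, rules and thresholds are this example's own assumptions.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Each entry commits to the previous entry's hash, so altering or dropping
    # an earlier record invalidates every hash that follows it.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AccessLog:
    def __init__(self):
        self.entries = []  # (prev_hash, record, entry_hash)

    def append(self, record: dict) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = _entry_hash(prev, record)
        self.entries.append((prev, record, h))
        return h  # doubles as the access transaction identifier

    def verify(self) -> bool:
        prev = GENESIS
        for stored_prev, record, h in self.entries:
            if stored_prev != prev or _entry_hash(prev, record) != h:
                return False
            prev = h
        return True


def credit_score(history: list) -> float:
    # Assumed rule: fraction of past accesses that stayed within policy.
    return sum(1 for ok in history if ok) / len(history) if history else 0.5


def laplace_noise(sensitivity: float, epsilon: float, u: float) -> float:
    # Inverse-CDF sample of Laplace(0, sensitivity / epsilon) for u in (0, 1);
    # a smaller privacy budget epsilon means a larger noise scale.
    b = sensitivity / epsilon
    return -b * math.copysign(1.0, u - 0.5) * math.log(1.0 - 2.0 * abs(u - 0.5))


def handle_request(log, requester, level, required_level, history, value,
                   sensitivity, epsilon, credit_threshold=0.6, u=0.5):
    # Permission level first, credit score only if the level passes, then a
    # noisy release; every decision lands in the chained log with its state.
    rec = {"requester": requester, "target": "load_kwh", "purpose": "forecast"}
    if level < required_level:
        rec["status"] = "denied:level"
    else:
        score = credit_score(history)
        rec["score"] = round(score, 3)
        rec["status"] = "returned" if score > credit_threshold else "denied:credit"
    log.append(rec)
    if rec["status"] != "returned":
        return None
    return value + laplace_noise(sensitivity, epsilon, u)
```

Pass a uniformly random `u` in production; the fixed default only makes the example deterministic.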
6. The method of claim 1, wherein synchronizing data between different trust domains using a distributed consensus mechanism and a version control mechanism based on a Byzantine fault-tolerant algorithm comprises:
constructing a distributed consensus network spanning the trust domains, deploying state synchronization nodes in the different trust domains, dividing the state synchronization nodes into a consensus node group and a verification node group, calculating trust scores based on the historical behaviour of the nodes, and selecting the node with the highest trust score as the master node;
receiving a data state change request within a trust domain, wherein the data state change request comprises a data content hash value, a change timestamp, an operation sequence and a version number, verifying the validity of the data state change request by the master node, and generating a state synchronization proposal;
the consensus node group voting on the state synchronization proposal based on the Byzantine fault-tolerant algorithm, and broadcasting a pre-commit message to the state synchronization nodes of the trust domains other than the current trust domain when the number of votes exceeds the fault tolerance threshold;
establishing a version control mechanism among all trust domains, the version control mechanism comprising a version tree structure, creating a branch version in the version tree structure when cross-domain concurrent modification is detected, and determining the main version through Byzantine fault-tolerant consensus;
analyzing the concurrent operation sequences of the different trust domains, identifying compatible operations and conflicting operations, merging the compatible operations into the main version, determining the final operation sequence for the conflicting operations through cross-domain Byzantine fault-tolerant consensus, and committing the merged state update to each trust domain for synchronization;
monitoring the running state of the nodes in each trust domain, including response delay, message integrity and consensus participation, removing abnormal nodes from the consensus process when node failures or malicious behaviour are detected, and recalculating the fault tolerance threshold to ensure that the number of remaining normal nodes meets the Byzantine fault tolerance requirement.
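The quorum bookkeeping behind claim 6, as an added example that is not the patent's own code: master selection by trust score, the master's validity check on a state change request, the vote threshold for a pre-commit, and recomputing the tolerated fault count after abnormal nodes are removed. The classic n ≥ 3f + 1 bound, the 2f + 1 quorum, the request fields and all node names and scores are this example's assumptions.

```python
import hashlib

# Constructed example (not the patent's code) for claim 6. Assumes the PBFT-style
# bound n >= 3f + 1 and a 2f + 1 vote quorum; node names and scores are made up.


def fault_tolerance(n: int) -> int:
    """Largest number f of Byzantine nodes tolerated by n nodes (n >= 3f + 1)."""
    return (n - 1) // 3


def quorum(n: int) -> int:
    """Votes needed before a pre-commit is broadcast: strictly more than 2f."""
    return 2 * fault_tolerance(n) + 1


def select_master(trust: dict) -> str:
    """Highest trust score wins; ties resolved by node name for determinism."""
    return max(sorted(trust), key=lambda node: trust[node])


def make_request(content: bytes, version: int, timestamp: int) -> dict:
    """Build a state change request as a source trust domain would (constructed)."""
    return {"content_hash": hashlib.sha256(content).hexdigest(),
            "version": version, "timestamp": timestamp,
            "operations": ["upsert"]}


def validate_request(req: dict, content: bytes, current_version: int) -> bool:
    """Master-side check: the hash commits to the content, the version is the
    next one, and the timestamp is present."""
    digest = hashlib.sha256(content).hexdigest()
    return (req["content_hash"] == digest
            and req["version"] == current_version + 1
            and req["timestamp"] > 0)


def accepts_proposal(votes: dict, n: int) -> bool:
    """True when the consensus group's accept votes reach the quorum for n nodes."""
    return sum(1 for v in votes.values() if v) >= quorum(n)


def eliminate(trust: dict, abnormal: set, f_required: int):
    """Drop nodes flagged as faulty or malicious, recompute the tolerated f, and
    report whether the remaining nodes still satisfy n >= 3 * f_required + 1."""
    remaining = {k: v for k, v in trust.items() if k not in abnormal}
    n = len(remaining)
    return remaining, fault_tolerance(n), n >= 3 * f_required + 1
```

When `eliminate` reports that the bound no longer holds, the group cannot safely keep committing until nodes are restored or replaced.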
7. A distributed multi-mode data cross-trust domain data sharing system for implementing the distributed multi-mode data cross-trust domain data sharing method according to any one of claims 1-6, characterized by comprising a data access and trust management unit, a cross-domain data mapping and synchronization unit, an access control and privacy protection unit, and a consensus achievement and version management unit, wherein:
the data access and trust management unit receives heterogeneous data provided by a plurality of data source nodes, performs data type identification and format standardization on the heterogeneous data, divides the plurality of data source nodes into different trust domains based on the security level of the data provider, the data use authorization scope and the data protection policy, allocates a unique domain identifier to each trust domain, and deploys a smart contract in each trust domain, wherein the smart contract manages the data access permissions and data sharing rules within the trust domain;
the cross-domain data mapping and synchronization unit builds a cross-trust-domain data mapping model comprising a data field mapping relationship, a data format conversion rule and a data consistency check rule, and establishes, based on the data mapping model, a data synchronization channel between different trust domains, the data synchronization channel transmitting data in an end-to-end encrypted manner;
when the data requester initiates a cross-domain data access request, the access control and privacy protection unit verifies the access permissions of the data requester through the smart contract and records a data access log; and
the consensus achievement and version management unit synchronizes data among the different trust domains using a distributed consensus mechanism and a version control mechanism based on a Byzantine fault-tolerant algorithm.
8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the distributed multi-mode data cross-trust domain data sharing method of any one of claims 1 to 6.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements a distributed multi-mode data cross-trust domain data sharing method according to any one of claims 1 to 6.
CN202411775518.2A 2024-12-05 2024-12-05 Distributed multi-mode data cross-trust-domain data sharing method and system Active CN119696850B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411775518.2A CN119696850B (en) 2024-12-05 2024-12-05 Distributed multi-mode data cross-trust-domain data sharing method and system


Publications (2)

Publication Number Publication Date
CN119696850A true CN119696850A (en) 2025-03-25
CN119696850B CN119696850B (en) 2025-09-23

Family

ID=95034351


Country Status (1)

Country Link
CN (1) CN119696850B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119946076A (en) * 2025-04-07 2025-05-06 深圳创拓佳科技有限公司 A cross-platform communication sharing synchronization method and system
CN120091429A (en) * 2025-04-27 2025-06-03 浙江数汉科技有限公司 A medical data sharing method based on blockchain
CN120086291A (en) * 2025-04-30 2025-06-03 清枫(北京)科技有限公司 Multi-platform data real-time synchronization method, device, electronic device and storage medium
CN120371487A (en) * 2025-06-27 2025-07-25 北京科杰科技有限公司 Container cluster-oriented big data operation intelligent submitting method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8843997B1 (en) * 2009-01-02 2014-09-23 Resilient Network Systems, Inc. Resilient trust network services
CN113132103A (en) * 2021-03-11 2021-07-16 西安电子科技大学 Data cross-domain security sharing system and method
CN113946857A (en) * 2021-12-20 2022-01-18 太极计算机股份有限公司 Distributed cross-link scheduling method and device based on data routing
CN114024686A (en) * 2021-11-03 2022-02-08 北京邮电大学 Blockchain-based smart community IoT information sharing model
CN118157840A (en) * 2024-04-01 2024-06-07 同济大学 A data interaction method for cross-domain collaboration between cloud, edge and end
CN118250012A (en) * 2024-03-12 2024-06-25 北京市农林科学院信息技术研究中心 Cross-trust-domain supervision data sharing method and device based on blockchain


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhou Yun: "Research on the construction of a blockchain-based trust support environment for information networks", Information Security and Communications Privacy (信息安全与通信保密), no. 04, 10 April 2020 (2020-04-10) *


Also Published As

Publication number Publication date
CN119696850B (en) 2025-09-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant