CN-121980576-A - Keystone-based deep-underground secure heterogeneous data fusion method and system
Abstract
The invention relates to a Keystone-based method and system for secure fusion of heterogeneous data from deep-underground operations. A Keystone trusted execution environment is deployed on a deep-underground edge computing node and a secure enclave is created in it. Multi-source heterogeneous data is admitted over encrypted sessions established through remote attestation and key negotiation; after decryption, spatio-temporal alignment and feature extraction are completed inside the enclave, and cross-modal correlation analysis and risk assessment are performed with a preset model or rule engine to obtain a fusion result. The result is encrypted and signed inside the enclave and distributed to authorized receivers over a secure channel. Full-lifecycle management of the enclave provides destruction after one-off tasks, periodic re-creation for long-running tasks, and key refresh. The invention guarantees the confidentiality and integrity of deep-underground operational data and improves the trustworthiness and real-time performance of heterogeneous data fusion in complex scenarios.
Inventors
- AN RAN
- JIAN XIA
- MA JIANMIN
- ZHOU YONG
- CHEN ZHIYING
Assignees
- China Railway First Survey and Design Institute Group Co., Ltd. (中铁第一勘察设计院集团有限公司)
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2025-11-25
Claims (10)
- 1. A Keystone-based deep-underground secure heterogeneous data fusion method, characterized by comprising the following steps: trusted execution environment construction: deploying a Keystone trusted execution environment framework on a deep-underground edge computing node and creating mutually isolated secure enclaves for the heterogeneous data fusion tasks to be processed; secure access and authentication of multi-source heterogeneous data: the secure enclave generates and provides a remote attestation report, and each heterogeneous data source establishes a secure session with the secure enclave on the basis of that report and obtains a shared key through key negotiation; in-enclave spatio-temporal alignment and feature extraction: the secure enclave performs spatio-temporal alignment and preprocessing on the decrypted multi-source heterogeneous data and extracts feature vectors for correlation analysis from point cloud, time-series, image and structured data; cross-modal correlation analysis and model inference: the secure enclave performs cross-modal correlation analysis on the feature vectors and loads and invokes a preset analysis model or rule engine inside the enclave to perform risk assessment, state prediction or anomaly diagnosis; secure packaging and distribution of the fusion result: the secure enclave encrypts the fusion analysis result with the receiver's public key, generates a digital signature with the enclave private key, and distributes the ciphertext and signature to the authorized receiver over a secure channel; and enclave full-lifecycle management and secure destruction: managing the lifecycle of the secure enclave according to task scheduling, such that for a one-off task the corresponding enclave is destroyed and the physical memory it occupied is cleared after the result is output, and for a long-running task the enclave is re-created at a configured period and the keys are refreshed.
- 2. The Keystone-based deep-underground secure heterogeneous data fusion method according to claim 1, wherein in the trusted execution environment construction step a lightweight operating system is installed on the RISC-V-based deep-underground edge computing node, the Keystone trusted execution environment framework is deployed, mutually isolated secure enclaves are created on the node for the heterogeneous data fusion tasks to be processed, and the memory space of each secure enclave is 1 MB to 4 GB.
- 3. The method according to claim 1, wherein in the trusted execution environment construction step the memory space and computing resources of the secure enclave are configured dynamically, according to a preset policy, on the basis of the type of data to be processed, the data throughput and the computational complexity, the policy comprising resource expansion and scheduling triggered by task priority, resource thresholds and runtime monitoring metrics.
- 4. The method according to claim 1, wherein in the secure access and authentication step the secure enclave generates and provides a remote attestation report on the basis of Keystone's measurement and remote attestation mechanism; a heterogeneous data source establishes a secure session with the secure enclave on the basis of the report and completes key negotiation with public-key cryptography, the key negotiation preferably using elliptic-curve key exchange, including X25519, or deriving the shared key from a TLS 1.3 handshake; the data source encrypts the data to be transmitted with an authenticated symmetric encryption algorithm, including AES-GCM, and transmits the ciphertext to the secure enclave through the host application; and after decrypting the incoming data the secure enclave verifies its integrity and authenticity, either by checking the authentication tag produced under the negotiated session key or by computing a SHA-256 hash and comparing it with the expected value.
- 5. The method according to claim 1, wherein in the in-enclave spatio-temporal alignment and feature extraction step the secure enclave performs time and space synchronization on the decrypted multi-source heterogeneous data, the spatio-temporal alignment comprising voxelization or gridding of point cloud data followed by extraction of geometric features, time synchronization with any necessary interpolation and denoising of time-series data followed by extraction of time-series features, extraction of local or global feature descriptors from image data, and field mapping and semantic extraction of structured data, the resulting features being converted into feature vectors for cross-modal correlation analysis.
- 6. The Keystone-based deep-underground secure heterogeneous data fusion method according to claim 1, wherein in the cross-modal correlation analysis and model inference step a pre-trained deep learning model or a rule-based inference engine is deployed inside the secure enclave to perform the cross-modal correlation analysis, risk assessment, state prediction or anomaly diagnosis, and the model code and parameters are measured to verify their integrity before the model is loaded and run, the measurement using SHA-256 or an equivalent hash algorithm and its result being written to a local auditable measurement log.
- 7. The Keystone-based deep-underground secure heterogeneous data fusion method according to claim 1, wherein in the secure packaging and distribution step the secure enclave encrypts the fusion analysis result inside the enclave with the receiver's public key, generates a digital signature with the enclave private key, and distributes the ciphertext and signature to the authorized receiver over a secure channel, the digital signature using an algorithm conforming to a public-key signature standard, including the elliptic curve digital signature algorithm (ECDSA) or RSA-PSS, and an auditable distribution log being recorded during distribution for later verification.
- 8. The Keystone-based deep-underground secure heterogeneous data fusion method according to claim 1, wherein in the enclave full-lifecycle management and secure destruction step the lifecycle of the secure enclave is managed according to task scheduling: for a one-off task, after the result is output the memory clearing and resource reclamation interface provided by Keystone is called to destroy the corresponding enclave, and the clearing result is verified to confirm that no sensitive information remains; for a long-running task, the enclave is re-created at a configured period and the keys are refreshed to reduce side-channel and data-remanence risks, the period being 1 to 24 hours.
- 9. A Keystone-based deep-underground secure heterogeneous data fusion system, characterized by comprising: a trusted execution environment construction module for deploying a Keystone trusted execution environment framework on a deep-underground edge computing node and creating mutually isolated secure enclaves for the heterogeneous data fusion tasks to be processed; a secure access and authentication module by which the secure enclave generates and provides a remote attestation report, and each heterogeneous data source establishes a secure session with the secure enclave on the basis of that report and obtains a shared key through key negotiation; a spatio-temporal alignment and feature extraction module by which the secure enclave performs spatio-temporal alignment and preprocessing on the decrypted multi-source heterogeneous data and extracts feature vectors for correlation analysis from point cloud, time-series, image and structured data; a cross-modal correlation analysis and model inference module by which the secure enclave performs cross-modal correlation analysis on the feature vectors and loads and invokes a preset analysis model or rule engine inside the enclave to perform risk assessment, state prediction or anomaly diagnosis; a fusion result secure packaging and distribution module by which the secure enclave encrypts the fusion analysis result with the receiver's public key, generates a digital signature with the enclave private key, and distributes the ciphertext and signature to the authorized receiver over a secure channel; and an enclave full-lifecycle management and secure destruction module for managing the lifecycle of the secure enclave according to task scheduling, such that for a one-off task the corresponding enclave is destroyed and the physical memory it occupied is cleared after the result is output, and for a long-running task the enclave is re-created at a configured period and the keys are refreshed.
- 10. An electronic device comprising a processor and a memory, wherein the memory stores one or more program instructions and the processor is configured to execute the one or more program instructions to perform the Keystone-based deep-underground secure heterogeneous data fusion method according to any one of claims 1 to 8.
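The attested session of claim 4, as an added worked example that is not part of the patent or of the Keystone project's code. It is written in Go against the standard library and models both parties: the enclave issues a report binding its measurement to an ephemeral X25519 key; the data source verifies the report before sending anything; both sides derive an AES-256-GCM session key with HKDF; and the enclave, after the GCM tag has authenticated the record, recomputes its SHA-256 against the digest the source declared (the two verification branches the claim names). The report layout, the platform signing key (ECDSA P-256 standing in for the Keystone device key), the HKDF label and the sample sensor record are all constructed for this example; a real Keystone report is produced by the security monitor and has its own field layout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must is for calls that cannot fail on a healthy system; security checks return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Report is a constructed stand-in for a Keystone attestation report (measurements plus
// a caller-supplied data field, signed by the device key); this layout is an assumption.
type Report struct {
	EnclaveHash []byte // SHA-256 measurement of the enclave image
	UserData    []byte // enclave's ephemeral X25519 public key, bound into the report
	Signature   []byte // ECDSA P-256 by the platform (device) key over digest()
}

func (r *Report) digest() []byte {
	h := sha256.Sum256(append(append([]byte{}, r.EnclaveHash...), r.UserData...))
	return h[:]
}

// NewEnclave measures the image and issues a report binding a fresh X25519 key to it.
func NewEnclave(image []byte, platformKey *ecdsa.PrivateKey) (*ecdh.PrivateKey, *Report) {
	dh := must(ecdh.X25519().GenerateKey(rand.Reader))
	h := sha256.Sum256(image)
	r := &Report{EnclaveHash: h[:], UserData: dh.PublicKey().Bytes()}
	r.Signature = must(ecdsa.SignASN1(rand.Reader, platformKey, r.digest()))
	return dh, r
}

// VerifyReport is the data source's gate: valid device signature and a trusted measurement.
func VerifyReport(r *Report, platformPub *ecdsa.PublicKey, trustedHash []byte) error {
	if !ecdsa.VerifyASN1(platformPub, r.digest(), r.Signature) {
		return errors.New("attestation: bad platform signature")
	}
	if !bytes.Equal(r.EnclaveHash, trustedHash) {
		return errors.New("attestation: enclave measurement not trusted")
	}
	return nil
}

// hkdfSHA256 is RFC 5869 extract-then-expand for a single 32-byte output block.
func hkdfSHA256(secret, salt []byte, info string) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte(info))
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// sessionGCM derives AES-256-GCM from the X25519 shared secret; salting the KDF with
// the report digest binds the key to the attested enclave identity.
func sessionGCM(priv *ecdh.PrivateKey, peerPub []byte, r *Report) cipher.AEAD {
	shared := must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	key := hkdfSHA256(shared, r.digest(), "keystone-fusion-session-v1")
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Packet is what the untrusted host application relays from source to enclave.
type Packet struct{ SrcPub, Nonce, CT, AAD []byte }

// Send (data source): verify the report, agree a key, then seal the record with
// SHA-256(record) as AAD so the enclave can recompute it after decryption.
func Send(r *Report, platformPub *ecdsa.PublicKey, trustedHash, record []byte) (*Packet, error) {
	if err := VerifyReport(r, platformPub, trustedHash); err != nil {
		return nil, err // nothing leaves the source for an unattested enclave
	}
	src := must(ecdh.X25519().GenerateKey(rand.Reader))
	gcm := sessionGCM(src, r.UserData, r)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	sum := sha256.Sum256(record)
	return &Packet{src.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, record, sum[:]), sum[:]}, nil
}

// Receive (enclave): the GCM tag authenticates ciphertext and AAD together; the
// plaintext is then re-hashed against the declared digest.
func Receive(dh *ecdh.PrivateKey, r *Report, p *Packet) ([]byte, error) {
	pt, err := sessionGCM(dh, p.SrcPub, r).Open(nil, p.Nonce, p.CT, p.AAD)
	if err != nil {
		return nil, errors.New("decrypt: GCM tag mismatch (tampered ciphertext or wrong key)")
	}
	if sum := sha256.Sum256(pt); !bytes.Equal(sum[:], p.AAD) {
		return nil, errors.New("decrypt: plaintext hash differs from declared hash")
	}
	return pt, nil
}

// Exchange runs one session end to end; tamper flips a ciphertext byte in transit.
func Exchange(record []byte, tamper bool) ([]byte, error) {
	platformKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	image := []byte("constructed fusion-enclave image")
	trusted := sha256.Sum256(image)
	dh, report := NewEnclave(image, platformKey)
	p, err := Send(report, &platformKey.PublicKey, trusted[:], record)
	if err != nil {
		return nil, err
	}
	if tamper {
		p.CT[0] ^= 1
	}
	return Receive(dh, report, p)
}

func main() {
	rec := []byte(`{"sensor":"microseismic-07","t":1732500000,"amp":0.42}`) // constructed sample
	pt, err := Exchange(rec, false)
	fmt.Println(string(pt), err)
	_, err = Exchange(rec, true)
	fmt.Println("tampered:", err)
}
```

The point worth noting is the order of checks on the source side: the report is verified before the ECDH key is even generated, so a host that forwards a report for an enclave with the wrong measurement, or a report signed by something other than the expected device key, never receives any plaintext-equivalent material. Binding the report digest into the KDF salt means a session key can only be shared with the enclave whose attestation was checked.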
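Claims 6 to 8 describe three enclave-side controls: measuring a model before loading it and logging the measurement, encrypting the fusion result to the receiver and signing it with the enclave key, and confirming that sensitive memory has been cleared. The Go program below is an added example, not code from the patent or from Keystone, showing one way to implement each with the standard library. The receiver encryption is hybrid (a fresh AES-256-GCM key wrapped with RSA-OAEP, since RSA-OAEP alone cannot carry a result of arbitrary size); the signature is ECDSA P-256 over the ciphertext together with a fingerprint of the receiver's key, in encrypt-then-sign order, so the receiver rejects forgeries before decrypting and a valid package cannot be re-addressed to another receiver; the measurement log extends a running chain value in the manner of a TPM PCR. The model name, allowlist digest, key-fingerprint scheme and sample result are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// must is for calls that cannot fail on a healthy system; security checks return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MeasureLog records every model measurement (claim 6). Each entry also extends a
// running chain value, PCR-style, so an auditor holding the chain value can detect
// entries that were later dropped or altered.
type MeasureLog struct {
	Entries []string // "<model name> <sha256 hex>"
	Chain   [32]byte // SHA-256(previous chain || digest)
}

func (l *MeasureLog) extend(name string, digest [32]byte) {
	l.Chain = sha256.Sum256(append(l.Chain[:], digest[:]...))
	l.Entries = append(l.Entries, name+" "+hex.EncodeToString(digest[:]))
}

// LoadModel measures the model blob before use and refuses anything whose digest is
// not allowlisted; the measurement is logged either way so refusals are auditable.
func LoadModel(name string, blob []byte, allow map[string]string, log *MeasureLog) error {
	d := sha256.Sum256(blob)
	log.extend(name, d)
	if allow[name] != hex.EncodeToString(d[:]) {
		return fmt.Errorf("model %q: measurement not in allowlist, refusing to load", name)
	}
	return nil
}

// Sealed is the fusion result as handed to the host for distribution (claim 7).
type Sealed struct {
	Receiver   [32]byte // fingerprint of the intended receiver key, covered by the signature
	WrappedKey []byte   // fresh AES-256-GCM key, RSA-OAEP-encrypted to the receiver
	Nonce, CT  []byte   // AES-GCM nonce and ciphertext; AAD is Receiver
	Sig        []byte   // ECDSA P-256 by the enclave key over signedDigest()
}

func (s *Sealed) signedDigest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{s.Receiver[:], s.WrappedKey, s.Nonce, s.CT} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// receiverID is a simplified key fingerprint (SHA-256 of the modulus), an assumption
// of this example; a deployment would fingerprint the full encoded public key.
func receiverID(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) }

// Seal: hybrid-encrypt to the receiver, then sign ciphertext and addressee
// (encrypt-then-sign), so the package cannot be re-addressed or altered undetected.
func Seal(result []byte, receiver *rsa.PublicKey, enclaveKey *ecdsa.PrivateKey) *Sealed {
	key := make([]byte, 32)
	must(rand.Read(key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	s := &Sealed{Receiver: receiverID(receiver), Nonce: make([]byte, gcm.NonceSize())}
	must(rand.Read(s.Nonce))
	s.CT = gcm.Seal(nil, s.Nonce, result, s.Receiver[:])
	s.WrappedKey = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil))
	s.Sig = must(ecdsa.SignASN1(rand.Reader, enclaveKey, s.signedDigest()))
	Zeroize(key) // raw key no longer needed (the expanded schedule inside gcm is not cleared here)
	return s
}

// Open (authorized receiver): verify signature and addressee before any decryption.
func Open(s *Sealed, me *rsa.PrivateKey, enclavePub *ecdsa.PublicKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(enclavePub, s.signedDigest(), s.Sig) {
		return nil, errors.New("sealed result: enclave signature invalid")
	}
	if s.Receiver != receiverID(&me.PublicKey) {
		return nil, errors.New("sealed result: not addressed to this receiver")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, me, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	defer Zeroize(key)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, s.Nonce, s.CT, s.Receiver[:])
}

// Zeroize overwrites a key or plaintext buffer and confirms no byte survived, the
// pre-destruction check of claim 8. Go does not elide these stores; in C the same
// step needs explicit_bzero or memset_s so the optimizer cannot remove them.
func Zeroize(buf []byte) bool {
	for i := range buf {
		buf[i] = 0
	}
	return bytes.Equal(buf, make([]byte, len(buf)))
}

func main() {
	model := []byte("constructed rock-burst model weights") // constructed sample inputs
	d := sha256.Sum256(model)
	var log MeasureLog
	err := LoadModel("rockburst-v3", model, map[string]string{"rockburst-v3": hex.EncodeToString(d[:])}, &log)
	fmt.Println("load:", err, log.Entries)
	recv := must(rsa.GenerateKey(rand.Reader, 2048))
	enclaveKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	s := Seal([]byte(`{"zone":"B7","risk":"high"}`), &recv.PublicKey, enclaveKey)
	pt, err := Open(s, recv, &enclaveKey.PublicKey)
	fmt.Println(string(pt), err)
}
```

Two design points carry over to any real deployment. First, the receiver fingerprint is inside the signed data, not only inside the AAD: without it, the host could present the enclave's genuine signature on a package re-wrapped for a different public key. Second, `Zeroize` clears only the buffer it is handed; key schedules held inside cipher objects, and any copies the runtime made, are outside its reach, which is why claim 8 still relies on Keystone's own page clearing when the enclave is destroyed.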
Description
Keystone-based deep-underground secure heterogeneous data fusion method and system
Technical Field
The invention belongs to the technical field of data security and data processing, and in particular relates to a Keystone-based method and system for secure fusion of heterogeneous data from deep-underground operations.
Background
With the development of the Internet of Things, big data and artificial intelligence, digital twin technology, which supports operation and maintenance decisions by digitally sensing, modeling and simulating physical entities, is becoming an important means of improving the operational safety and management efficiency of deep-underground complex spaces. In such a scenario it is necessary to continuously collect large volumes of multi-source heterogeneous data, including geological structure, microseismic monitoring, environmental parameters, equipment status and personnel positioning, and to implement disaster early warning, ventilation optimization, equipment health management and the like by means of fusion analysis models. Such operational data is generally highly sensitive and confidential, and its leakage, tampering or illegitimate use during transmission or processing can pose a significant risk to production safety and economic operation.
Existing technical routes for fusing heterogeneous data from deep-underground complex spaces concentrate mainly on system architecture and the software layer, and can broadly be divided into two categories. The first is data fusion with software encryption on a centralized cloud platform: data generated by subsystems such as microseismic monitoring, environmental sensors, video surveillance and personnel positioning are uploaded over a communication network to a cloud data center and processed uniformly with data middleware, ETL tools and fusion algorithms. Such schemes typically rely on TLS or SSL on the transmission link to secure the link, and on database or file-system encryption to protect data at rest, but in the cloud application layer and the processing pipeline the data must still be handled in plaintext. The second is edge computing on a conventional trusted execution environment: part of the computing is pushed down to deep-underground edge computing nodes, for example by deploying a trusted execution environment such as SGX on a server built on a general-purpose processor architecture and running the data fusion program inside a secure enclave, so as to isolate it from other programs and protect the processing.
Although these approaches improve the security and performance of deep-underground data processing to some extent, they still have many limitations in practice. On the one hand, during cloud processing the data is exposed in plaintext in the application layer and during computation, with no effective protection against highly privileged operations staff or attackers who have compromised the application system; returning large volumes of raw data to the cloud center also increases network bandwidth pressure and decision latency, which makes it hard to meet the low-latency requirements of rock burst early warning, intelligent ventilation alarms and the like. On the other hand, edge computing schemes based on conventional trusted execution environments are usually tightly coupled to a specific commercial hardware architecture, which limits openness, independent controllability and customization, and they also face performance bottlenecks and potential security weaknesses in memory capacity, task scheduling and side-channel attack protection. In addition, some pure-software security schemes rely on complex software stacks, making it difficult to build a verifiable and measurable complete chain of trust from the hardware up for deep-underground heterogeneous data fusion.
Disclosure of Invention
The invention provides a Keystone-based deep-underground secure heterogeneous data fusion method and system to address problems of the prior art such as insufficient security protection of multi-source heterogeneous data during fusion processing in deep-underground complex scenarios and the difficulty of building a trusted running environment in a unified way. To this end, the technical scheme of the invention is as follows.
In a first aspect, the invention provides a Keystone-based deep-underground secure heterogeneous data fusion method comprising the following steps: trusted execution environment construction, in which a Keystone trusted execution environment framework is deployed on a deep-underground edge computing node and mutually isolated secure enclaves are created for the heterogeneous data fusion tasks to be processed; secure access and authentication of multi-source heterogeneous data, comprising the steps that the secure enclave generates and provides