
CN-121980577-A - Human body posture data access system and method with hierarchical encryption and dynamic access control


Abstract

The application belongs to the technical field of computer information security, and particularly relates to a human body posture data access system and method based on hierarchical encryption and dynamic access control. The method is executed by a data management platform server and specifically comprises the steps of receiving original human body posture data, dynamically dividing the data into a plurality of data layers with different sensitivity levels based on a multidimensional privacy sensitivity quantification result of the data, formulating different access control strategies for each data layer, executing corresponding encryption operation on each layer of data, and executing identity verification and authorization operation based on an access request. The application provides a human body posture data privacy protection management scheme which has balanced control granularity and data utility, balanced authority management and safety requirements and legal compliance.

Inventors

  • ZHU XIANG
  • CHEN LU
  • YE JIANCHENG

Assignees

  • 北京连屏科技股份有限公司

Dates

Publication Date
2026-05-05
Application Date
2025-12-13

Claims (10)

  1. A human body posture data privacy protection management system based on hierarchical encryption and dynamic access control, characterized by comprising a monitoring device and a user client, both in data connection with a data management platform server, wherein: the monitoring device is configured to collect original human body posture data and send it to the data management platform server; the data management platform server is configured to: receive the original human body posture data, perform a multidimensional privacy sensitivity quantification operation on the data, and dynamically divide the data into a plurality of data layers of different sensitivity levels based on the quantification result; set a different access control policy for each data layer and perform the corresponding encryption operation on each layer, wherein the data layer of highest sensitivity is encrypted with an attribute-based encryption algorithm and identification information of a guardian is embedded in the access policy; respond to a data access request from the user client by judging the sensitivity level of the requested data: if access to the data layer of highest sensitivity is requested, forcibly start a strong authentication flow for the user identity, generate a temporary access credential after authentication, and transmit the temporary access credential and the ciphertext generated by the attribute-based encryption algorithm to the user client; for requests for other data layers, verify based on the first access control policy and transmit the corresponding protected data to the user client after verification; the user client is configured to: send a data access request to the data management platform server; when access to the data layer of highest sensitivity is requested and strong authentication passes, receive the temporary access credential and the ciphertext generated by the attribute-based encryption algorithm from the server, and decrypt the ciphertext in a local security environment based on the temporary access credential and a locally stored user private key; when access to other data layers is requested, receive the protected data from the server based on the first access control policy and decrypt or present it.
  2. The system of claim 1, wherein the data management platform server is further configured to record the identity verification operations, access requests and authorization events for data of all sensitivity levels and to generate a tamper-proof audit log, wherein for access to high-sensitivity data the audit log records at least the success or failure state of the identity verification operation and the issuing event of the temporary access credential.
  3. The system of claim 1, wherein performing the multidimensional privacy sensitivity quantification operation on the data comprises: determining an identification risk score based on a predefined joint point weight table, wherein the joint point weight table classifies at least the hip, knee, ankle and pelvis joints as high-risk joints and assigns them a weight of 0.9 to 1.0; and identifying behavior categories with a lightweight temporal convolutional network model and mapping the behavior categories to behavior sensitivity scores according to a predefined behavior sensitivity dictionary, wherein the behavior sensitivity dictionary assigns sensitivity scores of 0.9 to 1.0 to at least falling and toilet behaviors.
  4. The system of claim 3, wherein dynamically dividing the data into a plurality of data layers of different sensitivity levels based on the quantification result comprises: if the identification risk score reaches or exceeds 0.7, or the behavior sensitivity score reaches or exceeds 0.8, placing the corresponding data in the data layer of highest sensitivity.
  5. The system of claim 1, wherein the lightweight temporal convolutional network model comprises at least four one-dimensional causal temporal convolution layers, each with a convolution kernel of size 3, and the dilation (expansion) coefficients are set to 1, 2, 4 and 8 in order from the bottom layer to the top layer.
  6. A human body posture data privacy protection management method based on hierarchical encryption and dynamic access control, executed by the data management platform server, characterized by comprising: receiving original human body posture data and dynamically dividing the data into a plurality of data layers of different sensitivity levels based on a multidimensional privacy sensitivity quantification result of the data; setting a different access control policy for each data layer and performing the corresponding encryption operation on each layer, wherein the data layer of highest sensitivity is encrypted with an attribute-based encryption algorithm, identification information of a guardian is embedded in the access policy, and the other data layers adopt a first access control policy; and responding to a data access request from a user client by judging the sensitivity level of the data to be accessed: if access to the data layer of highest sensitivity is requested, forcibly starting a strong authentication flow for the user identity, generating a temporary access credential after authentication, and sending the temporary access credential and the ciphertext generated by the attribute-based encryption algorithm to the user client; if another data layer is requested, verifying based on the first access control policy and sending the protected data to the user client after verification passes.
  7. The method of claim 6, further comprising, after receiving the original human body posture data: performing joint point coordinate normalization preprocessing on the original human body posture data, comprising: calculating the trunk reference length from the neck joint point coordinates and the pelvis joint point coordinates as L_ref = ||P_neck - P_pelvis||, where P_neck is the neck joint point coordinate data and P_pelvis is the pelvis joint point coordinate data; and determining a scaling factor from the ratio of the trunk reference length to a preset standard trunk length, and scaling the coordinates of each joint point with it to eliminate differences in absolute position, orientation and body type between individuals.
  8. A human body posture data access method based on hierarchical encryption and dynamic access control, executed by the user client, characterized by comprising: sending an access request for a specific data layer to a data management platform server; after authentication by the data management platform server, receiving the corresponding data from the server, wherein: if access to the data layer of highest sensitivity is requested, after passing the strong identity authentication forcibly triggered by the server, receiving from the server the temporary access credential issued by the server and the ciphertext generated with the attribute-based encryption algorithm, and if another data layer is requested, receiving the corresponding protected data from the server after verification under the first access control policy passes; and processing the received data for local presentation, wherein the received ciphertext is, in a local security environment, combined with the temporary access credential to synthesize a decryption attribute set and is presented after decryption with a locally stored user private key, and the received protected data is decrypted or directly presented.
  9. The method of claim 8, wherein synthesizing a decryption attribute set from the received ciphertext in a local security environment based on the temporary access credential, and presenting after decryption with a locally stored user private key, comprises: verifying the digital signature of the temporary access credential to ensure it was issued by a legitimate data management platform server; extracting the authorized session information from the verified temporary access credential, the session information comprising a user identifier and an access target identifier; synthesizing a decryption attribute set containing the user identifier, the role and the access target identifier; and calling a local attribute-based decryption algorithm, which performs the decryption operation to obtain the plaintext data after verifying that the decryption attribute set satisfies the access policy of the ciphertext.
  10. The method of claim 9, wherein the ciphertext is generated by applying the attribute-based encryption algorithm to the human body posture data of the guardian, and verifying that the decryption attribute set satisfies the access policy of the ciphertext comprises verifying whether the guardian number in the decryption attribute set is consistent with the number embedded in the ciphertext.
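The sensitivity quantification and layer assignment of claims 3 and 4, as an added example that is not code from the patent or its applicant. It assumes that the identification risk score is the maximum weight of the joints present in a frame (the claims name the weight table but not the aggregation rule), that the behavior category is supplied by an external classifier standing in for the claims' temporal convolutional network, that the thresholds are inclusive, and that every frame not placed in the highest layer falls into the single "first access control policy" layer of claim 6; weights for non-high-risk joints and non-sensitive behaviors are constructed values.

```python
"""Sensitivity quantification and layer assignment for pose frames.

Added example after claims 3-4; assumptions (not in the patent): maximum
joint weight as the risk score, inclusive thresholds, an external behavior
classifier, and a single "first_policy" layer below the highest one.
"""
from dataclasses import dataclass

# Joint weight table (claim 3): hip, knee, ankle and pelvis are high-risk
# joints weighted 0.9-1.0. The other entries are constructed values.
JOINT_WEIGHTS = {
    "hip": 1.0, "knee": 0.95, "ankle": 0.9, "pelvis": 1.0,
    "neck": 0.4, "shoulder": 0.3, "elbow": 0.2, "wrist": 0.2,
}

# Behavior sensitivity dictionary (claim 3): falling and toilet use score
# 0.9-1.0. The other entries are constructed values.
BEHAVIOR_SENSITIVITY = {
    "fall": 1.0, "toilet": 0.95, "walking": 0.2, "sitting": 0.1,
}

RISK_THRESHOLD = 0.7       # claim 4: identification risk score
BEHAVIOR_THRESHOLD = 0.8   # claim 4: behavior sensitivity score


@dataclass(frozen=True)
class Quantification:
    risk_score: float
    behavior_score: float
    layer: str  # "highest" or "first_policy"


def identification_risk(joints: set) -> float:
    """Assumed aggregation: the most identifying joint present dominates."""
    unknown = joints - set(JOINT_WEIGHTS)
    if unknown:
        raise ValueError(f"joints without a weight entry: {sorted(unknown)}")
    return max((JOINT_WEIGHTS[j] for j in joints), default=0.0)


def quantify(joints: set, behavior: str) -> Quantification:
    """Score one frame and assign it to a sensitivity layer (claims 3-4)."""
    risk = identification_risk(joints)
    # Behaviors missing from the dictionary are treated as maximally
    # sensitive so that an unmapped class never lands in the weaker layer.
    sensitivity = BEHAVIOR_SENSITIVITY.get(behavior, 1.0)
    highest = risk >= RISK_THRESHOLD or sensitivity >= BEHAVIOR_THRESHOLD
    return Quantification(risk, sensitivity,
                          "highest" if highest else "first_policy")
```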

Description

Human body posture data access system and method with hierarchical encryption and dynamic access control

Technical Field

The application belongs to the technical field of computer information security, and particularly relates to a human body posture data access system and method based on hierarchical encryption and dynamic access control.

Background

Remote monitoring technology has become widespread in settings such as nursing homes and postpartum care centers, making human body posture data the core of behavior analysis. However, such data, rich in biometric information, faces serious risk of privacy disclosure during collection, storage and use, which poses a significant challenge to existing security technologies. Early schemes that transmit the original data directly preserve data integrity, but the lack of access control makes privacy leakage easy, and the huge data volume also brings high transmission latency and storage cost. To address these drawbacks the industry has proposed various improvements, but they still face a number of deep contradictions, concentrated in the imbalance among privacy protection, data utility and system performance:

Contradiction one: control granularity versus data utility. Existing schemes are coarse in access control and lack fine-grained, differentiated control according to data sensitivity. For example, schemes that rely on data desensitization apply a one-size-fits-all over-desensitization in pursuit of security, which can irreversibly compromise the original accuracy and utility of the data.

Contradiction two: rigid rights management versus dynamic security requirements. Traditional access control adopts a static authority model: once granted, a permission remains effective for a long time and cannot be adjusted dynamically according to context such as the visitor's identity, the data sensitivity or the urgency of the operation. This rigid mechanism results in a double defect: permission binding is inaccurate, since a temporary authority association between high-sensitivity data and a specific guardian (such as emergency access by a direct relative) cannot be established; and emergency response is absent, since there is no dynamic privilege elevation mechanism for sudden events. In essence this is a structural contradiction between the static nature of authority management and the dynamic nature of the security scenario, which restricts the adaptability and security of the system in sensitive data scenarios.

Contradiction three: technical reliability versus legal compliance. Existing schemes generally lack full-link auditability, cannot produce tamper-proof records of the full life cycle of data access, cannot provide a complete evidence chain conforming to GDPR and other regulations, and are insufficient in system transparency and reliability.

In summary, the prior art has multiple contradictions in key dimensions such as privacy protection strength, data availability and compliance auditability, and cannot meet the comprehensive high requirements for data security, value preservation and compliance management in sensitive monitoring scenarios.

Disclosure of Invention

The embodiment of the application provides a human body posture data privacy protection management system and method based on hierarchical encryption and dynamic access control, aiming at solving the problems of unbalanced control granularity and data utility, unbalanced authority management and security requirements, and unbalanced technical reliability and legal compliance in the prior art.

The first aspect of the embodiment of the application provides a human body posture data privacy protection management system based on hierarchical encryption and dynamic access control, which comprises a monitoring device and a user client, both in data connection with a data management platform server, wherein: the monitoring device is configured to collect original human body posture data and send it to the data management platform server; the data management platform server is configured to: receive the original human body posture data, perform a multidimensional privacy sensitivity quantification operation on the data, and dynamically divide the data into a plurality of data layers of different sensitivity levels based on the quantification result; set a different access control policy for each data layer and perform the corresponding encryption operation on each layer, wherein the data layer of highest sensitivity is encrypted with an attribute-based encryption algorithm and identification information of a guardian is embedded in the access policy; respond to a data access request from a user client by judging the sensitivity level of the requested data, and if access to the data layer of highest sensitivity is requested, forcibly s
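The client-side gate of claims 9 and 10, in which the temporary credential that binds a specific guardian to high-sensitivity data (the "temporary authority association" the background calls for) is verified before decryption, as an added example that is not code from the patent or its applicant. It assumes that the server's digital signature on the credential is stood in for by HMAC-SHA256 under a key the client already holds, that the attribute-based decryption step is reduced to the policy predicate of claim 10 (the guardian number in the attribute set must match the number embedded in the ciphertext) plus a match on the access target, and that all identifiers, keys and timestamps are constructed.

```python
"""Temporary access credential check and attribute-policy match (claims 9-10).

Added example; not the patent's code. HMAC-SHA256 stands in for the server's
digital signature, and the ABE decryption is reduced to its policy predicate.
"""
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # stand-in for the server's signing key


def issue_credential(user_id: str, role: str, target_id: str,
                     issued_at: int, ttl: int, key: bytes = SERVER_KEY) -> dict:
    """Server side: sign a short-lived credential after strong authentication."""
    payload = {"user_id": user_id, "role": role, "target_id": target_id,
               "exp": issued_at + ttl}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_credential(cred: dict, now: int,
                      key: bytes = SERVER_KEY) -> Optional[dict]:
    """Client side (claim 9): check signature and expiry, return session info."""
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # forged or tampered credential
    if now >= cred["payload"]["exp"]:
        return None  # the temporary credential has lapsed
    return cred["payload"]


def build_attribute_set(session: dict) -> dict:
    """Synthesize the decryption attribute set of claim 9."""
    return {"user_id": session["user_id"], "role": session["role"],
            "target_id": session["target_id"]}


def policy_satisfied(attrs: dict, ciphertext_meta: dict) -> bool:
    """Claim 10 predicate: the requesting guardian must be the one embedded in
    the ciphertext's access policy; the target match is an added assumption."""
    return (attrs["user_id"] == ciphertext_meta["embedded_guardian_id"]
            and attrs["target_id"] == ciphertext_meta["data_id"])


def can_decrypt(cred: dict, ciphertext_meta: dict, now: int) -> bool:
    """Full client-side gate before the local ABE decryption is invoked."""
    session = verify_credential(cred, now)
    if session is None:
        return False
    return policy_satisfied(build_attribute_set(session), ciphertext_meta)
```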