
CN-122001583-A - Quantum encryption transmission and knowledge-graph fusion data security system


Abstract

The application discloses a data security system integrating quantum encryption transmission and a knowledge graph, in the technical field of data processing. The system acquires enterprise multi-source data and constructs an enterprise data knowledge graph; in response to a real-time data access request it performs path reasoning and risk assessment in the knowledge graph and generates a dynamic data response strategy; it then distributes a quantum symmetric key to the data receiving end through a quantum channel and performs differentiated encrypted transmission of the target data according to the response strategy and the quantum key. By combining the fine-grained permission reasoning of the knowledge graph with the absolute security of quantum encryption, and by introducing an intelligent risk assessment model based on a neighborhood order response optimization algorithm, the system aims to achieve precise control of data access rights, real-time perception of security risks and quantum-level security of data transmission, thereby remarkably improving the protection of enterprise core data.

Inventors

  • LI YINGBIN
  • ZHANG BING
  • WANG WENDI
  • SHI CHUNHUA

Assignees

  • 海天地数码科技(北京)有限公司

Dates

Publication Date
20260508
Application Date
20260407

Claims (10)

  1. A data security system for quantum cryptography transmission and knowledge-graph fusion, comprising: a knowledge graph construction module for collecting enterprise multi-source data and constructing an enterprise data knowledge graph from the enterprise multi-source data; a dynamic encryption engine module for responding to a real-time data access request generated by a user, performing path reasoning and risk assessment in the enterprise data knowledge graph according to the real-time data access request, and generating a data response strategy corresponding to the real-time data access request; a quantum key distribution module for distributing quantum symmetric keys to the data receiving end through a quantum channel; and a quantum encryption transmission module for encrypting and transmitting the target data corresponding to the real-time data access request to the user according to the data response strategy and the quantum symmetric key, so as to complete the secure data interaction.
  2. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 1, wherein collecting enterprise multi-source data and constructing an enterprise data knowledge graph from the enterprise multi-source data comprises: acquiring the relationships between personnel and departments, between data and departments, and between data and the access strategy corresponding to that data within the enterprise, to obtain the enterprise multi-source data; and constructing the enterprise data knowledge graph from the enterprise multi-source data.
  3. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 1, wherein responding to a real-time data access request generated by a user, performing path reasoning and risk assessment in the enterprise data knowledge graph according to the real-time data access request, and generating a data response strategy corresponding to the real-time data access request comprises: responding to a real-time data access request generated by a user, wherein the real-time data access request comprises the target data the user needs to access; taking the target data as an entity, performing path reasoning in the enterprise data knowledge graph, and determining a first target department and a target access policy corresponding to the target data; determining a second target department corresponding to the user, and judging whether the user, the first target department and the second target department corresponding to the user satisfy the target access policy; if so, determining that the data permission requirement is met, otherwise determining that the data permission requirement is not met; acquiring network flow data of the user during the data access process, and performing risk assessment on the user with a network security detection model deployed in advance through a neighborhood order response optimization algorithm, to determine a risk assessment result, wherein the risk assessment result is either risk or no risk; when the data permission requirement is met and the risk assessment result is no risk, generating the data response strategy corresponding to the real-time data access request as a quantum encryption response strategy; when the data permission requirement is met and the risk assessment result is risk, generating the data response strategy corresponding to the real-time data access request as a quantum reinforcement response strategy; and when the data permission requirement is not met, whether the risk assessment result is risk or no risk, generating the data response strategy corresponding to the real-time data access request as a request rejection response strategy.
  4. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 3, wherein the method of deploying the network security detection model in advance through the neighborhood order response optimization algorithm comprises: constructing the network security detection model as a CNN-LSTM model, and initially encoding the hyperparameters of the network security detection model to obtain a population for training; for any individual in the population, acquiring the fitness corresponding to the individual, and determining the individual with the largest fitness as the global optimal individual; generating an adaptive exploration range for an individual based on the global optimal individual, and performing neighborhood exploration on the individual with a dynamic region exploration strategy according to the adaptive exploration range, to obtain a first target individual; for any first target individual, performing adaptive position exploration on the first target individual with a dual-strategy solution-space exploration strategy controlled by a dynamic switching mechanism, to obtain a second target individual; for any second target individual, performing adaptive global exploration on the second target individual with a greedy segmented perturbation strategy, to obtain a third target individual; judging whether the current number of training iterations is greater than or equal to the preset maximum number of training iterations; if so, re-determining the global optimal individual according to the third target individuals, otherwise returning to the step of acquiring the global optimal individual, based on the third target individuals, and entering the next training iteration; and taking the hyperparameters of the re-determined global optimal individual as the hyperparameters of the network security detection model, and deploying them to the server where the dynamic encryption engine module is located.
  5. The data security system of claim 4, wherein generating an adaptive exploration range for an individual based on the global optimal individual, and performing neighborhood exploration on the individual with a dynamic region exploration strategy according to the adaptive exploration range to obtain a first target individual, comprises: acquiring the current number of training iterations, and determining a dynamic selection factor according to it; based on the dynamic selection factor and the global optimal individual, generating the adaptive exploration range in combination with an upper-limit individual consisting of the upper limits of the hyperparameters and a lower-limit individual consisting of the lower limits of the hyperparameters; and, for any individual, performing dynamic region exploration on the individual using the upper and lower limits of the adaptive exploration range, to obtain a first target individual.
  6. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 5, wherein, for any first target individual, performing adaptive position exploration on the first target individual with a dual-strategy solution-space exploration strategy controlled by a dynamic switching mechanism to obtain a second target individual comprises: for any first target individual, acquiring the fitness of the first target individual, and determining a dynamic switching factor according to that fitness; based on the dynamic switching factor, selecting either a group-information reference fusion strategy or a global-optimum-guided mutation update strategy to perform adaptive position exploration on the first target individual, to obtain a second target individual; the group-information reference fusion strategy comprises: acquiring the average individual of all first target individuals, and determining the individual with the smallest Euclidean distance to the average individual as the reference individual; and performing adaptive position exploration on the first target individual based on the reference individual and the average individual, to obtain a second target individual; the global-optimum-guided mutation update strategy comprises: acquiring a random control factor, and generating a guiding mutation vector according to the random control factor and the global optimal individual; and performing adaptive position exploration on the first target individual according to the global optimal individual and the guiding mutation vector, to obtain a second target individual.
  7. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 6, wherein, for any second target individual, performing adaptive global exploration on the second target individual with a greedy segmented perturbation strategy to obtain a third target individual comprises: acquiring the current number of training iterations, and acquiring a segmented perturbation factor according to the current number of training iterations and the preset maximum number of training iterations; according to the segmented perturbation factor, mutating the second target individual using a normal distribution function, to obtain the mutated second target individual; and judging whether the fitness of the mutated second target individual is greater than that of the original second target individual; if so, taking the mutated second target individual as the third target individual, otherwise taking the original second target individual as the third target individual.
  8. The data security system of claim 3, wherein distributing the quantum symmetric key to the data receiving end through the quantum channel comprises distributing the quantum symmetric key to the data receiving end through the quantum channel using a QKD algorithm.
  9. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 8, wherein encrypting and transmitting the target data corresponding to the real-time data access request to the user according to the data response strategy and the quantum symmetric key comprises: when the data response strategy is the quantum encryption response strategy, encrypting the target data corresponding to the real-time data access request with the quantum symmetric key and transmitting it to the user; when the data response strategy is the quantum reinforcement response strategy, generating an independent secondary encryption key, encrypting the target data corresponding to the real-time data access request with the secondary encryption key and transmitting it to the user, and transmitting the secondary encryption key to the user using a fusion algorithm of key segmentation and QKD so that the user can decrypt; and when the data response strategy is the request rejection response strategy, generating access rejection information, encrypting the access rejection information with the quantum symmetric key and transmitting it to the user.
  10. The quantum cryptography transmission and knowledge-graph fusion data security system of claim 8, wherein transmitting the secondary encryption key to the user using the key segmentation and QKD fusion algorithm comprises: generating the secondary encryption key with a symmetric key algorithm, and randomly dividing the secondary encryption key into a plurality of key fragments; and generating a plurality of shared keys with a QKD algorithm, encrypting the key fragments with the shared keys in one-to-one correspondence, and transmitting the encrypted key fragments to the user.
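As an added illustration of the claim 3 decision procedure (this is not the patent's code), the following Python builds a small constructed knowledge graph of the claim 2 relationships, resolves the data's department and access policy by path reasoning, and maps the permission check and the risk result onto the three response strategies. Node names, relation labels and the policy names are assumptions; the risk result is passed in as a boolean standing in for the CNN-LSTM model's verdict.

```python
from collections import defaultdict, deque

# Constructed triples: person -> department, data -> department, data -> access
# policy. q3_ledger inherits its department and policy through finance_reports,
# which is what path reasoning has to resolve. Policy names are assumptions.
EDGES = [
    ("alice", "works_in", "finance"),
    ("bob", "works_in", "engineering"),
    ("q3_ledger", "part_of", "finance_reports"),
    ("finance_reports", "owned_by", "finance"),
    ("finance_reports", "governed_by", "dept_only"),
    ("eng_wiki", "owned_by", "engineering"),
    ("eng_wiki", "governed_by", "open"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

GRAPH = build_graph(EDGES)

def reason_path(graph, start, relation, max_hops=4):
    """Breadth-first path reasoning: return the node reached by the first edge
    labelled `relation`, following other edges up to `max_hops` deep."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if rel == relation:
                return nxt
            if nxt not in seen and depth < max_hops:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None  # unresolved; the caller treats this as permission not met

def permission_met(graph, user, target):
    """Claim 3 check: first target department (of the data), second target
    department (of the user) and the data's target access policy."""
    first_dept = reason_path(graph, target, "owned_by")
    policy = reason_path(graph, target, "governed_by")
    second_dept = reason_path(graph, user, "works_in")
    if None in (first_dept, policy, second_dept):
        return False  # anything the graph cannot explain is denied
    if policy == "open":
        return True
    return policy == "dept_only" and first_dept == second_dept  # unknown: deny

def decide(graph, user, target, at_risk):
    """at_risk stands in for the CNN-LSTM detector's verdict on the user's
    network-flow data. Returns the data response strategy of claim 3."""
    if not permission_met(graph, user, target):
        return "request_rejection"
    return "quantum_reinforcement" if at_risk else "quantum_encryption"
```

Note that an unresolvable path (unknown user, unknown data, or an unknown policy name) fails closed to rejection rather than falling through to the plain encryption branch.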
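The claim 10 key-fragment transport, as an added example rather than the patent's own implementation: the secondary key is randomly cut into fragments, one simulated QKD shared key of matching length is obtained per fragment, each fragment is one-time-padded with its own shared key, and the receiver reassembles them. `simulate_qkd` is an assumed stand-in for the QKD module, and applying the shared key as an XOR pad is an assumption about how the one-to-one encryption is done.

```python
import secrets

def simulate_qkd(length):
    """Assumed stand-in for the QKD module: `length` random bytes that both
    endpoints hold. A real link would derive them over the quantum channel."""
    return secrets.token_bytes(length)

def split_key(key, parts):
    """Randomly cut `key` into `parts` non-empty contiguous fragments."""
    if not 1 <= parts <= len(key):
        raise ValueError("parts must be between 1 and len(key)")
    cuts = sorted(secrets.SystemRandom().sample(range(1, len(key)), parts - 1))
    bounds = [0, *cuts, len(key)]
    return [key[a:b] for a, b in zip(bounds, bounds[1:])]

def xor_pad(data, pad):
    """One-time-pad a fragment with a shared key of exactly its own length."""
    if len(data) != len(pad):
        raise ValueError("pad length must match fragment length")
    return bytes(x ^ y for x, y in zip(data, pad))

def sender_package(secondary_key, parts):
    """Sender: cut the key, draw one QKD shared key per fragment and encrypt
    fragments one-to-one. Returns the wire messages (index, ciphertext) and
    the shared keys, which the receiver is assumed to hold via QKD."""
    fragments = split_key(secondary_key, parts)
    shared = [simulate_qkd(len(f)) for f in fragments]
    wire = [(i, xor_pad(f, k)) for i, (f, k) in enumerate(zip(fragments, shared))]
    return wire, shared

def receiver_rebuild(wire, shared):
    """Receiver: decrypt every fragment with its own shared key, then
    reassemble in index order. Length mismatches raise; a wrong key of the
    right length just yields garbage, so verify the recovered key before use."""
    if len(wire) != len(shared):
        raise ValueError("one shared key is required per fragment")
    return b"".join(xor_pad(c, shared[i]) for i, c in sorted(wire))

def round_trip(key_len=32, parts=4):
    """Returns True when the receiver recovers the generated secondary key."""
    key = secrets.token_bytes(key_len)
    wire, shared = sender_package(key, parts)
    return receiver_rebuild(wire, shared) == key
```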

Description

Quantum encryption transmission and knowledge-graph fusion data security system

Technical Field

The application relates to the technical field of data processing, in particular to a data security system integrating quantum encryption transmission and a knowledge graph.

Background

With the spread of digital transformation, data has become a core asset of enterprises. However, during transmission data faces a double threat: external network attacks and internal malicious leakage. Traditional data security schemes, such as firewalls, intrusion detection systems and conventional encryption techniques (e.g. RSA, AES), increasingly show their limitations against ever more complex and covert attack techniques. First, traditional encryption relies on computational complexity and therefore carries the potential risk of being broken. Second, existing encryption strategies are usually static and coarse-grained; for example, an entire database or file is encrypted uniformly, and the encryption cannot be adjusted dynamically and finely according to factors such as data content, visitor identity and access context, so security and efficiency are hard to balance. Furthermore, existing security systems lack awareness of data flows, have difficulty understanding the deep semantic relationships between data entities, users and operations, and lack the ability to detect and respond to internal threats (e.g. advanced persistent threats, APT) and complex data abuse disguised as legitimate user behaviour.

Disclosure of Invention

The application provides a data security system integrating quantum encryption transmission and a knowledge graph, which aims to solve the problem of low data transmission security in the prior art.
The application provides a data security system integrating quantum encryption transmission and a knowledge graph, which comprises: a knowledge graph construction module for collecting enterprise multi-source data and constructing an enterprise data knowledge graph from the enterprise multi-source data; a dynamic encryption engine module for responding to a real-time data access request generated by a user, performing path reasoning and risk assessment in the enterprise data knowledge graph according to the real-time data access request, and generating a data response strategy corresponding to the real-time data access request; a quantum key distribution module for distributing quantum symmetric keys to the data receiving end through a quantum channel; and a quantum encryption transmission module for encrypting and transmitting the target data corresponding to the real-time data access request to the user according to the data response strategy and the quantum symmetric key, so as to complete the secure data interaction.

In one possible implementation, collecting enterprise multi-source data and constructing an enterprise data knowledge graph from the enterprise multi-source data comprises: acquiring the relationships between personnel and departments, between data and departments, and between data and the access strategy corresponding to that data within the enterprise, to obtain the enterprise multi-source data; and constructing the enterprise data knowledge graph from the enterprise multi-source data.

In one possible implementation, responding to a real-time data access request generated by a user, performing path reasoning and risk assessment in the enterprise data knowledge graph according to the real-time data access request, and generating a data response strategy corresponding to the real-time data access request comprises: responding to a real-time data access request generated by a user, wherein the real-time data access request comprises the target data the user needs to access; taking the target data as an entity, performing path reasoning in the enterprise data knowledge graph, and determining a first target department and a target access policy corresponding to the target data; determining a second target department corresponding to the user, and judging whether the user, the first target department and the second target department corresponding to the user satisfy the target access policy; if so, determining that the data permission requirement is met, otherwise determining that the data permission requirement is not met; acquiring network flow data of the user during the data access process, and performing risk assessment on the user with a network security detection model deployed in advance through a neighborhood order response optimization algorithm, to determine a risk assessment result, wherein the risk assessment result is either risk or no risk; when the data permission requirement is met and the risk assessment result is no risk, generating a data response strategy corresponding to the real-time data access req