Search

CN-122027180-A - Data service security control method and system

CN122027180ACN 122027180 ACN122027180 ACN 122027180ACN-122027180-A

Abstract

The invention relates to the technical field of data security, in particular to a data service security management and control method and system. The method comprises the steps of obtaining sensitivity labels, role labels and environment parameter information of data requests, constructing a joint risk modeling data structure, generating a dynamic encryption strategy configuration structure body based on risk scores, constructing a parallel encryption path and a layered key structure according to the dynamic encryption strategy configuration structure body, forming a schedulable key strategy execution structure, further completing data encryption and access session encapsulation, updating the modeling structure based on access behavior information, and constructing a feedback record link. According to the invention, the encryption path scheduling and the key refinement control of sensitivity driving are realized through the dynamic weight encryption model and the attribute base key layering mechanism, so that the encryption adaptability and the security robustness of the system under a dynamic authority scene are improved.

Inventors

  • ZHANG MING
  • ZHAO FANGYU

Assignees

  • 北京新涌激算科技有限公司

Dates

Publication Date
20260512
Application Date
20250519

Claims (10)

  1. 1. A data service security control method, comprising the steps of: acquiring sensitivity labels, role labels and environmental parameter information of data requests, and constructing a joint risk modeling data structure; mapping and analyzing the joint risk modeling data structure to generate a dynamic encryption strategy configuration structure body, wherein the strategy configuration structure body is as follows: Φ={R label ,L alg ,K freq ,γ,τ,Tag attr Wherein phi is a dynamic encryption strategy configuration structure body, R label is an access risk grade label, L alg is an encryption algorithm strategy number, K freq is a key update frequency, gamma is an encryption intensity level which is adapted to a current access request, tau is a key update period, and Tag attr is an attribute label set; constructing a parallel encryption path structure according to the dynamic encryption strategy configuration structure body, and generating an encryption execution control signal; Generating a layered key structure body according to a dynamic encryption strategy configuration structure body, and binding the layered key structure body with a schedulable encryption path control structure to form a key strategy execution structure, wherein the key strategy execution structure body has the expression: Wherein, the A key policy execution structure for representing the j-th path key and path control joint weight of the i-th layer, H i,j represents the i-th element and j-th element in the key structure matrix, pi j represents the j-th element in the path scheduling signal vector, i is the structure dimension index; invoking a key strategy execution structure and an encryption execution control signal to complete data encryption and structured encapsulation of access session information, and generating a recordable encrypted data structure; And updating the path state and the modeling structure by combining the recordable encrypted data structure body and the access behavior information to complete a feedback record link.
  2. 2. The data service security management method of claim 1, wherein constructing a joint risk modeling data structure comprises: Acquiring sensitivity labels of data requests, role labels of visitors and environment parameter information of access equipment, and performing standardized processing to obtain a context information set; Extracting sensitivity factors, role factors and environment factors related to security risks from a context information set, and performing feature screening and dimension unification to obtain a context feature set; and carrying out joint modeling processing on the context feature set to construct a joint risk modeling data structure.
  3. 3. The data service security management method of claim 1, wherein mapping the joint risk modeling data structure comprises: And acquiring a joint risk modeling data structure, and constructing a strategy mapping parameter set containing access risk level, encryption strength requirement and key updating requirement.
  4. 4. The data service security management method of claim 3, wherein generating a dynamic encryption policy configuration construct comprises: Determining an encryption algorithm combination mode, a key updating period and an attribute tag set according to the policy mapping parameter set to generate a dynamic encryption policy configuration structure body; and carrying out structured storage processing on the dynamic encryption strategy configuration structure body, and providing the structured storage processing for the parallel encryption path construction and key structure generation flow.
  5. 5. The data service security management method according to claim 1, wherein constructing a parallel encryption path structure and generating an encryption execution control signal comprises: Obtaining an encryption algorithm combination mode in a dynamic encryption strategy configuration structure body, and constructing a corresponding parallel encryption path structure; scheduling configuration is carried out on the parallel encryption path structure, and encryption execution control signals are constructed; and binding the encryption execution control signal with the dynamic encryption strategy configuration structure body to generate the schedulable encryption path control structure.
  6. 6. The data service security management method of claim 1, wherein generating a hierarchical key structure comprises: and acquiring an attribute tag set in the dynamic encryption strategy configuration structure body, and constructing a key attribute mapping structure.
  7. 7. The data service security management method according to claim 6, wherein forming a key policy enforcement structure comprises: Generating a hierarchical key structure comprising a multi-level key hierarchy based on the key attribute mapping structure; binding the hierarchical key structure body with the schedulable encryption path control structure to form a key strategy execution structure.
  8. 8. The data service security management method of claim 1, wherein completing the structured encapsulation of the data encryption and access session information comprises: acquiring a key policy execution structure, and generating a data encryption token and a key distribution token facing an access session; executing a data encryption flow based on the data encryption token and the encryption execution control signal; and carrying out structured encapsulation on the encrypted data and the access session information to generate a recordable encrypted data structure body.
  9. 9. The data service security management method of claim 1, wherein completing the feedback record link comprises: acquiring a recordable encrypted data structure body, and generating access behavior record information by combining access log information; updating access path state information and a key usage record based on the access behavior record information and the key policy execution structure; and using the access path state information and the key usage record to optimize the joint risk modeling data structure to form a feedback record link.
  10. 10. A data service security management and control system, applied to the data service security management and control method according to any one of claims 1 to 9, comprising: the joint risk modeling module is used for acquiring sensitivity labels, role labels and environmental parameter information and constructing a joint risk modeling data structure; The strategy configuration module is used for generating a dynamic encryption strategy configuration structure body according to the joint risk modeling data structure; The encryption path scheduling module is used for constructing a parallel encryption path structure according to the dynamic encryption strategy configuration structure body and generating an encryption execution control signal; The key structure generation module is used for generating a layered key structure body and binding the layered key structure body with the encryption path control structure; The data encryption module is used for completing data encryption and access session information encapsulation based on the key policy execution structure and the encryption execution control signal; And the audit feedback module is used for combining the encrypted data structure body and the access behavior information, updating the path state and the modeling structure and forming a feedback record link.

Description

Data service security control method and system Technical Field The present invention relates to the field of data security technologies, and in particular, to a data service security management and control method and system. Background With the wide deployment of data services in key fields such as finance, medical treatment, government affairs, industrial internet and the like, the access behavior presents the characteristics of high concurrency, multiple roles and multiple environment dynamic switching. In order to ensure the security of sensitive data in the transmission, calling and storage processes, the conventional system generally adopts static key distribution and fixed encryption strategies to carry out access protection. However, in practical applications, it is difficult for the static encryption mechanism to adapt to the access context with complex and varied changes, and especially in the situations of frequent permission change, dynamic role switching, or network environment deterioration, the following problems are easily caused: Firstly, a fixed key strategy lacks flexibility, encryption strength and a key updating period cannot be dynamically adjusted according to the identity grade, data sensitivity and environmental risk of a visitor, so that encryption resource waste or insufficient security strength is caused, secondly, a traditional access control model generally fails to realize joint evaluation of the data sensitivity grade and a role label, and lacks a system modeling and fusion judging mechanism for an access behavior context, so that strategy allocation granularity is rough, security coverage is insufficient, thirdly, a key management mode is based on a uniform key or global authority, a fine granularity layering mechanism is lacking, accurate matching of the visitor and the key label is difficult to realize, and an attack face after key leakage is improved. In addition, the existing data service encryption system lacks a linkage mechanism between an access path and a key policy, and cannot support the real-time adaptation of encryption channel reconfiguration and key distribution under dynamic conditions such as permission change, session migration and the like, so that the application capability of the system in multi-tenant environment and cross-domain data collaboration is restricted. Disclosure of Invention The invention provides a data service security management and control method and a system, which are used for solving the problems of how to construct a joint risk modeling structure based on sensitivity scores, user role information and access environment parameters in data requests, generate a dynamic encryption strategy and a layered key structure through multidimensional mapping, and realize encryption path scheduling and key fine control under a dynamic authority change scene. In order to solve the technical problems, the present invention provides a data service security management and control method, including: acquiring sensitivity labels, role labels and environmental parameter information of data requests, and constructing a joint risk modeling data structure; mapping and analyzing the joint risk modeling data structure to generate a dynamic encryption strategy configuration structure body, wherein the strategy configuration structure body is as follows: Φ={Rlabel,Lalg,Kfreq,γ,τ,Tagattr} Wherein phi is a dynamic encryption strategy configuration structure body, R label is an access risk grade label, L alg is an encryption algorithm strategy number, K freq is a key update frequency, gamma is an encryption intensity level which is adapted to a current access request, tau is a key update period, and Tag attr is an attribute label set; constructing a parallel encryption path structure according to the dynamic encryption strategy configuration structure body, and generating an encryption execution control signal; Generating a layered key structure body according to a dynamic encryption strategy configuration structure body, and binding the layered key structure body with a schedulable encryption path control structure to form a key strategy execution structure, wherein the key strategy execution structure body has the expression: Wherein, the A key policy execution structure for representing the j-th path key and path control joint weight of the i-th layer, H i,j represents the i-th element and j-th element in the key structure matrix, pi j represents the j-th element in the path scheduling signal vector, i is the structure dimension index; invoking a key strategy execution structure and an encryption execution control signal to complete data encryption and structured encapsulation of access session information, and generating a recordable encrypted data structure; And updating the path state and the modeling structure by combining the recordable encrypted data structure body and the access behavior information to complete a feedback record link. Further, construct