CN117313122A - Data sharing and exchanging management system based on block chain - Google Patents
Data sharing and exchanging management system based on block chain Download PDFInfo
- Publication number
- CN117313122A CN117313122A CN202311224219.5A CN202311224219A CN117313122A CN 117313122 A CN117313122 A CN 117313122A CN 202311224219 A CN202311224219 A CN 202311224219A CN 117313122 A CN117313122 A CN 117313122A
- Authority
- CN
- China
- Prior art keywords
- data
- module
- management
- sharing
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000006399 behavior Effects 0.000 claims abstract description 39
- 238000000586 desensitisation Methods 0.000 claims abstract description 34
- 238000003860 storage Methods 0.000 claims abstract description 32
- 238000013475 authorization Methods 0.000 claims abstract description 19
- 230000006870 function Effects 0.000 claims abstract description 19
- 238000007726 management method Methods 0.000 claims description 100
- 238000012550 audit Methods 0.000 claims description 22
- 230000007246 mechanism Effects 0.000 claims description 21
- 238000004458 analytical method Methods 0.000 claims description 20
- 238000000034 method Methods 0.000 claims description 20
- 238000005516 engineering process Methods 0.000 claims description 14
- 230000005540 biological transmission Effects 0.000 claims description 13
- 230000008569 process Effects 0.000 claims description 13
- 238000012545 processing Methods 0.000 claims description 13
- 238000002955 isolation Methods 0.000 claims description 12
- 238000013499 data model Methods 0.000 claims description 10
- 238000013523 data management Methods 0.000 claims description 9
- 238000007781 pre-processing Methods 0.000 claims description 9
- 238000012544 monitoring process Methods 0.000 claims description 7
- 238000013500 data storage Methods 0.000 claims description 6
- 206010000117 Abnormal behaviour Diseases 0.000 claims description 5
- 238000001514 detection method Methods 0.000 claims description 5
- 230000036541 health Effects 0.000 claims description 4
- 238000011084 recovery Methods 0.000 claims description 4
- 230000006835 compression Effects 0.000 claims description 3
- 238000007906 compression Methods 0.000 claims description 3
- 238000013461 design Methods 0.000 claims description 3
- 230000001066 destructive effect Effects 0.000 claims description 3
- 238000009792 diffusion process Methods 0.000 claims description 3
- 230000002427 irreversible effect Effects 0.000 claims description 3
- 238000012935 Averaging Methods 0.000 claims description 2
- 238000013145 classification model Methods 0.000 claims description 2
- 238000013508 migration Methods 0.000 claims description 2
- 230000005012 migration Effects 0.000 claims description 2
- 238000012558 master data management Methods 0.000 claims 1
- 238000000926 separation method Methods 0.000 abstract description 4
- 230000006872 improvement Effects 0.000 description 6
- 238000004519 manufacturing process Methods 0.000 description 5
- 238000012795 verification Methods 0.000 description 5
- 230000009286 beneficial effect Effects 0.000 description 3
- 238000011161 development Methods 0.000 description 3
- 238000009826 distribution Methods 0.000 description 3
- 238000013474 audit trail Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 230000035945 sensitivity Effects 0.000 description 2
- 238000007619 statistical method Methods 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000003542 behavioural effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000013524 data verification Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000003032 molecular docking Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000001105 regulatory effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of block chains, in particular to a block chain-based data sharing and exchanging management system, which comprises: the data behavior safety module is used for managing user identity, roles and authorities, managing network behaviors and unifying user information; the data security management module is used for providing functions of data encryption, desensitization, asset management, classification marking and hierarchical management and control and preventing data from being tampered or leaked; and the data sharing and exchanging module is used for realizing the safe sharing and exchanging of data between different platforms and different systems. The invention is oriented to the requirements of data behavior safety, data content safety, data sharing and exchange, and the like, and ensures the safe access, safe exchange and network access, safe storage, safe use, safe sharing and exchange of data through the technical means of strict data admission control, data identity and authentication management, data asset identification and classification marking, data domain separation storage, data authorization and domain separation management and control, data safe exchange and the like.
Description
Technical Field
The invention relates to the technical field of blockchains, in particular to a blockchain-based data sharing and exchanging management system.
Background
In modern society, various organizations and individuals produce large amounts of data that contain a lot of valuable information. Through data sharing and exchange, cooperation and collaboration among different organizations can be realized, and innovation and development are promoted.
However, data sharing and exchange also face some challenges and problems. First, data security is an important issue. Data may be subject to risks of tampering, leakage, misuse, etc. during sharing and exchange, and thus a secure and reliable system is needed to manage and protect the data.
Second, data sharing and exchange involves multiple systems and multiple platforms, requiring an efficient mechanism to manage access rights and usage rules for the data. Multiple systems and multiple platforms have different needs and configurations, requiring a flexible system to meet various needs.
Furthermore, data sharing and exchange requires an efficient system for processing and transmitting large amounts of data. The huge amount of data and slow transmission speed may result in inefficient sharing and exchange, and thus an efficient system is needed to manage and optimize the transmission and processing of data.
Disclosure of Invention
The invention aims to establish a safe, transparent and efficient data sharing and exchanging management system through technical means such as decentralization of a block chain, cryptography, a consensus mechanism, intelligent contracts and the like.
In order to achieve the purpose of the invention, the following technical scheme is adopted:
a blockchain-based data sharing and exchange management system, comprising:
the data behavior safety module is used for realizing authentication, preprocessing, authorization and behavior analysis of data through user identity management, role and authority management, network behavior management and unified user information management;
the data security management module is used for providing functions of data encryption, desensitization, asset management, classification marking and hierarchical management and control, ensuring the security of data transmission and storage and preventing data from being tampered or leaked;
and the data sharing and exchanging module is used for realizing the safe sharing and exchanging of the data between different platforms and different systems and protecting the integrity and confidentiality of the data.
A further improvement is that the data behavior security module comprises:
the data authentication management module is used for verifying the real information of the access data equipment through a multi-layer authentication mode and ensuring the source credibility and legality of the data;
the data preprocessing module is used as a data inlet of the whole system, processes and processes mass data by using a distributed computing engine and a message queue technology, and improves the data processing rate and the compression resistance of the system;
the data authorization module is used for realizing small granularity authorization of the data through a unified access control mechanism and ensuring that the access rights of different roles and users to the data accord with the safety specification;
the behavior analysis module is used for carrying out deep analysis on the collected data in a behavior portrait mode and identifying abnormal behaviors of internal threat and external attack;
and the basic platform module is used for providing an operating system, a blockchain network, a consensus mechanism, an intelligent contract, an IPFS file system, a password device and a storage device as basic supports.
A further improvement is that the data security management module comprises:
the data encryption module is used for providing an encryption scheme for the transmitted and stored data and guaranteeing confidentiality and integrity of the data;
the data desensitization module is used for realizing desensitization of sensitive data through various desensitization mechanisms;
the data asset management module is used for realizing management functions, safety guarantee, automatic asset scanning and asset importing functions;
the data classification marking module is used for classifying and marking the data, so that the data can be conveniently inquired, identified, managed and protected;
and the data grading management and control module is used for carrying out grading treatment on the transmitted and stored data, realizing accurate positioning of the data and providing basis for data storage.
The data encryption module provides a data model and a feature library of an encryption object, in the data transmission process, the data conforming to the feature library is signed and encrypted, an asymmetric encryption mode is adopted, an irreversible encryption algorithm is used for signing, the data is landed, a symmetric or asymmetric encryption mode is adopted for protection, and the key file is controlled at the highest level.
A further improvement is that the desensitization of sensitive data by a plurality of desensitization mechanisms comprises:
adopting a shielding desensitization, alternative desensitization, anonymization and difference scheme for the text types;
adopting a face replacement and Gaussian blur scheme for the picture types;
adopting a blank audio replacement scheme for the audio type;
and adopting a shielding replacement, data migration and data rounding and averaging scheme for the storage content of the database.
A further improvement is that the management functions comprise data standard management, data quality detection, data model management, data model design, metadata management, main data management, data statistical analysis, workflow management and unstructured data management; the security assurance comprises user authentication and authorization service and audit monitoring; the automatic asset scanning is based on automatic scanning of a data interface, an IP, a port and a resource model feature library, and the automatic asset scanning is used for automatically inputting and registering assets meeting the features, and the asset importing supports importing of multiple file formats.
The data classification marking module classifies the data with the same attribute or characteristic according to the data service field dimension, the data source dimension, the sharing dimension and the data opening dimension.
The data classification management and control module adopts a partial reading technology, only reads key parts of data, performs comparison processing by using a classification model according to different types of the data and different data identities, restores service definitions by field keywords and remark keywords, restores service by a data dictionary, and classifies according to industry specifications.
A further improvement is that the data sharing and exchanging module comprises:
the data acquisition authentication module is used for performing authority control on data acquisition by the technical means of identity management authentication and data management authentication, and laying a foundation for data security sharing and exchange;
the data domain-division storage module is used for realizing the safe storage and isolation of different types and different security data through a multi-tenant safe isolation technology, ensuring the safety and confidentiality of the data and avoiding the attack of malicious tenants on other tenants;
the data software security module is used for auditing a terminal, a server, a database, an application, network flow and a cloud platform through a comprehensive audit monitoring technology, ensuring the health of an infrastructure, the compliance of personnel operation, providing data security backup and ensuring the normal operation of a service system and the integrity of data;
the data security exchange module is used for encrypting certificates and secret keys of the client, ensuring data security exchange between different networks and different systems, preventing leakage, tampering and security risk diffusion of malicious code propagation, and providing secure data cross-network cross-domain or external network access exchange service.
A further improvement is that the data software security module collects, stores and analyzes through continuous audit and performs audit trail on suspicious nodes or users to provide evidence which is beneficial to determining destructive behaviors; the data software security module can automatically backup and self-define the parameter configuration, the strategy and the data, and supports the rapid recovery of full and incremental backups.
The invention has the beneficial effects that:
the data sharing and exchanging management system based on the blockchain is oriented to the requirements of data behavior safety, data content safety, data sharing and exchanging and the like, and ensures the safety access, safety exchanging and networking, safety storing, safety use and safety sharing and exchanging of data through strict technical means of data admission control, data identity and authentication management, data asset identification and classification marking, data domain separation storage, data authorization and domain separation management and data safety exchanging and the like.
The invention stores the data on a plurality of nodes by the cryptographic techniques such as data encryption, data desensitization and the like and the distributed account book technique based on the blockchain, and each node has complete data copy and no single point of failure, so that even if one node fails or is attacked, other nodes can still keep the integrity and availability of the data.
In addition, the blockchain also adopts a consensus mechanism, and the consistency of data is ensured through negotiation and verification among nodes. When new data needs to be added into the blockchain, nodes need to agree through a consensus algorithm, and the validity and consistency of the data are ensured. Thus, even if a malicious node tries to tamper with the data, it is rejected by other nodes.
Drawings
FIG. 1 is a flow chart of a data behavior security module;
FIG. 2 is a block chain data uplink flow diagram;
FIG. 3 is a flow chart of data security management;
FIG. 4 is a flow chart of a data sharing and exchanging module.
Detailed Description
In order that the manner in which the invention may be better understood, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the invention provides a data sharing and exchanging management system based on a block chain, which comprises a data behavior safety module, a data safety management module and a data sharing and exchanging module, wherein:
the data behavior safety module is used for realizing the authentication, preprocessing, authorization and behavior analysis of data through four elements of user identity management, role and authority management, network behavior management and unified user information management, namely unified user account management, unified authentication management, unified authorization management and unified security audit.
The data security management module is used for providing functions of data encryption, desensitization, asset management, classification marking and hierarchical management and control, ensuring the security of data transmission and storage and preventing data from being tampered or leaked.
And the data sharing and exchanging module is used for realizing the safe sharing and exchanging of the data between different platforms and different systems and protecting the integrity and confidentiality of the data.
Specifically, in this embodiment, the data behavior security module includes a data authentication management module, a data preprocessing module, a data authorization module, a behavior analysis module, and a base platform module, where:
and the data authentication management module is used for verifying the real information of the access data equipment through a multi-layer authentication mode and ensuring the source credibility and the legality of the data. Firstly, the SSL certificate authentication mechanism is used for verification, secondly, in the authentication information input stage, the system records and verifies related information such as IP, and the like, and the step can help the system to confirm the authenticity of a data source and eliminate the risk of counterfeiting identity possibly existing. In addition, different data docking modes adopt different authentication modes, such as SYSLOG sending adopts an authentication IP mode, and a message queue adopts a certificate+secret key+IP mode.
The data preprocessing module is used as a data inlet of the whole system, and processes mass data by using a distributed computing engine and a message queue technology, so that the data processing rate and the compression resistance of the system are improved. The distributed computing engine may employ a flank distributed computing engine and the message queue may employ a Kafka message queue.
And the data authorization module is used for realizing small granularity authorization of the data through a unified access control mechanism and ensuring that the access rights of different roles and users to the data accord with the safety specifications. It should be understood that the small granularity authorization mechanism of the data ensures the isolation security of the data, different roles have corresponding rights to different data types, and support the authorized access control of attributes such as table, field, value and the like.
The behavior analysis module is used for carrying out deep analysis on the collected data in a behavior portrait mode and identifying abnormal behaviors of internal threat and external attack.
It should be appreciated that user identity rights may be stolen, but the behavior pattern is difficult to imitate. Internal threats, external attacks, are therefore difficult to completely hide, bypass or escape in behavior-based analysis, with behavioral anomalies being the primary threat signal. The collected data is deeply analyzed in a behavior representation mode, and a foundation is laid for finding abnormal behaviors such as transverse movement, data transmission, continuous reconnection and the like.
And the basic platform module is used for providing an operating system, a blockchain network, a consensus mechanism, an intelligent contract, an IPFS file system, a password device and a storage device as basic supports.
It can be understood that the blockchain network is one of the cores of the basic platform and is used for realizing distributed data storage and management, ensuring the consistency between network nodes through a consensus mechanism and providing support services such as audit log certification, file transmission and the like; the block chain records file Hash and data Hash values; the intelligent contract is an automatic combination contract code executed on a blockchain network, and can realize automatic execution and verification of logic and business rules; the IPFS file system is a distributed file storage and is used for storing file bodies, and the IPFS locates files by using unique file Hash to realize decentralised file storage and sharing; the password equipment is used for providing encryption support for the system and comprises encryption and decryption, transmission encryption, audit log encryption and decryption and the like; through the combination and cooperative work of the foundation platform modules, the system can provide stable, safe and efficient foundation supporting functions.
Specifically, in this embodiment, the data is stored based on the blockchain distributed ledger without a centralization or data center, and the data is highly transparent, so that the data can be prevented from being tampered or falsified after the authority is verified. The security of the data is protected by adopting a cryptography technology, the data is verified and recorded by using a distributed consensus algorithm, and the complex data synchronization and consistency problems of the traditional centralized database are avoided. The data security management module specifically comprises a data encryption module, a data desensitization module, a data asset management module, a data classification marking module and a data classification management and control module, wherein:
and the data encryption module is used for providing an encryption scheme for the transmitted and stored data and ensuring confidentiality and integrity of the data. Specifically, the data encryption module provides a data model and a feature library of an encryption object, in the data transmission process, the data conforming to the feature library is signed and encrypted, an asymmetric encryption mode is adopted, an irreversible encryption algorithm is used for signing, the data is landed, a symmetric or asymmetric encryption mode is adopted for protection, and the key file is controlled at the highest level.
And the data desensitization module is used for realizing desensitization of sensitive data through various desensitization mechanisms. It should be appreciated that the stored data may be simply classified into normal data and sensitive data according to data confidentiality. For sensitive data, various algorithm techniques are required to realize the desensitization of the data. For confidentiality of sensitive data, desensitization of sensitive data can be achieved by a variety of desensitization mechanisms, including: adopting schemes of shielding desensitization, replacement desensitization, anonymization, difference and the like for the text types; adopting face replacement, gaussian blur and other schemes for the picture types; blank audio replacement and other schemes are adopted for the audio types; and adopting schemes such as shielding replacement, data offset, data rounding, average value and the like for the storage content of the database.
And the data asset management module is used for realizing management functions, safety guarantee, automatic asset scanning and asset importing functions. Specifically, the management functions include data standard management, data quality detection, data model management, data model design, metadata management, main data management, data statistical analysis, workflow management, unstructured data management and the like; the security assurance comprises aspects of user authentication, authorization service, audit monitoring and the like; the automatic asset scanning is based on automatic scanning of a data interface, an IP, a port and a resource model feature library, and the automatic asset scanning is used for automatically recording and registering assets conforming to the features, wherein the asset importing supports various file format importing formats such as txt, excel, csv and the like.
And the data classification marking module is used for classifying and marking the data, so that the data can be conveniently inquired, identified, managed and protected.
It will be appreciated that effective data classification is a primary task whether cataloging, standardizing, or validating, managing data, or providing data asset services. Data with the same attribute or characteristic are collected together to form different categories, so that people can conveniently inquire, identify, manage, protect and use the data through the categories. The data classification marking module classifies the data with the same attribute or characteristic according to a certain principle and method according to the dimension of the data service field, the dimension of the data source, the dimension of sharing and the dimension of data opening. The results of the classification marks may provide a basis for subsequent data asset management and utilization.
And the data grading management and control module is used for carrying out grading treatment on the transmitted and stored data, realizing accurate positioning of the data and providing basis for data storage. The data grading management and control module adopts a partial reading technology, only reads key parts of data, performs comparison processing by using a grading model according to different types and different data identities of the data, restores service definition by field keywords and remark keywords, restores service by a data dictionary, and then grades according to industry specifications.
It should be appreciated that the ranking of data is different from the classification of data, and for most data resources is more from the standpoint of meeting regulatory requirements. And the data classification belongs to the field of data security, or may be called as a sensitivity level. The data security level is high, low, public and unpublishable, the protection strategy received when the data with different sensitivity levels are used in the pair is different, and the degree of external sharing opening is also different.
Specifically, in this embodiment, the data sharing and exchanging module includes a data acquisition authentication module, a data domain storage module, a data software security module, and a data security exchanging module, where:
the data acquisition authentication module is designed for solving the risks of identity spoofing and illegal acquisition in the data acquisition process, and is used for performing authority control on data acquisition through the technical means of identity management authentication and data management authentication, thereby laying a foundation for data security sharing and exchange.
The data domain-division storage module has the characteristics of safe storage and safe isolation of data with different types and different security levels, is in face of the risk of data leakage caused by stronger access and the like in the data, realizes the safe storage and isolation of the data with different types and different security levels through a multi-tenant safe isolation technology, ensures the safety and confidentiality of the data, avoids the attack of malicious tenants on other tenants, and provides safer, more convenient and efficient service for users.
The data software security module integrates functions such as database audit and data security backup. The system is used for auditing a terminal, a server, a database, an application, network traffic and a cloud platform through a comprehensive audit monitoring technology, ensuring the health of an infrastructure, the compliance of personnel operation, providing data security backup and ensuring the normal operation of a service system and the integrity of data.
Specifically, the data software security module collects, stores and analyzes through continuous audit and performs audit trail on suspicious nodes or users to provide evidence which is beneficial to determining destructive behaviors; the data software security module can automatically backup and self-define the parameter configuration, the strategy and the data, and supports the rapid recovery of full and incremental backups.
By applying the data software security module, the infrastructure operation health and personnel operation compliance of the data center can be ensured, and the possible abnormal problems can be timely found and solved. The data software security module provides a comprehensive audit monitoring and backup recovery mechanism and provides powerful guarantee for data security.
The data security exchange module is used for encrypting certificates and keys of the client when facing transmission risks of mutual communication of different networks, different application systems and different regions, ensuring data security exchange between the different networks and the different systems, preventing security risk diffusion of leakage, tampering and malicious code propagation, and providing secure data cross-network cross-domain or external network access exchange service.
The data sharing and exchanging system in the prior art has security risk, and centralized storage can lead to larger and larger data volume and influence query performance. The distributed account book technology based on the blockchain realizes data security sharing and exchanging through a visual security management means on the premise of realizing safe and reliable node and chain access audit management and control, and provides responsibility tracing of abnormal behaviors and illegal behaviors.
Embodiments of the present invention are described in further detail below with reference to fig. 1-4:
FIG. 1 is a flow chart of a data behavior security module. Because of the large number of hardware devices to be docked and the large amount of device data to be judged and processed, extremely high requirements are placed on the acquisition and processing performance and the expandability of the system. Firstly, from the perspective of technicians, due to huge amount of butting equipment, all analysis and processing functions cannot be packaged into a platform during development, so that pluggable analysis and processing modules need to be reserved in the platform to ensure high expandability of the platform, and the difficulty of secondary development can be greatly simplified.
The access device types of the system of the invention are diversified, such as vulnerability scanning, firewall, router, switch, etc. The access equipment is used as a data source supporting layer of the system, the access equipment firstly needs to mutually authenticate identity with the data identity management module, after the data identity management module inputs information, the data authentication management module performs information authentication, and after the information authentication is successful, the data is transmitted to the data preprocessing module to perform data filling, de-duplication and merging. To this end, the data is formatted and device information association is performed.
After the integrated data with uniform format are converged, the basic platform module can carry out classified authorization on different types of data according to users, user groups, roles, departments and the like, so that fine granularity management and control of the data and authority isolation are realized. The behavior analysis module is interdependent with the basic platform module, rules of the behavior analysis module are provided by analysis rules of the basic platform management module, and user portrait data of the basic platform module are provided by the behavior analysis module.
FIG. 2 is a block chain data uplink flow diagram. The data uplink is a process that the data is agreed through a consensus mechanism of a network node through technical means such as encryption, verification, distributed storage and the like, and is recorded on a blockchain. First, the data needs to be encrypted and verified to ensure the security and integrity of the data. The data is then added to a new block of the blockchain by the network node's consensus mechanism. This process typically requires a certain amount of time and computation to pass. Once the data is successfully added to the blockchain, it is permanently stored and non-falsely recorded for subsequent querying and verification. The whole process pays attention to decentralization, security and transparency, so that the blockchain becomes a reliable data storage and transmission mode.
The base platform module provides interfacing services and provides a data interface for interaction with the interface. The data identity management module, the data authentication management module, the data preprocessing module, the data authorization module and the behavior analysis module depend on the basic platform module. The modules perform their own roles, and protect the data behavior.
FIG. 3 is a flow chart of data security management. Starting from the access source, the user or the accessed application system enters the system portal with different parameters. Aiming at different access modes, the access terminal presents different interfaces and different functions, and the efficiency of man-machine interaction is greatly improved.
After a user or an application system is accessed, before data is transmitted to the system, an access terminal firstly acquires a public key from the system, encrypts the data by using the public key, and then sends the encrypted data to the system from the access terminal. The system receives the data sent by the access terminal, and uses the corresponding private key to perform basic processing such as data decryption and data verification on the data. After the operation is finished, the data enters a data classification marking module, a plurality of characteristic values such as content attributes and data sources of the data are read in a partial reading mode, and matching classification is carried out by a data model characteristic library in the data classification marking module. The data flows through the data grading management and control module, the grading characteristics of the data are read in a partial reading mode, and the characteristics are matched and graded by the characteristic library in the data grading management and control module. Before data is put into storage, encryption processing is needed to be carried out on the data, the data flows into a data encryption module, and besides the characteristics of the data, the data can be classified and graded according to the classification of the data to be matched with the characteristic library.
When a user or an application system needs to acquire data, the data is taken out from the data storage module, flows through the data encryption module and is decrypted according to the encryption mode adopted by the data encryption module. After the decrypted data carries the characteristics, the type label and the security information, the data is transmitted into the data desensitization module, and the sensitive data is desensitized by the feature library matched with the data desensitization module, so that the key information is prevented from being revealed, the original data structure is not damaged, and the application system is not in the embarrassment that the data cannot be used.
When the user uses the system, the data resources conforming to the authority can be managed, and the autonomous import of the data resources is supported. The imported data is subjected to feature classification by the data classification marking module, and then is subjected to feature classification by the data classification management and control module. Then the data is encrypted after being passed through the data encryption module to match the feature library, and finally the data is stored in different storage units.
The system supports automatic scanning of data, not only scans, classifies and classifies the data transmitted by the accessed application, but also supports automatic scanning and classifying of newly accessed equipment or resource library. The data classification management and control module not only classifies the data resources, but also provides management and control functions. And the fine granularity management and control of the data resources are supported, and the data resources are effectively supervised in the full life cycle.
The data desensitization module processes the data in different desensitization modes in order to effectively and comprehensively desensitize the sensitive data in the production process or in the actual environment. In the production process, the access frequency of research personnel and testers to the database is higher, the extraction of data is more comprehensive, and aiming at the phenomenon, the system adopts a static desensitization method, and the data required in the production process is extracted in a targeted manner, so that the key data leakage is more comprehensively prevented. In an actual use environment, the application system has more concentrated use time period and single function call, so the access to the data surface is relatively narrow, the dynamic desensitization mode is adopted for the system, the dynamic desensitization can be carried out on the data for multiple times, the system is more applied to the scene of directly connecting production data, when a user accesses the production environment sensitive data, the desensitization conditions such as user IP or MAC address are matched, the desensitized data is acquired from the blockchain node according to the user authority in a mode of rewriting query SQL sentences and the like, the acquisition speed of the data is improved, and the key data is also effectively desensitized.
Fig. 4 is a flow chart of a data sharing and exchanging module, which includes a data acquisition authentication module, a data security exchanging module, a data domain storage module and a data software security module, wherein each module is closely connected and cooperatively processed.
The data acquisition authentication module is one of main sources of data, the types of system acquisition logs are classified into Syslog, webService, http/https, ODBC and other protocols for acquisition, and the acquired logs are subjected to formatting, classification, filtering and merging and other processes and original logs are recorded for investigation and evidence collection.
After the data acquisition authentication module acquires the data, data audit is carried out, the acquired operation and the acquired type are recorded, and then the data are stored into the corresponding blockchain account book according to the security class, the type and the like divided by an administrator. When a user wants to request data or request other systems in a cross-domain manner, the data security exchange module is required to request the data domain storage module to acquire corresponding security and type data from the blockchain to respond after successful authentication and authority detection according to the request, and operation log data audit is carried out according to the operation flow before the response.
When the data required by the user is too large or too many in types, the data security exchange module responds successfully after detecting identity and authority, the data security exchange module accesses the data isolation distribution module, the data isolation distribution module accesses the data domain storage module after receiving the data isolation distribution module, the data domain storage module acquires data from the chain nodes according to different security classes and different types, and after data is summarized, the data security exchange module responds to the user information, and operation audit can be carried out in the operation flow. When the user accesses other systems, the user can transfer the data through the data security exchange module, and after the detection of identity authentication, authority and the like is successful, the user request is forwarded to the appointed system, the system response is waited, and the audit log is recorded.
The data software security module (data software platform) can count according to the audit log of the modules, then summarize and display, and conduct database audit through the operation behavior of the data domain storage module.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.
Claims (10)
1. A blockchain-based data sharing and exchange management system, comprising:
the data behavior safety module is used for realizing authentication, preprocessing, authorization and behavior analysis of data through user identity management, role and authority management, network behavior management and unified user information management;
the data security management module is used for providing functions of data encryption, desensitization, asset management, classification marking and hierarchical management and control, ensuring the security of data transmission and storage and preventing data from being tampered or leaked;
and the data sharing and exchanging module is used for realizing the safe sharing and exchanging of the data between different platforms and different systems and protecting the integrity and confidentiality of the data.
2. The blockchain-based data sharing and exchange management system of claim 1, wherein the data behavior security module includes:
the data authentication management module is used for verifying the real information of the access data equipment through a multi-layer authentication mode and ensuring the source credibility and legality of the data;
the data preprocessing module is used as a data inlet of the whole system, processes and processes mass data by using a distributed computing engine and a message queue technology, and improves the data processing rate and the compression resistance of the system;
the data authorization module is used for realizing small granularity authorization of the data through a unified access control mechanism and ensuring that the access rights of different roles and users to the data accord with the safety specification;
the behavior analysis module is used for carrying out deep analysis on the collected data in a behavior portrait mode and identifying abnormal behaviors of internal threat and external attack;
and the basic platform module is used for providing an operating system, a blockchain network, a consensus mechanism, an intelligent contract, an IPFS file system, a password device and a storage device as basic supports.
3. The blockchain-based data sharing and exchange management system of claim 1, wherein the data security management module includes:
the data encryption module is used for providing an encryption scheme for the transmitted and stored data and guaranteeing confidentiality and integrity of the data;
the data desensitization module is used for realizing desensitization of sensitive data through various desensitization mechanisms;
the data asset management module is used for realizing management functions, safety guarantee, automatic asset scanning and asset importing functions;
the data classification marking module is used for classifying and marking the data, so that the data can be conveniently inquired, identified, managed and protected;
and the data grading management and control module is used for carrying out grading treatment on the transmitted and stored data, realizing accurate positioning of the data and providing basis for data storage.
4. A blockchain-based data sharing and exchange management system according to claim 3, wherein the data encryption module provides a data model and a feature library of an encrypted object, and in the data transmission process, signs and encrypts data conforming to the feature library, signs by adopting an asymmetric encryption mode and an irreversible encryption algorithm, protects data by adopting a symmetric or asymmetric encryption mode, and manages and controls a key file at the highest level.
5. A blockchain-based data sharing and exchange management system as in claim 3, wherein said desensitizing sensitive data by a plurality of desensitizing mechanisms comprises:
adopting a shielding desensitization, alternative desensitization, anonymization and difference scheme for the text types;
adopting a face replacement and Gaussian blur scheme for the picture types;
adopting a blank audio replacement scheme for the audio type;
and adopting a shielding replacement, data migration and data rounding and averaging scheme for the storage content of the database.
6. A blockchain-based data sharing and exchange management system as in claim 3 wherein the management functions include data standard management, data quality detection, data model management, data model design, metadata management, master data management, data statistics analysis, workflow management, unstructured data management; the security assurance comprises user authentication and authorization service and audit monitoring; the automatic asset scanning is based on automatic scanning of a data interface, an IP, a port and a resource model feature library, and the automatic asset scanning is used for automatically inputting and registering assets meeting the features, and the asset importing supports importing of multiple file formats.
7. The blockchain-based data sharing and exchange management system of claim 3, wherein the data classification tagging module classifies data having the same attributes or characteristics according to a data traffic domain dimension, a data source dimension, a sharing dimension, and a data open dimension.
8. The blockchain-based data sharing and exchanging management system according to claim 3, wherein the data classification management module uses a partial reading technology to read only a key part of data, performs comparison processing by using a classification model according to different types of data and different data identities, restores service definitions by field keywords and remark keywords, restores service by a data dictionary, and classifies according to industry specifications.
9. The blockchain-based data sharing and exchange management system of any of claims 1-8, wherein the data sharing and exchange module includes:
the data acquisition authentication module is used for performing authority control on data acquisition by the technical means of identity management authentication and data management authentication, and laying a foundation for data security sharing and exchange;
the data domain-division storage module is used for realizing the safe storage and isolation of different types and different security data through a multi-tenant safe isolation technology, ensuring the safety and confidentiality of the data and avoiding the attack of malicious tenants on other tenants;
the data software security module is used for auditing a terminal, a server, a database, an application, network flow and a cloud platform through a comprehensive audit monitoring technology, ensuring the health of an infrastructure, the compliance of personnel operation, providing data security backup and ensuring the normal operation of a service system and the integrity of data;
the data security exchange module is used for encrypting certificates and secret keys of the client, ensuring data security exchange between different networks and different systems, preventing leakage, tampering and security risk diffusion of malicious code propagation, and providing secure data cross-network cross-domain or external network access exchange service.
10. The blockchain-based data sharing and exchange management system of claim 9, wherein the data software security module provides evidence to facilitate determining destructive behavior by continuous audit acquisition, storage and analysis, and audit tracking of suspicious nodes or users; the data software security module can automatically backup and self-define the parameter configuration, the strategy and the data, and supports the rapid recovery of full and incremental backups.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311224219.5A CN117313122A (en) | 2023-09-21 | 2023-09-21 | Data sharing and exchanging management system based on block chain |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311224219.5A CN117313122A (en) | 2023-09-21 | 2023-09-21 | Data sharing and exchanging management system based on block chain |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117313122A true CN117313122A (en) | 2023-12-29 |
Family
ID=89259559
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311224219.5A Pending CN117313122A (en) | 2023-09-21 | 2023-09-21 | Data sharing and exchanging management system based on block chain |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117313122A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117910012A (en) * | 2024-01-24 | 2024-04-19 | 中智薪税技术服务有限公司 | Block chain-based salary confidentiality method and system |
| CN117951724A (en) * | 2024-03-26 | 2024-04-30 | 济南云小兵信息技术有限公司 | Cloud data secure storage management system based on artificial intelligence |
| CN118018326A (en) * | 2024-04-08 | 2024-05-10 | 深圳众投互联信息技术有限公司 | Data security encryption method and system based on distributed storage |
| CN118133356A (en) * | 2024-05-10 | 2024-06-04 | 山东省计算中心(国家超级计算济南中心) | Evidence obtaining method and system for network transaction behavior data |
-
2023
- 2023-09-21 CN CN202311224219.5A patent/CN117313122A/en active Pending
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117910012A (en) * | 2024-01-24 | 2024-04-19 | 中智薪税技术服务有限公司 | Block chain-based salary confidentiality method and system |
| CN117951724A (en) * | 2024-03-26 | 2024-04-30 | 济南云小兵信息技术有限公司 | Cloud data secure storage management system based on artificial intelligence |
| CN118018326A (en) * | 2024-04-08 | 2024-05-10 | 深圳众投互联信息技术有限公司 | Data security encryption method and system based on distributed storage |
| CN118018326B (en) * | 2024-04-08 | 2024-06-07 | 深圳众投互联信息技术有限公司 | Data security encryption method and system based on distributed storage |
| CN118133356A (en) * | 2024-05-10 | 2024-06-04 | 山东省计算中心(国家超级计算济南中心) | Evidence obtaining method and system for network transaction behavior data |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Ryu et al. | A blockchain-based decentralized efficient investigation framework for IoT digital forensics | |
| JP6736657B2 (en) | A computerized system that securely delivers and exchanges cyber threat information in a standardized format | |
| CN112507391B (en) | Block chain-based electronic signature method, system, device and readable storage medium | |
| US20170149819A1 (en) | Resisting replay attacks efficiently in a permissioned and privacy- preserving blockchain network | |
| CN117313122A (en) | Data sharing and exchanging management system based on block chain | |
| CN113495920B (en) | Content auditing system, method and device based on blockchain and storage medium | |
| CN111934879A (en) | Data transmission encryption method, device, equipment and medium for internal and external network system | |
| CN109104284A (en) | A kind of block chain anonymity transport protocol based on ring signatures | |
| CN117040896A (en) | Internet of things management method and Internet of things management platform | |
| CN114254269B (en) | System and method for determining rights of biological digital assets based on block chain technology | |
| Tyagi | Blockchain and Artificial Intelligence for Cyber Security in the Era of Internet of Things and Industrial Internet of Things Applications | |
| CN116170143A (en) | Intelligent community data safe transmission, storage and fusion use system based on national encryption algorithm | |
| CN102509057B (en) | Mark-based method for safely filtering unstructured data | |
| Feng et al. | Autonomous vehicles' forensics in smart cities | |
| CN113849797A (en) | Method, device, equipment and storage medium for repairing data security vulnerability | |
| CN113872751A (en) | Service data monitoring method, device, equipment and storage medium | |
| CN106529216B (en) | Software authorization system and software authorization method based on public storage platform | |
| CN112417473A (en) | Big data security management system | |
| CN116980175A (en) | Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium | |
| Shahin et al. | Big data platform privacy and security, a review | |
| CN115022044A (en) | Storage method and system based on multi-cloud architecture | |
| CN114861144A (en) | Data authority processing method based on block chain | |
| CN114429279A (en) | Method and system for tracing vaccine based on encryption technology | |
| CN113935874A (en) | District chain-based book management system for studying income | |
| Karlzén | An Analysis of Security Information and Event Management Systems-The Use or SIEMs for Log Collection, Management and Analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |