CN117454408A - Data sharing security verification method and system based on differential privacy - Google Patents

Info

Publication number
CN117454408A
Authority
CN
China
Prior art keywords
data
differential
sharing
target
determining
Prior art date
Legal status
Pending
Application number
CN202311640367.5A
Other languages
Chinese (zh)
Inventor
马平
徐兵
王磊
兰春嘉
Current Assignee
Shanghai Lingshuzhonghe Information Technology Co ltd
Original Assignee
Shanghai Lingshuzhonghe Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Lingshuzhonghe Information Technology Co ltd
Priority to CN202311640367.5A
Publication of CN117454408A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data sharing security verification method and system based on differential privacy, in the technical field of data processing. The method comprises the following steps: identifying sensitive information, extracting data reference features, and outputting differential conversion data through a target differential algorithm; performing operational encryption of the differential conversion data on the basis of a trusted data center, determining conversion encryption data and storing it in an edge server; reading a data sharing task, matching a target server, and determining target sharing data; and recording the data sharing live condition and performing transmission loss evaluation with a target loss function to evaluate a sharing risk coefficient. The invention addresses the technical problems of the prior art, in which traditional data sharing security verification relies on a single measure and protects data poorly, and achieves the technical effects of encrypted data storage and data sharing security assessment based on differential privacy, raising the level of data sharing security verification.

Description

Data sharing security verification method and system based on differential privacy
Technical Field
The invention relates to the technical field of data processing, and in particular to a data sharing security verification method and system based on differential privacy.
Background
Data sharing technology creates great value in data mining, cognitive computing, artificial intelligence and similar fields and, combined with cloud storage technology, offers users convenient and efficient data storage and sharing services. As data sharing has spread, however, network security problems have become increasingly prominent. The prior art generally provides a certain degree of security assurance through measures such as data encryption and system auditing, but these measures are single-layered and their protective effect is poor.
Disclosure of Invention
The application provides a data sharing security verification method and system based on differential privacy, intended to solve the technical problems of the prior art, in which traditional data sharing security verification relies on a single measure and protects data poorly.
In a first aspect of the present application, a differential privacy-based data sharing security verification method is provided, the method comprising: identifying sensitive information in source data and extracting data reference features, including type features and quantity features; configuring a target differential algorithm based on the data reference features, preprocessing the sensitive information with a differential conversion module, and outputting differential conversion data; on the basis of a trusted data center and in combination with a homomorphic encryption algorithm, performing operational encryption of the differential conversion data, determining conversion encryption data and storing it in an edge server; reading a data sharing task, matching and locking a target server through the edge server, and determining the target sharing data to be shared from the conversion encryption data; orchestrating the target servers and establishing a bidirectional check channel between each target server and each data sharing end; using the bidirectional check channel as a data sharing limit checkpoint, performing a data fidelity check and a risk countermeasure check, and determining a data check result; performing stream transmission and dynamic monitoring of the target sharing data and recording the data sharing live condition; performing transmission loss evaluation of the data sharing live condition in combination with a target loss function and evaluating a sharing risk coefficient; and determining data sharing security from the data check result and the sharing risk coefficient.
In a second aspect of the present application, a differential privacy-based data sharing security verification system is provided, the system comprising: a conversion encryption data determining module, configured to perform operational encryption of the differential conversion data on the basis of a trusted data center and in combination with a homomorphic encryption algorithm, to determine conversion encryption data and store it in an edge server; a target sharing data determining module, configured to read a data sharing task, match and lock a target server through the edge server, and determine the target sharing data to be shared from the conversion encryption data; a bidirectional check channel establishing module, configured to orchestrate the target servers and establish a bidirectional check channel between each target server end and each data sharing end; a data check result determining module, configured to use the bidirectional check channel as a data sharing limit checkpoint, perform a data fidelity check and a risk countermeasure check, and determine a data check result; a data sharing live recording module, configured to orchestrate the target server, perform stream transmission and dynamic monitoring of the target sharing data, and record the data sharing live condition; a sharing risk coefficient evaluation module, configured to perform transmission loss evaluation of the data sharing live condition in combination with a target loss function and evaluate a sharing risk coefficient; and a data sharing security determining module, configured to determine data sharing security from the data check result and the sharing risk coefficient.
In a third aspect of the present application, an electronic device is provided, comprising a processor coupled to a memory, the memory storing a program that, when executed by the processor, causes the device to perform the method of any of the first aspects.
One or more technical solutions provided in the present application have at least the following technical effects or advantages:
The data sharing security verification method based on differential privacy provided by the application, in the technical field of data processing, outputs differential conversion data by extracting the data reference features of the sensitive information and applying a target differential algorithm; on the basis of a trusted data center, the differential conversion data is operationally encrypted, the conversion encryption data is determined and stored in an edge server, a data sharing task is read, a target server and the target sharing data are matched, the data sharing live condition is recorded, and transmission loss evaluation is performed with a target loss function to obtain a sharing risk coefficient. This solves the technical problems of the prior art, in which traditional data sharing security verification relies on a single measure and protects data poorly, achieves encrypted data storage and data sharing security evaluation based on differential privacy, and raises the level of data sharing security verification.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a data sharing security verification method based on differential privacy according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of extracting data reference features in the data sharing security verification method based on differential privacy according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of recording the data sharing live condition in the data sharing security verification method based on differential privacy according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a data sharing security verification system based on differential privacy according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device provided in the present application.
Reference numerals: data reference feature extraction module 11, differential conversion data output module 12, conversion encryption data determining module 13, target sharing data determining module 14, bidirectional check channel establishing module 15, data check result determining module 16, data sharing live recording module 17, sharing risk coefficient evaluation module 18, data sharing security determining module 19, electronic device 300, memory 301, processor 302, communication interface 303 and bus architecture 304.
Detailed Description
The application provides a data sharing security verification method based on differential privacy, intended to solve the technical problems of the prior art, in which traditional data sharing security verification relies on a single measure and protects data poorly.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and in the above figures are used to distinguish between similar objects and not necessarily to describe a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate, so that the embodiments of the present application described herein may be implemented in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
As shown in Fig. 1, the present application provides a data sharing security verification method based on differential privacy, the method comprising:
P10: identifying sensitive information in source data and extracting data reference features, including type features and quantity features;
Further, as shown in Fig. 2, step P10 in the embodiment of the present application specifically includes:
P11: setting multi-level differential conversion intervals;
P12: determining the sharing wind control level of the sensitive information, attributing it to the multi-level differential conversion intervals, and determining a plurality of differential attribution classes;
P13: identifying the data reference features based on the differential attribution classes.
It should be appreciated that the source data to be stored is received, sensitive information such as personal information, enterprise reports and confidential data is extracted from it, and data reference features, including the type features and quantity features of the extracted data, are extracted from the sensitive information. The sensitive information is then processed by a differential privacy method. Differential privacy guarantees individual-level privacy by adding random noise to the data, so that two determinate query results become two random variables that follow similar probability distributions; that is, the data undergo differential conversion to improve their concealment. First, multi-level differential conversion intervals are set: a set of different differential algorithms, that is, different noise-adding schemes, defined for data of different sensitivity levels.
Further, the sharing wind control level of the sensitive information, that is, its risk control level during sharing, is determined from the user requirements and the security properties of the sensitive information; the multi-level differential conversion intervals are then matched according to the sharing wind control level, which determines the differential attribution class, that is, the differential conversion interval, of each item of sensitive information; finally, the data reference features are identified using the differential attribution class, which facilitates the subsequent configuration of the differential algorithm.
P20: configuring a target differential algorithm based on the data reference features, preprocessing the sensitive information with a differential conversion module, and outputting differential conversion data;
Further, step P20 in the embodiment of the present application specifically includes:
P21: setting a data confidentiality level and a data availability level in a multi-element data sharing scenario;
P22: mapping and associating the data confidentiality level and the data availability level, and determining multi-level differential degrees, which correspond one to one with the multi-level differential conversion intervals;
P23: configuring a differential relaxation mechanism based on the multi-level differential degrees to construct the differential conversion module.
Specifically, a multi-element data sharing scenario is obtained from big data, such as viewing personal homepage information on social software or transmitting enterprise operating data, and a data confidentiality level and a data availability level are set for the scenario according to the type, quantity and degree of confidentiality of the data. The data confidentiality level is the encryption level of the private data: the higher the level, the larger the noise added to the data, the lower its availability and the better the privacy protection. The data availability level is the level at which the data can be viewed and used: the higher the level, the smaller the noise, the greater the availability and the weaker the privacy protection. The data confidentiality level is inversely proportional to the data availability level.
Further, under the different data sharing scenarios, the data confidentiality level and the data availability level are mapped and associated to determine multi-level differential degrees, that is, levels of data differential conversion, and a differential relaxation mechanism is configured for each differential degree, one to one. The differential relaxation mechanism is an adaptive mechanism for balancing data confidentiality against availability; taking noise addition as the example, the random noise standard differs between data sharing scenarios, as do the noise-adding method and the degree of noise added. A number of sample differential degrees and differential relaxation mechanisms are obtained from big data as training data, the differential conversion module is constructed with a neural network algorithm and trained under supervision on this data until its output converges and meets the preset accuracy requirement. The resulting differential conversion module can then perform differential conversion on the sensitive information, improving the privacy of the data.
Further, step P20 in the embodiment of the present application further includes:
P24: identifying the type features from the data reference features, traversing a differential factor algorithm library, and matching to obtain the target differential algorithm;
P25: identifying the differential attribution class, and determining the target differential degree by matching;
P26: using the differential conversion module, performing differential conversion of the sensitive information based on the target differential algorithm and the target differential degree, and outputting the differential conversion data.
Optionally, the type features of the sensitive information are identified and matched by traversing a differential factor algorithm library to obtain the target differential algorithm suited to the sensitive information. The differential factor algorithm library contains a number of differential algorithms for data with different type features; the algorithms can be searched for and constructed through big data. Further, the differential attribution class of the sensitive information is identified and the target differential degree, that is, the degree of data encryption, is determined by matching against that class. The differential conversion module then matches a target differential relaxation mechanism from the target differential algorithm and the target differential degree, performs differential conversion of the sensitive information with that mechanism, and outputs the differential conversion data.
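As an added worked example (not code from the patent or its assignee), the following Python sketch shows the multi-level noise-adding scheme of steps P11 to P26 with the Laplace mechanism: the confidentiality level selects a privacy budget epsilon (the level-to-epsilon table and the sample records are assumptions constructed here), a higher level gives a smaller epsilon and hence more noise, and the density ratio check verifies that two neighbouring true values produce output distributions whose densities differ by at most e^epsilon, the "similar probability distribution" property described above.

```python
import math
import random

# Assumed mapping (constructed for this example, not taken from the patent):
# a higher data confidentiality level gets a smaller privacy budget epsilon,
# hence a larger Laplace noise scale and lower data availability.
LEVEL_EPSILON = {1: 2.0, 2: 1.0, 3: 0.25}

# Constructed sample records: (record id, confidentiality level, true count).
SAMPLE_RECORDS = [("u1", 1, 120.0), ("u2", 2, 37.0), ("u3", 3, 4.0)]


def epsilon_for_level(confidentiality_level):
    """Map a confidentiality level (1 = low, 3 = high) to a privacy budget."""
    return LEVEL_EPSILON[confidentiality_level]


def laplace_scale(sensitivity, epsilon):
    """Noise scale b of the Laplace mechanism: b = sensitivity / epsilon."""
    if epsilon <= 0 or sensitivity < 0:
        raise ValueError("epsilon must be > 0 and sensitivity >= 0")
    return sensitivity / epsilon


def laplace_pdf(x, mu, b):
    """Density of Laplace(mu, b) at x."""
    return math.exp(-abs(x - mu) / b) / (2.0 * b)


def sample_laplace(b, rng):
    """Draw Laplace(0, b) noise by inverse-CDF sampling from a seeded rng."""
    u = rng.random() - 0.5
    return -b * math.copysign(1.0, u) * math.log(max(1e-300, 1.0 - 2.0 * abs(u)))


def max_density_ratio(mu, sensitivity, b):
    """Largest ratio between the output densities for two neighbouring true
    values mu and mu + sensitivity, scanned over a grid of output points.
    For the Laplace mechanism this is exp(sensitivity / b) = exp(epsilon)."""
    ratio = 0.0
    step = 0.01 * max(b, 1.0)
    for k in range(-2000, 2001):
        x = mu + k * step
        p0 = laplace_pdf(x, mu, b)
        p1 = laplace_pdf(x, mu + sensitivity, b)
        ratio = max(ratio, p0 / p1, p1 / p0)
    return ratio


def privacy_loss_within_bound(sensitivity, epsilon):
    """True if the measured density ratio never exceeds e^epsilon."""
    b = laplace_scale(sensitivity, epsilon)
    return max_density_ratio(0.0, sensitivity, b) <= math.exp(epsilon) * (1 + 1e-9)


def differential_convert(records, rng, sensitivity=1.0):
    """Differential conversion: add per-level Laplace noise to each record's
    sensitive count. Returns (record id, level, noised value) tuples."""
    out = []
    for rec_id, level, value in records:
        b = laplace_scale(sensitivity, epsilon_for_level(level))
        out.append((rec_id, level, value + sample_laplace(b, rng)))
    return out


def convert_sample(seed=1):
    """Run the conversion over the constructed sample with a fixed seed."""
    return differential_convert(SAMPLE_RECORDS, random.Random(seed))


def mean_noisy_value(true_value, level, n_draws, seed=7, sensitivity=1.0):
    """Average of n_draws independent noised releases. The noise has mean zero,
    so the aggregate stays usable while any single release hides the exact value."""
    rng = random.Random(seed)
    b = laplace_scale(sensitivity, epsilon_for_level(level))
    total = sum(true_value + sample_laplace(b, rng) for _ in range(n_draws))
    return total / n_draws


if __name__ == "__main__":
    for rec_id, level, noised in convert_sample():
        print(rec_id, level, round(noised, 2))
    for level in sorted(LEVEL_EPSILON):
        eps = epsilon_for_level(level)
        print(f"level {level}: epsilon={eps} scale b={laplace_scale(1.0, eps)} "
              f"density ratio bound e^eps={math.exp(eps):.3f}")
```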
P30: on the basis of a trusted data center and in combination with a homomorphic encryption algorithm, performing operational encryption of the differential conversion data, determining conversion encryption data and storing it in an edge server;
Specifically, the differential conversion data is operationally encrypted with a homomorphic encryption algorithm on the basis of a trusted data center, that is, a trusted third-party platform. With homomorphic encryption, a specified computation is performed on the ciphertext after the data has been encrypted, and the plaintext obtained by the corresponding homomorphic decryption of the ciphertext result equals the result of performing the same computation directly on the plaintext data. This provides "computable invisibility": the ciphertext can be processed further on the third-party platform without any additional data being disclosed.
After homomorphic encryption, deep and unrestricted analysis of the data is possible without affecting its confidentiality, and no special-purpose database is needed. The data is stored in an edge server at the data-exporting end, and when data sharing or similar operations are executed, overall scheduling is performed directly on the edge server(s), which improves the data sharing rate and saves storage space.
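The "computable invisibility" of step P30, as an added example that is not the patent's own code: a minimal Paillier cryptosystem in Python whose additive homomorphism lets a party holding only the public key sum encrypted noised counts, with the data holder decrypting the aggregate. The primes and the sample counts are constructed for illustration; a real deployment uses randomly generated primes of 1024 bits or more.

```python
import math
import random

# Toy key material constructed for this example only: two small fixed primes.
# A real deployment generates random primes of 1024 bits or more.
P_TOY, Q_TOY = 10007, 10009

# Constructed sample: differential conversion data (already noised counts) that
# the data holder wants a third-party platform to aggregate without reading.
SAMPLE_NOISED_COUNTS = [118, 39, 6, 52]


def paillier_keygen(p=P_TOY, q=Q_TOY):
    """Paillier keys with generator g = n + 1.
    public key: (n, g); private key: (lambda, mu, n)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # lambda^-1 mod n
    return (n, n + 1), (lam, mu, n)


def paillier_encrypt(pub, m, rng):
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts give
    different ciphertexts."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu, n = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def ciphertext_add(pub, c1, c2):
    """Homomorphic addition: Dec(c1 * c2) = m1 + m2 (mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def ciphertext_scale(pub, c, k):
    """Homomorphic scalar multiplication: Dec(c^k) = k * m (mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_sum_matches(values, seed=3):
    """Encrypt each value at the data holder, let the edge/third-party side add
    the ciphertexts using only the public key, decrypt the result, and return
    (decrypted_total, plaintext_total) for comparison."""
    if not values:
        raise ValueError("need at least one value")
    pub, priv = paillier_keygen()
    rng = random.Random(seed)
    ciphertexts = [paillier_encrypt(pub, v, rng) for v in values]
    acc = ciphertexts[0]
    for c in ciphertexts[1:]:
        acc = ciphertext_add(pub, acc, c)   # only the public n is needed here
    return paillier_decrypt(priv, acc), sum(values) % pub[0]


def encrypted_scaled_value(m, k, seed=5):
    """Return Dec(Enc(m)^k), which equals k * m while k * m < n."""
    pub, priv = paillier_keygen()
    c = paillier_encrypt(pub, m, random.Random(seed))
    return paillier_decrypt(priv, ciphertext_scale(pub, c, k))


def same_plaintext_distinct_ciphertexts(m, seed=1):
    """Randomised encryption: two encryptions of m differ but decrypt alike."""
    pub, priv = paillier_keygen()
    rng = random.Random(seed)
    c1, c2 = paillier_encrypt(pub, m, rng), paillier_encrypt(pub, m, rng)
    return c1 != c2 and paillier_decrypt(priv, c1) == paillier_decrypt(priv, c2) == m


if __name__ == "__main__":
    total, plain = encrypted_sum_matches(SAMPLE_NOISED_COUNTS)
    print("sum over ciphertexts:", total, "plaintext sum:", plain)
    print("3 * 14 via ciphertext:", encrypted_scaled_value(14, 3))
```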
Further, the embodiment of the present application further includes a step P30a, where step P30a further includes:
P31a: acquiring newly added sensitive information, performing homology analysis of the newly added sensitive information against the conversion encryption data, and determining a mapped newly added sequence;
P32a: traversing the mapped newly added sequence, evaluating the degree of influence of the addition, and determining a newly added influence coefficient;
P33a: performing adaptive conversion output and encrypted storage of the mapped newly added sequence based on the newly added influence coefficient.
Newly added sensitive information is received and homology analysis against the conversion encryption data is performed, that is, the similarity between the newly added sensitive information and the conversion encryption data is compared, and the type features of the new information are used to judge whether the two can be stored together. If so, a mapped newly added sequence is generated for the new information, whose data have a mapping relation with the data in the conversion encryption data.
Further, the mapped newly added sequence is traversed to evaluate the degree of influence of the addition, that is, the influence of the newly added sensitive information on the existing privacy of the conversion encryption data, and a newly added influence coefficient is generated from it. For example, if the conversion encryption data holds 10 items of user information of which 2 are unmarked, and the new information concerns 1 person who is also unmarked, the unmarked count becomes 3 and the privacy state of the new information can be guessed intuitively to be unmarked; the influence of the addition is then too high, and the differential conversion can output the data under a different distribution, that is, a new differential relaxation mechanism is selected for the differential conversion, improving the privacy of the data.
P40: reading a data sharing task, matching a target server through the edge server, and determining the target sharing data to be shared from the conversion encryption data;
In one possible embodiment of the application, a data sharing task is read and the server code in it is obtained; the edge server is matched against the server code, the target server is locked, and the target sharing data to be shared is determined from the conversion encryption data corresponding to the target server, so that target data sharing is realized.
P50: orchestrating the target servers and establishing a bidirectional check channel between each target server and each data sharing end;
P60: using the bidirectional check channel as a data sharing limit checkpoint, performing a data fidelity check and a risk countermeasure check, and determining a data check result;
Further, step P60 in the embodiment of the present application specifically includes:
P61: setting up a bidirectional check channel configured on a data communication interface, the bidirectional check channel being used to perform a data fidelity check and a risk countermeasure check;
P62: activating the bidirectional check channel synchronously with data sharing;
P63: performing fidelity checking and transmission of the shared data through the bidirectional check channel on the basis of the delivery end interface;
P64: performing information intrusion identification of the shared data in the channel through the bidirectional check channel on the basis of the receiving end interface, performing the data fidelity check and the risk countermeasure check, and admitting the data at the interface if both checks meet the wind control standard.
Optionally, a bidirectional check channel is set up and configured on a data communication interface, which comprises a data delivery end interface and a data receiving end interface. The bidirectional check channel performs the data fidelity check and the risk countermeasure check on the shared data in the data transmission link: the data fidelity check verifies the authenticity of the shared data and determines its availability, and the risk countermeasure check verifies the results of countering risks such as loss and leakage during data transmission.
Specifically, as the data sharing process runs, the bidirectional check channel is activated synchronously to perform data security checks. First, on the basis of the delivery end interface, the bidirectional check channel performs the fidelity check of the shared data, for example by integrity verification, to judge whether the data to be transmitted is valid; if so, the data is transmitted, and if not, transmission is withheld. Then, on the basis of the receiving end interface, the bidirectional check channel performs information intrusion identification of the shared data: a secondary fidelity check of the transmitted data is performed through the data fidelity check, the transmission process is tracked dynamically through the risk countermeasure check, and data security is evaluated further on the basis of channel network countermeasures. That is, the risk countermeasure records of the data transmission process are examined and divided, and among them the network attacks that could not be handled by active protection are screened out on the basis of the protection system's functions, that is, the attacks that create a risk of data tampering or leakage; from this it is judged whether the shared data is abnormal, and if not, the shared data is shown to meet the sharing standard. This further improves risk prevention capability and data sharing security.
P70: performing stream transmission and dynamic monitoring of the target sharing data, and recording the data sharing live condition;
Further, as shown in Fig. 3, step P70 in the embodiment of the present application specifically includes:
P71: determining the target sharing path from the data sharing task and identifying the monitoring path nodes, which are determined from the wind control record of the target sharing path;
P72: performing state monitoring and synchronous feedback of the node data flow at the monitoring path nodes, and determining shared monitoring information;
P73: performing key feature extraction and normalization of the shared monitoring information, and mapping and associating it with the monitoring path nodes to serve as the data sharing live condition.
Optionally, the data transmission of the target server is monitored to record the sharing live condition of each data sharing task. First, the target sharing path, that is, the data transmission path, is determined from the data sharing task, and the monitoring path nodes are identified; these are determined from the wind control record of the target sharing path, in which the frequency of risk control is read, so that the path nodes that have experienced attacks and countermeasures are screened out and identified as monitoring path nodes.
Further, state monitoring and synchronous return of the node data flow are performed at the monitoring path nodes, that is, the data flow state of each risk node is monitored and returned synchronously to the security monitoring module as shared monitoring information. The security monitoring module then performs key feature extraction and normalization of the shared monitoring information, for example extracting, classifying and sorting key features such as the attack types, attack counts, intensities and losses experienced during data sharing, and maps and associates them one by one with the monitoring path nodes to form the data sharing live condition, which reflects the real-time security situation of the data sharing process.
P80: and carrying out transmission loss evaluation of the data sharing live state by combining with a target loss function, and evaluating a sharing risk coefficient.
Further, step P80 in the embodiment of the present application specifically includes:
p81: identifying the data sharing live condition, and extracting sharing wind control characteristics;
p82: building the target loss function, and executing transmission loss analysis based on the shared wind control characteristic;
wherein the target loss function expression is as follows:
where $R$ is the shared risk coefficient, $f_i$ is the $i$-th attack type present in the data sharing, $\alpha_i$ is the configuration weight of the $i$-th attack type, $x_i$ is the attack intensity of the $i$-th attack type, $n$ is the number of attack types, and $P$ is the channel transmission loss.
It should be understood that the data sharing live condition is identified and the sharing wind control characteristics are extracted from it; these key characteristics include the attack types, counts, intensities and losses experienced during data sharing. Loss influence parameters are extracted from the sharing wind control characteristics, and the target loss function is built from the loss influence parameters: where $R$ is the shared risk coefficient, $f_i$ is the $i$-th attack type present in the data sharing, for example a differential attack or information tampering, $\alpha_i$ is the configuration weight of the $i$-th attack type, $x_i$ is the attack intensity of the $i$-th attack type, $n$ is the number of attack types, and $P$ is the channel transmission loss.
Further, transmission loss analysis based on the sharing wind control characteristics is executed with the target loss function: the characteristics are substituted into the target loss function and the shared risk coefficient is calculated. The coefficient reflects the security of the data sharing in real time and is used as a data security early warning reference, which improves the security protection capability for the shared data.
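The following Python example is added here as an illustration of steps P70 and P80 together; it is not part of the patent text or of the applicant's system. It takes constructed monitoring records from path nodes, performs the key feature extraction and normalization mapped to each node, and then combines the named quantities ($\alpha_i$, $x_i$, $P$) into a shared risk coefficient $R$ with an early warning threshold. The patent's own loss function expression is not reproduced on this page, so the weighted form used in `shared_risk_coefficient()` is an assumption of this example, as are the record shape, the attack weights and the threshold value.

```python
from collections import defaultdict

# Constructed monitoring records as fed back by monitoring path nodes
# (the record shape is an assumption for this example, not the patent's format).
MONITOR_RECORDS = [
    {"node": "edge-A", "attack": "differential", "intensity": 0.6, "loss": 0.10},
    {"node": "edge-A", "attack": "differential", "intensity": 0.8, "loss": 0.20},
    {"node": "edge-B", "attack": "tampering", "intensity": 0.3, "loss": 0.05},
    {"node": "edge-C", "attack": "tampering", "intensity": 0.9, "loss": 0.40},
]

# Assumed configuration weights alpha_i, one per attack type f_i.
ATTACK_WEIGHTS = {"differential": 0.6, "tampering": 0.4}


def extract_wind_control_features(records):
    """Key feature extraction and normalization, mapped one by one to path nodes.

    Per (node, attack type) we keep the attack count, the strongest observed
    intensity (clipped to [0, 1]) and the summed loss, then add a 'frequency'
    field that normalizes the count by the largest count seen on any node.
    """
    feats = defaultdict(dict)
    for r in records:
        f = feats[r["node"]].setdefault(
            r["attack"], {"count": 0, "intensity": 0.0, "loss": 0.0})
        f["count"] += 1
        f["intensity"] = max(f["intensity"], min(1.0, max(0.0, r["intensity"])))
        f["loss"] += r["loss"]
    max_count = max((f["count"] for a in feats.values() for f in a.values()), default=1)
    for per_type in feats.values():
        for f in per_type.values():
            f["frequency"] = f["count"] / max_count
    return dict(feats)


def shared_risk_coefficient(features, weights, channel_loss):
    """Shared risk coefficient R.

    ASSUMED form (the patent's expression is not reproduced on this page):
        R = (1 + P) * sum_i alpha_i * x_i / sum_i alpha_i
    where x_i is the strongest intensity of attack type i over all monitored
    nodes and P is the channel transmission loss. Attack types missing from the
    weight table get a default weight of 1.0 so they cannot silently drop out.
    """
    if not 0.0 <= channel_loss <= 1.0:
        raise ValueError("channel transmission loss P must be in [0, 1]")
    x = {}
    for per_type in features.values():
        for attack, f in per_type.items():
            x[attack] = max(x.get(attack, 0.0), f["intensity"])
    if not x:
        return 0.0
    alpha = {a: weights.get(a, 1.0) for a in x}
    weighted = sum(alpha[a] * x[a] for a in x)
    return (1.0 + channel_loss) * weighted / sum(alpha.values())


def early_warning(risk, threshold=0.7):
    """Data security early warning reference: flag once R reaches the threshold."""
    return risk >= threshold


if __name__ == "__main__":
    feats = extract_wind_control_features(MONITOR_RECORDS)
    r = shared_risk_coefficient(feats, ATTACK_WEIGHTS, channel_loss=0.1)
    print(f"R = {r:.3f}, early warning = {early_warning(r)}")
```

Normalizing the count into a frequency keeps nodes with many small events comparable with nodes that saw one severe event, and the fail-closed default weight means an attack type the configuration forgot still raises the score instead of being ignored.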
P90: and determining data sharing security based on the data verification result and the sharing risk coefficient.
The data sharing security assessment is performed by integrating the data verification result and the sharing risk coefficient, and the data sharing security is determined.
In summary, the embodiments of the present application have at least the following technical effects:
according to the method, the data reference characteristics of the sensitive information are extracted and combined with a target differential algorithm to output the differential conversion data; based on a trusted data center, operation encryption processing is carried out on the differential conversion data, the conversion encryption data are determined and stored in an edge server; a data sharing task is read, a target server is matched with the target sharing data, the data sharing live condition is recorded, transmission loss evaluation is carried out with a target loss function to obtain the sharing risk coefficient, and data sharing security early warning is carried out.
The technical effects of carrying out data encryption storage and data sharing security assessment based on differential privacy and improving the data sharing security verification level are achieved.
Embodiment two
Based on the same inventive concept as the data sharing security verification method based on differential privacy in the foregoing embodiments, as shown in fig. 4, the present application provides a data sharing security verification system based on differential privacy, and the system and method embodiments in the embodiments of the present application are based on the same inventive concept. Wherein the system comprises:
a data reference feature extraction module 11, configured to identify sensitive information based on source data and to extract data reference features, including type features and quantity features;
a differential conversion data output module 12, configured to configure a target differential algorithm based on the data reference features, preprocess the sensitive information in combination with the differential conversion module, and output differential conversion data;
a conversion encryption data determining module 13, configured to carry out operation encryption processing on the differential conversion data based on a trusted data middle station in combination with a homomorphic encryption algorithm, determine conversion encryption data and store the conversion encryption data in an edge server;
a target shared data determining module 14, configured to read a data sharing task, match and lock a target server based on the edge server, and determine the target shared data to be shared based on the conversion encryption data;
a bidirectional checking channel establishing module 15, configured to orchestrate the target servers and establish a bidirectional checking channel between each target server end and each data sharing end;
a data verification result determining module 16, configured to perform data fidelity verification and risk countermeasure verification using the bidirectional verification channel as a data sharing restriction checkpoint, and determine a data verification result;
a data sharing live recording module 17, configured to orchestrate the target server, carry out circulation transmission and dynamic monitoring of the target sharing data, and record the data sharing live condition;
a shared risk coefficient evaluation module 18, configured to carry out transmission loss evaluation of the data sharing live condition in combination with a target loss function and evaluate a shared risk coefficient;
a data sharing security determining module 19, configured to determine the data sharing security based on the data verification result and the sharing risk coefficient.
Further, the data reference feature extraction module 11 is further configured to perform the following steps:
setting a multi-level differential conversion interval;
determining the sharing wind control level of the sensitive information, carrying out attribution of the multi-level differential conversion interval, and determining a plurality of differential attribution classes;
and identifying the data reference characteristic based on the differential attribution class.
Further, the differential conversion data output module 12 is further configured to perform the following steps:
setting a data confidentiality level and a data availability level in a multi-metadata sharing scene;
mapping and associating the data confidentiality level and the data availability level, and determining a multi-level differential degree, wherein the multi-level differential degree corresponds one by one to the multi-level differential conversion interval;
and configuring a differential relaxation mechanism based on the multi-level differential degree to construct the differential conversion module.
Further, the differential conversion data output module 12 is further configured to perform the following steps:
identifying the type features based on the data reference features, matching, traversing a differential factor algorithm library, and matching to obtain the target differential algorithm;
identifying the differential attribution class, and matching and determining target differential degree;
and combining the differential conversion module, performing differential conversion processing on the sensitive information based on the target differential algorithm and the target differential degree, and outputting the differential conversion data.
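The steps of modules 11 and 12 above (interval attribution by wind control level, a multi-level differential degree relaxed by the availability level, and algorithm selection by type feature) can be made concrete in code. The following Python example is added for illustration and is not the applicant's module; the epsilon intervals, the linear relaxation rule, the use of the Laplace mechanism for numeric attributes and of k-ary randomized response for categorical attributes, and the record used are all assumptions of this example.

```python
import math
import random

# Multi-level differential conversion intervals: privacy budget (epsilon) ranges
# per sharing wind control level. Level 1 is the most sensitive. The values are
# constructed for this example.
CONVERSION_INTERVALS = {1: (0.05, 0.2), 2: (0.2, 1.0), 3: (1.0, 4.0)}
MAX_AVAILABILITY_LEVEL = 3


def make_rng(seed=None):
    """Seedable randomness source so the conversion is reproducible in tests."""
    return random.Random(seed)


def attribute_interval(wind_control_level):
    """Differential attribution: map a wind control level onto its interval."""
    try:
        return CONVERSION_INTERVALS[wind_control_level]
    except KeyError:
        raise ValueError(f"unknown wind control level {wind_control_level}") from None


def target_differential_degree(wind_control_level, availability_level):
    """Assumed relaxation mechanism: inside the attributed interval, a higher
    data availability level relaxes epsilon linearly towards the upper bound;
    the confidentiality requirement is carried by the interval itself."""
    if not 1 <= availability_level <= MAX_AVAILABILITY_LEVEL:
        raise ValueError("availability level out of range")
    lo, hi = attribute_interval(wind_control_level)
    t = (availability_level - 1) / (MAX_AVAILABILITY_LEVEL - 1)
    return lo + t * (hi - lo)


def laplace_mechanism(value, epsilon, rng, sensitivity):
    """Numeric attributes: add Laplace noise of scale sensitivity/epsilon,
    sampled by inverse CDF so only the standard library is needed."""
    scale = sensitivity / epsilon
    u = rng.random() - 0.5
    mag = min(abs(u), 0.5 - 1e-12)  # keep log() away from 0
    return value - scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * mag)


def randomized_response(value, epsilon, rng, domain):
    """Categorical attributes: k-ary randomized response, which keeps the true
    value with probability e^eps / (e^eps + k - 1) and otherwise reports one
    of the other k - 1 domain values uniformly."""
    if value not in domain:
        raise ValueError("value outside declared domain")
    k = len(domain)
    p_truth = math.exp(epsilon) / (math.exp(epsilon) + k - 1)
    if rng.random() < p_truth:
        return value
    return rng.choice([v for v in domain if v != value])


# Differential factor algorithm library keyed by type feature (assumed contents).
DIFFERENTIAL_ALGORITHMS = {"numeric": laplace_mechanism,
                           "categorical": randomized_response}


def differential_convert(record, type_features, wind_control_level,
                         availability_level, seed=None):
    """Differential conversion of one sensitive record.

    type_features maps attribute -> (type, params), for example
    ("numeric", {"sensitivity": 50.0}) or ("categorical", {"domain": [...]}).
    An attribute without a declared type feature is refused (fail closed)
    rather than passed through in the clear.
    """
    rng = make_rng(seed)
    eps = target_differential_degree(wind_control_level, availability_level)
    out = {}
    for attr, value in record.items():
        if attr not in type_features:
            raise ValueError(f"no type feature for sensitive attribute {attr!r}")
        kind, params = type_features[attr]
        try:
            algorithm = DIFFERENTIAL_ALGORITHMS[kind]
        except KeyError:
            raise ValueError(f"no differential algorithm for type {kind!r}") from None
        out[attr] = algorithm(value, eps, rng, **params)
    return out


if __name__ == "__main__":
    # Constructed sensitive record and its type features.
    rec = {"age": 34, "diagnosis": "flu"}
    tf = {"age": ("numeric", {"sensitivity": 50.0}),
          "diagnosis": ("categorical", {"domain": ["flu", "cold", "none"]})}
    print(differential_convert(rec, tf, wind_control_level=2, availability_level=2, seed=7))
```

The sensitivity passed for a numeric attribute should be the full range that attribute can take, since that is what bounds the influence of one record; choosing it too small quietly weakens the guarantee no matter which interval the wind control level selected.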
Further, the transformed encrypted data determining module 13 is further configured to perform the following steps:
acquiring newly added sensitive information, executing homologous analysis of the newly added sensitive information and the conversion encryption data, and determining a mapping newly added sequence;
traversing the mapping newly added sequence, evaluating the newly added influence degree, and determining a newly added influence coefficient;
and executing adaptive conversion output and encryption storage processing of the mapping newly added sequence based on the newly added influence coefficient.
Further, the data verification result determining module 16 is further configured to perform the following steps:
setting up a bidirectional check channel which is configured on a data communication interface, wherein the bidirectional check channel is used for performing data fidelity check and risk countermeasure check;
synchronously activating the bidirectional check channel along with data sharing;
based on a delivery end interface, combining the bidirectional checking channel to perform fidelity checking and transmission of shared data;
based on the receiving end interface, combining the bidirectional check channel to perform information intrusion identification of shared data in the channel, performing data fidelity check and risk countermeasure check, and performing data interface admission if the data fidelity check and the risk countermeasure check meet the wind control standard.
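The four steps of module 16 above describe a delivery end that performs a fidelity check before transmission and a receiving end that repeats the fidelity check, identifies information intrusion in the channel and admits the data only when the wind control standard is met. The following Python example is added to show one way such a bidirectional check channel can behave; it is not the applicant's implementation. It assumes a pre-shared channel key with an HMAC tag as the fidelity check, and a size limit, freshness window, replay set and allowed-field schema as the risk countermeasure check; the key, field names and limits are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed channel key for the example; a deployment would provision one
# per (data sharing end, target server) pair and never hard-code it.
CHANNEL_KEY = b"example-channel-key-do-not-reuse"
MAX_PAYLOAD_BYTES = 4096        # assumed wind control limit on one message
MAX_AGE_SECONDS = 60            # assumed freshness window
ALLOWED_FIELDS = frozenset({"record_id", "value"})  # assumed shared-data schema


def canonical(payload):
    """Stable byte encoding so sender and receiver tag exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, body, ts):
    return hmac.new(key, body + ts.to_bytes(8, "big"), hashlib.sha256).hexdigest()


def deliver(payload, key, sent_at=None):
    """Delivery end interface: fidelity check before transmission.

    Refuses oversize payloads and binds an HMAC tag to the canonical body and
    the send timestamp, so the receiver can detect tampering and staleness.
    """
    body = canonical(payload)
    if len(body) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload exceeds wind control size limit")
    ts = int(sent_at if sent_at is not None else time.time())
    return {"body": body, "ts": ts, "tag": _tag(key, body, ts)}


def admit(message, key, seen_tags, now=None):
    """Receiving end interface: fidelity check plus risk countermeasure check.

    Returns (admitted, reason). seen_tags is the receiver's replay memory for
    the freshness window; a tag is only remembered once the message is admitted.
    """
    now = int(now if now is not None else time.time())
    body, ts, tag = message.get("body"), message.get("ts"), message.get("tag")
    if not isinstance(body, bytes) or not isinstance(tag, str):
        return False, "malformed"
    if len(body) > MAX_PAYLOAD_BYTES:
        return False, "oversize"
    if not isinstance(ts, int) or ts < 0 or abs(now - ts) > MAX_AGE_SECONDS:
        return False, "stale"
    # Fidelity check: constant-time comparison against the recomputed tag.
    if not hmac.compare_digest(_tag(key, body, ts), tag):
        return False, "fidelity"
    if tag in seen_tags:
        return False, "replay"
    # Intrusion identification: the body must be a JSON object using only the
    # declared fields, so injected commands or extra keys are not admitted.
    try:
        obj = json.loads(body)
    except ValueError:
        return False, "malformed"
    if not isinstance(obj, dict) or not set(obj) <= ALLOWED_FIELDS:
        return False, "schema"
    seen_tags.add(tag)
    return True, "admitted"


if __name__ == "__main__":
    seen = set()
    msg = deliver({"record_id": 1, "value": 42}, CHANNEL_KEY)
    print(admit(msg, CHANNEL_KEY, seen))   # admitted on first delivery
    print(admit(msg, CHANNEL_KEY, seen))   # the same message again is a replay
```

The order of the checks matters: cheap structural checks run before the tag is verified, and the replay memory is updated only after every check passed, so a rejected message can never poison the receiver's state.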
Further, the data sharing live recording module 17 is further configured to perform the following steps:
determining a target shared path based on the data sharing task, and identifying a monitoring path node, wherein the monitoring path node is determined based on a wind control record of the target shared path;
based on the monitoring path node, performing state monitoring and synchronous feedback of node data flow, and determining shared monitoring information;
and executing key feature extraction and normalization of the shared monitoring information, and mapping and correlating with the monitoring path nodes to serve as the data sharing live condition.
Further, the shared risk factor evaluation module 18 is further configured to perform the following steps:
identifying the data sharing live condition, and extracting sharing wind control characteristics;
building the target loss function, and executing transmission loss analysis based on the shared wind control characteristic;
wherein the target loss function expression is as follows:
where $R$ is the shared risk coefficient, $f_i$ is the $i$-th attack type present in the data sharing, $\alpha_i$ is the configuration weight of the $i$-th attack type, $x_i$ is the attack intensity of the $i$-th attack type, $n$ is the number of attack types, and $P$ is the channel transmission loss.
Exemplary electronic device
An electronic device of an embodiment of the present application is described below with reference to fig. 5.
Based on the same inventive concept as the data sharing security verification method based on differential privacy in the foregoing embodiments, the present application further provides a data sharing security verification system based on differential privacy, including an electronic device: a processor coupled to a memory for storing a program that, when executed by the processor, causes the system to perform the steps of the method of embodiment one.
The electronic device 300 includes a processor 302, a communication interface 303 and a memory 301. Optionally, the electronic device 300 may also include a bus architecture 304, through which the communication interface 303, the processor 302 and the memory 301 may be interconnected; the bus architecture 304 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus architecture 304 may be divided into an address bus, a data bus, a control bus and the like. For ease of illustration, only one thick line is shown in fig. 5, but this does not mean that there is only one bus or one type of bus.
Processor 302 may be a CPU, microprocessor, ASIC, or one or more integrated circuits for controlling the execution of the programs of the present application.
The communication interface 303 uses any transceiver-like means for communicating with other devices or communication networks, such as ethernet, radio access network (radio access network, RAN), wireless local area network (wireless local area networks, WLAN), wired access network, etc.
The memory 301 may be, but is not limited to, a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor through the bus architecture 304, or it may be integrated with the processor.
The memory 301 is used for storing computer-executable instructions for executing the embodiments of the present application, and is controlled by the processor 302 to execute the instructions. The processor 302 is configured to execute computer-executable instructions stored in the memory 301, thereby implementing the data sharing security verification method based on differential privacy provided in the above embodiments of the present application.
It should be noted that the sequence of the embodiments of the present application is merely for description, and does not represent the advantages and disadvantages of the embodiments. And the foregoing description has been directed to specific embodiments of this specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing description of the preferred embodiments of the present application is not intended to limit the present application, and the scope of the present application is not confined to the particular embodiments described.
The specification and drawings are merely exemplary of the application and are to be regarded as covering any and all modifications, variations, combinations, or equivalents that are within the scope of the application. It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the present application and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method for verifying security of data sharing based on differential privacy, the method comprising:
identifying sensitive information based on source data, and extracting data reference features including type features and quantity features;
configuring a target differential algorithm based on the data reference characteristics, preprocessing the sensitive information by combining a differential conversion module, and outputting differential conversion data;
based on a trusted data center, combining a homomorphic encryption algorithm, carrying out operation encryption processing on the differential conversion data, determining conversion encryption data and storing the conversion encryption data in an edge server;
reading a data sharing task, matching and locking a target server based on the edge server, and determining target sharing data to be shared based on the converted encrypted data;
the target servers are integrated, and a bidirectional check channel is established between each target server and each data sharing end;
taking the bidirectional check channel as a data sharing limit checkpoint, performing data fidelity check and risk countermeasure check, and determining a data check result;
performing stream transmission and dynamic monitoring of the target sharing data, and recording a data sharing live condition;
carrying out transmission loss evaluation of the data sharing live state by combining a target loss function, and evaluating a sharing risk coefficient;
and determining data sharing security based on the data verification result and the sharing risk coefficient.
2. The method of claim 1, wherein the identifying sensitive information based on the source data, the method of extracting data reference features comprises:
setting a multi-level differential conversion interval;
determining the sharing wind control level of the sensitive information, carrying out attribution of the multi-level differential conversion interval, and determining a plurality of differential attribution classes;
and identifying the data reference characteristic based on the differential attribution class.
3. The method of claim 2, wherein the method of constructing the differential conversion module comprises:
setting a data confidentiality level and a data availability level in a multi-metadata sharing scene;
mapping and associating the data confidentiality level and the data availability level, and determining a multi-level differential degree, wherein the multi-level differential degree corresponds one by one to the multi-level differential conversion interval;
and configuring a differential relaxation mechanism based on the multi-level differential degree to construct the differential conversion module.
4. The method of claim 3, wherein the configuring a target differential algorithm based on the data reference feature, preprocessing the sensitive information in conjunction with a differential conversion module, and outputting differential conversion data comprises:
identifying the type features based on the data reference features, matching, traversing a differential factor algorithm library, and matching to obtain the target differential algorithm;
identifying the differential attribution class, and matching and determining target differential degree;
and combining the differential conversion module, performing differential conversion processing on the sensitive information based on the target differential algorithm and the target differential degree, and outputting the differential conversion data.
5. The method of claim 1, wherein after determining the conversion encryption data and storing it in the edge server, the method further comprises:
acquiring newly added sensitive information, executing homologous analysis of the newly added sensitive information and the conversion encryption data, and determining a mapping newly added sequence;
traversing the mapping newly added sequence, evaluating the newly added influence degree, and determining a newly added influence coefficient;
and executing adaptive conversion output and encryption storage processing of the mapping newly added sequence based on the newly added influence coefficient.
6. The method of claim 1, wherein the method of performing the streaming and dynamic monitoring of the target shared data, recording the data sharing live comprises:
determining a target shared path based on the data sharing task, and identifying a monitoring path node, wherein the monitoring path node is determined based on a wind control record of the target shared path;
based on the monitoring path node, performing state monitoring and synchronous feedback of node data flow, and determining shared monitoring information;
and executing key feature extraction and normalization of the shared monitoring information, and mapping and correlating with the monitoring path nodes to serve as the data sharing live condition.
7. The method of claim 1, wherein the method of performing the transmission loss assessment of the data sharing live in conjunction with a target loss function comprises:
identifying the data sharing live condition, and extracting sharing wind control characteristics;
building the target loss function, and executing transmission loss analysis based on the shared wind control characteristic;
wherein the target loss function expression is as follows:
where $R$ is the shared risk coefficient, $f_i$ is the $i$-th attack type present in the data sharing, $\alpha_i$ is the configuration weight of the $i$-th attack type, $x_i$ is the attack intensity of the $i$-th attack type, $n$ is the number of attack types, and $P$ is the channel transmission loss.
8. The method of claim 1, wherein the method for performing data fidelity verification and risk challenge verification using the bidirectional verification channel as a data sharing restriction checkpoint comprises:
setting up a bidirectional check channel which is configured on a data communication interface, wherein the bidirectional check channel is used for performing data fidelity check and risk countermeasure check;
synchronously activating the bidirectional check channel along with data sharing;
based on a delivery end interface, combining the bidirectional checking channel to perform fidelity checking and transmission of shared data;
based on the receiving end interface, combining the bidirectional check channel to perform information intrusion identification of shared data in the channel, performing data fidelity check and risk countermeasure check, and performing data interface admission if the data fidelity check and the risk countermeasure check meet the wind control standard.
9. A differential privacy-based data sharing security verification system, the system comprising:
the data reference feature extraction module is used for identifying sensitive information based on source data and extracting data reference features, including type features and quantity features;
the differential conversion data output module is used for configuring a target differential algorithm based on the data reference characteristics, preprocessing the sensitive information by combining with the differential conversion module and outputting differential conversion data;
the conversion encryption data determining module is used for carrying out operation encryption processing on the differential conversion data based on a trusted data middle station and combining a homomorphic encryption algorithm, determining conversion encryption data and storing the conversion encryption data in an edge server;
the target shared data determining module is used for reading a data sharing task, matching and locking a target server based on the edge server, and determining target shared data to be shared based on the converted encrypted data;
the bidirectional checking channel establishing module is used for comprehensively planning the target servers and establishing bidirectional checking channels between each target server end and each data sharing end;
the data verification result determining module is used for performing data fidelity verification and risk countermeasure verification by taking the bidirectional verification channel as a data sharing limit checkpoint and determining a data verification result;
the data sharing live recording module is used for carrying out circulation transmission and dynamic monitoring on the target sharing data and recording the data sharing live;
the shared risk coefficient evaluation module is used for carrying out transmission loss evaluation of the data sharing live by combining a target loss function and evaluating a shared risk coefficient;
and the data sharing security determination module is used for determining the data sharing security based on the data verification result and the sharing risk coefficient.
10. An electronic device, comprising: a processor coupled to a memory for storing a program which, when executed by the processor, causes the system to perform the steps of the method of any one of claims 1 to 8.
CN202311640367.5A 2023-12-01 2023-12-01 Data sharing security verification method and system based on differential privacy Pending CN117454408A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311640367.5A CN117454408A (en) 2023-12-01 2023-12-01 Data sharing security verification method and system based on differential privacy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311640367.5A CN117454408A (en) 2023-12-01 2023-12-01 Data sharing security verification method and system based on differential privacy

Publications (1)

Publication Number Publication Date
CN117454408A true CN117454408A (en) 2024-01-26

Family

ID=89593101

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311640367.5A Pending CN117454408A (en) 2023-12-01 2023-12-01 Data sharing security verification method and system based on differential privacy

Country Status (1)

Country Link
CN (1) CN117454408A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117892357A (en) * 2024-03-15 2024-04-16 大连优冠网络科技有限责任公司 Energy big data sharing and distribution risk control method based on differential privacy protection
CN117892357B (en) * 2024-03-15 2024-05-31 国网河南省电力公司经济技术研究院 Energy big data sharing and distribution risk control method based on differential privacy protection


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination