CN118013557A - File encryption method and device, computer equipment and storage medium - Google Patents
File encryption method and device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN118013557A CN118013557A CN202410390012.3A CN202410390012A CN118013557A CN 118013557 A CN118013557 A CN 118013557A CN 202410390012 A CN202410390012 A CN 202410390012A CN 118013557 A CN118013557 A CN 118013557A
- Authority
- CN
- China
- Prior art keywords
- file
- user
- data
- sensitive data
- encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 58
- 230000006399 behavior Effects 0.000 claims abstract description 118
- 238000003909 pattern recognition Methods 0.000 claims abstract description 32
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 18
- 230000035945 sensitivity Effects 0.000 claims abstract description 17
- 238000013475 authorization Methods 0.000 claims abstract description 7
- 238000005516 engineering process Methods 0.000 claims description 25
- 230000007246 mechanism Effects 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 11
- 230000001276 controlling effect Effects 0.000 claims description 9
- 238000013135 deep learning Methods 0.000 claims description 9
- 230000000694 effects Effects 0.000 claims description 8
- 238000012795 verification Methods 0.000 claims description 7
- 239000011159 matrix material Substances 0.000 claims description 6
- 230000008569 process Effects 0.000 claims description 6
- 238000012549 training Methods 0.000 claims description 6
- 230000014509 gene expression Effects 0.000 claims description 5
- 238000010606 normalization Methods 0.000 claims description 4
- 238000012360 testing method Methods 0.000 claims description 4
- 238000012098 association analyses Methods 0.000 claims description 3
- 238000011156 evaluation Methods 0.000 claims description 3
- 230000006870 function Effects 0.000 claims description 3
- 230000001105 regulatory effect Effects 0.000 claims description 3
- 238000010276 construction Methods 0.000 claims description 2
- 238000000586 desensitisation Methods 0.000 description 5
- 238000012544 monitoring process Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 206010000117 Abnormal behaviour Diseases 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000011217 control strategy Methods 0.000 description 2
- 238000007781 pre-processing Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 239000000470 constituent Substances 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000000873 masking effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 238000012502 risk assessment Methods 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a file encryption method, a device, computer equipment and a storage medium, which relate to the technical field of data encryption and comprise the steps of analyzing and learning file operation behaviors of users, constructing a user behavior pattern recognition model, and recognizing and predicting file access patterns and habits of the users; classifying the data in the file according to the behavior pattern recognition result of the user, and identifying a data part with high sensitivity; dynamically generating an encryption strategy based on a behavior mode of a user and a sensitive data classification result; encrypting sensitive data in the file, and storing the encrypted file in a safe and reliable storage medium; and dynamically controlling the access authority to the encrypted file according to the identity authentication and authorization information of the user, so as to ensure that only the authorized user can access and decrypt the file. The invention better adapts to the operation habit and the demand of the user, improves the intelligent level and the user experience of the encryption algorithm, and enhances the flexibility and the adaptability of the system.
Description
Technical Field
The present invention relates to the field of data encryption technologies, and in particular, to a file encryption method, a device, a computer device, and a storage medium.
Background
File encryption technology occupies a vital role in the field of information security nowadays, and with the rapid development of information technology, demands of users for file security and privacy protection are increasing. The traditional encryption method often depends on a fixed key and an algorithm, has the problems of complex key management, limited anti-attack capability and the like, and cannot meet the demands of users on personalized and intelligent encryption. Therefore, how to improve the intelligent level and security of file encryption by using advanced technical means is one of the problems to be solved in the current urgent need.
In the field of file encryption, conventional encryption methods mainly rely on symmetric encryption algorithms and public key encryption algorithms, such as AES, DES, RSA, which ensure confidentiality of data to some extent, but are difficult to cope with dynamic changes and diversity requirements of user behaviors. Meanwhile, because of the fixity of the encryption algorithm and the key management, potential safety hazards such as key leakage, insufficient encryption strength and the like exist.
Disclosure of Invention
The present invention has been made in view of the above-described problems occurring in the conventional encryption method.
The problem underlying the present invention is therefore how to provide a method that provides a more accurate and personalized basis for the generation of encryption policies.
In order to solve the technical problems, the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides a file encryption method, which includes analyzing and learning a file operation behavior of a user by using a deep learning technology, constructing a user behavior pattern recognition model, and recognizing and predicting a file access pattern and habit of the user; classifying the data in the file according to the behavior pattern recognition result of the user, and identifying a data part with high sensitivity; dynamically generating an encryption strategy based on a behavior mode of a user and a sensitive data classification result; encrypting sensitive data in the file by using the generated encryption strategy, and storing the encrypted file in a safe and reliable storage medium; and dynamically controlling the access authority to the encrypted file according to the identity authentication and authorization information of the user, so as to ensure that only the authorized user can access and decrypt the file.
As a preferable scheme of the file encryption method of the present invention, wherein: the construction of the user behavior pattern recognition model comprises the following steps: dividing the preprocessed data into a training set, a verification set and a test set, and converting the data into an input format required by a model; is provided withOperating behavior characteristics of a user i on a file j, wherein i=1, 2,..n, represents a user number; j=1, 2,..m, represents a file number; /(I)The probability distribution vector of file access mode of the user i is represented by the following formula:
Wherein, Representing the operation behavior weight of the user i on the file j; s represents a normalization function for ensuring each probability/>Within the range of [0, 1 ]; Θ represents a parameter set of the user behavior pattern recognition model, which includes all bias terms; /(I)A personalized bias term representing user i.
As a preferable scheme of the file encryption method of the present invention, wherein: classifying the data in the file according to the behavior pattern recognition result of the user, and identifying the data part with high sensitivity comprises the following steps: setting a regular expression recognition rule of the sensitive data, and matching and extracting sensitive information in the file; scanning and matching file contents by using a preset sensitive data identification rule, and marking and classifying sensitive data by using a differential privacy technology to ensure the privacy and safety of the data; marking and classifying sensitive data by utilizing a differential privacy technology; and outputting the identified sensitive data in the file, the position information of the sensitive data and the desensitized data as a structured data format.
As a preferable scheme of the file encryption method of the present invention, wherein: the marking and classifying the sensitive data by utilizing the differential privacy technology comprises the following steps: determining differential privacy parameters: including privacy budgetsAnd sensitivity Δf; let D denote the original dataset, m the total number of sensitive data types, n the total number of data records, let L denote the data marking matrix of differential privacy, wherein each element represents the probability that the ith data record is marked as the jth sensitive data type; let C denote a data classification matrix for differential privacy, where element/>Showing the probability that the ith data record is classified as the jth class, a formula is constructed:
Wherein, Representing differential privacy noise generated using the laplace mechanism for protecting the privacy of data markers and classifications.
As a preferable scheme of the file encryption method of the present invention, wherein: the marking and classifying the sensitive data using the differential privacy technique further includes: the marking and classification results are evaluated, and the privacy protection effect and the data usability of the differential privacy mechanism are checked, wherein the method comprises the following steps: privacy metric indexes under different parameter settings are calculated and compared in size, specifically as follows:
wherein T is a privacy metric index, The differential privacy parameter is used for controlling the addition amount of random noise; /(I)Is a differential privacy parameter and is used for controlling the probability of random noise; alpha, beta, gamma are regulating parameters; if the evaluation result shows that the privacy protection effect or the data availability is not ideal, attempting to adjust parameters of the differential privacy mechanism, and re-evaluating.
As a preferable scheme of the file encryption method of the present invention, wherein: according to the user behavior pattern recognition model, analyzing the file operation behaviors of the user in real time, recognizing the behavior pattern of the user, and setting the risk level of the user behavior pattern; the setting the risk level of the user behavior mode comprises the following steps: if it isExceeds a first threshold and the deviation term Θ i is greater than the historical deviation term mean and the particular behavior pattern/>If the frequency of occurrence of (2) exceeds the average frequency of occurrence, classifying it into a first risk level; if/>Exceeds a first threshold, but the deviation term Θ i is greater than the historical deviation term mean, or a particular behavior pattern/>If the frequency of occurrence of (2) is lower than the average frequency of occurrence, classifying it into a second risk level; or/>Is greater than or equal to a second threshold and less than a first threshold, and the deviation term Θ i is greater than the historical deviation term mean, and the specific behavior pattern/>If the frequency of occurrence of (2) exceeds the average frequency of occurrence, then it is also classified as a second risk level; if/>Less than the second threshold, it is classified as a third risk level.
As a preferable scheme of the file encryption method of the present invention, wherein: the dynamically generating encryption policy includes: performing association analysis on the user behavior mode and the sensitive data classification result to determine which sensitive data are accessed or operated by the user in the specific behavior mode; the encryption strategy is dynamically generated according to the user behavior mode and the sensitive data classification result, and the specific algorithm is as follows:
Wherein U represents a user behavior pattern; e represents a sensitive data classification result; g represents the access requirements for sensitive data in different behavior modes; k represents the sensitivity degree and protection requirement of the data; p represents the strength or level of the dynamic encryption policy generated.
In a second aspect, the present invention provides a file encrypting apparatus, which further solves the problems of the conventional encrypting method, and includes: the user behavior analysis module is used for collecting and analyzing file operation behavior data of the user; the behavior pattern recognition module is used for constructing a model through a deep learning technology, carrying out pattern recognition and learning on file operation behaviors of the user, and predicting and recognizing file access patterns and habits of the user; the sensitive data classification module is used for classifying and marking the data in the file according to the behavior pattern recognition result, and recognizing a data part with high sensitivity; the differential privacy protection module is used for marking and classifying sensitive data by using a differential privacy technology, ensuring the privacy and the safety of the data and keeping the anonymity of the data in the encryption process; the encryption strategy generation module is used for dynamically generating an encryption strategy according to the user behavior mode and the sensitive data classification result; and the file encryption module is used for encrypting the sensitive data in the file according to the generated encryption strategy so as to ensure the security and confidentiality of the data.
In a third aspect, embodiments of the present invention provide a computer apparatus comprising a memory and a processor, the memory storing a computer program, wherein: the computer program when executed by a processor implements any of the steps of the file encryption method according to the first aspect of the invention.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having a computer program stored thereon, wherein: the computer program when executed by a processor implements any of the steps of the file encryption method according to the first aspect of the invention.
The invention has the beneficial effects that through analyzing the operation behaviors of the user file, the monitoring and understanding of the user behaviors are realized, the operation habits and behavior patterns of the user can be accurately captured, basic data is provided for the subsequent encryption strategy generation, and the system is also facilitated to detect and prevent abnormal behaviors; predicting future operation of the user according to the behavior habit of the user, so that an encryption strategy is formulated more intelligently; the user privacy is more accurately protected, the risk of data leakage is reduced, and the data security and confidentiality of the system are improved; the invention better adapts to the operation habit and the demand of the user, improves the intelligent level and the user experience of the encryption algorithm, and enhances the flexibility and the adaptability of the system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a file encryption method in embodiment 1.
Fig. 2 is a graph showing the risk level determination of the user behavior pattern in embodiment 1.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to fig. 1 and 2, a first embodiment of the present invention provides a file encryption method, which includes the steps of:
s1: and analyzing and learning the file operation behaviors of the user by using a deep learning technology, constructing a user behavior pattern recognition model, and recognizing and predicting the file access pattern and habit of the user.
S1.1: and collecting file operation log data of a user, wherein the file operation log data comprises operations such as creation, opening, modification, deletion and the like of a file, and information such as time stamps of the operations, file paths and the like.
And cleaning and preprocessing the collected data, removing invalid or incomplete data, and unifying data formats.
And carrying out normalization processing on the file paths, converting the absolute paths into relative paths, and reducing the diversity of the paths.
S1.2: the characteristics of the user behavior, such as operation type, operation frequency, operation time distribution, etc., are extracted.
Preferably, the file path is encoded, and the character string type path is converted into a numerical type feature vector; encoding the time characteristics, and converting the discretized time period into a numerical characteristic vector; the users are encoded, each user is assigned a unique ID, and the unique ID is converted into a numerical characteristic vector.
S1.3: and constructing a user behavior pattern recognition model according to the characteristics of the task and the scale of the data.
Dividing the preprocessed data into a training set, a verification set and a test set, and converting the data into an input format required by the model.
Constructing a user behavior pattern recognition model, recognizing and predicting file access patterns and habits of users, wherein the operation steps are as follows:
Is provided with Operating behavior characteristics of a user i on a file j, wherein i=1, 2,..n, represents a user number; j=1, 2,..m, represents a file number; /(I)The probability distribution vector of file access mode of the user i is represented by the following formula:
Wherein, Representing the operation behavior weight of the user i on the file j; s represents a normalization function for ensuring each probability/>Within the range of [0, 1 ]; Θ represents a parameter set of the user behavior pattern recognition model, which includes all bias terms; /(I)A personalized bias term representing user i.
Wherein Θ includes one of an access frequency deviation term, a time deviation term, a geographic location deviation term, and a file type deviation term, which can be set according to different parameters, for adjusting overall trend and risk assessment of a user behavior pattern.
Wherein,The closer to 1, the more obvious and frequent the access pattern of user i to the corresponding file, and the closer to 0, the less obvious or infrequent the access pattern of user i to the corresponding file.
Training the model by using training set data, evaluating and optimizing the model by using verification set data, and selecting model parameters with optimal performance.
S2: and classifying the data in the file according to the behavior pattern recognition result of the user, and identifying the data part with high sensitivity.
S2.1: and setting regular expression recognition rules of the sensitive data, and matching and extracting sensitive information in the file.
Different sensitivity levels are set according to different types of sensitive data.
Preferably, the sensitive data of different types are classified and distinguished according to the personal identity information, the type to which the data belongs and the like and the constituent elements and characteristics of the data.
According to the characteristics and formats of the sensitive data, corresponding regular expression patterns are designed, and after design, the bidding relation among different types of sensitive data is analyzed, so that overlapping or collision of the regular expressions is avoided.
Further, the recognition sensitivity threshold of the sensitive data is set according to different conditions to determine the recognition severity, and the specificity threshold of the recognition result is set to control the false alarm rate, so that the accuracy and reliability of the recognition result are ensured.
S2.2: and scanning and matching file contents by using a preset sensitive data identification rule.
S2.3: and marking and classifying the sensitive data by utilizing a differential privacy technology, so that the privacy and the safety of the data are ensured.
Further, the marking and classifying of sensitive data using differential privacy techniques includes the steps of:
First, differential privacy parameters, including privacy budgets, are determined And sensitivity Δf, let D denote the original dataset, m be the total number of sensitive data types, n be the total number of data records, let L denote the data marking matrix of differential privacy, wherein each element represents the probability that the ith data record is marked as the jth sensitive data type; let C denote a data classification matrix for differential privacy, where each element/>Showing the probability that the ith data record is classified as the jth class, a formula is constructed:
Wherein, Representing differential privacy noise generated using the laplace mechanism for protecting the privacy of data markers and classifications.
The marking and classifying process of the differential privacy is incorporated, and the private information of the data marking and classifying is protected by introducing differential privacy noise, and meanwhile, the availability and the effectiveness of the data are maintained; differential privacy marking and classification schemes are designed, so that the availability and effectiveness of data can be maintained while privacy protection of sensitive data is ensured.
The marking and classification results are evaluated, and the privacy protection effect and the data usability of the differential privacy mechanism are checked, wherein the method comprises the following steps:
The privacy metric index is used for evaluating the privacy protection effect of the differential privacy mechanism, the privacy metric indexes under different parameter settings are calculated, and the sizes of the privacy metric indexes are compared, specifically as follows:
wherein T is a privacy metric index, The differential privacy parameter is used for controlling the addition amount of random noise; /(I)Is a differential privacy parameter and is used for controlling the probability of random noise; alpha, beta, gamma are regulatory parameters.
If the evaluation result shows that the privacy protection effect or the data availability is not ideal enough, attempting to adjust parameters of the differential privacy mechanism, and re-evaluating; this step is repeated until the desired privacy preserving effect and data availability is achieved.
And selecting proper desensitization and encryption algorithms according to the type and the level of the sensitive data, so as to ensure the security of the sensitive data.
Specifically, selecting a proper desensitization algorithm according to the type and the level of sensitive data; desensitization algorithms include methods of substitution, perturbation, noise addition, data desensitization, etc., for example, for text data, substitution techniques (e.g., data masking, data desensitization) may be used; for numerical data, perturbation techniques (e.g., data encryption, data salification) may be used.
According to the invention, the data are marked by utilizing the differential privacy mechanism, so that the marking result is ensured not to reveal individual privacy information, classification operation is carried out according to marked sensitive data, the data are grouped or classified according to different types, and the classification result is protected by utilizing the differential privacy mechanism, so that the sensitive information is prevented from revealing.
S2.4: and outputting the sensitive data identified in the file, the position information thereof, the desensitized data and other results into a structured data format, such as JSON, XML and the like.
And storing the output result into a safe database or file system, and setting proper access right control to ensure confidentiality of sensitive data.
S3: and dynamically generating an encryption strategy based on the behavior mode of the user and the classification result of the sensitive data.
S3.1: according to the user behavior pattern recognition model, analyzing the file operation behavior of the user in real time; and identifying a behavior mode of the user, such as frequently accessing sensitive data, abnormal file operation behaviors and the like, and setting a risk level of the behavior mode of the user.
In particular, the method comprises the steps of,Exceeds a first threshold and the deviation term Θ i is greater than the historical deviation term mean and the particular behavior pattern/>If the frequency of occurrence of (2) exceeds the average frequency of occurrence, classifying it into a first risk level;
If it is Exceeds a first threshold, but the deviation term Θ i is less than the historical deviation term mean, or a specific behavior pattern/>If the frequency of occurrence of (2) is lower than the average frequency of occurrence, classifying it into a second risk level; or/>Is greater than or equal to a second threshold and less than a first threshold, and the deviation term Θ i is greater than the historical deviation term mean, and the specific behavior pattern/>If the frequency of occurrence of (2) exceeds the average frequency of occurrence, then it is also classified as a second risk level;
If it is Less than the second threshold, it is classified as a third risk level.
The risk level includes: first risk level: file operation behavior with high risk, which may involve frequent access to sensitive data or abnormal operation behavior, may present security threats or violations; then strict restrictions are immediately taken on users involved in frequent access to sensitive data or unusual behavior, such as suspending user rights, notifying an administrator of further investigation, etc.;
second risk level: file operation behaviors with medium risks can have a certain degree of risks, but are not serious enough, monitoring and early warning measures are adopted, and supervision and examination of user behaviors are enhanced;
third hazard level: the general file operation behavior has low risk and can not obviously influence the system safety, and then the routine monitoring and examination is continued.
S3.2: and dynamically generating an encryption strategy applicable to the current scene by comprehensively considering the user behavior mode and the sensitive data classification result.
Specifically, performing association analysis on the user behavior mode and the sensitive data classification result to determine which sensitive data are accessed or operated by the user in the specific behavior mode; the encryption strategy is dynamically generated according to the user behavior mode and the sensitive data classification result, and the specific algorithm is as follows:
Wherein U represents a user behavior pattern; e represents a sensitive data classification result; g represents the access requirements for sensitive data in different behavior modes; k represents the sensitivity degree and protection requirement of the data; p represents the strength or level of the dynamic encryption policy generated.
Preferably, in consideration of the diversity of the user demands, the encryption strategy can be personalized and customized according to the behavior patterns of different users and the classification result of the sensitive data, so as to improve the intelligent level of encryption.
The execution condition of the encryption strategy is monitored in real time, logs and index data of the encryption operation are collected, the encrypted logs are analyzed, and possible safety risks and abnormal behaviors such as unauthorized encryption operation, encryption failure and the like are identified; the encryption strategy is audited and evaluated regularly, so that the encryption strategy meets the data security requirements and compliance standards of organizations.
S4: and encrypting the sensitive data in the file by using the generated encryption strategy, and storing the encrypted file in a safe and reliable storage medium.
And reading detailed parameters of the encryption strategy from the generated encryption strategy configuration file, and verifying the integrity and validity of the encryption strategy.
And extracting the sensitive data which need to be encrypted from the file according to the sensitive data classification result.
The extracted sensitive data is subjected to necessary format conversion and preprocessing to ensure that the sensitive data is suitable for the input requirement of an encryption algorithm, and the sensitive data is divided into proper encryption units.
And encrypting the extracted sensitive data by using an initialized encryption algorithm and parameters.
And carrying out corresponding encryption operation on the sensitive data according to the encryption granularity specified in the encryption strategy, such as field-level encryption, line-level encryption, file-level encryption and the like.
Integrity verification is performed on the encrypted data and metadata associated with the encrypted data, such as encryption algorithms, key identification, IV, encryption time stamps, etc., are generated.
The encrypted metadata is associated with the encrypted data, such as storing the metadata in a file header, a separate metadata file, etc., and security management is performed on the encrypted metadata.
S5: and dynamically controlling the access authority to the encrypted file according to the identity authentication and authorization information of the user, so as to ensure that only the authorized user can access and decrypt the file.
And establishing a perfect user identity authentication mechanism comprising user name password authentication and biological characteristic authentication.
Before accessing the encrypted file, the user needs to verify the true identity through identity authentication.
Dynamically adjusting the access authority of the user, and updating the authorization information of the user in real time according to the behavior of the user, the change of the security policy and other factors; the access rights of the users are periodically checked and evaluated, unnecessary or expired rights are timely discovered and revoked, and the minimum rights principle is followed.
When the authorized user requests to access the encrypted file, firstly, the identity and the access authority of the user are verified, if the user passes the identity authentication and the authority verification, the corresponding encryption key is dynamically distributed according to the authorization information of the user, the user decrypts the encrypted file by using the obtained encryption key, and the file content is accessed and operated according to the access control strategy.
In the process of accessing the file by the user, continuously monitoring the behavior of the user to ensure that the user always follows an access control strategy and a safety regulation; the detailed log record is carried out on the process of accessing the encrypted file by the user, and the detailed log record comprises information such as user identity, access time, access content, operation type and the like.
And the access log is safely stored and managed, so that the log is prevented from being tampered or deleted, and the integrity and traceability of the log are ensured.
Dynamic access control on the file is realized, and the decryption authority of the file is adjusted according to the real-time behavior and the identity information of the user so as to cope with different access scenes and requirements.
The embodiment also provides a file encrypting device, which comprises: the user behavior analysis module is used for collecting and analyzing file operation behavior data of a user, including information such as file access frequency, time and size; the behavior pattern recognition module is used for constructing a model through a deep learning technology and carrying out pattern recognition and learning on file operation behaviors of the user so as to predict and recognize file access patterns and habits of the user; the sensitive data classification module is used for classifying and marking the data in the file according to the behavior pattern recognition result, and recognizing a data part with high sensitivity; the differential privacy protection module is used for marking and classifying sensitive data by using a differential privacy technology, ensuring the privacy and the safety of the data and keeping the anonymity of the data in the encryption process; the encryption strategy generation module is used for dynamically generating an encryption strategy according to the user behavior mode and the sensitive data classification result, and comprises the steps of selecting proper parameters such as an encryption algorithm, a key length, encryption strength and the like; and the file encryption module is used for encrypting the sensitive data in the file according to the generated encryption strategy so as to ensure the security and confidentiality of the data.
The embodiment also provides a computer device, which is applicable to the case of the file encryption method, and includes: a memory and a processor; the memory is configured to store computer executable instructions, and the processor is configured to execute the computer executable instructions to implement the file encryption method according to the foregoing embodiments.
The computer device may be a terminal comprising a processor, a memory, a communication interface, a display screen and input means connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
The present embodiment also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the file encryption method as set forth in the above embodiments; the storage medium may be implemented by any type or combination of volatile or nonvolatile Memory devices, such as static random access Memory (Static Random Access Memory, SRAM), electrically erasable Programmable Read-Only Memory (ELECTRICALLY ERASABLE PROGRAMMABLE READ-Only Memory, EEPROM), erasable Programmable Read-Only Memory (Erasable Programmable Read Only Memory, EPROM), programmable Read-Only Memory (PROM), read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk, or optical disk.
In summary, the invention realizes the monitoring and understanding of the user behavior through the analysis of the user file operation behavior, can accurately capture the operation habit and behavior pattern of the user, provides basic data for the subsequent encryption strategy generation, and is also beneficial to the detection and prevention of the abnormal behavior by the system; predicting future operation of the user according to the behavior habit of the user, so that an encryption strategy is formulated more intelligently; the user privacy is more accurately protected, the risk of data leakage is reduced, and the data security and confidentiality of the system are improved; the invention better adapts to the operation habit and the demand of the user, improves the intelligent level and the user experience of the encryption algorithm, and enhances the flexibility and the adaptability of the system.
Example 2
Referring to tables 1 and 2, experimental simulation data of the file encryption method are presented for the second embodiment of the present invention, in order to further verify the advancement of the present invention.
Firstly, a batch of data containing user file operation behaviors and file contents is collected and preprocessed, and the data is divided into a training set, a verification set and a test set.
According to the method described in the summary of the invention, a user behavior pattern recognition model is constructed by utilizing a deep learning technology, and the file access pattern and habit of the user are predicted based on the model; next, we classify the data in the file according to the user behavior pattern recognition result, identify the highly sensitive data portion, and dynamically generate the encryption policy.
The generated encryption strategy is used for carrying out encryption processing on sensitive data in the file, and the access authority of the encrypted file is dynamically controlled according to the identity authentication and authorization information of the user, and the specific details are shown in the following table:
TABLE 1 user behavior pattern recognition model parameter Table
| Experimental objects | Encryption time (seconds) | Decryption time (seconds) | CPU utilization (%) | Memory utilization (%) | Security scoring |
| Conventional encryption algorithm AES | 2.5 | 1.2 | 55 | 40 | 6 |
| The method of the invention | 2.0 | 1.1 | 50 | 35 | 9 |
By analyzing the table data, the invention realizes accurate identification and protection of the user behavior mode and the sensitive data by using a deep learning technology and a differential privacy technology; by using the dynamically generated encryption strategy, different files can be flexibly encrypted according to the user behavior mode and the sensitive data classification result, so that the safety and usability of the data are improved.
Table 2 differential privacy technique parameter table
| Sensitive data 1 | Sensitive data 2 | Sensitive data 3 | |
| Differential privacy noise | 0.05 | 0.06 | 0.04 |
In this table we record parameters of the differential privacy technique, including the magnitude of the differential privacy noise; these parameters are key to our realization of data protection and privacy protection, by adjusting these parameters we can preserve the usability of the data while protecting the data privacy.
Compared with the traditional file encryption method, the file encryption method adopts a deep learning technology and a differential privacy technology, and has higher data processing capacity and privacy protection capacity. While conventional file encryption methods generally simply encrypt files, our method dynamically generates encryption policies according to user behavior patterns and features of sensitive data, thereby more effectively protecting the privacy and security of the data.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.
Claims (10)
1. A method for encrypting a file, characterized by: comprising the following steps:
analyzing and learning file operation behaviors of a user by using a deep learning technology, constructing a user behavior pattern recognition model, and recognizing and predicting file access patterns and habits of the user;
Classifying the data in the file according to the behavior pattern recognition result of the user, and identifying a data part with high sensitivity;
dynamically generating an encryption strategy based on a behavior mode of a user and a sensitive data classification result;
encrypting sensitive data in the file by using the generated encryption strategy, and storing the encrypted file in a safe and reliable storage medium;
and dynamically controlling the access authority to the encrypted file according to the identity authentication and authorization information of the user, so as to ensure that only the authorized user can access and decrypt the file.
2. The file encryption method according to claim 1, wherein: the construction of the user behavior pattern recognition model comprises the following steps:
Dividing the preprocessed data into a training set, a verification set and a test set, and converting the data into an input format required by a model;
Is provided with Operating behavior characteristics of a user i on a file j, wherein i=1, 2,..n, represents a user number; j=1, 2,..m, represents a file number; /(I)The probability distribution vector of file access mode of the user i is represented by the following formula:
,
Wherein, Representing the operation behavior weight of the user i on the file j; s represents a normalization function for ensuring each probability/>Within the range of [0, 1 ]; Θ represents a parameter set of the user behavior pattern recognition model, which includes all bias terms; /(I)A personalized bias term representing user i.
3. The file encryption method according to claim 2, wherein: classifying the data in the file according to the behavior pattern recognition result of the user, and identifying the data part with high sensitivity comprises the following steps:
setting a regular expression recognition rule of the sensitive data, and matching and extracting sensitive information in the file;
scanning and matching file contents by using a preset sensitive data identification rule, and marking and classifying sensitive data by using a differential privacy technology to ensure the privacy and safety of the data;
marking and classifying sensitive data by utilizing a differential privacy technology;
and outputting the identified sensitive data in the file, the position information of the sensitive data and the desensitized data as a structured data format.
4. A file encryption method according to claim 3, characterized in that: the marking and classifying the sensitive data by utilizing the differential privacy technology comprises the following steps:
determining differential privacy parameters: including privacy budgets And sensitivity Δf;
Let D denote the original dataset, m the total number of sensitive data types, n the total number of data records, let L denote the data marking matrix of differential privacy, wherein each element represents the probability that the ith data record is marked as the jth sensitive data type;
Let C denote a differential privacy data classification matrix in which the elements Showing the probability that the ith data record is classified as the jth class, a formula is constructed:
,
,
Wherein, Representing differential privacy noise generated using the laplace mechanism for protecting the privacy of data markers and classifications.
5. The file encryption method according to claim 4, wherein: the marking and classifying the sensitive data using the differential privacy technique further includes:
The marking and classification results are evaluated, and the privacy protection effect and the data usability of the differential privacy mechanism are checked, wherein the method comprises the following steps:
privacy metric indexes under different parameter settings are calculated and compared in size, specifically as follows:
,
wherein T is a privacy metric index, The differential privacy parameter is used for controlling the addition amount of random noise; /(I)Is a differential privacy parameter and is used for controlling the probability of random noise; alpha, beta, gamma are regulating parameters;
If the evaluation result shows that the privacy protection effect or the data availability is not ideal, attempting to adjust parameters of the differential privacy mechanism, and re-evaluating.
6. The file encryption method according to claim 5, wherein: according to the user behavior pattern recognition model, analyzing the file operation behaviors of the user in real time, recognizing the behavior pattern of the user, and setting the risk level of the user behavior pattern;
the setting the risk level of the user behavior mode comprises the following steps:
If it is Exceeds a first threshold and the deviation term Θ i is greater than the historical deviation term mean and the particular behavior pattern/>If the frequency of occurrence of (2) exceeds the average frequency of occurrence, classifying it into a first risk level;
If it is Exceeds a first threshold, but the deviation term Θ i is greater than the historical deviation term mean, or a particular behavior pattern/>If the frequency of occurrence of (2) is lower than the average frequency of occurrence, classifying it into a second risk level;
Or (b) Is greater than or equal to a second threshold and less than a first threshold, and the deviation term Θ i is greater than the historical deviation term mean, and the specific behavior pattern/>If the frequency of occurrence of (2) exceeds the average frequency of occurrence, classifying it into a second risk level;
If it is Less than the second threshold, it is classified as a third risk level.
7. The file encryption method according to claim 6, wherein: the dynamically generating encryption policy includes:
Performing association analysis on the user behavior mode and the sensitive data classification result to determine which sensitive data are accessed or operated by the user in the specific behavior mode;
The encryption strategy is dynamically generated according to the user behavior mode and the sensitive data classification result, and the specific algorithm is as follows:
,
Wherein U represents a user behavior pattern; e represents a sensitive data classification result; g represents the access requirements for sensitive data in different behavior modes; k represents the sensitivity degree and protection requirement of the data; p represents the strength or level of the dynamic encryption policy generated.
8. A file encryption device based on the file encryption method according to any one of claims 1 to 7, characterized in that: comprising the following steps:
the user behavior analysis module is used for collecting and analyzing file operation behavior data of the user;
The behavior pattern recognition module is used for constructing a model through a deep learning technology, carrying out pattern recognition and learning on file operation behaviors of the user, and predicting and recognizing file access patterns and habits of the user;
The sensitive data classification module is used for classifying and marking the data in the file according to the behavior pattern recognition result, and recognizing a data part with high sensitivity;
The differential privacy protection module is used for marking and classifying sensitive data by using a differential privacy technology, ensuring the privacy and the safety of the data and keeping the anonymity of the data in the encryption process;
The encryption strategy generation module is used for dynamically generating an encryption strategy according to the user behavior mode and the sensitive data classification result;
and the file encryption module is used for encrypting the sensitive data in the file according to the generated encryption strategy so as to ensure the security and confidentiality of the data.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that: the steps of the file encryption method according to any one of claims 1 to 7 are implemented when the processor executes the computer program.
10. A computer-readable storage medium having stored thereon a computer program, characterized by: the computer program when executed by a processor implements the steps of the file encryption method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410390012.3A CN118013557B (en) | 2024-04-02 | 2024-04-02 | File encryption method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410390012.3A CN118013557B (en) | 2024-04-02 | 2024-04-02 | File encryption method and device, computer equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118013557A true CN118013557A (en) | 2024-05-10 |
| CN118013557B CN118013557B (en) | 2024-06-14 |
Family
ID=90952547
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410390012.3A Active CN118013557B (en) | 2024-04-02 | 2024-04-02 | File encryption method and device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118013557B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102143158A (en) * | 2011-01-13 | 2011-08-03 | 北京邮电大学 | Data anti-leakage method based on trusted platform module (TPM) |
| US20210319184A1 (en) * | 2020-04-11 | 2021-10-14 | Jefferson Science Associates, Llc | Recognition of sensitive terms in textual content using a relationship graph of the entire code and artificial intelligence on a subset of the code |
| CN115733681A (en) * | 2022-11-14 | 2023-03-03 | 贵州商学院 | Data security management platform for preventing data loss |
-
2024
- 2024-04-02 CN CN202410390012.3A patent/CN118013557B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102143158A (en) * | 2011-01-13 | 2011-08-03 | 北京邮电大学 | Data anti-leakage method based on trusted platform module (TPM) |
| US20210319184A1 (en) * | 2020-04-11 | 2021-10-14 | Jefferson Science Associates, Llc | Recognition of sensitive terms in textual content using a relationship graph of the entire code and artificial intelligence on a subset of the code |
| CN115733681A (en) * | 2022-11-14 | 2023-03-03 | 贵州商学院 | Data security management platform for preventing data loss |
Non-Patent Citations (1)
| Title |
|---|
| 李伟伟;张涛;林为民;马媛媛;邓松;时坚;汪晨;: "电力系统终端敏感数据保护研究与设计", 现代电子技术, no. 15, 1 August 2013 (2013-08-01) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118013557B (en) | 2024-06-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2017065070A1 (en) | Suspicious behavior detection system, information-processing device, method, and program | |
| CN112182519B (en) | Computer storage system security access method and access system | |
| US20160050205A1 (en) | Preventing unauthorized access to an application server | |
| Avalappampatty Sivasamy et al. | A dynamic intrusion detection system based on multivariate Hotelling’s T2 statistics approach for network environments | |
| Kundu et al. | Database intrusion detection using sequence alignment | |
| US11657899B2 (en) | Computing device | |
| Chan et al. | Discovering fuzzy association rule patterns and increasing sensitivity analysis of XML-related attacks | |
| CN100414554C (en) | Electronic data evidence obtaining method and system for computer | |
| Su et al. | Anomadroid: Profiling android applications' behaviors for identifying unknown malapps | |
| CN116962076A (en) | Zero trust system of internet of things based on block chain | |
| Amamra et al. | Generative versus discriminative classifiers for android anomaly‐based detection system using system calls filtering and abstraction process | |
| CN117332433A (en) | Data security detection method and system based on system integration | |
| Kim et al. | Byte frequency based indicators for crypto-ransomware detection from empirical analysis | |
| CN117171787B (en) | Access control method and system for special highway toll collection network mobile storage equipment | |
| CN117708880A (en) | Intelligent security processing method and system for banking data | |
| CN118013557B (en) | File encryption method and device, computer equipment and storage medium | |
| Ghasempour et al. | Permission extraction framework for android malware detection | |
| Nellikar | Insider threat simulation and performance analysis of insider detection algorithms with role based models | |
| Singh et al. | Trust factor-based analysis of user behavior using sequential pattern mining for detecting intrusive transactions in databases | |
| CN116702216A (en) | Multi-level access control method and device for real estate data | |
| CN116595502A (en) | User management method and related device based on intelligent contract | |
| Weng et al. | TLSmell: Direct Identification on Malicious HTTPs Encryption Traffic with Simple Connection-Specific Indicators. | |
| Duessel et al. | Tracing Privilege Misuse Through Behavioral Anomaly Detection in Geometric Spaces | |
| Rajadorai et al. | Data Protection and Data Privacy Act for BIG DATA Governance | |
| KR101660181B1 (en) | Apparatus and method for detecting suspicious behavior of insider based on chain rule method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |