A method and device for protecting user information based on dynamic desensitization strategies
The dynamic desensitization strategy addresses the limitations of static methods by adaptively protecting user information, reducing security risks and preserving data availability through scenario-aware desensitization.
Patent Information
- Authority / Receiving Office
- HK · HK
- Patent Type
- Applications
- Current Assignee / Owner
- BEIJING QINGSONG YIKANG INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2026-05-26
- Publication Date
- 2026-07-10
AI Technical Summary
Existing user information protection methods rely on static desensitization strategies that lack scenario adaptability, are vulnerable to reverse engineering, and cause excessive desensitization, leading to reduced data availability and security risks.
A dynamic desensitization strategy that uses a named entity recognition model to identify sensitive data, determines sensitivity scores through a sensitivity scoring algorithm, extracts scenario parameters with a risk quantification algorithm, and generates a target desensitization strategy via a dynamic desensitization generation algorithm to produce reversible desensitized data identifiers.
This approach enables adaptive desensitization strategies that reduce security risks from rule reverse engineering and excessive desensitization, while maintaining data availability and effectiveness.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
(19) State Intellectual Property Office (12) Invention Patent Application (10) Application Publication Number (43) Application Publication Date (21) Application Number 202511363477.0 (22) Application Date 2025.09.23 (71) Applicant Beijing Qingsong Yikang Information Technology Co., Ltd. Address Room 716, 7th Floor, Building 2, No. 28, Andingmen East Street, Dongcheng District, Beijing 100007 (72) Inventors Sun Hao, Huang Xiandong, Zhang Da, Gao Yushi (74) Patent Agency Beijing Huaxia Taihe Intellectual Property Agency Co., Ltd. 11662 Patent Attorney Zeng Jun (51) Int.Cl. G06F 21 / 62 (2013.01) G06F 40 / 295 (2020.01) G06F 21 / 60 (2013.01) (54) Invention Title: A User Information Protection Method and Apparatus Based on Dynamic Desensitization Strategy (57) Abstract: This application relates to the field of information security technology, specifically to a user information protection method and apparatus based on a dynamic desensitization strategy. This application determines sensitive data and its sensitivity score through a named entity recognition model and a sensitivity scoring algorithm, extracts scenario parameters and uses a risk quantification algorithm to determine the scenario risk score, then calls a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy, and finally uses this strategy to desensitize and generate a reversible desensitized data identifier. This series of steps realizes the dynamic generation of desensitization strategies according to different usage scenarios, overcoming the problem of lack of scenario adaptability caused by the rigidity of static desensitization strategies. At the same time, reversible desensitization reduces the security risk caused by the reverse engineering of rules, avoids excessive desensitization, and improves data availability. Claims 2 pages, Description 18 pages, Drawings 2 pages, CN 121278766 A 2026.01.06 CN 1 21 27 87 66 A 1. A user information protection method based on a dynamic desensitization strategy, characterized in that it includes: identifying sensitive data in user data to be processed through a named entity recognition model, and calling a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity degree of the data; extracting scene parameters of the current usage scenario of the user data, and calling a risk quantification algorithm to determine the scene risk score corresponding to the scene parameters, wherein the scene risk score is used to represent the risk degree of the current usage scenario; calling a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy for the sensitive data based on the scene risk score and the sensitivity score; using the target desensitization strategy to desensitize the sensitive data and generate a reversible desensitized data identifier. 2. The user information protection method based on a dynamic desensitization strategy according to claim 1, characterized in that, calling a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data includes determining the sensitive data in the following ways.Sensitivity score for each sensitive data: Query a predefined data type weight mapping table to obtain the data type weight corresponding to each sensitive data; Determine the usage frequency coefficient corresponding to each sensitive data based on the historical access count and total access count in the historical access logs of each sensitive data; Determine the leakage risk coefficient corresponding to each sensitive data based on the number of known leakage events, the total amount of similar data, and the severity weight of each sensitive data; Query a predefined compliance requirement coefficient mapping table to obtain the compliance requirement coefficient corresponding to each sensitive data based on the highest compliance requirement applicable to each sensitive data; Weight and sum the data type weight, usage frequency coefficient, leakage risk coefficient, and compliance requirement coefficient corresponding to each sensitive data using the sensitivity scoring algorithm to obtain the sensitivity score corresponding to each sensitive data. 3. The user information protection method based on dynamic desensitization strategy according to claim 1, characterized in that, calling the risk quantification algorithm to determine the scenario risk score corresponding to the scenario parameters includes: Processing the scenario parameters using decision tree rules to determine the risk coefficient corresponding to each scenario parameter; Weighting and summing the risk coefficients corresponding to all scenario parameters using the risk quantification algorithm to obtain the scenario risk score. 4. The user information protection method based on dynamic desensitization strategy according to claim 3, characterized in that, after obtaining the scenario risk score, the method further includes: detecting abnormal user behavior based on the isolated forest algorithm; when abnormal user behavior is detected, adjusting the scenario risk score according to a preset score adjustment rule, wherein the abnormal behavior includes: abnormal time access, frequent permission switching, large amount of data export, and cross-regional access. 5. The user information protection method based on dynamic desensitization strategy according to claim 1, characterized in that, a dynamic desensitization strategy generation algorithm is invoked to generate a target desensitization strategy for the sensitive data based on the scenario risk score and the sensitivity score, including determining the target desensitization strategy corresponding to each sensitive data in the sensitive data through the following methods: Invoking a comprehensive risk assessment algorithm to determine the comprehensive risk level corresponding to each sensitive data based on the scenario risk score and the sensitivity score corresponding to each sensitive data; Selecting a corresponding basic desensitization strategy from a predefined desensitization strategy rule base based on the data type corresponding to each sensitive data and the comprehensive risk level, wherein the desensitization strategy rule base defines basic desensitization strategies for desensitized data of different data types under different comprehensive risk levels; Based on the Q-Learning algorithm, the basic desensitization strategy is optimized and adjusted according to the characteristics of the current usage scenario to obtain an optimized desensitization strategy;The basic desensitization strategy and the optimized desensitization strategy are fused according to a preset fusion rule to obtain the target desensitization strategy. 6. The user information protection method based on a dynamic desensitization strategy according to claim 1, characterized in that the scenario parameters include user permissions, network environment type, access time, and data usage purpose; the user permissions include: temporary visitors, ordinary users, business employees, management personnel, and system administrators; the network environment type includes: public network, private network, and intranet; the access time includes: working hours, non-working hours, and holidays; the data usage purpose includes: statistical analysis, business processing, system maintenance, and data backup. 7. The user information protection method based on a dynamic desensitization strategy according to claim 1, characterized in that, after generating a reversible desensitized data identifier, the method further includes: encrypting the sensitive data to obtain ciphertext; mapping and storing the reversible desensitized data identifier and ciphertext corresponding to the sensitive data; and returning the reversible desensitized data identifier and the desensitization result. 8. A user information protection device based on a dynamic desensitization strategy, characterized in that it comprises: a sensitive data identification module, used to identify sensitive data in user data to be processed through a named entity recognition model, and call a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity level of the data; a risk level determination module, used to extract scenario parameters of the current usage scenario of the user data, and call a risk quantification algorithm to determine the scenario risk score corresponding to the scenario parameters, wherein the scenario risk score is used to represent the risk level of the current usage scenario; a desensitization strategy generation module, used to call a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy for the sensitive data based on the scenario risk score and the sensitivity score; and a data desensitization processing module, used to perform desensitization processing on the sensitive data using the target desensitization strategy and generate a reversible desensitized data identifier. 9. An electronic device comprising a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other via the communication bus, characterized in that: the memory is used to store a computer program; the processor is used to execute the steps of the user information protection method based on a dynamic de-identification strategy according to any one of claims 1 to 7 by running the computer program stored in the memory. 10. A computer-readable storage medium, characterized in that the storage medium stores a computer program, wherein the computer program is configured to execute the steps of the user information protection method based on a dynamic de-identification strategy according to any one of claims 1 to 7 when running. Claims 2 / 2 Page 3 CN 121278766 A User Information Protection Method and Apparatus Based on Dynamic De-identification Strategy Technical Field
[0001] This application relates to the field of information security technology, specifically to a user information protection method and device based on a dynamic desensitization strategy. Background Art
[0002] In the context of the digital age, user information protection faces severe challenges. Traditional static desensitization strategies process sensitive data through fixed rules (such as global field replacement or encryption). Although they can provide basic protection, their core defect is that they cannot dynamically adapt to the security needs of different scenarios. For example, the security levels of internal business analysis and third-party data sharing scenarios are significantly different. Static strategies lack scenario awareness and can only adopt a conservative "one-size-fits-all" desensitization approach, making it difficult to balance data availability and security.
[0003] Existing technologies attempt to optimize desensitization through hierarchical rules or simple condition judgments, but they still have essential limitations: on the one hand, fixed rules are easily reverse-engineered by attackers, and long-term use of the same pattern exposes data regularity; on the other hand, excessive desensitization seriously damages data value (such as the loss of regional and age information in ID card numbers after masking), and existing methods fail to establish a dynamic correlation between scenario characteristics and desensitization intensity, and cannot respond to real-time risk changes (such as high-risk access outside of working hours).
[0004] As can be seen, existing technologies suffer from problems such as the lack of scenario adaptability due to the rigidity of static desensitization strategies, the possibility of rules being reverse-engineered leading to security risks, and excessive desensitization reducing data availability. Summary of the Invention
[0005] The purpose of this application is to provide a user information protection method and apparatus based on a dynamic desensitization strategy to solve the problems of the lack of scenario adaptability due to the rigidity of static desensitization strategies, the possibility of rules being reverse-engineered leading to security risks, and excessive desensitization reducing data availability in existing technologies.
[0006] To achieve the above objectives, the technical solution adopted in this application is as follows: According to one aspect of the embodiments of this application, a user information protection method based on a dynamic desensitization strategy is provided, comprising: identifying sensitive data in user data to be processed through a named entity recognition model, and calling a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity of the data; extracting scene parameters of the current usage scenario of the user data, and calling a risk quantification algorithm to determine the scene risk score corresponding to the scene parameters, wherein the scene risk score is used to represent the risk level of the current usage scenario; calling a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy for the sensitive data based on the scene risk score and the sensitivity score; using the target desensitization strategy to desensitize the sensitive data and generate a reversible desensitized data identifier.
[0007] According to the above technical means, sensitive data and its sensitivity score are determined through a named entity recognition model and a sensitivity scoring algorithm, scene parameters are extracted and the scene risk score is determined using a risk quantification algorithm, then a target desensitization strategy is generated by calling a dynamic desensitization strategy generation algorithm, and finally the strategy is used to desensitize and generate a reversible desensitized data identifier. This series of stepsThis system enables dynamic generation of desensitization strategies based on different usage scenarios, overcoming the lack of scenario adaptability caused by the rigidity of static desensitization strategies. At the same time, reversible desensitization reduces the security risks caused by the reverse engineering of rules, avoids excessive desensitization, and improves data availability.
[0008] Further, the sensitivity scoring algorithm is invoked to determine the sensitivity score corresponding to the sensitive data, including determining the sensitivity score corresponding to each sensitive data in the sensitive data using the following formula: querying a predefined data type weight mapping table to obtain the data type weight corresponding to each sensitive data; determining the usage frequency coefficient corresponding to each sensitive data based on the historical access count and total access count in the historical access log of each sensitive data; determining the leakage risk coefficient corresponding to each sensitive data based on the number of known leakage events of each sensitive data, the total amount of similar data of each sensitive data, and the severity weight of each sensitive data; querying a predefined compliance requirement coefficient mapping table based on the highest compliance requirement applicable to each sensitive data to obtain the compliance requirement coefficient corresponding to each sensitive data; and weighting and summing the data type weight, usage frequency coefficient, leakage risk coefficient, and compliance requirement coefficient corresponding to each sensitive data using the sensitivity scoring algorithm to obtain the sensitivity score corresponding to each sensitive data.
[0009] According to the above technical means, the data type weight and compliance requirement coefficient are obtained by querying a predefined table, the usage frequency coefficient is determined by combining historical access logs, the leakage risk coefficient is determined based on leakage events, and finally the sensitivity score is obtained by weighted summation. This method can comprehensively consider multiple dimensions of sensitive data such as type, usage, leakage risk and compliance requirements, accurately assess its sensitivity, provide a reliable basis for subsequent targeted desensitization strategies, and effectively improve the effectiveness and rationality of user information protection.
[0010] Further, the risk quantification algorithm is called to determine the scenario risk score corresponding to the scenario parameters, including: using decision tree rules to process the scenario parameters, determining the risk coefficient corresponding to each scenario parameter; and using the risk quantification algorithm to weighted summation of the risk coefficients corresponding to all scenario parameters to obtain the scenario risk score.
[0011] According to the above technical means, firstly, the decision tree rules are used to process the scenario parameters to accurately determine the risk coefficient corresponding to each scenario parameter, which can fully explore the impact characteristics of different scenario parameters on risk; secondly, the risk quantification algorithm is used to weighted summation of all risk coefficients to obtain the scenario risk score, which can comprehensively, objectively and comprehensively measure the risk level of the current usage scenario. This helps to dynamically adjust the desensitization strategy according to the actual scenario risk, improve the adaptability of user information protection strategy to the scenario, and enhance the information protection effect.
[0012] Furthermore, after obtaining the scenario risk score, the method also includes: using the isolated forest algorithm to analyze user anomalies.Behavior is detected; when abnormal user behavior is detected, the scenario risk score is adjusted according to a preset score adjustment rule. Abnormal behavior includes: abnormal time access, frequent permission switching, large amount of data export, and cross-regional access.
[0013] According to the above technical means, after obtaining the scenario risk score, the isolated forest algorithm is used to effectively detect abnormal user behavior, which can capture potential security threats in the early stage; when abnormal behavior (such as abnormal time access) is detected, the scenario risk score is adjusted according to the preset rule, so that the score can more accurately reflect the current actual risk situation, thereby providing a more reliable basis for dynamically adjusting the desensitization strategy, enhancing the user information protection system's ability to respond to abnormal situations, and improving the security and effectiveness of information protection.
[0014] Further, a dynamic desensitization strategy generation algorithm is invoked to generate a target desensitization strategy for sensitive data based on the scenario risk score and sensitivity score. This includes determining the target desensitization strategy for each sensitive data in the sensitive data through the following methods: invoking a comprehensive risk assessment algorithm to determine the comprehensive risk level corresponding to each sensitive data based on the scenario risk score and the sensitivity score corresponding to each sensitive data; selecting a corresponding basic desensitization strategy from a predefined desensitization strategy rule library based on the data type and comprehensive risk level corresponding to each sensitive data, wherein the desensitization strategy rule library defines basic desensitization strategies for desensitized data of different data types under different comprehensive risk levels; optimizing and adjusting the basic desensitization strategy based on the Q-Learning algorithm according to the characteristics of the current usage scenario to obtain an optimized desensitization strategy; and fusing the basic desensitization strategy and the optimized desensitization strategy according to a preset fusion rule to obtain the target desensitization strategy.
[0015] Based on the above technical means, firstly, a comprehensive risk level is determined by combining a comprehensive risk assessment algorithm with scenario and sensitivity scoring, which can accurately measure the risk level of sensitive data in a specific scenario; secondly, a basic desensitization strategy is selected from the rule base according to the data type and risk level specification (page 2 / 18, CN 121278766 A) to ensure the standardization and adaptability of the strategy; then, the Q-Learning algorithm is used to optimize the basic strategy based on scenario characteristics to enhance the adaptability of the strategy to scenario changes; finally, the basic and optimized strategies are integrated to obtain the target desensitization strategy, realizing the comprehensive, accurate and dynamic generation of desensitization strategies, effectively improving the effect and flexibility of user information protection.
[0016] Further, scenario parameters include user permissions, network environment type, access time and data usage purpose; user permissions include: temporary visitors, ordinary users, business employees, management personnel and system administrators; network environment type includes: public network, private network and intranet; access time includes: working hours, non-working hours and holidays; data usage purpose includes: statistical analysis, business processing, system maintenance and data backup.
[0017] Based on the above technical means, the scenario parameters are clearly defined to cover user permissions, network environment type, access time, and data usage purpose, and each parameter category is further subdivided (e.g., user permissions are divided into five categories such as temporary visitors, and network environments are divided into three categories such as public networks). This detailed and comprehensive definition of scenario parameters can accurately depict the specific scenarios of data usage, providing rich and accurate basis for subsequent operations such as risk assessment and dynamic generation of desensitization strategies based on these parameters, thereby effectively improving the matching degree between user information protection strategies and actual scenarios, and enhancing the security and effectiveness of information protection.
[0018] Furthermore, after generating the reversible desensitized data identifier, the method also includes: encrypting the sensitive data to obtain ciphertext; mapping and storing the reversible desensitized data identifier and ciphertext corresponding to the sensitive data one by one; and returning the reversible desensitized data identifier and desensitization result.
[0019] According to the above technical means, after generating the reversible desensitized data identifier, the sensitive data is encrypted into ciphertext, which ensures the security of data storage and transmission and prevents data leakage; the reversible desensitized data identifier and the ciphertext are mapped and stored one by one, which facilitates subsequent accurate tracing and restoration of the original data and ensures the availability of the data; the reversible desensitized data identifier and the desensitization result are returned, which makes it convenient for users to understand the data desensitization situation, and realizes the comprehensive effect of improving the protection of user information while ensuring data security and taking into account data availability and manageability.
[0020] According to another aspect of the embodiments of this application, a user information protection device based on a dynamic desensitization strategy is also provided, comprising: a sensitive data identification module, configured to identify sensitive data in user data to be processed through a named entity recognition model, and call a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity of the data; a risk level determination module, configured to extract scenario parameters of the current usage scenario of the user data, and call a risk quantification algorithm to determine the scenario risk score corresponding to the scenario parameters, wherein the scenario risk score is used to represent the risk level of the current usage scenario; a desensitization strategy generation module, configured to call a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy for the sensitive data based on the scenario risk score and the sensitivity score; and a data desensitization processing module, configured to desensitize the sensitive data using the target desensitization strategy and generate a reversible desensitized data identifier.
[0021] According to another aspect of the embodiments of this application, an electronic device is also provided, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; wherein the memory is used to store a computer program; and the processor is used to execute the method steps of any of the above embodiments by running the computer program stored in the memory.
[0022] According to another aspect of the embodiments of this application, a computer-readable storage medium is also provided, the storage...The medium stores a computer program, which is configured to execute the method steps in any of the above embodiments at runtime.
[0023] The beneficial effects of this application: This application determines sensitive data and its sensitivity score through a named entity recognition model and a sensitivity scoring algorithm. It extracts scene parameters and uses a risk quantification algorithm to determine the scene risk score, then calls a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy, and finally uses the strategy to desensitize and generate a reversible desensitized data identifier. This series of steps realizes the dynamic generation of desensitization strategies according to different usage scenarios, overcomes the problem of lack of scene adaptability caused by the rigidity of static desensitization strategies, and at the same time, reversible desensitization reduces the security risk caused by the reverse cracking of rules, avoids excessive desensitization, and improves data availability. Brief Description of the Drawings
[0024] The accompanying drawings are incorporated in and constitute a part of this specification, illustrating embodiments consistent with this application, and together with the description, serve to explain the principles of this application.
[0025] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0026] Figure 1 is a schematic diagram of the hardware environment of an optional user information protection method based on a dynamic desensitization strategy provided in an embodiment of this application; Figure 2 is a flowchart of an optional user information protection method based on a dynamic desensitization strategy provided in an embodiment of this application; Figure 3 is a structural block diagram of an optional user information protection device based on a dynamic desensitization strategy provided in an embodiment of this application; Figure 4 is a structural block diagram of an optional electronic device provided in an embodiment of this application. Detailed Description
[0027] In order to enable those skilled in the art to better understand the solutions of this application, the technical solutions in the embodiments of this application will be clearly and completely described below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this application.
[0028] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover...The inclusion is not exclusive; for example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to these processes, methods, products, or devices.
[0029] According to one aspect of an embodiment of this application, a user information protection method based on a dynamic desensitization strategy is provided. Optionally, in this embodiment, the above-mentioned user information protection method based on a dynamic desensitization strategy can be applied to a hardware environment composed of a terminal and a server. The server is connected to the terminal through a network and can be used to provide services to the terminal or a client installed on the terminal. A database can be set up on the server or independently of the server to provide data storage services to the server.
[0030] The above-mentioned network may include, but is not limited to, at least one of the following: wired network, wireless network. The above-mentioned wired network may include, but is not limited to, at least one of the following: wide area network, metropolitan area network, local area network. The above-mentioned wireless network may include, but is not limited to, at least one of the following: WIFI (Wireless Fidelity), Bluetooth. The terminal is not limited to PCs, mobile phones, tablets, etc.
[0031] The user information protection method based on dynamic desensitization strategy in this application embodiment can be executed by a server, by a terminal, or by both a server and a terminal. The terminal executing the user information protection method based on dynamic desensitization strategy in this application embodiment can also be executed by a client installed on it.
[0032] Taking the execution of the user information protection method based on dynamic desensitization strategy in this embodiment by a server as an example, please refer to Figure 1. Figure 1 is a schematic diagram of the hardware environment of an optional user information protection method based on dynamic desensitization strategy provided in this application embodiment. As shown in Figure 1, the hardware environment of the user information protection method based on dynamic desensitization strategy includes: a terminal 102, and a server 104 connected to the terminal 102 via a network. The server 104 is used to deploy and execute the background program of the user information protection method based on dynamic desensitization strategy in this application embodiment, and to desensitize sensitive data in the user data to be processed; the terminal 102 is used to display the desensitized user data.
[0033] The user information protection method based on dynamic desensitization strategy in this embodiment can be applied to scenarios that require processing sensitive data, such as medical research, financial risk control, and e-commerce marketing. This embodiment uses an e-commerce marketing scenario as an example to illustrate the above-mentioned user information protection method based on dynamic desensitization strategy.
[0034] In the context of the digital age, user information protection faces severe challenges. Traditional static desensitization strategies process sensitive data through fixed rules (such as global field replacement or encryption), which can provide basic protection, but its core flaw lies in its inability to...Dynamically adapting to the security needs of different scenarios, such as the significant differences in security levels between internal business analysis and third-party data sharing scenarios, static strategies, lacking scenario awareness, can only adopt a conservative "one-size-fits-all" desensitization approach, making it difficult to balance data availability and security.
[0035] Existing technologies attempt to optimize desensitization through hierarchical rules or simple conditional judgments, but still have inherent limitations: on the one hand, fixed rules are easily reverse-engineered by attackers, and long-term use of the same pattern exposes data regularity; on the other hand, excessive desensitization seriously damages data value (e.g., ID numbers lose regional and age information after masking), and existing methods fail to establish a dynamic correlation between scenario characteristics and desensitization intensity, making it unable to respond to real-time risk changes (e.g., high-risk access outside of working hours).
[0036] It can be seen that existing technologies suffer from the following problems: the rigidity of static desensitization strategies leads to a lack of scenario adaptability, rules can be reverse-engineered causing security risks, and excessive desensitization reduces data availability. In e-commerce marketing scenarios, when the marketing department of an e-commerce platform needs to analyze user behavior profiles to plan promotional activities, directly using raw user data violates privacy policies, while traditional desensitization, if completely anonymized, will disrupt the user group's behavior patterns, rendering the analysis meaningless.
[0037] To solve the above problems, this embodiment provides a user information protection method based on a dynamic desensitization strategy running on the above-mentioned server. Please refer to Figure 2. Figure 2 is a flowchart of an optional user information protection method based on a dynamic desensitization strategy provided in this application embodiment. As shown in Figure 2, the user information protection method based on a dynamic desensitization strategy in this application embodiment specifically includes the following steps: Step S201: Identify sensitive data in the user data to be processed through a named entity recognition model, and call a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity of the data; Step S202: Extract the scenario parameters of the current usage scenario of the user data, and call a risk quantification algorithm to determine the scenario risk score corresponding to the scenario parameters, wherein the scenario risk score is used to represent the risk level of the current usage scenario; Step S203: Call a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy for the sensitive data based on the scenario risk score and the sensitivity score; Specification 5 / 18 pages 8 CN 121278766 A Step S204: Use the target desensitization strategy to desensitize the sensitive data and generate a reversible desensitized data identifier.
[0038] Through the above steps S201 to S204, sensitive data and its sensitivity score are determined by the named entity recognition model and sensitivity scoring algorithm, scene parameters are extracted and the scene risk score is determined by the risk quantification algorithm, then the dynamic desensitization strategy generation algorithm is called to generate the target desensitization strategy, and finally the strategy is used to desensitize and generate a reversible desensitized data identifier.This series of steps realizes the dynamic generation of desensitization strategies according to different usage scenarios, overcomes the problem of lack of scenario adaptability caused by the rigidity of static desensitization strategies, and at the same time, reversible desensitization reduces the security risks caused by the reverse engineering of rules, avoids excessive desensitization, and improves data availability.
[0039] The user information protection method based on dynamic desensitization strategy in this application embodiment will be explained below with reference to Figure 2.
[0040] In the technical solution of step S201, sensitive data in the user data to be processed is identified by the named entity recognition model, and the sensitivity scoring algorithm is called to determine the sensitivity score corresponding to the sensitive data.
[0041] In this embodiment, user data refers to user-related information obtained by the program or system, specifically covering multiple aspects: Basic identity-related information: including basic identity attributes such as name and gender, as well as the number information corresponding to various certificates.
[0042] Contact-related information: including various contact methods commonly used by users, such as mobile phone numbers, email addresses, etc.
[0043] Biometric-related information: involving biometric data such as fingerprints and facial features that can be used for identity recognition.
[0044] Financial information: including bank card number, various payment accounts, and financial status.
[0045] Health and medical information: such as medical records, allergy history, and other health-related information.
[0046] Behavioral trajectory information: covering GPS location data, browsing history, and other data that reflects the user's behavioral trajectory.
[0047] Social relationship information: including family member information, social network relationships, and other social relationship information.
[0048] For user data that cannot be directly identified as sensitive data, the program or system first performs format standardization processing on the input user information, removes redundant and invalid data, and establishes data indexes and metadata tags.
[0049] As an optional embodiment, the rules and processing methods for determining redundant and invalid data are as follows: duplicate spaces, tabs, and newlines are determined as format redundancy and cleaned up; duplicate records are deduplicated; duplicate primary key records are merged or deleted.
[0050] In this embodiment, some key information in the above-mentioned user-related information needs to meet certain format requirements, such as ID card number, mobile phone number, email address, and bank card number, which generally follow common format specifications, such as length requirements and specific starting numbers. It should be noted that in this embodiment, the specific verification algorithm is not specifically limited.
[0051] If some key information in the above-mentioned user-related information, such as ID card number, mobile phone number, email address, and bank card number, does not need to meet the format requirements, then the format is judged to be incorrect.
[0052] The following verifications or checks are judged to be logically incorrect if they fail: consistency check between age and date of birth; gender and parity check between ID card number; integrity and geographical location verification of address information; location of contact information.Matching with address information.
[0053] In this embodiment, sensitive data refers to sensitive data in user data. This sensitive data is identified by a BERT-based named entity recognition model according to predefined sensitive information categories. The predefined sensitive information categories include: identity identification (covering information that can identify identity such as name and ID number), contact information (including contact information such as telephone and email), financial information (including financial-related content such as bank card number and account information), biometrics (such as fingerprints, facial features, and other biometric data), and behavioral trajectory (including behavioral trajectory data such as location information and browsing history).
[0054] Sensitivity score S(d) is used to represent the sensitivity of the data. Based on each sensitivity score threshold, the data sensitivity is divided into different levels, for example: S(d)≥0.8: high sensitive data; 0.4≤S(d)<0.8: medium sensitive data; S(d)<0.4: low sensitive data. The sensitivity score serves as an important input parameter for comprehensive risk assessment, and together with the scenario risk assessment results, determines the final desensitization strategy level.
[0055] As an optional embodiment, the sensitivity scoring algorithm is invoked to determine the sensitivity score corresponding to sensitive data, including determining the sensitivity score corresponding to each sensitive data in the sensitive data through the following methods: querying a predefined data type weight mapping table to obtain the data type weight corresponding to each sensitive data; determining the usage frequency coefficient corresponding to each sensitive data based on the historical access count and total access count in the historical access log of each sensitive data; determining the leakage risk coefficient corresponding to each sensitive data based on the number of known leakage events of each sensitive data, the total amount of similar data of each sensitive data, and the severity weight of each sensitive data; querying a predefined compliance requirement coefficient mapping table based on the highest compliance requirement applicable to each sensitive data to obtain the compliance requirement coefficient corresponding to each sensitive data; and weighting and summing the data type weight, usage frequency coefficient, leakage risk coefficient, and compliance requirement coefficient corresponding to each sensitive data through the sensitivity scoring algorithm to obtain the sensitivity score corresponding to each sensitive data.
[0056] In this embodiment, the data type weight represents the importance of the sensitive data, and the data type weight mapping table predefines the data type weights corresponding to different sensitive information. Data type weights T(d) include, for example: ID card number: 0.9; biometrics: 0.85; bank card number: 0.8; mobile phone number: 0.6; name: 0.5; address: 0.4; IP address: 0.3; email address: 0.5, etc.
[0057] A frequency coefficient is used to represent the frequency of use or access to sensitive data. The higher the frequency of use or access, the greater the risk of leakage. This frequency coefficient can be based on the historical access count in the historical access logs of sensitive data.The total number of visits is determined by the following formula (1): F(d)=log(N+1) / log(M+1) (1) Wherein, F(d) represents the frequency coefficient, N represents the number of historical visits, and M represents the total number of visits. The value of F(d) is in the range of [0,1]. The higher the value of F(d), the greater the risk of leakage of the sensitive data.
[0058] The leakage risk coefficient is used to represent the magnitude of the leakage risk of sensitive data. The leakage risk coefficient is determined by the following formula (2) based on the number of known leakage events of sensitive data, the total amount of similar data of sensitive data, and the severity weight of sensitive data: R(d)=(n / m)×ω (2) Wherein, R(d) represents the leakage risk coefficient, n represents the number of known leakage events, m represents the total amount of similar data, and ω represents the severity weight. The severity weight is predefined according to the severity of the impact after the leakage of sensitive data. The severity weight ω is: slight = 1, moderate = 2, severe = 3, very severe = 4, extremely severe = 5.
[0059] Compliance requirements are used to indicate whether sensitive data complies with policies, regulations, or industry internal standards. The compliance requirement coefficient mapping table predefines the compliance requirement coefficients corresponding to different sensitive information. For example, the compliance requirement coefficient C(d) is: GDPR requirement: 1.0; domestic cybersecurity law: 0.8; industry standard requirement: 0.6; internal company regulations: 0.4.
[0060] In this embodiment, the data type weight, usage frequency coefficient, leakage risk coefficient, and compliance requirement coefficient corresponding to each sensitive data are weighted and summed using a sensitivity scoring algorithm to obtain the sensitivity score corresponding to each sensitive data. The sensitivity scoring algorithm is described by the following formula (3), including: S(d)=α×T(d)+β×F(d)+γ×R(d)+δ×C(d) (3) Wherein, α, β, γ, and δ are weight parameters and satisfy α+β+γ+δ=1, S(d) is the sensitivity score, T(d) is the data type weight, F(d) is the usage frequency coefficient, R(d) is the leakage risk coefficient, and C(d) is the compliance requirement coefficient. Specification 7 / 18 pages 10 CN 121278766 A
[0061] It can be understood that the data type weight and compliance requirement coefficient are obtained by querying a predefined table, the usage frequency coefficient is determined by combining historical access logs, the leakage risk coefficient is determined based on leakage events, etc., and finally the sensitivity score is obtained by weighted summation. This approach can comprehensively consider multiple dimensions of sensitive data, such as type, usage, leakage risk, and compliance requirements, to accurately assess its sensitivity and provide a reliable basis for subsequent targeted desensitization strategies, effectively improving the effectiveness and rationality of user information protection.
[0062] In the technical solution of step S202, the scenario parameters of the current usage scenario of the user data are extracted, and a risk quantification algorithm is called to determine the scenario risk score corresponding to the scenario parameters.
[0063] In this embodiment, the scenario parameters include user permissions, network environment type, access time, and data usage purpose; user permissions include: temporary visitors, ordinary users, business employees, management personnel, and system administrators; network environment type includes: public network, private network, and intranet; access time includes: working hours, non-working hours, and holidays; data usage purpose includes: statistical analysis, business processing, system maintenance, and data backup.
[0064] As an optional embodiment, the risk quantification algorithm is called to determine the scenario risk score corresponding to the scenario parameters, including: processing the scenario parameters using decision tree rules to determine the risk coefficient corresponding to each scenario parameter; and weighting and summing the risk coefficients corresponding to all scenario parameters using the risk quantification algorithm to obtain the scenario risk score.
[0065] In this embodiment, the risk coefficient values and quantifications corresponding to each scenario parameter are different, and the risk coefficients of each scenario parameter are specifically defined and quantified in advance. For example: User-dimensional permission levels correspond to permission risks P, the risk coefficient of which cannot be directly obtained: P=1: Temporary visitors (external users, temporary accounts); P=2: Ordinary users (registered users, basic permissions); P=3: Business employees (internal employees, business operation permissions); P=4: Management personnel (department heads, management permissions); P=5: System administrators (IT operations and maintenance, highest permissions).
[0066] Environment-dimensional network security levels correspond to network risks N, the risk coefficient of which cannot be directly obtained: Public network: direct access via the Internet, security level = 1; Private network: access via VPN or dedicated line, security level = 2; Internal network: physically isolated internal network, security level = 3.
[0067] Time-dimensional access time corresponds to time risk T, the basic risk coefficients of which are as follows: Working hours: 8:00-18:00, risk coefficient = 0.2; Non-working hours: 18:00-8:00, risk coefficient = 0.8; Holidays: statutory holidays, risk coefficient = 1.0.
[0068] The objective dimension uses the objective risk U, and its basic risk coefficients are as follows: Statistical analysis: data mining, report generation, risk coefficient = 0.9; Business processing: daily business operations, risk coefficient = 0.3; System maintenance: operation and maintenance management operations, risk coefficient = 0.1; Data backup: system backup operations, risk coefficient = 0.2.
[0069] In some complex scenarios, decision tree rules can be used to preprocess discrete scenario features and convert them into standardized risk coefficients. For example, decision tree rules are: IF(P≤2 AND N=public network) THEN P_risk=1.0, N_risk=1.0 ELSE IF(P≤3 AND U=statistical analysis) THENP_risk=0.7, U_risk=0.9 ELSE IF(P≥4 AND N=internal network AND T=working time) THEN P_risk=0.2, N_risk=0.1, T_risk=0.2 ELSE P_risk=0.5, N_risk=0.5, T_risk=0.5, U_risk=0.5.
[0070] Supplementary explanation of risk coefficient values: In scenarios that meet a certain IF condition (e.g., P≤2 and N=public network), one or more undefined risk coefficients (e.g., T_risk and U_risk) can be handled in two ways: Default ignore strategy: These risk coefficients are directly set to 0. For example, when P≤2 and N=public network, both T_risk and U_risk are set to 0, indicating that there is no need to focus on the risks of time (T) and purpose (U) dimensions in this scenario; Dynamic adaptation strategy: Values are dynamically assigned according to the actual scenario characteristics. For example, when P≤2 and N=public network, and the scenario simultaneously meets "working time" and "statistical analysis", T_risk can be set to 0.2 (reflecting working time risk) and U_risk can be set to 0.9 (highlighting statistical analysis purpose risk) in combination with other rules.
[0071] It can be understood that this dual-mode design not only ensures parameter simplification in basic scenarios but also supports refined risk assessment in complex scenarios, improving the scalability and practicality of decision tree rules.
[0072] In this embodiment, the risk quantification algorithm is described by the following formula (4), including: Risk_Score=w1×P_risk+w2×N_risk+w3×T_risk+w4×U_risk (4) Wherein, Risk_Score is the scenario risk score, P_risk is the permission risk coefficient, N_risk is the network risk coefficient, T_risk is the time risk coefficient, U_risk is the purpose risk coefficient, w1, w2, w3 and w4 are the weight parameters corresponding to each risk value, and satisfy w1+w2+w3+w4=1. In specific practice, the weight parameters are set as follows: w1=0.4 (permission risk weight is the highest), w2=0.3 (network environment weight is the second highest), w3=0.1 (time dimension weight is the lowest), w4=0.2 (purpose weight is the middle).
[0073] The scenario risk score is used to represent the risk level of the current usage scenario. Based on the risk scoring thresholds for each scenario, scenario risks are divided into different levels. For example, Risk_Score ≥ 0.7 indicates high scenario risk, 0.3 ≤ Risk_Score < 0.7 indicates medium scenario risk, and Risk_Score < 0.3 indicates low scenario risk.
[0074] According to the above technical means, the scenario parameters are first processed using decision tree rules to accurately determine each scenario parameter.The corresponding risk coefficients can fully explore the impact characteristics of different scenario parameters on risk; secondly, by using a risk quantification algorithm to weight and sum all risk coefficients to obtain a scenario risk score, the risk level of the current usage scenario can be comprehensively, objectively and comprehensively measured. This helps to dynamically adjust the desensitization strategy according to the actual scenario risk, improve the adaptability of user information protection strategy to the scenario, and enhance the information protection effect.
[0075] It is understood that clearly defining scenario parameters covers user permissions, network environment type, access time and data usage purpose, and further subdividing each parameter category (such as user permissions divided into five categories such as temporary visitors, network environment divided into three categories such as public network, etc.). This detailed and comprehensive definition of scenario parameters can accurately depict the specific scenario of data usage, providing rich and accurate basis for subsequent risk assessment and dynamic generation of desensitization strategies based on these parameters, thereby effectively improving the matching degree between user information protection strategy and actual scenario, and enhancing the security and effectiveness of information protection.
[0076] As an optional embodiment, after obtaining the scenario risk score, the method further includes: detecting abnormal user behavior based on the isolated forest algorithm; when abnormal user behavior is detected, adjusting the scenario risk score according to a preset score adjustment rule, wherein abnormal behavior includes: abnormal time access, frequent permission switching, large amount of data export, and cross-regional access. Specification 9 / 18 pages 12 CN 121278766 A
[0077] In this embodiment, abnormal access behavior detection is performed based on the isolated forest algorithm, and an abnormal threshold θ=0.6 is set. When the score of the access behavior is greater than θ, the risk level is automatically increased by one level.
[0078] The abnormal threshold θ=0.6 refers to the score threshold that limits abnormal access behavior. When the score of the user's access behavior exceeds 0.6, the system considers the user's access behavior to be abnormal and that there is an abnormal access pattern. Abnormal behavior includes: abnormal time access, frequent permission switching, large amount of data export, cross-regional access, etc.
[0079] When the access behavior score > 0.6, an additional risk value of 0.2 is added to the original scenario risk score Risk_Scor-old. That is, when the access behavior score > 0.6, the adjusted scenario risk score Risk_Score-new = Risk_Score-old + 0.2.
[0080] It can be understood that after obtaining the scenario risk score, the isolated forest algorithm can effectively detect abnormal user behavior and capture potential security threats in the early stages. When abnormal behavior (such as abnormal access time) is detected, the scenario risk score is adjusted according to preset rules so that the score can more accurately reflect the current actual risk situation, thereby providing a more reliable basis for dynamically adjusting the desensitization strategy, enhancing the user information protection system's ability to respond to abnormal situations, and improving the security and effectiveness of information protection.
[0081] In the technical solution of step S203, a dynamic desensitization strategy generation algorithm is called to generate a target desensitization strategy for sensitive data based on the scenario risk score and sensitivity score.
[0082] As an optional embodiment, the target desensitization strategy corresponding to each sensitive data is determined in the following way: a comprehensive risk assessment algorithm is called to determine the comprehensive risk level corresponding to each sensitive data based on the scenario risk score and the sensitivity score corresponding to each sensitive data; based on the data type and comprehensive risk level corresponding to each sensitive data, a corresponding basic desensitization strategy is selected from a predefined desensitization strategy rule library, wherein the desensitization strategy rule library defines the basic desensitization strategies for desensitized data of different data types under different comprehensive risk levels; based on the Q-Learning algorithm, the basic desensitization strategy is optimized and adjusted according to the characteristics of the current usage scenario to obtain an optimized desensitization strategy; the basic desensitization strategy and the optimized desensitization strategy are fused according to a preset fusion rule to obtain the target desensitization strategy.
[0083] In this embodiment, the comprehensive risk level is to comprehensively assess the data sensitivity and scenario risk and calculate the final risk level.
[0084] The comprehensive risk assessment is described by the following formula (5): Final_Risk_Score=ε×S(d)+ζ×Risk_Score+η×Interaction_Factor (5) Wherein, ε+ζ+η are the comprehensive assessment weight parameters and satisfy ε+ζ+η=1, S(d) represents the data sensitivity score, Risk_Score represents the scenario risk score, and Interaction_Factor represents the interaction between data sensitivity and scenario risk.
[0085] In practice, the data sensitivity weight parameter ε=0.3, the scenario risk weight parameter ζ=0.6, and the interaction factor weight parameter η=0.1.
[0086] The interaction effect is determined by the following formula (6): Interaction_Factor=S(d)×Risk_Score (6).
[0087] Based on various comprehensive risk score thresholds, the final comprehensive risk is divided into different levels. For example: Final_Risk_Score ≥ 0.85 is extremely high risk, 0.7 ≤ Final_Risk_Score < 0.85 is high risk, 0.4 ≤ Final_Risk_Score < 0.7 is medium risk, and Final_Risk_Score < 0.4 is low risk.
[0088] In this embodiment, the desensitization strategy rule base defines the basic desensitization strategies for desensitized data of different data types under different comprehensive risk levels. The desensitization method mapping table in the desensitization strategy rule base can select the corresponding basic desensitization method according to the data type and comprehensive risk level. For example: Specification 10 / 18 pages 13 CN 121278766 AID number desensitization: Extremely high risk and high risk: AES256 encryption, completely irreversible; Medium risk: SHA256 hash, maintaining uniqueness; Low risk: Format-preserving mask (1101011234); Mobile phone number desensitization: Extremely high risk and high risk: Randomly replaced with virtual numbers; Medium risk: Middle 4 digits masked (1385678); Low risk: Middle 3 digits masked (138**5678); Name desensitization: Extremely high risk and high risk: Completely replaced with random names; Medium risk: Surname retained, name replaced with "Moumou"; Low risk: First letter retained, the rest replaced with ""; Address desensitization: Extremely high risk and high risk: Region generalized to the city level; Medium risk: Street-level generalization, house number hidden; Low risk: House number masked; Email address desensitization: Extremely high risk and high risk: Completely replaced with system-generated email; Medium risk: Domain name retained, username part masked (u***@domain.com); Low risk: Middle part of username masked (user***@domain.com); Bank card number desensitization: Extremely high risk and high risk: AES256 encrypted storage; Medium risk: First 4 digits and last 4 digits retained (1234********5678); Low risk: First 6 digits and last 4 digits retained (12,3456****5678); IP address desensitization: Extremely high risk and high risk: Randomly replaced with virtual IP; Medium risk: Network segment retained, host bit masked (192.168..); Low risk: Last 8 digits masked (192.168.1.*); GPS coordinate desensitization: Extremely high risk and high risk: Region generalized to the city-level center point; Medium risk: Precision reduced to the 100-meter level; Low risk: Precision reduced to the 10-meter level; Biometric desensitization: Extremely high risk and high risk: Irreversible hashing; Medium risk: Feature dimensionality reduction, main features retained; Low risk: Gaussian noise added; Timestamp desensitization: Extremely high risk and high risk: Time period generalization (accurate to days); Medium risk: Accurate to hours; Low risk: Accurate to minutes.
[0089] The specific implementation of the desensitization methods for each of the above data is not specifically limited in this embodiment. Please refer to the relevant technical content.
[0090] It can be understood that in this embodiment, hierarchical desensitization is achieved by using different intensity desensitization methods for the same type of data according to the combination of risk level and data sensitivity. This not only uses different methods for different data types, but also uses corresponding levels of desensitization processing for the same data type in different risk scenarios, achieving refined privacy protection.
[0091] In this embodiment, the Q-Learning algorithm is used to optimize the strategy to obtain an optimized desensitization strategy. Its state space S = {data type, comprehensive risk level, usage scenario, data sensitivity}, action space A = {desensitization method 1, desensitization method 2,..., desensitization method n}, reward function R = λ × data availability - μ × privacy leakage risk, where λ and μ are weight parameters,The learning rate is 0.1 and the discount factor is 0.9.
[0092] In this embodiment, the basic desensitization strategy and the optimized desensitization strategy are fused according to the preset fusion rules to obtain the target desensitization strategy. The target desensitization strategy is a strategy object that includes information such as desensitization method, parameter configuration, and intensity level. The preset fusion rules include: selecting a safer strategy when there is uncertainty; determining the degree of adoption based on confidence level; fine-tuning key parameters; and ensuring the executability of the strategy. The structure of the target de-identification strategy's policy object is as follows: { "method":"De-identification method name", "strength":"De-identification strength value [0-1]", "parameters":{ "key_length":"Encryption key length", "mask_pattern":"Mask pattern", "noise_level":"Noise level", "generalization_level":"Generalization level"}, "metadata":{ "confidence":"Policy confidence", "source":"Policy source (rule / ml / hybrid)", "timestamp":"Generation timestamp", "version":"Policy version number"}} It is understandable that, firstly, by combining the comprehensive risk assessment algorithm with scenario and sensitivity scoring to determine the comprehensive risk level, the risk level of sensitive data in a specific scenario can be accurately measured; secondly, based on the data type and risk level, a basic desensitization strategy is selected from the rule base to ensure the standardization and adaptability of the strategy; then, the Q-Learning algorithm is used to optimize the basic strategy based on scenario characteristics to enhance the adaptability of the strategy to scenario changes; finally, the basic and optimized strategies are integrated to obtain the target desensitization strategy, realizing the comprehensive, accurate and dynamic generation of desensitization strategies, effectively improving the effect and flexibility of user information protection.
[0093] In the technical solution of step S204, the target desensitization strategy is used to desensitize sensitive data and generate a reversible desensitized data identifier.
[0094] In order to better illustrate the sensitive data desensitization method in this embodiment, the following is a specific explanation based on the following ID card data. The ID card data to be anonymized is as follows: data={ "type":"ID card number", "value":"110101198001011234", "sensitivity":0.9, "format":"18-digit numeric string"} final_risk_level="extremely high risk" scenario={ "user_permission":2,#ordinary user"network_env":"public network",The ID card data to be anonymized is "110101198001011234", with a sensitivity score of 0.9 and a scenario risk score of 0.8 (extremely high risk). AES256 encryption was ultimately used for anonymization, and the final anonymization result is as follows: { "method":"AES256_ENCRYPTION", "strength":0.95, "parameters":{ Manual 12 / 18 Page 15 CN 121278766 A "key_length":256, "salt_length":32, "iteration_count":10000}, "metadata":{"confidence":0.87, "source":"hybrid", "timestamp":"2024-12-01T10:30:00Z"}}.
[0095] As an optional embodiment, after generating the reversible desensitized data identifier, the method further includes: encrypting the sensitive data to obtain ciphertext; mapping and storing the reversible desensitized data identifier and ciphertext corresponding to the sensitive data; and returning the reversible desensitized data identifier and the desensitization result.
[0096] In this embodiment, the reversible desensitized data identifier is used to recover sensitive data that has already undergone desensitization processing.
[0097] After generating the reversible desensitized data identifier, the system also provides a secure and controllable data recovery mechanism. This mechanism ensures that authorized personnel can restore the original sensitive data only under strict conditions. The prerequisites for data recovery include: 1) Permission requirements: the user's permission level must reach level 4 (administrator) or above; 2) Identity authentication: three-factor authentication based on username and password, dynamic OTP password, and biometrics (such as fingerprint or facial recognition) is required; 3) Business approval: written confirmation from the business supervisor is required; 4) Compliance check: it must be confirmed that the recovery operation complies with the requirements of data protection regulations such as GDPR and cybersecurity laws.
[0098] The specific steps for data recovery include: Submitting a recovery application: The applicant needs to fill out a data recovery application form, detailing the business reasons, necessity, scope of data use, duration, and designated access personnel.
[0099] Multi-level permission verification: The system performs permission checks based on the RBAC (Role-Based Access Control) model, requiring approval confirmation from the business supervisor, authorization confirmation from the system administrator, and approval confirmation from compliance review in sequence.
[0100] Multi-factor authentication: The system verifies the authenticity of the applicant's identity to prevent permission theft and impersonation, and fully records the authentication process and results.
[0101] Data location and decryption: The system searches for the corresponding encrypted data in the mapping table using a reversible desensitized data identifier (fingerprint).The data is encrypted_data=mapping_table[fingerprint]. Then, the corresponding decryption key is obtained from the key management system: decryption_key=key_management_system.get_key(fingerprint). Finally, the AES256 algorithm is used to decrypt original_data=AES256_decrypt(encrypted_data,decryption_key) to restore the original data.
[0102] Access control and monitoring: Set the access validity period for the restored plaintext data (default is 24 hours) and monitor its usage in real time, recording all access and operation behaviors.
[0103] Audit log: Record a complete recovery operation log, including information such as time, operator, recovery reason, data range, etc., forming a traceable audit chain.
[0104] Timely cleanup mechanism: After the access validity period expires, the system automatically cleans up the restored plaintext data, while retaining the operation audit log and updating the data access status flag. It is understandable that after generating the reversible desensitized data identifier, the sensitive data is encrypted into ciphertext, which ensures the security of data storage and transmission and prevents data leakage; the reversible desensitized data identifier and the ciphertext are mapped one-to-one and stored, which facilitates subsequent accurate tracing and restoration of the original data and ensures data availability; the reversible desensitized data identifier and desensitization result are returned, which makes it convenient for users to understand the data desensitization situation, and achieves the comprehensive effect of ensuring data security while taking into account data availability and manageability, thereby improving the protection of user information.
[0105] It should be noted that, for the foregoing method embodiments, for the sake of simplicity, they are all described as a series of action combinations, but those skilled in the art should know that this application is not limited to the described order of actions, because according to this application, some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
[0106] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods according to the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM (Read-Only Memory) / RAM (Random Access Memory)).The device (such as a mobile phone, computer, server, or network device) includes several instructions to cause a terminal device (such as a mobile phone, computer, server, or network device, etc.) to execute the methods of various embodiments of this application.
[0107] According to another aspect of the embodiments of this application, a user information protection device based on a dynamic desensitization strategy for implementing the above-described user information protection method based on a dynamic desensitization strategy is also provided. Please refer to Figure 3, which is a structural block diagram of an optional user information protection device based on a dynamic desensitization strategy provided in an embodiment of this application. As shown in Figure 3, the user information protection device 300 based on a dynamic desensitization strategy may include: a sensitive data identification module 301, used to identify sensitive data in the user data to be processed through a named entity recognition model, and call a sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity of the data; a risk level determination module 302, used to extract the scenario parameters of the current usage scenario of the user data, and call a risk quantification algorithm to determine the scenario risk score corresponding to the scenario parameters, wherein the scenario risk score is used to represent the risk level of the current usage scenario; a desensitization strategy generation module 303, used to call a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy for the sensitive data based on the scenario risk score and the sensitivity score; and a data desensitization processing module 304, used to desensitize the sensitive data using the target desensitization strategy and generate a reversible desensitized data identifier.
[0108] It should be noted that the sensitive data identification module 301 in this embodiment can be used to execute the above step S201, the risk level determination module 302 in this embodiment can be used to execute the above step S202, the desensitization strategy generation module 303 in this embodiment can be used to execute the above step S203, and the data desensitization processing module 304 in this embodiment can be used to execute the above step S204.
[0109] Regarding the user information protection device based on dynamic desensitization strategy in this embodiment, the specific manner in which the sensitive data identification module 301, risk level determination module 302, desensitization strategy generation module 303, and data desensitization processing module 304 execute the above-mentioned user information protection method based on dynamic desensitization strategy has been described in detail in the embodiments related to the user information protection method based on dynamic desensitization strategy, and will not be elaborated here.
[0110] It is understood that the technical solution provided in this embodiment, in the user information protection device based on dynamic desensitization strategy, each module determines sensitive data and its sensitivity score through named entity recognition model and sensitivity scoring algorithm, extracts scene parameters and determines scene risk score using risk quantification algorithm, then calls dynamic desensitization strategy generation algorithm to generate target desensitization strategy, and finally uses the strategy to desensitize and generate reversible desensitized data identifier. This series of steps achievesDynamically generating desensitization strategies based on different usage scenarios overcomes the problem of lack of scenario adaptability caused by the rigidity of static desensitization strategies. At the same time, reversible desensitization reduces the security risks caused by the reverse engineering of rules, avoids excessive desensitization, and improves data availability.
[0111] In this embodiment, the user information protection device 300 based on dynamic desensitization strategies also includes an access management and auditing module. This module is the security core of the system and mainly undertakes the following functions: Access control core: Ensures that only strictly authorized users can access the desensitization system and perform operations, preventing data leakage risks caused by unauthorized access.
[0112] Risk assessment input: Uses the user's permission level as an important input parameter for the generation of dynamic desensitization strategies, which directly affects the desensitization intensity.
[0113] Strategy execution basis: Automatically adjusts the desensitization degree according to the user's real-time permission level to achieve identity-based dynamic access control.
[0114] Compliance guarantee mechanism: Meets the mandatory requirements of domestic and foreign data protection regulations for access control and operation auditing.
[0115] Security monitoring center: Monitors abnormal user access behavior in real time and provides data support for the anomaly detection module.
[0116] Accountability Guarantee: Complete audit logs ensure that all sensitive data operations are traceable to the specific responsible party.
[0117] The implementation of this access control and audit module includes: Multi-factor authentication process: Strong authentication is performed by combining username and password, time-based OTP dynamic password (TOTP), and biometric recognition (fingerprint or face), and user role permissions are confirmed based on the RBAC model.
[0118] Audit log design: Audit logs record basic information (timestamp, user ID, session ID, IP address), operation information (operation type, data type, access scope), security information (de-identification level, risk score, authentication method), and result information (operation result, anomaly marker, response time) for all key operations.
[0119] To further optimize and evaluate the de-identification effect, the user information protection device 300 based on the dynamic de-identification strategy also includes a de-identification effect evaluation module. This module quantifies and evaluates anonymized data using the following methods: Data usability assessment: Format preservation: format_preservation = 1 - |original_format - masked_format|, Statistical feature preservation: stat_preservation = 1 - |original_stats - masked_stats|, Functionality integrity: function_integrity = successful_operations / total_operations; Privacy protection effectiveness assessment:Re-identification risk: re_identification_risk = successful_attacks / total_attacks, Information leakage rate: information_leakage = mutual_information(original,masked), Differential privacy parameter: Ensure that υ differential privacy is met, usually requiring υ≤1.
[0120] The de-identification effect evaluation module uses a trained machine learning model for automated evaluation. The training data of the model consists of 50,000 positive samples (successfully de-identified data pairs) and 20,000 negative samples (de-identification failure cases). The feature vector includes data type encoding (10 dimensions), de-identification method encoding (15 dimensions), statistical feature retention (5 dimensions), and format features (8 dimensions). The model adopts a deep neural network architecture: input layer (38-dimensional) → fully connected layer (256 nodes, ReLU activation) → Dropout (0.3) → fully connected layer (128 nodes, ReLU activation) → Dropout (0.2) → fully connected layer (64 nodes, ReLU activation) → output layer (1 node, Sigmoid activation). It is trained using the Adam optimizer and the binary cross-entropy loss function, and uses 5-fold cross-validation to ensure stability. Evaluation metrics include precision, recall, F1-Score, AUC-ROC, and AUC-PR, and are comprehensively verified through offline evaluation, online A / B testing, expert evaluation, and adversarial testing.
[0121] Finally, the user information protection device 600 based on the dynamic desensitization strategy also realizes the continuous self-evolution of the desensitization strategy through a strategy optimization feedback module. This module mainly adopts two methods: Genetic algorithm optimization: the population size is set to 100, the crossover probability is 0.8, the mutation probability is 0.01, and the evolution is 500 generations. Its fitness function is defined as f=w1*privacy_score+w2*utility_score, where the privacy score is calculated based on the risk of re-identification and the degree of information leakage, and the utility score is calculated based on the format preservation and functional integrity (the weights are usually set to w1=0.6, w2=0.4). The algorithm adaptively adjusts the parameters according to the evaluation results and uses the NSGA-II algorithm to handle the multi-objective optimization problem and find the Pareto optimal solution.
[0122] A / B testing framework: users are randomly assigned to the control group (using the original strategy) or the experimental group (using the new strategy) through a hash function to ensure sample balance and stratified randomization. The new strategy adopts a gray release mode, gradually expanding from 5% of users toFull deployment. Key indicators such as re-identification success rate, information leakage, and business function integrity are monitored, and statistical methods such as two-sample t-test and chi-square test are used to verify the effectiveness of the new strategy. Finally, a weighted decision matrix (considering privacy protection effect 40%, re-identification risk 20%, data availability 20%, system performance 10%, and implementation cost 10%) is used to select the optimal strategy with the highest comprehensive score and controllable risk for full deployment.
[0123] Through the above implementation methods, the present invention not only realizes dynamic desensitization processing of sensitive data, but also constructs a complete closed-loop system for user information protection, including secure recovery, strict auditing, effect evaluation, and continuous optimization, significantly improving the balance between data security and availability. In addition to the modules described above, the device in this embodiment may also include modules that execute any method in any of the aforementioned embodiments of user information protection methods based on dynamic desensitization strategies.
[0124] It should be noted that the examples and application scenarios implemented by the above modules and corresponding steps are the same, but are not limited to the content disclosed in the above embodiments. It should be noted that the above-mentioned module, as part of the device, can run in the hardware environment that implements the method shown in FIG1. It can be implemented by software or by hardware, wherein the hardware environment includes a network environment.
[0125] According to another aspect of the embodiments of this application, an electronic device for implementing the above-mentioned user information protection method based on dynamic desensitization strategy is also provided. The electronic device may be a server, a terminal, or a combination thereof.
[0126] According to another embodiment of this application, an electronic device is also provided. Please refer to FIG4. FIG4 is a structural block diagram of an optional electronic device provided in the embodiments of this application. As shown in FIG4, the electronic device may include: a processor 1501, a communication interface 1502, a memory 1503, and a communication bus 1504, wherein the processor 1501, the communication interface 1502, and the memory 1503 communicate with each other through the communication bus 1504.
[0127] The memory 1503 is used to store computer programs; the processor 1501 is used to execute the program stored in the memory 1503, and implement the following steps: Step S201, identify sensitive data in the user data to be processed by the named entity recognition model, and call the sensitivity scoring algorithm to determine the sensitivity score corresponding to the sensitive data, wherein the sensitivity score is used to represent the sensitivity of the data; Step S202, extract the scene parameters of the current usage scenario of the user data, and call the risk quantification algorithm to determine the scene risk score corresponding to the scene parameters, wherein the scene risk score is used to represent the risk level of the current usage scenario; Step S203, call the dynamic desensitization strategy generation algorithm to generate the target desensitization strategy for the sensitive data according to the scene risk score and the sensitivity score;Step S204: Desensitize sensitive data using a target desensitization strategy and generate a reversible desensitized data identifier.
[0128] It is understood that the technical solution provided in this embodiment, the processor of the electronic device, determines sensitive data and its sensitivity score through a named entity recognition model and a sensitivity scoring algorithm, extracts scene parameters and determines scene risk score using a risk quantification algorithm, then calls a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy, and finally uses the strategy to desensitize and generate a reversible desensitized data identifier. This series of steps realizes the dynamic generation of desensitization strategies according to different usage scenarios, overcomes the problem of lack of scene adaptability caused by the rigidity of static desensitization strategies, and at the same time, reversible desensitization reduces the security risk caused by the reverse cracking of rules, avoids excessive desensitization, and improves data availability.
[0129] Optionally, in this embodiment, the communication bus mentioned above may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc. This communication bus can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or one type of bus. The communication interface is used for communication between the above-mentioned electronic device and other devices.
[0130] The memory may include random access memory (RAM), or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
[0131] The processor described above can be a general-purpose processor, which may include, but is not limited to, CPU (Central Processing Unit), NP (Network Processor), etc.; it can also be DSP (Digital Signal Processor), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
[0132] This application embodiment also provides a computer-readable storage medium, which includes a stored program, wherein the program executes the method steps of the above method embodiment when it runs.
[0133] Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing program code, such as USB flash drives, ROM, RAM, mobile hard drives, magnetic disks, or optical disks.
[0134] The sequence numbers of the embodiments in this application are merely for description and do not represent the superiority or inferiority of the embodiments.
[0135] If the integrated units in the above embodiments are implemented in the form of software functional units and sold or used as independent products, they can be stored in the computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions to cause one or more computer devices (which may be personal computers, servers, or network devices, etc.) to execute all or part of the steps of the methods of the various embodiments of this application.
[0136] In the above embodiments of this application, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.
[0137] In the several embodiments provided in this application, it should be understood that the disclosed client can be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of units is only a logical functional division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection of units or modules, and may be electrical or other forms. Specification 17 / 18 pages 20 CN 121278766 A
[0138] The units described as separate components may or may not be physically separated. The components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution provided in this embodiment.
[0139] In addition, the functional units in the various embodiments of this application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The integrated units described above may be implemented in hardware or in the form of software functional units.
[0140] The above are merely preferred embodiments of this application. It should be noted that, for those skilled in the art, several improvements and modifications can be made without departing from the principles of this application, and these improvements and modifications should also be considered within the scope of protection of this application. Specification 18 / 18 pages 21 CN121278766 A FIG. 1 FIG. 2 DESCRIPTION OF THE DRAWINGS PAGE 1 / 2 22 CN 121278766 A FIG. 3 FIG. 4 DESCRIPTION OF THE DRAWINGS PAGE 2 / 2 23 CN 121278766 A {HARTEND-26014-HKSPT / 02499514v1} Abstract This application relates to the field of information security technology, and specifically to a method and device for protecting user information based on dynamic desensitization strategies. This application determines sensitive data and their sensitivity scores through a named entity recognition model and a sensitivity scoring algorithm, extracts scenario parameters and uses a risk quantification algorithm to determine scenario risk scores, then invokes a dynamic desensitization strategy generation algorithm to generate a target desensitization strategy, and finally uses this strategy to desensitize and generate reversible desensitization data identifiers. This series of steps enable the dynamic generation of desensitization strategies based on different usage scenarios, overcomes the problem of missing scenario adaptability caused by the rigidity ofstatic desensitization strategies, and at the same time, reversible desensitization reduces the security risks arising from the reverse cracking of rules, avoids excessive desensitization, and improves data availability.
Claims
1. A user information protection method based on a dynamic desensitization strategy, characterized in that, The method comprises the following steps: identifying sensitive data in user data to be processed through a named entity recognition model, and calling a sensitivity score algorithm to determine a sensitivity score corresponding to the sensitive data, wherein the sensitivity score represents the sensitivity of the data; extracting scene parameters of a current use scenario of the user data, and calling a risk quantification algorithm to determine a scene risk score corresponding to the scene parameters, wherein the scene risk score represents the risk level of the current use scenario; calling a dynamic de-sensitization strategy generation algorithm to generate a target de-sensitization strategy for the sensitive data according to the scene risk score and the sensitivity score; performing de-sensitization processing on the sensitive data using the target de-sensitization strategy, and generating reversible de-sensitization data identification. 2.The user information protection method based on a dynamic desensitization strategy according to claim 1, characterized in that, The method comprises the following steps: querying a predefined data type weight mapping table to obtain a data type weight corresponding to each sensitive data; determining a use frequency coefficient corresponding to each sensitive data according to a historical access number and a total access number in a historical access log of each sensitive data; determining a leakage risk coefficient corresponding to each sensitive data according to a number of known leakage events of each sensitive data, a total amount of the same type of data of each sensitive data, and a severity weight of each sensitive data; querying a predefined compliance requirement coefficient mapping table to obtain a compliance requirement coefficient corresponding to each sensitive data according to the highest compliance requirement applicable to each sensitive data; weighting and summing the data type weight, the use frequency coefficient, the leakage risk coefficient, and the compliance requirement coefficient corresponding to each sensitive data through the sensitivity score algorithm to obtain a sensitivity score corresponding to each sensitive data. 3.The user information protection method based on a dynamic desensitization strategy according to claim 1, characterized in that, The method comprises the following steps: processing the scene parameters using a decision tree rule to determine a risk coefficient corresponding to each scene parameter in the scene parameters; weighting and summing the risk coefficients corresponding to all scene parameters through the risk quantification algorithm to obtain the scene risk score.
4. The user information protection method based on a dynamic desensitization strategy according to claim 3, characterized in that, After obtaining the scene risk score, the method further comprises the following steps: detecting user abnormal behavior based on an isolation forest algorithm; when it is detected that the user has abnormal behavior, adjusting the scene risk score according to a preset score adjustment rule, wherein the abnormal behavior includes abnormal time access, frequent permission switching, large data export, and cross-regional access.
5. The method of claim 1, wherein, The method comprises the following steps: calling a comprehensive risk assessment algorithm to determine a comprehensive risk level corresponding to each sensitive data according to the scene risk score and the sensitivity score corresponding to each sensitive data; According to the data type corresponding to each sensitive data and the comprehensive risk level, a corresponding basic de-sensitization strategy is selected from a pre-defined de-sensitization strategy rule library, wherein the de-sensitization strategy rule library defines the basic de-sensitization strategy of de-sensitization data of different data types under different comprehensive risk levels; Based on the Q-Learning algorithm, the basic de-sensitization strategy is optimized and adjusted according to the characteristics of the current use scenario, and an optimized de-sensitization strategy is obtained; The basic de-sensitization strategy and the optimized de-sensitization strategy are fused according to a pre-set fusion rule to obtain a target de-sensitization strategy. 6.The user information protection method based on a dynamic desensitization strategy according to claim 1, wherein, The scene parameters include user permissions, network environment types, access times, and data use purposes. The user permissions include temporary visitors, ordinary users, business employees, management personnel, and system administrators. The network environment types include public networks, private networks, and internal networks. The access times include working hours, non-working hours, and holidays. The data use purposes include statistical analysis, business processing, system maintenance, and data backup.
7. The method of claim 1, wherein the dynamic de-sensitization policy is based on a user's behavior. After generating the reversible de-sensitization data identifier, the method further includes: encrypting the sensitive data to obtain ciphertext; mapping and storing the reversible de-sensitization data identifier corresponding to the sensitive data and the ciphertext one by one; returning the reversible de-sensitization data identifier and the de-sensitization result.
8. A user information protection apparatus based on a dynamic desensitization policy, characterized by, It includes: A sensitive data identification module is configured to identify sensitive data in user data to be processed by a named entity recognition model, and to determine a sensitivity score corresponding to the sensitive data by calling a sensitivity scoring algorithm, wherein the sensitivity score represents the sensitivity of the data; A risk level determination module is configured to extract scene parameters of a current use scenario of the user data, and to determine a scene risk score corresponding to the scene parameters by calling a risk quantification algorithm, wherein the scene risk score represents the risk level of the current use scenario; A de-sensitization strategy generation module is configured to call a dynamic de-sensitization strategy generation algorithm to generate a target de-sensitization strategy for the sensitive data according to the scene risk score and the sensitivity score; A data de-sensitization processing module is configured to de-sensitize the sensitive data using the target de-sensitization strategy and generate a reversible de-sensitization data identifier.
9. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein, The processor, the communication interface, and the memory complete communication with each other through the communication bus, and the memory is configured to store a computer program. The processor is configured to execute the user information protection method steps based on the dynamic de-sensitization strategy by running the computer program stored in the memory. The storage medium stores a computer program, and the computer program is configured to execute the user information protection method steps based on the dynamic de-sensitization strategy when running.
10. A computer readable storage medium, characterized in that,