Method for auditing sensitive data based on trusted computing
By deploying trusted computing base components in sensitive data processing areas, generating access behavior baselines and building judgment models, the problems of incomplete coverage and false positives/missed positives in traditional auditing methods are solved, achieving the accuracy and timeliness of end-to-end security control and risk assessment of sensitive data.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING ZHONGAN NEBULA SOFTWARE TECH CO LTD
- Filing Date
- 2025-12-31
- Publication Date
- 2026-07-03
AI Technical Summary
Existing technologies cannot effectively build a dynamically adaptable security defense line, and are unable to meet the security needs of sensitive data during storage and transmission. Traditional auditing methods suffer from incomplete coverage and high false positive and false negative rates.
By collecting system architecture topology diagrams, deploying trusted computing base components to build a trusted execution environment, generating a baseline of normal access behavior and building an access behavior judgment model, and combining abnormal access records to analyze and calculate risk coefficients, triggering graded early warning responses.
It achieves full-chain security control over sensitive data processing, improves the accuracy of abnormal behavior identification and the timeliness of risk assessment, and reduces the risk of false positives and delayed responses.
Smart Images

Figure CN121435229B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of sensitive data security auditing technology, and specifically to a sensitive data auditing method based on trusted computing. Background Technology
[0002] With the deepening of digital transformation, the scale of sensitive data is growing exponentially, and the security risks during its storage, transmission, and use are becoming increasingly prominent. However, traditional sensitive data auditing methods have many limitations. On the one hand, the lack of precise control over the system architecture makes it difficult to know the exact location of sensitive data processing components and the data flow path, resulting in incomplete audit coverage. On the other hand, relying solely on rule bases or simple thresholds to detect abnormal access behavior leads to high false positive and false negative rates. With the rapid development of information technology, network attack methods are becoming increasingly complex and covert, posing a severe threat to sensitive data. Existing technologies cannot effectively build dynamically adaptable security defenses and are insufficient to meet the ever-increasing data security demands. Summary of the Invention
[0003] The purpose of this invention is to overcome the shortcomings of the prior art and provide a sensitive data auditing method based on trusted computing to solve the problems mentioned in the background art.
[0004] The objective of this invention can be achieved through the following technical solution: a sensitive data auditing method based on trusted computing, comprising the following steps:
[0005] Step 1: Collect the architecture topology diagram of the target system. Based on the location of components for sensitive data processing and the data flow path of sensitive data between components contained in the architecture topology diagram, determine multiple designated sensitive data processing areas and deploy trusted computing base components for each area to establish a trusted execution environment.
[0006] Step 2: Based on historical access records, analyze access behavior in multiple specified sensitive data processing areas to generate corresponding normal access behavior baselines; then, construct an access behavior judgment model based on the normal access behavior baselines to judge the access behavior of the current access records and obtain the judgment results.
[0007] Step 3: Based on the abnormal access behavior, obtain the corresponding access records and analyze them to obtain the baseline audit data of the corresponding access subject. Perform abnormal risk analysis on the baseline audit data, calculate the risk coefficient value of the baseline audit data, obtain the risk level of the corresponding abnormal access behavior, and trigger the graded early warning response mechanism.
[0008] Preferably, in step one, the target system refers to the full business coverage system that needs to be audited for sensitive data; each designated sensitive data processing area includes the relevant processing operations for the corresponding sensitive data;
[0009] A Trusted Execution Environment (TCB) is constructed by deploying Trusted Computing Base Components (TCBs) in designated sensitive data processing areas to ensure the security and integrity of sensitive data processing within each area. Specifically, the integrity of the TCBs is measured to generate an initial root of trust, ensuring that the components have not been tampered with.
[0010] Preferably, the process of analyzing access behavior in multiple designated sensitive data processing areas based on historical access records includes:
[0011] S21: Select any specified sensitive data processing area as the target analysis area, obtain the historical access records corresponding to the target analysis area and perform standardized processing, including converting the collected unstructured records into structures, unifying field formats and data types, and excluding invalid logs;
[0012] S22: Analyze the standardized historical access records, obtain the historical inertial behavior set of each access subject, and generate the normal access behavior baseline for each specified sensitive data processing area after correction, while setting a dynamic update cycle.
[0013] S23: Based on the baseline of normal access behavior, construct an access behavior determination model, and use the access behavior determination model to determine the access behavior of the current access record to obtain the determination result.
[0014] Preferably, the method for obtaining the baseline of normal access behavior in S22 is as follows:
[0015] S221: Based on the trusted measurement value, normal access samples that are always compliant with the integrity of the TCB component during the access process are selected, and abnormal samples that have the risk of component tampering are excluded; among them, when the access subject initiates a sensitive data access request, the system retrieves the trusted measurement value corresponding to the access subject in real time and compares it with the initial trusted root. If the trusted measurement value retrieved in real time during the access process is always consistent with the initial trusted root, the corresponding access request sample is recorded as a normal access sample.
[0016] S222: Statistically analyze the access frequency, access time distribution, Shannon entropy of common operation types, and access data range of different access subjects to determine the regular access characteristics of each access subject;
[0017] Among them, the Shannon entropy of a common operation type is the number of times the access operation type corresponding to the access subject is obtained, and the Shannon entropy of different access operation types is calculated. Where Pn is the proportion of different access operation types; when the calculated Hn is less than or equal to the preset stable threshold, it indicates that the distribution of the access operation type is relatively concentrated and has strong regularity, and it is marked as a common operation type.
[0018] The scope of accessed data refers to the percentage of sensitive data involved in the accessed data.
[0019] S223: Obtain the regular access characteristics of each access subject corresponding to the normal access sample, record them as the historical inertial behavior set, and correct them to generate the normal access behavior baseline for each specified sensitive data processing area.
[0020] Preferably, in S23, the input data of the access behavior determination model is the current access record of the target analysis area, and the output data is the access determination value, and the value of the access determination value is a value of 1 or 0.
[0021] The expression for the access behavior determination model is as follows:
[0022] ;
[0023] In the formula, i represents different designated sensitive data processing areas, j represents different access subjects; YS(xij) is the corresponding model judgment value, xij is the current access record, YCij is the corresponding normal access behavior baseline, and xij→YCij indicates that the current access record conforms to the normal access behavior baseline.
[0024] When the output access judgment value is 1, it means that the current access record is a normal access behavior;
[0025] When the output access judgment value is 0, it indicates that the current access record is an abnormal access behavior;
[0026] The judgment result is determined by whether the access behavior is normal or abnormal.
[0027] Preferably, the baseline audit data is obtained by acquiring the regular access characteristics of the corresponding access subject based on the access records corresponding to abnormal access behavior, and then marking them as baseline audit data.
[0028] Preferably, the formula for calculating the risk coefficient value in step three is:
[0029] ;
[0030] In the formula, FX is the risk coefficient value. This represents the m-th baseline audit data, where m = 1, 2, 3, ..., M, and M is the total number of baseline audit data types. This represents the median value corresponding to the m-th historical benchmark audit data. These represent different scaling factors.
[0031] Preferably, based on the calculated risk coefficient value, the risk level of the corresponding abnormal access behavior is obtained and a graded early warning response mechanism is triggered, including:
[0032] Set a risk threshold T1, compare the calculated risk coefficient value FX with the risk threshold T1. If FX ≥ T1, the risk level of the corresponding abnormal access behavior is high risk, i.e., high-risk abnormal access behavior; if FX < T1, the risk level of the corresponding abnormal access behavior is low risk, i.e., low-risk abnormal access behavior.
[0033] Issue high-risk warnings and block high-risk abnormal access behaviors in real time;
[0034] Low-risk abnormal access behavior is alerted, and the risk level is associated with the trusted authentication system of the target system. If the number of times the corresponding access subject triggers the low-risk alert is greater than or equal to the threshold X1, the access permissions of the corresponding access subject to sensitive data are reduced.
[0035] Compared to existing solutions, the beneficial effects achieved by this invention are:
[0036] This invention identifies sensitive data processing areas by collecting system architecture topology diagrams, deploys trusted computing base components to build a trusted execution environment, solves the problem of weak protection in sensitive data processing links in traditional auditing, builds a solid security foundation from the hardware and environment levels, and avoids the risk of leakage caused by the lack of regional protection during data flow;
[0037] This invention generates a baseline of normal access behavior based on historical access records and constructs a judgment model, breaking through the limitations of traditional auditing that relies on manual rules and has a high rate of false positives and false negatives. It achieves accurate judgment of current access behavior and improves the automation and accuracy of abnormal behavior identification.
[0038] This invention combines abnormal access record analysis with benchmark audit data, calculates risk coefficients, and triggers tiered early warnings. It changes the traditional audit's status quo of only being able to detect anomalies but not quantify risks and having a delayed response. It achieves closed-loop management from anomaly identification to risk assessment and then to tiered response, greatly improving the timeliness and risk control capabilities of sensitive data audits. Attached Figure Description
[0039] The invention will now be further described with reference to the accompanying drawings.
[0040] Figure 1 This is a flowchart of the sensitive data auditing method based on trusted computing proposed in this invention. Detailed Implementation
[0041] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.
[0042] like Figure 1As shown, this invention is a sensitive data auditing method based on trusted computing, comprising the following steps:
[0043] Step 1: Collect the architecture topology diagram of the target system. Based on the location of components for sensitive data processing and the data flow path of sensitive data between components contained in the architecture topology diagram, determine multiple designated sensitive data processing areas and deploy trusted computing base components for each area to establish a trusted execution environment.
[0044] The target system refers to the entire business coverage system that needs to be audited for sensitive data; each designated sensitive data processing area includes the relevant processing operations for the corresponding sensitive data, including but not limited to querying, modifying, downloading, and deleting.
[0045] Furthermore, the locations of components involved in sensitive data processing include, but are not limited to, the specific locations of components such as data acquisition components, data storage components, and data computing components; the data flow path includes the flow direction and relationships of data input, transmission, processing, output, and archiving.
[0046] The Trusted Execution Environment (TEE) is constructed by deploying Trusted Computing Base (TCB) components in each designated sensitive data processing area. This TEB includes functions such as hardware isolation, identity authentication, access control, and data encryption, ensuring the security and integrity of sensitive data processing in each area and preventing unauthorized access, tampering, or leakage of data. In particular, integrity measurements are performed on the TCB components to generate an initial root of trust, ensuring that the components have not been tampered with.
[0047] In the implementation steps of this invention, by collecting the architecture topology diagram of the target system, multiple designated sensitive data processing areas are identified, and trusted computing base components are deployed for each area to establish a trusted execution environment. This achieves full-link security control of sensitive data, ensuring that its operations in the stages of collection, transmission, storage, computation, and archiving are all in a trusted environment, effectively preventing the risks of unauthorized access, tampering, or leakage.
[0048] Step 2: Based on historical access records, analyze access behavior in multiple specified sensitive data processing areas to generate corresponding normal access behavior baselines; then, construct an access behavior judgment model based on the normal access behavior baselines to judge the access behavior of the current access records and obtain the judgment results.
[0049] It should be further explained that the process of analyzing access behavior in multiple designated sensitive data processing areas based on historical access records includes:
[0050] S21: Select any specified sensitive data processing area as the target analysis area, obtain the historical access records corresponding to the target analysis area and perform standardized processing, including converting the collected unstructured records into structures, unifying field formats and data types, and excluding invalid logs, such as duplicate records and records with incorrect formats;
[0051] The historical access records include the access subject, access data, access operation type, access duration, and trust metric (TCB component integrity verification result); furthermore, the access operation type includes, but is not limited to, query, modify, download, and delete.
[0052] S22: Analyze the standardized historical access records to obtain the historical habitual behavior set of each access subject, and generate the normal access behavior baseline for each specified sensitive data processing area after correction. At the same time, set a dynamic update cycle, such as updating once a week, or triggering an update after system architecture adjustment or user permission change.
[0053] S221: Based on the trusted measurement value, normal access samples that are always compliant with the integrity of the TCB component during the access process are selected, and abnormal samples that have the risk of component tampering are excluded; among them, when the access subject initiates a sensitive data access request, the system retrieves the trusted measurement value corresponding to the access subject in real time and compares it with the initial trusted root. If the trusted measurement value retrieved in real time during the access process is always consistent with the initial trusted root, the corresponding access request sample is recorded as a normal access sample.
[0054] S222: Statistically analyze the access frequency, access time distribution, Shannon entropy of common operation types, and access data range of different access subjects to determine the regular access characteristics of each access subject;
[0055] Among them, the Shannon entropy of a common operation type is the number of times the access operation type corresponding to the access subject is obtained, and the Shannon entropy of different access operation types is calculated. Where Pn is the proportion of different access operation types; when the calculated Hn is less than or equal to the preset stable threshold, it indicates that the distribution of the access operation type is relatively concentrated and has strong regularity, and it is marked as a common operation type.
[0056] The scope of accessed data refers to the percentage of sensitive data involved in the accessed data.
[0057] Furthermore, the larger the Shannon entropy value, the more complex and varied the interaction pattern, and the higher the uncertainty and instability; the preset stability threshold is set by experts in this field based on actual application conditions.
[0058] S223: Obtain the regular access characteristics of each access subject corresponding to the normal access sample, record them as the historical inertial behavior set and correct them to generate the normal access behavior baseline for each specified sensitive data processing area;
[0059] It should be noted that the normal access behavior baseline refers to the inertial behavior in a normal and trusted environment when statistically analyzing the access sensitive data of each access subject; in this embodiment, the normal inertial behavior of each access subject is extracted from historical data and converted into an executable baseline set.
[0060] S23: Based on the baseline of normal access behavior, construct an access behavior determination model, and use the access behavior determination model to determine the access behavior of the current access record to obtain the determination result;
[0061] The input data of the access behavior determination model is the current access record of the target analysis area, and the output data is the access determination value, which is a value of 1 or 0.
[0062] The expression for the access behavior determination model is as follows:
[0063] ;
[0064] In the formula, i represents different designated sensitive data processing areas, j represents different access subjects; YS(xij) is the corresponding model judgment value, xij is the current access record, YCij is the corresponding normal access behavior baseline, and xij→YCij indicates that the current access record conforms to the normal access behavior baseline.
[0065] When the output access judgment value is 1, it means that the current access record is a normal access behavior;
[0066] When the output access judgment value is 0, it indicates that the current access record is an abnormal access behavior;
[0067] The judgment result is determined by whether the access behavior is normal or abnormal.
[0068] Step 3: Based on the abnormal access behavior, obtain the corresponding access records and analyze them to obtain the baseline audit data of the corresponding access subject. Perform abnormal risk analysis on the baseline audit data, calculate the risk coefficient value of the baseline audit data, obtain the risk level of the corresponding abnormal access behavior, and trigger the graded early warning response mechanism.
[0069] Among them, the baseline audit data is obtained by acquiring the regular access characteristics of the corresponding access subject based on the access records corresponding to abnormal access behavior, and then marking them as the baseline audit data;
[0070] The formula for calculating the risk coefficient is as follows:
[0071] ;
[0072] In the formula, FX is the risk coefficient value. This represents the m-th baseline audit data, where m = 1, 2, 3, ..., M, and M is the total number of baseline audit data types. This represents the median value corresponding to the m-th historical benchmark audit data. These represent different scaling factors, the specific values of which are determined by experts in the field based on numerous historical data experiments;
[0073] Based on the calculated risk coefficient value, the risk level of the corresponding abnormal access behavior is obtained, and a tiered early warning response mechanism is triggered, including:
[0074] A risk threshold T1 is set, and the calculated risk coefficient value FX is compared with the risk threshold T1. If FX ≥ T1, the risk level of the corresponding abnormal access behavior is high risk, i.e., high-risk abnormal access behavior; if FX < T1, the risk level of the corresponding abnormal access behavior is low risk, i.e., low-risk abnormal access behavior. The risk threshold T1 is set by experts in this field based on historical test data.
[0075] Issue high-risk warnings and block access in real time for high-risk abnormal access behaviors, such as banning the operation permissions of the corresponding access subject and interrupting sensitive data transmission links;
[0076] Low-risk abnormal access behavior is issued with a low-risk warning. At the same time, the risk level is associated with the trusted authentication system of the target system. If the number of times the corresponding access subject triggers the low-risk warning is greater than or equal to the threshold X1, the access rights of the corresponding access subject to sensitive data are reduced.
[0077] It should be noted that the specific value of threshold X1 can accurately identify the transformation from high-frequency, low-risk to high-risk, while avoiding excessive control that could interfere with normal business operations.
[0078] In the several embodiments provided by this invention, it should be understood that the disclosed system can be implemented in other ways. For example, the embodiments of the invention described above are merely illustrative; for example, the division of modules is only a logical functional division, and there may be other division methods in actual implementation.
[0079] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.
[0080] Furthermore, the functional modules in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or in the form of hardware plus software functional modules.
[0081] It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the present invention can be implemented in other specific forms without departing from the spirit or essential characteristics of the present invention.
[0082] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.
[0083] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A sensitive data auditing method based on trusted computing, characterized in that, include: Step 1: Collect the architecture topology diagram of the target system. Based on the location of components for sensitive data processing and the data flow path of sensitive data between components contained in the architecture topology diagram, determine multiple designated sensitive data processing areas and deploy trusted computing base components for each area to establish a trusted execution environment. The target system refers to the entire business coverage system that needs to be audited for sensitive data; each designated sensitive data processing area includes the relevant processing operations for the corresponding sensitive data. A Trusted Execution Environment (TCB) is constructed by deploying Trusted Computing Base Components (TCBs) in designated sensitive data processing areas to ensure the security and integrity of sensitive data processing within each area. Specifically, the integrity of the TCBs is measured to generate an initial root of trust, ensuring that the components have not been tampered with. Step 2: Based on historical access records, analyze access behavior in multiple specified sensitive data processing areas to generate corresponding normal access behavior baselines; then, construct an access behavior judgment model based on the normal access behavior baselines to judge the access behavior of the current access records and obtain the judgment results. The process of analyzing access behavior in multiple specified sensitive data processing areas includes: S21: Select any specified sensitive data processing area as the target analysis area, obtain the historical access records corresponding to the target analysis area and perform standardized processing, including converting the collected unstructured records into structures, unifying field formats and data types, and excluding invalid logs; S22: Analyze the standardized historical access records, obtain the historical inertial behavior set of each access subject, and generate the normal access behavior baseline for each specified sensitive data processing area after correction, while setting a dynamic update cycle. S23: Based on the baseline of normal access behavior, construct an access behavior determination model, and use the access behavior determination model to determine the access behavior of the current access record to obtain the determination result; Step 3: Based on the abnormal access behavior, obtain the corresponding access records and analyze them to obtain the baseline audit data of the corresponding access subject. Perform abnormal risk analysis on the baseline audit data, calculate the risk coefficient value of the baseline audit data, obtain the risk level of the corresponding abnormal access behavior, and trigger the graded early warning response mechanism. The formula for calculating the risk coefficient is: ; In the formula, FX is the risk coefficient value. This represents the m-th baseline audit data, where m = 1, 2, 3, ..., M, and M is the total number of baseline audit data types. This represents the median value corresponding to the m-th historical benchmark audit data. These represent different scaling factors.
2. The sensitive data auditing method based on trusted computing according to claim 1, characterized in that, The method for obtaining the baseline of normal access behavior in S22 is as follows: S221: Based on the trusted measurement value, normal access samples that are always compliant with the integrity of TCB components during the access process are selected, and abnormal samples that have the risk of component tampering are excluded; among them, when the access subject initiates a sensitive data access request, the system retrieves the trusted measurement value corresponding to the access session in real time and compares it with the initial trusted root. If the trusted measurement value retrieved in real time during the access process is always consistent with the initial trusted root, the corresponding access request sample is recorded as a normal access sample. S222: Statistically analyze the access frequency, access time distribution, Shannon entropy of common operation types, and access data range of different access subjects to determine the regular access characteristics of each access subject; Among them, the Shannon entropy of a common operation type is the number of times the access operation type corresponding to the access subject is obtained, and the Shannon entropy of different access operation types is calculated. Where Pn is the proportion of different access operation types; when the calculated Hn is less than or equal to the preset stable threshold, it indicates that the distribution of the access operation type is relatively concentrated and has strong regularity, and it is marked as a common operation type. The scope of accessed data refers to the percentage of sensitive data involved in the accessed data. S223: Obtain the regular access characteristics of each access subject corresponding to the normal access sample, record them as the historical inertial behavior set, and correct them to generate the normal access behavior baseline for each specified sensitive data processing area.
3. The sensitive data auditing method based on trusted computing according to claim 1, characterized in that, The input data of the access behavior determination model described in S23 is the current access record of the target analysis area, and the output data is the access determination value, and the value of the access determination value is a value of 1 or 0. The expression for the access behavior determination model is as follows: ; In the formula, i represents different designated sensitive data processing areas, j represents different access subjects; YS(xij) is the corresponding model judgment value, xij is the current access record, YCij is the corresponding normal access behavior baseline, and xij→YCij indicates that the current access record conforms to the normal access behavior baseline. When the output access judgment value is 1, it means that the current access record is a normal access behavior; When the output access judgment value is 0, it indicates that the current access record is an abnormal access behavior; The judgment result is determined by whether the access behavior is normal or abnormal.
4. The sensitive data auditing method based on trusted computing according to claim 3, characterized in that, Baseline audit data is obtained by extracting the regular access characteristics of the corresponding access subject from the access records corresponding to abnormal access behavior and marking them as baseline audit data.
5. The sensitive data auditing method based on trusted computing according to claim 1, characterized in that, Based on the calculated risk coefficient value, the risk level of the corresponding abnormal access behavior is obtained, and a tiered early warning response mechanism is triggered, including: Set a risk threshold T1, compare the calculated risk coefficient value FX with the risk threshold T1. If FX ≥ T1, the risk level of the corresponding abnormal access behavior is high risk, i.e., high-risk abnormal access behavior; if FX < T1, the risk level of the corresponding abnormal access behavior is low risk, i.e., low-risk abnormal access behavior. Issue high-risk warnings and block high-risk abnormal access behaviors in real time; Low-risk abnormal access behavior is alerted, and the risk level is associated with the trusted authentication system of the target system. If the number of times the corresponding access subject triggers the low-risk alert is greater than or equal to the threshold X1, the access permissions of the corresponding access subject to sensitive data are reduced.